OpenVPN : routing all traffic through the VPN tunnel

July 18, 2008 - 19 comments

I’m really into OpenVPN these days, see my two previous posts about it :

Setting up OpenVPN for your road warriors :
http://www.wains.be/index.php/2008/07/15/a-vpn-for-remote-users-with-openvpn/

Setting up a VPN between two sites :
http://www.wains.be/index.php/2008/06/07/routed-openvpn-between-two-subnets-behind-nat-gateways/

Today : how to route all traffic through the OpenVPN tunnel

On the server side :

First of all, if you want to route all your traffic through the VPN tunnel, you need to turn on IP forwarding (also called routing) and add a masquerading rule on the server (where eth0 is the interface connected to the internet; the source network in the rule is the one handed to the server directive in the OpenVPN config) :

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -s 10.30.0.0/24 -o eth0 -j MASQUERADE

To make routing persistent, see http://www.wains.be/index.php/2006/06/06/enable-ip-forward-under-rhelcentos/

Then, here’s the OpenVPN configuration :

port 10000
proto udp
dev tun
comp-lzo
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
duplicate-cn
server 10.30.0.0 255.255.255.0
client-to-client
push "dhcp-option DOMAIN local.example.org"
push "dhcp-option DNS 172.16.7.253"
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
log vpn.log
verb 1
chroot /tmp

The redirect-gateway option is the one responsible for creating all the routes on the client computer when the connection is established.

The two other push options are only taken into account by Windows clients (to my knowledge).
If you want to change the DNS resolution of your Linux clients, you need to use the up and down options on the client (see below).

Client configuration :

vpn.conf :

client
dev tun
proto udp
remote vpn.example.org
port 10000
nobind
persist-key
persist-tun
ca ./ca.crt
cert ./user.crt
key ./user.key
verb 5
up ./up.sh
down ./down.sh
ping 60
ping-restart 120

up.sh :

#!/bin/sh
# save the original resolv.conf once; a reconnect runs this again and must not overwrite the backup
[ -e /etc/resolv.conf.bak ] || mv /etc/resolv.conf /etc/resolv.conf.bak
echo "search local.example.org" > /etc/resolv.conf
echo "nameserver 172.16.7.253" >> /etc/resolv.conf

down.sh :

#!/bin/sh
# restore the resolv.conf saved by up.sh, if there is one
[ -e /etc/resolv.conf.bak ] && mv /etc/resolv.conf.bak /etc/resolv.conf
exit 0
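The two scripts above hardcode the DNS values that the server already pushes. As an added example (not the post's own scripts), here is a single script usable as both up and down that builds resolv.conf from the pushed options instead: before running the up script, OpenVPN records every pushed option a Linux client cannot apply itself in the environment variables foreign_option_1, foreign_option_2, ... (for instance "dhcp-option DNS 172.16.7.253") and sets script_type to "up" or "down". The RESOLV_CONF override, the IPv4-only check on pushed nameservers and the hostname check on the search domain are my additions, there to keep a server from writing arbitrary text into the client's resolver configuration.

```shell
#!/bin/sh
# vpn-dns.sh: reference it as both "up ./vpn-dns.sh" and "down ./vpn-dns.sh" in vpn.conf.
# OpenVPN exports pushed options it cannot apply on Linux as foreign_option_1,
# foreign_option_2, ... and sets script_type to "up" or "down" before running us.
# RESOLV_CONF is a hypothetical override so the script can be exercised against a
# scratch file instead of the real /etc/resolv.conf.

# Print resolv.conf content derived from the pushed dhcp-option lines.
# The values come from the server, so only a plain IPv4 address is accepted as a
# nameserver and only hostname characters are accepted in the search domain.
resolv_from_foreign_options() {
  i=1
  while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
    read -r kind name value rest <<EOF
$opt
EOF
    if [ "$kind" = "dhcp-option" ]; then
      case "$name" in
        DNS)
          if printf '%s\n' "$value" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
            printf 'nameserver %s\n' "$value"
          fi ;;
        DOMAIN)
          case "$value" in
            ""|*[!A-Za-z0-9.-]*) ;;          # reject anything that is not a hostname
            *) printf 'search %s\n' "$value" ;;
          esac ;;
      esac
    fi
    i=$((i + 1))
  done
}

vpn_up() {
  rc="${RESOLV_CONF:-/etc/resolv.conf}"
  # keep the pre-VPN file exactly once: a reconnect runs "up" again and must
  # not replace the backup with the VPN version
  [ -e "$rc.bak" ] || cp -p "$rc" "$rc.bak"
  content=$(resolv_from_foreign_options)
  if [ -n "$content" ]; then        # nothing pushed: leave the file alone
    printf '%s\n' "$content" > "$rc"
  fi
}

vpn_down() {
  rc="${RESOLV_CONF:-/etc/resolv.conf}"
  if [ -e "$rc.bak" ]; then
    mv "$rc.bak" "$rc"
  fi
}

# Only act when OpenVPN is driving the script; sourcing it for tests does nothing.
case "${script_type:-}" in
  up)   vpn_up ;;
  down) vpn_down ;;
esac
```

OpenVPN 2.1 and later refuse to run up/down scripts unless the client config also contains script-security 2. The search domain and the nameserver then follow whatever the server pushes, so changing the resolver on the server side (push "dhcp-option DNS ...") needs no edit on the clients.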

When connecting to the server (with verb set to 5), we can see the server pushing the route settings to the client. The def1 flag makes the client add two /1 routes (0.0.0.0/1 and 128.0.0.0/1) through the tunnel instead of replacing the existing default route: being more specific, they take precedence over it, and a host route to the VPN server through the original gateway keeps the tunnel's own packets out of the tunnel.

Fri Jul 18 23:22:19 2008 us=838005 ifconfig tun0 10.30.0.6 pointopoint 10.30.0.5 mtu 1500
Fri Jul 18 23:22:19 2008 us=843211 route add -net 72.x.x.x netmask 255.255.255.255 gw 172.16.7.253
Fri Jul 18 23:22:19 2008 us=845178 route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.30.0.5
Fri Jul 18 23:22:19 2008 us=848568 route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.30.0.5
Fri Jul 18 23:22:19 2008 us=850460 route add -net 10.30.0.0 netmask 255.255.255.0 gw 10.30.0.5

On the client, the routes :

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
72.x.x.x        172.16.7.253    255.255.255.255 UGH   0      0        0 wlan0
10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.7.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.16.7.253    0.0.0.0         UG    0      0        0 wlan0
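As an added check (not part of the post), the following shell function reads route -n output and confirms that the redirect-gateway def1 route set is complete on a Linux client: both /1 routes leave through a tun device and the host route to the VPN server goes through a non-tun device. The sample table is constructed from the one above, with 203.0.113.10 standing in for the server address the post masks as 72.x.x.x.

```shell
# Constructed sample of `route -n` output on a connected client (modelled on the
# post's table; 203.0.113.10 stands in for the masked VPN server address).
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    172.16.7.253    255.255.255.255 UGH   0      0        0 wlan0
10.30.0.5       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.7.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
10.30.0.0       10.30.0.5       255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.30.0.5       128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.30.0.5       128.0.0.0       UG    0      0        0 tun0
0.0.0.0         172.16.7.253    0.0.0.0         UG    0      0        0 wlan0'

# check_redirect_gateway VPN_SERVER_IP   (route table on stdin)
# Returns 0 when redirect-gateway def1 is fully in place:
#   - 0.0.0.0/1 and 128.0.0.0/1 both leave through a tun device (together they
#     cover every address and, being more specific, beat the old default route)
#   - a /32 route to the VPN server goes through a non-tun device, so the
#     tunnel's own UDP packets are not routed back into the tunnel
# Any missing piece means some traffic can still bypass the VPN.
check_redirect_gateway() {
  awk -v srv="$1" '
    NR <= 2 { next }                                        # skip the two header lines
    $1 == "0.0.0.0"   && $3 == "128.0.0.0" && $8 ~ /^tun/   { lo = 1 }
    $1 == "128.0.0.0" && $3 == "128.0.0.0" && $8 ~ /^tun/   { hi = 1 }
    $1 == srv && $3 == "255.255.255.255" && $8 !~ /^tun/    { host = 1 }
    END { exit (lo && hi && host) ? 0 : 1 }'
}

# On a live client run:  route -n | check_redirect_gateway <vpn server ip>
if printf '%s\n' "$SAMPLE_ROUTES" | check_redirect_gateway 203.0.113.10; then
  echo "redirect-gateway routes complete: all traffic goes through the tunnel"
else
  echo "routes incomplete: traffic may bypass the VPN"
fi
```

The check is worth running from the up script or a cron job on clients that must never leak traffic outside the tunnel: a missing /1 route (for instance after a failed reconnect) silently sends everything through the original default gateway again.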

VSftpd on RHEL

April 10, 2007 - 7 comments

FTP server on RHEL

RPM : vsftpd

Config : /etc/vsftpd/vsftpd.conf

By default :
- anonymous users are confined to a chroot located in /var/ftp/pub, with read access only.
- local users log in to their home directory under /home and are not chrooted

To chroot local users as well, add to the config :
chroot_local_user=YES

Thanks to Toutim for pointing out a mistake I’ve made in this article.

SWAP space under RHEL/CentOS

March 27, 2007 - 1 comment

Adding a 250 MB swap file to the system

Create an empty 250M file :
dd if=/dev/zero of=/swapfile bs=1024 count=256000

Create the swap on the newly created file :
mkswap /swapfile

Enable the new swap file :
swapon /swapfile

Edit fstab and add :
/swapfile swap swap defaults 0 0

Verify if the new swap space is enabled :
cat /proc/swaps
free -m

A good idea is to put your swap on an LVM volume, so you can always resize it as your needs grow.

Managing LVM on Redhat-based systems

March 26, 2007 - 3 comments

Steps :
1. Creation of Physical Volumes (container of volume groups)
2. Creation of Volume Groups (container of logical volumes)
3. Creation of Logical Volumes (“partitions”)
4. Formatting the Logical Volumes
5. (optional) Resizing Logical Volumes

Quota on RHEL/CentOS

March 23, 2007 - 7 comments

Here are the steps to implement quotas on a RedHat-based system :

We will enable quotas on /home on the /dev/hda3 partition.

CentOS + RAID with mdadm

March 12, 2007 - 2 comments

The RHCE exam requires you to be able to create a RAID array on a running system, as well as with the installer.

I won’t explain here how to deal with the installer as it’s pretty easy.

Setting up http/https on CentOS

March 6, 2007 - 1 comment

Packages needed : httpd + deps
Package needed for https : mod_ssl

yum install httpd mod_ssl

service httpd start
chkconfig httpd on

Done !

I’m not sure what they could ask about Apache at the RHCE exam... Virtual domains?

Setting up NFS + autofs under CentOS 4

February 28, 2007 - 4 comments

Packages needed : nfs-utils

Setting up NIS under CentOS 4

Server : server.lab.local (10.0.0.254)
Client : client1.lab.local (10.0.0.1)

Server side :

Packages needed : yp-tools ypbind ypserv portmap

Creating a local CentOS mirror

February 26, 2007 - 2 comments

For my RHCE prep, I’m setting up a small lab of 3 machines; one machine will act as the server.
For my ease of use, I decided to build a local mirror of the CentOS repository (base and updates).

I had downloaded the 4 ISO images of CentOS 4.4 overnight and burnt them.

Please consider the following :
I’m only building a local copy of the base and updates repo for CentOS 4.4 for the i386 architecture.
