
..:: seize the day ::..

August 12, 2008

How to Make (site-to-site) VPN Connection in Linux

Filed under: IT stuff

Some friends have asked me how to make a VPN connection between sites. In Linux it is quite easy, because as far as I know point-to-point tunneling as well as GRE are already supported. For mobile VPN, OpenVPN should be an interesting choice. This post explains how to make a site-to-site VPN using Linux. It is based on my experience setting up a VPN link between two sites.

A tunnel has to be set up from both sides. Don’t forget that a tunnel increases the overhead. Usually it is 20 bytes per packet, so if the maximum MTU is 1500 bytes per packet then with the tunnel running only 1480 bytes per packet remain. In practice this is not a big problem. If you have time, please read chapter 3 of the lartc document from here.

Suppose we have sites A and B with this configuration:

A: eth0 123.234.123.1 netmask 255.255.255.0, eth1 10.1.2.1 netmask 255.255.255.0

B: eth0 210.123.234.2 netmask 255.255.255.0, eth1 10.2.2.1 netmask 255.255.255.0

We need to add another IP address on eth0 on both sites to make sure that forwarding happens. See the picture below.

[image: vpn]

Now just create a script, something like this one for site A:

#!/bin/sh

# Forwarding between eth1 and the tunnel only happens if the kernel allows it
# (not in the original script, but required on a default install).
sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# The interface name must match the tunnel created below.
iptables -I FORWARD 1 -i TunnelA -j ACCEPT
#
# Site A <--> Site B
#
ip tunnel add TunnelA mode gre remote 210.123.234.2 local 123.234.123.1 ttl 255
ip link set TunnelA up
ip addr add 10.1.15.5/32 dev TunnelA
# Route the remote LAN through the tunnel device (one route is enough;
# adding the same prefix again with the legacy route command only fails
# with "File exists").
ip route add 10.2.2.0/24 dev TunnelA

And for site B:

#!/bin/sh

# Forwarding between eth1 and the tunnel only happens if the kernel allows it
# (not in the original script, but required on a default install).
sysctl -w net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# The interface name must match the tunnel created below.
iptables -I FORWARD 1 -i TunnelB -j ACCEPT
#
# Site B <--> Site A
#
ip tunnel add TunnelB mode gre remote 123.234.123.1 local 210.123.234.2 ttl 255
ip link set TunnelB up
ip addr add 10.2.15.5/32 dev TunnelB
# Route the remote LAN through the tunnel device (one route is enough).
ip route add 10.1.2.0/24 dev TunnelB

We can put this in rc.local on Fedora and its clones, or on openSUSE create a script based on /etc/init.d/skeleton and register it with insserv, so that it runs on boot.

Try the configuration and see if it works :-)
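As an added example (not the post's own script), the same setup written once for either side, driven by variables, so the two site scripts above collapse into one file. Beyond the post it adds three things a practitioner usually wants: GRE is neither encrypted nor authenticated, so the firewall accepts protocol 47 only from the peer's public address and the FORWARD rules only pass traffic between the two LANs; the tunnel MTU is set explicitly to 1476 (the kernel's own default for a plain GRE tunnel: 1500 minus the 20-byte outer IP header and the 4-byte GRE header, so slightly less than the 1480 quoted above); and a check function shows link counters and pings the far LAN gateway through the tunnel. All addresses are the post's sample values, not real endpoints; with DRY_RUN=1 the script prints the commands instead of running them, which is also how it can be reviewed before use.

```shell
#!/bin/sh
# Added example, not the post's own script: one-side GRE site-to-site setup
# driven by variables. Addresses are the post's sample values (123.234.123.1,
# 210.123.234.2, 10.x.x.x), not real endpoints.
#
#   sh gre-site.sh A            on site A
#   sh gre-site.sh B            on site B
#   DRY_RUN=1 sh gre-site.sh A  print the commands instead of running them
set -eu

# site_params SIDE: load the parameters for one side of the tunnel.
site_params() {
    case "$1" in
        A) TUN=TunnelA; LOCAL=123.234.123.1; REMOTE=210.123.234.2
           TUN_ADDR=10.1.15.5/32; LAN=10.1.2.0/24; LAN_GW=10.1.2.1
           PEER_LAN=10.2.2.0/24; PEER_GW=10.2.2.1 ;;
        B) TUN=TunnelB; LOCAL=210.123.234.2; REMOTE=123.234.123.1
           TUN_ADDR=10.2.15.5/32; LAN=10.2.2.0/24; LAN_GW=10.2.2.1
           PEER_LAN=10.1.2.0/24; PEER_GW=10.1.2.1 ;;
        *) echo "usage: $0 A|B" >&2; return 2 ;;
    esac
}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# gre_up SIDE: forwarding, firewall and tunnel for one side.
gre_up() {
    site_params "$1" || return $?

    # Packets from eth1 only cross the tunnel if the kernel forwards at all.
    run sysctl -w net.ipv4.ip_forward=1

    # GRE carries no authentication. Accept protocol 47 only from the peer's
    # public address and drop it from everyone else, so nobody else can hand
    # the FORWARD rules below a packet that appears to come from the far LAN.
    run iptables -A INPUT -p gre -s "$REMOTE" -j ACCEPT
    run iptables -A INPUT -p gre -j DROP

    # Forward only LAN-to-LAN traffic over the tunnel, in both directions.
    run iptables -I FORWARD 1 -i "$TUN" -s "$PEER_LAN" -d "$LAN" -j ACCEPT
    run iptables -I FORWARD 2 -o "$TUN" -s "$LAN" -d "$PEER_LAN" -j ACCEPT

    # Internet-bound traffic leaving eth0 is masqueraded, as in the post.
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # The tunnel. MTU 1476 = 1500 minus the 20-byte outer IP header and the
    # 4-byte GRE header; setting it explicitly keeps fragmentation predictable.
    run ip tunnel add "$TUN" mode gre remote "$REMOTE" local "$LOCAL" ttl 255
    run ip link set dev "$TUN" mtu 1476 up
    run ip addr add "$TUN_ADDR" dev "$TUN"
    run ip route add "$PEER_LAN" dev "$TUN"
}

# gre_check SIDE: link state and counters, then a ping from our LAN gateway
# address to the peer's LAN gateway, which only succeeds through the tunnel.
gre_check() {
    site_params "$1" || return $?
    run ip -s link show dev "$TUN"
    run ping -c 3 -I "$LAN_GW" "$PEER_GW"
}

# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    gre_up "$1"
    gre_check "$1"
fi
```

The INPUT rules matter more than they look: with the post's plain "-i TunnelA -j ACCEPT" forward rule, any host that can reach 123.234.123.1 could send GRE packets with a forged outer source and have their payload forwarded into 10.1.2.0/24. Restricting protocol 47 to the peer address narrows that to the peer itself; for real confidentiality and authentication the GRE tunnel still needs to be wrapped in IPsec or replaced by OpenVPN, which the post mentions for the mobile case.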

Ok that’s it for now. Keep safe and stop global warming.

The URI to TrackBack this entry is: http://medwinz.blogsome.com/2008/08/12/how-to-make-site-to-site-vpn-connection-in-linux/trackback/
