Ubuntu - VPN - OpenVPN - L3 Tunneling

With L3 tunneling, the OpenVPN server routes the client's traffic to its destination.

An L3 tunnel is easier to implement, as nothing in the existing infrastructure needs to change.


Create the server config

/etc/openvpn/server_l3.conf
# Port.
port 1194
 
# TCP or UDP.
proto tcp-server
mode server
tls-server
 
# tun or tap device.
# tun is an IP (layer 3) tunnel.
# tap is an Ethernet (layer 2) tunnel.
dev tun
 
# VPN subnet: the server takes the first address, clients get the rest.
server 10.0.0.0 255.255.255.0
 
# Paths to the certs.
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/test.domain.local.crt
key /etc/openvpn/easy-rsa/keys/test.domain.local.key
 
# Diffie-Hellman parameters.
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
 
# Ciphers.
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
# Only accept peers whose certificate is marked as a client certificate.
remote-cert-tls client
 
# Send a ping-like packet every 10 seconds;
# restart the connection if nothing is received for 120 seconds.
keepalive 10 120
 
# HMAC digest for packet authentication.
auth SHA512
 
# Compression (deprecated in current OpenVPN releases).
comp-lzo
 
# Drop privileges once the connection is established.
user nobody
group nogroup
 
# Needed because user nobody/group nogroup cannot re-read keys or re-open the tun device on restart.
persist-key
persist-tun
 
# Log verbosity: 0 for production, 5 for testing.
verb 0

NOTE: Ensure the file name ends with .conf.

  • An unused IP subnet is needed.
  • This IP subnet is used by the server and the clients to communicate with each other.
  • The clients also get their IP addresses from this subnet, assigned by the OpenVPN server.

Create the client config

client

# Allow the server to change its source address (e.g. behind NAT).
float

dev tun

# tcp or udp.
proto tcp-client

remote test.domain.local 1194

# Paths to the certs (relative to the config directory).
ca ca.crt
cert client.domain.local.crt
key client.domain.local.key

cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2

# Pin the expected server certificate name.
verify-x509-name test.domain.local name

# Only accept a peer whose certificate is marked as a server certificate.
remote-cert-tls server

# Destinations that are routed through the tunnel.
route 123.123.123.123 255.255.255.255
route 234.234.234.234 255.255.255.255
route 192.168.2.0 255.255.255.0

auth SHA512

nobind
comp-lzo
persist-key
persist-tun
verb 1

NOTE: The client config contains the necessary certificate entries and some individual routing entries.

  • The individual routing entries make sure that traffic to those destinations is routed through the tunnel.
  • All other traffic uses the normal default gateway configured on the client.

NOTE: To redirect all traffic through the tunnel, remove the individual routing entries and add this entry instead:

redirect-gateway

If everything is working correctly, the client can connect to the server.

ubuntu/vpn/openvpn/l3_tunneling.1625243500.txt.gz · Last modified: 2021/07/02 16:31 by peter