March 18, 2014 at 14:51Raise a VPN tunnel from the world home bypassing NAT
- Tutorial
. 
I want to tell you about how, having your VPS server on the Internet, you can raise the tunnel to your home network. And at the same time, not paying for a static IP provider, and even being behind NAT, will still make your home services available on the Internet.
First of all, install and configure OpenVPN server on our VPS:
Edit the configuration file:
Here 10.9.8.x will be our VPN network, in which we will assign the address 10.9.8.1 to the VPN server, and the address 10.9.8.2 to the VPN client.
The last line is the static route that is needed so that our VPS knows that the path to our home network lies through the router
. We also need to generate a key with which our router will connect to the server:
And you can run the daemon:
Now install OpenVPN on our router from which we will initialize the VPN connection:
Copy the key to our router using scp :
Edit the interface configuration:
as alexdob said :
And check if everything works for us:
If everything is ok, then run and add the OpenVPN daemon to autorun:
Now configure routing.
In order for our router to pass our server to the home network, and the machines from the home network to the server, you need to add the following rules to the router.
Create a file and write these rules into it:
Let's make it executable:
And add it to /etc/rc.local for autorun:
You need to add before exit 0
In principle, everything is ready.
Our networks are connected, all machines see each other perfectly and exchange packets.
Now, if desired, you can configure port forwarding from external to internal address.
So, for example, the ssh port forwarding to one of the machines in my home network looks like:
Where XX.XX.XX.XXX is the external server IP, 192.168.1.200 is the IP of my machine inside the home network, 666 is the port when I access this machine.
PS: If you can’t get something, make sure that your VPS is there and all the kernel modules necessary for this are connected
When writing the article, I used information from the following sources:
I want to tell you about how, having your VPS server on the Internet, you can raise the tunnel to your home network. And at the same time, not paying for a static IP provider, and even being behind NAT, will still make your home services available on the Internet.
Initial data
- VPS server on debian with static real IP
- router with OpenWRT firmware, which is located behind the provider NAT
- home network with computers and virtual machines in 192.168.1.0/24
Tunnel setup
First of all, install and configure OpenVPN server on our VPS:
apt-get update
apt-get install openvpn
Edit the configuration file:
vi /etc/openvpn/tun0.conf
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
route 192.168.1.0 255.255.255.0
Here 10.9.8.x will be our VPN network, in which we will assign the address 10.9.8.1 to the VPN server, and the address 10.9.8.2 to the VPN client.
The last line is the static route that is needed so that our VPS knows that the path to our home network lies through the router
. We also need to generate a key with which our router will connect to the server:
openvpn --genkey --secret static.key
And you can run the daemon:
service openvpn start
Now install OpenVPN on our router from which we will initialize the VPN connection:
opkg update
opkg install openvpn
Copy the key to our router using scp :
scp root@your-server.org:/etc/openvpn/static.key /etc/openvpn/static.key
Edit the interface configuration:
vi /etc/openvpn/tun0.conf
remote your-server.org
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
keepalive 60 120
as alexdob said :
keepalive 60 180
Means the following: send ping to a remote host every 60 seconds, and if no packets were received in 180 seconds, then restart the tunnel.
And check if everything works for us:
openvpn --config /etc/openvpn/tun0.conf
If everything is ok, then run and add the OpenVPN daemon to autorun:
/etc/init.d/openvpn start
/etc/init.d/openvpn enable
Routing
Now configure routing.
In order for our router to pass our server to the home network, and the machines from the home network to the server, you need to add the following rules to the router.
Create a file and write these rules into it:
vi /etc/iptables.up.rules
#!/bin/sh
#Allow forwarding via tunnel
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
Let's make it executable:
chmod +x /etc/iptables.up.rules
And add it to /etc/rc.local for autorun:
/etc/iptables.up.rules
You need to add before exit 0
In principle, everything is ready.
Our networks are connected, all machines see each other perfectly and exchange packets.
Now, if desired, you can configure port forwarding from external to internal address.
So, for example, the ssh port forwarding to one of the machines in my home network looks like:
# Forward SSH port to server
iptables -t nat -A PREROUTING -d XX.XX.XX.XXX -p tcp --dport 666 -j DNAT --to-dest 192.168.1.200:22
iptables -t nat -A POSTROUTING -d 192.168.1.200 -p tcp --dport 22 -j SNAT --to-source 10.9.8.1
Where XX.XX.XX.XXX is the external server IP, 192.168.1.200 is the IP of my machine inside the home network, 666 is the port when I access this machine.
PS: If you can’t get something, make sure that your VPS is there and all the kernel modules necessary for this are connected
Sources
When writing the article, I used information from the following sources: