Local Area Network

Our company has groups of servers in different data centers and even different cities; at the moment we use six data centers. Most of the servers exchange traffic intensively, and the data exchange protocols do not always provide the necessary level of protection. We therefore decided to create a common local area network spanning all of our servers. We rejected a routed OpenVPN design because the architecture of such networks is excessively cumbersome. In our opinion the simplest and most convenient option is a flat peer-to-peer network, that is, a single bridged Layer 2 segment in which every server sees every other server as a neighbour. Below we describe in detail how to create and configure it.

To create it we use OpenVPN and bridge-utils.
A standard OpenVPN network consists of one or more OpenVPN servers and the clients that connect to them. OpenVPN supports both TCP and UDP transports. Since there is no traffic filtering between our dedicated servers, UDP is the better choice; it also performs better, because it avoids carrying TCP inside TCP.

The first server

The first server (in fact our traffic exchange point) is configured according to the standard scheme. Since Debian is installed on most of our servers, the instructions below take the specifics of that OS into account.

aptitude install openvpn openvpn-blacklist
cd /etc/openvpn/
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys


Edit /etc/openvpn/easy-rsa/vars as follows:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"
export KEY_SIZE=2048
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MSK"
export KEY_CITY="Samara"
export KEY_ORG="Regtime Ltd."
export KEY_EMAIL="support@regtime.net"


Then, following the standard easy-rsa procedure, generate the CA, the server certificate and the Diffie-Hellman parameters:

cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server servername
./build-dh


We create a minimal server config in /etc/openvpn/udp-server. Many more parameters can be specified; the tuning possibilities are very wide. Since this port is reachable from the Internet, a practitioner would normally also add a tls-auth key (generate it with openvpn --genkey --secret keys/ta.key, then tls-auth keys/ta.key 0 on the server and tls-auth keys/ta.key 1 on every client) so that packets without a valid HMAC are dropped before the TLS handshake even starts.

dev tap0
proto udp
port 1194
ca keys/ca.crt
cert keys/servername.crt
key keys/servername.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.208 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-udp
verb 3
client-to-client
client-config-dir ccd-udp
log-append /var/log/openvpn-udp.log
comp-lzo
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"


We enable it (the Debian init script starts every *.conf file in /etc/openvpn) and start the server:

ln -s udp-server udp-server.conf
/etc/init.d/openvpn start


Pay attention to the last three lines of the config. script-security 2 permits OpenVPN to execute external scripts, and the up and down hooks attach the tap interface to the bridge when the tunnel comes up and dismantle the bridge when it goes down; this is what makes the server a member of the peer-to-peer (bridged) network. In our setup only the UDP server is bridged; the TCP server for employees described below uses a routed tun interface. One caveat: once user nobody and group nogroup take effect the down hook no longer runs as root, so if lan0 stop fails on shutdown, run it through the openvpn-plugin-down-root.so plugin that ships with OpenVPN instead of the plain down directive. The script itself, /etc/init.d/lan0, looks like this:
#!/bin/bash

### BEGIN INIT INFO
# Provides:          lan0
# Required-Start:    $network $remote_fs $syslog openvpn
# Required-Stop:     $network $remote_fs $syslog openvpn
# Should-Start:
# Should-Stop:
# X-Start-Before:    $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive:     true
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: lan0 service
### END INIT INFO

. /lib/lsb/init-functions

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Bridge name, the tap interface(s) created by OpenVPN, and the physical
# interface facing the other servers. The address configured on $eth moves
# to the bridge while the bridge is up.
br="lan0"
tap="tap0"
eth="eth1"
eth_ip="172.18.5.2"
eth_netmask="255.255.255.0"
eth_broadcast="172.18.5.255"

case "$1" in
start)
    # Create the bridge and enslave the physical interface and the tap(s).
    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    # Bridge ports carry no address of their own and must be promiscuous.
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done

    ifconfig $eth 0.0.0.0 promisc up

    # The LAN address now lives on the bridge.
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;

stop)
    # Tear the bridge down and give the address back to the physical interface.
    ifconfig $br down
    brctl delbr $br

    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;
*)
    echo "usage: lan0 {start|stop}"
    exit 1
    ;;
esac
exit 0


The same script can be registered with rc.d so that it runs at boot:

update-rc.d lan0 defaults


The sequence for a manual start is as follows:

/etc/init.d/openvpn start
/etc/init.d/lan0 start

and for a manual stop:

/etc/init.d/lan0 stop
/etc/init.d/openvpn stop


Note that when OpenVPN is restarted, lan0 has to be brought up again; the up hook normally does this, but in some cases it has to be done by hand. A cron job that re-runs lan0 start whenever tap0 exists but is not yet a port of the bridge looks like this:

[ -n "$(/sbin/ifconfig tap0 2>/dev/null)" ] && [ -z "$(/usr/sbin/brctl show | grep tap0)" ] && /etc/init.d/lan0 start


The server is ready! Now we need to create keys and certificates for the clients.

Clients

On the server, create a certificate for each client that will connect from outside:

cd /etc/openvpn/easy-rsa
. ./vars
./build-key client


Of course, the name of each client (here client) must be unique.
After entering and confirming the certificate data, the following files appear in /etc/openvpn/keys:

client.crt
client.csr
client.key


On the client side we need the following files from the /etc/openvpn/keys directory on the server (client.key is the client's private key: copy it over a secure channel such as scp and do not leave stray copies of it lying around):

ca.crt
client.key
client.crt


Also on the client side install OpenVPN:

aptitude install openvpn openvpn-blacklist
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys


Copy the key and certificates to /etc/openvpn/keys and create the simplest config, /etc/openvpn/client.conf (server here stands for the hostname or IP address of the first server):

dev tap0
proto udp
client
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3
status /dev/shm/client-status-udp
log /var/log/openvpn-client.log
ping 10
ping-restart 1800
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"


To join the common peer-to-peer network the client uses the same lan0 script as the server, with eth_ip (and eth, if the interface name differs) corrected to the client's own values.

Multiple Servers

A network can have several traffic exchange points. In that case a client must be able to connect to any of them and end up in the same network. There is nothing complicated about it: configure any number of servers as described above. But there are two nuances.
1. Each server must hand out its own, non-overlapping range of IP addresses.
This is achieved by changing a single line in each server's config so that every server's pool is a different block inside the bridged LAN, for example on the first server:

server 172.18.5.208 255.255.255.240
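
As an added example (not code from the original article), here is a small Python check for this first nuance: it reads the server line from each server's config and reports pools whose network address has host bits set, that lie outside the bridged LAN, that overlap another server's pool, or that swallow a statically addressed bridged host. The LAN, the static host list and the sample configs are constructed here; the fourth sample repeats the article's tcp-server line, whose 172.18.5.248 with mask 255.255.255.240 is not a network address (the /28 boundary is .240), and the check flags it.

```python
"""Sanity-check the address pools of several OpenVPN servers that share one
bridged LAN (added example, not part of the original article)."""
import ipaddress
import re

# The bridged segment that lan0 sits on (eth_ip/eth_netmask in the lan0 script).
LAN = ipaddress.ip_network("172.18.5.0/24")

# Static addresses the lan0 script gives the bridged hosts themselves (constructed).
STATIC_HOSTS = ["172.18.5.2", "172.18.5.3", "172.18.5.230"]

# Constructed sample configs modelled on the article's udp-server/tcp-server.
# dc3 reuses part of dc1's range, and dc1/tcp-server repeats the article's
# tcp-server line, whose network address has host bits set for a /28 mask.
SAMPLE_CONFIGS = {
    "dc1/udp-server": "dev tap0\nproto udp\nserver 172.18.5.208 255.255.255.240\n",
    "dc2/udp-server": "dev tap0\nproto udp\nserver 172.18.5.224 255.255.255.240\n",
    "dc3/udp-server": "dev tap0\nproto udp\nserver 172.18.5.216 255.255.255.248\n",
    "dc1/tcp-server": "dev tun0\nproto tcp\nserver 172.18.5.248 255.255.255.240\n",
}

SERVER_RE = re.compile(r"^\s*server\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def pool_of(config_text):
    """Network handed out by the config's 'server' directive.

    strict=True makes ipaddress reject a network address with host bits set
    (172.18.5.248/28 -> ValueError), which is exactly what should be caught.
    """
    m = SERVER_RE.search(config_text)
    if not m:
        raise ValueError("no 'server' directive")
    network, netmask = m.groups()
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)


def check_pools(configs, static_hosts=()):
    """Return a list of problems (empty when every pool is usable).

    Checked: each pool parses, lies inside the bridged LAN, does not overlap
    another server's pool, and does not contain a statically addressed host.
    """
    problems = []
    pools = {}
    for name, text in configs.items():
        try:
            pools[name] = pool_of(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")

    for name, pool in pools.items():
        if not pool.subnet_of(LAN):
            problems.append(f"{name}: pool {pool} lies outside the bridged LAN {LAN}")

    names = sorted(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a].overlaps(pools[b]):
                problems.append(f"{a} and {b}: pools {pools[a]} and {pools[b]} overlap")

    for host in static_hosts:
        addr = ipaddress.ip_address(host)
        for name, pool in pools.items():
            if addr in pool:
                problems.append(f"{name}: static host {host} falls inside pool {pool}")
    return problems


if __name__ == "__main__":
    for line in check_pools(SAMPLE_CONFIGS, STATIC_HOSTS) or ["all pools OK"]:
        print(line)
```

Point it at the real configs (one entry per server, read from /etc/openvpn/udp-server and friends) and at the eth_ip values from every lan0 script before adding a new exchange point; a pool that overlaps another server's pool or a static address leads to duplicate addresses on the bridge, which is very hard to diagnose after the fact.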


2. You need to synchronize certificates between the OpenVPN servers.
The simplest solution is to copy the /etc/openvpn/keys directory over ssh. A better way is rsync.
For two-way exchange we need two scripts: one to upload updates (push) and one to download them (pop). Note the trailing slashes on both paths: without them rsync would create /etc/openvpn/keys/keys on the destination instead of updating the directory in place. The original scripts also selected the arcfour cipher with ssh -c arcfour to save CPU; modern OpenSSH no longer offers RC4, so that option is omitted here.
Upload - push
#!/bin/bash
# push: upload our /etc/openvpn/keys to remotehost

export RSYNC_RSH="ssh -o Compression=no -x -l root"

rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    /etc/openvpn/keys/ remotehost:/etc/openvpn/keys/

Update - pop
#!/bin/bash
# pop: download /etc/openvpn/keys from remotehost

export RSYNC_RSH="ssh -o Compression=no -x -l root"

rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    remotehost:/etc/openvpn/keys/ /etc/openvpn/keys/


Note the --delete-after switch: after the transfer it deletes from the destination any files that do not exist on the source. That is, pop deletes locally everything that is not on remotehost, and push deletes on remotehost everything that is not here. The -u flag skips files that are newer on the destination, with --modify-window=10 allowing ten seconds of clock skew, and -aHAX --numeric-ids --sparse preserves permissions, hard links, ACLs, extended attributes, numeric owners and sparse files.

The order of key updates is also important. Under normal circumstances new keys and certificates are created on the first (main) OpenVPN server and everyone else receives updates from it via pop, so push is not needed at all. If necessary, new users can be added on any server; then you first need to push from that server to upload them, and then pop on all the other OpenVPN servers.

Since the exchange goes over ssh, all servers need to exchange root ssh keys. Generate a key with

ssh-keygen -t rsa -b 2048


and copy it with

ssh-copy-id root@remotehost


Note that root login over ssh must be permitted on all these servers. For security, disable password authentication in /etc/ssh/sshd_config so that root can only log in with a key:

PermitRootLogin yes
PasswordAuthentication no


PermitRootLogin without-password (spelled prohibit-password in OpenSSH 7.0 and newer) expresses the same restriction explicitly and keeps it in force even if password authentication is later re-enabled for other accounts. Bear in mind also that /etc/openvpn/keys contains ca.key, the CA private key: copying it is what lets certificates be issued on any server, but it also means that a compromise of any one server is a compromise of the CA.


Now, after adding a new client, run push on the server where the key was added and pop on all the other OpenVPN servers.

People

Sometimes employees need to work outside the office but still need access to the local network. This is also easy to implement within lan0. But since there is no certainty about the employees' operating systems or the traffic filtering on the networks they connect from, it is better to use the slower but less demanding TCP transport for them.

Config /etc/openvpn/tcp-server:
dev tun0
proto tcp
port 1194
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.248 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-tcp
verb 3
client-to-client
client-config-dir ccd-tcp
push "route 172.18.5.0 255.255.255.0"
log-append /var/log/openvpn-tcp.log
comp-lzo


Two things to check before relying on this config. First, 172.18.5.248 with mask 255.255.255.240 is not a network address (the /28 boundary is 172.18.5.240); use 172.18.5.240 255.255.255.240 or 172.18.5.248 255.255.255.248 so that the pool is a proper block that does not collide with the UDP pools. Second, tun clients reach the bridged LAN only if the server forwards for them: enable net.ipv4.ip_forward=1, and because the tun pool lies inside the bridged 172.18.5.0/24, hosts on the LAN will ARP for the tun clients' addresses, so either enable proxy ARP on lan0 (net.ipv4.conf.lan0.proxy_arp=1) or give the LAN hosts a more specific route to the pool via this server.

The key and certificate are prepared in the same way as for UDP. The config for such a connection is even slightly simpler, client.ovpn (again, server stands for the hostname or IP address of the server):

client
proto tcp
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo


Clients for other operating systems are best downloaded from the official site: openvpn.net
