14 Apr 2008 fab   » (Master)

NetworkManager, broadband network connection and VPN

I described in a previous post how to use NetworkManager in Fedora 8 to connect to a broadband network provider with the Huawei-E172 USB 3G+ key. The natural next step is to use this wireless link to set up a VPN connection over this insecure network. The cherry on the cake is the integration of the VPN client into NetworkManager, with a single applet managing all the magic.

An openvpn plugin is available for NetworkManager, so the client configuration is basically limited to a few clicks in the GUI. The server config file (/etc/openvpn/server.conf) looks like this:

port 1194
dev tun

tls-server
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem

mode server
ifconfig 192.168.129.1 192.168.129.2
ifconfig-pool 192.168.129.4 192.168.129.255

push "route 192.168.129.1 255.255.255.255"
push "route 192.168.128.0 255.255.255.0"
push "dhcp-option DOMAIN example.com"
push "dhcp-option DNS 192.168.128.1"

keepalive 10 60
inactive 600
route 192.168.129.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key

verb 3

This configuration is basically the same as the roadwarrior-server.conf example provided in the documentation directory of the Fedora openvpn package. In this file, the openvpn server is configured for a tun-style tunnel (instead of an ethernet tunnel using ethernet bridging), it pushes routes to the internal local network 192.168.128.0/24, and it advertises the local DNS server. Clients are allocated addresses in the subnet 192.168.129.0/24, which also holds the addresses of the virtual tunnel endpoints. The certificates are generated with the easy-rsa scripts; many details on certificate generation are available on the web.

Some iptables rules are also needed (eth0 being the outgoing interface of the VPN server box):

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.129.0/24 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport openvpn -j ACCEPT
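As an added example (not code from the original post), here is a small Python linter that parses a server.conf like the one above together with the iptables rules just listed, and cross-checks the points the text relies on: TLS with a full certificate chain, the privilege drop with persist-key and persist-tun so that a restart still works after root is gone, a client pool that lies inside the tunnel network without overlapping the pushed LAN route, and a firewall that opens the listening port on eth0 and lets replies back into the tunnel network. Both inputs are constructed copies of the post's configuration (the timing, logging and dhcp-option lines are left out of the copy); the /etc/services lookup is reduced to a one-entry table and the rule parser only understands the options the post's rules use, both of which are simplifications made here.

```python
import ipaddress
import shlex

# Constructed copy of the post's server.conf (timing, logging and dhcp-option lines omitted).
SERVER_CONF = """
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
ifconfig 192.168.129.1 192.168.129.2
ifconfig-pool 192.168.129.4 192.168.129.255
push "route 192.168.129.1 255.255.255.255"
push "route 192.168.128.0 255.255.255.0"
route 192.168.129.0 255.255.255.0
user openvpn
group openvpn
persist-tun
persist-key
"""

# Constructed copy of the post's iptables rules.
IPTABLES_RULES = """
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -d 192.168.129.0/24 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport openvpn -j ACCEPT
"""

SERVICE_PORTS = {"openvpn": 1194}  # stand-in for the /etc/services lookup
OPTION_NAMES = {"-t": "table", "-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-d": "dst", "--dport": "dport", "-j": "target"}


def parse_openvpn_conf(text):
    """Map each directive to the argument lists it appears with; comments and
    blank lines are dropped and the quoted payload of 'push' is split as well."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = shlex.split(line)
        if name == "push" and args:
            args = shlex.split(args[0])
        conf.setdefault(name, []).append(args)
    return conf


def parse_iptables(text):
    """Turn 'iptables -A CHAIN ...' command lines into option dicts."""
    rules = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens[:1] != ["iptables"]:
            continue
        rule = {"table": "filter"}  # iptables' default table
        for opt, val in zip(tokens[1::2], tokens[2::2]):
            rule[OPTION_NAMES[opt]] = val
        rules.append(rule)
    return rules


def network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(conf, rules):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    for d in ("tls-server", "ca", "cert", "key", "dh"):
        if d not in conf:
            findings.append(f"missing '{d}': TLS with a full certificate chain is required")
    # Drop root after start-up; persist-* keeps key and tun usable across restarts.
    for d in ("user", "group"):
        if conf.get(d, [["root"]])[0][0] == "root":
            findings.append(f"'{d}' is root or unset: the daemon keeps full privileges")
    for d in ("persist-key", "persist-tun"):
        if d not in conf:
            findings.append(f"missing '{d}': required once privileges are dropped")
    # Address plan: pool inside the tunnel network, no pushed LAN route overlapping it.
    tunnel = network(*conf["route"][0])
    lo, hi = (ipaddress.ip_address(a) for a in conf["ifconfig-pool"][0])
    if lo not in tunnel or hi not in tunnel:
        findings.append(f"ifconfig-pool {lo}-{hi} is not inside {tunnel}")
    for args in conf.get("push", []):
        net = network(args[1], args[2]) if args[0] == "route" else None
        if net and net.prefixlen < 32 and net.overlaps(tunnel):
            findings.append(f"pushed route {net} overlaps the tunnel network {tunnel}")
    # Firewall: listening port open on eth0, replies allowed back into the tunnel.
    port = int(conf["port"][0][0])
    if not any(r.get("chain") == "INPUT" and r.get("proto") == "udp"
               and int(SERVICE_PORTS.get(r.get("dport"), r.get("dport", 0))) == port
               for r in rules):
        findings.append(f"no INPUT rule accepts udp/{port}")
    if not any(r.get("chain") == "FORWARD" and r.get("out") == "tun0"
               and ipaddress.ip_network(r.get("dst", "0.0.0.0/0")) == tunnel for r in rules):
        findings.append(f"no FORWARD rule admits traffic back into {tunnel} on tun0")
    return findings


if __name__ == "__main__":
    print(lint(parse_openvpn_conf(SERVER_CONF), parse_iptables(IPTABLES_RULES)) or "no findings")
```

Run as is, the linter reports no findings for the post's configuration; deleting the user line or the udp rule from the inputs shows the kind of message a mismatch produces. Pointing SERVER_CONF and IPTABLES_RULES at real files is a one-line change, and the checks are the ones to keep running whenever either file is edited, since the tunnel subnet appears in both.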

If you use Fedora 8 and NetworkManager version 0.7.0-0.6.7.svn3370 from the updates-testing repository, this supplementary patch is also needed:

--- NetworkManager-0.7.0.orig/src/NetworkManagerSystem.c        2008-01-21 16:21:00.000000000 +0100 
+++ NetworkManager-0.7.0/src/NetworkManagerSystem.c     2008-04-13 23:18:03.000000000 +0200 
@@ -347,7 +347,7 @@ 
  
        /* Set up a route to the VPN gateway through the real network device */ 
        if (active_device && (ad_config = nm_device_get_ip4_config (active_device))) { 
-               nm_system_device_set_ip4_route (nm_device_get_iface (active_device), 
+               nm_system_device_set_ip4_route (nm_device_get_ip_iface (active_device), 
                                                                  ad_config, 
                                                                  nm_ip4_config_get_gateway (ad_config), 
                                                                  nm_ip4_config_get_gateway (config), 
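Review bot: the switch from nm_device_get_iface() to nm_device_get_ip_iface() on the added line is what puts the host route to the VPN gateway on the interface that actually carries IP (the ppp link of the 3G modem rather than the modem's own device name), but the hunk does not show whether nm_device_get_ip_iface() falls back to the plain iface for devices that never set a separate IP interface; check its body in nm-device.c, because a NULL here would be handed straight to nm_system_device_set_ip4_route().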
--- NetworkManager-0.7.0.orig/src/nm-device.h   2008-01-09 19:10:15.000000000 +0100 
+++ NetworkManager-0.7.0/src/nm-device.h        2008-04-14 00:20:53.000000000 +0200 
@@ -122,6 +122,7 @@ 
  
 const char *   nm_device_get_udi               (NMDevice *dev); 
 const char *   nm_device_get_iface             (NMDevice *dev); 
+const char *   nm_device_get_ip_iface          (NMDevice *dev); 
 const char *   nm_device_get_driver    (NMDevice *dev); 
  
 NMDeviceType   nm_device_get_device_type       (NMDevice *dev); 
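Review bot: the new declaration is aligned with its neighbours, but nothing in the header says how nm_device_get_ip_iface() differs from nm_device_get_iface() on the line above it; a one-line comment (the interface carrying IP traffic versus the device's own interface) would keep future callers from picking the wrong one, since both return a const char * and read the same.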
--- NetworkManager-0.7.0.orig/src/nm-device.c   2008-02-21 04:16:11.000000000 +0100 
+++ NetworkManager-0.7.0/src/nm-device.c        2008-04-13 23:22:25.000000000 +0200 
@@ -248,7 +248,7 @@ 
 } 
  
  
-static const char * 
+const char * 
 nm_device_get_ip_iface (NMDevice *self) 
 { 
        g_return_val_if_fail (self != NULL, NULL);
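Review bot: dropping `static` is the minimal way to export the function and matches the prototype added to nm-device.h, but the g_return_val_if_fail (self != NULL, NULL) guard that follows now defines a contract for callers outside this file: the function can return NULL, so the new caller in NetworkManagerSystem.c must not assume a valid interface name comes back.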

This patch appeared upstream later and is available in the NetworkManager package from Rawhide, so you may prefer to rebuild that more recent version for Fedora 8 instead.

Configuring the VPN with the GUI is very simple. Be sure to copy the client certificate, the client key and the CA certificate from the server's easy-rsa directory to the client. Enter these file paths in the nm-applet openvpn configuration, set the IP address of your openvpn server, and that's all; the advanced settings can be left at their default values. The openvpn client behaviour, as driven by NetworkManager, is to add a direct route to the openvpn gateway via the existing network connection, and a default route for all other traffic through the VPN tunnel. So all traffic is encrypted, except the traffic directed to the openvpn server itself.
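The route behaviour just described, as an added example that is not part of the original post: a Python model of Linux route selection (longest prefix first, lower metric on ties) over a constructed table for a 3G link whose IP interface is assumed to be ppp0. The addresses come from RFC 5737 documentation ranges and the interface names and metrics are assumptions made here; NetworkManager installs its routes through the kernel, not through code like this. The point is to show why the /32 to the VPN server has to go via the existing link (the interface choice the patch above corrects), and what happens to traffic for the server itself when that host route is missing.

```python
import ipaddress

# Constructed table for a host on the 3G link of the post: ppp0 is assumed to be
# the modem's IP interface. Addresses are RFC 5737 documentation ranges chosen
# here, not values from the post.
PPP_PEER = "198.51.100.1"
VPN_SERVER = "203.0.113.10"
BASE_ROUTES = [  # (destination network, interface, gateway, metric)
    (ipaddress.ip_network("198.51.100.1/32"), "ppp0", None, 0),
    (ipaddress.ip_network("0.0.0.0/0"), "ppp0", PPP_PEER, 100),
]


def lookup(routes, dst):
    """Linux-style route selection: longest prefix wins, lower metric on ties.
    Returns (interface, gateway) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    _, iface, gateway, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface, gateway


def with_vpn(routes, ip_iface, ip_gateway, vpn_server, host_route=True):
    """Routes NetworkManager is described as adding when the tunnel comes up:
    a /32 to the VPN server via the existing link, then a default route through
    tun0. The metric 50 that lets tun0 win over the link's own default route is
    an assumption of this model."""
    added = []
    if host_route:
        added.append((ipaddress.ip_network(f"{vpn_server}/32"), ip_iface, ip_gateway, 0))
    added.append((ipaddress.ip_network("0.0.0.0/0"), "tun0", None, 50))
    return routes + added


def tunnel_would_loop(routes, vpn_server):
    """True if the encrypted packets for the VPN server would themselves be
    sent into tun0, i.e. the tunnel would try to carry its own transport."""
    hit = lookup(routes, vpn_server)
    return hit is not None and hit[0] == "tun0"


if __name__ == "__main__":
    table = with_vpn(BASE_ROUTES, "ppp0", PPP_PEER, VPN_SERVER)
    print("VPN server via", lookup(table, VPN_SERVER))      # the existing link, in clear
    print("other traffic via", lookup(table, "192.0.2.7"))  # tun0, encrypted
    broken = with_vpn(BASE_ROUTES, "ppp0", PPP_PEER, VPN_SERVER, host_route=False)
    print("loops without host route:", tunnel_would_loop(broken, VPN_SERVER))
```

The host route is what keeps the model consistent: with it, only the packets addressed to the openvpn server leave through the 3G link, everything else is resolved to tun0. Without it, the more specific match is gone and the default through tun0 would also swallow the tunnel's own transport packets, which is the failure the patched interface lookup avoids on a device whose IP interface is not its device name.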
