Intro
In my uni room I have a network connection. I'm a paranoid sort, so I want to encrypt all my traffic, except the traffic going to local (uni) sites. I'd also like to have more than one machine connected, and they only give you access for one MAC address at a time. Bummer.
This is how I did it
Configure the Network
First of all, I had to jump through all the hoops their silly authentication system requires. This includes installing antivirus (ew) and other such lameness. Once I'd authenticated my MAC on a Windows machine (pretty much the only thing it supports properly), I changed the MAC of the external interface on my *nix machine to match the one I'd just authenticated, plugged it in, set the IP to a properly routable one and voila, I have internets.
Next, I got the internal network up.
First I configured eth0 (the internal NIC; eth1 is the one facing the uni network) in /etc/network/interfaces:
allow-hotplug eth0
iface eth0 inet static
    address 10.0.0.254
    network 10.0.0.0
    netmask 255.255.255.0
Then I installed a DHCP server and a DNS server, and configured them appropriately for my netblock. The relevant part of /etc/dhcp3/dhcpd.conf:
...snip ....
# option definitions common to all supported networks...
option domain-name "home.naxxtor.com";
option domain-name-servers 10.0.0.254;
... snip ...
# NaxxNet Internal Configuration
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.1 10.0.0.230;
    option domain-name-servers 10.0.0.254;
    option domain-name "home.naxxtor.com";
    option routers 10.0.0.254;
    option broadcast-address 10.0.0.255;
    default-lease-time 600;
    max-lease-time 7200;
}
Now I plug a client into the internal network and voila, we have some lovely automagical networking. I check that the client can ping 10.0.0.254, and move on.
VPN
I decided not to mess around with OpenVPN as it's a bit of a nightmare, and went instead for PPP over SSH.
I followed the PPP SSH Mini HOWTO, and ended up with a ppp0 on my gateway here and one on a server in Amsterdam. I chose the addresses 10.0.1.1 and 10.0.1.2 for the VPN link; it's far from perfect (the link sits in the /24 right next to the internal one, so if I wanted to expand my network to more than 254 machines I'd have to renumber ... :P) but it works fine.
I tweaked the config so that the VPN would come up on boot, and everything's lovely
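What "PPP over SSH" actually boils down to is one pppd command line on the gateway. The script below is an added example written for this page, not the post's configuration or the mini-HOWTO's text: it shows the pppd invocation for the link described above, plus the authorized_keys line that restricts the gateway's SSH key on the server so it can only ever start pppd. The server name comes from the post; the key path, pppd path, ssh options and the "vpn" ipparam are assumptions. Addresses follow the post, with 10.0.1.2 on the gateway's end and 10.0.1.1 on the server's.

```shell
#!/bin/sh
# Added example (not the original post's configuration): the pppd-over-ssh
# invocation for the link described above, and the authorized_keys line that
# restricts the gateway's SSH key to starting pppd on the server. The server
# name is from the post; the key path, pppd path and ssh options are
# assumptions. Addresses follow the post: 10.0.1.2 on the gateway's end,
# 10.0.1.1 on the server's end.
VPN_HOST=vpn.naxxtor.com
VPN_USER=root                  # the mini-HOWTO runs pppd as root on both ends
VPN_KEY=/root/.ssh/vpn_key     # hypothetical: a key used for this link only
LOCAL_IP=10.0.1.2
REMOTE_IP=10.0.1.1
PPPD=/usr/sbin/pppd
# persist + maxfail 0: redial for ever, so the tunnel comes back by itself
# after either end reboots; the LCP echoes notice a dead SSH session and
# trigger that redial.
PPPD_OPTS="updetach noauth passive persist maxfail 0 lcp-echo-interval 10 lcp-echo-failure 3 ipparam vpn"

# The command pppd runs on its pty: a non-interactive ssh login that starts the
# peer pppd on the server's stdin/stdout (notty). PPP frames travel inside the
# encrypted SSH session; no extra port is opened on either side.
ssh_cmd() {
    printf '%s\n' "ssh -o BatchMode=yes -o ServerAliveInterval=15 -i $VPN_KEY $VPN_USER@$VPN_HOST $PPPD nodetach notty noauth"
}

# The complete local command line, as text, for review.
pppd_cmd() {
    printf '%s\n' "$PPPD $PPPD_OPTS pty \"$(ssh_cmd)\" $LOCAL_IP:$REMOTE_IP"
}

# Line for the server's ~/.ssh/authorized_keys. The forced command means that
# whatever the gateway's ssh asks for, the only thing this key can run is
# pppd; the other options rule out port forwarding and a pty.
authorized_keys_line() {
    printf '%s\n' "command=\"$PPPD nodetach notty noauth $REMOTE_IP:$LOCAL_IP\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $1"
}

case "${1:-}" in
    --up)   $PPPD $PPPD_OPTS pty "$(ssh_cmd)" "$LOCAL_IP:$REMOTE_IP" ;;  # bring the link up (root)
    --keys) authorized_keys_line "$2" ;;   # e.g. --keys "$(cat vpn_key.pub)"
    *)      pppd_cmd ;;                    # default: just print what --up would run
esac
```

Two things worth knowing before copying this. The tunnel rides on SSH, which is TCP, so every TCP connection inside it is TCP inside TCP; when the uni network drops packets, both layers retransmit and the link can stall for a while, which is the price of avoiding the OpenVPN setup the post mentions. And because the mini-HOWTO runs pppd as root on the server, the key on the gateway is effectively a root key for the Amsterdam box; the forced command in authorized_keys is what stops it being anything more than a tunnel endpoint if the gateway is ever compromised.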
Masquerading
Now, this bit was a bit trickier to get my head around. I had to use a double NAT, because there are two layers of routing involved: once on my gateway and once again on the VPN server.
If you recall from earlier, I wanted to still be able to access internal uni stuff with my "real" IP, while tunnelling all Internet traffic through my external machine.
Here's a little ASCII diagram
10.0.0.0/24 (Internal Network, eth0)
     |
     |
MASQUERADE to 10.0.1.2 (my gateway's end of ppp0)
     |
     |  VPN Link (PPP over SSH)
     |
10.0.1.1 (the VPN server's end of ppp0)
MASQUERADE to 84.x.x.x
     |
     |
0.0.0.0/0 (The Internet)
In order to get the behaviour I need, I add an extra rule at the Internal Network level (before the VPN). Traffic from 10.0.0.0/24 whose destination is within my uni's subnet goes out through my normal default gateway on eth1 (my 'external' NIC) and is masqueraded to my uni-assigned IP. Everything else from 10.0.0.0/24 goes down ppp0 and is masqueraded to 10.0.1.2; the far end, 10.0.1.1, is the default gateway for that traffic and masquerades it a second time to 84.x.x.x (my public IP on the remote machine). Note that it is the kernel routing table, not the NAT rules, that decides which interface a packet leaves by: the default route has to point at ppp0 and the uni subnet (and the VPN server) have to be routed via eth1, and the MASQUERADE rules then just rewrite the source address to suit whichever interface was chosen.
My nat table (iptables -t nat -L) looks something like this:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE 0    --  anywhere             anywhere             # ppp0
MASQUERADE 0    --  10.0.0.0/24          99.99.0.0/16         # eth1 # My uni's subnet
MASQUERADE 0    --  10.0.0.0/24          vpn.naxxtor.com      # eth1 # my VPN server

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The one external host that cannot be reached via the VPN is, of course, the VPN server itself: the SSH session that carries the tunnel has to get there over eth1, and you can't reach the far end of a tunnel through the tunnel itself. So there is an extra host route for it via the uni gateway in the routing table, and the matching masquerade rule for eth1 above.
Then, with a bit of iptables-save and iptables-restore magic, the configuration survives a reboot (iptables-save only records the rules; the routes and the ip_forward sysctl have to be restored separately).
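The table above is the end state; the script below is an added example written for this page, not the post's own script, that rebuilds it as iptables commands together with the routes it relies on and one thing the post's table doesn't have: a kill switch in the FORWARD chain so that LAN traffic can never leave via eth1 in the clear if ppp0 goes down and the default route falls back to the uni gateway. Assumptions: LAN on eth0, uni network on eth1, VPN on ppp0 with 10.0.1.2 as the gateway's end; the uni subnet 99.99.0.0/16 is taken from the table, while the uni gateway 99.99.0.1 and the VPN server's public address 84.0.0.1 are hypothetical placeholders (the post only shows 84.x.x.x and a hostname; iptables resolves a hostname once, when the rule is loaded, so the address is used here).

```shell
#!/bin/sh
# Added example, not the post's own script: the gateway's NAT rules from the
# table above as iptables commands, the routes they rely on, and a FORWARD
# kill switch so LAN traffic cannot leave via eth1 unencrypted when ppp0 is
# down. Assumptions: LAN on eth0, uni on eth1, VPN on ppp0 (gateway end
# 10.0.1.2); 99.99.0.0/16 is from the post, UNI_GW and VPN_SERVER are
# hypothetical placeholders (the post shows only 84.x.x.x and a hostname).
LAN_IF=eth0; LAN_NET=10.0.0.0/24
EXT_IF=eth1; UNI_NET=99.99.0.0/16; UNI_GW=99.99.0.1
VPN_IF=ppp0; VPN_SERVER=84.0.0.1

# Emit the commands as text so they can be reviewed (and tested) without
# root; --apply pipes them into sh on the gateway.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace $UNI_NET via $UNI_GW dev $EXT_IF
ip route replace $VPN_SERVER/32 via $UNI_GW dev $EXT_IF
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -d $UNI_NET -o $EXT_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_NET -d $VPN_SERVER -o $EXT_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -d $UNI_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -d $VPN_SERVER -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -j LOG --log-prefix "vpn-leak: "
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -j DROP
EOF
}

case "${1:-}" in
    --apply) build_rules | sh -e ;;   # run the commands (needs root)
    *)       build_rules ;;           # default: print them for review
esac
```

The first three lines are the bits the post only alludes to: forwarding has to be switched on, and the uni subnet and the VPN server need routes via eth1 that survive the default route being moved to ppp0. Moving the default route is deliberately not done here because it can only happen once the link is up; pppd's defaultroute option won't replace an existing default route, so an `ip route replace default dev ppp0` in an /etc/ppp/ip-up.d/ hook is the usual way. The server's end needs the mirror image, net.ipv4.ip_forward=1 and a MASQUERADE rule for 10.0.1.0/24 out of its public interface, which is the second NAT in the diagram. The last two FORWARD rules are the safety net: with the table as shown in the post, a dropped ppp0 plus a restored eth1 default route would send the LAN's Internet traffic out of the uni network in the clear; here it gets logged with a "vpn-leak:" prefix and dropped instead.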
Finished
And the result is that any traffic to Internet hosts gets routed through my VPN server, but I can still access local resources!
If you were to do this yourself, make sure that you have a machine, preferably in a datacenter somewhere, which you have root access on. I'm lucky in that JANET is peered with my provider, so I get potentially gigabit speeds between here and there (if my network port wasn't limited to 10 Mbit, that is ... *grumble*).