Archive for February, 2009
Linux VPN and bridging
by jammie on Feb.01, 2009, under networking, ubuntu
After many weeks of getting fed up with the Microsoft VPN client, I decided to give the Linux side of things a spin.
After a bit of searching I came across a page on the Ubuntu wiki which started to point me in the right direction.
For my VPN connection I had to remove the usepeerdns entry. Leaving it in place stopped the box from being able to see the net.
Now the server could see the VPN network, so I started to look into methods of making that network available to my other PCs. This stage was the hardest to find information for, and everyone's version seemed to be different.
This is what worked for me (I found my information here and here):
- I added ipt_MASQUERADE to the bottom of my /etc/modules file
- In /etc/ppp/ip-up I added the following:
if [ "${PPP_IPPARAM}" = "myvpn" ]; then
ip r a <vpn ip range>/8 via <vpn ip> dev "${PPP_IFACE}"
iptables -F; iptables -t nat -F;
iptables -t mangle -F
iptables -t nat -A POSTROUTING -o "${PPP_IFACE}" -j MASQUERADE
fi
- Bring up the connection using pon <yourconnection>. Test that you can ping the local network, the remote network and the internet.
- Secure it by adding the following before the fi in step 2:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "${PPP_IFACE}" -j ACCEPT   # "! -i" is the current negation syntax; "-i ! ppp0" is the old form and hardcodes the interface
iptables -P INPUT DROP #only if the first two are successful
iptables -A FORWARD -i "${PPP_IFACE}" -o "${PPP_IFACE}" -j REJECT
- Drop the previous connection using poff and then reconnect. The VPN connection should now be set up correctly and you should be able to ping local, VPN and external machines as before.
- Create a route on your PCs that points traffic for your VPN's IP range through the Linux system, and you should now have VPN access.
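The whole procedure as one script, added here as an example; it is not the post's own ip-up block. It keeps the post's route, MASQUERADE and ESTABLISHED,RELATED logic but puts the rules in their own chains instead of flushing everything, adds the ip-down half that undoes them on poff, and turns on IPv4 forwarding, which the steps above do not mention but which the box needs before it will forward anything. The peer name myvpn, the 10.0.0.0/8 range, the eth0 LAN interface and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the original post's script: the steps above as one
# script to install as both /etc/ppp/ip-up.d/vpn-share and
# /etc/ppp/ip-down.d/vpn-share. pppd exports PPP_IFACE, PPP_IPPARAM and
# PPP_REMOTE to these scripts. The peer name, VPN range and LAN interface
# below are assumptions, not values from the post.

VPN_PEER="myvpn"        # the name used with pon/poff
VPN_NET="10.0.0.0/8"    # placeholder for <vpn ip range>/8
LAN_IF="eth0"           # interface facing the PCs that will use the VPN

# With DRY_RUN set, print each command instead of running it, so the rule
# set can be reviewed or tested without root or a live VPN.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = ppp interface, $2 = peer (remote) address
vpn_ip_up() {
    iface="$1"; remote="$2"

    # Not in the original post, but nothing is forwarded without it.
    run sysctl -q -w net.ipv4.ip_forward=1

    run ip route add "${VPN_NET}" via "${remote}" dev "${iface}"

    # Own chains instead of "iptables -F": any other firewall rules survive,
    # and ip-down can remove exactly what ip-up added.
    run iptables -N VPN_IN  2>/dev/null || true
    run iptables -N VPN_FWD 2>/dev/null || true
    run iptables -F VPN_IN
    run iptables -F VPN_FWD
    run iptables -I INPUT   -i "${iface}" -j VPN_IN
    run iptables -I FORWARD -j VPN_FWD

    # Host: only replies come in from the VPN side (same effect as the post's
    # ESTABLISHED,RELATED / NEW rules plus policy DROP, limited to this link).
    run iptables -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A VPN_IN -j DROP

    # Forwarding: the LAN may open connections to the VPN, replies flow back,
    # nothing new comes from the VPN (that also covers the ppp->ppp hairpin).
    run iptables -A VPN_FWD -i "${LAN_IF}" -o "${iface}" -j ACCEPT
    run iptables -A VPN_FWD -i "${iface}" -o "${LAN_IF}" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A VPN_FWD -i "${iface}" -j REJECT

    # Hide the LAN addresses behind the VPN address, as in the post.
    run iptables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE
}

# $1 = ppp interface
vpn_ip_down() {
    iface="$1"
    run iptables -t nat -D POSTROUTING -o "${iface}" -j MASQUERADE || true
    run iptables -D INPUT   -i "${iface}" -j VPN_IN  || true
    run iptables -D FORWARD -j VPN_FWD               || true
    run iptables -F VPN_IN  && run iptables -X VPN_IN
    run iptables -F VPN_FWD && run iptables -X VPN_FWD
    # The route disappears with the interface; nothing to delete.
}

# Only act for our peer; ip-up.d and ip-down.d get the same file, so the
# directory in $0 decides which way we are going.
case "${PPP_IPPARAM:-}" in
    "${VPN_PEER}")
        case "$0" in
            */ip-down*) vpn_ip_down "${PPP_IFACE}" ;;
            *)          vpn_ip_up   "${PPP_IFACE}" "${PPP_REMOTE}" ;;
        esac ;;
esac
```

To see what the script would do before trusting it with a live link, run it with the pppd variables set by hand, e.g. `DRY_RUN=1 PPP_IPPARAM=myvpn PPP_IFACE=ppp0 PPP_REMOTE=10.1.2.3 sh /etc/ppp/ip-up.d/vpn-share`. One difference from the rules in the post is worth knowing: there, FORWARD keeps its default policy and only ppp-to-ppp traffic is rejected, so hosts on the VPN side can open connections to the PCs behind the box; the VPN_FWD chain above refuses anything new arriving on the ppp interface.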
I hope this helps people who are trying to set up a VPN connection and then share it between their local machines. The only thing I am now missing is DNS from the VPN. It's not a major problem at the moment, but it would be a nice feature to have. I will post my findings once I have had some time to investigate.