Friday, August 18, 2017

Putting the whole house on VPN through OpenSuse router

For years I've been running the internal network at the house through a PC running OpenSuse as the NAT/masquerade router instead of a dedicated router box. It lets me fiddle with things on my network more easily. I suppose a WRT54 could do the same, but I don't.

A few months ago, we learned that the FCC was probably going to damage net neutrality and allow ISPs to do deep packet inspection. My high-speed vendor is among those most likely to be scummy, but there are no alternatives with the same speed.

The solution is to run a VPN through the high-speed vendor to someplace that has good privacy guarantees, like, say, sonic.net, which is one of the best. I'd used them for DSL until the DSL was just too slow to tolerate.

Now, Sonic doesn't have a VPN account, but it does have an access account for $18/mo. This is kind of pricey, but I don't really mind because I trust them.

The problems were:

  1. When I connected with the openvpn software on the router, the inside hosts stopped getting NAT service through to the outside world.
  2. DNS was messed up.
  3. It wasn't set up to autostart on boot.

Much digression later, the solutions were relatively simple.

1. To make NAT work through the tunnel, the YaST firewall GUI won't do it; edit /etc/sysconfig/SuSEfirewall2 as root and add "tun0" (the interface openvpn creates and uses) to both the external-device list and the masquerade-device list:
FW_DEV_EXT="br0 eth0 tun0"
FW_MASQ_DEV="br0 tun0"
The change only takes effect when SuSEfirewall2 is restarted, which step 3 automates. Note also that the original external interfaces stay in the lists, so nothing here blocks internal traffic from being NATed straight out to the ISP whenever tun0 is absent: if the tunnel drops, the house silently falls back to the naked interface instead of losing connectivity.
2. Point the router's resolver away from the ISP's DNS servers to something better, like Google's public resolvers, by editing /etc/resolv.conf:

nameserver 8.8.8.8
nameserver 8.8.4.4
Two caveats. On OpenSuse, netconfig rewrites /etc/resolv.conf whenever an interface comes up, so to make this stick put NETCONFIG_DNS_STATIC_SERVERS="8.8.8.8 8.8.4.4" in /etc/sysconfig/network/config and run "netconfig update -f". And the queries themselves are still plain UDP: they are hidden from the ISP only because the default route now goes through tun0, and only for hosts that resolve via the router (or are handed these servers by DHCP) rather than talking to the ISP's resolvers directly.
3. Set up the boot automation so the tunnel comes up on its own. OpenSuse ships a templated unit, openvpn@.service, that runs /etc/openvpn/<name>.conf, so <yourhostname> below is simply whatever you name the config file.

  • copy your .ovpn file to /etc/openvpn/<yourhostname>.conf
  • change the auth-user-pass line in /etc/openvpn/<yourhostname>.conf to point to /etc/openvpn/creds.txt
  • create creds.txt with your user/pass, one per line
# cat /etc/openvpn/creds.txt
yourusername
yourpassword
#
  • protect your user/pass (this is your Sonic login in the clear, so the file must be owned by root and readable by root only)
# chmod 600 /etc/openvpn/creds.txt
  • edit yourhostname.conf to add
script-security 2
up /etc/openvpn/up.sh
(script-security 2 is the lowest level that lets openvpn run a user-supplied script. The up script runs as root once tun0 exists, before any user/group privilege drop in the config, which is why it is allowed to restart the firewall.)
  • create up.sh:
# cat /etc/openvpn/up.sh
#!/bin/bash
systemctl restart SuSEfirewall2
#
  • make up.sh executable
# chmod +x /etc/openvpn/up.sh
  • enable it at boot and fire it up with systemctl
# systemctl enable openvpn@<yourhostname>
# systemctl start openvpn@<yourhostname>
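Steps 1 to 3 are easy to get half right (tun0 in one firewall list but not the other, a world-readable creds.txt, an up.sh without its execute bit), and they fail silently: the tunnel comes up and the house keeps working, just not through it. The audit script below is an added example, not part of the original post or of openvpn. It checks each step against the paths used above (every function also takes the paths as arguments so it can be run against copies), and for the check that matters most it parses `ip route show` to confirm ordinary traffic is really routed via tun0. That last check assumes the provider's .ovpn uses redirect-gateway, which a whole-house tunnel needs; the 0.0.0.0/1 and 128.0.0.0/1 routes are how OpenVPN implements it. The same route check settles the DNS question in step 2: queries to 8.8.8.8 stay inside the tunnel only while that route is in place.

```shell
#!/bin/bash
# Added example (not from the original post): audit the router-as-VPN-gateway
# setup from steps 1-3.  Assumes the paths used in the post:
# /etc/sysconfig/SuSEfirewall2, /etc/openvpn/<name>.conf,
# /etc/openvpn/creds.txt and /etc/openvpn/up.sh.  Every check takes its
# path(s) as arguments so it can be pointed at copies.

# Step 1: 0 if tun0 appears in BOTH FW_DEV_EXT and FW_MASQ_DEV.
fw_has_tun0() {
    local fw="${1:-/etc/sysconfig/SuSEfirewall2}" ext masq
    ext=$(sed -n 's/^FW_DEV_EXT="\([^"]*\)".*/\1/p' "$fw")
    masq=$(sed -n 's/^FW_MASQ_DEV="\([^"]*\)".*/\1/p' "$fw")
    case " $ext " in *" tun0 "*) ;; *) return 1 ;; esac
    case " $masq " in *" tun0 "*) ;; *) return 1 ;; esac
}

# Step 3, "protect your user/pass": 0 if the credentials file exists, is
# owned by $2 (default root) and has no group/other permission bits at all.
creds_locked_down() {
    local f="${1:-/etc/openvpn/creds.txt}" owner="${2:-root}"
    [ -f "$f" ] || return 1
    [ "$(stat -c '%U' "$f")" = "$owner" ] || return 1
    case "$(stat -c '%a' "$f")" in [4-7]00) return 0 ;; *) return 1 ;; esac
}

# Step 3, config wiring: 0 if the OpenVPN config reads its login from the
# creds file, runs the up script at script-security 2, and the up script
# is executable (a non-executable up.sh is a silent no-op).
conf_wired_up() {
    local conf="$1" creds="${2:-/etc/openvpn/creds.txt}" up="${3:-/etc/openvpn/up.sh}"
    grep -qE "^auth-user-pass[[:space:]]+${creds}[[:space:]]*$" "$conf" || return 1
    grep -qE '^script-security[[:space:]]+2([[:space:]]|$)' "$conf" || return 1
    grep -qE "^up[[:space:]]+${up}[[:space:]]*$" "$conf" || return 1
    [ -x "$up" ]
}

# The check that matters: 0 if the routing table sends ordinary traffic
# through tun0.  OpenVPN's redirect-gateway (def1) adds 0.0.0.0/1 and
# 128.0.0.0/1 via the tunnel; together they beat the ISP default route
# without deleting it.  If either half is missing, the internal hosts are
# being NATed straight out to the ISP.  (Assumption: the provider's .ovpn
# uses redirect-gateway.)  Pass the output of `ip route show`.
default_via_tun0() {
    local routes="$1"
    printf '%s\n' "$routes" | grep -qE '^0\.0\.0\.0/1 .*dev tun0'   || return 1
    printf '%s\n' "$routes" | grep -qE '^128\.0\.0\.0/1 .*dev tun0' || return 1
}

# Run every check against the live system.  Exit status = number of failures.
audit() {
    local conf="$1" fails=0
    fw_has_tun0           || { echo "FAIL: tun0 missing from FW_DEV_EXT or FW_MASQ_DEV"; fails=$((fails+1)); }
    creds_locked_down     || { echo "FAIL: /etc/openvpn/creds.txt is not root-owned mode 600"; fails=$((fails+1)); }
    conf_wired_up "$conf" || { echo "FAIL: $conf lacks auth-user-pass/script-security/up, or up.sh is not executable"; fails=$((fails+1)); }
    default_via_tun0 "$(ip route show 2>/dev/null)" \
                          || { echo "FAIL: default route is not via tun0; traffic is bypassing the VPN"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: all checks passed"
    return "$fails"
}

# Usage: ./vpn-audit.sh /etc/openvpn/<yourhostname>.conf
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it as root with the config path, for example ./vpn-audit.sh /etc/openvpn/<yourhostname>.conf. Because the exit status is the number of failed checks, it drops straight into cron or a systemd timer to alert when the tunnel is down and the house has quietly fallen back to the naked interface.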

Now, when you boot, the system will automatically log in your openvpn connection and restart the firewall to NAT your internal network through the tunnel instead of the naked interface.

This is essentially transparent to the internal devices: they keep using the router as their default gateway and never have to log in to the VPN themselves.