IpCop ver 1.4.1 and Zerina 0.9.5b: create a vpn net-to-net connection with a Debian box

2928-934xFew days ago I was working on a old IPCOP Firewall setup: my goal was to connect the local LAN to another LAN in another office in a different location.
In the other site the firewall is a Debian-based (Debian+Firehol) device, and it is behind a NAT.

Situation
LAN site 1 (192.168.0.0/24) – IPCOP – WAN – Router/NAT – Debian+Firehol – LAN site 2 (10.18.10.0/24)

IpCop is equipped with Zerina for roadwarrior openvpn connections. Using Zerina it is impossible to setup to create a site-to-site (or net-to-net) vpn connection.

In other words: “Net-to-Net VPNs can only be created using IPsec. OpenVPN Net-to-Net is not yet implemented” (taken from IpCop Documentation).

The other problem is that in the other site Debian is behind a NAT, and for this reason it is impossible to use ipsec via strongswan or similar to connect to IpCop (or at least I’ve never managed to make them work) !

But… I needed a solution……….. Only for some weeks…. after that we will change all the devices….

I then had a great idea, I want to share with you, as perhaps it might be useful to someone else !

Warning: This is a terrible idea and I can’t believe I’m actually going to suggest it. But… it works…….

The idea was to create in IpCop another openvpn server that works in a different port. Pls see the next step.

In the IpCop setup.
1) Create a new openvpn cert for roadwarrior in IpCop/Zerina (in my case this new cert is named vpnTelefonia)
2) Create a new file /var/ipcop/ovpn/serverTel.conf

dev tun1
tun-mtu 1400
proto udp
port [REMOTE IP ADDRESS] 1196
tls-server
ca /var/ipcop/ovpn/ca/cacert.pem
cert /var/ipcop/ovpn/certs/servercert.pem
key /var/ipcop/ovpn/certs/serverkey.pem
dh /var/ipcop/ovpn/ca/dh1024.pem
ifconfig 10.90.10.1 10.90.10.2
route 10.18.10.0 255.255.255.0 10.90.10.2
status-version 1
status /var/log/ovpnserver.log 30
cipher BF-CBC
max-clients 100
tls-verify /var/ipcop/ovpn/verify
crl-verify /var/ipcop/ovpn/crls/cacrl.pem
user nobody
group nobody
persist-key
persist-tun
verb 3

Att: 10.18.10.0 255.255.255.0 is the network address in site2: you have to change accordingly.

3) In the file /etc/rc.d/rc.local add the next line (to start this new openvpn server on reboot)

openvpn --daemon --config /var/ipcop/ovpn/serverTel.conf

4) Add a rules that permit connection to WAN side to the port 1196/UDP
5) Reboot: at the end to check if all works you can launch the next from command line and verify that OpenVpn is listening on 1196/UDP

netstat -lpn

In Debian side.
6) Install openvpn
7) Put in /etc/openvpn the files taken from IpCop (vpnTelefonia.p12 and vpnTelefonia.conf).
8) Modify /etc/openvpn/vpnTelefonia.conf and add the next lines

..
ifconfig 10.90.10.2 10.90.10.1
route 192.168.0.0 255.255.255.0 10.90.10.1

Final result.

tls-client
client
dev tun
proto udp
tun-mtu 1400
remote <remote ip address> 1196
port 1196
pkcs12 vpnTelefonia.p12
ifconfig 10.90.10.2 10.90.10.1
route 192.168.0.0 255.255.255.0 10.90.10.1
cipher BF-CBC
verb 3
ns-cert-type server
log /var/log/openvpn-client.log

Att: 192.168.10.0 255.255.255.0 is the network address in site1: you have to change accordingly.

9) Modify Firehol rule in /etc/firehol/firehol.conf

....
interface tun0 vpnTel
policy accept

router vpnTel2lan inface tun0 outface eth0
route all accept

router lan2vpnTel inface eth0 outface tun0
route all accept
....

There ‘been helpful?