Few days ago I was working on a old IPCOP Firewall setup: my goal was to connect the local LAN to another LAN in another office in a different location.
In the other site the firewall is a Debian-based (Debian+Firehol) device, and it is behind a NAT.
LAN site 1 (192.168.0.0/24) – IPCOP – WAN – Router/NAT – Debian+Firehol – LAN site 2 (10.18.10.0/24)
IpCop is equipped with Zerina for roadwarrior openvpn connections. Using Zerina it is impossible to setup to create a site-to-site (or net-to-net) vpn connection.
In other words: “Net-to-Net VPNs can only be created using IPsec. OpenVPN Net-to-Net is not yet implemented” (taken from IpCop Documentation).
The other problem is that in the other site Debian is behind a NAT, and for this reason it is impossible to use ipsec via strongswan or similar to connect to IpCop (or at least I’ve never managed to make them work) !
But… I needed a solution……….. Only for some weeks…. after that we will change all the devices….
I then had a great idea, I want to share with you, as perhaps it might be useful to someone else !
Warning: This is a terrible idea and I can’t believe I’m actually going to suggest it. But… it works…….
The idea was to create in IpCop another openvpn server that works in a different port. Pls see the next step.
In the IpCop setup.
1) Create a new openvpn cert for roadwarrior in IpCop/Zerina (in my case this new cert is named vpnTelefonia)
2) Create a new file /var/ipcop/ovpn/serverTel.conf
dev tun1 tun-mtu 1400 proto udp port [REMOTE IP ADDRESS] 1196 tls-server ca /var/ipcop/ovpn/ca/cacert.pem cert /var/ipcop/ovpn/certs/servercert.pem key /var/ipcop/ovpn/certs/serverkey.pem dh /var/ipcop/ovpn/ca/dh1024.pem ifconfig 10.90.10.1 10.90.10.2 route 10.18.10.0 255.255.255.0 10.90.10.2 status-version 1 status /var/log/ovpnserver.log 30 cipher BF-CBC max-clients 100 tls-verify /var/ipcop/ovpn/verify crl-verify /var/ipcop/ovpn/crls/cacrl.pem user nobody group nobody persist-key persist-tun verb 3
Att: 10.18.10.0 255.255.255.0 is the network address in site2: you have to change accordingly.
3) In the file /etc/rc.d/rc.local add the next line (to start this new openvpn server on reboot)
openvpn --daemon --config /var/ipcop/ovpn/serverTel.conf
4) Add a rules that permit connection to WAN side to the port 1196/UDP
5) Reboot: at the end to check if all works you can launch the next from command line and verify that OpenVpn is listening on 1196/UDP
In Debian side.
6) Install openvpn
7) Put in /etc/openvpn the files taken from IpCop (vpnTelefonia.p12 and vpnTelefonia.conf).
8) Modify /etc/openvpn/vpnTelefonia.conf and add the next lines
.. ifconfig 10.90.10.2 10.90.10.1 route 192.168.0.0 255.255.255.0 10.90.10.1
tls-client client dev tun proto udp tun-mtu 1400 remote <remote ip address> 1196 port 1196 pkcs12 vpnTelefonia.p12 ifconfig 10.90.10.2 10.90.10.1 route 192.168.0.0 255.255.255.0 10.90.10.1 cipher BF-CBC verb 3 ns-cert-type server log /var/log/openvpn-client.log
Att: 192.168.10.0 255.255.255.0 is the network address in site1: you have to change accordingly.
9) Modify Firehol rule in /etc/firehol/firehol.conf
.... interface tun0 vpnTel policy accept router vpnTel2lan inface tun0 outface eth0 route all accept router lan2vpnTel inface eth0 outface tun0 route all accept ....
There ‘been helpful?