I own two properties, basically my primary and secondary homes. They both have an internet connection with a typical router setup for multiple devices, wifi, etc. in both places. I wanted to have them connected privately and had made some experiments with ssh (-w option); it worked but wasn't really stable or easy to cope with. I then decided to go for a solution based on openvpn. I finally got it to work, so I thought I would describe the whole thing for others to benefit.
These are the characteristics of the setup before I started:
HomeA is connected to the Internet via a cable modem and therefore does not have a fixed IP address. This is also where the ReadyNAS is physically located. The network there is 192.168.11.0/24, the router that sits on cable modem has IP address 192.168.11.1 on the inside and the ReadyNAS has a fixed IP address of 192.168.11.154 (I mostly use DHCP, but have fixed IP addresses for a few things like the ReadyNAS and a printer).
HomeB is connected to the Internet via a DSL connection and has a fixed IP address. I don't want to reveal it here (I get enough ssh break-in attempts already!), but for the sake of this discussion, let me assume it is 11.22.33.44. On its internal side, my network is 192.168.2.0/24, the router has address 192.168.2.1 and there is also an older PC running Ubuntu 9.10 with an IP address of 192.168.2.3.
The ReadyNAS and the Ubuntu box will take the roles of the openvpn systems; the former in HomeA as a client (as it is behind a changing IP address), the latter in HomeB as a server. You need to open the ReadyNAS for root ssh access and get the "apt-get" add-on so that you can download software to it using apt-get; google will be your friend if you need help doing this.
To complicate things, I wanted to be able to manage and install the whole thing from HomeB (with fixed IP), so I initially created a small trick to be able to get to HomeA with its variable IP address. First, I opened my routers so that port 22 forwards to 192.168.11.154 in HomeA, and to 192.168.2.3 in HomeB. I then set up password-less root ssh (yes, this sounds utterly insecure; it isn't as long as your boxes are behind a firewall, google for it!) to simplify things, although this is not strictly necessary from HomeB to HomeA. But the trick is that HomeA has a crontab entry that every 4 hours ssh's as root to HomeB, leaving its IP address (which really is the one assigned by my cable modem provider). Therefore, when I am on the Ubuntu box in HomeB, I can always find the actual IP address of HomeA. This is like a simplified dynamic DNS entry.
Next, download openvpn on both the ReadyNAS and the Ubuntu box using
apt-get install openvpn
There are a few more things (crypto stuff) that also need downloading; check the openvpn documentation.
Read and follow the openvpn documentation on how to generate server and client keys (I did it all in HomeB) and copy the appropriate keys to /etc/openvpn in both HomeA (ReadyNAS) and HomeB (Ubuntu). You should, like me, use scp to copy. I next set up the configuration files in /etc/openvpn on both sides, again basically following the instructions on the openvpn website. Of particular importance are the following.
I opened port 1194 in the router of HomeB, forwarding to 192.168.2.3. I also decided to start with tcp (rather than udp).
In server.conf in HomeB (Ubuntu), the following are my non-comment lines:
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
route 192.168.11.0 255.255.255.0
client-config-dir ccd
route 10.9.1.0 255.255.255.0
client-to-client
ping 15
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 10
We need to push the HomeB server-side subnet to the HomeA client, hence the push, and we also need to have the server side know about the client side, hence the "route 192.168.11...." line. I also found that 'keepalive' was causing restarts of the client, so I just replaced it by a ping. In the client-specific file on the server side, I have these two lines (and nothing more):
iroute 192.168.11.0 255.255.255.0
ifconfig-push 10.9.1.1 10.9.1.2
And the non-comment lines of client.conf, i.e. the file on the ReadyNAS in /etc/openvpn, are (xxxxxx are real names that I am not showing here; also recall that 11.22.33.44 really should be the external fixed IP of HomeB):
client
dev tun
proto tcp
remote 11.22.33.44 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert xxxxxx.crt
key xxxxxx.key
comp-lzo
verb 4
mute 10
ping 15
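The server.conf, ccd file and client.conf above have to agree with each other in a few places that openvpn will not complain about loudly (a client LAN that has an iroute but no matching route on the server, ifconfig-push addresses that lie outside the server pool and so need their own route, and a client dialling a port or protocol the server does not listen on). This added checker is my own example, not part of the original post or of openvpn; the embedded configs are constructed copies of the non-comment lines shown above.

```python
"""Consistency checks for an OpenVPN site-to-site setup like the one above.
Sample configs are constructed copies of the page's server.conf, ccd file and
client.conf; the checker itself is an added example, not OpenVPN code."""
import ipaddress
import shlex

SERVER_CONF = """port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
route 192.168.11.0 255.255.255.0
client-config-dir ccd
route 10.9.1.0 255.255.255.0
"""
CCD_CLIENT = """iroute 192.168.11.0 255.255.255.0
ifconfig-push 10.9.1.1 10.9.1.2
"""
CLIENT_CONF = """client
proto tcp
remote 11.22.33.44 1194
"""

def parse(text):
    """Map each directive to the list of argument lists it appears with."""
    out = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)   # handles push "route ..."
        if parts:
            out.setdefault(parts[0], []).append(parts[1:])
    return out

def net(args):
    """Build a network from an OpenVPN 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)

def check(server_text, ccd_text, client_text):
    """Return a list of problems; an empty list means the configs agree."""
    s, c, k = parse(server_text), parse(ccd_text), parse(client_text)
    problems = []
    routes = {net(a) for a in s.get("route", [])}
    # 1. every iroute (client LAN) must also be a kernel route on the server
    for a in c.get("iroute", []):
        if net(a) not in routes:
            problems.append(f"iroute {net(a)} has no matching server 'route'")
    # 2. ifconfig-push addresses outside the server pool need a 'route' too
    pool = net(s["server"][0])
    for a in c.get("ifconfig-push", []):
        for ip in map(ipaddress.ip_address, a):
            if ip not in pool and not any(ip in r for r in routes):
                problems.append(f"ifconfig-push {ip} is routed by neither pool nor 'route'")
    # 3. the client must dial the port and protocol the server listens on
    port = k["remote"][0][1]
    if port != s["port"][0][0] or k["proto"][0][0] != s["proto"][0][0]:
        problems.append("client remote/proto does not match server port/proto")
    return problems
```

Running check(SERVER_CONF, CCD_CLIENT, CLIENT_CONF) on the configs as posted returns an empty list; dropping the "route 10.9.1.0" line or switching the client to udp makes it report the mismatch.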
Having come this far, I was able to start openvpn first on the HomeA side (i.e. Ubuntu) and then on the HomeB side (ReadyNAS), and those two boxes would see each other, happily ping and connect. I did not have firewall issues, i.e. the iptables firewall already existing on my Ubuntu box did not prevent anything.
Next, in order to get everything on the two sides to fully see the other side, I had to do the following:
Turn on IP forwarding on both the ReadyNAS and Ubuntu. At runtime, you do it with
echo 1 > /proc/sys/net/ipv4/ip_forward
but I also made sure it happens automatically at reboots. The next, very important step is to make the routers (that sit directly on the Internet connection in the two places) know about routing to the other side. You need to add two static routes in each router. I initially thought I would only need to add the static routes to 192.168.2.0/255.255.255.0 and 192.168.11.0/255.255.255.0 respectively, but I realized this is not sufficient. The tunnel network (10.8.0.0/255.255.255.0) also needs to be known to the two routers. So, in the router of HomeA, the following two static routes are used:
192.168.2.0/255.255.255.0 via 192.168.11.154
10.8.0.0/255.255.255.0 via 192.168.11.154
and in HomeB, it's basically the opposite:
192.168.11.0/255.255.255.0 via 192.168.2.3
10.8.0.0/255.255.255.0 via 192.168.2.3
The frustrating thing is that you can actually ping with only the first of the two static routes above, but in order to make a connection, you also need the 10.8.0.0/255.255.255.0 routes.
Finally, I made sure openvpn comes up automatically on both sides after a reboot. In HomeA (the ReadyNAS), this was already the case (I assume as a result of the apt-get install); in HomeB (on Ubuntu) I used 'chkconfig' to do it.
Let me finally add that all this (among other things) allows me to use softsqueeze in HomeB on Ubuntu against squeezecenter running in the ReadyNAS. In HomeA, I have the physical squeeze thing connected to my stereo.
I finally had some version issues with the Squeezebox setup; please see http://forums.slimdevices.com/showthread.php?t=78777 for details.
/Bjørn.