Site-to-site via first tunnel

Comments

7 comments

  • Firewalla

    Do you also require customized routing? For example, if they access the internet, do they go through your internet or theirs? Is the site-to-site connection going to be persistent? When sessions are persistent, there will be traffic going back and forth, so not sure if they care about the cost?

  • James Willhoite

    It would be more of a split-tunnel kinda situation. Regular internet goes through normally, but if they need to access the cameras then it would go through me, and only when they are outside their network. The VPN from them to me would just be a way for me to tunnel back in.

    They have “unlimited” internet (up to 15 GB at 4G, then 600K after the 15 GB). Wasn’t sure if it would be possible to VPN back through the initial connection.

  • dj-mayo

    Hi James, I’ve seen in your post for the contest that you connect a remote Raspberry Pi to make a site-to-site connection. I would like to do the same (FWG with public IP and RasPi with LTE connection with double NAT). Can you please explain to me how to reach my goal? Thank you so much!

  • James Willhoite

    Hi dj-mayo,

    I had the same situation. My parents use a cellular connection, so there is no port forwarding and no public IP. Here is what happens:

    1) The Raspberry Pi initiates the connection to my Firewalla Gold. The Gold's OpenVPN server assigns an IP address to the client.

    2) The Firewalla Gold makes a request back to the Raspberry Pi via the IP address assigned by the OpenVPN server on the Gold.

    3) Some iptables rules are created (inside the Firewalla Gold) to allow that network traffic and route it through the OpenVPN server for that network.

    4) I don't want all computers on my parents' network to access my network, so the computer(s) there have to have routing rules in place to route traffic destined for my home network through the Raspberry Pi.

    To set this up you need to SSH into the Firewalla Gold and navigate to '~/ovpns/'. In this directory create a directory named after the client config you want to use. My dad's name is Jim and it's a Pi, so I used 'jims_pi' as the directory name.

    Inside that directory create a file with the same name as the folder and the extension 'rc', so the file name is 'jims_pi.rc'.

    Here is what I have for the file contents:

    ----------------------------------------- Script --------------------------------
    #!/bin/bash
    # Run by the Firewalla Gold OpenVPN server as its client-connect / client-disconnect
    # hook. OpenVPN supplies script_type, common_name, trusted_ip, ifconfig_local,
    # ifconfig_remote and ifconfig_pool_remote_ip in the environment.
    LOG="/home/pi/ovpns/jims_pi/log.log"
    OVPNDIR="/home/pi/.firewalla/run/ovpn_profile"
    OVPNS="/home/pi/ovpns"
    PIDFILE="/var/run/88F8_88F87.pid"

    if [[ $script_type == "client-connect" ]]; then
            echo "Client ${common_name} is connecting from ${trusted_ip}" >> "$LOG"

            if [[ ${common_name} == "jims_pi" ]]; then
                    echo "Dad's house is connecting" >> "$LOG"
                    echo "Create connection back" >> "$LOG"
                    echo "Local: ${ifconfig_local}" >> "$LOG"
                    echo "Remote: ${ifconfig_remote}" >> "$LOG"
                    echo "Pool: ${ifconfig_pool_remote_ip}" >> "$LOG"

                    # Dial back to the Pi over the tunnel it just opened, using the pool
                    # address the server handed it. client-up adds/removes routes and rules.
                    sudo openvpn --config "${OVPNDIR}/88F8_88F87.ovpn" --remote "${ifconfig_pool_remote_ip}" --daemon "OpenVPN_Jims_Pi" --writepid "${PIDFILE}" --up "${OVPNS}/jims_pi/client-up up" --down "${OVPNS}/jims_pi/client-up down" --script-security 2 --log-append /var/log/jims_pi.log
            fi

            echo "" >> "$LOG"
            echo "" >> "$LOG"
    fi

    if [[ $script_type == "client-disconnect" ]]; then
            if [[ ${common_name} == "jims_pi" ]]; then
                    echo "Disconnect Dad's house" >> "$LOG"
                    if [[ -f "${PIDFILE}" ]]; then
                            PID=$(cat "${PIDFILE}")
                            #Run the down script
                            #sudo "${OVPNS}/jims_pi/client-up down"
                            # SIGTERM lets the dial-back openvpn run its --down script before exiting
                            sudo kill "${PID}"
                            echo "Killed PID ${PID}" >> "$LOG"
                            sudo rm -f "${PIDFILE}"
                    else
                            echo "No PID file at ${PIDFILE}, nothing to kill" >> "$LOG"
                    fi
                    echo "" >> "$LOG"
                    echo "" >> "$LOG"
            fi
    fi
    ----------------------------- End Script ---------------------------------

     

    I also use an up/down script that adds and removes the iptables rules needed.

    Inside that same directory create a file called 'client-up' which contains the following:

    --------------------------- Script ---------------------------
    #!/bin/bash
    # Invoked by the dial-back openvpn process as "client-up up" (--up) and
    # "client-up down" (--down); $1 is the word passed on that command line.
    UPDOWN=$1

    if [[ $UPDOWN == "up" ]]; then
            # Route my Dad's network over the dial-back tunnel
            sudo ip -4 route add 192.168.10.0/24 via 10.8.0.1 dev vpn_88F8_88F87 table static

            # Let traffic headed for that network NAT out through the Firewalla
            sudo iptables -t nat -I POSTROUTING 1 -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j MASQUERADE

            #Block Guest Network from this path
            sudo iptables -I FORWARD 1 -s 192.168.53.0/24 -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j DROP

            #Block IoT Network from this path
            sudo iptables -I FORWARD 1 -s 192.168.90.0/24 -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j DROP
    fi

    if [[ $UPDOWN == "down" ]]; then
            sudo ip -4 route del 192.168.10.0/24 via 10.8.0.1 dev vpn_88F8_88F87 table static

            # -D must repeat the rule exactly (comment included) to match what was added
            sudo iptables -t nat -D POSTROUTING -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j MASQUERADE

            #Remove the iptables rule for Guest Network
            sudo iptables -D FORWARD -s 192.168.53.0/24 -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j DROP

            #Remove the iptables rule for IoT Network
            sudo iptables -D FORWARD -s 192.168.90.0/24 -d 192.168.10.0/24 -m comment --comment "Added via ~/ovpns/jims_pi/client-up" -j DROP
    fi
    ---------------------- End Script ------------------

    Inside the "up" block, the first line adds the route for the Pi's network (my Dad's house is 192.168.10.0/24) so Firewalla knows where to route that traffic.

    The second line allows the traffic from that network to MASQUERADE through the Firewalla (this is needed for traffic coming from the Pi to go out).

    The third and fourth lines are two networks inside my Firewalla Gold that are not allowed to access my Dad's network, so that traffic is dropped.

    Everything inside the "down" block just removes what is in the "up" block.

    You will have to set up the OpenVPN server on the Pi and have it auto-connect to the Firewalla if the Pi restarts or the connection goes down. I imported the configuration as a "Client" on the Firewalla Gold because I had it changing the status of the "Client" inside the Firewalla UI, but that became troublesome and didn't work all the time, so I commented that out but kept the config file it created. That is why you see the line in the first script with the config file named something like 88F8_88F87.ovpn:

    sudo openvpn --config "${OVPNDIR}/88F8_88F87.ovpn" --remote "${ifconfig_pool_remote_ip}" --daemon "OpenVPN_Jims_Pi" --writepid "/var/run/88F8_88F87.pid" --up "${OVPNS}/jims_pi/client-up up" --down "${OVPNS}/jims_pi/client-up down" --script-security 2 --log-append /var/log/jims_pi.log

    I'll refine some of this down into something easier later if needed. I set this up a year ago; sometimes I have to go into the OpenVPN server and kill the client because it gets the wrong IP address. I'm still refining it and just haven't had the time with the kids' schedule to mess around with it.

    Hope this helps

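As an added example (not from James's post), the up/down logic above generalised into a parameterised, idempotent script: a rule is only inserted when `iptables -C` reports it absent, so a reconnect whose previous `down` never ran (the dial-back process killed without SIGTERM) cannot stack duplicate MASQUERADE and DROP rules, and `ip route replace` overwrites a stale route instead of failing. Network values default to the ones in the post; the `DRY_RUN` knob, which prints the commands instead of executing them, and the function names are my own.

```shell
#!/bin/bash
# Generalised client-up: REMOTE_NET is the Pi's LAN, BLOCKED_NETS the local
# segments that must not reach it. Defaults are the values from the post.
set -u
REMOTE_NET="${REMOTE_NET:-192.168.10.0/24}"
VPN_GW="${VPN_GW:-10.8.0.1}"
VPN_DEV="${VPN_DEV:-vpn_88F8_88F87}"
BLOCKED_NETS="${BLOCKED_NETS:-192.168.53.0/24 192.168.90.0/24}"   # guest, IoT
TAG="${TAG:-Added via ~/ovpns/jims_pi/client-up}"
DRY_RUN="${DRY_RUN:-0}"   # assumed knob: 1 = print commands, do not run them

# Execute a privileged command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else sudo "$@"; fi; }

# Insert at position 1 only if an identical rule is not already present
# (iptables -C), so repeated client-connect events cannot stack duplicates.
add_rule() {   # add_rule <table> <chain> <match/target spec...>
  local table=$1 chain=$2; shift 2
  if [ "$DRY_RUN" = 1 ] || ! sudo iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    run iptables -t "$table" -I "$chain" 1 "$@"
  fi
}
del_rule() { local table=$1 chain=$2; shift 2; run iptables -t "$table" -D "$chain" "$@"; }

up() {
  # 'replace' rather than 'add': a stale route left by an unclean exit is overwritten
  run ip -4 route replace "$REMOTE_NET" via "$VPN_GW" dev "$VPN_DEV" table static
  add_rule nat POSTROUTING -d "$REMOTE_NET" -m comment --comment "$TAG" -j MASQUERADE
  for net in $BLOCKED_NETS; do
    add_rule filter FORWARD -s "$net" -d "$REMOTE_NET" -m comment --comment "$TAG" -j DROP
  done
}

down() {
  run ip -4 route del "$REMOTE_NET" via "$VPN_GW" dev "$VPN_DEV" table static
  del_rule nat POSTROUTING -d "$REMOTE_NET" -m comment --comment "$TAG" -j MASQUERADE
  for net in $BLOCKED_NETS; do
    del_rule filter FORWARD -s "$net" -d "$REMOTE_NET" -m comment --comment "$TAG" -j DROP
  done
}

# OpenVPN invokes this as "client-up up" / "client-up down" via --up / --down.
case "${1:-}" in up) up ;; down) down ;; esac
```

Run `DRY_RUN=1 ./client-up up` first to review the exact rule set before letting the dial-back openvpn call it for real.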
  • dj-mayo

    Ciao James,
    Thank you so much!
    I’m not so skilled and I don’t want to make mistakes… I’ve understood everything; to keep things simple, how can I see all the clients on the “remote (LTE)” subnet? Another question: do you think that adding a Firewalla Blue+/Purple will bypass the double NAT block?
    Thank you again and enjoy your Sunday!

  • James Willhoite

    If you add a Purple I think that will allow you to use the Firewalla UI. Firewalla might have to do some adjusting for it to work, but as long as the LTE side initiates the connection first, then you can connect back. I don’t use the site-to-site much, more from my FWG to the LTE side, but when I’m at my parents' I just point my default gateway to the RPi and that allows me back to my network.

    Edit: Now that I think about it, the Purple would be overkill, as you could not (most likely) put the LTE modem/router in bridge mode. The Blue might be enough, but I'm not sure if that will do “site-to-site”. That’s why I just used an RPi. I had an old RPi 2 laying around and the only thing I needed was to gain access into their network (maybe only go from their side to mine, maybe 5 times a year).

  • James Willhoite

    Hey dj-mayo did you ever get this figured out?

