■Connecting with OpenVPN's quick-and-easy unencrypted VPN.
The host OS is Squeeze and the guest OS is Wheezy. The VPN is built over vmnet8 NAT in the following layout.
VPN client <-> GuestOS eth0 <-> Host OS vmnet8 <-> HostOS eth0 <-> Virtual Internet
The result is that, from inside the guest OS's NAT environment, the guest ends up with an IP address in the same network range as the host OS's eth0 LAN.
■Conceptual diagram.
Since this is peer-to-peer, blockdiag is easier to write than nwdiag.
The guest OS's NAT network (vmnet8), standing in for the LAN NIC
The host OS's local network, standing in for the WAN NIC
The upstream network, standing in for the Internet
The flow in the second image is reversed. The third is probably the one that looks most like a VPN connection diagram.
$ cat bvpn.diag
blockdiag {
orientation = portrait;
Internet [shape=cloud,height=60,label = "Virtual\nInternet\n"];
VPNServerLAN [label = "vmnet8\n192.168.45.1"];
VPNServerWAN [label = "eth0\n172.16.31.11"];
VPNClientLAN [label = "eth0\n192.168.45.11"];
VPNClientWAN [label = "VPNC\n172.16.31.12"];
VPNClientWAN -> VPNClientLAN -> VPNServerLAN -> VPNServerWAN -> Internet;
group {
label = "WAN NIC";
color = lightgreen;
VPNServerWAN; VPNServerLAN;
}
group {
label = "LAN NIC";
color = lightblue;
VPNClientWAN; VPNClientLAN;
}
}
■From the host OS to the guest OS.
$ sudo openvpn --remote 192.168.45.11 --dev tun1 --ifconfig 172.16.31.11 172.16.31.12 --verb 3
Mon Jun 10 21:47:10 2013 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Feb 20 2012
Mon Jun 10 21:47:10 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Jun 10 21:47:10 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jun 10 21:47:10 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Mon Jun 10 21:47:10 2013 Socket Buffers: R=[112640->131072] S=[112640->131072]
Mon Jun 10 21:47:10 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.31.0/255.255.255.0] and remote VPN [172.16.31.11/255.255.255.255]
Mon Jun 10 21:47:10 2013 TUN/TAP device tun1 opened
Mon Jun 10 21:47:10 2013 TUN/TAP TX queue length set to 100
Mon Jun 10 21:47:10 2013 /sbin/ifconfig tun1 172.16.31.11 pointopoint 172.16.31.12 mtu 1500
Mon Jun 10 21:47:10 2013 Data Channel MTU parms [ L:1500 D:1450 EF:0 EB:4 ET:0 EL:0 ]
Mon Jun 10 21:47:10 2013 Local Options hash (VER=V4): 'fff92c83'
Mon Jun 10 21:47:10 2013 Expected Remote Options hash (VER=V4): 'b2515aa2'
Mon Jun 10 21:47:10 2013 UDPv4 link local (bound): [undef]
Mon Jun 10 21:47:10 2013 UDPv4 link remote: [AF_INET]192.168.45.11:1194
Mon Jun 10 21:47:21 2013 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Jun 10 21:49:42 2013 Peer Connection Initiated with [AF_INET]192.168.45.11:1194
Mon Jun 10 21:49:42 2013 Initialization Sequence Completed
■From the guest OS to the host OS.
$ sudo openvpn --remote 192.168.45.1 --dev tun1 --ifconfig 172.16.31.12 172.16.31.11 --verb 3
Mon Jun 10 21:43:38 2013 OpenVPN 2.2.1 i486-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Mon Jun 10 21:43:38 2013 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Jun 10 21:43:38 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jun 10 21:43:38 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Mon Jun 10 21:43:38 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Jun 10 21:43:38 2013 TUN/TAP device tun1 opened
Mon Jun 10 21:43:38 2013 TUN/TAP TX queue length set to 100
Mon Jun 10 21:43:38 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 10 21:43:38 2013 /sbin/ifconfig tun1 172.16.31.12 pointopoint 172.16.31.11 mtu 1500
Mon Jun 10 21:43:38 2013 Data Channel MTU parms [ L:1500 D:1450 EF:0 EB:4 ET:0 EL:0 ]
Mon Jun 10 21:43:38 2013 Local Options hash (VER=V4): 'b2515aa2'
Mon Jun 10 21:43:38 2013 Expected Remote Options hash (VER=V4): 'fff92c83'
Mon Jun 10 21:43:38 2013 UDPv4 link local (bound): [undef]
Mon Jun 10 21:43:38 2013 UDPv4 link remote: [AF_INET]192.168.45.1:1194
Mon Jun 10 21:43:48 2013 Peer Connection Initiated with [AF_INET]192.168.45.1:1194
Mon Jun 10 21:43:49 2013 Initialization Sequence Completed
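Both session logs above carry two lines worth catching automatically: the cleartext warning (no encryption or authentication on the tunnel) and the TUN/TAP subnet-conflict warning from the host side. This added example, which is not part of the original post, scans --verb 3 output for both and confirms the overlap with the ipaddress module; the sample log is constructed from the lines shown above.

```python
import re
from ipaddress import ip_network

# Constructed sample: lines taken from the host-side --verb 3 output above.
SAMPLE_LOG = """\
Mon Jun 10 21:47:10 2013 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
Mon Jun 10 21:47:10 2013 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [172.16.31.0/255.255.255.0] and remote VPN [172.16.31.11/255.255.255.255]
Mon Jun 10 21:47:10 2013 UDPv4 link remote: [AF_INET]192.168.45.11:1194
Mon Jun 10 21:49:42 2013 Initialization Sequence Completed
"""

CLEARTEXT_RE = re.compile(r"all encryption and authentication features disabled")
CONFLICT_RE = re.compile(
    r"subnet conflict between local LAN \[(?P<lan>[^\]]+)\] and remote VPN \[(?P<vpn>[^\]]+)\]"
)


def parse_net(text):
    """Turn OpenVPN's 'address/netmask' notation into an ip_network."""
    addr, mask = text.split("/")
    return ip_network(f"{addr}/{mask}", strict=False)


def audit_openvpn_log(log):
    """Summarise the security-relevant lines of a --verb 3 session log.

    Returns a dict with:
      cleartext      - True if the tunnel runs without encryption/authentication
      subnet_overlap - (lan, vpn, overlaps) from the TUN/TAP conflict warning, or None
      completed      - True once 'Initialization Sequence Completed' was logged
    """
    report = {"cleartext": False, "subnet_overlap": None, "completed": False}
    for line in log.splitlines():
        if CLEARTEXT_RE.search(line):
            report["cleartext"] = True
        m = CONFLICT_RE.search(line)
        if m:
            lan = parse_net(m.group("lan"))
            vpn = parse_net(m.group("vpn"))
            # Re-check what OpenVPN warned about: the /32 VPN endpoint sits inside the LAN /24.
            report["subnet_overlap"] = (str(lan), str(vpn), lan.overlaps(vpn))
        if "Initialization Sequence Completed" in line:
            report["completed"] = True
    return report


if __name__ == "__main__":
    print(audit_openvpn_log(SAMPLE_LOG))
```

Pipe a real session into audit_openvpn_log to see the same three findings this post's setup produces.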
■tun1 on the host OS side
$ env LANG=C /sbin/ifconfig tun1 | grep inet
inet addr:10.26.7.11 P-t-P:10.26.7.12 Mask:255.255.255.255
■tun1 on the guest OS side
$ env LANG=C /sbin/ifconfig tun1 | grep inet
inet addr:10.26.7.12 P-t-P:10.26.7.11 Mask:255.255.255.255
■ping to the guest OS's own VPN IP
$ ping -c 1 172.16.31.12
PING 172.16.31.12 (172.16.31.12) 56(84) bytes of data.
64 bytes from 172.16.31.12: icmp_req=1 ttl=64 time=0.145 ms
--- 172.16.31.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.145/0.145/0.145/0.000 ms
■ping to the host OS's VPN IP
$ ping -c 1 172.16.31.11
PING 172.16.31.11 (172.16.31.11) 56(84) bytes of data.
64 bytes from 172.16.31.11: icmp_req=1 ttl=64 time=1.38 ms
--- 172.16.31.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.388/1.388/1.388/0.000 ms
■ping to the IP of the host OS's eth0
※It is actually bond0, but that is not the point here.
$ ping -c 1 172.16.31.10
PING 172.16.31.10 (172.16.31.10) 56(84) bytes of data.
64 bytes from 172.16.31.10: icmp_req=1 ttl=128 time=0.573 ms
--- 172.16.31.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.573/0.573/0.573/0.000 ms
■ping to an IP standing in for the Internet, which the host OS can reach
$ ping -c 1 172.16.16.1
PING 172.16.16.1 (172.16.16.1) 56(84) bytes of data.
64 bytes from 172.16.16.1: icmp_req=1 ttl=128 time=1.37 ms
--- 172.16.16.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.372/1.372/1.372/0.000 ms