I have long marvelled at the ability of ssh to tunnel connections, and regularly use this feature to give myself access to services behind firewalls, in offices, far far away… As such, In spite of the seeming ubiquity of the concept, I have never seen the benifit of a VPN. But recently, after discovering OpenVPN set up on one of the servers at work (One for which I’m not the primary admin).

I looked through the configuration and it looked significantly simpler than I had anticipated. So I took it upon myself to join my home network with that of the one in the office (Why?… Why not?)

It was fairly simple, after reading through and following the tips in the official How-To I had a basic VPN connection with a shared key for encryption.

On my local box, the configuration looked like:

/etc/openvpn/tunnel.conf

dev tun
remote my.office.domain
float
ifconfig 10.0.0.2 10.0.0.1
secret .keys/office.key
verb 3
ping 30
route 192.168.0.0 255.255.255.0


And on the box in the back room at work:

dev tun
remote everyone-here.is-a-geek.com
float
ifconfig 10.0.0.1 10.0.0.2
secret .keys/brenton.key
verb 3
ping 30


Note: Both are class C networks, My home IP range is 192.168.1.xxx and the one at work is 192.168.0.xxx This makes life easier, because the networks don’t overlap, otherwise I believe some form of NAT would be required. Once the Tunnels are set up and both services are started

/etc/init.d/openvpn start

the machines should be able to ping each other across the VPN

From work:

$ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=45.0 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=28.4 ms
…


This configuration even adds and tears down the routing rule (only set up on my local machine at the moment) that forward traffic to the "other" network through the tunnel (The "route" line in my configuration). Unfortunately, because these machines are not the default gateways for their networks, some configuration on the gateway may be required to get them to forward everyone’s traffic (not just that originating from the connected systems) through the tunnel. I’ll post it when I figure it out. OR if anyone knows, please comment!

I have just set up a local DNS (bind9) server on my network, mainly because I got tired of forever editing my ‘hosts’ files, and just to see if I could… I have worked with DNS servers mainly through web-based front-ends, so I wanted to find out what the configuration really looked like. The most helpful and complete resource I came across was the BIND 9 Administrator Reference Manual (Good title). Here is the configuration I finally came up with (and some associated notes).

The Configuration Files

The ‘named.conf’ file that usually contains the main configuration information is split into 3 seperate files on the debian install.

named.conf

The ‘named.conf’ file is located in the ‘/etc/bind/’ directory, this is the main bind configuration directory on a debian install. The ‘named.conf’ file itself is written so there is probably no need to edit it. All personalisation of the service can be done using the ‘named.conf.options’ and ‘named.conf.local’ files that are referenced in the ‘named.conf’.

named.conf.options

‘named.conf.options’ pretty much contains the options block that is usually found in the top of the ‘named.conf’ file.

The directory parameter specifies the root directory where all relatively referenced files can be found (this is the default on debian)

The forwarders is a list of DNS servers that this server can ‘forward’ the query to if it doesn’t know the answer. This is pointed at my ISP’s normal DNS server (in this case, via the network router)

The auth-nxdomain directive instructs the server to answer as an authoritative source for non-existant (nx) records. It is generally a bad idea.

The allow-query directive is fairly self-explanatory, it provides a list of IP ranges that are permitted to query this server. In this case, I have limited access to the localhost and the private network.

The listen-on directive is similar, it provides a list of IPs that the server should listen on. In my case this is only the loopback and the private interface.


options {
directory "/etc/bind";
forwarders {
192.168.1.1;
};
auth-nxdomain no; # conform to RFC1035
allow-query {
192.168.1.0/24; # Only allow queries from the network and local machine
127.0.0.0/24;
};
listen-on {
192.168.1.100;
127.0.0.1;
};
};


On the debian package the file ‘named.conf.local’ is referenced by the ‘named.conf’ to provide information about the setup specific to this server. As such, there is little or no need to edit the ‘named.conf’ itself. My ‘named.conf.local’ defines 2 zones; ‘everyone-here.is-a-geek.com’, whichs maps the computers on the LAN, and the ‘1.168.192.in-addr.arpa’ zone, which provides the reverse dns information. While this is (especially on a LAN) pretty much un-used as far as I know, it’s still good practice to put it in, and it can be useful at times for resolving the "Which computer connected to my server?" question.

The type ‘master’ tells the server that it is the authority for this zone, and it should be able to answer definitively about requests for systems in it.

The file points to the ‘database’ file containing specific information about the contents of the zone. This file is relative to the path given earlier, but an absolute path can also be used.


//Add the zone for normal DNS lookup
zone "everyone-here.is-a-geek.com" {
type master;
file "db.everyone-here.is-a-geek.com";
};


The reverse zone is exactly the same as the forward zone. All reverse DNS zones end in ‘.in-addr.arpa’, the rest of the address is the IP in reverse (i.e 192.168.1. is my internal IP range, so to allow lookups I add entries for ‘1.168.192.in-addr.arpa’)


//Add the zone for reverse lookups
zone "1.168.192.in-addr.arpa" {
type master;
file "db.192";
};


The Database file(s)

db.everyone-here.is-a-geek.com

This one probably needs a bit more explanation, I think it’s easier if I comment it inline. Two important things to remember everything that doesn’t end in a "." will be prepended to the base domain, and the @ is substituted for the base domain.


$TTL 604800
$ORIGIN everyone-here.is-a-geek.com. ;The base domain name (From now on = @)
@ IN SOA gir webmaster (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ NS gir ;This is the nameserver
@ MX 10 gir ;mail sent to @everyone-here.is-a-geek.com goes to this server
@ A 192.168.1.100 ;the "A" record specifies a direct pointer to the IP address
gir CNAME @ ;each "CNAME" points to another entry (or domain) in this case gir points to the base domain
* CNAME gir ;and everything (*) points to gir
ben A 192.168.1.69 ;My housemates desktop - an "A" record pointing to Ben's static IP
zyrtec A 192.168.1.150 ;My desktop machine - ditto for mine


And the reverse table works the same way as the forward ones, except with the special .in-addr.arpa postfix.

/etc/bind/db.192


$TTL 1D
$ORIGIN 1.168.192.in-addr.arpa.
@ IN SOA gir.everyone-here.is-a-geek.com. hostmaster.everyone-here.is-a-geek.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ NS gir.everyone-here.is-a-geek.com. ;Add entries for all known IP->hostname maps in the domain
100 PTR gir.everyone-here.is-a-geek.com.
150 PTR zyrtec.everyone-here.is-a-geek.com.
69 PTR ben.everyone-here.is-a-geek.com.


So there you have it, thats pretty much the guts of my DNS configuration. It took some tweaking to get it right (syslog is you best friend on this one) but it now works for my needs.