I have a server running Ubuntu Server 9.10 and I need access to it and other parts of my network sometimes when not at home. There are two places I need to access the VPN from. One of the places has a static IP and the other has a dynamic one, but with DynDNS set up so I can always get the current IP if I want to.

Now, when it comes to servers people call me kinda paranoid, but security is always my number one priority and I never like to allow access to the server from outside the network. Therefore there are two things I have to have on this VPN. One, it shouldn't be accessible from any other IP than these two, and two, it has to use a very secure key so it will be virtually impossible to brute-force even from the said IPs.

I have no experience whatsoever in setting up VPNs; I have used SSH tunneling but never an actual VPN. So what would be the best, most stable, safest and most performance-efficient way to set this up on an Ubuntu Server? Is it possible, or should I just set up some kind of SSH tunnel instead?

Thanks in advance for any answers.

Hultner

2 Answers

In my experience the most reliable VPN service that you can run is OpenVPN. Getting the certificates set up for the first time is a bit tricky. Using something like TinyCA should make the certificate creation a lot easier than creating them manually. See the docs and the questions here tagged openvpn for hints about setting it up.

If an SSH tunnel can meet your needs I would suggest you stick with that, though. It is very easy to work with and pretty flexible. If you want to use ssh regularly you might want to use a tunnel manager to make day-to-day usage easier.

Zoredache
  • I personally use a large (2048-bit) shared key with OpenVPN. So it is also possible to avoid the certificates altogether. – Shtééf Apr 23 '10 at 18:15
  • How secure is a 2048-bit shared key versus a certificate, and is there any advantage in avoiding certificates (like performance or such)? Also, since I've never used a VPN, how fast would a file be uploaded/downloaded from and to the server over VPN? I mean, is there any significant speed loss? Running an Intel Pro Server MT Gigabit Dual Port card in the server and will be accessing the network from laptops mainly. Internet speed is 100/100 Mbit/s. – Hultner Apr 23 '10 at 18:45
  • There really shouldn't be much speed loss on a computer with a good processor over what the link already allows. There may be some increased latency and this may affect protocols that are sensitive to latency (SMB, VoIP). On a recent test of one of my links the VPN added about 1.5ms. The problem with a shared key is that only one computer/user can connect to the VPN at a time. If you plan on permitting access from multiple computers you are going to need to set up a CA. – Zoredache Apr 23 '10 at 19:02
  • There should be no performance difference between using a shared key versus a CA. The main difference is just the ability to handle multiple users with a single server instance. – Zoredache Apr 23 '10 at 19:04
  • About TinyCA, is that an application that I run on one of my computers and then export the certificate to the server, or do I need a desktop on the server? If so, is there any other similar program? – Hultner Apr 24 '10 at 09:03
  • You can run TinyCA wherever you want and generate the certs. If you are really paranoid about security you could even run it from a livecd and store your CA on a flash drive. – Zoredache Apr 24 '10 at 18:26
Agree, OpenVPN is the easiest solution to set up. You could also look at OpenVPN-AS server, which is extremely easy to set up on Ubuntu and provides a great web management interface. It's free for 1-2 concurrent connections, and up to 10 connections can be licensed for $50.

For limiting the VPN to particular IPs, on Ubuntu you could simply use ufw:

# CAUTION: be careful if you're doing this remotely
# over ssh or similar, as you could easily lock yourself out.
sudo ufw disable
sudo ufw default deny
sudo ufw allow proto udp from 10.0.0.1 to 192.168.0.1 port 1194
sudo ufw allow proto udp from 10.0.0.2 to 192.168.0.1 port 1194
sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.1 port 22
sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.1 port 443
sudo ufw enable

This example opens UDP port 1194 (the default listening port for OpenVPN) to two different IP addresses and allows SSH and secure web access from IPs on the same subnet as the server for management.

nedm
  • Still doesn't solve the problem with the dynamic IP. I can get hold of the IP since it's always connected to a hostname; is it possible to allow by hostname in ufw, and will that work the way I want? If not, wouldn't it be possible to write a script which does this for me? – Hultner Apr 24 '10 at 07:08
  • There's a script that does what you want for ufw and a DynDNS-type service at http://superuser.com/questions/79855/how-to-use-fqdn-in-firewall-rules-for-gnu-linux/84988#84988. Just replace the target_hosts entry with your DynDNS FQDN and schedule it to run via cron at the interval you want. – nedm Apr 25 '10 at 00:30
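A cron-driven version of the approach nedm describes, as an added example (not the linked script and not code from this thread): it resolves a DynDNS hostname, and only when the address has changed does it add the new ufw allow rule and delete the old one, in that order, so the remote client is never left without a rule. The script name, hostname, state directory and the `resolve_host` / `run_ufw` wrappers are assumptions; the rule form mirrors the ufw answer above.

```shell
#!/bin/sh
# ufw-dyndns.sh (hypothetical name): keep the ufw allow rule for the OpenVPN
# port in sync with the current address of a DynDNS hostname. Cron example:
#   */5 * * * * DYNDNS_HOST=laptop.example.dyndns.org /usr/local/sbin/ufw-dyndns.sh
set -eu

VPN_ADDR="${VPN_ADDR:-192.168.0.1}"       # server address as in the ufw rules above
VPN_PORT="${VPN_PORT:-1194}"              # OpenVPN default UDP port
STATE_DIR="${STATE_DIR:-/var/lib/ufw-dyndns}"  # assumed location for the last-seen IP

# Accept only a plain dotted quad, so an odd DNS answer can never become rule text.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# First IPv4 address for the hostname via glibc's getent (no dig/host needed).
resolve_host() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }

# Single point of contact with ufw, so a test or dry run can replace it.
run_ufw() { ufw "$@"; }

# Rule body; ufw takes the same words for 'allow ...' and 'delete allow ...'.
rule_for() { echo "proto udp from $1 to $VPN_ADDR port $VPN_PORT"; }
# Resolve, compare with the address recorded on the previous run, and only then
# touch the firewall: add the new rule before deleting the old one, so the
# remote client is never locked out between the two commands.
update_allow_rule() {
    host="$1"
    state="$STATE_DIR/$host.ip"
    new="$(resolve_host "$host")"
    valid_ipv4 "$new" || { echo "bad address for $host: '$new'" >&2; return 1; }
    old=""
    [ -f "$state" ] && old="$(cat "$state")"
    if [ "$old" = "$new" ]; then
        echo "unchanged $new"
        return 0
    fi
    run_ufw allow $(rule_for "$new")
    [ -n "$old" ] && run_ufw delete allow $(rule_for "$old")
    mkdir -p "$STATE_DIR"
    printf '%s\n' "$new" > "$state"
    echo "updated ${old:-none} -> $new"
}

# Entry point for cron; nothing runs when DYNDNS_HOST is unset.
if [ -n "${DYNDNS_HOST:-}" ]; then
    update_allow_rule "$DYNDNS_HOST"
fi
```

Because the state file is per hostname, one cron entry per DynDNS name (or a loop over several) keeps both remote locations covered, and a DNS failure or malformed answer leaves the existing rule untouched.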