
Re: VPN and @Home



Hi

I can ping you (213.51.198.92) from South Africa :)

On Mon, Jun 25, 2001 at 11:48:59PM +0200, Mythiq wrote:
> @Home is blocking a port! I get the same response from @home
> here. I'm thinking of the following solution:
> 
> I have a network at home (my ISP is @home, over the coaxial
> TV-cable with a cable-modem), so do two of my friends. One is
> living nearby (only 1 block away) the other lives at the other
> side of town. I cannot reach (ping, ftp, ssh, whatever) my
> friend A nearby. The other, friend B, however, I can reach and
> he can reach me and my friend A. 

> I could tell ipchains to route all network traffic from my own

This is just routing.  It has nothing to do with ipchains,
really.

> network 192.168.0.0 destined to a subnet 192.168.1.0 (A) to
> leave my network over the Inet-if to the B-network
> (192.168.2.0) with a tunnel over a non-blocked port (?can I?).
[snip]

If you can send UDP packets to B's box on a particular port and
he sees them (e.g. with tcpdump) or even if you can connect to a
TCP port on his machine, you can create a tunnel on that port.
Cipe can set up an encrypted tunnel on a particular UDP port and
you then have an extra interface called "cipe0" or "cipe1" etc.,
in addition to your "eth0" etc.

(Note:  I haven't used cipe for a long time.  The interface name
might be slightly different, but I think it was cipe0, cipe1
etc.)

So things will look like this, physically:

                           (Internet)
                               |
                               |
[B's network]-[Bfw]---[gw1]--(@home)
                               |
                             [gw2]
                               |
[Your net]-[Yfw]---------------+---[Afw]-[A's net]

You set up cipe (for example) on your firewall (Yfw), on Afw, and two
instances of cipe on Bfw.

When the tunnels are up you and A will have a cipe0 interface
and B will have cipe0 and cipe1 interfaces.

Then if B's cipe0 interface is 192.168.2.1 and B's cipe1
interface is 192.168.2.2 and A's cipe0 interface is 192.168.1.1
and your cipe0 interface is 192.168.0.1:

Do this on Yfw:
# Add a route to B's network via Bfw over cipe tunnel
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 dev cipe0
# Add a route to A's network via Bfw over cipe tunnel
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1 dev cipe0
# See?  Just normal routing :)

On Afw you have the same thing, basically:
# Add a route to B's network via Bfw over cipe tunnel
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 dev cipe0
# Add a route to your network via Bfw over cipe tunnel
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.2.1 dev cipe0

On Bfw it's similar:
# Add a route to your network via Yfw over cipe tunnel
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 dev cipe0
# Add a route to A's network via Afw over cipe tunnel
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 dev cipe1

You don't have to use cipe for the tunnels.  If you use
something else it should be basically the same.

You can find cipe here:
http://sites.inka.de/bigred/devel/cipe.html

> I think my humble idea might work but it sure as hell will be
> slooooowww. So: anyone knows a route2 solution or a faster
> tunnel-solution? Maybe something like firewall-piercing
> (whatever that may be, haven't read that HOWTO yet)?
[snip]

It should work and I don't think it should be that slow.  Try it
out :)

I don't know what @Home is doing, so I can't really suggest a
better method.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
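The reply above makes the point that once the tunnels are up, the rest is "just normal routing": every firewall needs a route for each remote prefix, and the hub (Bfw) needs routes for both spokes or return traffic dies there. The following is an added example, not part of the thread and not cipe's code: it models the three firewalls with the tunnel addresses the mail gives (192.168.0.1, 192.168.1.1, 192.168.2.1, 192.168.2.2) and the exact `route add` lines, does a longest-prefix lookup hop by hop, and shows what happens when one of Bfw's routes is missing. The LAN-side addresses (x.x.x.254) and the sample hosts (x.x.x.10) are constructed, and it assumes Bfw forwards between its cipe interfaces.

```python
# Added example (not from the thread): model the hub-and-spoke routing the
# reply describes and check that every firewall has the routes it needs.
# Tunnel addresses are the ones given in the mail; LAN-side addresses
# (x.x.x.254) and the sample end hosts (x.x.x.10) are constructed.
import copy
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    dev: str
    gw: Optional[IP] = None          # None means directly connected


@dataclass
class Host:
    name: str
    addrs: Dict[str, IP]             # interface name -> address
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: IP) -> Optional[Route]:
        """Longest-prefix match over the routing table, as the kernel does."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def route(prefix: str, gw: Optional[str], dev: str) -> Route:
    """Equivalent of 'route add -net PREFIX gw GW dev DEV' (gw=None: connected)."""
    return Route(Net(prefix), dev, IP(gw) if gw else None)


def build_topology() -> Dict[str, Host]:
    """The three firewalls, with the routes from the mail plus their own LANs."""
    yfw = Host("Yfw", {"eth0": IP("192.168.0.254"), "cipe0": IP("192.168.0.1")})
    afw = Host("Afw", {"eth0": IP("192.168.1.254"), "cipe0": IP("192.168.1.1")})
    bfw = Host("Bfw", {"eth0": IP("192.168.2.254"),
                       "cipe0": IP("192.168.2.1"), "cipe1": IP("192.168.2.2")})
    yfw.routes = [route("192.168.0.0/24", None, "eth0"),
                  route("192.168.2.0/24", "192.168.2.1", "cipe0"),
                  route("192.168.1.0/24", "192.168.2.1", "cipe0")]
    afw.routes = [route("192.168.1.0/24", None, "eth0"),
                  route("192.168.2.0/24", "192.168.2.1", "cipe0"),
                  route("192.168.0.0/24", "192.168.2.1", "cipe0")]
    bfw.routes = [route("192.168.2.0/24", None, "eth0"),
                  route("192.168.0.0/24", "192.168.0.1", "cipe0"),
                  route("192.168.1.0/24", "192.168.1.1", "cipe1")]
    return {h.name: h for h in (yfw, afw, bfw)}


def trace(hosts: Dict[str, Host], start: str, dst: str,
          max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow a packet that has reached firewall `start` until it is
    delivered onto a directly connected LAN or dropped."""
    by_addr = {a: h.name for h in hosts.values() for a in h.addrs.values()}
    target = IP(dst)
    path = [start]
    cur = hosts[start]
    for _ in range(max_hops):
        r = cur.lookup(target)
        if r is None:
            return path, "dropped: no route on " + cur.name
        if r.gw is None:
            return path, "delivered via %s:%s" % (cur.name, r.dev)
        nxt = by_addr.get(r.gw)
        if nxt is None:
            return path, "dropped: gateway %s unreachable from %s" % (r.gw, cur.name)
        path.append(nxt)
        cur = hosts[nxt]
    return path, "dropped: hop limit exceeded (routing loop?)"


def drop_route(hosts: Dict[str, Host], host: str, prefix: str) -> Dict[str, Host]:
    """Copy of the topology with one route removed, to see what breaks."""
    clone = copy.deepcopy(hosts)
    clone[host].routes = [r for r in clone[host].routes if r.prefix != Net(prefix)]
    return clone


if __name__ == "__main__":
    hosts = build_topology()
    print(trace(hosts, "Yfw", "192.168.1.10"))   # your LAN -> A's LAN, via Bfw
    print(trace(hosts, "Afw", "192.168.0.10"))   # and the return direction
    # Forget the cipe1 route on the hub and the forward path dies at Bfw.
    print(trace(drop_route(hosts, "Bfw", "192.168.1.0/24"), "Yfw", "192.168.1.10"))
```

Running it shows the forward path Yfw -> Bfw -> Afw and the mirror-image return path; removing Bfw's route for 192.168.1.0/24 makes the trace stop at Bfw with "no route", which is the symptom to look for when one side can reach the hub but not the far spoke.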
