
vpn/routing by port



Problem:
 site H : computer with a dynamic IP ADSL connection, but unable to use
certain ports due to ISP restriction
 site C : computer with a static connection, one public IP, no limitations
on use, and a private subnet behind.
 site L : computer with a static connection, many IPs available, same
restriction as H on ports (NICs on L and A subnets).
 site A : many computers with private addresses, accessible only from
their subnet (where L is the gateway)
 site G : same as A, behind C
 site I : server that accepts only connections coming from C
 site W : server that accepts only connections coming from L subnet
I have root access and the possibility to change configurations for H, C, L
hosts.
I assume I want to connect from H computer.
To connect to A and W I just set two OpenVPNs with bridging from H to L,
giving me two virtual addresses on A and W subnet, and this is OK.
So if I have to connect to computers on A and L subnet I am ready; if I
have to connect to computers on W subnet, I route through the L subnet
gateway.
 The problems come when I have to connect either to I servers or using
ports that either H's or L's gateway bans.
(of course: all other services are routed through the H default gateway)
 In this case I should appear as coming from C.
 How to:
  a. set a VPN that masquerades as coming from C (ideally I would like to set
another VPN to C, taking an address on its private subnet, so I would be
seen also by the other computers in its subnet). I have managed on L, but
there I had the possibility to have a spare public address to "donate" to
the VPN user. But on C I must exit with C's address. I also have to
reserve a number of ports to be routed to H _when_ the VPN is in use.
  b. more difficult: tell C that certain programs, or anyone using as
source or destination certain ports, must use this particular v-address,
while all other traffic (not intercepted by the previous rules of
"plain" routing) should use the normal eth0 interface (the only reason to
use the VPN is to be able to access services that accept connections only
from certain addresses; if I have to download an update there is no reason
to use a VPN sucking three times the bandwidth also on the intermediate
computer ...)
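
One way to do points a. and b. on Linux, as an added example that is not part of the original post: on H, mark locally generated packets by destination port with the iptables mangle table and give marked packets their own routing table whose only default route is the tunnel, so everything else keeps using eth0; on C, masquerade the VPN subnet behind C's public address and DNAT the reserved ports back to H's tunnel address. The interface name `tun0`, the tunnel addresses `10.8.0.1` / `10.8.0.2`, the subnet `10.8.0.0/24`, the fwmark `0x1`, table `100` and the ports used are all assumptions for the demonstration; by default the script only prints the commands (`APPLY=1` executes them as root).

```sh
#!/bin/sh
# Added example (not from the post): per-port policy routing on H plus the
# masquerade / port-forward rules on C, using Linux iptables + iproute2.
# All addresses, interface names, mark and table numbers are assumptions.
set -eu

VPN_IF="${VPN_IF:-tun0}"        # assumption: the OpenVPN tun interface on H
VPN_GW="${VPN_GW:-10.8.0.1}"    # assumption: C's address inside the tunnel
MARK="${MARK:-0x1}"             # fwmark meaning "send this via the VPN"
TABLE="${TABLE:-100}"           # routing table consulted for marked packets
APPLY="${APPLY:-0}"             # 0 = only print the commands, 1 = run them (root)

# Print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Accept only a numeric TCP/UDP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# On H: mark locally generated packets whose destination port is in the list,
# so that only those get re-routed through the tunnel.
mark_dport_rules() {
    proto=$1; shift
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        run iptables -t mangle -A OUTPUT -p "$proto" --dport "$p" -j MARK --set-mark "$MARK"
    done
}

# On H: marked packets consult a private table whose only default route is the
# tunnel; unmarked traffic keeps using the normal eth0 default route.
# The MASQUERADE on tun0 matters: a packet re-routed after the first routing
# decision still carries eth0's source address, so it must be rewritten.
# Loose reverse-path filtering keeps the kernel from dropping the replies.
policy_route_rules() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# On C: let VPN clients exit with C's public address, and forward the reserved
# inbound ports to H's tunnel address. Add these when H connects and remove
# them when it disconnects (e.g. from OpenVPN client-connect/client-disconnect)
# so the ports are only reachable while the VPN is up.
site_c_rules() {
    vpn_net=$1; h_vpn_addr=$2; shift 2
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -o eth0 -j MASQUERADE
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
        run iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "$p" -j DNAT --to-destination "$h_vpn_addr"
        run iptables -A FORWARD -i eth0 -o "$VPN_IF" -p tcp -d "$h_vpn_addr" --dport "$p" -j ACCEPT
    done
}

# Dry-run demonstration with assumed ports: 25 and 110 (blocked by the ISP)
# leave via C; port 2222 on C is reserved and forwarded to H.
mark_dport_rules tcp 25 110
policy_route_rules
site_c_rules 10.8.0.0/24 10.8.0.2 2222
```

The mark is applied only to locally generated packets (mangle OUTPUT), which is exactly the "by port, not by program" selection the post asks for; a specific program can be caught the same way with the iptables `owner` match on its uid instead of `--dport`. Rules for a source port use `--sport` in the same mangle rule. Keep the FORWARD chain on C restrictive: only the reserved ports destined for H's tunnel address are accepted, so the tunnel does not turn C into a general relay.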