
Re: openvpn question



On 8/19/13, Gregory Nowak <greg@gregn.net> wrote:
> On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote:
>> The key I think is the word "routable" which you use.
>
> Yes, exactly.
>
>> After a successful VPN setup, your VPS becomes analogous to your home
>> internet modem router - the router has a public address dedicated to
>> _all_ of your home computers/phones/etc.
>>
>> Your home router can only "assign" its public ip (through its ppp
>> link) to an internal box by setting up port forwarding or a DMZ host.
>> Port forwarding eg for 80, 443 etc, or DMZ host where _all_ external
>> ports are mapped to one particular internal IP address.
>>
>> It sounds like you want the (laptop) client end of your VPN to be the
>> DMZ host for a particular VPS /29 external address.
>
> Close. The caveat is that the /29 is assigned to the VPS. That means
> that the VPS, network, and broadcast are all on that /29. So, what I

Of course. I understand this.

> actually want is to give one ip address out of that /29 to the
> laptop. The laptop is an endpoint in itself. It doesn't have any other

You need to question yourself, imagine an isolated network of three computers:
A <-> B <-> C

Let's say A is your isolated "public" computer wanting to access C,
your "clandestine" routed laptop.

So B has a "public" ip address block, let's say a /29 subnet :)

In your thinking, using any technology you choose whatsoever, how
would you "assign" one of B's IP addresses to C?

> machines sitting behind it. So yes, in a sense, the laptop is in the
> DMZ, since any firewalling for that single public IP would be done on
> the laptop.

Well, the VPS needs its own firewalling.
Part of that can be routing of packets hitting your "chosen public ip
address which really goes to the clandestine server".

> There wouldn't be any port forwarding or NAT going on

Here is perhaps your misunderstanding.

VPS has a public IP address, which "looks like" a web server say. In
reality this web server is a clandestine server behind a restrictive
firewalling regime, which however is able also to connect to the VPS.

A connection means 2 endpoints, each of which needs its own address
(eg MAC address, IP address, or whatever happens with PPP I don't
know).

So in my diagram above, A of course has a unique public (possibly
NATed) ip address, and connects to B, your VPS, which has this
specially chosen-by-you IP special-address.

And all requests that hit this special-address on B, need to somehow
get to machine C. Machine C has its own address, but B cannot
ordinarily access C - this is the reason you are using a VPN in the
first place.

So instead, C connects into B, and a virtual (private-encrypted)
network is set up, with TWO ip addresses, for VPS server B, and laptop
clandestine machine C.

> here. The laptop would have its own routable public IP address as if
> I had connected it to a modem, and dialed a dial-up provider. My VPS
> would in a sense be an ISP as far as the laptop is concerned.

That's called a "DMZ host".

You need to set up firewalling on VPS B, to route all packets to (eg) 10.1.1.2.

Yes, this is forwarding. Yes this implies a type of NAT for packets
coming back out of C, over the VPN, through B, back out to the
"public" Internet (to A).

But how else do you expect to do this?

>> Set up OpenVPN:
>> OpenVPN will still have two endpoint addresses for each client, and
>> one for the server. Eg 10.1.1.1/24 for the server, eg 10.1.1.2 for the
>> VPN (laptop) client.
>>
>> Choose a /29 address on your VPS to dedicate to the VPN (laptop) client.
>> Configure the VPS kernel firewall rules to 1:1 map all public ports on
>> this chosen /29 address, to the VPN (laptop) client address eg to
>> 10.1.1.2.
>>
>> Does this sound like what you want?
>
> Yes! I was stuck in thinking of things how pppd does them, and it
> didn't occur to me I can map a private address onto a public one. I was
> hoping I could avoid using NAT here, which I know I wouldn't need to
> do if things worked out how I originally planned. But what you propose
> would do the job as well I think. Would
> something like this work on the VPS side?
>
> iptables -t nat -A POSTROUTING --source public_addr -j SNAT
> --to-source 10.0.0.2
> iptables -t nat -A PREROUTING --destination 10.0.0.2 -j DNAT
> --to-destination public_addr

You'll need some DIY or help elsewhere, sorry.

> Then of course assign the public address I want the laptop to get to
> eth0:0 on the VPS.

This is unclear. But the public IP address of course needs to be
public - it has to appear on the public internet. Your VPS, to make
use of it, will need to "host" that IP address of course.

Good luck
Zenaan
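The VPS-side setup Zenaan describes (the VPS hosts one address out of its /29, 1:1 forwards everything hitting that address to the laptop's tunnel address, and NATs the laptop's traffic back out as that address) written out as an added example; this is not code from either poster. For the inbound direction DNAT rewrites the destination of packets arriving for the public address to the tunnel address, and for the outbound direction SNAT rewrites the source of the laptop's packets to the public address, which is the opposite orientation to the draft rules quoted above. The addresses 203.0.113.10 and 10.1.1.2, the interface names eth0/tun0 and the /24 tunnel mask are placeholders assumed here, and the `ip addr add` line is the iproute2 form of the eth0:0 alias Gregory mentions. The script only generates the commands, so it can be reviewed before being piped to a root shell on the VPS.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the VPS-side rules that make
# one public /29 address a "DMZ host" mapping onto the OpenVPN client.
# Placeholder values (assumed, not from the thread):
PUBLIC_ADDR=203.0.113.10   # the /29 address dedicated to the laptop
TUN_CLIENT=10.1.1.2        # the laptop's OpenVPN tunnel address
WAN_IF=eth0                # VPS public interface
TUN_IF=tun0                # VPS side of the OpenVPN tunnel

# dmz_rules PUBLIC_ADDR TUN_CLIENT WAN_IF TUN_IF
# Prints the commands; nothing is applied until the output is run as root.
dmz_rules() {
  public_addr="$1"; tun_client="$2"; wan_if="$3"; tun_if="$4"
  cat <<EOF
# The VPS must answer ARP for the chosen address on its public interface
# (iproute2 equivalent of the old eth0:0 alias).
ip addr add ${public_addr}/32 dev ${wan_if}
# Packets only cross from ${wan_if} to ${tun_if} with forwarding enabled.
sysctl -w net.ipv4.ip_forward=1
# Inbound: anything arriving for the public address is handed to the laptop.
iptables -t nat -A PREROUTING -i ${wan_if} -d ${public_addr} -j DNAT --to-destination ${tun_client}
# Outbound: the laptop's traffic leaves the VPS looking like the public address.
iptables -t nat -A POSTROUTING -o ${wan_if} -s ${tun_client} -j SNAT --to-source ${public_addr}
# FORWARD chain: permit only this pair, so the VPS's own firewalling for its
# other addresses is unaffected (assumes a default FORWARD policy of DROP).
iptables -A FORWARD -i ${wan_if} -o ${tun_if} -d ${tun_client} -j ACCEPT
iptables -A FORWARD -i ${tun_if} -o ${wan_if} -s ${tun_client} -j ACCEPT
EOF
}

# ccd_entry TUN_CLIENT
# OpenVPN server-side client-config-dir entry that pins the laptop to a fixed
# tunnel address, so the DNAT target never changes between connections.
# Requires 'topology subnet' and 'client-config-dir ccd' in the server config;
# the file name is the client's certificate common name.
ccd_entry() {
  printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Running the script directly just shows what would be applied.
dmz_rules "$PUBLIC_ADDR" "$TUN_CLIENT" "$WAN_IF" "$TUN_IF"
printf '# ccd/<laptop-common-name>:\n'
ccd_entry "$TUN_CLIENT"
```

With these rules the laptop still has only its tunnel address; the public address belongs to the VPS, which is exactly the forwarding-plus-NAT arrangement Zenaan says is unavoidable. Any firewalling of that public address can then be done on the laptop as Gregory intended, while the two FORWARD rules keep the mapping from widening to the rest of the /29.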

