
Re: openvpn question



On 8/19/13, Gregory Nowak <greg@gregn.net> wrote:
> On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote:
> I wrote:
>> > actually want is to give one ip address out of that /29 to the
>> > laptop. The laptop is an endpoint in itself. It doesn't have any other
>>
>> You need to question yourself, imagine an isolated network of three
>> computers:
>> A <-> B <-> C
>>
>> Lets say A is your isolated "public" computer wanting to access C,
>> your "clandestine" routed laptop.
>>
>> So B has a "public" ip address block, let's say a /29 subnet :)
>>
>> In your thinking, using any technology you choose whatsoever, how
>> would you "assign" one of B's IP addresses to C?
>
> I would put a route in B's routing table to C's interface to B. To
> make this more concrete, on B I would:
> route -A inet add -host public_addr_assigned_to_C iface_connected_to_C

But public_addr_assigned_to_C is already configured on B, it is
assigned to an iface on C.

So if you tried to ping public_addr_assigned_to_C (while in a shell on
B), to see if the iface is up, would that ping packet then have to go
to both the local public_addr_assigned_to_C, as well as be routed
across to C?

And on C, which iface are you going to configure, to listen for
incoming packets to "public_addr_assigned_to_C"?

Think of the problem this way: C runs a webserver on port 80.
It is listening on a particular ip.address:80 for incoming packets.

On which iface is the webserver (on C) supposed to open up
server-listening port 80?

And if that iface is supposed to be configured with
public_addr_assigned_to_C, can you see a problem with having
public_addr_assigned_to_C configured on both that iface on C,
as well as an iface on B?

> I think you might be taking what I said too literally and maybe that's
> why we aren't on the same page. I didn't mean that the laptop would
> literally be an endpoint onto itself.

I don't know what you mean by this sorry.

> The only way that would happen
> is if I disconnected the laptop from any ethernet/wifi networks. I
> only meant to say that the laptop wouldn't be routing to any machines
> attached to it through a second interface (it wouldn't act as a router).

Of course.
I was drawing an analogy with home modem/router, and B.
In this analogy, C is simply one home computer, NATing
through the "modem/router" B.
And you want some reverse NAT, basically, either specific ports, or
all ports on the "modem/router" "public" ip address, ie
public_addr_assigned_to_C.

Some confusion may arise because you say "ip _assigned_ to C", which
is generic terminology - but that ip address is most certainly
"assigned" (by the sound of it, as an address 'alias') to B's public
facing iface.

Your problem is, you can't simultaneously 'assign' the same ip
address to two ifaces, and expect to get no routing problems,
somewhere.

Regarding "public" IPs:

One IP -> one iface.
OR:
One iface -> one or more IPs.

But you can't have one IP -> multiple ifaces.
Will likely cause problems.

>> Well, the VPS needs its own firewalling.
>> Part of that can be routing of packets hitting your "chosen public ip
>> address which really goes to the clandestine server".
>
> Yes, I agree.
>
>> > There wouldn't be any port forwarding or NAT going on
>>
>> Here is perhaps your misunderstanding.
>>
>> VPS has a public IP address, which "looks like" a web server say. In
>> reality this web server is a clandestine server behind a restrictive
>> firewalling regime, which however is able also to connect to the VPS.
>>
>> A connection, means 2 endpoints, each of which needs its own address
>> (eg MAC address, IP address, or whatever happens with PPP I don't
>> know).
>>
>> So in my diagram above, A of course has a unique public (possibly
>> NATed) ip address, and connects to B, your VPS, which has this
>> specially chosen-by-you IP special-address.
>>
>> And all requests that hit this special-address on B, need to somehow
>> get to machine C. Machine C has its own address, but B cannot
>> ordinarily access C - this is the reason you are using a VPN in the
>> first place.
>>
>> So instead, C connects into B, and a virtual (private-encrypted)
>> network is set up, with TWO ip addresses, for VPS server B, and laptop
>> clandestine machine C.
>
> I agree. Let me paste the part of the openvpn man page where I see the
> problem. Maybe I'm misunderstanding something:
>
> "--ifconfig l rn
>     Set TUN/TAP adapter parameters. l is the IP address of the
>     local VPN endpoint. For TUN devices, rn is the IP address of the
>     remote VPN endpoint. For TAP devices, rn is the subnet mask of the
>     virtual ethernet segment which is being created or connected to.
>
>     For TUN devices, which facilitate virtual point-to-point IP
>     connections, the proper usage of --ifconfig is to use two private
>     IP addresses which are not a member of any existing subnet which
>     is in use. The IP addresses may be consecutive and should have
>     their order reversed on the remote peer. After the VPN is
>     established, by pinging rn, you will be pinging across the VPN."
>
> So, because I want a point-to-point connection, I have to use two
> private addresses that are on the same subnet. That means I have to
> assign the laptop a private address, not a public one. For me to map
> data from the private address to the public one means doing NAT. By
> doing NAT, laptop would have a private address on its end of the VPN,
> but any connections laptop made to the internet would look like they
> came from the public address assigned to it. That means doing NAT.
>
>> You need to set up firewalling on VPS B, to route all packets to (eg)
>> 10.1.1.2.
>>
>> Yes, this is forwarding. Yes this implies a type of NAT for packets
>> coming back out of C, over the VPN, through B, back out to the
>> "public" Internet (to A).
>>
>> But how else do you expect to do this?
>>
>
> Like I showed above. I think we both agree the VPS would need to serve
> as a router. My question still stands. If I have to assign private
> addresses that aren't part of the same subnet, then the laptop can't
> have a public address. I could of course have a statement like:
>
> --config 10.0.0.1 public_addr
>
> in the server config file on the VPS. If I do that though, I see no
> way to tell openvpn that the subnet here is /32.

I'll assume you mean
"--ifconfig 10.0.0.1 public_addr
in the OpenVPN server config file on the VPS".

Read again this part of the OpenVPN man page which you pasted:
"the proper usage of --ifconfig is to use  two private
IP addresses which are not a member of any existing
subnet which is in use"

Notice "two private IP addresses", eg 10.1.1.1 and 10.1.1.2.
Also, it should say elsewhere in the openvpn manpage, that
these IPs ought to be in the same subnet.

Use of a public IP address here is bound to cause problems, both
networking, and security problems.

>> This is unclear. But the public IP address of course needs to be
>> public - it has to appear on the public internet. Your VPS, to make
>> use of it, will need to "host" that IP address of course.
>
> Right. On the VPS I would setup routing as I showed above.

See my comments above.

> On the laptop I would do
> ifconfig iface public_addr netmask 255.255.255.248

Again, as above, what "iface" do you propose to use here???

> the
> case of a ptp link, that would become ifconfig iface public_addr
> pointopoint VPN_addr netmask 255.255.255.255. Is there something I'm
> not getting here?

Yes.

Just had a quick look now, and I can see that pptp man page doesn't
speak succinctly to clear up this misunderstanding.

man pppd however (looking at it now) says near the top "The pppd
daemon works ... to negotiate Internet Protocol (IP) addresses for
each end of the link".

The key is, each end has a separate IP.

> Thanks for taking the time to work through this
> with me. I think we mostly agree. It just seems to me you're saying
> that the VPN interface on the laptop would be configured with the
> public address, and I don't see how that's possible with openvpn.

No. Never said anything like it. This is what you are wishing for. Not
what I am saying :)

What I am saying, is you can turn laptop/"C" into a DMZ host, or
forward only specific ports. Up to you.

There's no other way you can do it, that I am aware of.

Good luck
Zenaan
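Added example, not part of either correspondent's mail: the forwarding
and NAT on VPS "B" that the reply describes, written out as a POSIX shell
script. It assumes the OpenVPN tun link uses 10.1.1.1 on B and 10.1.1.2
on C (the addresses used in the thread), and it assumes, as placeholders
you can override through environment variables, that B's public
interface is eth0 and the VPN interface is tun0. It covers both options
named at the end of the mail: making C a whole-address "DMZ host", or
forwarding only specific TCP ports. By default it only prints the
sysctl/iptables commands; set APPLY=1 to execute them as root on B.

```shell
#!/bin/sh
# Added example (not from the thread). Forwarding/NAT on VPS "B" so that a
# public address hosted on B is actually served by laptop "C" across an
# OpenVPN point-to-point tun link.
#
# OpenVPN side, as the quoted man page text describes it:
#   B (server):  ifconfig 10.1.1.1 10.1.1.2
#   C (client):  ifconfig 10.1.1.2 10.1.1.1
# C's webserver then listens on 10.1.1.2:80 (its tun iface), never on the
# public address, which stays configured on B only.
#
# Assumed placeholders: PUB_IF (B's public iface) and TUN_IF (the tun).
# Commands are printed; they are executed only when APPLY=1.

PUB_IF="${PUB_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_B="${VPN_B:-10.1.1.1}"
VPN_C="${VPN_C:-10.1.1.2}"

# Print one command line, and run it only when APPLY=1.
emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

# Option 1, "DMZ host": every packet arriving at PUB_C is rewritten to C's
# tun address, and anything C sends out through B leaves as PUB_C.
# Usage: dmz_rules <public_addr_assigned_to_C>
dmz_rules() {
    pub_c="$1"
    emit sysctl -w net.ipv4.ip_forward=1
    # Inbound: public -> tun (DNAT); conntrack reverses this for the replies.
    emit iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$pub_c" -j DNAT --to-destination "$VPN_C"
    # Outbound connections that C itself opens also appear to come from PUB_C.
    emit iptables -t nat -A POSTROUTING -s "$VPN_C" -o "$PUB_IF" -j SNAT --to-source "$pub_c"
    # B's own firewall must permit the forwarded traffic in both directions.
    emit iptables -A FORWARD -i "$PUB_IF" -o "$TUN_IF" -d "$VPN_C" -j ACCEPT
    emit iptables -A FORWARD -i "$TUN_IF" -o "$PUB_IF" -s "$VPN_C" -j ACCEPT
}

# Option 2, specific ports only: just the listed TCP ports reach C; every
# other packet to PUB_C stays on B and meets B's own firewall rules.
# Usage: port_forward_rules <public_addr_assigned_to_C> <port> [port...]
port_forward_rules() {
    pub_c="$1"; shift
    emit sysctl -w net.ipv4.ip_forward=1
    emit iptables -t nat -A POSTROUTING -s "$VPN_C" -o "$PUB_IF" -j SNAT --to-source "$pub_c"
    # Return traffic of forwarded connections, and C's own outbound connections.
    emit iptables -A FORWARD -i "$TUN_IF" -o "$PUB_IF" -s "$VPN_C" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        emit iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$pub_c" -p tcp --dport "$port" -j DNAT --to-destination "$VPN_C:$port"
        emit iptables -A FORWARD -i "$PUB_IF" -o "$TUN_IF" -d "$VPN_C" -p tcp --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
}

# Stand-alone run: PUB_C=<public addr> [PORTS="80 443"] sh this_script.sh
# With PORTS unset C becomes a DMZ host; with PORTS set only those ports go.
if [ -n "${PUB_C:-}" ]; then
    if [ -n "${PORTS:-}" ]; then
        port_forward_rules "$PUB_C" $PORTS
    else
        dmz_rules "$PUB_C"
    fi
fi
```

To check it, from "A" run something like curl against the public
address on port 80: the SYN hits B, is DNATed to 10.1.1.2 and goes
across the tun to C, and C's reply is un-DNATed by conntrack on the way
back, so A only ever sees the public address. The SNAT rule matters for
the other direction, connections C opens itself, which is the NAT the
thread says is unavoidable. The port-only variant is the more
restrictive choice: nothing except the listed ports ever reaches C.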