
Re: openvpn question



On Thu, Aug 22, 2013 at 04:16:13PM -0600, Bob Proulx wrote:
> Gregory Nowak wrote:
> > The public address assigned to the laptop would actually be
> > configured on the VPS,
> 
> Hmm...  No.  Sorry.  Doesn't make sense.  The public address assigned
> to the laptop would probably be yet another private address behind a
> NAT somewhere.

Ok, some confusion here it seems. Both you and I are right in that the
laptop's public address is assigned to the VPS, and is also in reality
yet another private address behind a NAT somewhere like you said. I'll
explain below, since I do in fact have this going as I mentioned in my
latest post to the VPS crashing thread.

I wrote:
> 
> > and the VPS would be doing NAT between the private address of the
> > laptop, and the public address assigned to the laptop, but
> > configured on the VPS itself.
> 
> If you understand this then please keep going.  But the description
> doesn't make sense to me.

I read carefully what I wrote above, and I can't think of a way to
make it any clearer. Let me explain how I have this going. On the VPS,
eth0:0 is configured with the laptop's public address. Just to be
clear, the public address here is the one machines on the internet
send traffic to, and the one which traffic from the laptop is coming
from as far as the rest of the internet is concerned. In addition to
this, I have iptables rules using the nat table, which take traffic
which has the laptop's public address as destination, and do DNAT on
it, changing the destination address to be the laptop's private
address. I also have a rule doing the reverse. This rule takes
packets with the laptop's private address as source, and does SNAT on
them, changing the source address to be the laptop's public address,
and sends them out eth0. Again, I do have this functioning. So,
whereas before I was writing this based on theory, I can assure you it
does actually work in practice.

I wrote:
> 
> > In a nutshell, the laptop would have a private address assigned to
> > it, but all traffic to and from the laptop would actually be using
> > the public address assigned to it, which itself would be configured
> > on the VPS.
> 
> One of the often hit traps is that people often think, start up DHCP
> on the mobile client.  Then start up the VPN.  Then change the
> routing so that 100% of all traffic goes through the VPN.  Sounds
> great.  Except that it can't work.  The mobile device needs to
> transport the VPN traffic over the non-VPN routed network.  And the
> mobile client needs to have DHCP available which will periodically
> need to interact with the local dhcp server and renew its leases.

Correct. The notion of routing all traffic through the VPN is a
misnomer. It seems you're taking what I said too literally.

> 
>   Routing all client traffic (including web-traffic) through the VPN
>   http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
> 
> I would consider setting up proxy arp on the server.  Set it up to
> proxy for the IP address but do not configure it to own the IP
> address.  Here is a reference.
> 
>   Proxy ARP
>   http://shorewall.net/ProxyARP.htm
> 

Ok, proxy arp as I understand it requires that network devices have a
MAC address. Since I didn't assign a MAC address to the tun0 device in
the openvpn config, it wouldn't work. Yes, I could assign the tun
device a MAC address if I wanted to, I know. The other part of this is
that proxying arp just tells the rest of the network on what given
interface a particular machine can be reached. I
think Zenaan and I have established sufficiently in this thread that I
can't simply give the laptop side a public address through openvpn
directly, and expect it to just work. So that still leaves the laptop
with using a private address to go through the openvpn gateway. So, I
still need NAT, and that's how I have things working now.

> I read back but didn't see anywhere that you said what services you
> wanted.  "All" I suppose.

I did indicate that I didn't want the VPS to do any
firewalling. Zenaan's response to this was that for it to work, the
VPS will need to do firewalling. This is correct of course. Perhaps if
I had stated I don't want the VPS to do any port blocking for the
laptop's public address, it would have been more clear.

Hope this makes more sense now.

Greg


-- 
web site: http://www.gregn..net
gpg public key: http://www.gregn..net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

--
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
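As an added example, not part of this thread and not anyone's posted configuration: the VPS-side arrangement Greg describes above (laptop's public address on eth0:0, DNAT of inbound traffic for that address to the laptop's tunnel address, SNAT of the laptop's outbound traffic back to the public address on eth0), written as a POSIX shell script. Interface names and every address are assumptions (constructed sample values from the documentation ranges); the ip_forward sysctl and the FORWARD rules are additions the description leaves implicit. The script prints the commands by default and only executes them when APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): VPS-side NAT for a laptop reached
# over an OpenVPN tun interface. Names and addresses are assumptions:
#   PUB_IP    - the "laptop's public address", held by the VPS as eth0:0
#   LAPTOP_IP - the laptop's private address on the tunnel (tun0)
# All addresses below are constructed sample values.
PUB_IP="${PUB_IP:-203.0.113.10}"        # TEST-NET-3 documentation range
LAPTOP_IP="${LAPTOP_IP:-10.8.0.2}"      # typical OpenVPN client address
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Print each command instead of running it unless APPLY=1 is set,
# so the rule set can be inspected (and tested) on a non-root machine.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_rules() {
    # 1. Hold the public address on eth0 (the eth0:0 alias), so the VPS
    #    answers ARP for it and upstream delivers those packets here.
    run ip addr add "$PUB_IP/32" dev "$WAN_IF" label "$WAN_IF:0"
    # 2. The VPS must forward between eth0 and tun0 (assumed, not stated
    #    in the thread, but required for any of the rules below to matter).
    run sysctl -w net.ipv4.ip_forward=1
    # 3. Inbound: traffic arriving on eth0 for the public address is
    #    rewritten to the laptop's private address and routed over tun0.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" \
        -j DNAT --to-destination "$LAPTOP_IP"
    # 4. Outbound: packets from the laptop leaving via eth0 get the public
    #    address as source, so replies come back to the VPS, not the
    #    private address. Conntrack undoes both translations on replies.
    run iptables -t nat -A POSTROUTING -s "$LAPTOP_IP" -o "$WAN_IF" \
        -j SNAT --to-source "$PUB_IP"
    # 5. No port blocking for the laptop (as the poster wants), but the
    #    forward rules are still scoped to exactly this host and these
    #    two interfaces rather than a blanket ACCEPT.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$LAPTOP_IP" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$LAPTOP_IP" -j ACCEPT
}

# Self-check helper: number of emitted rules that touch the nat table.
count_nat_rules() {
    nat_rules | grep -c -- '-t nat'
}

# Running the script prints (or with APPLY=1, applies) the rule set.
nat_rules
```

Only one DNAT and one SNAT rule are needed: the connection-tracking entry created by each one reverses the translation for the replies, which is why Greg's two rules are enough for both directions. The trap Bob describes (the tunnel itself being routed into the tunnel) is a client-side concern; OpenVPN's redirect-gateway option in the linked howto handles it by adding a host route to the VPN server through the original default gateway before replacing the default route.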