Gregory Nowak wrote:
> In addition to this, I have iptables rules using the nat table,
> which take traffic which has the laptop's public address as
> destination, and do DNAT on it, changing the destination address to
> be the laptop's private address. I also have a rule doing the
> reverse. This rule takes packets with the laptop's private address
> as source, and does SNAT on them, changing the source address to be
> the laptop's public address, and sends them out eth0.

Okay. This is much more clear. And this does now make sense. There are many different ways to do things. The end result of this is very similar to the way the proxy arp strategy works, although in a different way.

> Again, I do have this functioning. So, whereas before I was writing
> this based on theory, I can assure you it does actually work in
> practice.

As I said, if it made sense to you then keep going with it! :-)

> > Proxy ARP
> > http://shorewall.net/ProxyARP.htm
>
> Ok, proxy arp as I understand it requires that network devices have a
> MAC address.

I hesitate to comment further since you have something working. But will anyway. Yes, all network devices will have a MAC ethernet address.

> Since I didn't assign a MAC address to the tun0 device in
> the openvpn config, it wouldn't work.

The device will still have an ethernet address whether you assigned one to it or not. It is not necessary for you to assign one since one has already been assigned by default. (From the vendor. Or, in the case of virtual hardware, from the software that created the simulation.) And therefore proxy arp is still a viable strategy. (And I like proxy arp better than bridging strategies that I sometimes see people use to extend networks. And I like your DNAT/SNAT configuration that you described above better too. Your strategy is good. Keep going with it.)

> The other part of this is that proxying arp just tells the rest of
> the network on what given interface a particular machine can be
> reached. I think Zenaan and I have established sufficiently in this
> thread that I can't simply give the laptop side a public address
> through openvpn directly, and expect it to just work. So that still
> leaves the laptop with using a private address to go through the
> openvpn gateway. So, I still need NAT, and that's how I have things
> working now.

Now it is my turn to say that this is a confusing topic, but yes, it really does work. Since it is fully documented in the proxy arp reference above I won't describe it here and make mistakes doing so. But you will just have to trust that yes, proxy arp does work just fine in that situation. Meanwhile, if you understand the method that you used as you described, then that is fine too. It is better because you understand it. Don't let me distract you. I only mentioned proxy arp because it is one of the standard strategies. But by no means is it the only one.

> > I read back but didn't see anywhere that you said what services you
> > wanted. "All" I suppose.
>
> I did indicate that I didn't want the VPS to do any
> firewalling. Zenaan's response to this was that for it to work, the
> VPS will need to do firewalling. This is correct of course. Perhaps
> if I would have stated I don't want the VPS to do any port blocking
> for the laptop's public address, it would have been more clear.

And I read here that you still don't say what services you are trying to enable! Saying "didn't want the VPS to do any firewalling" doesn't mean anything. That is okay though. I take that to mean "gotta have my freedom, it's all about freedom, baby, room to breathe". :-) But the reason I asked was because often I need a very specific set of services such as web or mail or ssh, and setting up a dedicated connection just for those specific services is often easier and very robust. Such as using a web proxy. Such as using a tunneled port. Other possibilities.

In any case, glad to see that you have things well in hand and have something working for you that you are happy with. Good deal.

Bob
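The DNAT/SNAT pair Gregory describes, written out as iptables rules on the VPS, together with the FORWARD rules a forwarding host needs in order to pass the laptop's traffic through unfiltered. This is an added example, not code from either poster; the public address 203.0.113.10, the tunnel address 10.8.0.2 and the interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: Gregory's DNAT/SNAT pair as iptables
# rules. Addresses and interface names are constructed placeholders.
# DRY_RUN=1 prints the commands instead of running them, so the rule set
# can be reviewed on any host without root or iptables.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # public address routed to the VPS (constructed)
PRIVATE_IP="${PRIVATE_IP:-10.8.0.2}"    # laptop's address on the OpenVPN tunnel (constructed)
WAN_IF="${WAN_IF:-eth0}"                # VPS uplink
VPN_IF="${VPN_IF:-tun0}"                # OpenVPN interface

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

nat_rules() {
    # Inbound: anything arriving on eth0 for the public address gets its
    # destination rewritten to the tunnel address; conntrack un-NATs the replies.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$PRIVATE_IP"
    # Outbound: packets the laptop originates leave eth0 with the public
    # address as source (the "reverse" rule in the post).
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_IP" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP"
    # The VPS must forward in both directions between eth0 and tun0. Accepting
    # everything is "no port blocking"; any per-port restrictions for the
    # laptop's address would be inserted ahead of these two ACCEPTs.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$PRIVATE_IP" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$PRIVATE_IP" -j ACCEPT
    # Without kernel forwarding the DNAT'd packets are silently dropped.
    run sysctl -w net.ipv4.ip_forward=1
}

# Usage: "sh vps-nat.sh show" prints the rules; "sh vps-nat.sh apply" installs them (as root).
case "${1:-}" in
    show)  DRY_RUN=1; nat_rules ;;
    apply) nat_rules ;;
esac
```

To confirm what is actually installed, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show the rules with per-rule packet counters, which is the quickest way to see whether traffic is hitting the DNAT rule but not being forwarded.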