
Re: openvpn question



On Fri, Aug 23, 2013 at 12:36:58PM +0000, Bonno Bloksma wrote:
> I have been following this and I think it is getting clear what you are doing but I have lost what the problem is we are trying to resolve.
> 
> If I understand it right your setup is something like:
> 
> VPS has network 1.2.3.0/24 (mask 255.255.255.0)

Hi Bonno. This is true for the private network used by openvpn. From
what you say below, it seems you are assuming this is the case for the
public network. Unfortunately, my public subnet is only a /29. Getting
a /24 (assuming I can in the first place) would be quite expensive! On
the one hand, having a public /24 means I would be wasting a lot of
IP addresses. This is particularly important given that we're close to
running out of them! On the other hand, having a public /24 means I
could subdivide that, and use a part of those addresses for
openvpn. In that case, the laptop could get a public address, and it
would just be a trivial routing issue at that point, problem solved.

> 
> Somehow you have made sure the client always gets the same 10.1.1.x number, for instance 10.1.1.3

Yes. I have a directory with per client configuration files for
openvpn. I can use that to push a specific IP address to the laptop
using the common name from its certificate.

> 
> Via iptables you make sure any traffic coming in on the VPS server with destination 1.2.3.3 is going to the VPN ip of the laptop
> And vice versa any traffic coming from the laptop vpn ip get sent out with the source 1.2.3.3
> openvpn server iptables
> iptables -t nat -A PREROUTING -d 1.2.3.3 -j DNAT --to 10.1.1.3
> iptables -t nat -A POSTROUTING -s 10.1.1.3 -j SNAT --to 1.2.3.3
> 

Exactly.

> What is it that is not working? If you think we can solve the problem better by supplying the real configs then please do so.
> 

As I already said, everything is working. The problem is solved. If
there is interest, I can paste the openvpn configs from server/client,
and the interfaces file with relevant iptables rules from the server
to show how I'm doing what I'm doing. Thanks again to everyone for
your help.

Greg


-- 
web site: http://www.gregn..net
gpg public key: http://www.gregn..net/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
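Added example, not part of Greg's or Bonno's mail: a small POSIX shell generator for the two pieces of the setup the thread describes, the per-client ccd entry that pins the laptop to a fixed VPN address and the DNAT/SNAT pair that maps the public address onto it. It only prints the rules (dry run), so it can be inspected before anything is applied. The interface names eth0 and tun0, the use of "topology subnet" with a /24 netmask, the ccd directory path, and the stateful FORWARD rules are assumptions added here; the thread only shows the two nat rules.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the OpenVPN ccd entry and the
# iptables rules that expose one VPN client under one public address.
# Assumed (not in the original mails): WAN interface eth0, tun interface tun0,
# "topology subnet" on the server, client-config-dir /etc/openvpn/ccd.

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o; do [ "$o" -le 255 ] || exit 1; done
        exit 0
    )
}

# $1 = VPN address to pin, $2 = netmask. The output is the content of the file
# /etc/openvpn/ccd/<common name of the client certificate> (assumed path).
gen_ccd_entry() {
    valid_ipv4 "$1" || return 1
    printf 'ifconfig-push %s %s\n' "$1" "$2"
}

# $1 = public IP, $2 = VPN client IP, $3 = WAN interface, $4 = tun interface.
# Prints the nat mapping from the thread plus FORWARD rules limited to that
# one client, so the NAT does not silently open forwarding for the whole tun.
gen_nat_rules() {
    pub=$1; vpn=$2; wan=$3; tun=$4
    valid_ipv4 "$pub" && valid_ipv4 "$vpn" || return 1
    cat <<EOF
# Inbound: packets for $pub arriving on $wan are rewritten to the VPN client $vpn
iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $vpn
# Outbound: packets from $vpn leaving via $wan carry the public source $pub
iptables -t nat -A POSTROUTING -o $wan -s $vpn -j SNAT --to-source $pub
# Forwarding: only the mapped client, stateful; narrow with --dport if the
# laptop should only be reachable on specific services
iptables -A FORWARD -i $wan -o $tun -d $vpn -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -o $wan -s $vpn -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Dry run with the constructed addresses used in the thread.
gen_ccd_entry 10.1.1.3 255.255.255.0
gen_nat_rules 1.2.3.3 10.1.1.3 eth0 tun0
```

The ccd file must be named exactly after the common name in the laptop's certificate and the server config needs `client-config-dir /etc/openvpn/ccd` for the push to take effect; the DNAT is matched before FORWARD, which is why the forward rules test against the VPN address rather than the public one.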
