Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 19 Dec 2008 12:54:43 -0800
From:      Noah Silverman <noah@webclipping.com>
To:        freebsd-net@freebsd.org
Subject:   Re: Surf outside Internet through VPN
Message-ID:  <AE0C157F-936A-4DA7-B3DA-6EA652199623@webclipping.com>
In-Reply-To: <20081219200058.GA86470@citylink.fud.org.nz>
References:  <E35F3ECA-9084-4C96-B4CE-D51E8E76A4A0@webclipping.com> <20081219200058.GA86470@citylink.fud.org.nz>

next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for all the replies.

I think that I need to better explain what I'm trying to do....

My company has a small server farm that is co-located at a major ISP.   
In that farm we have a machine that acts as a small webserver and pop  
server.
Since that webserver is already "exposed" to the public, I thought it  
would make a good choice as a VPN server for a few of our guys who  
travel and/or connect from home.

Right now, I have openVPN working, certificates exchanged and signed,  
etc.  I can remotely connect and setup a tunnel easily.  I can ssh to  
the openVPN server using 10.0.8.1 and it works.  I CAN'T surf the web  
or get outside the netblock of my openVPN.

For this e-mail, lets assume the public IP of the webserver is  
123.123.123.100

This was my plan:

1 )Setup openVPN on the webserver with a TUN interface.
2) Remote workers can then connect to the openVPN running on  
123.123.123.100
3) Remote workers can now access our pop and smtp email at 10.0.8.1  
(Address from openVPN.)
4) When Remote workers surf web or connect to other outside services,  
they appear to come from 123.123.123.100 (address of webserver.)
5) Remote workers need to access some "admin" pages on the webserver.   
Again, this should be easy as they could connect to 10.0.8.1 to get to  
the webserver through the VPN tunnel.  We can then add rules to the  
webserver to only allow admin access from the 10.0.8.x block.
6) Remote workers can access services on  our other servers through  
various firewalls because we have a simple rule in those firewalls  
allowing traffic in from 123.123.123.100.

The "big picture" was to "standardize" the way remote workers connect,  
and to make sure all their traffic comes from the same IP address.   
That way we can manage rules for firewall, email relaying, mysql  
access, etc.

Here are the key  config settings for openVPN that I have setup now:
proto udp
dev tun
server 10.0.8.0 255.255.255.0
push "route 10.0.8.0 255.255.255.0"
push "redirect-gateway"
client-to-client


My guess is that I'm missing some very basic config line or routing  
setup.

Here are some interesting observations:

############
On the client (remote laptop)  I see some strange things in "netstat - 
rn"
the first line is:
Destination        Gateway            Flags    Refs      Use  Netif  
Expire
0/1                10.0.8.5          UGSc        6       74   tun0

Why is the gateway coming in as "10.0.8.5"??   I thought my gateway  
would be 10.0.8.1 from openVPN.  Why did it skip to "5"

##############
On the webserver (openVPN host)  "netstat -rn" gives me the following:
Destination        Gateway            Flags    Refs      Use  Netif  
Expire
default            123.123.123.1        UGS         0 10514423    em0
10.0.8/24         10.0.8.2          UGS         0      436   tun0

Why is the gateway "10.0.8.2"??  Shouldn't it be "10.0.8.1"??

##############
On the webserver (openVPN host) an ifconfig shows some odd results

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff
	Opened by PID 52970

What is the reference to '10.0.8.2'??  I didn't put that in.


Any and all help, suggestions, ideas, etc would be greatly appreciated!!

Thanks!!

-N



On Dec 19, 2008, at 12:00 PM, Andrew Thompson wrote:

> On Fri, Dec 19, 2008 at 03:23:57AM -0800, Noah Silverman wrote:
>> Hello,
>>
>> I want to find a way to pass ALL traffic from my laptop THROUGH my  
>> office
>> VPN and then out to the Internet.  This is a "road warrior" setup.  
>> This
>> gives me a few benefits:  1) I can check my email securely through  
>> VPN.  2)
>> No matter where I am, I will always have the external IP of my VPN  
>> server
>> when accessing the web.
>>
>> I have setup a VPN.  Was able to get it working with either tun or  
>> tap
>> interfaces.  That part seems OK.
>>
>> Now what??  (I can see and connect to the VPN server with '10.0.8.1'
>> easily.  I can't see or connect to the outside world.)  Do I need  
>> to add
>> some kind of special route in the routing table?
>>
>> Would this be better as a tun or using a bridge through tap?
>
> Have you considered just using a http/socks proxy?, it would do away  
> with
> all the routing magic.
>
> Andrew
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE0C157F-936A-4DA7-B3DA-6EA652199623>