Date: Fri, 19 Dec 2008 12:54:43 -0800 From: Noah Silverman <noah@webclipping.com> To: freebsd-net@freebsd.org Subject: Re: Surf outside Internet through VPN Message-ID: <AE0C157F-936A-4DA7-B3DA-6EA652199623@webclipping.com> In-Reply-To: <20081219200058.GA86470@citylink.fud.org.nz> References: <E35F3ECA-9084-4C96-B4CE-D51E8E76A4A0@webclipping.com> <20081219200058.GA86470@citylink.fud.org.nz>
Thanks for all the replies. I think that I need to better explain what I'm trying to do....

My company has a small server farm that is co-located at a major ISP. In that farm we have a machine that acts as a small webserver and pop server. Since that webserver is already "exposed" to the public, I thought it would make a good choice as a VPN server for a few of our guys who travel and/or connect from home.

Right now, I have openVPN working, certificates exchanged and signed, etc. I can remotely connect and set up a tunnel easily. I can ssh to the openVPN server using 10.0.8.1 and it works. I CAN'T surf the web or get outside the netblock of my openVPN.

For this e-mail, let's assume the public IP of the webserver is 123.123.123.100.

This was my plan:

1) Set up openVPN on the webserver with a TUN interface.
2) Remote workers can then connect to the openVPN running on 123.123.123.100.
3) Remote workers can now access our pop and smtp email at 10.0.8.1 (address from openVPN).
4) When remote workers surf the web or connect to other outside services, they appear to come from 123.123.123.100 (address of webserver).
5) Remote workers need to access some "admin" pages on the webserver. Again, this should be easy as they could connect to 10.0.8.1 to get to the webserver through the VPN tunnel. We can then add rules to the webserver to only allow admin access from the 10.0.8.x block.
6) Remote workers can access services on our other servers through various firewalls because we have a simple rule in those firewalls allowing traffic in from 123.123.123.100.

The "big picture" was to "standardize" the way remote workers connect, and to make sure all their traffic comes from the same IP address. That way we can manage rules for firewall, email relaying, mysql access, etc.
Here are the key config settings for openVPN that I have set up now:

proto udp
dev tun
server 10.0.8.0 255.255.255.0
push "route 10.0.8.0 255.255.255.0"
push "redirect-gateway"
client-to-client

My guess is that I'm missing some very basic config line or routing setup. Here are some interesting observations:

############
On the client (remote laptop) I see some strange things in "netstat -rn"; the first line is:

Destination        Gateway            Flags    Refs      Use  Netif Expire
0/1                10.0.8.5           UGSc        6       74   tun0

Why is the gateway coming in as "10.0.8.5"?? I thought my gateway would be 10.0.8.1 from openVPN. Why did it skip to "5"?

##############
On the webserver (openVPN host) "netstat -rn" gives me the following:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            123.123.123.1      UGS         0 10514423    em0
10.0.8/24          10.0.8.2           UGS         0      436   tun0

Why is the gateway "10.0.8.2"?? Shouldn't it be "10.0.8.1"??

##############
On the webserver (openVPN host) an ifconfig shows some odd results:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.0.8.1 --> 10.0.8.2 netmask 0xffffffff
        Opened by PID 52970

What is the reference to '10.0.8.2'?? I didn't put that in.

Any and all help, suggestions, ideas, etc. would be greatly appreciated!!

Thanks!!

-N

On Dec 19, 2008, at 12:00 PM, Andrew Thompson wrote:

> On Fri, Dec 19, 2008 at 03:23:57AM -0800, Noah Silverman wrote:
>> Hello,
>>
>> I want to find a way to pass ALL traffic from my laptop THROUGH my office
>> VPN and then out to the Internet. This is a "road warrior" setup. This
>> gives me a few benefits: 1) I can check my email securely through VPN. 2)
>> No matter where I am, I will always have the external IP of my VPN server
>> when accessing the web.
>>
>> I have set up a VPN. Was able to get it working with either tun or tap
>> interfaces. That part seems OK.
>>
>> Now what?? (I can see and connect to the VPN server with '10.0.8.1'
>> easily. I can't see or connect to the outside world.)
>> Do I need to add
>> some kind of special route in the routing table?
>>
>> Would this be better as a tun or using a bridge through tap?
>
> Have you considered just using a http/socks proxy? It would do away with
> all the routing magic.
>
> Andrew
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE0C157F-936A-4DA7-B3DA-6EA652199623>
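The server-side pieces the plan in the message still needs, as an added example that is not part of the original thread: once the client's default route points into the tunnel, the FreeBSD host has to forward the packets and translate the 10.0.8.0/24 source addresses to 123.123.123.100 on em0, otherwise replies from the Internet never come back, and that is exactly the "can reach 10.0.8.1 but nothing outside" symptom. The script below stages an OpenVPN server.conf, a pf.conf and an rc.conf.local fragment under a prefix of your choice, and can apply them live as root. The interface, addresses and the "admin pages only from 10.0.8.x" rule come from the message; the admin-page port 8443, the resolver 123.123.123.53 and the certificate file names are assumptions. The 10.0.8.2 and 10.0.8.5 addresses the poster asks about are what OpenVPN 2.x does by default with a tun interface (net30 topology: the server's own endpoint pair is 10.0.8.1 -> 10.0.8.2 and each client gets its own /30, the first being 10.0.8.6 with peer 10.0.8.5), so the script leaves the topology alone.

```shell
#!/bin/sh
# Added example (not from the thread): stage or apply the FreeBSD-side
# config that lets OpenVPN road-warrior clients reach the Internet via
# the server's public address.  From the message: em0, 123.123.123.100,
# 10.0.8.0/24, server tun endpoint 10.0.8.1.  Assumed: admin pages on
# TCP 8443, resolver 123.123.123.53, certificate/key paths.
#
# Usage:  sh vpn-gw.sh stage /tmp/stage    # write files under a prefix
#         sh vpn-gw.sh apply               # as root on the FreeBSD host

write_file() {            # write_file <path>   (content on stdin)
    mkdir -p "$(dirname "$1")"
    cat > "$1"
}

stage_configs() {         # stage_configs <prefix>
    prefix=$1

    # "def1" adds 0/1 and 128/1 routes instead of replacing the client's
    # default route, so the route back to the VPN server itself survives.
    # "server" already pushes the 10.0.8.0/24 route; client-to-client is
    # optional and not needed for Internet access.
    write_file "$prefix/usr/local/etc/openvpn/server.conf" <<'EOF'
proto udp
port 1194
dev tun
# assumed file names; keep the ones already in use
ca   /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key  /usr/local/etc/openvpn/server.key
dh   /usr/local/etc/openvpn/dh1024.pem
server 10.0.8.0 255.255.255.0
push "redirect-gateway def1"
# assumed resolver; Windows clients apply this, others need an up script
push "dhcp-option DNS 123.123.123.53"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF

    # pf: translation rules must precede filter rules.  No blanket block
    # is added, so the host's existing policy stays as it is.
    write_file "$prefix/etc/pf.conf" <<'EOF'
ext_if     = "em0"
vpn_if     = "tun0"
vpn_net    = "10.0.8.0/24"
pub_ip     = "123.123.123.100"
admin_port = "8443"

# Tunnel traffic leaves em0 as the public address, which is what the
# other firewalls' "allow from 123.123.123.100" rules expect.
nat on $ext_if from $vpn_net to any -> $pub_ip

# Admin pages (assumed port): reachable only through the tunnel.
block return in quick on $ext_if proto tcp from any to $pub_ip port $admin_port
pass in quick on $vpn_if proto tcp from $vpn_net to 10.0.8.1 port $admin_port

pass in  quick on $ext_if proto udp from any to $pub_ip port 1194
pass in  on $vpn_if from $vpn_net to any
pass out on $ext_if from $pub_ip to any keep state
EOF

    # gateway_enable turns on net.inet.ip.forwarding at boot; without it
    # the host silently drops the forwarded client packets.
    write_file "$prefix/etc/rc.conf.local" <<'EOF'
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
EOF
}

apply_live() {            # run as root on the FreeBSD host
    if [ "$(uname -s)" != FreeBSD ] || [ "$(id -u)" -ne 0 ]; then
        echo "apply_live: run as root on the FreeBSD host" >&2
        return 1
    fi
    tmp=$(mktemp -d) || return 1
    stage_configs "$tmp"
    cp "$tmp/usr/local/etc/openvpn/server.conf" /usr/local/etc/openvpn/server.conf
    cp "$tmp/etc/pf.conf" /etc/pf.conf
    cat "$tmp/etc/rc.conf.local" >> /etc/rc.conf.local
    sysctl net.inet.ip.forwarding=1                    # now; rc.conf makes it persist
    pfctl -nf /etc/pf.conf && pfctl -ef /etc/pf.conf   # syntax check, then load + enable
    /usr/local/etc/rc.d/openvpn restart
    pfctl -sn | grep -q '^nat on em0' && echo "NAT rule loaded"
}

case "${1:-}" in
    stage) stage_configs "${2:-/tmp/vpn-gw-stage}" ;;
    apply) apply_live ;;
esac
```

After applying, check from a connected client that `netstat -rn` shows the 0/1 and 128/1 routes via the tun peer and that an external "what is my IP" service reports 123.123.123.100; on the server, `pfctl -ss` should show state entries with the 10.0.8.x address translated to the public one.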