Rich Freeman on 23 Sep 2014 13:15:20 -0700



Re: [PLUG] Router Projects and VPNs


Thanks for the info you provided - below is just the bit that needs
clarification.

On Tue, Sep 23, 2014 at 3:33 PM, brent timothy saner
<brent.saner@gmail.com> wrote:
>
> On 09/23/2014 03:05 PM, Rich Freeman wrote:
>> I have a Buffalo router that uses DD-WRT currently (though with a
>> heartbleed-vulnerable version of openssl), and was thinking about
>> changing my router setup, possibly including changing firmwares or
>> even implementing another router.
>>
>> Here are some of the features I was thinking about implementing, and
>> I'd like some opinion on whether any of the DIY projects out there
>> support this stuff:
>>
>> 1.  Obtain IP from ISP.  The IP assigned by the ISP should be
>> obtainable from within the LAN via some kind of interface (and not
>> just checkmyip/etc).
>
> [bts@workhorse ~]$ curl -s http://icanhazip.com
> 98.115.27.97
> [bts@workhorse ~]$

That will return the proxy IP, not my ISP-assigned IP, since the
router will route curl through the VPN if that originates within the
LAN.  I could run that on the router itself and get the IP, but from
there I could just check the interface list more reliably.

In the example below, I want to obtain 5.6.7.8, not 4.5.6.8.


>
>> 2.  Set up outgoing tunnel via a VPN to a proxy (flexibility may be
>> useful here so that I am not constrained in my choice of proxy).
>> Outgoing connections should use this route by default.
>
> why proxy AND VPN? ideally, one or the other should suffice. but i can
> help with this if it's via openvpn[0].

A VPN is the mechanism used to communicate with the proxy.  As in:
Client 192.168.1.2 -> Router 192.168.1.1 -> Router VPN IP 10.1.2.3 ->
Router WAN IP 5.6.7.8 -> ISP -> Internet -> Proxy Internet IP 4.5.6.7
-> Proxy VPN IP 10.1.2.4 -> proxy internal network -> Proxy Internet
IP 4.5.6.8 -> Internet -> destination

The VPN connects the router to the proxy over the internet, and the
proxy then forwards the traffic to wherever it is really going.

>
>> 4.  Allow for incoming connections direct to the ISP-assigned IP (not
>> via the proxy VPN), and these should be forwarded per a rules table.
>
> I'm not totally clear what you mean here; can you elaborate?

The incoming connection is made to 5.6.7.8 in the example above, not
to 4.5.6.7.

So, the router has interfaces:
wan
vpn-out
lan
wifi

The default route should be vpn-out.
The vpn should connect out to the proxy over wan, and place tunneled
traffic on vpn-out.
Incoming connections from wan should be routed to lan via a rules set.
Traffic from lan should be routed to wan via the default route.
New connections from vpn-out should probably be dropped, or at least
should use a different set of rules than traffic from wan.
Traffic from wifi should go to vpn-out via the default route, and any
traffic to lan should be filtered ideally.

>
>> 6.  Optional, but it would be ideal if I can control WiFi traffic to
>> the rest of the LAN, ideally not using NAT in-between (obviously
>> traffic to the internet would use NAT).
>
> VLAN tagging may be what you want here for your APs. How this is
> configured depends on the APs. (Sidenote; I highly recommend the
> Ubiquiti Unifi APs as they run linux- you can ssh right into them- but
> have a fantastic *centralized* web GUI and support VLAN tagging right
> out of the box)

Possibly.  Or I might just treat the Wifi as a separate interface and
filter it.

>
> I'm on a dedicated linux routerbox right now that does everything you
> mentioned above and a bit more. :) It takes a bit to set up, but it's
> worth it- much more flexible than a GUI-based one, for sure. I'd be more
> than happy to share configs if you'd like.

Thanks.  I could also do a lot more with traffic shaping with such a
config as has come up in past PLUG meetings.

>
> I use this:

Thanks for this and other data I didn't reply to in your email.  It
will all be helpful!

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
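Editor's added example, not from the thread or from either poster: a sketch of the router Rich describes (interfaces wan, vpn-out, lan and wifi, default route into the VPN, connections arriving on the ISP address answered back out the ISP side, WiFi kept off the wired LAN). Everything concrete here is assumed for illustration: the interface names eth0/tun0/eth1/wlan0, routing table 100, connection mark 0x1, an openvpn tunnel that is already up with the main table's default route pointing into it, and a single port-forward entry (tcp/22 to 192.168.1.2) standing in for the rules table. DRY_RUN=1 prints the commands instead of running them, which is how the rule set can be reviewed off the router; the first_global_v4 helper is the answer to item 1, reading the ISP-assigned address off the WAN interface instead of asking a web service that would see the proxy's address.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): policy routing and firewall for a
# Linux router with wan / vpn-out / lan / wifi. Interface names, table number,
# mark value and the port-forward entry are assumptions for illustration.
# DRY_RUN=1 prints each command instead of executing it.

WAN=${WAN:-eth0}              # ISP-facing interface (5.6.7.8 in the thread's example)
VPN=${VPN:-tun0}              # "vpn-out": openvpn tunnel to the proxy
LAN=${LAN:-eth1}
WIFI=${WIFI:-wlan0}
WAN_TABLE=${WAN_TABLE:-100}   # routing table whose default route is the ISP gateway
WAN_MARK=${WAN_MARK:-0x1}     # conntrack mark for connections that arrived on WAN
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Item 1: read the ISP-assigned address from the WAN interface itself. An
# external "what is my IP" service would answer with the proxy's address,
# because LAN traffic leaves through the VPN. Parsing is split out so it can
# be exercised on captured "ip -4 -o addr" output.
first_global_v4() {
    awk '$3 == "inet" && /scope global/ { sub("/.*", "", $4); print $4; exit }'
}

wan_ip() {
    ip -4 -o addr show dev "$WAN" | first_global_v4
}

# Secondary routing table that always exits via the ISP. The main table keeps
# its default route in the tunnel, so unmarked traffic goes to the proxy.
setup_wan_table() {
    gw=$1   # ISP gateway, e.g. taken from the DHCP lease on $WAN
    run ip route replace default via "$gw" dev "$WAN" table "$WAN_TABLE"
    # Marked packets consult the WAN table before the main table.
    run ip rule add fwmark "$WAN_MARK" lookup "$WAN_TABLE" priority 100
    # Strict reverse-path filtering would discard replies that leave on a
    # different interface than the default route; loose mode (2) is required.
    run sysctl -qw net.ipv4.conf.all.rp_filter=2
}

setup_firewall() {
    # Item 4: a connection whose first packet arrived on WAN is tagged in
    # conntrack, and the tag is copied back onto every later packet of that
    # connection (including the LAN host's replies), so replies are routed
    # out WAN rather than into the VPN.
    run iptables -t mangle -A PREROUTING -i "$WAN" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$WAN_MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

    # The forwarding rules table: one assumed entry, ssh to a LAN host.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j DNAT --to-destination 192.168.1.2:22

    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d 192.168.1.2 --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # New connections arriving through the tunnel are dropped: the VPN is an
    # outbound path, not a second WAN.
    run iptables -A FORWARD -i "$VPN" -m conntrack --ctstate NEW -j DROP
    # Item 6: WiFi reaches the internet (through the VPN default route) but is
    # filtered away from the wired LAN, with no NAT between the two segments.
    run iptables -A FORWARD -i "$WIFI" -o "$LAN" -j DROP
    run iptables -A FORWARD -i "$WIFI" -o "$VPN" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    # Internet-bound traffic is NATed on whichever external interface the
    # routing decision picked.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$VPN" -j MASQUERADE
}

# Usage on the router: sh router-policy.sh apply <isp-gateway>
if [ "${1:-}" = apply ]; then
    setup_wan_table "$2"
    setup_firewall
    echo "ISP-assigned address: $(wan_ip)"
fi
```

The CONNMARK pair is the part that makes Rich's item 4 work: without it, a SYN that comes in on 5.6.7.8 gets its reply routed by the main table, i.e. into the tunnel, and the proxy emits it from 4.5.6.8, which the remote peer never connected to. The VPN's own control connection to the proxy is unaffected because openvpn's redirect-gateway installs a host route for the server through the original ISP gateway before replacing the default.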