brent timothy saner on 23 Sep 2014 16:26:04 -0700


Re: [PLUG] Router Projects and VPNs


On 09/23/2014 04:15 PM, Rich Freeman wrote:
>>> 1.  Obtain IP from ISP.  The IP assigned by the ISP should be
>>> obtainable from within the LAN via some kind of interface (and not
>>> just checkmyip/etc).
>>
>> [bts@workhorse ~]$ curl -s http://icanhazip.com
>> 98.115.27.97
>> [bts@workhorse ~]$
> 
> That will return the proxy IP, not my ISP-assigned IP, since the
> router will route curl through the VPN if that originates within the
> LAN.  I could run that on the router itself and get the IP, but from
> there I could just check the interface list more reliably.
> 
> In the example below, I want to obtain 5.6.7.8, not 4.5.6.8.
> 

OH, I see. You can actually just specify the interface/gateway to take
in the router's routing table for whatever IP checking service you want
to use, and all clients will inherit that if they're using your router
for the gateway! :)

e.g.:
[bts@workhorse ~]$ nslookup icanhazip.com
Server:		192.168.3.1
Address:	192.168.3.1#53

Non-authoritative answer:
Name:	icanhazip.com
Address: 23.253.218.205

SO, then we'd:

[root@routerbox ~]# ip route add 23.253.218.205 via <IP address of ISP gateway> dev eth0
(or whatever eth0's equivalent would be)

That would cause not only the router but also all LAN members under that
router to use the ISP IP *only for that IP* (23.253.218.205).


>>> 2.  Set up outgoing tunnel via a VPN to a proxy (flexibility may be
>>> useful here so that I am not constrained in my choice of proxy).
>>> Outgoing connections should use this route by default.
>>
>> why proxy AND VPN? ideally, one or the other should suffice. but i can
>> help with this if it's via openvpn[0].
> 
> A VPN is the mechanism used to communicate with the proxy.  As in:
> Client 192.168.1.2 -> Router 192.168.1.1 -> Router VPN IP 10.1.2.3 ->
> Router WAN IP 5.6.7.8 -> ISP -> Internet -> Proxy Internet IP 4.5.6.7
> -> Proxy VPN IP 10.1.2.4 -> proxy internal network -> Proxy Internet
> IP 4.5.6.8 -> Internet -> destination
> 
> The VPN connects the router to the proxy over the internet, and the
> proxy then forwards the traffic to wherever it is really going.

Interesting, though I'd imagine that'd be incredibly bogged down... if
anything, I'd probably just run a VPN or, worst-case, the proxy traffic
over the VPN, but we all have our desires I suppose. But a proxy over
the VPN would let you run the VPN on OSI-L2.

>>> 4.  Allow for incoming connections direct to the ISP-assigned IP (not
>>> via the proxy VPN), and these should be forwarded per a rules table.
>>
>> I'm not totally clear what you mean here; can you elaborate?
> 
> The incoming connection is made to 5.6.7.8 in the example above, not
> to 4.5.6.7.
> 
> So, the router has interfaces:
> wan
> vpn-out
> lan
> wifi
> 
> The default route should be vpn-out.
> The vpn should connect out to the proxy over wan, and place tunneled
> traffic on vpn-out.
> Incoming connections from wan should be routed to lan via a rules set.

AH, my confusion; this is done by default with shorewall if you specify
routeback.

> Traffic from lan should be routed to wan via the default route.
> New connections from vpn-out should probably be dropped, or at least
> should use a different set of rules than traffic from wan.
> Traffic from wifi should go to vpn-out via the default route, and any
> traffic to lan should be filtered ideally.
> 

>> I'm on a dedicated linux routerbox right now that does everything you
>> mentioned above and a bit more. :) It takes a bit to set up, but it's
>> worth it - much more flexible than a GUI-based one, for sure. I'd be more
>> than happy to share configs if you'd like.
> 
> Thanks.  I could also do a lot more with traffic shaping with such a
> config as has come up in past PLUG meetings.
> 

Sure thing; I'll have to review and see what needs to be scrubbed... feel
free to grab me on IRC (root^2 on freenode) to remind me.

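A re-runnable version of the route pin discussed in this thread, added here as an example (it is not code from the post or from PLUG). It assumes the ISP gateway 203.0.113.1 and WAN device eth0 as placeholders, resolves the check service with getent, and validates every DNS answer before it is spliced into an `ip route` command.

```shell
#!/bin/sh
# Added example, not from the original post: emit the per-host routes that send
# an IP-check service out the ISP gateway so it bypasses the VPN default route.
# Gateway, WAN device and hostname are caller-supplied assumptions.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255. DNS answers are
# untrusted input, so nothing reaches an 'ip route' command without this check.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# bypass_route_cmds GATEWAY DEV ADDR...: print one 'ip route replace' line per
# valid ADDR. 'replace' is idempotent, so re-running after the service's DNS
# answer changes just refreshes the pin (a stale pin silently falls back to the VPN).
bypass_route_cmds() {
  gw=$1; dev=$2; shift 2
  is_ipv4 "$gw" || { echo "bad gateway: $gw" >&2; return 1; }
  case $dev in ''|*[!A-Za-z0-9._-]*) echo "bad device: $dev" >&2; return 1 ;; esac
  for ip in "$@"; do
    if is_ipv4 "$ip"; then
      printf 'ip route replace %s/32 via %s dev %s\n' "$ip" "$gw" "$dev"
    else
      echo "skipping non-IPv4 answer: $ip" >&2
    fi
  done
}

# resolve_a HOST: current IPv4 answers for HOST, one per line (needs getent).
resolve_a() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# On the router, as root (203.0.113.1/eth0 are placeholders for your ISP gateway):
#   bypass_route_cmds 203.0.113.1 eth0 $(resolve_a icanhazip.com) | sh
# Verify the pin with: ip route get 23.253.218.205  (expect 'via 203.0.113.1 dev eth0')
```

Only the listed addresses leave via the ISP; everything else still follows the VPN default route, so the pin needs refreshing whenever the service's DNS answer changes.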
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug