brent timothy saner on 23 Sep 2014 16:26:04 -0700
Re: [PLUG] Router Projects and VPNs
On 09/23/2014 04:15 PM, Rich Freeman wrote:
>>> 1. Obtain IP from ISP. The IP assigned by the ISP should be
>>> obtainable from within the LAN via some kind of interface (and not
>>> just checkmyip/etc).
>>
>> [bts@workhorse ~]$ curl -s http://icanhazip.com
>> 98.115.27.97
>> [bts@workhorse ~]$
>
> That will return the proxy IP, not my ISP-assigned IP, since the
> router will route curl through the VPN if that originates within the
> LAN. I could run that on the router itself and get the IP, but from
> there I could just check the interface list more reliably.
>
> In the example below, I want to obtain 5.6.7.8, not 4.5.6.8.
>

OH, I see. You can actually just specify the interface/gateway to take in the router's routing table for whatever IP checking service you want to use, and all clients will inherit that if they're using your router for the gateway! :)

e.g.:

[bts@workhorse ~]$ nslookup icanhazip.com
Server:     192.168.3.1
Address:    192.168.3.1#53

Non-authoritative answer:
Name:    icanhazip.com
Address: 23.253.218.205

SO, then we'd:

[root@routerbox ~]# ip route add 23.253.218.205 via <IP address of ISP gateway> dev eth0

(or whatever eth0's equivalent would be)

That would cause not only the router but also all LAN members under that router to use the ISP IP *only for that IP* (23.253.218.205).

>>> 2. Set up outgoing tunnel via a VPN to a proxy (flexibility may be
>>> useful here so that I am not constrained in my choice of proxy).
>>> Outgoing connections should use this route by default.
>>
>> why proxy AND VPN? ideally, one or the other should suffice. but i can
>> help with this if it's via openvpn[0].
>
> A VPN is the mechanism used to communicate with the proxy. As in:
> Client 192.168.1.2 -> Router 192.168.1.1 -> Router VPN IP 10.1.2.3 ->
> Router WAN IP 5.6.7.8 -> ISP -> Internet -> Proxy Internet IP 4.5.6.7
> -> Proxy VPN IP 10.1.2.4 -> proxy internal network -> Proxy Internet
> IP 4.5.6.8 -> Internet -> destination
>
> The VPN connects the router to the proxy over the internet, and the
> proxy then forwards the traffic to wherever it is really going.

Interesting, though I'd imagine that'd be incredibly bogged down. If anything, I'd probably just run a VPN or, worst-case, the proxy traffic over the VPN, but we all have our desires I suppose. But a proxy over the VPN would let you run the VPN on OSI-L2.

>>> 4. Allow for incoming connections direct to the ISP-assigned IP (not
>>> via the proxy VPN), and these should be forwarded per a rules table.
>>
>> I'm not totally clear what you mean here; can you elaborate?
>
> The incoming connection is made to 5.6.7.8 in the example above, not
> to 4.5.6.7.
>
> So, the router has interfaces:
> wan
> vpn-out
> lan
> wifi
>
> The default route should be vpn-out.
> The vpn should connect out to the proxy over wan, and place tunneled
> traffic on vpn-out.
> Incoming connections from wan should be routed to lan via a rules set.

AH, my confusion; this is done by default with shorewall if you specify routeback.

> Traffic from lan should be routed to wan via the default route.
> New connections from vpn-out should probably be dropped, or at least
> should use a different set of rules than traffic from wan.
> Traffic from wifi should go to vpn-out via the default route, and any
> traffic to lan should be filtered ideally.
>
>> I'm on a dedicated linux routerbox right now that does everything you
>> mentioned above and a bit more. :) It takes a bit to set up, but it's
>> worth it- much more flexible than a GUI-based one, for sure. I'd be more
>> than happy to share configs if you'd like.
>
> Thanks. I could also do a lot more with traffic shaping with such a
> config as has come up in past PLUG meetings.
>

Sure thing; I'll have to review and see what needs to be scrubbed. Feel free to grab me on IRC (root^2 on freenode) to remind me.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
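An added example, not from either poster, that turns the route-pinning step discussed in the thread into a reviewable script: it parses nslookup-style output for the check service's address, composes the host route via the ISP gateway, and compares the address the service reports with the router's WAN address. The gateway and device are placeholders and the nslookup output is constructed sample text, not a live query.

```shell
#!/bin/sh
# Added example (not from the list post). Pins traffic for an IP-check
# service to the ISP gateway so LAN clients see the WAN address rather
# than the VPN/proxy address. ISP gateway and device are placeholders.

# Extract the answer "Address:" line from nslookup-style output,
# skipping the resolver's own address (the one carrying "#53").
resolve_from_nslookup() {
    printf '%s\n' "$1" | awk '
        /^Address:/ && $2 !~ /#/ { print $2; exit }
    '
}

# Build the host route command as a string so it can be reviewed
# (or logged) before it is applied on the router.
pin_route_cmd() {
    host_ip="$1"; isp_gw="$2"; wan_dev="$3"
    printf 'ip route add %s via %s dev %s\n' "$host_ip" "$isp_gw" "$wan_dev"
}

# Check: the address the service returns must equal the router's WAN
# address; a mismatch means the request still left through the VPN.
check_wan_ip() {
    observed="$1"; expected="$2"
    [ "$observed" = "$expected" ]
}

# Constructed nslookup output, shaped like the one in the thread.
SAMPLE_NSLOOKUP='Server:     192.168.3.1
Address:    192.168.3.1#53

Non-authoritative answer:
Name:    icanhazip.com
Address: 23.253.218.205'

# Stand-alone demo: resolve the sample, print the route to apply.
main_demo() {
    ip=$(resolve_from_nslookup "$SAMPLE_NSLOOKUP")
    pin_route_cmd "$ip" "<ISP gateway IP>" eth0   # placeholder gateway
}

main_demo
```

The pinned route is keyed to one resolved address, so it needs refreshing whenever the check service's DNS answer changes, and it also moves every other connection to that address off the VPN.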