brent timothy saner on 23 Sep 2014 16:26:04 -0700


Re: [PLUG] Router Projects and VPNs


On 09/23/2014 04:15 PM, Rich Freeman wrote:
>>> 1.  Obtain IP from ISP.  The IP assigned by the ISP should be
>>> obtainable from within the LAN via some kind of interface (and not
>>> just checkmyip/etc).
>> [bts@workhorse ~]$ curl -s
>> [bts@workhorse ~]$
> That will return the proxy IP, not my ISP-assigned IP, since the
> router will route curl through the VPN if that originates within the
> LAN.  I could run that on the router itself and get the IP, but from
> there I could just check the interface list more reliably.
> In the example below, I want to obtain, not

OH, I see. You can actually just specify the interface/gateway to take
in the router's routing table for whatever IP checking service you want
to use, and all clients will inherit that if they're using your router
for the gateway! :)

[bts@workhorse ~]$ nslookup

Non-authoritative answer:

SO, then we'd:

[root@routerbox ~]# ip route add via <IP address of ISP gateway> dev eth0
(or whatever eth0's equivalent would be)

That would cause not only the router but also all LAN members under that
router to use the ISP IP *only for that IP* (

>>> 2.  Set up outgoing tunnel via a VPN to a proxy (flexibility may be
>>> useful here so that I am not constrained in my choice of proxy).
>>> Outgoing connections should use this route by default.
>> Why proxy AND VPN? Ideally, one or the other should suffice. But I can
>> help with this if it's via openvpn[0].
> A VPN is the mechanism used to communicate with the proxy.  As in:
> Client -> Router -> Router VPN IP ->
> Router WAN IP -> ISP -> Internet -> Proxy Internet IP
> -> Proxy VPN IP -> proxy internal network -> Proxy Internet
> IP -> Internet -> destination
> The VPN connects the router to the proxy over the internet, and the
> proxy then forwards the traffic to wherever it is really going.

Interesting, though I'd imagine that'd be incredibly bogged down. If
anything, I'd probably just run a VPN or, worst-case, the proxy traffic
over the VPN, but we all have our desires I suppose. But a proxy over
the VPN would let you run the VPN on OSI-L2.

>>> 4.  Allow for incoming connections direct to the ISP-assigned IP (not
>>> via the proxy VPN), and these should be forwarded per a rules table.
>> I'm not totally clear what you mean here; can you elaborate?
> The incoming connection is made to in the example above, not
> to
> So, the router has interfaces:
> wan
> vpn-out
> lan
> wifi
> The default route should be vpn-out.
> The vpn should connect out to the proxy over wan, and place tunneled
> traffic on vpn-out.
> Incoming connections from wan should be routed to lan via a rules set.

AH, my confusion; this is done by default with shorewall if you specify

> Traffic from lan should be routed to wan via the default route.
> New connections from vpn-out should probably be dropped, or at least
> should use a different set of rules than traffic from wan.
> Traffic from wifi should go to vpn-out via the default route, and any
> traffic to lan should be filtered ideally.

>> I'm on a dedicated linux routerbox right now that does everything you
>> mentioned above and a bit more. :) It takes a bit to set up, but it's
>> worth it- much more flexible than a GUI-based one, for sure. I'd be more
>> than happy to share configs if you'd like.
> Thanks.  I could also do a lot more with traffic shaping with such a
> config as has come up in past PLUG meetings.

Sure thing; I'll have to review and see what needs to be scrubbed. Feel
free to grab me on IRC (root^2 on freenode) to remind me.


Philadelphia Linux Users Group         --
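The routing scheme discussed in this thread (tunnel as default route, a host route that sends only the IP-checking service out via the ISP gateway, and a source rule so connections arriving on the ISP-assigned address are answered via the ISP rather than the tunnel), written out as an added example that is not from the original thread or either poster. Interface names, addresses and the table number are constructed placeholders, not values from the list.

```shell
#!/bin/sh
# Added example (not from the thread): ip(8) commands for the router design
# described above. All addresses and interface names below are constructed.
WAN_IF="eth0"          # ISP-facing interface (the thread's "wan")
VPN_IF="tun0"          # OpenVPN tunnel to the proxy (the thread's "vpn-out")
ISP_GW="203.0.113.1"   # ISP gateway, constructed example address
WAN_IP="203.0.113.42"  # ISP-assigned address, constructed
VPN_GW="10.8.0.1"      # far end of the tunnel, constructed
IPCHECK="198.51.100.7" # address the IP-checking service resolved to, constructed
ISP_TABLE="100"        # extra routing table used only for traffic that must leave via the ISP

# Print the commands that implement the design, one per line.
plan_routes() {
  # Default route is the tunnel; LAN and wifi clients using this box as
  # gateway inherit it.
  echo "ip route replace default via $VPN_GW dev $VPN_IF"
  # Host route so the IP-checking service alone is reached through the ISP.
  # If the service's DNS answer changes (CDN, round robin), re-resolve and
  # refresh this route, or the check silently goes back out via the VPN.
  echo "ip route replace $IPCHECK/32 via $ISP_GW dev $WAN_IF"
  # Connections arriving on the ISP address must be answered on the same
  # path: a source-based rule sends replies from WAN_IP into a table whose
  # default is the ISP, instead of the main table's tunnel default.
  echo "ip route replace default via $ISP_GW dev $WAN_IF table $ISP_TABLE"
  echo "ip rule add from $WAN_IP/32 lookup $ISP_TABLE priority 1000"
}

# Sanity check: how many planned routes leave via the ISP gateway.
count_isp_hops() {
  plan_routes | grep -c "via $ISP_GW "
}

# Print the plan by default; APPLY=1 runs it (needs root on the router).
if [ "${APPLY:-0}" = "1" ]; then
  plan_routes | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  plan_routes
fi
```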