Keith C. Perry on 26 Sep 2014 21:00:59 -0700



Re: [PLUG] OpenVPN Question


I've managed split horizon scenarios where NATing is used with iptables DNAT and SNAT rules but you'll have to be specific with them.  It's not going to do things "automatically".

However, you might be able to do some policy routing to help reduce the iptables rules.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com


From: "John Kreno" <john.kreno@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Friday, September 26, 2014 11:56:29 PM
Subject: Re: [PLUG] OpenVPN Question

If you are trying to host services on the WAN, you can try doing source routing, but that will keep that host effectively going over the WAN for all connections. Maybe there's a way to catch only certain ports and/or related traffic. I'm almost certain that iptables isn't going to do this automatically. Even it has to rely on the ip routing table.

On Fri, Sep 26, 2014 at 10:49 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:
I have a routing question and I'm not quite sure how linux will handle
this situation.

I have a router with interfaces for the lan, wan, and I'd like to set
up a vpn as well.

I'd like to forward some wan ports to lan ports, which normally is
trivial to do.

I'd like to NAT lan traffic to the vpn, NOT the wan.  On its own I'd
think that would be pretty simple to do as well.

What I'm not sure is what will happen if I combine the two.  How can I
configure the router to NAT outgoing connections over the VPN, but
have replies to connections coming in over the wan go out over the wan
(so that is NATed as well)?  I don't want a host to try to connect via
the wan interface and have the replies go out over the VPN where
they're going to end up having the wrong IP.

Is linux iptables/etc just going to do the right thing here automatically?

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



--
John Kreno

"Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - Ben Franklin

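The policy-routing approach suggested in this thread, sketched as an added example that is not from any of the posters: connections arriving on the WAN get a conntrack mark, replies from the LAN host have that mark restored, and an `ip rule` sends marked packets to a WAN-only routing table, while everything else follows the main table out the VPN. Interface names, addresses, the port, the mark and the table number are all assumed placeholders, and the main table's default route is assumed to point at the VPN already.

```shell
#!/bin/sh
# Added example, not from the thread. Every value below is an assumed
# placeholder; override via environment variables.
WAN_IF=${WAN_IF:-eth0}; LAN_IF=${LAN_IF:-eth1}; VPN_IF=${VPN_IF:-tun0}
WAN_GW=${WAN_GW:-203.0.113.1}        # WAN next hop (documentation range)
LAN_HOST=${LAN_HOST:-192.168.1.10}   # internal server behind the port forward
FWD_PORT=${FWD_PORT:-443}            # forwarded TCP port
MARK=${MARK:-0x1}; TABLE=${TABLE:-100}

# gen_rules prints the commands, one per line, so they can be reviewed first.
#  1. Loose reverse-path filtering on the WAN: strict mode would drop inbound
#     packets whose return route (main table) points at the VPN.
#  2. A separate routing table whose only default route is the WAN gateway.
#  3. Packets carrying the firewall mark use that table.
#  4. The WAN-to-LAN port forward itself.
#  5. New connections arriving on the WAN get a connection mark.
#  6. Packets from the LAN copy the connection mark into the packet mark
#     before the routing decision, so replies follow rule 3; unmarked
#     (LAN-initiated) traffic falls through to the main table and the VPN.
#  7. LAN-initiated traffic is NATed to the VPN address. Replies to the
#     forwarded connections need no SNAT rule: conntrack reverses the DNAT.
gen_rules() {
cat <<EOF
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=2
ip route add default via $WAN_GW dev $WAN_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $LAN_HOST
iptables -t mangle -A PREROUTING -i $WAN_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
EOF
}

# Dry run by default; APPLY=1 (as root) executes the generated commands.
if [ "${APPLY:-0}" = 1 ]; then gen_rules | sh -e; else gen_rules; fi
```

After applying, `ip rule show` and `conntrack -L` (from conntrack-tools) show whether the rule is installed and whether WAN-originated flows carry the mark.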