Re: [PLUG] OpenVPN Question

Rich Freeman on 27 Sep 2014 03:36:18 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] OpenVPN Question

From: Rich Freeman <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] OpenVPN Question
Date: Sat, 27 Sep 2014 06:36:12 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=N0/ck4kUOdh32c9VI7smbS4Li04GUgaRpDWxS2s/VW0=; b=mYo3AmOqKK1ogU01unPBsxejAAEgJRYVNynrHsSKSSdpDVH/rIhEcF+v8ThRErJZtz KlmtqDK/YFTrJKzriypGUkMqwr2KsoZvGZ+Bb4wKgOYBOBiXOZSsc5QdY5HayLzhSzQJ q6PvmXYQz5ODw/QIaHMDtew2HnD54u9dYBs0LhDz0PBdimuAOXhW6zi14oHpzOA9PwN4 6wc3rczTmv1gqVV4GkWVeG1iE7E3dwXhr6VFDRZxGiDDWQkzUCtjDl1pafv39wUTnrCy A3axD4aYtjOYMZwl0fjVCCxnZmIrmqP34Nv8V6hwLvlQ0sq7ihTxiyXpsxUUkgGII+ys 4tHw==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

On Fri, Sep 26, 2014 at 11:56 PM, John Kreno <john.kreno@gmail.com> wrote:
> If you are trying to host services on the WAN, you can try doing source
> routing, but that will keep that host effectively going over the WAN for all
> connections. Maybe there's a way to catch only certain ports and or related
> traffic. I'm almost certain that IPtables isn't going to do this
> automatically. Even it has to rely on the ip routing table.

Yeah, I did find a few hints so far:
http://linux-ip.net/html/adv-multi-internet.html
https://forum.openwrt.org/viewtopic.php?id=34263

The first uses source routing and suggests giving hosts multiple IPs,
forward traffic from each interface to a particular IP, and then use
source routing to get the traffic back to the correct interface.  That
would actually work just fine for me, especially since I really only
have one host I forward to anyway.

The other uses some rules to theoretically track the connections and
send them to the right place, but it has been a while since I've used
iptables (pre-netfilter days I think) so I can't vouch for whether
this will work.

The other issue I'll have to deal with is how to properly configure
openwrt.  That would have been the advantage of building my own box -
at least I'd understand how the init system worked.  With OpenWRT I'm
going to end up with a mix of gui and hand-created config files and
the need to make sure things get loaded in the right order (the VPN
interface obviously won't exist pre-VPN), and I'd like the config to
survive upgrades and such.  That could take some trial and error.  The
same would be true if I used any distro other than Gentoo - nothing
wrong with them per-se but every distro has its way of doing config so
that the distro doesn't blow it all away on package updates.  Gentoo's
method is config protection - files in /etc (and other places) are
never overwritten in place and tools exist to merge changes.  There is
a bit of a trend to combining that with the Fedora approach of distro
in /usr, overrides in /etc.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] OpenVPN Question
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] OpenVPN Question
  - From: John Kreno <john.kreno@gmail.com>

Prev by Date: Re: [PLUG] OpenVPN Question
Next by Date: [PLUG] 2 Nics, DHCP and no default gateway
Previous by thread: Re: [PLUG] OpenVPN Question
Next by thread: Re: [PLUG] OpenVPN Question
Index(es):
- Date
- Thread