Re: [PLUG] OpenVPN Question

Rich Freeman on 28 Sep 2014 04:44:05 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] OpenVPN Question

From: Rich Freeman <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] OpenVPN Question
Date: Sun, 28 Sep 2014 07:43:59 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=exLZ9mwk72en0kHSk6/pJbBPQ7ehwcOTJlSsDRQNpXc=; b=XTgZk23tlad5Y8sXdsAk+93nEMvCS9AVz9KIaqTSHMZ3ArnBjYI8WmhnX1F1zNN7ep AvUBFbSdMrDco4TBrXZAwLrrX3Ys6cD8HaUN4OwhuMy8N2vwTBtsbTvmCArcbd30yR1O 7PKUtcsSU3cSO63ymVkhynQRykAJLyXaIjHSuy3SH2jkKR5sDLRQzY6fu6ISnwTsOH8A xY5l6VGSM4u/TIYXdbTRB5FkUeXty4s42Y1GY89nlalLVABOPv6/w8YIP9j0sdGWMBpD LaFBQY1ddrOZ4td9GbHENajb7C59LQhEfS3aJ6xXRTxUxhTd2///ZrqMn6XYbC0ckeuf fy+g==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

On Sat, Sep 27, 2014 at 10:42 PM, Keith C. Perry
<kperry@daotechnologies.com> wrote:
>
> Also, I'm not sure how these "containers" fit into the equation.
> Sounds like a docker or VM thing- are you trying to NAT (actually port
> forward would be the term) traffic to certain "containers" once the
> OpenVPN connection is established?
>

Imagine a physical linux box with one NIC eth0 - IP is 192.168.0.1.
You launch openvpn and now you have tun0 with IP of 10.0.0.1.

I want to forward all traffic received on eth0 to tun0.

Now, imagine that this isn't a physical box, but just a container.
So, instead of eth0 the "NIC" is a virtual interface vb-vpn which is
connected to a bridge interface brhost on the host which is connected
to the eth0 on the host.  brhost has the IP which the incoming
connections from the router happen to be coming in on.

So, within the container the iptables rules should NAT all connections
from vb-vpn to tun0.  Outside of the container the iptables rules on
the host should not interfere with traffic bound for containers (which
have their own IPs), but they should ensure that reply traffic coming
in for the host goes out to the real router and not to the vpn
container running on the host.

I believe Lee actually does something similar but he is doing it with
vmware and he wouldn't have anything running on the host as a result
other than whatever kind of management interface it has, and whatever
solution vmware has for virtual networking isn't going to work for
linux in general.

My "real" router is still running openwrt (which is also based on
linux).  It does fine, but the CPU is underpowered for putting 50Mbps
over the VPN.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

References:
- [PLUG] OpenVPN Question
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] OpenVPN Question
  - From: John Kreno <john.kreno@gmail.com>
- Re: [PLUG] OpenVPN Question
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] OpenVPN Question
  - From: "Keith C. Perry" <kperry@daotechnologies.com>

Prev by Date: Re: [PLUG] OpenVPN Question
Next by Date: Re: [PLUG] OpenVPN Question
Previous by thread: Re: [PLUG] OpenVPN Question
Next by thread: Re: [PLUG] OpenVPN Question
Index(es):
- Date
- Thread