Keith C. Perry on 28 Sep 2014 09:58:34 -0700 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
Re: [PLUG] OpenVPN Question |
Ok, I actually have some similar things going on here too. I run 3 inbound VPN instances (tun0 - tun2) on server that also runs 2 customers vm. One on the public bridge (br0) interface and one on the private interface (br1). My NAT rules allow VPN clients to go into the private or public net so I can use the MASQUERADE targets of each of their nets. This server also acts as the gateway for the private network so it has a MASQUERADE rule for that. If I brought up a tun3 for outbound use and wanted to route either of those vm's out that way, as far as I know, the only thing I have to do is use a SNAT target rule to the tun3 IP endpoint (i.e the far side) for the IP of the vm I want routed out. I don't think I have to do anything inside the vm (container). The only difference I see is that you are putting NAT rules inside the container to begin with. This might be a case of context- either they ALL go on the host or they ALL go inside the containers. ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Keith C. Perry, MS E.E. Owner, DAO Technologies LLC (O) +1.215.525.4165 x2033 (M) +1.215.432.5167 www.daotechnologies.com ----- Original Message ----- From: "Rich Freeman" <r-plug@thefreemanclan.net> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org> Sent: Sunday, September 28, 2014 7:43:59 AM Subject: Re: [PLUG] OpenVPN Question On Sat, Sep 27, 2014 at 10:42 PM, Keith C. Perry <kperry@daotechnologies.com> wrote: > > Also, I'm not sure how these "containers" fit into the equation. > Sounds like a docker or VM thing- are you trying to NAT (actually port > forward would be the term) traffic to certain "containers" once the > OpenVPN connection is established? > Imagine a physical linux box with one NIC eth0 - IP is 192.168.0.1. You launch openvpn and now you have tun0 with IP of 10.0.0.1. I want to forward all traffic received on eth0 to tun0. Now, imagine that this isn't a physical box, but just a container. So, instead of eth0 the "NIC" is a virtual interface vb-vpn which is connected to a bridge interface brhost on the host which is connected to the eth0 on the host. brhost has the IP which the incoming connections from the router happen to be coming in on. So, within the container the iptables rules should NAT all connections from vb-vpn to tun0. Outside of the container the iptables rules on the host should not interfere with traffic bound for containers (which have their own IPs), but they should ensure that reply traffic coming in for the host goes out to the real router and not to the vpn container running on the host. I believe Lee actually does something similar but he is doing it with vmware and he wouldn't have anything running on the host as a result other than whatever kind of management interface it has, and whatever solution vmware has for virtual networking isn't going to work for linux in general. My "real" router is still running openwrt (which is also based on linux). It does fine, but the CPU is underpowered for putting 50Mbps over the VPN. -- Rich ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug