Lee H. Marzke on 28 Sep 2014 11:11:35 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] OpenVPN Question



----- Original Message -----
> From: "Keith C. Perry" <kperry@daotechnologies.com>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Saturday, September 27, 2014 10:42:44 PM
> Subject: Re: [PLUG] OpenVPN Question
> 
> Welcome to the club !! :)  I've been using Linux for my router or security
> devices for years now.  I can't see doing things any other way.  Its one of
> the reasons I'm so excited about ARM devices (i.e. I can reduce physical
> space and power needs without the loss of functionality).

Keith,

Of course if you switched to virtual devices your power and physical space would be
virtually zero !    Are you running Docker or just Xen ?

But after this discussion on how difficult routing is, maybe that is why few
people seem to be using virtual routers on Linux. 

*** Drifing off topic a bit ***

This is all much simpler on vSphere, it is almost just like wiring physical networks.
You create a 'virtual' network , identified by vLAN.   The vLAN ID's are stripped
and added at the virtual switch,  so the VM's are not aware of the VLAN's. ( But they
could be if desired )

I connect VM's to this virtual network ( via a pick list in the VM config).    This
virtual network is then routed just like any other network.  I currently attach virtual
networks to a new vNIC on my pFsense virtual router ,  and then setup SNAT or DNAT
rules as needed for that network.   I can add quite a number of networks this way
that are all independent.  Cisco style private VLAN's are also supported on the
vSphere switch but inter-switch traffic requires a physical switch with pvlan support.

In the future I'll be converting this to NSX in which VMware virtualizes
not the hypervisor,  but the networking components.   This means that all your
DNS, DHCP, routing, NAT, and  VPN  is done via NSX.  So  ESXi provides
compute virtualization, and NSX provides network virtualization.   NSX
is vMotion aware ,  meaning that network security and state follow the VM
as it moves.

Docker containers are also being supported by VMware so you get all the VMware advantages
along with the ability to run a dozen isolated docker apps in a single VM.  A
different VM , running a different kernel ( or even Windows)  could run docker
instances on that OS.

Lee



> Anyway...
> 
> I'm not sure you need the route policies if the connections are terminating
> on the box (you said these were incoming connections).  You can "route" the
> traffic with just rules in the PREROUTING (or INPUT- newer feature I think)
> chain of NAT table.
> 
> Also, I'm not sure how these "containers" fit into the equation.  Sounds like
> a docker or VM thing- are you trying to NAT (actually port forward would be
> the term) traffic to certain "containers" once the OpenVPN connection is
> established?
> 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> Keith C. Perry, MS E.E.
> Owner, DAO Technologies LLC
> (O) +1.215.525.4165 x2033
> (M) +1.215.432.5167
> www.daotechnologies.com
> 
> ----- Original Message -----
> From: "Rich Freeman" <r-plug@thefreemanclan.net>
> To: "Philadelphia Linux User's Group Discussion List"
> <plug@lists.phillylinux.org>
> Sent: Saturday, September 27, 2014 10:13:51 PM
> Subject: Re: [PLUG] OpenVPN Question
> 
> On Fri, Sep 26, 2014 at 11:56 PM, John Kreno <john.kreno@gmail.com> wrote:
> > If you are trying to host services on the WAN, you can try doing source
> > routing, but that will keep that host effectively going over the WAN for
> > all
> > connections. Maybe there's a way to catch only certain ports and or related
> > traffic. I'm almost certain that IPtables isn't going to do this
> > automatically. Even it has to rely on the ip routing table.
> 
> Ok, I managed to get everything working with the openwrt mwan3 module
> (which apparently uses connection tracking to match packets up with
> the right interface).
> 
> However, I've found that my VPN is CPU-bound running on the router.  :)
> 
> So, now I'm thinking about setting up another host on the network to
> be my vpn gateway.
> 
> If I only had outgoing traffic I'd just make the vpn the default
> gateway for all hosts on the network except the vpn gateway, and make
> the actual router the gateway for the vpn host (I don't care about
> non-vpn traffic originating on the vpn host itself).
> 
> However, I'll still have traffic forwarded from the router to a host
> on the network, while wanting the bulk of traffic originating from
> that host to go to the vpn gateway.
> 
> So, I'm moving my routing problem from the router to my host.  The
> good news is that this host runs a standard distro and doesn't have
> any iptables rules/etc already on it, which gives me more flexibility.
> 
> One other detail - the vpn host is going to just be a container
> bridged to the same ethernet as the host whose packets need special
> treatment.  I don't think this is necessarily an issue, since they're
> different interfaces as far as the kernel is concerned.  The container
> would have its own routing table and I don't think any host iptables
> rules would apply to it.
> 
> It seems like there could be two strategies here.  One would be to try
> to identify incoming connections and then use a routing table for
> those connections.  All incoming connections would come from either
> the lan (where the default route doesn't matter), or the router (which
> is where the table would point).
> 
> The other strategy would be to use the local port - since these are
> all incoming connections the local port number is going to be
> something like 22, 25, 80, etc - I could route any connection that has
> this as the port on the local system to use the table with the router
> as the default gateway.  I'm not going to have outgoing connections
> from these ports in general, as would be expected (and if I did for
> some reason I don't really care if it goes out over the router).
> 
> Anybody have a rule that would work?  The closet thing I've found so
> far is something like this:
> iptables -A PREROUTING -t mangle -p tcp --dport 22 --set-mark 0x1 -j CONNMARK
> echo "200 ssh" >> /etc/iproute2/rt_tables
> ip rule add fwmark 1 table ssh
> ip route add default dev eth0 via 192.168.1.2 table ssh
> 
> (from
> http://unix.stackexchange.com/questions/1194/multigateway-routing-for-specific-src-port
> )
> 
> The only thing I'm not quite sure about is whether that should be
> source or destination port.  I'm not sure if that rule is intended to
> run when the packets come in, or when they go out.  I would just have
> one table, and then mark connections for each desired port.
> 
> Why is it that I can't have normal questions?
> 
> --
> Rich
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke, lee@marzke.net http://marzke.net/lee/ 
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
+1 800-393-5217 office +1 484-348-2230 fax 
+1 610-564-4932 cell sip://8003935217@4aero.com VOIP 


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug