phreak--- via plug on 11 Sep 2023 12:50:19 -0700



Re: [PLUG] Outgoing VPN for Entire Network


On 9/11/2023 3:16 PM, Rich Freeman via plug wrote:
> On Mon, Sep 11, 2023 at 2:47 PM Keith C. Perry via plug
> <plug@lists.phillylinux.org> wrote:
>> You're on the right track...  regardless of how complex the internals of your net are, eventually you need to leave your network via a router, so that device is where you would set up OpenVPN so traffic flowing through it is sent to your VPN end point.
> You can certainly do that, but there is no requirement that your VPN
> gateway be on the router you use to connect to the internet.  I run
> mine on a separate host.
>
> My DHCP server advertises the VPN gateway as the default network
> gateway.  The VPN gateway has a default route to my network gateway.
> So traffic is sent to the VPN gateway, and it sends it via the router.

I do something similar, where the VPNs are separate from the router, with a slightly different approach. I have a couple of site-to-site VPN tunnels that are set up as client VPNs, and I want all traffic to those networks to go over the appropriate VPNs. This way I can map drives on other LANs, SSH, etc.

To this end, I have different VMs (or physical servers) with a permanent VPN connection established. Mine are all Windows-based (SSTP or L2TP), but the details are immaterial. In Windows, Internet Connection Sharing needs to be enabled and it's a bit finicky; I'm sure there's a Linux equivalent for it but I haven't used it. The host just needs to accept traffic from other devices on the LAN and be able to forward it, which is what ICS does.

Then in my router, I have static routes assigned for the appropriate CIDR ranges to use those hosts as the routes. To make *everything* go over the VPN, I guess you could add a route for 0.0.0.0/0, though you might want to add an exception for the VPN peer itself that's a more specific match, so you don't end up with any circular routing. I haven't actually tried anything like that.

 NA
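The static-route design described in this thread (per-CIDR routes pointing at a LAN host that holds the tunnel, optionally a 0.0.0.0/0 route, and a more-specific exception for the VPN peer) can be checked before touching a real router. The following is an added example, not code from the thread or from any of the posters: it models the router's table with longest-prefix matching, simulates what happens when the tunnel host encapsulates a packet and hands it back to the router, and shows that without the /32 exception the encapsulated packet is routed straight back into the tunnel host. All addresses are constructed placeholders (documentation ranges), and the `ip route add` strings it emits are the assumed Linux equivalent of the router's static routes.

```python
import ipaddress

# Constructed placeholder addresses for this example only.
ISP_GATEWAY = "192.168.1.1"    # the router's upstream (Internet) next hop
VPN_HOST = "192.168.1.50"      # LAN host with the permanent VPN client session
VPN_PEER = "203.0.113.10"      # public address of the remote VPN endpoint (TEST-NET-3)


def build_routes(everything_via_vpn: bool, peer_exception: bool = True):
    """Return the router's static routes as (network, next_hop) pairs.

    next_hop None means the prefix is on-link (the router's own LAN).
    """
    routes = [
        ("10.20.0.0/16", VPN_HOST),   # remote site LAN, reachable only via the tunnel
        ("192.168.1.0/24", None),     # local LAN, delivered directly
    ]
    if everything_via_vpn:
        routes.append(("0.0.0.0/0", VPN_HOST))
        if peer_exception:
            # More-specific match so the tunnel's own outer packets still leave via the ISP.
            routes.append((f"{VPN_PEER}/32", ISP_GATEWAY))
    else:
        routes.append(("0.0.0.0/0", ISP_GATEWAY))
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def trace(routes, dst, max_hops=4):
    """Follow a packet from the router's point of view.

    A next hop of VPN_HOST means the tunnel host encapsulates the packet;
    the outer packet, now addressed to VPN_PEER, re-enters the router.
    Returns (hops, looped) where hops is a list of (destination, next_hop).
    """
    hops = []
    current = dst
    for _ in range(max_hops):
        nh = next_hop(routes, current)
        hops.append((current, nh))
        if nh != VPN_HOST:
            return hops, False          # left via the ISP or delivered on-link
        if current == VPN_PEER:
            return hops, True           # outer packet sent back to the tunnel host: loop
        current = VPN_PEER
    return hops, True


def ip_route_commands(routes):
    """Assumed Linux equivalent of the router's static routes (iproute2 syntax)."""
    return [f"ip route add {net} via {nh}" for net, nh in routes if nh is not None]


if __name__ == "__main__":
    for label, table in (("vpn+exception", build_routes(True)),
                         ("vpn, no exception", build_routes(True, peer_exception=False)),
                         ("no default via vpn", build_routes(False))):
        hops, looped = trace(table, "198.51.100.25")
        print(f"{label}: loop={looped} path={hops}")
    print("\n".join(ip_route_commands(build_routes(True))))
```

On Linux the equivalent of Internet Connection Sharing on the tunnel host is enabling IP forwarding (`net.ipv4.ip_forward=1`) plus a masquerade rule on the tunnel interface; the simulation above only covers the router's side, which is where a missing host route for the peer turns the 0.0.0.0/0 route into a loop.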
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug