LinuxQuestions.org
Old 03-31-2017, 08:25 PM   #1
JohnLocke
Connect to VPN client by public IP?


I'm not quite sure where to start on this one so I'll just give my setup and ask how to get where I want to go.

I have an Ubuntu 16.04 server sitting on my home network. It's kind of my "everything" server. It automates some processes in the house, serves up mythtv, is a web server, a semi-public games server, is a bit of a dev box, etc. Now, I'd like this server to be behind a VPN for outgoing processes (automatic nightly searches it does), but still want to leave it open to connect to from its public IP and I'd rather /those/ connections didn't go through the VPN (latency / no need for it).

I have my router forwarding the necessary ports (80, 443, game ports, etc) and when the vpn client isn't turned on, everything works from my dynamic domain name, say, mydomain.com. I go there from an external network and am served up the various services I want. Perfect.

Once I'm connected as a client via openVPN, all my services still work perfectly even if I use the public dynamic domain name as long as I'm on the local network. Traceroute responds that the public IP is the route to the host.

If I try to connect from an external network, though, nothing connects and there's no route to mydomain.com.

Now I /suspect/ this is something to do with looped routing or with the VPN client turning off acceptance of connections that aren't coming through the VPN, but I'm not even 100% sure how to check that (iptables doesn't change and has almost nothing in it regardless of my connection through openVPN or not).

So I'm not interested in port forwarding through the VPN itself ... again, that introduces too much lag for the game server and isn't necessary for incoming connections. I know I'll have to do it that way if I ever decide to hook up the router itself as the VPN client, but for now I just want the outgoing connections to be going through the VPN.

Seems like this should be possible, but I'm not sure how to check what's going wrong or where the route is getting rejected. DNS still resolves to my network's public IP, of course, and port forwarding remains turned on in my router, so I'm relatively sure that the traffic is being forwarded to the server but likely being blocked or denied there somehow.
 
Old 04-01-2017, 11:35 AM   #2
Rickkkk
Hey JohnLocke,

There are members here much more experienced in VPN than myself, so hopefully they will chime in.

It seems to me the crux could be the use of the dynamic domain service. This is associated with your internet-facing IP address and these services usually update themselves based on some schedule set up on the user's router. I'm not sure how this would react to a VPN service ... You are essentially appearing as another IP address on the Internet when using such a service and perhaps your dynamic domain setup cannot handle that.

Perhaps what you are looking for is a way for the VPN tunnel to include certain protocols (ports) but not others? Assuming you are using OpenVPN on your server, you may be able to dig around and see if it can be granularly configured in such a way ... Again, I'm throwing this out for the sake of idea generation, here - I'm a bit out of my depth.
 
Old 04-01-2017, 12:22 PM   #3
JohnLocke
Good thoughts. I know that port forwarding via the VPN /would/ be an option to simply connect, but it'll introduce far too much latency to connect that way.

As to the dynamic domain service, I ruled that out in two ways. 1) DDNS is set up on the router, and the router's IP isn't going through the VPN so it remains on my network's "actual" public IP. 2) I can use the public IP directly and get the same result.

I did even try using the VPN IP, but of course, without port forwarding on the VPN server, that doesn't work either (and it's not the route that'll work for me).

So what I know I have is a public IP / domain name that remains the same to get onto my local network. The server is behind that IP, but VPN'd as a client out through a tunnel. Of course, its network card is still on the local network and /can/ receive all traffic and ports locally through its local network IP (the 192.168.1 network). What's /not/ working is the traffic that comes from external to the local network connecting to that server. If I turn off the VPN client on the server, that traffic connects fine, so port forwarding on the routing going to that server on the local network is also working fine.

I have /no/ idea why I can connect locally, but port forwarding from an external domain isn't working.
 
Old 04-04-2017, 11:00 AM   #4
sundialsvcs
When you set up the OpenVPN client, you can stipulate whether or not you want "all traffic" to be routed through the tunnel.

If you do not choose to do this, then only traffic destined for the remote subnets, and/or to the server (and perhaps, other directly connected client) by means of the special 10.8.0.x subnet, will be routed through the tunnel.

You can see this by printing the routes and noting which ones are sent through the utunX virtual device. (That's the portal to the OpenVPN process.)

"Port forwarding" is used to cause UDP/1192 traffic coming in from the outside to be sent to the proper IP-address on your internal network. (You should cause your router to give this machine a known IP, based on its MAC address, and then specify this IP in the port-forwarding specification.) It has nothing to do with outbound traffic, which is NATted by your router.

You also don't need dynamic-DNS.

Last edited by sundialsvcs; 04-04-2017 at 11:03 AM.
 
Old 04-04-2017, 03:33 PM   #5
JohnLocke
Quote:
Originally Posted by sundialsvcs
When you set up the OpenVPN client, you can stipulate whether or not you want "all traffic" to be routed through the tunnel.
So this is part of my question. I haven't figured out how to set that up and then how to test that outbound traffic (traffic that originates on the server locally) is going through the tunnel. I don't control the VPN server, but I tried "route-nopull" and while I'm able to connect this way (from outside in and inside out), I can go to various dnsleak sites and verify that I'm using a whole bunch of DNS servers, so I presume that my outbound traffic isn't actually using the VPN.

Quote:
Originally Posted by sundialsvcs
If you do not choose to do this, then only traffic destined for the remote subnets, and/or to the server (and perhaps, other directly connected client) by means of the special 10.8.0.x subnet, will be routed through the tunnel.
And here one thing I don't get is that this seems true enough except for traffic that originates on the 192.168 network. That connects to the box just fine whether or not. I'll add to this by asking about the routing tables that are different between nopull and pull.

Quote:
Originally Posted by sundialsvcs
"Port forwarding" is used to cause UDP/1192 traffic coming in from the outside to be sent to the proper IP-address on your internal network. (You should cause your router to give this machine a known IP, based on its MAC address, and then specify this IP in the port-forwarding specification.) It has nothing to do with outbound traffic, which is NATted by your router.
Yes, I do have the server set up with an assigned IP and this is what's specified in the port forwarding tables. For example, the server is at 192.168.1.2, and I have port 80 forwarded to 192.168.1.2:80 for the web server. This works perfectly fine when the tunnel is not on. But when I turn the tunnel on (with the full routing pull), then anything directed through the router from external (via the public IP) does not connect to the server. Presumably because it's dropped on the floor at the server because of the routing table.

Quote:
Originally Posted by sundialsvcs
You also don't need dynamic-DNS.
I do realize that dynamic dns isn't needed to make this setup work. I have it because comcast changes my public IP frequently and I want to be able to connect reliably from outside the network to this server. For this discussion, we could ignore that it's dynamic dns and just say it's the public IP itself (pretend it's static) or that it's the domain name that's pointed at my public IP (not the tunneled IP, of course).

So on to the routing table question if that's how we figure this out. My default routing table looks like this:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 p5p1
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 p5p1
So obviously anything on the 192.168.1 network isn't being sent through a gateway and is using my "regular" ethernet device, and the 10.8 network on tun0 is my openvpn server (I'm also hosting a vpn server on this machine which I don't think is related to this discussion and has a longer explanation as to why I'd have it ... having it on or off doesn't impact the problem I'm talking about). And then there's the default left over at 192.168.1.1. Fine. This one makes enough sense to puzzle out to me.

If I pull the routing down from the public VPN, though, I get this:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.41.10.5      128.0.0.0       UG    0      0        0 tun1
default         192.168.1.1     0.0.0.0         UG    0      0        0 p5p1
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.41.10.1      10.41.10.5      255.255.255.255 UGH   0      0        0 tun1
10.41.10.5      *               255.255.255.255 UH    0      0        0 tun1
104.207.136.115 192.168.1.1     255.255.255.255 UGH   0      0        0 p5p1
128.0.0.0       10.41.10.5      128.0.0.0       UG    0      0        0 tun1
192.168.1.0     *               255.255.255.0   U     0      0        0 p5p1
So they're using device tun1, add a second default, give me (I think) a different public IP (of course, but no port forwarding there and I don't want to use the tunnel for inbound, so whatever) and operate on the 10.41.10 network themselves. All fine. I do see, I think, why local traffic still connects ... the last line there allows connections through p5p1 if it's already on the local network.

But I'm still not sure how to get the mix that I want. That traffic originating on the server and headed to the WAN goes through the tunnel, but traffic originating anywhere that's headed to the server goes through the normal comcast public IP. If I don't pull their network settings, I keep the same original route with one addition:
Code:
10.52.10.5      *               255.255.255.255 UH    0      0        0 tun1
So it wouldn't appear that the tunnel is being forced at all, and in fact, as mentioned, when I go to dnsleak.com or anything, I find the normal many, many DNS servers (both the VPN ones and the google ones declared by my own router / gateway).

I know I don't have a complete understanding of the config settings for the openvpn client config file, but I haven't found something that locks me into the tunnel for outbound, but allows inbound outside of the tunnel.
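An added illustration (not from anyone in this thread) of why the pulled routing table above breaks inbound connections, and of the source-based policy routing that gives the mix asked for. It reproduces JohnLocke's pulled table and applies the kernel's longest-prefix match: the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) are more specific than the /0 default, so a reply to an external client is sent out tun1 even though the request arrived on p5p1. The second table simulates `ip rule add from 192.168.1.2 table 100` plus `ip route add default via 192.168.1.1 dev p5p1 table 100`; the client address 203.0.113.7 and the table number are constructed for the example.

```python
import ipaddress

# JohnLocke's routing table after pulling the VPN's routes:
# (destination, genmask, gateway or None if on-link, interface).
PULLED_ROUTES = [
    ("0.0.0.0",         "128.0.0.0",       "10.41.10.5",  "tun1"),
    ("0.0.0.0",         "0.0.0.0",         "192.168.1.1", "p5p1"),
    ("10.8.0.0",        "255.255.255.0",   "10.8.0.2",    "tun0"),
    ("10.8.0.2",        "255.255.255.255", None,          "tun0"),
    ("10.41.10.1",      "255.255.255.255", "10.41.10.5",  "tun1"),
    ("10.41.10.5",      "255.255.255.255", None,          "tun1"),
    ("104.207.136.115", "255.255.255.255", "192.168.1.1", "p5p1"),
    ("128.0.0.0",       "128.0.0.0",       "10.41.10.5",  "tun1"),
    ("192.168.1.0",     "255.255.255.0",   None,          "p5p1"),
]

# Constructed table 100: everything from the LAN address leaves via the router.
LAN_ONLY_TABLE = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1", "p5p1"),
    ("192.168.1.0", "255.255.255.0", None,          "p5p1"),
]

# Policy rules: (source address, table consulted before the main table).
RULES = [("192.168.1.2", LAN_ONLY_TABLE)]


def lookup(routes, dst):
    """Longest-prefix match within one table; returns (gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for network, mask, gw, dev in routes:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def route(src, dst):
    """Rule lookup keyed on the packet's source, then fall back to the main table.
    Replies to inbound connections carry 192.168.1.2 as source and hit table 100;
    traffic the server originates picks the tun1 address as source and stays in the tunnel."""
    for rule_src, table in RULES:
        if ipaddress.ip_address(src) == ipaddress.ip_address(rule_src):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return lookup(PULLED_ROUTES, dst)


if __name__ == "__main__":
    print("reply to external client, main table only:", lookup(PULLED_ROUTES, "203.0.113.7"))
    print("reply to external client, with rule:      ", route("192.168.1.2", "203.0.113.7"))
    print("server-originated traffic, with rule:     ", route("10.41.10.5", "203.0.113.7"))
```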
 