LinuxQuestions.org, Linux - Networking forum
Old 05-23-2016, 10:46 PM   #1
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
OpenVPN as a portal to a secure subnet on a machine with two NICs


I have a cloud-server network of several (virtual) machines, each with two (virtual) NICs: one which faces a network that is bridged to "the outside world," and a second which is accessible only to the VMs themselves. Each network uses a separate range of IP addresses.

I would like to regard the first network as "demilitarized zone (DMZ)," and the second as more secure. I would like for an OpenVPN server, hosted by one of the machines, to be the only publicly-accessible avenue to the second network.

In other words: a DNAT-rule in the "edge network" will transfer traffic, by means of the first ("DMZ") network, to the OpenVPN server, which should allow that traffic to emerge into a range of IP-addresses on the second ("sanctum sanctorum") network. (Which has no need to access "the outside world," nor "the Internet.")

I can set up static-routing rules on both networks as I may need to, and I have already set up several successful OpenVPNs involving machines with one NIC, but I'm at-the-moment having a little trouble visualizing just how to do "what I now have in mind."
 
Old 05-24-2016, 06:14 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
SSH?

I am posting here mostly to get subscribed to see the replies about OpenVPN.

However, depending on what you need, you might be able to get away with OpenSSH alone instead of OpenVPN, by messing with the client's configuration file, usually ~/.ssh/config. There you can put shortcuts for the two machines, including a hop via the DMZ to get to the sanctum sanctorum:

Code:
# Hop 1: the DMZ host, reached directly from the outside.
Host dmz
        Hostname server.example.org
        User sundialsvcs
        IdentityFile /home/sundialsvcs/.ssh/machine1_e25519
        IdentitiesOnly yes
        Port 22

# Hop 2: the inner host, reachable only through "dmz". ssh -W asks the DMZ
# sshd for a TCP forward to %h:%p (the inner address and port), and the second
# SSH session runs end-to-end encrypted inside that forward.
Host sanctum
        Hostname 192.168.15.21
        User sundialsvcs
        IdentityFile /home/sundialsvcs/.ssh/machine2_e25519
        IdentitiesOnly yes
        Port 22
        ProxyCommand ssh -W %h:%p dmz

Thus you can reach the inner machine easily with the shortcut ssh sanctum

This works for port forwarding, too, so if you are testing services you can connect to them as localhost.

Last edited by Turbocapitalist; 05-24-2016 at 06:15 AM.
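If the SSH route were taken, the piece a practitioner would add is on the DMZ host itself: the hop account should be able to forward to the inner sshd and nothing else, so a stolen jump key yields a TCP forward to one address, not a shell on the DMZ box. The following is an added example, not part of the reply above; it generates that sshd_config Match block plus a client config using ProxyJump (the OpenSSH 7.3+ shorthand for "ProxyCommand ssh -W %h:%p"), and lints the client config. The user name, host name and inner address follow the reply; the key file names and everything else are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names from the reply; key paths assumed.
JUMP_USER=sundialsvcs
DMZ_HOST=server.example.org
INNER_HOST=192.168.15.21

# sshd_config Match block for the DMZ host (append to /etc/ssh/sshd_config and
# run "sshd -t" before reloading). ssh -W / ProxyJump open a direct-tcpip
# channel and never request a session, so PermitTTY no and ForceCommand do not
# break the hop; they only close the door to interactive use of the account.
# PermitOpen restricts the forward to the inner sshd alone.
gen_bastion_match() {
  cat <<EOF
Match User $JUMP_USER
    AllowTcpForwarding yes
    PermitOpen $INNER_HOST:22
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PasswordAuthentication no
EOF
}

# Client-side ~/.ssh/config. IdentitiesOnly stops ssh-agent from offering every
# loaded key to each hop, which would leak key fingerprints to the DMZ host.
gen_client_config() {
  cat <<EOF
Host dmz
    Hostname $DMZ_HOST
    User $JUMP_USER
    IdentityFile ~/.ssh/machine1_ed25519
    IdentitiesOnly yes

Host sanctum
    Hostname $INNER_HOST
    User $JUMP_USER
    IdentityFile ~/.ssh/machine2_ed25519
    IdentitiesOnly yes
    ProxyJump dmz
EOF
}

# Lint a client config: the sanctum entry must go through a jump hop, and both
# hops must set IdentitiesOnly. Returns 0 when both hold.
check_client_config() {
  f=$1; rc=0
  awk '/^Host /{s=($2=="sanctum")} s && /ProxyJump|ProxyCommand/{found=1} END{exit !found}' "$f" \
    || { echo "$f: Host sanctum has no ProxyJump/ProxyCommand hop" >&2; rc=1; }
  [ "$(grep -c 'IdentitiesOnly yes' "$f")" -eq 2 ] \
    || { echo "$f: IdentitiesOnly missing on a hop" >&2; rc=1; }
  return $rc
}

# Stand-alone run: write both files to a scratch directory.
OUT=${OUT:-$(mktemp -d)}
gen_bastion_match > "$OUT/sshd_match.conf"
gen_client_config > "$OUT/ssh_config"
check_client_config "$OUT/ssh_config" && echo "wrote $OUT/sshd_match.conf and $OUT/ssh_config"
```

The Match block must be the last thing in sshd_config (or be followed only by other Match blocks), since everything after a Match line belongs to it. Port forwarding through the chain still works for testing inner services, e.g. ssh -L 8080:localhost:8080 sanctum, because that forward is opened on the inner host, not on the DMZ one.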
 
Old 05-24-2016, 09:06 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Thank you for the kind suggestion, but, "in this case, 'no.'" The solution must be OpenVPN.

And, I know that it can do it, because I've done a similar thing (recently) before ... recently enough to remember how. The only twist in this case, that I haven't quite wrapped my sleepy-head around quite yet, is: "two NICs."

- - - - -

Well, on my third cup of coffee ... I looked over my notes from my previous OpenVPN work, and saw e.g. that https://community.openvpn.net/openvp...gingAndRouting describes a setup exactly like the one I've got to set up: two NICs. Last time, I had to set up "OpenVPN not running on the default network," as also well-described on that page.

Time to start the coffee-maker again.

Last edited by sundialsvcs; 05-24-2016 at 10:31 AM.
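The design from the first post (edge DNAT to the portal's DMZ address, OpenVPN as the only door into the inner subnet, the inner subnet never routed out) together with the "not running on the default network" twist from the third post, worked through as an added example. It is not from the thread or from the OpenVPN project; all addresses, interface names, the edge router being Linux with nftables, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVPN project. Assumed addressing:
#   portal host, DMZ NIC:    eth0 = 10.0.1.10/24   (edge router DNATs 1194/udp here)
#   portal host, inner NIC:  eth1 = 192.168.15.10/24
#   inner subnet:            192.168.15.0/24, no route to the Internet
#   VPN tunnel subnet:       10.8.0.0/24
DMZ_IF=eth0;   DMZ_IP=10.0.1.10
INNER_IF=eth1; INNER_IP=192.168.15.10
INNER_NET=192.168.15.0; INNER_MASK=255.255.255.0
TUN_NET=10.8.0.0;       TUN_MASK=255.255.255.0

# server.conf for the portal: "local" pins OpenVPN to the DMZ address instead of
# 0.0.0.0 (the "not on the default network" setting), clients are pushed a route
# to the inner subnet, and redirect-gateway is deliberately absent so the VPN
# never becomes the client's path to the Internet.
gen_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
local $DMZ_IP
server $TUN_NET $TUN_MASK
topology subnet
push "route $INNER_NET $INNER_MASK"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt tc.key
keepalive 10 60
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# nftables ruleset for the portal. Forwarding is drop-by-default; the only
# transit allowed is tun -> inner subnet plus its return traffic, so a VPN
# client cannot bounce through the portal to the DMZ or the Internet, and
# nothing originating on the inner side is ever forwarded out. The host's own
# sshd is reachable from the inner NIC only.
gen_nft_rules() {
  cat <<EOF
table inet vpnportal {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    iifname "$DMZ_IF" udp dport 1194 accept
    iifname "$INNER_IF" tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "tun0" oifname "$INNER_IF" ip daddr $INNER_NET/24 accept
  }
}
EOF
}

# Return path: every inner host needs a route for the tunnel subnet via the
# portal's inner address, otherwise replies to VPN clients head for a default
# gateway that does not exist on that network.
gen_inner_return_route() {
  echo "ip route add $TUN_NET/24 via $INNER_IP"
}

# Edge router (assumed Linux with nftables, outside NIC "ext0"): the DNAT that
# delivers inbound OpenVPN traffic to the DMZ address.
gen_edge_dnat() {
  echo "nft add rule ip nat prerouting iifname \"ext0\" udp dport 1194 dnat to $DMZ_IP"
}

# Lint a server.conf against this design: it must bind to one address, must push
# the inner route, and must not push redirect-gateway. Returns 0 when all hold.
check_server_conf() {
  f=$1; rc=0
  grep -q "^local " "$f" \
    || { echo "$f: no 'local' line, OpenVPN would listen on every NIC" >&2; rc=1; }
  grep -q "^push \"route $INNER_NET " "$f" \
    || { echo "$f: route to $INNER_NET is not pushed" >&2; rc=1; }
  if grep -q "redirect-gateway" "$f"; then
    echo "$f: redirect-gateway would pull client Internet traffic into a dead end" >&2; rc=1
  fi
  return $rc
}

# Stand-alone run: write the generated pieces to a scratch directory.
OUT=${OUT:-$(mktemp -d)}
gen_server_conf > "$OUT/server.conf"
gen_nft_rules > "$OUT/vpnportal.nft"
{ gen_inner_return_route; gen_edge_dnat; } > "$OUT/peer-commands.sh"
check_server_conf "$OUT/server.conf" && echo "wrote server.conf, vpnportal.nft, peer-commands.sh in $OUT"
```

Two caveats on the two-NIC host. First, "local" only chooses the listening address; the kernel still picks the egress NIC for the UDP replies from the routing table, so the portal's default route must leave via the DMZ gateway (or, if it does not, a policy rule of the form ip rule add from 10.0.1.10 lookup <table> with a default route out of eth0 in that table is needed). Second, the static return route on the inner hosts can be replaced by masquerading tun traffic behind 192.168.15.10 on the portal, but then inner-side logs see every VPN client as the portal, which is exactly the attribution you want to keep on a network this sensitive.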
 
  

