Using VPN selectively?

fortknox · 01-26-2010, 12:05 PM

Sorry, this may be a newbie question (and if so, feel free to move it to the newbie forum):

I am running Ubuntu Karmic. I can VPN into my client's site, no problem. After I VPN in, I use noMachine to get to my desktop machine there, and that is where I do my work. I have all of this running, no issues.

Now, I want to connect to VPN but -only- use it for the nomachine connection, nothing else. But when I use VPN it takes over the entire network. (Basically, I want to avoid the client internet proxy and be able to use other ports for stuff around the house).

I'm alright with linux and using config files and such, but am -not- a networking guy, so I get lost in some of the howto's I've read. Is there a quick and easy way to do this?

Thanks!

ozanbaba · 01-26-2010, 01:13 PM

ip ranges and subnet masks. you need to create two different network, one for VPN (you can't change the configuration, right. in the end it's the work network) and one for home network (internet and such).

i did look into it some time ago for my home network. it goes roughy as like this: configure the router for using different subnetmesk and ip range. configure the computer to use one network for noMachine, one network for rest. i gave up at one point as my sh++y smc router can not be configured for using too much different works.

and i can't find the how-to about it. ahhh.

and by the way, what's your VPN system?

ilikejam · 01-26-2010, 02:11 PM

Hi.

There's two hoops to jump through:
1) Routes
2) DNS

Routes:
Start your VPN connection, the run 'route'. Here's what mine looks like

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xx.xx   192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
10.254.202.96   *               255.255.255.224 U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         *               0.0.0.0         U     0      0        0 tun0

That 'default' line is what routes all your traffic down the VPN (tun0), so you need to get rid of it. Doing that will mean that /nothing/ gets routed down the VPN or your Internet connection though, so you need to replace it with a rule for the VPN, and a rule for the Internet. My work's network is all 10.0.0.0 addresses (and there should be no 10.0.0.0 network addresses on the public Internet), so I add a route for 10.0.0.0/8 through tun0 (the VPN), and then add a default route for everything else through my Internet connection (eth0)

Code:

route del default
route add -net 10.0.0.0/8 tun0
route add default gw 192.168.0.1 eth0

(192.168.0.1 is my home ADSL router).
That's the routing taken care of. See if you can ping an IP on your work network, and an IP on the Internet.

DNS:
While the VPN is still open, and you've done the above, see if you can ping google.com . If you get an 'unknown host google.com', then read on, otherwise that should be you good to go.

Your VPN client will have replaced your normal internet DNS servers with its own DNS. Since you're VPN'ing into a firewalled network, it's likely that the VPN DNS server won't resolve Internet addresses, so you'll have to fix that. Close the VPN connection, if you haven't already, and copy /etc/resolv.conf to /etc/resolv.conf.home . Then start the VPN connection again and copy /etc/resolv.conf.home over the top of /etc/resolv.conf and you should be able to resolve Internet addresses again. Unfortunately, you won't be able to resolve addresses for your work network any more, so you'll have to use IP addresses to get to your desktop machine etc (or you can add addresses and names to /etc/hosts).

Post your 'route' outputs before and after connecting if you can't get it to work and we'll see if there's any tweaks that need to be made to the routes.

N.B. Doing all of this may well be a violation of the security policy for the network - you're basically putting an Internet facing machine into a firewalled network, and the network admins probably won't like that. Tread carefully.

Dave

fortknox · 01-26-2010, 03:22 PM

ilikejam, that is perfect. Figured it out without any trouble from your example. Even simplified it, since I'm using gnome's built in vpn configuration. I just enabled "Use this connections for only this resource" in the VPN configuration (that never worked for me in the past), and then added a route to point to my work machine through the tunnel, and everything worked exactly like I wanted!

Thanks!

FYI - you mention that the network admins probably won't like it. However, I only use this when I'm home sick, which is a rarity. Having said that, I can't imagine this is something they'll notice or be able to monitor, correct?

ilikejam · 01-26-2010, 03:32 PM

Hi.

Yeah, it's unlikely that your Comms would be able to detect this sort of setup, so I wouldn't be too worried about it. That said, if they hunt you down and beat you to death with a hardback copy of 'The Practice of System and Network Administration, Second Edition', we never had this conversation.

Have fun.

Dave