LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   how to reach internal VPN nodes from WAN ? (https://www.linuxquestions.org/questions/linux-software-2/how-to-reach-internal-vpn-nodes-from-wan-4175608074/)

pisti 06-17-2017 09:12 AM

how to reach internal VPN nodes from WAN ?
 
How do I reach, from a VPN client outside on the web, my machines inside a VPN beyond the first node 10.8.0.1? The other nodes are also connected via VPN to 10.8.0.1 and themselves use 10.8.0.6 and 10.8.0.10 and so on. All nodes in the VPN are geographically quite separated and hence don't share physical subnets. All nodes use Slackware 14.2 and OpenVPN 2.4.1.

Specifically, how can I reach from the VPN client via SSH (after connecting the client with VPN to 10.8.0.1) directly the other remaining nodes in the VPN, without going through the 10.8.0.1 node at the VPN front? Evidently the client for now can't ping those other nodes, except for the entry node 10.8.0.1. How do I need to configure the server.conf file to 'shortcut' and go around that first node?

Or do I need to adjust other files for that?

wpeckham 06-17-2017 09:35 AM

It will depend on how the networking was set up for this VPN. If the VPN was intended only for all satellite nodes to connect to that ONE, you may not be able to go directly from your node to any other.

Check your routing: if the route is for the entire subnet AND the remote nodes are configured the same AND the master node they all connect to is forwarding and can act as a gateway, it MAY be possible.

That is a LOT of conditions.
Assume it will not work to go direct. Have you any problem going to the master node and from there to the client node you desire? There are several ways to 'automate' the connection so it appears as if you were going direct, but you are really either using a session forward or a network forward using the sshd service on the master.

pisti 06-17-2017 12:23 PM

Thank you for your input, wpeckham.

The reason why we want to access the VPN satellite nodes (V1, V2, ...) directly from an external client C is that SSH tunnels from C to Vx need to be in place for subsequent VNC sessions, with TigerVNC screen servers running on V1 (V2, ...) and the VNC viewer running on C, which I assume is easier done this direct way.

Just to clarify: access to this VPN is only possible through the VPN server V0, while the satellite nodes V1 (V2, ...) are permanently connected to V0 using VPN.

It seems to me that some form of routing/forwarding (configured and enabled on the VPN main node V0, a gateway in this respect) needs to be in place, unless you or others suggest differently. Now, all this is new land for me and I am at the moment somewhat puzzled how to implement such, though I am sure we are not alone with such a plan.

Routing table:
Code:

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         AAA.BBB.CCC.1   0.0.0.0         UG    202    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
AAA.BBB.CCC.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0

And here the server.conf file:
Code:

grep -v "^#" /etc/openvpn/server.conf | grep -v "^;" | sed "/^$/d"

port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/certs/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 0
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
askpass /root/password.ovpn
auth-nocache
daemon


wpeckham 06-17-2017 01:13 PM

Ok. Based upon that it MIGHT work. I take it that you have a node at AAA.BBB.CCC.6 that is one of those you want to reach. Have you tried to ping that node?

pisti 06-17-2017 01:24 PM

OK, problem solved, simply by linking two SSH tunnels:

1) Build a first permanent SSH tunnel for a given PORT number Px from satellite VPN node Vx to main VPN node V0.

2) Fire up a temporary VPN tunnel from client C to VPN portal node V0.

3) Fire up a temporary second SSH tunnel for the very same PORT Px from VPN node V0 to client C.

4) Start VNC viewer on client C for PORT Px.

That's it - works smoothly...
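
The four steps above, written out as commands, as an added example that is not the poster's own script. It assumes things the post does not state: that the VNC server on Vx listens on 127.0.0.1:5901, that the same port number Px is reused on every hop, that the hub V0 is reached as 10.8.0.1 over the VPN, and an account named `ops` on V0 and Vx. The ProxyJump variant at the end goes beyond the post: it is what becomes possible once V0 itself forwards traffic to the satellites (client-to-client or kernel forwarding on V0), and needs no standing tunnel from Vx.

```shell
#!/bin/sh
# Added example, not the poster's commands: the chained SSH forward of
# steps 1-4 through the OpenVPN hub V0 (10.8.0.1). Assumptions not in the
# thread: VNC listens on 127.0.0.1:5901 on Vx, one port number on every
# hop, and an account 'ops' on V0 and Vx.
VNC_PORT="${VNC_PORT:-5901}"
HUB="${HUB:-10.8.0.1}"
SSH_USER="${SSH_USER:-ops}"

# Step 1, run on the satellite Vx and kept up (under autossh or a respawning
# inittab entry): a remote forward, so 127.0.0.1:$VNC_PORT on V0 leads back
# to the VNC server on Vx. Binding to 127.0.0.1 keeps the port off V0's
# other interfaces; -N opens no shell; ExitOnForwardFailure makes a port
# clash on V0 fail loudly instead of leaving a tunnel that forwards nothing.
satellite_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$VNC_PORT" "$VNC_PORT" "$SSH_USER" "$HUB"
}

# Step 3, run on client C once the OpenVPN tunnel to V0 (step 2) is up:
# a local forward onto the loopback port that step 1 exposed on V0.
client_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$VNC_PORT" "$VNC_PORT" "$SSH_USER" "$HUB"
}

# Step 4: the viewer talks only to the local end of the chain.
viewer_cmd() {
    printf 'vncviewer 127.0.0.1:%s\n' "$VNC_PORT"
}

# Alternative once V0 can forward to the satellites: one SSH session from C
# through V0 to Vx ($1), so the VNC bytes are never in the clear on V0.
# -J needs OpenSSH 7.3 or newer on C; older clients can use
# -o ProxyCommand='ssh -W %h:%p ops@10.8.0.1' instead.
jump_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -J %s@%s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$SSH_USER" "$HUB" "$VNC_PORT" "$VNC_PORT" "$SSH_USER" "$1"
}

case "${1:-show}" in
    satellite) exec $(satellite_cmd) ;;
    client)    exec $(client_cmd) ;;
    viewer)    exec $(viewer_cmd) ;;
    jump)      [ -n "$2" ] || { echo "usage: $0 jump <satellite-ip>" >&2; exit 2; }
               exec $(jump_cmd "$2") ;;
    *)         echo "# on Vx (step 1):"; satellite_cmd
               echo "# on C, after the VPN is up (steps 3 and 4):"; client_cmd; viewer_cmd
               echo "# or, once V0 forwards to the satellites, one hop from C:"; jump_cmd 10.8.0.6 ;;
esac
```

Two things to keep in mind with the chained version: the port step 1 opens on V0's loopback is reachable by every local user on V0, so only VNC's own authentication stands between them and the screen on Vx; and the VNC stream is decrypted on V0 between the two SSH sessions, since each hop is a separate SSH connection. The single-hop ProxyJump form avoids both, which is one more reason to enable forwarding on V0 rather than stop at the tunnel chain.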

pisti 06-17-2017 01:28 PM

You are right, I still can't ping 10.8.0.6 (or any of the VPN satellites Vx) from client C - but it doesn't matter.

As described before, linking two SSH tunnels for a given port number via VPN node V0 works fine. Thanks for your replies!

