LinuxQuestions.org
Old 06-17-2017, 09:12 AM   #1
pisti
Member
 
Registered: Jul 2006
Location: Montréal, Canada
Distribution: Slackware since v1.00
Posts: 175

Rep: Reputation: 18
How to reach internal VPN nodes from WAN?


How do I reach, from a VPN client outside on the web, my machines inside a VPN beyond the first node 10.8.0.1? The other nodes are also connected via VPN to 10.8.0.1 and themselves use 10.8.0.6 and 10.8.0.10 and so on... All nodes in the VPN are geographically quite separated and hence don't share physical subnets. All nodes use Slackware 14.2 and OpenVPN 2.4.1.

Specifically, how can I reach from the VPN client via SSH - after connecting the client with VPN to 10.8.0.1 - directly the other remaining nodes in the VPN, without going through the 10.8.0.1 node at the VPN front? Evidently the client for now can't ping those other nodes, except for the entry node 10.8.0.1. How do I need to configure the server.conf file to 'shortcut' and go around that first node?

Or do I need to adjust other files for that?
 
Old 06-17-2017, 09:35 AM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,793

Rep: Reputation: 1710
It will depend on how the networking was set up for this VPN. If the VPN was intended only for all satellite nodes to connect to that ONE, you may not be able to go directly from your node to any other.

Check your routing: if the route is for the entire subnet AND the remote nodes are configured the same AND the master node they all connect to is forwarding and can act as a gateway, it MAY be possible.

That is a LOT of conditions.
Assuming it will not work to go direct: have you any problem going to the master node and from there to the client node you desire? There are several ways to 'automate' the connection so it appears as if you were going direct, but you are really either using a session forward or a network forward using the sshd service on the master.
 
Old 06-17-2017, 12:23 PM   #3
pisti
Member
 
Registered: Jul 2006
Location: Montréal, Canada
Distribution: Slackware since v1.00
Posts: 175

Original Poster
Rep: Reputation: 18
Thank you for your input, wpeckham.

The reason why we want to access the VPN satellite nodes (V1, V2, ...) directly from an external client C is that SSH tunnels from C to Vx need to be in place for subsequent VNC sessions, with TigerVNC screen servers running on V1 (V2, ...) and the VNC viewer running on C - which I assume is easier done this direct way.

Just to clarify: access to this VPN is only possible through the VPN server V0, while the satellite nodes V1 (V2, ...) are permanently connected to V0 using VPN.

It seems to me that some form of routing/forwarding (configured and enabled on VPN main node V0, a gateway in this respect) needs to be in place - unless you or others suggest differently. Now, all this is new ground for me and I am at the moment somewhat puzzled how to implement it - though I am sure we are not alone with such a plan.

Routing table:
Code:
route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         AAA.BBB.CCC.1   0.0.0.0         UG    202    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
AAA.BBB.CCC.0   0.0.0.0         255.255.255.0   U     202    0        0 eth0
And here the server.conf file:
Code:
grep -v "^#" /etc/openvpn/server.conf | grep -v "^;" | sed "/^$/d"

port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/certs/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt 0
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
askpass /root/password.ovpn
auth-nocache
daemon
 
Old 06-17-2017, 01:13 PM   #4
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,793

Rep: Reputation: 1710
Ok. Based upon that it MIGHT work. I take it that you have a node at AAA.BBB.CCC.6 that is one of those you want to reach. Have you tried to ping that node?
 
Old 06-17-2017, 01:24 PM   #5
pisti
Member
 
Registered: Jul 2006
Location: Montréal, Canada
Distribution: Slackware since v1.00
Posts: 175

Original Poster
Rep: Reputation: 18
OK, problem solved, simply by linking two SSH tunnels:

1) Build a first permanent SSH tunnel for a given port number Px from satellite VPN node Vx to main VPN node V0.

2) Fire up a temporary VPN tunnel from client C to VPN portal node V0.

3) Fire up a temporary second SSH tunnel for the very same port Px from VPN node V0 to client C.

4) Start VNC viewer on client C for port Px.

That's it - works smoothly...
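The tunnel chain from steps 1 to 4 above, as an added shell example that is not from the thread or any of its posters; it assumes V0 is 10.8.0.1 as stated earlier, while the SSH account name and VNC display number are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the two-hop SSH tunnel chain of post #5,
# with every hop bound to loopback so port Px never listens on a public address.
# Assumptions: V0 is 10.8.0.1 (from the thread); account and display are placeholders.
V0="${V0:-10.8.0.1}"
V0_USER="${V0_USER:-vpnadmin}"              # placeholder account on V0
VNC_DISPLAY="${VNC_DISPLAY:-1}"             # TigerVNC :1 on Vx listens on 5901
PX="${PX:-$((5900 + VNC_DISPLAY))}"         # the one port number carried end to end

# Step 1, run on satellite Vx: permanent reverse tunnel to V0. autossh restarts it
# when the VPN link flaps; ExitOnForwardFailure refuses to run half-connected.
step1_vx_reverse_cmd() {
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$PX" "$PX" "$V0_USER" "$V0"
}

# Step 3, run on client C once its OpenVPN session to V0 (step 2) is up: forward
# C's loopback port Px to V0's loopback, where the step 1 listener is waiting.
step3_c_forward_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$PX" "$PX" "$V0_USER" "$V0"
}

# Step 4, run on C: TigerVNC's host::port form; the viewer only ever talks to
# C's loopback, and the VNC stream travels inside the two SSH sessions.
step4_viewer_cmd() {
    printf 'vncviewer 127.0.0.1::%s\n' "$PX"
}

# With no argument, print the three commands; with 1, 3 or 4, execute that step.
main() {
    case "${1:-}" in
        1) eval "$(step1_vx_reverse_cmd)" ;;
        3) eval "$(step3_c_forward_cmd)" ;;
        4) eval "$(step4_viewer_cmd)" ;;
        *) step1_vx_reverse_cmd; step3_c_forward_cmd; step4_viewer_cmd ;;
    esac
}
main "$@"
```

Each hop binds to 127.0.0.1, so Px is reachable only through the two SSH sessions. OpenVPN's `client-to-client` directive would let C reach Vx directly instead, but it also makes every VPN client reachable from every other one and routes that traffic inside OpenVPN, past the server's iptables FORWARD rules.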
 
Old 06-17-2017, 01:28 PM   #6
pisti
Member
 
Registered: Jul 2006
Location: Montréal, Canada
Distribution: Slackware since v1.00
Posts: 175

Original Poster
Rep: Reputation: 18
You are right, I still can't ping 10.8.0.6 (or any of the VPN satellites Vx) from client C - but it doesn't matter.

As described before, linking two SSH tunnels for a given port number via VPN node V0 works fine. Thanks for your replies!
 
  

