> On Oct 6, 2018, at 9:37 PM, Michael Knill <michael.kn...@ipcsolutions.com.au>
> wrote:
>
> Ah of course. Basic routing really. Stupid me.
> I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the
> web interface.
>
> Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I
> can access it directly. Problem solved!
> PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2

Alternatively, using SSH as a SOCKS proxy via PBX1 to the PBX2 over WireGuard
for HTTPS access.

But using a VPN from the PC may be simpler, which brings up a general question
... Can I mix OpenVPN and WireGuard VPNs in AstLinux?

The answer is "yes", but it deserves an example.

PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2

PBX1 OpenVPN Server: 10.8.0.0/255.255.255.0
PBX1 OpenVPN Server: "push" route 10.4.0.0 255.255.255.0

PBX1 WireGuard VPN: 10.4.0.1/255.255.255.0
PBX1 WireGuard VPN: (peer) AllowedIPs = 10.4.0.2/32

PBX2 WireGuard VPN: 10.4.0.2/255.255.255.0
PBX2 WireGuard VPN: (peer) AllowedIPs = 10.4.0.1/32, 10.8.0.0/24

This is almost all it takes, except the PBX1 firewall treats both OpenVPN and
WireGuard as LAN subnets, which are isolated from each other by default. This
can be allowed by adding a little custom rule code on the PBX1 box ...
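
-- /mnt/kd/arno-iptables-firewall/custom-rules --
allow_wireguard_openvpn()
{
  # Only applies when both WireGuard and the OpenVPN server are configured
  if [ -n "$WIREGUARD_IP" -a -n "$OVPN_SERVER" ]; then
    echo "[CUSTOM RULE] Allowing WireGuard VPN to/from OpenVPN Server"
    # Append a new '|'-separated group to IF_TRUSTS holding the OpenVPN and
    # WireGuard interfaces (defaults: tun+ and wg0)
    IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}${OVPN_DEV:-tun+} ${WIREGUARD_IF:-wg0}"
  fi
}
allow_wireguard_openvpn
--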

This will allow packets to be forwarded between the typical tun0 and wg0
interfaces on PBX1. You can disable this by commenting out the
"allow_wireguard_openvpn" line.

I tested this, starting on my macOS box using OpenVPN to connect to the PBX1
OpenVPN server and accessing the PBX2 web interface at 10.4.0.2 via macOS. It
works.

Lonnie
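
The three settings from the message above (the pushed route, the AllowedIPs on each side, and the tun/wg trust rule), modeled as an added example that is not part of the original post or of AstLinux. It relies on WireGuard using AllowedIPs both to pick the peer for an outgoing destination and to filter the source of incoming packets; the PC address 10.8.0.6 and all function names are assumptions made for the illustration.

```python
import ipaddress

PC = "10.8.0.6"    # assumed address given to the PC by the PBX1 OpenVPN server
PBX2 = "10.4.0.2"  # PBX2 WireGuard address, from the message

def covered(networks, addr):
    """True if addr falls inside any of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def wg_hop(tx_allowed, rx_allowed, src, dst):
    """One packet across the tunnel. The sender selects the peer by destination;
    the receiver drops a decrypted packet whose source is outside AllowedIPs."""
    if not covered(tx_allowed, dst):
        return "sender has no peer for " + dst
    if not covered(rx_allowed, src):
        return "receiver drops source " + src
    return None

def round_trip(pushed, pbx1_peer, pbx2_peer, tun_wg_trusted):
    """Follow PC -> PBX1 -> PBX2 and the reply; return 'ok' or the first failure."""
    if not covered(pushed, PBX2):
        return "PC has no route to PBX2 through OpenVPN"
    if not tun_wg_trusted:
        return "PBX1 firewall blocks tun0 <-> wg0 forwarding"
    err = wg_hop(pbx1_peer, pbx2_peer, PC, PBX2)   # request leaves PBX1 on wg0
    if err:
        return "request: " + err
    err = wg_hop(pbx2_peer, pbx1_peer, PBX2, PC)   # reply: same lists, roles swapped
    return "reply: " + err if err else "ok"

# Values from the message
PUSHED = ["10.4.0.0/24"]                     # OpenVPN "push" route on PBX1
PBX1_PEER = ["10.4.0.2/32"]                  # PBX1's AllowedIPs for PBX2
PBX2_PEER = ["10.4.0.1/32", "10.8.0.0/24"]   # PBX2's AllowedIPs for PBX1

if __name__ == "__main__":
    print(round_trip(PUSHED, PBX1_PEER, PBX2_PEER, True))        # as configured
    print(round_trip(PUSHED, PBX1_PEER, ["10.4.0.1/32"], True))  # 10.8.0.0/24 left out
    print(round_trip(PUSHED, PBX1_PEER, PBX2_PEER, False))       # firewall default
```

The second case shows why PBX2 lists 10.8.0.0/24 for its PBX1 peer: without it, packets from OpenVPN clients are decrypted on PBX2 and then dropped because their source is not allowed.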