Ah good point. I didn't think about connectivity between VPNs.

Thanks.

Regards
Michael Knill

On 8/10/18, 6:09 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    
    
    > On Oct 6, 2018, at 9:37 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Ah of course. Basic routing really. Stupid me.
    > I guess I could SSH tunnel through an SSH tunnel or just SSH tunnel to the web interface.
    > 
    > Ah actually I have a better idea. I will set up a VPN from my PC to PBX1 so I can access it directly. Problem solved!
    > PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
    
    Alternatively, using SSH as a SOCKS proxy via PBX1 to the PBX2 over wireguard for HTTPS access.
    
    
    But using a VPN from the PC may be simpler, which brings up a general question ... Can I mix OpenVPN and WireGuard VPNs in AstLinux?
    
    The answer is "yes", but it deserves an example.
    
    PC -- [internet] -- PBX1 -- [WG VPN] -- PBX2
    
    PBX1 OpenVPN Server: 10.8.0.0/255.255.255.0
    PBX1 OpenVPN Server: "push" route 10.4.0.0 255.255.255.0
    PBX1 WireGuard VPN: 10.4.0.1/255.255.255.0
    PBX1 WireGuard VPN: (peer) AllowedIPs = 10.4.0.2/32
    
    PBX2 WireGuard VPN: 10.4.0.2/255.255.255.0
    PBX2 WireGuard VPN: (peer) AllowedIPs = 10.4.0.1/32, 10.8.0.0/24
    
    This is almost all it takes, except the PBX1 firewall treats both openvpn and wireguard as LAN subnets, which are isolated from each other by default. This can be allowed by adding a little custom rule code on the PBX1 box ...
    
    -- /mnt/kd/arno-iptables-firewall/custom-rules --
    
    allow_wireguard_openvpn()
    {
      if [ -n "$WIREGUARD_IP" -a -n "$OVPN_SERVER" ]; then
        echo "[CUSTOM RULE] Allowing WireGuard VPN to/from OpenVPN Server"
        IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}${OVPN_DEV:-tun+} ${WIREGUARD_IF:-wg0}"
      fi
    }
    allow_wireguard_openvpn
    --
    This will allow packets to be forwarded between the typical tun0 and wg0 interfaces on PBX1. You can disable by commenting out the "allow_wireguard_openvpn" line.
    
    I tested this, starting on my macOS box using OpenVPN to connect to the PBX1 OpenVPN server and accessing the PBX2 web interface at 10.4.0.2 via macOS. It works.
    
    Lonnie
    
    
    
    _______________________________________________
    Astlinux-users mailing list
    Astlinux-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/astlinux-users
    
    Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
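
Added example, not part of either message and not AstLinux code: a Python check of the addressing in the example above, showing why PBX2's AllowedIPs must include the OpenVPN subnet 10.8.0.0/24 (WireGuard uses AllowedIPs both to pick the peer for outgoing packets and to filter the source of incoming ones). The dictionary layout and function names are constructed for illustration; it assumes PBX1 forwards OpenVPN client traffic without NAT and does not model the firewall rule.

```python
import ipaddress

# Addresses taken from the example in the thread; the dict layout is constructed.
TOPOLOGY = {
    "ovpn_server_net": "10.8.0.0/24",          # PBX1 OpenVPN server subnet
    "ovpn_pushed_routes": ["10.4.0.0/24"],     # routes pushed to the PC
    "pbx1_wg_peer_allowed": ["10.4.0.2/32"],   # PBX1: AllowedIPs for peer PBX2
    "pbx2_wg_addr": "10.4.0.2",                # PBX2 WireGuard address
    "pbx2_wg_peer_allowed": ["10.4.0.1/32", "10.8.0.0/24"],  # PBX2: AllowedIPs for peer PBX1
}


def covered(target, cidrs):
    """True if target (an address or network) lies inside any CIDR in cidrs."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(c)) for c in cidrs)


def check_path(t):
    """Return a list of problems on the PC -> PBX1 -> PBX2 path and its return leg."""
    problems = []
    # Forward leg 1: the PC only sends 10.4.0.2 into the tunnel if a pushed route covers it.
    if not covered(t["pbx2_wg_addr"], t["ovpn_pushed_routes"]):
        problems.append("PC has no pushed route to PBX2's WireGuard address")
    # Forward leg 2: PBX1 selects the outgoing WireGuard peer by AllowedIPs.
    if not covered(t["pbx2_wg_addr"], t["pbx1_wg_peer_allowed"]):
        problems.append("PBX1 AllowedIPs does not select the PBX2 peer")
    # Arrival and return: PBX2 drops decrypted packets whose source is outside
    # the sending peer's AllowedIPs, and uses the same list to route replies.
    if not covered(t["ovpn_server_net"], t["pbx2_wg_peer_allowed"]):
        problems.append("PBX2 AllowedIPs lacks the OpenVPN subnet: "
                        "packets from OpenVPN clients are dropped, replies unroutable")
    return problems


if __name__ == "__main__":
    print(check_path(TOPOLOGY) or "path OK in both directions")
    # Constructed failure case: PBX2 only allows PBX1's own WireGuard address.
    broken = dict(TOPOLOGY, pbx2_wg_peer_allowed=["10.4.0.1/32"])
    print(check_path(broken))
```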
    

