On Mon, Aug 19, 2013 at 10:26:14AM +1000, Zenaan Harkness wrote:
> The key I think is the word "routable" which you use.
Yes, exactly.

> After a successful VPN setup, your VPS becomes analogous to your home
> internet modem router - the router has a public address dedicated to
> _all_ of your home computers/phones/etc.
>
> Your home router can only "assign" its public ip (through its ppp
> link) to an internal box by setting up port forwarding or a DMZ host.
> Port forwarding eg for 80, 443 etc, or DMZ host where _all_ external
> ports are mapped to one particular internal IP address.
>
> It sounds like you want the (laptop) client end of your VPN to be the
> DMZ host for a particular VPS /29 external address.

Close. The caveat is that the /29 is assigned to the VPS. That means that the
VPS, network, and broadcast are all on that /29. So, what I actually want is
to give one ip address out of that /29 to the laptop. The laptop is an
endpoint in itself. It doesn't have any other machines sitting behind it. So
yes, in a sense, the laptop is in the DMZ, since any firewalling for that
single public IP would be done on the laptop. There wouldn't be any port
forwarding or NAT going on here. The laptop would have its own routable
public IP address as if I had connected it to a modem and dialed a dial-up
provider. My VPS would in a sense be an ISP as far as the laptop is
concerned.

> Set up OpenVPN:
> OpenVPN will still have two endpoint addresses for each client, and
> one for the server. Eg 10.1.1.1/24 for the server, eg 10.1.1.2 for the
> VPN (laptop) client.
>
> Choose a /29 address on your VPS to dedicate to the VPN (laptop) client.
> Configure the VPS kernel firewall rules to 1:1 map all public ports on
> this chosen /29 address, to the VPN (laptop) client address eg to
> 10.1.1.2.
>
> Does this sound like what you want?

Yes! I was stuck in thinking of things how pppd does them, and it didn't
occur to me I can map a private address onto a public one. I was hoping I
could avoid using NAT here, which I know I wouldn't need to do if things
worked out how I originally planned.
But what you propose would do the job as well I think. Would something like
this work on the VPS side?

  # Inbound: traffic for the public address is handed to the laptop's
  # tunnel address.
  iptables -t nat -A PREROUTING --destination public_addr -j DNAT --to-destination 10.0.0.2
  # Outbound: the laptop's traffic leaves the VPS with the public address
  # as its source.
  iptables -t nat -A POSTROUTING --source 10.0.0.2 -j SNAT --to-source public_addr

Then of course assign the public address I want the laptop to get to eth0:0
on the VPS.

> The VPN (laptop) client has address (in this example) 10.1.1.2. This
> address is the address that the (laptop) client uses as its "publicly
> routable" address. You can call it its DMZ address, since random
> connection attempts (from the public) will appear on 10.1.1.2.

Yes.

> Because it is DMZ, you need to be confident to set up firewall rules
> to protect the VPN (laptop) client.
>
> Consider forwarding just those ports you want of course - eg a
> bittorrent port, SSH, HTTP, HTTPS etc. Since you are configuring VPS
> firewall rules for either forwarding or DMZ, shouldn't be much
> difference either way.

I actually want to do firewalling on the laptop. I don't want to control
what goes in/out the laptop on the VPS side.

> Note in either scenario, PPP is not needed as part of the VPN setup.

No, not if I'm doing NAT, which I hadn't thought of like I said.

> It is taken as given that both the VPN (laptop) client, and the VPS,
> are connected already to public internet in some form (via modem
> (PPP/PoE etc), wireless, etc).

Yes.

> The VPN part just needs openVPN to be configured correctly.
> If eg your VPN (laptop) client is egregiously firewalled and eg can
> only access (public) port HTTP 80, then simply setup openVPN to listen
> on a VPS address that has port 80 unused/available.
> If the VPN (laptop) client internet firewalling is even more
> egregious, use eg httptunnel

Good point. I was planning to simply run openvpn on tcp 1194. I already have
apache running on the VPS, so using port 80 would mean using yet another
address from my /29 for openvpn. That's not something I want to do though.
I believe openvpn has a http proxy pass-through mode or something like that,
where it listens to port 80, but forwards http traffic somewhere else. I'll
have to take a look at that.

> Hopefully the above explanations make it clear for you now?

Yes! I hadn't thought of using NAT as a possibility.

Thanks!
Greg

--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
--
Free domains: http://www.eu.org/ or mail dns-mana...@eu.org

Archive: http://lists.debian.org/20130819020200.ga17...@gregn.net
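A worked version of the VPS-side 1:1 mapping discussed in the thread, added here as an example and not code from either poster. It assumes the laptop's OpenVPN address is 10.0.0.2, uses the constructed documentation address 203.0.113.10 in place of the chosen /29 address, and assumes the VPS interfaces are eth0 (public) and tun0 (OpenVPN); it prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Gives the OpenVPN client (laptop)
# one address out of the VPS /29 via 1:1 NAT on the VPS. Values below are
# assumptions: 203.0.113.10 is a constructed stand-in for the chosen /29
# address, 10.0.0.2 the laptop's tunnel address, eth0/tun0 the VPS interfaces.
PUBLIC_ADDR="${PUBLIC_ADDR:-203.0.113.10}"
TUN_ADDR="${TUN_ADDR:-10.0.0.2}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Four dotted-decimal octets, each 0-255; rejects anything else.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the VPS-side commands instead of running them, so the plan can be
# reviewed (or piped into sh) before it touches a live box.
nat_rules() {
    pub=$1; tun=$2; wan=$3; tunif=$4
    is_ipv4 "$pub" && is_ipv4 "$tun" || { echo "bad address" >&2; return 2; }
    # The VPS has to own the address (the eth0:0 alias) before it can forward it.
    echo "ip addr add $pub/32 dev $wan"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Inbound: everything addressed to the public address goes to the laptop.
    echo "iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $tun"
    # Outbound: the laptop's traffic leaves with the public address as source.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $tun -j SNAT --to-source $pub"
    # Forward both ways; filtering stays on the laptop, as the thread intends.
    echo "iptables -A FORWARD -i $wan -o $tunif -d $tun -j ACCEPT"
    echo "iptables -A FORWARD -i $tunif -o $wan -s $tun -j ACCEPT"
}

nat_rules "$PUBLIC_ADDR" "$TUN_ADDR" "$WAN_IF" "$TUN_IF"
```

For the mapping to cover all of the laptop's traffic, its default route has to go through the tunnel (OpenVPN's redirect-gateway option on the client).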