On Mon, 18 Apr 2022 10:23:19 +0100, Terry Coles wrote:
> > When a VPN client connects to the Web Server, in theory the web
> > server would see that connection coming in from a
> > address, not a one. So, it is a given that the
> > Webserver has to be configured to accept connections from
> > clients.
> So how would I do that?  I always assumed that the VPN Server
> included a router that would sort all that out.  The iptables
> output would indicate that it does.

I suppose there is some nuance here; the connection would come from a address, routed via the address of the VPN 
server. So, the Webserver would see that 192.168.0. had forwarded it 
some traffic that originated from 10.1.10.x.

If the VPN server were doing NAT routing/masquerading, as opposed to 
plain old routing, then the connection would appear to come directly 
from the VPN server's address. I suppose the VPN server 
*could* be doing NAT routing, but that would be a little surprising to 
me, because I am not seeing how NAT routing would be beneficial in 
this set-up.

But I only mentioned this in case you had configured the server to 
block connections that weren't from addresses, so if 
you haven't done that then I can't see it being a concern.

The only other thing that comes to mind on a brief reading of your 
response to me is that, if the web server isn't accessible by IP 
address, then it certainly isn't going to be accessible via hostname.

So, as you say, the routing falls under suspicion.

The finer points of iptables configuration are perhaps a bit lost on 
me, so while I can look at the broad strokes of your config, and I 
think it seems OK, I could easily be missing some nuances that might 
send it off the rails.

I suppose one thing to check is whether, while connected to the VPN, 
you have any other (conflicting) routes to Or, indeed, 
whether there is a route to at all. E.g. run

    $ ip route show

on your VPN client computer and see where it thinks it should send 
traffic destined for

That raises the question of how the VPN client learns which networks 
it can route to via the VPN. Presumably it does learn something, since 
you can access the various non-Webserver devices in the 
network. Unless that's happening by fluke.

If there isn't a suitable route to on the VPN client 
computer, then manually adding one temporarily might be a worthwhile 

It seems you've got me hooked on this puzzle, Terry. I was only going 
to write a few paragraphs here, to clarify my previous remarks!
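
An added example, not part of the original message: one way to read `ip route show` output from the VPN client and see which route wins for a destination, and which overlapping routes lose, using longest-prefix match and then lowest metric. The interface names and every address in the sample are constructed for illustration and are not the poster's network; the function names are hypothetical.

```python
import ipaddress

# Constructed `ip route show` output from a hypothetical VPN client.
# Here the client's own LAN happens to use the same /24 as the remote LAN.
SAMPLE_ROUTES = """\
default via 192.168.50.1 dev wlan0 proto dhcp metric 600
10.1.10.0/24 dev tun0 proto kernel scope link src 10.1.10.6
192.168.50.0/24 dev wlan0 proto kernel scope link src 192.168.50.23 metric 600
192.168.50.0/24 via 10.1.10.1 dev tun0 metric 700
"""


def _opt(fields, key, default=None):
    """Return the token following `key` on a route line, if present."""
    return fields[fields.index(key) + 1] if key in fields[:-1] else default


def parse_routes(text):
    """Turn `ip route show` lines into dicts: network, dev, via, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." lines, which have no prefix first
        routes.append({
            "network": network,
            "dev": _opt(fields, "dev"),
            "via": _opt(fields, "via"),
            "metric": int(_opt(fields, "metric", 0)),
        })
    return routes


def diagnose(text, dest):
    """Return (chosen_route, other_matching_routes) for one destination."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in parse_routes(text) if addr in r["network"]]
    # Most specific prefix first; among equal prefixes the lowest metric wins.
    ranked = sorted(hits, key=lambda r: (-r["network"].prefixlen, r["metric"]))
    return (ranked[0], ranked[1:]) if ranked else (None, [])
```

In the constructed sample, traffic for 192.168.50.10 leaves via `wlan0` rather than `tun0`, which is the kind of conflicting route the message suggests looking for; on a live client, `ip route get <address>` reports the kernel's actual choice.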

