On 18/04/2022 20:26, Patrick Wigmore wrote:
On Mon, 18 Apr 2022 10:23:19 +0100, Terry Coles wrote:
When a VPN client connects to the Web Server, in theory the web
server would see that connection coming in from a 10.1.10.0/24
address, not a 192.168.0.0/24 one. So, it is a given that the
Webserver has to be configured to accept connections from
10.1.10.0/24 clients.
So how would I do that?  I always assumed that the VPN Server
included a router that would sort all that out.  The iptables
output would indicate that it does.
I suppose there is some nuance here; the connection would come from a
10.1.10.0/24 address, routed via the 192.168.0.0/24 address of the VPN
server. So, the Webserver would see that 192.168.0. had forwarded it
some traffic that originated from 10.1.10.x.

If the VPN server were doing NAT routing/masquerading, as opposed to
plain old routing, then the connection would appear to come directly
from the VPN server's 192.168.0.0/24 address. I suppose the VPN server
*could* be doing NAT routing, but that would be a little surprising to
me, because I am not seeing how NAT routing would be beneficial in
this set-up.

But I only mentioned this in case you had configured the server to
block connections that weren't from 192.168.0.0/24 addresses, so if
you haven't done that then I can't see it being a concern.

The only other thing that comes to mind on a brief reading of your
response to me is that, if the web server isn't accessible by IP
address, then it certainly isn't going to be accessible via hostname.

So, as you say, the routing falls under suspicion.

The finer points of iptables configuration are perhaps a bit lost on
me, so while I can look at the broad-strokes of your config, and I
think it seems OK, I could easily be missing some nuances that might
send it off the rails.

I suppose one thing to check is whether, while connected to the VPN,
you have any other (conflicting) routes to 192.168.0.0/24. Or, indeed,
whether there is a route to 192.168.0.0/24 at all. E.g. run

     $ ip route show

on your VPN client computer and see where it thinks it should send
traffic destined for 192.168.0.0/24.

That raises the question of how the VPN client learns which networks
it can route to via the VPN. Presumably it does learn something, since
you can access the various non-Webserver devices in the 192.168.0.0/24
network. Unless that's happening by fluke.

If there isn't a suitable route to 192.168.0.0/24 on the VPN client
computer, then manually adding one temporarily might be a worthwhile
experiment.

It seems you've got me hooked on this puzzle, Terry. I was only going
to write a few paragraphs here, to clarify my previous remarks!

Patrick

Note: The VPN Server does not do NAT, as is evidenced by the "Last login from 10.1.10.x" prompt that I get after SSHing into one of the pis periodically.

Hamish
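Patrick's suggestion above is to look at the VPN client's route table for a route to 192.168.0.0/24 and for any conflicting routes. As an added illustration that is not part of this thread, and not anyone's real route table, the Python snippet below evaluates a constructed `ip route show` listing the way the kernel would (longest prefix first, then lowest metric) and flags prefixes that appear more than once. The sample addresses, gateways and interface names (tun0, wlan0, 172.16.5.x) are assumptions.

```python
import ipaddress

# Constructed sample of `ip route show` output on a VPN client (not real data).
# Note the two competing routes for 192.168.0.0/24: one via the tunnel,
# one directly on the local wireless interface.
SAMPLE_ROUTES = """\
default via 172.16.5.1 dev wlan0 proto dhcp metric 600
10.1.10.0/24 dev tun0 proto kernel scope link src 10.1.10.6
172.16.5.0/24 dev wlan0 proto kernel scope link src 172.16.5.23 metric 600
192.168.0.0/24 via 10.1.10.1 dev tun0
192.168.0.0/24 dev wlan0 scope link metric 600
"""

def parse_routes(text):
    """Turn `ip route show` lines into dicts with net, via, dev and metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"net": ipaddress.ip_network(dest, strict=False),
                 "via": None, "dev": None, "metric": 0}
        # Remaining fields come in "key value" pairs; pick out the ones we need.
        for key, val in zip(fields[1:], fields[2:]):
            if key == "via":
                route["via"] = val
            elif key == "dev":
                route["dev"] = val
            elif key == "metric":
                route["metric"] = int(val)
        routes.append(route)
    return routes

def lookup(routes, dst):
    """Return the route the kernel would pick for dst, or None if there is none."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def conflicting_prefixes(routes):
    """Map each destination prefix that occurs more than once to its interfaces."""
    by_net = {}
    for r in routes:
        by_net.setdefault(str(r["net"]), []).append(r["dev"])
    return {net: devs for net, devs in by_net.items() if len(devs) > 1}

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    chosen = lookup(table, "192.168.0.20")
    print("192.168.0.20 goes out", chosen["dev"], "via", chosen["via"])
    print("conflicting prefixes:", conflicting_prefixes(table))
```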


--
 Next meeting: Online, Jitsi, Tuesday, 2022-05-03 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
