On 18/04/2022 20:26, Patrick Wigmore wrote:
On Mon, 18 Apr 2022 10:23:19 +0100, Terry Coles wrote:
When a VPN client connects to the Web Server, in theory the web
server would see that connection coming in from a
address, not a one. So, it is a given that the
Webserver has to be configured to accept connections from clients.
So how would I do that?  I always assumed that the VPN Server
included a router that would sort all that out.  The iptables
output would indicate that it does.
I suppose there is some nuance here; the connection would come from a address, routed via the address of the VPN
server. So, the Webserver would see that 192.168.0. had forwarded it
some traffic that originated from 10.1.10.x.

If the VPN server were doing NAT routing/masquerading, as opposed to
plain old routing, then the connection would appear to come directly
from the VPN server's address. I suppose the VPN server
*could* be doing NAT routing, but that would be a little surprising to
me, because I am not seeing how NAT routing would be beneficial in
this set-up.

But I only mentioned this in case you had configured the server to
block connections that weren't from addresses, so if
you haven't done that then I can't see it being a concern.

The only other thing that comes to mind on a brief reading of your
response to me is that, if the web server isn't accessible by IP
address, then it certainly isn't going to be accessible via hostname.

So, as you say, the routing falls under suspicion.

The finer points of iptables configuration are perhaps a bit lost on
me, so while I can look at the broad-strokes of your config, and I
think it seems OK, I could easily be missing some nuances that might
send it off the rails.

I suppose one thing to check is whether, while connected to the VPN,
you have any other (conflicting) routes to Or, indeed,
whether there is a route to at all. E.g. run

     $ ip route show

on your VPN client computer and see where it thinks it should send
traffic destined for

That raises the question of how the VPN client learns which networks
it can route to via the VPN. Presumably it does learn something, since
you can access the various non-Webserver devices in the
network. Unless that's happening by fluke.

If there isn't a suitable route to on the VPN client
computer, then manually adding one temporarily might be a worthwhile

It seems you've got me hooked on this puzzle, Terry. I was only going
to write a few paragraphs here, to clarify my previous remarks!


Note: The VPN Server does not do NAT, as is evidenced by the "Last login from 10.1.10.x" prompt that I get after SSHing into one of the pis periodically.


 Next meeting: Online, Jitsi, Tuesday, 2022-05-03 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk

Reply via email to