Hi
On Mon, Jan 9, 2017, at 09:25 AM, Simon Hobson wrote:
> OK, stop thinking about a VPN as "something special" - as far as the rest of
> the network is concerned it's "just another network link".
Well, I'd started poking at the VPN routes only, per Tom's comment. Now
considering yours too ...
> 1) The different networks should all have separate and non-overlapping
> subnets. If you do this, then there is no need for any NAT whatsoever (within
> the network).
The VPS uses a dummy network of 10.2.0.0/24
The local server+LAN use 10.1.0.0/24
The vpn endpoints are 10.99.99.{1,2} -- nothing else on that subnet
So IIUC that meets the non-overlapping subnet requirements
> 2) You must have routing set up.
Everybody always says that like it's supposed to be self-explanatory! :-)
...
> So far this is basic IP addressing/routing stuff and doesn't (need to)
> involve Shorewall.
So that's all in/on OpenVPN, like Tom said, right?
> 3) Your rules/policies must allow the packet.
> The only NAT you need to is to masq traffic out via the public ethernet
> connections. This most likely to masq the subnet for LAN1 via the public IP
> of server 1, and masq traffic for LAN2 via the public IP of server 3.
> It would be possible to configure masq for traffic from LAN2 via the public
> IP of server 1 and there may be valid uses for it. You could route traffic
> from LAN2 via the internet connection of server 1. In practical terms it's
> not useful since if server 3's internet is down then so is the VPN tunnel,
> and the traffic has to go via both internet connections before it gets masq'd
> out - so you can't take advantage of more generous bandwidth allowances.
Ok, that just makes my head hurt. Too much "I understand this stuff already"
speak.
Printing it out in double-spaced, large-type to re-read! ;-)
> So using your numbers (and making assumptions of masks), on server 1 you need
> to masq :
> 10.1.0.0/24 and optionally 10.99.99.0/24 and 10.2.0.1/24 to 192.0.2.1
> On server 3 you need to mask :
> 10.0.1/24 and optionally 10.99.99.0/24 and 10.1.0.1/24 to 198.51.100.1
And by "need to masq" (or mask), that DOES mean rules in the Shorewall 'masq'
file?
> As for routing, two ways of doing it.
> You can do it at the OS layer - so when you bring up the VPN, add a post-up
> action to install routes to the other end (LAN2 on server1 and LAN1 on
> server 3). Or you can have Shorewall set it up by (IIRC) using the route
> rules (rtrules) file.
Right now I'm no better off UNDERSTANDING, but at least I have stuff to read &
start at some more!
Thanks!
-AJ
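The layout AJ describes (LAN1 10.1.0.0/24 behind server 1, LAN2 10.2.0.0/24 behind server 3, tunnel 10.99.99.0/24, public IPs 192.0.2.1 and 198.51.100.1), checked for Simon's points 1 and 2 and rendered as the masq lines and routes they imply. This is an added example, not code from the thread or from the Shorewall project; the INTERFACE SOURCE ADDRESS column order is Shorewall's masq file layout, while the interface names eth0/tun0 are assumed.

```python
import ipaddress

# Constructed from the addresses given in the thread; interface names are assumed.
SITES = {
    "server1": {"lan": "10.1.0.0/24", "public_ip": "192.0.2.1", "tun_ip": "10.99.99.1",
                "public_if": "eth0", "tun_if": "tun0"},
    "server3": {"lan": "10.2.0.0/24", "public_ip": "198.51.100.1", "tun_ip": "10.99.99.2",
                "public_if": "eth0", "tun_if": "tun0"},
}
TUNNEL = "10.99.99.0/24"


def overlapping_subnets(cidrs):
    """Return pairs of subnets that overlap (point 1: there must be none)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def masq_entries(site):
    """Shorewall 'masq' lines (INTERFACE SOURCE ADDRESS) for one site.
    Only the public interface masquerades; traffic entering the tunnel keeps
    its private source address, so no NAT happens between the two LANs."""
    s = SITES[site]
    sources = [s["lan"], TUNNEL]  # local LAN, plus (optionally) the tunnel subnet
    return [f'{s["public_if"]}\t{src}\t{s["public_ip"]}' for src in sources]


def vpn_routes(site):
    """'ip route' commands for an OpenVPN up script at this site (point 2):
    reach the other site's LAN via that site's tunnel endpoint address."""
    s = SITES[site]
    return [f'ip route add {o["lan"]} via {o["tun_ip"]} dev {s["tun_if"]}'
            for name, o in SITES.items() if name != site]


def check_layout():
    """Return (problems, per-site config); problems is empty when the layout is sound."""
    problems = overlapping_subnets([s["lan"] for s in SITES.values()] + [TUNNEL])
    tun = ipaddress.ip_network(TUNNEL)
    for name, s in SITES.items():  # each endpoint must sit inside the tunnel subnet
        if ipaddress.ip_address(s["tun_ip"]) not in tun:
            problems.append((name, f'tunnel endpoint {s["tun_ip"]} is outside {TUNNEL}'))
    config = {name: {"masq": masq_entries(name), "routes": vpn_routes(name)} for name in SITES}
    return problems, config


if __name__ == "__main__":
    problems, config = check_layout()
    print("problems:", problems or "none")
    for name, c in config.items():
        print(f"\n# {name}: /etc/shorewall/masq", *c["masq"], sep="\n")
        print(f"# {name}: OpenVPN up script", *c["routes"], sep="\n")
```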
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users