Trash Talk - VPN/Network setup
Solo Ace - Thu Nov 17, 2005 2:26 pm Post subject: VPN/Network setup
I just have a few questions about some issues I'm currently having with a few network setups I'd like to use.
Say my router would be a Linux box (I'd actually prefer that over a Windows box).
A VPN client is also running on this box to establish a link over the Internet to another remote LAN.
The remote LAN's VPN server would also be a Linux box.
LAN <--> [Router/VPN client] <--> Internet <--> [Router/VPN server] <--> Remote LAN
But now I'm wondering how I could bypass this VPN connection for certain programs on a system on the LAN behind the [Router/VPN client].
Would this only require a routing rule, or would I need to set up a (SOCKS) proxy server on the [Router/VPN client] to let programs use that instead of the VPN? I do want the VPN as the default route for the other traffic, though...
Any ideas?
Dr Brain - Thu Nov 17, 2005 4:12 pm Post subject:
My understanding of VPNs is that if you address something to an address on the other side of the VPN bridge, the server will route it automagically. And if you want something outside the VPN in the wide world, all you have to do is send it to an address outside both LANs.
An example usage would be helpful in determining exactly what you're looking for.
Mine GO BOOM - Thu Nov 17, 2005 11:16 pm Post subject:
Here is how my network is setup.
My network, with myself, my servers, my brother, and my roommate, is all on 192.168.1.0/24. So anything inside that range stays within our LAN. The router is running m0n0wall. My parents are 120 miles south of here, and run on a private network of 192.168.2.0/24. They are also behind a m0n0wall router.
On both of those routers, I have IPsec set up. Any time my computer tries to connect to anything in the 192.168.2.0 - 192.168.2.255 range, my router goes out over the Internet, talks to the other router, and sets up a secure IPsec tunnel. Then the packet I originally wanted to go to 192.168.2.102 gets sent over this encrypted tunnel. So now I can have Windows set up a file sharing network with my parents' computer, and can easily copy files to/from them without having to make sure an FTP server is set up. It also allows me to do things such as VNC without them having an open port on their network for every computer.
Sadly, the m0n0wall project doesn't support broadcasting over IPsec or VPN, so I can't do LAN games of things such as Starcraft.
Solo Ace - Fri Nov 18, 2005 8:32 am Post subject:
Well, I'd like to set up my stuff like yours, MGB (which I tried to make clear with my stuff in the code boxes), but I want to have the VPN as the default route, and let specific traffic (from certain software) actually bypass it...
I tried using m0n0wall already, though, but it didn't feel like responding on the networks, so I dumped it.
Dr Brain - Fri Nov 18, 2005 10:08 am Post subject:
Default route? Uh, there is no default route. If you send the packet to an address on the other LAN, it will go there. If you send it to an address not on either LAN, it'll head out into the wide wide world.
Again, why do you think you want to do this?
Mine GO BOOM - Fri Nov 18, 2005 10:47 am Post subject:
So, you'd roughly want a transparent proxy on one network, which forwards all packets to the other network over the internet, so the other end will send it out to the world? Or you want all traffic to be denied, except LAN traffic and a few other specific IP addresses?
Solo Ace - Wed Dec 14, 2005 5:53 am Post subject:
Brain, yes, except it's set up to make all traffic (except that for the local LAN) go over the VPN.
This would make a "transparent" proxy as MGB asked about.
So yeah, the packets would go over the VPN first, then actually get shot into the world.
Why I'd want to do this? To get around the restrictions on my dad's internet connection.
I'm not sure why only outgoing FTP, VPN and HTTP/HTTPS connections are allowed to be made, but the company that set it up probably thought it'd be secure.
But whatever, I guess that's what the government wants.
I got some solution, but I think I'll end up running VNC again anyway.
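The setup asked about in this thread (VPN as the default route for the whole LAN, with specific traffic from a LAN host sent straight out the ISP link instead, and the far end forwarding tunnel traffic to the Internet like MGB's "transparent proxy") is a policy-routing job on Linux, not a proxy job. Below is an added example script for the two Linux routers; it is not code from any poster in the thread. Every interface name and address in it is an assumption (the posts never name the VPN software or the interfaces): eth0 as the LAN side on 192.168.1.0/24 (the range MGB used), eth1 as the ISP side with gateway 203.0.113.1, tun0 as the tunnel device, and 198.51.100.10 as the remote VPN server's public address. A router cannot see which program on a LAN host produced a packet, so the "bypass for certain programs" is selected by source IP and destination port.

```shell
#!/bin/sh
# Added example, not from the thread: Linux policy routing so the VPN is the
# default route for the LAN, while chosen LAN host/port pairs skip the tunnel.
#
# Assumed names and addresses (none appear in the original posts):
#   LAN_IF   eth0, LAN 192.168.1.0/24
#   WAN_IF   eth1, ISP gateway 203.0.113.1 (documentation address)
#   VPN_IF   tun0, the tunnel device the VPN client creates
#   VPN_PEER 198.51.100.10, public address of the remote VPN server

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-eth1}
WAN_GW=${WAN_GW:-203.0.113.1}
VPN_IF=${VPN_IF:-tun0}
VPN_PEER=${VPN_PEER:-198.51.100.10}
BYPASS_TABLE=100      # routing table number for direct-to-ISP traffic
BYPASS_MARK=0x1       # fwmark that selects that table
: "${DRY_RUN:=0}"     # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# On the [Router/VPN client] box: tunnel is the default route. The tunnel's
# own encrypted packets to the peer must still leave via the ISP gateway,
# otherwise the default route would send the tunnel into itself.
vpn_default_route() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace "$VPN_PEER/32" via "$WAN_GW" dev "$WAN_IF"
    run ip route replace default dev "$VPN_IF"
    # Secondary table: default straight out the ISP link, plus the LAN route
    # so reverse-path checks on marked packets still resolve to eth0.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$BYPASS_TABLE"
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$BYPASS_TABLE"
    run ip rule add fwmark "$BYPASS_MARK" lookup "$BYPASS_TABLE" priority 100
    # Bypassed flows leave with the router's ISP address, not a LAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Mark one LAN host's traffic to one TCP port so it skips the tunnel.
# Usage: add_bypass <lan-host-ip> <tcp-dport>
add_bypass() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$1" -p tcp --dport "$2" \
        -j MARK --set-mark "$BYPASS_MARK"
}

# On the [Router/VPN server] box: forward the client LAN's tunnel traffic to
# the Internet and NAT it, which is what makes the remote end act as the
# "transparent proxy" described above. SERVER_WAN_IF is assumed to be eth0.
vpn_server_egress() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -o "$VPN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "${SERVER_WAN_IF:-eth0}" -j MASQUERADE
}

# Usage: ./vpnroute.sh client [host port ...]   (on the VPN client router)
#        ./vpnroute.sh server                   (on the VPN server router)
# With no arguments the script only defines the functions.
case "${1:-}" in
    client) shift; vpn_default_route
            while [ $# -ge 2 ]; do add_bypass "$1" "$2"; shift 2; done ;;
    server) vpn_server_egress ;;
    "")     : ;;
    *)      echo "usage: $0 client [host port ...] | server" >&2; exit 2 ;;
esac
```

Run it with DRY_RUN=1 first to review the exact commands before applying them as root. Two caveats a practitioner should check: many VPN clients (OpenVPN with redirect-gateway, for instance) install the default route and the peer host route themselves, in which case vpn_default_route should only add the secondary table, the rule and the MASQUERADE; and the server end must already have a route back to 192.168.1.0/24 through the tunnel, which is configured in the VPN software rather than here. The selector in add_bypass is deliberately narrow (one host, one TCP port); widen it with more iptables matches if a whole host or a UDP service should bypass the tunnel.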