On Mon, Aug 19, 2013 at 01:07:06PM +1000, Zenaan Harkness wrote:

I wrote:
> > actually want is to give one ip address out of that /29 to the
> > laptop. The laptop is an endpoint in itself. It doesn't have any other
>
> You need to question yourself, imagine an isolated network of three computers:
> A <-> B <-> C
>
> Let's say A is your isolated "public" computer wanting to access C,
> your "clandestine" routed laptop.
>
> So B has a "public" ip address block, let's say a /29 subnet :)
>
> In your thinking, using any technology you choose whatsoever, how
> would you "assign" one of B's IP addresses to C?
I would put a route in B's routing table to C's interface to B. To make this more concrete, on B I would:

    route -A inet add -host public_addr_assigned_to_C iface_connected_to_C

I think you might be taking what I said too literally and maybe that's why we aren't on the same page. I didn't mean that the laptop would literally be an endpoint unto itself. The only way that would happen is if I disconnected the laptop from any ethernet/wifi networks. I only meant to say that the laptop wouldn't be routing to any machines attached to it through a second interface (it wouldn't act as a router).

> Well, the VPS needs its own firewalling.
> Part of that can be routing of packets hitting your "chosen public ip
> address which really goes to the clandestine server".

Yes, I agree.

> > > There wouldn't be any port forwarding or NAT going on
>
> Here is perhaps your misunderstanding.
>
> VPS has a public IP address, which "looks like" a web server say. In
> reality this web server is a clandestine server behind a restrictive
> firewalling regime, which however is able also to connect to the VPS.
>
> A connection, means 2 endpoints, each of which needs its own address
> (eg MAC address, IP address, or whatever happens with PPP I don't
> know).
>
> So in my diagram above, A of course has a unique public (possibly
> NATed) ip address, and connects to B, your VPS, which has this
> specially chosen-by-you IP special-address.
>
> And all requests that hit this special-address on B, need to somehow
> get to machine C. Machine C has its own address, but B cannot
> ordinarily access C - this is the reason you are using a VPN in the
> first place.
>
> So instead, C connects into B, and a virtual (private-encrypted)
> network is set up, with TWO ip addresses, for VPS server B, and laptop
> clandestine machine C.

I agree. Let me paste the part of the openvpn man page where I see the problem. Maybe I'm misunderstanding something:

"--ifconfig l rn
Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.

For TUN devices, which facilitate virtual point-to-point IP connections, the proper usage of --ifconfig is to use two private IP addresses which are not a member of any existing subnet which is in use. The IP addresses may be consecutive and should have their order reversed on the remote peer. After the VPN is established, by pinging rn, you will be pinging across the VPN."

So, because I want a point-to-point connection, I have to use two private addresses that are on the same subnet. That means I have to assign the laptop a private address, not a public one. For me to map data from the private address to the public one means doing NAT. By doing NAT, laptop would have a private address on its end of the VPN, but any connections laptop made to the internet would look like they came from the public address assigned to it. That means doing NAT.

> You need to set up firewalling on VPS B, to route all packets to (eg)
> 10.1.1.2.
>
> Yes, this is forwarding. Yes this implies a type of NAT for packets
> coming back out of C, over the VPN, through B, back out to the
> "public" Internet (to A).
>
> But how else do you expect to do this?

Like I showed above. I think we both agree the VPS would need to serve as a router. My question still stands. If I have to assign private addresses that aren't part of the same subnet, then the laptop can't have a public address. I could of course have a statement like:

    --config 10.0.0.1 public_addr

in the server config file on the VPS. If I do that though, I see no way to tell openvpn that the subnet here is /32.

> This is unclear. But the public IP address of course needs to be
> public - it has to appear on the public internet. Your VPS, to make
> use of it, will need to "host" that IP address of course.

Right.
On the VPS I would set up routing as I showed above. On the laptop I would do:

    ifconfig iface public_addr netmask 255.255.255.248

In the case of a ptp link, that would become:

    ifconfig iface public_addr pointopoint VPN_addr netmask 255.255.255.255

Is there something I'm not getting here? Thanks for taking the time to work through this with me. I think we mostly agree. It just seems to me you're saying that the VPN interface on the laptop would be configured with the public address, and I don't see how that's possible with openvpn.

Greg

--
web site: http://www.gregn.net
gpg public key: http://www.gregn.net/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)

Archive: http://lists.debian.org/20130819062836.ga21...@gregn.net
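An added example, not part of either mail: one way the setup discussed above can be expressed without NAT. The tun endpoints stay private as --ifconfig requires, the chosen public address is added as a second address on the laptop's tun interface, and the VPS forwards that single /32 across the link. All addresses and interface names are constructed placeholders (203.0.113.0/29 is a documentation range), and `ip`/`iptables` are used where the thread used route/ifconfig.

```shell
#!/bin/sh
# Added example (not from the thread). Roles follow Zenaan's diagram:
# B = VPS, C = laptop. Values below are constructed placeholders.
VPN_B="${VPN_B:-10.0.0.1}"        # --ifconfig l on B, rn on C
VPN_C="${VPN_C:-10.0.0.2}"        # --ifconfig l on C, rn on B
PUB_C="${PUB_C:-203.0.113.10}"    # the address from B's /29 chosen for C
TUN="${TUN:-tun0}"                # OpenVPN tun device on both hosts
UPLINK="${UPLINK:-eth0}"          # B's interface towards the Internet
RUN="${RUN:-}"                    # set RUN=echo to print instead of execute

# On B: forward packets for PUB_C down the tunnel. Because C really owns
# PUB_C, a plain /32 route replaces port forwarding or NAT. Forwarding is
# limited to that one address in both directions, and packets arriving
# from the tunnel with any other source are dropped (anti-spoofing).
vps_setup() {
  $RUN sysctl -w net.ipv4.ip_forward=1
  $RUN ip route add "$PUB_C/32" dev "$TUN"
  # Only needed when the /29 is on-link at B (provider expects B to answer
  # ARP for it) rather than routed to B; harmless to leave out otherwise.
  $RUN sysctl -w "net.ipv4.conf.$UPLINK.proxy_arp=1"
  $RUN iptables -A FORWARD -i "$TUN" -s "$PUB_C" -o "$UPLINK" -j ACCEPT
  $RUN iptables -A FORWARD -i "$UPLINK" -d "$PUB_C" -o "$TUN" -j ACCEPT
  $RUN iptables -A FORWARD -i "$TUN" -j DROP
}

# On C: the tun endpoint remains VPN_C (private, per the man page); PUB_C
# is an additional /32 on the same interface. Traffic sent over the tunnel
# uses PUB_C as its source, so replies come back through B to the tunnel.
# Sending the default route via the tunnel is left to OpenVPN's own
# --redirect-gateway def1, which also keeps the host route to B's real
# address on the LAN path.
laptop_setup() {
  $RUN ip addr add "$PUB_C/32" dev "$TUN"
  $RUN ip route add "$VPN_B/32" dev "$TUN" src "$PUB_C"
}

# Usage: run vps_setup on B and laptop_setup on C after the tunnel is up,
# e.g. from an OpenVPN --up script. RUN=echo sh thisfile shows the commands.
```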