What I'm trying to achieve is:
Connect to a VPN as client and route all my internal network's traffic over the VPN.
Run a VPN server, so that people from outside can connect to my internal network and get routed over the a.m. VPN client.
I'm trying to achieve that with a router running dd-wrt (netgear D6200), and / or a raspberry pi.
Can someone tell me if this can be achieved, and if, direct me to what would be a possible solution?
(I'm not looking for a tutorial, just a direction)
Thanks!
This thread probably does not belong here.
Consider using OpenWRT instead of dd-wrt. OpenWRT gives you a usable build system and easier to customize and build. I am not advocating OpenWRT. This can be a stop gap measure.
You can setup a OpenVPN server and OpenVPN client using the standard
documentation available on OpenWRT Wiki and also OpenVPN site.
Add to OpenVPN server.conf the following directive redirect-gateway def1. This will push the default gateway to clients connecting to OpenVPN server. Further, make sure you are using a unique network IP pool for VPN clients and does not clash with the remove VPN server.
Make sure you are masquerading the VPN traffic (Clients of local VPN server) before forwarding to remove VPN server. This can be tricky as this interface does not exist at boot time. It needs to be configured using up and down scripts
Make sure you are allowing traffic (clients of local VPN Server) on VPN interface to be forwarded in your firewall rules
Before setting up the OpenVPN server, make sure
The remove VPN server is pushing the default gateway to your VPN
client
You have setup the firewall correctly
You are able to reach the cloud through the Remote VPN Server. Checking with some site like www.whatismyip.com will help
Yes this is possible with dd-wrt on Netgear.
There is no need of Raspberry (unless you meant to run the remote VPN server on it).
Configure and run VPN server on dd-wrt - and try connectivity by connecting clients. Both tun/tap should work in general (with VPN client running). I tested with tun.
Configure and run VPN client on dd-wrt and try connecting to your VPN server. By default, the router should start directing all traffic (for its own LAN clients) via the VPN server.
So far so good.
The problem comes when you want dd-wrt's VPN clients (and not just LAN clients) to take the same route. With a VPN client running on dd-wrt, dd-wrt's own VPN clients will not be able to connect to the VPN server running on dd-wrt as such. To make it work, see below.
This is only possible via PBR - i.e. you run VPN client on dd-wrt, but take the router itself off this client, and route only specific clients through this VPN client running on dd-wrt.
With some tweaks using subnet masks, it is possible to include all your LAN and VPN IPs in the PBR policy so that everything (except the router itself) routes through the remote VPN server.
The key is to include dd-wrt's VPN clients' virtual IPs in the PBR. While configuring VPN server on dd-wrt, there is a field for specifying the clients' network and netmask.
If you use this network IP and netmask in client process's PBR policy, your (dd-wrt's) VPN clients will be able to connect to the VPN server running on dd-wrt, and will in turn be routed through the remote VPN server to which dd-wrt is connected as a client.
Related
I want to connect to a Cisco Anyconnect VPN (which I believe does NOT act as a proxy -- my IP address doesn't change when connecting to this VPN).
However I wish to hide my true IP to the Cisco Anyconnect server I'm connecting to.
Can I connect to another VPN service like TunnelBear first, then connect to the Cisco Anyconnect server, and be sure the Cisco Anyconnect server is seeing my TunnelBear proxy IP and not my real IP?
The scenario you are describing should be possible, using the technology you described. I would assume the sequence of events would follow:
Initiate OpenVPN connection
Initiate Cisco VPN connection
However, keep in mind that you may need to install a client to access the Cisco VPN. These clients tend to interact with and potentially manipulate your operating system's network configuration, this makes sense when you consider that these applications are built to re-route your network traffic. These clients would most likely have the ability to see your VPN configuration.
A possible workaround to the issues outlined above, regarding the local client being able to recognize your network configuration: one might configure their host's entire gateway (router or perhaps virtual machine host) to route traffic through the primary VPN.
You should keep in mind the resource usage and computation power required in order to maintain each VPN's security and (possibly) compression layers.
Even if the second VPN connection is established, I wouldn't expect quality performance, and multiple compression layers could be suboptimal.
I don't have a public ip address so I'm looking to host a server while connected to a VPN, the VPN server is running on a VPS that I own and its running SoftEther VPN server.
In my machine I connect to the VPN and then run the server app, however I check in http://www.canyouseeme.org/ to see if its successfully hosted and can be accessed from internet but its not and it shows "connection refused", if I host the server on the VPS machine it works, but I don't want that, it should be hosted on my machine and should be accessible using the ip address of the VPS/VPN.
You probably want to set up port forwarding on your VPN server.
When you connect to the VPN, your traffic goes through it, but you don't "become" it - the traffic directed to the VPN server (like an attempt to connect to your app) will not be forwarded to your VPN client machine - this is not the purpose of VPNs.
There is a page with port forwarding setup here. This is to be done on the VPN server.
The alternative I use is to setup port forwarding via SSH on the application server and ditch the need for VPN. Check Remote Port Forwarding here. It works fine, encrypts your data between the application server and the gateway, but there might be bigger overhead and it may be more prone to die when the network connection is temporarily lost.
I need to build some software infrastructure to manage computers which are connected to the internet using a 3G modem (about 30-40 clients).
The scenario that I came up with for project needs:
Client established internet connection (this is made on OS startup - no user action needed)
Client make connection to some server in internet (I named it "PROXY" - maybe there is a better name)
From now client is connected to PROXY server and it is listening for connections on some port (static or dynamic port?)
The same is true for all other machines.
What I need:
When I connect to PROXY server I want to see list of all connected clients to it (optionaly time of connection, client IP etc)
I can make connection to any clients but not P2P I want to connect using PROXY server (some kind of tunneling?)
Access to client should be impossible without PROXY server.
Example:
Client connect to internet using 3G modem - received IP: 149.10.20.30
Client connect to PROXY (79.10.11.12)
I connect to PROXY (terminal / VNC / putty / whatever). I can list connected clients (ex. using some command: $ show_connected_clients). And I see list: IP / MAC or other informations.
From my computer (or PROXY server if this is simpler) I can make connection to client (terminal / VNC / RDP whatever) using for this PROXY server.
$ connect_to 149.10.20.30 using 79.10.11.12
Is such a thing is to realize with the help of the built-in OS services? Or maybe I need to use some commercial software or write my own application?
Writing this from scratch is possible but I do not want to reinvent the wheel.
Some advice? Thanks in advance for any help.
PS. Clients OS (probably all) is Linux. PROXY server OS - I can make decision by my own.
I've decide to use VPN. Perfect in its simplicity. If someone is interested.
Client connects to VPN. Gets IP from VPN network
VPN server on PROXY server
My machine connects to VPN
On PROXY server I can list connected clientes to VPN
Using (ex RDP) I can connect to any client by VPN network
I think I can configure client to deny connection from other network then VPN. If so, I have everything I need.
Simple :)
I'm currently working on my group voice chatting program. This is my plan:
Build up a server on 192.168.1.125. Listen to port 3490 and forward it to the router.
Clients connect to the server and get the user IP list(Whenever a client connects to the server, its IP address is recorded by the
server)
Clients communicate with each other using UDP multicast(is this ever possible across the router?).
But now I'm running into troubles. If a client inside the LAN, e.g. 192.168.1.120, connects to the server, it's taken down as 192.168.1.120, which won't work for clients from WAN.
I'm wondering if there is any way to convert the LAN IP to public IP? (this might have something to do with the router, I think)
Thanks.
You will have to be prepared for the case where direct client-to-client communication fails. Relaying through the server or NAT traversal/penetration may be necessary. Significant expertise is required to do this correctly.
In our network a proxy server is used to give all the clients, which are all Windows XP computers, access to the internet. Now, we want setup a Wireless LAN to allow people to connect their own mobile phones, computers, etc. to the internet. However if we simply connect a wireless access point to our network everyone has to configure the proxy server on their devices.
What can I do, that the WLAN router can act as a gateway to the internet using the proxy server?
You can NAT all the traffic destined to port 80 to a proxy machine. This is a so called forced or intercepting proxy.
For example, if you have a RouterOS router, you would simply add a rule
/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=<proxy IP address>
If you proxy other protocols apart from HTTP, you would do the same for them changing the port.
Many proxy solutions can run in intercepting mode (such that you have a machine with two network interfaces that filter all the traffic that is coming through). See this tutorial for setting it up with Squid.
Otherwise, if you already have a proxy server you can use the solution above by placing a router or a server running the routing software between the access point and your network, for example Vyatta or Mikrotik RouterOS (commercial but pretty powerful), some open-source/freeware router/firewall distribution (pfSense, Openwall, m0n0wall, ...) or even a vanilla OpenBSD (with pf firewall) / Linux (with iptables) to achieve the desired effect.
Once you get the straight through routing in place it should be pretty straightforward to setup proxy NAT asnoted above.
You should consider applying this setting on the router that your access-point connects to for it may save you the trouble of setting up a new machine.