Gentoo Forums
vpn/ssl, openconnect or openvpn? [solved]
nordic bro
Guru


Joined: 25 Oct 2003
Posts: 585

Posted: Thu Mar 28, 2013 8:01 pm    Post subject: vpn/ssl, openconnect or openvpn? [solved]

does it matter which? I think I have simple requirements (vpn is for my job from a home computer), got an openconnect 3.02 ebuild and can currently get logged onto the vpn. my concern is that I only want work-related web browser page accesses to go to the vpn with all others and unrelated internet activity to continue using my non-vpn internet access. I think I can do this with openconnect using dnsmasq and the gentoo vpnc how-to but I'm wondering if starting off by using openvpn would be a better choice?

thanks.


Last edited by nordic bro on Mon Apr 01, 2013 10:00 pm; edited 1 time in total
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

Posted: Fri Mar 29, 2013 3:44 pm

Using dnsmasq to separate work-related DNS requests is part of your solution. The other part is to run "netstat -nr" and see how your packets are being routed.

I just happen to be logged in to my employer's VPN with openconnect at this very moment, though I'm not interested in separating traffic, as you are. When I run "netstat -nr" I see that the default route is still through my internet connection, and I only go through the VPN for employer-specific subnets. This may well depend on your employer's policies - they could set a route to get to their VPN server through your normal connection, and make the default route through the VPN - if they wanted.

I've also used OpenVPN to get to my own LAN, though not lately. Last time I tried it, I got the connection OK and could get to the system where OpenVPN was running OK, but could not get routed to any of my other systems. Others suggested bridged mode instead of routed, but I'd rather not do that.
_________________
.sigs waste space and bandwidth
nordic bro
Guru


Joined: 25 Oct 2003
Posts: 585

Posted: Sun Mar 31, 2013 2:24 am

ok thanks, think I'll stick with openconnect then since it's already set up and seems to do all I need.

would you or anyone else know if I'm understanding the routing?

no vpn:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

logged in to vpn:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.33.56.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.100.79.0     0.0.0.0         255.255.255.240 U     0      0        0 tun0
10.200.202.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.196.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.197.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.197.3   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.197.4   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
209.company_IP  192.168.1.1     255.255.255.255 UGH   0      0        0 eth0

after reading (mostly in vain :oops:) about how to interpret a routing table, I think my company's vpn already has it set up such that only addrs it's interested in actually go to it? if so that's perfect.

iow if all my traffic was going through the vpn their 209.* addr would be somewhere in the gateway column? or no? this is so confusing :lol:

anyway presuming vpn is only looking for work-related traffic, if I did 'route del 209.company_IP eth0' after being logged into vpn, route -n confirmed all the above were still there w/the exception of 209.*, and my browser still works elsewhere, does that mean the company's vpn path truly is separate from non-work traffic?
depontius
Advocate


Joined: 05 May 2004
Posts: 3509

Posted: Sun Mar 31, 2013 11:22 am

That first line under "Destination" with "0.0.0.0" is your default gateway, and it is indeed not your VPN. Default traffic goes out through eth0, as well as the traffic to the VPN server at 192.168.1.0. Besides the loopback entry, the rest routes through tun0 - your VPN.
_________________
.sigs waste space and bandwidth
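The two posts above both come down to reading the routing table the way the kernel does: the most specific matching prefix wins, and a 0.0.0.0 default that stays on eth0 means the VPN is split-tunnel. This added example (not from the thread or from openconnect) parses `route -n` / `netstat -nr` output, does that longest-prefix lookup for a few addresses, and flags whether the default route points at the tunnel. The table is constructed from the one in the thread; 203.0.113.10 is a documentation-range stand-in for the company's VPN server and 198.51.100.1 for an unrelated site.

```python
import ipaddress

# Constructed sample modelled on the "logged in to vpn" table in the thread.
# 203.0.113.10 stands in for "209.company_IP" (the VPN server).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.33.56.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.197.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.197.3   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
"""


def parse_routes(text):
    """Turn `route -n` output into a list of (network, gateway, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # header row or blank line
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        # ipaddress accepts a dotted netmask, so "0.0.0.0/0.0.0.0" becomes /0
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, ip):
    """Longest-prefix match: the most specific route wins (a /32 beats a /24)."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gw


def is_split_tunnel(routes, vpn_iface="tun0"):
    """True when the 0.0.0.0/0 default route does NOT go out the VPN interface."""
    default = [r for r in routes if r[0].prefixlen == 0]
    return bool(default) and default[0][2] != vpn_iface


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    print("split tunnel:", is_split_tunnel(routes))
    for ip in ("10.33.56.7", "192.168.197.3", "198.51.100.1", "203.0.113.10"):
        print(ip, "->", lookup(routes, ip))
```

If the default line ever shows tun0 under Iface, everything (including unrelated browsing) is going through the employer's tunnel, which is exactly the case the original poster wanted to avoid.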
nordic bro
Guru


Joined: 25 Oct 2003
Posts: 585

Posted: Mon Apr 01, 2013 10:00 pm

great, thanks so much for the help, think I'm all set.