nordic bro (Guru)
Joined: 25 Oct 2003 Posts: 585
Posted: Thu Mar 28, 2013 8:01 pm Post subject: vpn/ssl, openconnect or openvpn? [solved]
does it matter which? I think I have simple requirements (vpn is for my job from a home computer), got an openconnect 3.02 ebuild and can currently get logged onto the vpn. my concern is that I only want work-related web browser page accesses to go to the vpn with all others and unrelated internet activity to continue using my non-vpn internet access. I think I can do this with openconnect using dnsmasq and the gentoo vpnc how-to but I'm wondering if starting off by using openvpn would be a better choice?
thanks.
Last edited by nordic bro on Mon Apr 01, 2013 10:00 pm; edited 1 time in total
depontius (Advocate)
Joined: 05 May 2004 Posts: 3509
Posted: Fri Mar 29, 2013 3:44 pm Post subject:
Using dnsmasq to separate work-related dns requests is part of your solution. The other part is to run "netstat -nr" and see how your packets are being routed.
I just happen to be logged in to my employer's VPN with openconnect at this very moment, though I'm not interested in separating traffic, as you are. When I run "netstat -nr" I see that the default route is still through my internet connection, and I only go through the vpn for employer-specific subnets. This may well depend on your employer's policies - they could set a route to get to their VPN server through your normal connect, and make the default route through the VPN - if they wanted.
I've also used OpenVPN to get to my own LAN, though not lately. Last time I tried it, I got the connection OK and could get to the system where OpenVPN was running OK, but could not get routed to any of my other systems. Others suggested bridged mode instead of routed, but I'd rather not do that.
_________________
.sigs waste space and bandwidth
nordic bro (Guru)
Joined: 25 Oct 2003 Posts: 585
Posted: Sun Mar 31, 2013 2:24 am Post subject:
ok thanks, think I'll stick with openconnect then since it's already set up and seems to do all I need.
would you or anyone else know if I'm understanding the routing?
no vpn:
Code:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0

logged in to vpn:
Code:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
10.33.56.0      0.0.0.0         255.255.255.0   U     0      0   0   tun0
10.100.79.0     0.0.0.0         255.255.255.240 U     0      0   0   tun0
10.200.202.0    0.0.0.0         255.255.255.0   U     0      0   0   tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
192.168.196.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
192.168.197.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
192.168.197.3   0.0.0.0         255.255.255.255 UH    0      0   0   tun0
192.168.197.4   0.0.0.0         255.255.255.255 UH    0      0   0   tun0
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
209.company_IP  192.168.1.1     255.255.255.255 UGH   0      0   0   eth0
after reading (mostly in vain) about how to interpret a routing table, I think my company's vpn already has it set up such that only addrs it's interested in actually go to it? if so that's perfect.
iow if all my traffic was going through the vpn their 209.* addr would be somewhere in the gateway column? or no? this is so confusing
anyway presuming vpn is only looking for work-related traffic, if I did 'route del 209.company_IP eth0' after being logged into vpn, route -n confirmed all the above were still there w/the exception of 209.*, and my browser still works elsewhere, does that mean the company's vpn path truly is separate from non-work traffic?
depontius (Advocate)
Joined: 05 May 2004 Posts: 3509
Posted: Sun Mar 31, 2013 11:22 am Post subject:
That first line under "Destination" with "0.0.0.0" is your default gateway, and it is indeed not your VPN. Default traffic goes out through eth0, as well as the traffic to the VPN server at 192.168.1.0. Besides the loopback entry, the rest routes through tun0 - your VPN.
_________________
.sigs waste space and bandwidth
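To check the same thing mechanically rather than by eye, here is an added example (not code from this thread or from openconnect) that parses a `route -n` / `netstat -nr` table and does the longest-prefix lookup the kernel does, so you can ask which interface a given destination would leave on. The table is the "logged in to vpn" one from above, with 203.0.113.10 (a documentation address) standing in for the 209.company_IP host route; the `tun0` interface name is assumed from that table.

```python
import ipaddress

# Constructed sample: the "logged in to vpn" table from the thread, with
# 203.0.113.10 (a documentation address) standing in for 209.company_IP.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
10.33.56.0      0.0.0.0         255.255.255.0   U     0      0   0   tun0
10.100.79.0     0.0.0.0         255.255.255.240 U     0      0   0   tun0
10.200.202.0    0.0.0.0         255.255.255.0   U     0      0   0   tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
192.168.196.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
192.168.197.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
192.168.197.3   0.0.0.0         255.255.255.255 UH    0      0   0   tun0
192.168.197.4   0.0.0.0         255.255.255.255 UH    0      0   0   tun0
192.168.198.0   0.0.0.0         255.255.255.0   U     0      0   0   tun0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0   0   eth0
"""

def parse_routes(text):
    """Parse `route -n` / `netstat -nr` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip the column header and "Kernel IP routing table" lines
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins,
    so a /32 host route beats its /24 and every route beats 0.0.0.0/0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best

def is_split_tunnel(routes, vpn_iface="tun0"):
    """True when the default route does not point at the VPN interface, i.e.
    only the explicitly listed subnets go through the tunnel."""
    default = next((r for r in routes if r[0].prefixlen == 0), None)
    return default is not None and default[2] != vpn_iface
```

Note that the VPN server's own /32 resolves to eth0 via the LAN gateway, which is what keeps the tunnel's outer packets off the tunnel; a destination just outside a narrow subnet (the /28 here) falls through to the default route.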
nordic bro (Guru)
Joined: 25 Oct 2003 Posts: 585
Posted: Mon Apr 01, 2013 10:00 pm Post subject:
great, thanks so much for the help, think I'm all set.