Gentoo Forums

VPN but only want to use for certain traffic
Forum: Networking & Security
Akaihiryuu (l33t; joined 08 May 2003; 794 posts; Columbus, OH)
Posted: Wed Aug 30, 2017 10:39 pm    Post subject: VPN but only want to use for certain traffic

Basically, in my current apartment, I'm not provided with a public IP address. I'm using a VPN service with OpenVPN to get a public IP. However, I only want traffic to/from ports 8022, 8888, 8080, and 8443 on that machine to be routed through the VPN, and I want everything else to use my regular connection. Is there an easy way to do this?
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Wed Aug 30, 2017 10:51 pm

You have two different kinds of http traffic.

You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.

Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.

In the former instance the requests are inbound and all going to your public IP, which is going to be translated into some sort of a 10.x.y.z probably. So you set up routes for that and pretty much everything else is taken care of. Make sure your web server box routes all vpn response traffic back through the vpn rather than direct.
Akaihiryuu (l33t; joined 08 May 2003; 794 posts; Columbus, OH)
Posted: Wed Aug 30, 2017 11:11 pm

1clue wrote:
You have two different kinds of http traffic.

You have traffic related to your web server and the static IP, and then you have all the browser traffic from your home. Your VPN endpoint will be accepting http traffic and forwarding it to you, probably on a non-routable ip address, or ipv6 maybe.

Full disclosure: I've never used the sort of service you're talking about. I've configured OpenVPN so my coworkers and I can get into the office, but you're doing something different.

In the former instance the requests are inbound and all going to your public IP, which is going to be translated into some sort of a 10.x.y.z probably. So you set up routes for that and pretty much everything else is taken care of. Make sure your web server box routes all vpn response traffic back through the vpn rather than direct.

Yeah that's more or less what I want to do. All incoming traffic on those ports is going to come through tun0. Obviously response traffic back out also needs to go over tun0. But I want all other traffic originating on the machine or routing through it to go out through eth1...what do I need to do to do this?
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Thu Sep 07, 2017 7:56 am

Quote:
I'm using a VPN service with OpenVPN to get a public IP.


The first question you need to ask is: does this service allow inbound connections to their public IP and route them through your VPN connection?
I doubt that they do, myself, as this would require them to provide a public IP for each client they have. What is the name of the service/provider that you are using?
Most services of this nature only provide you with an outbound traffic option.
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Thu Sep 07, 2017 1:39 pm
chiefbag wrote:
Quote:
I'm using a VPN service with OpenVPN to get a public IP.


The first question you need to ask is: does this service allow inbound connections to their public IP and route them through your VPN connection?
I doubt that they do, myself, as this would require them to provide a public IP for each client they have. What is the name of the service/provider that you are using?
Most services of this nature only provide you with an outbound traffic option.


While I'm definitely NOT a VPN expert, this doesn't make sense.

Web servers are really good at ganging up. Most publicly hosted web servers have lots of domain names all using the same IP address and the same port. The web server is really fast at switching the connection off to some private port.

The way I understand it, the VPN will add significant latency, which will make the site seem more sluggish than if it were hosted on a public port right at the site, but it should work without lots of IP addresses.
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Thu Sep 07, 2017 1:49 pm

Quote:
While I'm definitely NOT a VPN expert, this doesn't make sense.


Quote:
The way I understand it, the VPN will add significant latency which will make the site seem more sluggish than if it were hosted on a public port right at the site,


The second statement is true, however there may well be valid reasons why the person would want to make a home based server accessible via public ip address, for example they may want to access Internet of Things gadgets etc, ie turn the heating or kettle on. :roll:
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Thu Sep 07, 2017 2:26 pm

One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network, and you're responsible at your local vpn endpoint to handle firewall rules.
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Thu Sep 07, 2017 2:29 pm

EDIT

Quote:
One possible solution would be to switch from tun to tap. At that point all traffic from the VPN hits your network


That's still based on the assumption that the service the user is using actually routes traffic inbound from the ascribed public ip address.
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Thu Sep 07, 2017 2:53 pm

Assuming the following case, then try the below rule:
1: Your traffic is flowing inbound from the VPN service public IP to tun0 for port 8080
2: The web server is running on 10.10.10.10

Code:
iptables -t nat -I PREROUTING -i tun0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j DNAT --to-destination 10.10.10.10
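The setup Akaihiryuu asked for in the second post (answer connections arriving on tun0 for ports 8022, 8888, 8080 and 8443 back over tun0, send everything else out eth1), with chiefbag's DNAT-to-a-LAN-web-server case from the post above folded in. This is an added example, not code posted by anyone in the thread: the interface names, port list and 10.10.10.10 come from the thread, while the routing table number 100, the fwmark 0x1, the script name vpn-policy.sh and the DRY_RUN switch are assumptions made here. The idea is to mark new inbound connections on the tunnel with CONNMARK, restore that mark onto every later packet of the connection, and send marked packets through a second routing table whose only default route is tun0; unmarked traffic never touches that table.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Connections that enter over the VPN tunnel on the published ports are
# answered over the tunnel; everything else keeps the main default route
# (eth1 in the thread). Mechanism: CONNMARK + ip rule + a second table.
#
# Assumed names (hypothetical, all overridable via the environment):
#   VPN_IF=tun0          OpenVPN tunnel interface
#   VPN_PORTS            TCP ports that must be reachable via the tunnel
#   VPN_TABLE / VPN_MARK routing table number and fwmark chosen here
#   LAN_WEB (optional)   LAN host to DNAT port 8080 to, e.g. 10.10.10.10
#   DRY_RUN=1            print the commands instead of executing them
set -eu

VPN_IF=${VPN_IF:-tun0}
VPN_PORTS=${VPN_PORTS:-8022,8888,8080,8443}
VPN_TABLE=${VPN_TABLE:-100}
VPN_MARK=${VPN_MARK:-0x1}
LAN_WEB=${LAN_WEB:-}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_policy_routing() {
    # Table VPN_TABLE holds a single default route through the tunnel.
    # tun0 is a point-to-point layer-3 device, so no gateway is needed.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # Marked packets consult VPN_TABLE before the main table.
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE" priority 100
    # Loose reverse-path filtering on the tunnel: the main table routes the
    # internet clients' source addresses via eth1, not tun0, so strict
    # rp_filter would drop their packets on arrival.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=2"

    # Restore the connection mark onto every packet first, so replies
    # (locally generated: OUTPUT; forwarded from a LAN host: PREROUTING)
    # inherit the mark and are re-routed through VPN_TABLE.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # New connections entering on the tunnel for the published ports get
    # the mark stored in their conntrack entry.
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -p tcp \
        -m multiport --dports "$VPN_PORTS" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$VPN_MARK"

    # Optional: publish a LAN web server on 8080 (the DNAT case). The nat
    # table only sees the first packet of a connection, so no state match
    # is needed; replies from the LAN host are marked by the restore rule
    # above and leave through the tunnel.
    if [ -n "$LAN_WEB" ]; then
        run sysctl -q -w net.ipv4.ip_forward=1
        run iptables -t nat -A PREROUTING -i "$VPN_IF" -p tcp --dport 8080 \
            -j DNAT --to-destination "$LAN_WEB"
        run iptables -A FORWARD -i "$VPN_IF" -d "$LAN_WEB" -p tcp --dport 8080 \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        run iptables -A FORWARD -o "$VPN_IF" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fi
}

# Usage: sh vpn-policy.sh apply   (DRY_RUN=1 sh vpn-policy.sh apply to preview)
if [ "${1:-}" = apply ]; then
    apply_policy_routing
fi
```

Two things to check before relying on it. First, the provider's OpenVPN server will usually push `redirect-gateway`, which replaces the main default route with tun0 and defeats the whole point; add `route-nopull` (or, with OpenVPN 2.4 or later, `pull-filter ignore "redirect-gateway"`) to the client config so eth1 keeps the default route. Second, `ip route get 203.0.113.5 mark 0x1` should report `dev tun0` while the same query without `mark` reports eth1; if both say eth1, the rule or table is missing. None of this helps unless the provider actually forwards inbound connections on those ports into the tunnel, which is the open question in the thread.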
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Thu Sep 07, 2017 5:57 pm

I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work.

Or you could use dynamic dns?
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Thu Sep 07, 2017 6:44 pm

Quote:
I guess this is a little late, but most ISPs allow you to buy a public IP address to facilitate people accessing their home systems from work.

Or you could use dynamic dns?


Some don't even give you a public IP address unless you are a business customer, therefore DynDNS etc. won't work :cry:

I'm in the same situation with my current internet provider; my workaround is that I have an external server and an IPSec VPN from my home gateway server to the external server, where the gateway is configured as a road warrior client.
I can then access from the external server to home.

Let's see if @Akaihiryuu will give us any further info/update?
curmudgeon (Veteran; joined 08 Aug 2003; 1741 posts)
Posted: Mon Sep 11, 2017 11:38 am

chiefbag wrote:
The first question you need to ask is: does this service allow inbound connections to their public IP and route them through your VPN connection?
I doubt that they do, myself, as this would require them to provide a public IP for each client they have. What is the name of the service/provider that you are using?
Most services of this nature only provide you with an outbound traffic option.


Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Mon Sep 11, 2017 12:14 pm

Quote:
Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?


So you reckon every VPN provider ascribes an individual public ip to each client?
1clue (Advocate; joined 05 Feb 2006; 2569 posts)
Posted: Mon Sep 11, 2017 4:06 pm

chiefbag wrote:
Quote:
Doesn't every VPN provider that allows torrent traffic (as most do) therefore allow inbound connections?


So you reckon every VPN provider ascribes an individual public ip to each client?


I'd be willing to bet that they have multiple clients per ip address. When you login to a corporate VPN it's one IP address and they have potentially thousands of clients. Think IBM.

This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client. They might have ipv6 configured that way but this whole problem comes from the fact that ipv4 addresses are hard to come by now.
chiefbag (Guru; joined 01 Oct 2010; 542 posts; The Kingdom)
Posted: Tue Sep 12, 2017 7:12 am

Quote:
This configuration is a bit different but I seriously doubt the VPN service has a separate ipv4 address per client.


I totally agree.