Gentoo Forums
Connecting via ssh to a machine on a VPN
Gentoo Forums Forum Index Networking & Security
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Thu Jan 29, 2015 5:22 am    Post subject: Connecting via ssh to a machine on a VPN

Hi, I'm trying to connect to my PC from the outside using ssh. I can connect to it normally when the PC is not on VPN but I'm a bit over my head in configuring the PC to port-forward and such. Basically I'm not sure where to start.

I have configured OpenVPN according to this guide:

http://wiki.gentoo.org/wiki/VPN_Services

I also have shorewall running for my firewall.

Do I need to configure OpenVPN or Shorewall to get this to work? Thanks!

dq
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1770
PostPosted: Thu Jan 29, 2015 5:55 pm

Do you mind showing ifconfig -a and iptables-save?
And route -n
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Thu Jan 29, 2015 6:24 pm

OK, here it is (while not connected to the VPN since I am remotely ssh'd in now). I had to mess around with my firewall in order to get it to play nicely with the VPN...

Code:
# ifconfig -a
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.151  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::62a4:4cff:fe64:1a90  prefixlen 64  scopeid 0x20<link>
        ether 60:a4:4c:64:1a:90  txqueuelen 1000  (Ethernet)
        RX packets 29082634  bytes 35249514072 (32.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19788860  bytes 4582166724 (4.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 3933  bytes 377230 (368.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3933  bytes 377230 (368.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 0  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Code:
# iptables-save
# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015
*nat
:PREROUTING ACCEPT [3492:1552714]
:INPUT ACCEPT [163:8498]
:OUTPUT ACCEPT [61594:5891022]
:POSTROUTING ACCEPT [61754:5897422]
:tun0_masq - [0:0]
-A POSTROUTING -o tun0 -j tun0_masq
-A tun0_masq -s 192.168.2.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 29 13:14:47 2015
# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015
*raw
:PREROUTING ACCEPT [7168295:9226094783]
:OUTPUT ACCEPT [4253510:838519763]
COMMIT
# Completed on Thu Jan 29 13:14:47 2015
# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015
*mangle
:PREROUTING ACCEPT [7168295:9226094783]
:INPUT ACCEPT [7168295:9226094783]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4253510:838519763]
:POSTROUTING ACCEPT [4280865:846810749]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Jan 29 13:14:47 2015
# Generated by iptables-save v1.4.21 on Thu Jan 29 13:14:47 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:shorewall - [0:0]
:vpn2fw - [0:0]
:vpn2net - [0:0]
:vpn_frwd - [0:0]
-A INPUT -i enp3s0 -j net2fw
-A INPUT -i tun0 -j vpn2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -i enp3s0 -j net_frwd
-A FORWARD -i tun0 -j vpn_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o enp3s0 -j fw2net
-A OUTPUT -o tun0 -j fw2vpn
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A Broadcast -d 127.255.255.255/32 -j DROP
-A Broadcast -d 192.168.2.255/32 -j DROP
-A Broadcast -d 255.255.255.255/32 -j DROP
-A Broadcast -d 224.0.0.0/4 -j DROP
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -j DROP
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -j ACCEPT
-A logdrop -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 1050 -j ACCEPT
-A net2fw -p udp -m udp --dport 137 -j DROP
-A net2fw -p udp -m udp --dport 138 -j DROP
-A net2fw -j Reject
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6
-A net2fw -g reject
-A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2vpn -j Reject
-A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:REJECT:" --log-level 6
-A net2vpn -g reject
-A net_frwd -o enp3s0 -g sfilter
-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net_frwd -o tun0 -j net2vpn
-A reject -d 127.255.255.255/32 -j DROP
-A reject -d 192.168.2.255/32 -j DROP
-A reject -d 255.255.255.255/32 -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A vpn2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -j Reject
-A vpn2fw -j LOG --log-prefix "Shorewall:vpn2fw:REJECT:" --log-level 6
-A vpn2fw -g reject
-A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2net -j Reject
-A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6
-A vpn2net -g reject
-A vpn_frwd -o tun0 -g sfilter
-A vpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vpn_frwd -o enp3s0 -j vpn2net
COMMIT
# Completed on Thu Jan 29 13:14:47 2015


Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0


Last edited by don quixada on Fri Jan 30, 2015 3:41 pm; edited 1 time in total
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Fri Jan 30, 2015 1:20 pm

If it helps, here is the info while connected to the VPN:

Code:
# ifconfig -a
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.151  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::62a4:4cff:fe64:1a90  prefixlen 64  scopeid 0x20<link>
        ether 60:a4:4c:64:1a:90  txqueuelen 1000  (Ethernet)
        RX packets 29385881  bytes 35499237766 (33.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20073989  bytes 4680792501 (4.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 3963  bytes 380805 (371.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3963  bytes 380805 (371.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 0  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.107.1.10  netmask 255.255.255.255  destination 10.107.1.9
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 3760  bytes 4219242 (4.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3430  bytes 399991 (390.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Code:
# iptables-save
# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015
*nat
:PREROUTING ACCEPT [5013:2257706]
:INPUT ACCEPT [240:12502]
:OUTPUT ACCEPT [72693:6921313]
:POSTROUTING ACCEPT [72853:6927713]
:tun0_masq - [0:0]
-A POSTROUTING -o tun0 -j tun0_masq
-A tun0_masq -s 192.168.2.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jan 30 07:57:18 2015
# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015
*raw
:PREROUTING ACCEPT [7485765:9481050061]
:OUTPUT ACCEPT [4541164:933547418]
COMMIT
# Completed on Fri Jan 30 07:57:18 2015
# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015
*mangle
:PREROUTING ACCEPT [7485765:9481050061]
:INPUT ACCEPT [7485765:9481050061]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4541164:933547418]
:POSTROUTING ACCEPT [4580715:945548980]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Fri Jan 30 07:57:18 2015
# Generated by iptables-save v1.4.21 on Fri Jan 30 07:57:18 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Broadcast - [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2vpn - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:shorewall - [0:0]
:vpn2fw - [0:0]
:vpn2net - [0:0]
:vpn_frwd - [0:0]
-A INPUT -i enp3s0 -j net2fw
-A INPUT -i tun0 -j vpn2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -i enp3s0 -j net_frwd
-A FORWARD -i tun0 -j vpn_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o enp3s0 -j fw2net
-A OUTPUT -o tun0 -j fw2vpn
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A Broadcast -d 127.255.255.255/32 -j DROP
-A Broadcast -d 192.168.2.255/32 -j DROP
-A Broadcast -d 255.255.255.255/32 -j DROP
-A Broadcast -d 224.0.0.0/4 -j DROP
-A Reject
-A Reject -j Broadcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p udp -m udp --sport 53 -j DROP
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A fw2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -j ACCEPT
-A logdrop -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 1050 -j ACCEPT
-A net2fw -p udp -m udp --dport 137 -j DROP
-A net2fw -p udp -m udp --dport 138 -j DROP
-A net2fw -j Reject
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:REJECT:" --log-level 6
-A net2fw -g reject
-A net2vpn -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2vpn -j Reject
-A net2vpn -j LOG --log-prefix "Shorewall:net2vpn:REJECT:" --log-level 6
-A net2vpn -g reject
-A net_frwd -o enp3s0 -g sfilter
-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net_frwd -o tun0 -j net2vpn
-A reject -d 127.255.255.255/32 -j DROP
-A reject -d 192.168.2.255/32 -j DROP
-A reject -d 255.255.255.255/32 -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
-A vpn2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vpn2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -j Reject
-A vpn2fw -j LOG --log-prefix "Shorewall:vpn2fw:REJECT:" --log-level 6
-A vpn2fw -g reject
-A vpn2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpn2net -j Reject
-A vpn2net -j LOG --log-prefix "Shorewall:vpn2net:REJECT:" --log-level 6
-A vpn2net -g reject
-A vpn_frwd -o tun0 -g sfilter
-A vpn_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A vpn_frwd -o enp3s0 -j vpn2net
COMMIT
# Completed on Fri Jan 30 07:57:18 2015


Of course that last outside IP address changes all the time...

Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.165.1.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0
10.165.1.1      10.165.1.5      255.255.255.255 UGH   0      0        0 tun0
10.165.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
50.23.115.95    192.168.2.1     255.255.255.255 UGH   0      0        0 enp3s0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
128.0.0.0       10.165.1.5      128.0.0.0       UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1770
PostPosted: Fri Jan 30, 2015 6:08 pm

Of course it's the connected setup that matters. It is the part you have some problems with ;)
Well, it's pretty complex, so let's do that step by step.

This is wrong, you can only use one default gateway at any time.
Quote:
0.0.0.0 10.165.1.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.2.1 0.0.0.0 UG 2 0 0 enp3s0

You either use enp3s0 as default gw and think about the VPN as your LAN, or you use tun0 as default gw and don't think about enp3s0 at all: like use it only for a single host you use as the other endpoint for your tunnel.

The firewall rules look weird to me. I don't understand what you want to achieve. What setup do you want? Where should ssh be available?
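An added example, not part of the thread, that works through the routing decision szatox is describing. It parses dq's connected-state `route -n` table, performs the kernel's longest-prefix lookup (ties broken by metric) so you can see which entry actually wins for a given destination, and derives the same kind of /32 bypass route that the provider entry in the table (50.23.115.95 via 192.168.2.1 dev enp3s0) already shows. The laptop address 203.0.113.7 is a constructed placeholder; nothing is applied to the system, the `ip route` command is only returned as a string.

```python
import ipaddress

# Constructed copy of the `route -n` table dq posted while connected to the VPN.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.165.1.5      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 enp3s0
10.165.1.1      10.165.1.5      255.255.255.255 UGH   0      0        0 tun0
10.165.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
50.23.115.95    192.168.2.1     255.255.255.255 UGH   0      0        0 enp3s0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
128.0.0.0       10.165.1.5      128.0.0.0       UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts with parsed networks."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # title line, column header, or junk
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts
        routes.append({
            # strict=False lets "0.0.0.0/128.0.0.0"-style entries parse as networks
            "network": ipaddress.ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def matching_routes(routes, dst):
    """All entries covering dst, ordered the way the kernel prefers them:
    longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["network"]]
    return sorted(hits, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def lookup(routes, dst):
    """(iface, gateway, prefixlen) of the winning route for dst, or None."""
    hits = matching_routes(routes, dst)
    if not hits:
        return None
    best = hits[0]
    return best["iface"], best["gateway"], best["network"].prefixlen


def bypass_route_for(routes, dst, tunnel_iface="tun0"):
    """If dst currently leaves through the tunnel, return the `ip route` command
    for a /32 host route that sends it out the underlay instead, modelled on the
    provider entry in the table (50.23.115.95 via 192.168.2.1 dev enp3s0).
    Returns None when no bypass is needed or no underlay default route exists."""
    current = lookup(routes, dst)
    if current is None or current[0] != tunnel_iface:
        return None
    underlay = [r for r in routes
                if r["network"].prefixlen == 0 and r["iface"] != tunnel_iface]
    if not underlay:
        return None
    gw = min(underlay, key=lambda r: r["metric"])
    return f"ip route add {dst}/32 via {gw['gateway']} dev {gw['iface']}"


ROUTES = parse_route_n(ROUTE_N_OUTPUT)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "50.23.115.95", "192.168.2.20"):
        print(dst, "->", lookup(ROUTES, dst))
        for r in matching_routes(ROUTES, dst):
            print("   candidate", r["network"], "via", r["gateway"],
                  "dev", r["iface"], "metric", r["metric"])
    # 203.0.113.7 is a constructed stand-in for the laptop's public address
    print(bypass_route_for(ROUTES, "203.0.113.7"))
```

Running it shows why every Internet destination except the provider host leaves through tun0: the two 128.0.0.0-mask entries are /1 routes, which are more specific than the /0 entry via 192.168.2.1 and so win regardless of metric, while the /32 entry for 50.23.115.95 beats both. The same lookup on the laptop's address is what decides whether an SSH reply goes back out the LAN uplink or disappears into the tunnel.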
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Fri Jan 30, 2015 6:58 pm

I'm not surprised that you find the firewall rules to be weird, they are a result of many iterations of trying to get things to work over the years. Normally I connect to my PC remotely using SSH. So the OpenSSH server is on my (Gentoo) PC and I connect to it from outside. The server is set up and running and I can connect no problem. Also, I have a cron job similar to dyndns that updates a domain name that points to my ip address if the ip address changes. However, recently I subscribed to an anonymizing VPN service and I want to do the same thing while the PC is connected to the VPN (which won't always be the case).

So just to rephrase, the new situation is this:

1. Home PC (Gentoo) running a firewall (shorewall setup) connected to an anonymizing VPN provider
2. Laptop outside of network connecting to the home PC via SSH (putty)

Apparently it is possible to connect through the VPN by port-forwarding but I'm not sure how to set it up. The VPN provider offers an ip-forwarding script but it is specific to Ubuntu so it doesn't work for Gentoo. I've been trying to configure manually but have had no luck due to my lack of knowledge in this area. I found this thread which contains an adapted script that may be useful but I haven't tried it yet:

https://www.privateinternetaccess.com/forum/discussion/3359/port-forwarding-without-application-pia-script-advanced-users/p2

I hope that all makes sense. Is what I'm trying to do even possible? The VPN provider offers little help in this area since it is a rather advanced situation. I don't always plan to be connected to the VPN on my home PC but sometimes it will be and I want to be able to connect to it.

Thanks for your help so far...

dq
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1770
PostPosted: Fri Jan 30, 2015 7:41 pm

Ok, so what you want is a setup like this:


Your PC ==VPN_over_ethernet==> anonymizer =====> internet

for this setup you want tun0 to be your default gateway
You also want enp3s0 to have a route to the host providing you with VPN

Finally, you need some route between your laptop and PC. That script you linked doesn't look very Ubuntu specific. What does it print? Perhaps some information you need to connect from the internet to your PC through that tunnel?

Bypassing VPN would require your PC to know the public IP of your laptop in advance, as you would have to set another direct route: the very same way you have to set a direct route to the VPN provider, one that bypasses the tunnel so you can send the traffic it generates from stuff you send via the tunnel
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Fri Jan 30, 2015 8:34 pm

Hmm, the laptop ip would be variable. Could I use the dyndns-type service to point to the VPN ip-address? Or if I knew this address beforehand. I could be wrong, but I think that if I can port forward to this VPN address then I can see it from the outside...

dq
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1770
PostPosted: Sat Jan 31, 2015 9:23 am

Don't you think using dyndns defeats the purpose of an anonymizing VPN?

You can easily bypass VPN with the routing table if you know the IP. Within LAN it's easy, as you can simply create a route to a subnet. Over WAN it's getting more tricky as the IP is no longer predictable.
One idea is to use a stepping-stone machine with fixed IP and NAT. This way incoming connections can be translated to a predefined IP.
As you seem to know your WAN address, another idea is to send a UDP packet from your laptop to the PC WAN address instead of the VPN one to let it know what side route it should create. Of course you'd have to handle such a packet and process it with some daemon on your PC. Probably not the cleanest solution, but a simple shell script involving netcat can make it work.
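An added example, not from the thread, of the UDP-announce idea in szatox's post with the check a practitioner would want before letting a stray datagram change the routing table: the packet carries an HMAC-SHA256 tag over the announced address and a timestamp under a pre-shared key, and it is accepted only if the tag verifies, the timestamp is fresh, and the announced address is the one the datagram actually arrived from. Python stands in for the shell-and-netcat loop; the key, the port 9999 and the laptop address 203.0.113.7 are constructed placeholders, while the LAN gateway 192.168.2.1 and interface enp3s0 come from dq's tables. The listening port still has to be allowed through Shorewall's net2fw rules, and the route is only installed when `serve(apply=True)` runs as root.

```python
import hashlib
import hmac
import ipaddress
import socket
import subprocess
import time

# Constructed pre-shared key (assumption: generate a real one with os.urandom(32)
# and copy it to both hosts out of band; the thread does not provide one).
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
FRESHNESS_WINDOW = 60   # seconds; older announcements are treated as replays
# LAN gateway and interface as they appear in dq's route and ifconfig output.
LAN_GATEWAY = "192.168.2.1"
LAN_IFACE = "enp3s0"


def build_announce(key, laptop_ip, now=None):
    """Laptop side: payload announcing the laptop's current public IPv4 address."""
    ts = int(time.time() if now is None else now)
    body = f"ANNOUNCE {laptop_ip} {ts}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b" " + tag.encode()


def verify_announce(key, datagram, sender_ip, now=None):
    """PC side: the address to side-route, or None if the datagram must be ignored."""
    try:
        kind, claimed_ip, ts_str, tag = datagram.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None                      # malformed
    if kind != "ANNOUNCE":
        return None
    body = f"{kind} {claimed_ip} {ts_str}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # wrong key, tampered, or corrupted
    try:
        ts = int(ts_str)
        claimed = ipaddress.IPv4Address(claimed_ip)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if abs(now - ts) > FRESHNESS_WINDOW:
        return None                      # stale: a replay outside the window
    if claimed != ipaddress.IPv4Address(sender_ip):
        return None                      # must come from the address it names
    return str(claimed)


def side_route_command(ip, lan_gateway=LAN_GATEWAY, lan_iface=LAN_IFACE):
    """Host route that keeps traffic for ip on the LAN uplink instead of tun0."""
    return ["ip", "route", "replace", f"{ip}/32",
            "via", lan_gateway, "dev", lan_iface]


def serve(port=9999, apply=False):
    """Stand-in for the netcat loop: one UDP datagram per announcement.
    Run as root with apply=True to actually install the route."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        datagram, (sender_ip, _port) = sock.recvfrom(512)
        ip = verify_announce(SHARED_KEY, datagram, sender_ip)
        if ip is None:
            print(f"ignored announcement from {sender_ip}")
            continue
        cmd = side_route_command(ip)
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=False)


if __name__ == "__main__":
    serve()
```

Binding the source address to the claimed address is what makes the freshness window sufficient: a captured announcement replayed from elsewhere fails the sender check, and one replayed from the same address merely re-adds the route it already earned. The laptop sends `build_announce(...)` to the router's public address, which has to forward UDP 9999 to the PC, before it opens the SSH session.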
don quixada
l33t
Joined: 15 May 2003
Posts: 738
PostPosted: Fri Feb 06, 2015 4:56 am

Sorry I've been away on business. I may have figured out my problem. But I need a second opinion. I have a cron job running on my PC and checking my ip every hour or so. When my PC is anonymized it is returning a different external ip; however, the local ip is still the same for my machine and the router is the device that actually has the external ip (with the respective ports being opened etc.) and the router is not being anonymized. So I think the cron is updating the ip address when it shouldn't. I have yet to test this theory but I will and get back to you...

dq