Gentoo Forums
Ideal L2TP server configuration?
Forum: Networking & Security
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1342
Location: Fayetteville, NC, USA

Posted: Thu Oct 29, 2015 4:55 pm    Post subject: Ideal L2TP server configuration?

I am ditching PPTP at our main office for L2TP/IPSec. I have two options for setting this up. The server is a PowerEdge 2900 running XenServer 6.2 which will host three Debian 7.8 VMs. One will be the VPN server. The box has two LAN ports. One is connected to our router and functions inside our network for the domain controller (DC is Samba4). The other port goes right to a cable modem and grants VMs direct access to the outside world. Our SIP server (second VM) uses this network. I was debating giving the VPN server access to both. If I do this, I can assign a static IP to the virtual NIC on the external network and a LAN IP to the internal one. Connections could come directly from the WAN into the box on the external interface and be routed to the internal interface.

My other idea was what I've always done. Give it access to just the internal NIC and forward the UDP ports (500 and 4500 IIRC) to the internal LAN IP. Would there be any advantages to one way over the other? I have three unused static IP addresses for the WAN, so if it is better in some way, I do not mind doing it, but it means I have to be VERY strict with an iptables firewall to avoid hacking attempts. If I do it the traditional way it will be behind a Watchguard Firebox router and have a regular iptables firewall.

Thoughts?
_________________
Ever picture systemd as what runs "The Borg"?
TigerJr
Guru
Joined: 19 Jun 2007
Posts: 483
Location: /dev/x0

Posted: Thu Oct 29, 2015 9:13 pm

You can try to use network aliases on your router's WAN side and iptables rules to redirect network packets to the LAN area.

Maybe you need an SNAT rule to change the source address, but I didn't clearly understand the whole network topology... If you post a block diagram of what is done and what is needed, that would be half of the answer.

i.e.
Code:

# three spare public addresses as aliases on the router's WAN interface
ifconfig eth0:1 11.11.11.1/24 up
ifconfig eth0:2 11.11.11.2/24 up
ifconfig eth0:3 11.11.11.3/24 up


After the aliases are up:
Code:

# VPN: IKE (500) and NAT-T (4500) ?
# DNAT only rewrites the destination; matching FORWARD rules (and ESP, if a peer is not behind NAT) are also needed
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.1 --dport 4500 -j DNAT --to-destination 192.168.0.1:4500
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.1 --dport 500 -j DNAT --to-destination 192.168.0.1:500
# DC ?
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 11.11.11.2 --dport 445 -j DNAT --to-destination 192.168.0.2:445
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 11.11.11.2 --dport 139 -j DNAT --to-destination 192.168.0.2:139
# SIP ?
iptables -t nat -A PREROUTING -p udp -s 0/0 -d 11.11.11.3 --dport 5060 -j DNAT --to-destination 192.168.0.3:5060


If it helps you...

P.S.

In fact you can use one alias WAN IP for transferring packets to each of the other servers... But... whatever
_________________

Do not update portage without hotdog!

Xenogentooway?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1342
Location: Fayetteville, NC, USA

Posted: Fri Oct 30, 2015 2:00 pm

I know about aliases, but my question was whether it would be better to have the VPN listening on a WAN connection and routing into a LAN connection or simply to listen on the LAN and route to the LAN without a direct WAN connection. I appreciate the input, but this is my dilemma right now.
_________________
Ever picture systemd as what runs "The Borg"?
TigerJr
Guru
Joined: 19 Jun 2007
Posts: 483
Location: /dev/x0

Posted: Sat Oct 31, 2015 4:49 pm

If I really understand you...

Listening for VPN on WAN interfaces gives you only iptables rules to manage connections.

Transferring VPN packets to a LAN VPN server gives you the functionality of route decisions and iptables rules on two sides, but with slight performance degradation. So in that way you need to choose performance vs. functionality. I will choose functionality, because the performance degradation is not huge.
_________________

Do not update portage without hotdog!

Xenogentooway?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1342
Location: Fayetteville, NC, USA

Posted: Sat Oct 31, 2015 5:06 pm

You're saying that using a single interface increases functionality? I am not sure I follow you here. In the Microsoft world, all of their guides require a public interface and an internal one. Their VPN setup is a nightmare though, and obviously does not apply to GNU/Linux. I was just looking at it because I thought it would be a better setup.

Can you give me a little more detail as to why a single interface increases functionality? I am not opposed to going this route.
_________________
Ever picture systemd as what runs "The Borg"?
TigerJr
Guru
Joined: 19 Jun 2007
Posts: 483
Location: /dev/x0

Posted: Sat Oct 31, 2015 7:07 pm

I didn't tell you to use a single interface. I mean that you use an alias IP for the VPN connection and transfer the VPN IP packets into the LAN where the server is located.
_________________

Do not update portage without hotdog!

Xenogentooway?
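As an added example (not code from either poster), here are iptables rule sets for the two layouts the thread compares: the dual-homed VPN VM from the first post, and the alias-plus-DNAT layout TigerJr describes, including the FORWARD rules his snippet leaves out. Interface names, the VM's LAN address and the LAN-only SSH rule are assumptions; the rules are printed for review and only applied when asked.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rule sets for the two
# layouts compared above. Interface names and addresses are assumptions.
WAN=eth1                 # port cabled to the cable modem
LAN=eth0                 # port on the office LAN
VPN_LAN_IP=192.168.0.1   # L2TP/IPsec VM's LAN address (assumed)

# Layout 1: VPN VM is dual-homed and terminates IKE/IPsec on its own WAN port.
# Only IKE (500), NAT-T (4500) and ESP are reachable from outside; L2TP (1701)
# is accepted solely when the packet arrived inside an IPsec SA (xt_policy).
direct_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN -p esp -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp+ -o $LAN -j ACCEPT
EOF
}

# Layout 2: VPN VM sits on the LAN only; a Linux router holding the alias WAN
# IP ($1) DNATs IKE/NAT-T (and raw ESP) to it. DNAT alone rewrites the
# destination; the FORWARD rules are what actually lets the traffic through.
dnat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $WAN -d $1 -p udp -m multiport --dports 500,4500 -j DNAT --to-destination $VPN_LAN_IP
iptables -t nat -A PREROUTING -i $WAN -d $1 -p esp -j DNAT --to-destination $VPN_LAN_IP
iptables -A FORWARD -i $WAN -o $LAN -d $VPN_LAN_IP -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -d $VPN_LAN_IP -p esp -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check: number of rules that would accept L2TP (1701) outside IPsec.
cleartext_l2tp_rules() { "$1" "$2" | grep 'dport 1701' | grep -vc 'pol ipsec'; }

# Print the rules by default; "apply direct" or "apply dnat <alias-ip>" runs them.
case "$1" in
  apply) shift; m="$1"; shift; "${m}_rules" "$@" | sh -e ;;
  *)     direct_rules; echo; dnat_rules 11.11.11.1 ;;
esac
```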
All times are GMT