public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] VPN question
From: Timur Aydin @ 2013-12-23 10:55 UTC
  To: gentoo-user

Hello everybody,

I have a gentoo linux PC at home that I am using as my internet gateway.
It is also running a web server and a mail server with a static IP.
Everything is working fine.

Now I have installed a VPN server on this system (OpenVPN) and I am
using a VPN service provider to get a USA IP address. This, on its own,
works fine as well. But once I bring up the VPN tunnel, the web server
and the mail server become unavailable.

So, I need a way to have both the VPN tunnel and my web/mail servers
available simultaneously. I think some ip routing magic is required to
accomplish this, but all my experiments so far didn't yield any result.
I would appreciate it if somebody could point me in the right direction for
finding a solution.

-- 
Timur


* [gentoo-user] VPN question
From: Timur Aydin @ 2013-12-23 12:47 UTC
  To: gentoo-user

Hello everybody,

I have a gentoo linux PC at home that I am using as my internet gateway.
It is also running a web server and a mail server with a static IP.
Everything is working fine.

Now I have installed a VPN server on this system (OpenVPN) and I am
using a VPN service provider to get a USA IP address. This, on its own,
works fine as well. But once I bring up the VPN tunnel, the web server
and the mail server become unavailable.

So, I need a way to have both the VPN tunnel and my web/mail servers
available simultaneously. I think some ip routing magic is required to
accomplish this, but all my experiments so far didn't yield any result.
I would appreciate it if somebody could point me in the right direction for
finding a solution.

-- 
Timur


* Re: [gentoo-user] VPN question
From: Michael Orlitzky @ 2013-12-23 15:55 UTC
  To: gentoo-user

On 12/23/2013 07:47 AM, Timur Aydin wrote:
> Hello everybody,
> 
> I have a gentoo linux PC at home that I am using as my internet gateway.
> It is also running a web server and a mail server with a static IP.
> Everything is working fine.
> 
> Now I have installed a VPN server on this system (OpenVPN) and I am
> using a VPN service provider to get a USA IP address.

Can you give us a better idea of what is running where? Who is the VPN
client, who is the server, what are the IP addresses, hostnames, etc?


* Re: [gentoo-user] VPN question
From: Timur Aydin @ 2013-12-23 16:01 UTC
  To: gentoo-user

On 12/23/13 17:55, Michael Orlitzky wrote:
> On 12/23/2013 07:47 AM, Timur Aydin wrote:
>> Hello everybody,
>>
>> I have a gentoo linux PC at home that I am using as my internet gateway.
>> It is also running a web server and a mail server with a static IP.
>> Everything is working fine.
>>
>> Now I have installed a VPN server on this system (OpenVPN) and I am
>> using a VPN service provider to get a USA IP address.
> Can you give us a better idea of what is running where? Who is the VPN
> client, who is the server, what are the IP addresses, hostnames, etc?
>
>

I am located in Turkey. The VPN service provider is
http://www.strongvpn.com and they have servers all over the world. I am
using their server located in New York. Once I establish the SSL VPN
tunnel, the NY server effectively becomes my internet gateway. I need to
do this to get around websites that impose geographical restrictions on
their service (example, netflix.com, pandora.com). With the tunnel, I
look like I am located in NY and the website has no way of knowing that
I am in Turkey.

Regarding IP address, do you mean the USA IP address I receive from the
VPN service provider or my ISP assigned static IP?

Timur


* Re: [gentoo-user] VPN question
From: Michael Orlitzky @ 2013-12-23 16:12 UTC
  To: gentoo-user

On 12/23/2013 11:01 AM, Timur Aydin wrote:
> 
> I am located in Turkey. The VPN service provider is
> http://www.strongvpn.com and they have servers all over the world. I am
> using their server located in New York. Once I establish the SSL VPN
> tunnel, the NY server effectively becomes my internet gateway. I need to
> do this to get around websites that impose geographical restrictions on
> their service (example, netflix.com, pandora.com). With the tunnel, I
> look like I am located in NY and the website has no way of knowing that
> I am in Turkey.
> 
> Regarding IP address, do you mean the USA IP address I receive from the
> VPN service provider or my ISP assigned static IP?
> 

Anything you can provide; it's not clear to the rest of us how many
computers are involved. Is the web/mail server only the gateway, or is
that the workstation that you're using (when, for example, trying to
access the website)?

What IP address are you using to access the web server? Its internal
one, or its external one? Is the website supposed to be visible externally?

It might also help to know which routes are set up by the VPN. Once
you've connected to an OpenVPN server, it usually pushes a bunch of
routes to the client (so that the client knows how to route to the VPN
without caring about the details). A `sudo route -n` or `sudo ip route
show` should suffice once we know which IPs belong to whom.


* Re: [gentoo-user] VPN question
From: Burak Arslan @ 2013-12-23 16:24 UTC
  To: gentoo-user

Greetings,

On 12/23/13 18:01, Timur Aydin wrote:
> On 12/23/13 17:55, Michael Orlitzky wrote:
>> On 12/23/2013 07:47 AM, Timur Aydin wrote:
>>> Hello everybody,
>>>
>>> I have a gentoo linux PC at home that I am using as my internet gateway.
>>> It is also running a web server and a mail server with a static IP.
>>> Everything is working fine.
>>>
>>> Now I have installed a VPN server on this system (OpenVPN) and I am
>>> using a VPN service provider to get a USA IP address.
>> Can you give us a better idea of what is running where? Who is the VPN
>> client, who is the server, what are the IP addresses, hostnames, etc?
>>
>>
> I am located in Turkey. The VPN service provider is
> http://www.strongvpn.com and they have servers all over the world. I am
> using their server located in New York. Once I establish the SSL VPN
> tunnel, the NY server effectively becomes my internet gateway. I need to
> do this to get around websites that impose geographical restrictions on
> their service (example, netflix.com, pandora.com). With the tunnel, I
> look like I am located in NY and the website has no way of knowing that
> I am in Turkey.
>
> Regarding IP address, do you mean the USA IP address I receive from the
> VPN service provider or my ISP assigned static IP?
>

Note that as we don't have actual data, the following is mostly
speculation:

Once the VPN connection is established, among the routes pushed by your
OpenVPN provider is also a default gateway entry which routes every
non-local packet through the vpn.

Your daemons at home receive a packet via your static Turkish address
but, because you got your default gw configured to be your vpn provider,
the response packet goes through NY. Due to reverse-path filtering or
some other fact of nature, it's dropped somewhere along the way.

If that's the case (big if :)), here's what you need to do:
http://lartc.org/lartc.html#AEN267

Hope that helps.

Best,
Burak


* Re: [gentoo-user] VPN question
From: Timur Aydin @ 2013-12-23 17:39 UTC
  To: gentoo-user

On 12/23/13 18:12, Michael Orlitzky wrote:
> Anything you can provide; it's not clear to the rest of us how many
> computers are involved. Is the web/mail server only the gateway, or is
> that the workstation that you're using (when, for example, trying to
> access the website)?

This is my home network, 10.2.0.0/16. Multiple computers with
Windows/Linux/Mac. On some subnets, I have gadgets that also need access
to the internet.

The linux PC is the internet gateway with a static IP from my ISP. But
it is also used as my Linux workstation. The web server and email server
must be accessible from the internet and they are accessible if the
tunnel isn't up.

> What IP address are you using to access the web server? Its internal
> one, or its external one? Is the website supposed to be visible externally?

I can access both the web server and the mail server from the internal
network, no problems there. But, when the VPN tunnel comes up, all
external accesses stop working.

> It might also help to know which routes are set up by the VPN. Once
> you've connected to an OpenVPN server, it usually pushes a bunch of
> routes to the client (so that the client knows how to route to the VPN
> without caring about the details). A `sudo route -n` or `sudo ip route
> show` should suffice once we know which IPs belong to whom.

bonsai ~ # ip route show
default via 92.44.0.41 dev ppp0  metric 4007
10.2.1.0/24 dev eno1  proto kernel  scope link  src 10.2.1.254
10.2.2.0/24 dev enp1s0  proto kernel  scope link  src 10.2.2.254
10.2.3.0/24 dev enp8s0  proto kernel  scope link  src 10.2.3.254
92.44.0.41 dev ppp0  proto kernel  scope link  src 176.41.233.165
127.0.0.0/8 dev lo  scope host
127.0.0.0/8 via 127.0.0.1 dev lo

Here, 10.2.1.0 is the main subnet with the various Windows/Linux/Mac
PCs. The other two subnets have electronic gadgets that also need
internet access. I keep them on separate subnets while I do embedded
software development on them so that they are isolated from the main
subnet.


* Re: [gentoo-user] VPN question
From: Timur Aydin @ 2013-12-23 17:44 UTC
  To: gentoo-user

On 12/23/13 18:24, Burak Arslan wrote:
> Once the VPN connection is established, among the routes pushed by your
> OpenVPN provider is also a default gateway entry which routes every
> non-local packet through the vpn.

Here is the routing setup after the tunnel is up:

bonsai ~ # /etc/init.d/openvpn start
 * Starting openvpn
 * WARNING: openvpn has started, but is inactive
bonsai ~ # ip route show
0.0.0.0/1 via 10.8.2.213 dev tun0
default via 92.44.0.41 dev ppp0  metric 4007
10.2.1.0/24 dev eno1  proto kernel  scope link  src 10.2.1.254
10.2.2.0/24 dev enp1s0  proto kernel  scope link  src 10.2.2.254
10.2.3.0/24 dev enp8s0  proto kernel  scope link  src 10.2.3.254
10.8.2.209 via 10.8.2.213 dev tun0  metric 1
10.8.2.213 dev tun0  proto kernel  scope link  src 10.8.2.214
92.44.0.41 dev ppp0  proto kernel  scope link  src 176.41.233.165
127.0.0.0/8 dev lo  scope host
127.0.0.0/8 via 127.0.0.1 dev lo
128.0.0.0/1 via 10.8.2.213 dev tun0
173.195.6.91 via 92.44.0.41 dev ppp0

> Your daemons at home receive a packet via your static Turkish address
> but, because you got your default gw configured to be your vpn provider,
> the response packet goes through NY. Due to reverse-path filtering or
> some other fact of nature, it's dropped somewhere along the way.

> If that's the case (big if :)), here's what you need to do:
> http://lartc.org/lartc.html#AEN267

Thanks for this link! I will need some time to digest this information
and will report back with my progress.

-- 
Timur


* Re: [gentoo-user] VPN question
From: Michael Orlitzky @ 2013-12-24 0:04 UTC
  To: gentoo-user

On 12/23/2013 12:39 PM, Timur Aydin wrote:
> On 12/23/13 18:12, Michael Orlitzky wrote:
>> Anything you can provide; it's not clear to the rest of us how many
>> computers are involved. Is the web/mail server only the gateway, or is
>> that the workstation that you're using (when, for example, trying to
>> access the website)?
> 
> This is my home network, 10.2.0.0/16. Multiple computers with
> Windows/Linux/Mac. On some subnets, I have gadgets that also need access
> to the internet.
> 
> The linux PC is the internet gateway with a static IP from my ISP. But
> it is also used as my Linux workstation. The web server and email server
> must be accessible from the internet and they are accessible if the
> tunnel isn't up.
> 
>> What IP address are you using to access the web server? Its internal
>> one, or its external one? Is the website supposed to be visible externally?
> 
> I can access both the web server and the mail server from the internal
> network, no problems there. But, when the VPN tunnel comes up, all
> external accesses stop working.
> 

Ah, OK. Suppose the external IP address of your gateway is 1.2.3.4. Then
that's the external address of your web/mail server as well. As a
visitor, if I send a packet to 1.2.3.4, I get a response from 1.2.3.4,
and everything is great.

When you turn on the VPN on the gateway, it begins routing all outgoing
traffic through some host in the USA. Now, as a visitor, if I send a
packet to 1.2.3.4, here's what happens:

  me -> 1.2.3.4 (request)
     -> Your server's VPN IP (response)
     -> VPN server in the USA (response)
     -> me

Now my TCP/IP stack wonders what a random packet from the USA is doing,
and drops it, because I expected a response from 1.2.3.4.

To see why there's no simple fix for this, imagine what happens if
someone at Netflix HQ tries to visit your website via 1.2.3.4. If your
routes would send the response back over 1.2.3.4, then they would also
send your browser traffic there over 1.2.3.4. But that won't work. And
if your routes would send your browser traffic over the VPN, then the
web server response will go over the VPN as well. And that breaks the
website.

The not-simple solutions are probably going to involve reorganizing your
network a bit; having a workstation, web server, and VPN client all on
one box is giving you conflicting requirements. But maybe if you're
lucky, you have a static public IP address on the VPN. In that case you
can always access the website via the VPN address.


* Re: [gentoo-user] VPN question
From: Michael Orlitzky @ 2013-12-24 0:15 UTC
  To: gentoo-user

On 12/23/2013 07:04 PM, Michael Orlitzky wrote:
> 
> The not-simple solutions are probably going to involve reorganizing your
> network a bit; having a workstation, web server, and VPN client all on
> one box is giving you conflicting requirements. But maybe if you're
> lucky, you have a static public IP address on the VPN. In that case you
> can always access the website via the VPN address.

The thing that you really want to enforce is that incoming packets "go
out" over the same connection that they came in on. Ignoring the fact
that the last sentence doesn't really make sense, it can be done for
multiple (redundant) upstream providers:

  http://www.lartc.org/howto/lartc.rpdb.multiple-links.html

However, the routing table in that scenario is fixed. I wouldn't bet on
OpenVPN being able to add its routes without messing something up.

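The policy-routing fix that Burak's LARTC pointer and Michael's "go out over the same connection they came in on" message describe, written up as an sh script; this is an added example, not code from the thread or from OpenVPN. It uses the addresses from Timur's routing tables (static 176.41.233.165 on ppp0 via 92.44.0.41, LAN 10.2.0.0/16); the routing table id 100 and the rule priorities are assumed to be unused on the host.

```shell
#!/bin/sh
# Source-based policy routing for the setup in this thread: OpenVPN's pushed
# 0.0.0.0/1 and 128.0.0.0/1 routes stay the default for new outbound traffic,
# but any packet *sent from* the ISP static address (i.e. a reply to a
# connection that arrived on ppp0) is forced back out ppp0, so the web and
# mail daemons stay reachable while the tunnel is up.
# Added example, not from the thread or OpenVPN. Addresses are the ones Timur
# posted; TABLE and PRIO are assumed to be unused on the host.
STATIC_IP="${STATIC_IP:-176.41.233.165}"   # ISP static address (src on ppp0)
ISP_GW="${ISP_GW:-92.44.0.41}"             # ppp0 peer, the ISP gateway
ISP_DEV="${ISP_DEV:-ppp0}"
LAN_NET="${LAN_NET:-10.2.0.0/16}"          # the internal subnets
TABLE="${TABLE:-100}"                      # assumed free routing table id
PRIO="${PRIO:-1000}"                       # assumed: sorts before main (32766)
CHECK_DST="${CHECK_DST:-8.8.8.8}"          # any Internet address, for 'check'

# Emit the ip(8) commands, one per line, so the plan can be reviewed first.
policy_routing_cmds() {
    cat <<EOF
ip route replace default via $ISP_GW dev $ISP_DEV table $TABLE
ip rule add to $LAN_NET lookup main priority $((PRIO - 1))
ip rule add from $STATIC_IP lookup $TABLE priority $PRIO
sysctl -q -w net.ipv4.conf.$ISP_DEV.rp_filter=2
EOF
}
# Rule PRIO-1 keeps LAN-bound replies (a LAN host talking to the public
# address) on the LAN interfaces instead of table TABLE's ppp0 default.
# rp_filter=2 (loose) is a safeguard so strict reverse-path filtering cannot
# discard inbound ppp0 packets whose source would route back via tun0.

policy_routing_undo() {
    cat <<EOF
ip rule del from $STATIC_IP lookup $TABLE priority $PRIO
ip rule del to $LAN_NET lookup main priority $((PRIO - 1))
ip route flush table $TABLE
EOF
}

# Execute each emitted line (needs root); keeps going and reports failures.
run_cmds() {
    rc=0
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        eval "$cmd" || rc=1
    done
    return $rc
}

case "${1:-plan}" in
    plan)  policy_routing_cmds ;;
    apply) policy_routing_undo | run_cmds 2>/dev/null   # ip rule add is not idempotent
           policy_routing_cmds | run_cmds ;;
    undo)  policy_routing_undo | run_cmds ;;
    check) # with the VPN up, the first lookup should show tun0, the second $ISP_DEV
           ip route get "$CHECK_DST"
           ip route get "$CHECK_DST" from "$STATIC_IP" ;;
esac
```

Run `plan` to review the commands, `apply` as root once the tunnel is up (for example from an OpenVPN `up` script), and `check` to confirm that traffic sourced from the static address is routed differently from the default.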


* Re: [gentoo-user] VPN question
From: Mick @ 2013-12-24 11:31 UTC
  To: gentoo-user

On Monday 23 Dec 2013 17:44:17 Timur Aydin wrote:
> On 12/23/13 18:24, Burak Arslan wrote:
> > Once the VPN connection is established, among the routes pushed by your
> > OpenVPN provider is also a default gateway entry which routes every
> > non-local packet through the vpn.
> 
> Here is the routing setup after the tunnel is up:
> 
> bonsai ~ # /etc/init.d/openvpn start
>  * Starting openvpn
>  * WARNING: openvpn has started, but is inactive
> bonsai ~ # ip route show
> 0.0.0.0/1 via 10.8.2.213 dev tun0
> default via 92.44.0.41 dev ppp0  metric 4007
> 10.2.1.0/24 dev eno1  proto kernel  scope link  src 10.2.1.254
> 10.2.2.0/24 dev enp1s0  proto kernel  scope link  src 10.2.2.254
> 10.2.3.0/24 dev enp8s0  proto kernel  scope link  src 10.2.3.254
> 10.8.2.209 via 10.8.2.213 dev tun0  metric 1
> 10.8.2.213 dev tun0  proto kernel  scope link  src 10.8.2.214
> 92.44.0.41 dev ppp0  proto kernel  scope link  src 176.41.233.165
> 127.0.0.0/8 dev lo  scope host
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 128.0.0.0/1 via 10.8.2.213 dev tun0
> 173.195.6.91 via 92.44.0.41 dev ppp0
> 
> > Your daemons at home receive a packet via your static Turkish address
> > but, because you got your default gw configured to be your vpn provider,
> > the response packet goes through NY. Due to reverse-path filtering or
> > some other fact of nature, it's dropped somewhere along the way.
> > 
> > If that's the case (big if :)), here's what you need to do:
> > http://lartc.org/lartc.html#AEN267
> 
> Thanks for this link! I will need some time to digest this information
> and will report back with my progress.

Also have a look here for OpenVPN specific split tunnelling (split routing):

  http://dltj.org/article/openvpn-split-routing/

  https://forums.openvpn.net/topic7065.html

HTH.
-- 
Regards,
Mick


* Re: [gentoo-user] VPN question
From: Michael Orlitzky @ 2013-12-24 17:06 UTC
  To: gentoo-user

On 12/23/2013 11:24 AM, Burak Arslan wrote:
> 
> If that's the case (big if :)), here's what you need to do:
> http://lartc.org/lartc.html#AEN267
> 

Oh, this is the same link I posted later. Impressive guess =)
