sfx2000
Here's a brain teaser for you VPN fans... and a lesson learned
use case - OpenVPN is set up for client/server, with server being routable, sitting behind a router, with ovpn and ssh ports forwarded - basically offsite access into the LAN resources
Here's a rough graphic
Code:
Laptop ----- MobileHotSpot -------- Router-------- Server (OVPN/SSH/etc..)
(LocalIP)    166.170.a.b            68.0.d.e       192.168.1.85
172.20.20.8                         TCP/22         assigns OPVPN IP's
(OvpnIP)                            UDP/1194
10.0.8.5                            (port forward from backend host)
OpenDNS is pushed to client for VPN access - otherwise uses the DHCP assigned DNS from hotspot provider when VPN not in use
Router is running an unbound DNS server as a caching resolver on FreeBSD 10.2
Backend is statically configured to use Google Public DNS - and is set to not block any outgoing connections (multiple services supporting the LAN side)
LAN side is heavy on mDNS deployment, and IPv6 is running inside in a link-local config, OpenVPN is configured as IPv4 only, and IPv6 is disabled on the router for the WAN side.
Scenario:
Laptop connects to the OpenVPN endpoint via vpn.example.net at 68.0.d.e, assigned 10.0.8.5 as remote. OpenVPN sees the 166.170.a.b address, pushes the right routing info, DHCP, DNS, etc. - no problem
Laptop connects to OpenSSH via user@192.168.1.85, no problem - backend host sees the connection from 10.0.8.5 - this is expected behavior
Now keep in mind - all IPv4 traffic on the client is configured to transit the OpenVPN tunnel
Laptop then does an ssh connection to user@example.com - guess what happens?
Yep, the SSH server now sees the connection coming not from 10.0.8.5, but from 166.170.a.b - which was unexpected as it exposed the hotspot IP connected from (the hotspot NATs the laptop)
Now here's where it gets weird... internally, the router also has SSH running, so inside the LAN, the router is resolving example.com to 192.168.1.1, which again is expected behavior, so it doesn't go to the backend server - to get to the backend server from the LAN side, use either user@192.168.1.85 or user@hostname.local
What happened? Is it the client doing the wrong thing, or the router/gw, or the OpenVPN server?
How to correct?
(I did eventually sort out what happened, but this is an excellent thought exercise on what can happen with VPN if one is not careful, not only in the OpenVPN setup, but the Router/GW setup)
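A way to reason about the teaser with a routing-table simulation, added here as an example and not part of the original post. It assumes the client received OpenVPN's usual redirect-gateway style routes (two /1 halves via the tunnel plus a /32 host route to the VPN server's public address via the hotspot gateway, so tunnel packets don't loop) and that example.com resolves to that same public address; 68.0.1.2, 172.20.20.1 and 10.0.8.1 are constructed stand-ins for 68.0.d.e, the hotspot gateway and the tunnel gateway.

```python
import ipaddress

# Constructed routing table for the laptop after the VPN comes up.
# Assumption: redirect-gateway semantics (0.0.0.0/1 + 128.0.0.0/1 via tun0,
# plus a /32 to the VPN server's public IP via the original gateway).
HOTSPOT_GW = "172.20.20.1"      # constructed hotspot gateway
TUNNEL_GW = "10.0.8.1"          # constructed OpenVPN gateway
VPN_SERVER_PUBLIC = "68.0.1.2"  # placeholder for 68.0.d.e

ROUTES = [
    ("0.0.0.0/0", HOTSPOT_GW, "wlan0"),            # original default route
    ("0.0.0.0/1", TUNNEL_GW, "tun0"),              # two halves beat the default
    ("128.0.0.0/1", TUNNEL_GW, "tun0"),
    ("192.168.1.0/24", TUNNEL_GW, "tun0"),         # pushed LAN route
    (VPN_SERVER_PUBLIC + "/32", HOTSPOT_GW, "wlan0"),  # host route to the VPN server
]


def lookup(dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def egress_for(dst):
    """Return (egress interface, source address the far end sees)."""
    _net, _gw, iface = lookup(dst)
    # On wlan0 the hotspot NATs the laptop to 166.170.a.b; on tun0 the
    # server sees the tunnel address 10.0.8.5 (addresses from the post).
    seen_as = "166.170.a.b" if iface == "wlan0" else "10.0.8.5"
    return iface, seen_as


def explain(name, resolved_ip):
    iface, seen_as = egress_for(resolved_ip)
    return f"ssh {name} -> {resolved_ip} via {iface}, server sees {seen_as}"


if __name__ == "__main__":
    print(explain("192.168.1.85", "192.168.1.85"))
    # example.com resolves to the router's public IP, the same /32 the tunnel uses
    print(explain("example.com", VPN_SERVER_PUBLIC))
    print(explain("8.8.8.8", "8.8.8.8"))
```

Any destination that resolves to the VPN server's own public address matches the /32 and leaves on the hotspot interface, so the far end sees the hotspot's NAT address; targeting the LAN address keeps the session on tun0.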