This may or may not be a hypothetical question. Let’s say I don’t trust my ISP. Let’s say that I don’t want any traffic at all to pass in the clear across my broadband connection. No DNS, no SMTP email, nothing.
Let’s also say that I have control of a server Out There On The Internet that I can use for anything that Debian/Linux can provide.
Given the above, what would be a good way to ‘tunnel’ traffic from a PC behind said ISP’s broadband (running Ubuntu) via the server? IPSec/VPN?
Note that I don’t simply want to proxy web traffic – that’s easy using a web proxy server; that’s only half the picture, though.
Suggestions, thoughts, pointers to HOWTOs etc. most welcome. Bear in mind that I likely just need a very simple setup here: I don’t need anything in place to support multiple connections from multiple locations, really.
This is quite easy using OpenVPN – it has a default gateway setting, which will divert everything through the remote gateway (aside from a single route so stuff can find it’s way to the vpn server).
PermalinkI’ve been looking at OpenVPN since I posted this and haven’t quite got my head around it yet. I will read the docs some more. I think the complications I have are (a) my PC is behind a NAT-ed router whose public IP is dynamic and (b) the endpoint server is a single machine, not an entire network.
http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html looks like the minimal case, but I think I need something more complex to take care of the NAT/dynamic IP.
/me must read more about it
PermalinkI think you’re looking at it from the wrong way 🙂 What you need is a standard openVPN ‘road warrior’ setup.
Looking at it from your home connection it might seem troublesome, but looking at it from your remote machine it’s easy 🙂
Your remove machine is the VPN sever, and you *ARE* trying to give access to an entire network ‘The internet’ of which your PC is one!
Read up on the ‘road warrior’ setup for OpenVPN, I’m pretty sure you’ll figure it out soon enough.
Permalink@Hein-Pieter: Thanks for the comment, much appreciated. I’ll read up on that very subject. Cheers 🙂
PermalinkOK, I think I’ve got it figured out. Seems to be working as expected and tunneling all the traffic. There’s a bug – see https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/355509 – with Ubuntu’s Network Manager which means I can’t do this in a pretty GUI way, but running ‘openvpn…’ from the command line with an appropriate config seems to do the job.
The trick I missed initially was remembering to NAT the outgoing traffic from the OpenVPN server so that it appears to come from the OpenVPN server, i.e.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
where 10.8.0.x is my private LAN space for point-to-point activity.
Thanks David/Hein-Pieter.
Permalink