pppx and bind not playing nice
I'm setting up a server running OpenBSD 5.3-stable. I want to access the box using one name in public, i.e. vpn.example.com, and one name in private for both LAN users and VPN users, i.e. red.example.com. That way, when I'm home, on my LAN, I can connect to the box using red.example.com, and when I'm out in the world and I'm using VPN to connect, I can use red.example.com to refer to the same box. To be clear, I don't want to just open all the services to the public, thus the private services are restricted to LAN and VPN users.
I went about configuring PF to lock things down, permitting access to public services like vpn and ssh on the public interface, and then private services were restricted to access on the private and vpn interfaces. I setup VPN using npppd roughly following these directions:
...so L2TP/IPSec using PPPX instead of TUN.
Got everything working with the LAN on one subnet, i.e. 192.168.0.0/24 and the VPN machines on another, i.e. 192.168.1.0/24. I can connect to VPN, ping the VPN gateway IP. But to access the LAN over the VPN connection, I need a route. No problem, my laptop VPN client has a configuration area for adding a route after connecting and tearing it down after. And that did the trick, I could ping the LAN IPs after setting up the proper route. BUT my iPhone doesn't support manual route configuration. I can connect to the VPN using my iPhone, but there's no way to setup a route manually. So I went looking for how to push routes up from the server to the client at connection time, like I've done before using OpenVPN. But Googling around, it seems the L2TP/IPSec protocol doesn't support pushing routes in this way, i.e. http://serverfault.com/questions/343...us-vpn-clients.
So, onto plan B. I thought, if I can get red.example.com to resolve to its LAN IP for LAN users, and it resolves to its VPN IP for VPN users, that would work. And a connection specific DNS server may be pushed to client according to TFM (aka nppd.conf(5)). So I gave it a try, with a split DNS based on the subnet (LAN or VPN) the client connects from. I got everything fired up, connected via VPN, and...could not connect to the DNS server, though I could ping the machine (it was after all, the same machine I was connecting to as the VPN server). After some experimentation, I discovered that named doesn't listen to an interface that came into existance after named started up. And since using pppx means I've got a new interface each time I connect via VPN, I'd have to restart named somehow each time I connect to VPN in order to get this approach to work...unless I switch to TUN, since in that case, the interface persists across VPN connections.
And that's what I did, and everything works, I can connect via LAN and connect via VPN including with the L2TP VPN client on the iPhone. But I can't help but wondering...I have the impression pppx is positioned for these sort of dynamic/temporary VPN connections, but bind on the same box doesn't play nice with pppx, at least in the way I'm trying to use them together...does that seem right or am I missing something?
Last edited by quisquous; 8th September 2013 at 01:57 AM. Reason: more accurate title
|bind, named, npppd|
|Thread||Thread Starter||Forum||Replies||Last Post|
|Nice try, Amazon: 'One-click' payment too obvious to patent||J65nko||News||1||8th July 2011 10:16 AM|
|Have nice fonts in OpenBSD 4.6||mfaridi||OpenBSD General||10||11th April 2010 01:38 PM|
|Playing a CD.||maxrussell||FreeBSD General||2||22nd July 2009 07:24 PM|
|Not nice PS/2 mouse :/||latorion||FreeBSD General||21||11th October 2008 06:02 PM|
|Nice Forum||whispersGhost||Feedback and Suggestions||0||9th May 2008 06:12 AM|