DaemonForums  

#1
Old 8th September 2013
quisquous
Port Guard

Join Date: Sep 2013
Posts: 10
pppx and bind not playing nice

I'm setting up a server running OpenBSD 5.3-stable. I want to access the box using one name in public, i.e. vpn.example.com, and one name in private for both LAN users and VPN users, i.e. red.example.com. That way, when I'm home, on my LAN, I can connect to the box using red.example.com, and when I'm out in the world and I'm using VPN to connect, I can use red.example.com to refer to the same box. To be clear, I don't want to just open all the services to the public, thus the private services are restricted to LAN and VPN users.

I went about configuring PF to lock things down, permitting access to public services like vpn and ssh on the public interface, and then private services were restricted to access on the private and vpn interfaces. I setup VPN using npppd roughly following these directions:

http://www.slideshare.net/GiovanniBe...n-with-openbsd

...so L2TP/IPSec using PPPX instead of TUN.

Got everything working with the LAN on one subnet, i.e. 192.168.0.0/24 and the VPN machines on another, i.e. 192.168.1.0/24. I can connect to VPN, ping the VPN gateway IP. But to access the LAN over the VPN connection, I need a route. No problem, my laptop VPN client has a configuration area for adding a route after connecting and tearing it down after. And that did the trick, I could ping the LAN IPs after setting up the proper route. BUT my iPhone doesn't support manual route configuration. I can connect to the VPN using my iPhone, but there's no way to setup a route manually. So I went looking for how to push routes up from the server to the client at connection time, like I've done before using OpenVPN. But Googling around, it seems the L2TP/IPSec protocol doesn't support pushing routes in this way, i.e. http://serverfault.com/questions/343...us-vpn-clients.

So, onto plan B. I thought, if I can get red.example.com to resolve to its LAN IP for LAN users, and it resolves to its VPN IP for VPN users, that would work. And a connection specific DNS server may be pushed to client according to TFM (aka npppd.conf(5)). So I gave it a try, with a split DNS based on the subnet (LAN or VPN) the client connects from. I got everything fired up, connected via VPN, and...could not connect to the DNS server, though I could ping the machine (it was after all, the same machine I was connecting to as the VPN server). After some experimentation, I discovered that named doesn't listen to an interface that came into existence after named started up. And since using pppx means I've got a new interface each time I connect via VPN, I'd have to restart named somehow each time I connect to VPN in order to get this approach to work...unless I switch to TUN, since in that case, the interface persists across VPN connections.

And that's what I did, and everything works, I can connect via LAN and connect via VPN including with the L2TP VPN client on the iPhone. But I can't help but wonder...I have the impression pppx is positioned for this sort of dynamic/temporary VPN connection, but bind on the same box doesn't play nice with pppx, at least in the way I'm trying to use them together...does that seem right or am I missing something?

Last edited by quisquous; 8th September 2013 at 01:57 AM. Reason: more accurate title
#2
Old 8th September 2013
IdOp
Too dumb for a smartphone

Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027

Hi quisquous, and welcome to daemonforums.

I can only offer a tidbit of experience that I think is relevant to your question, but my situation isn't nearly like yours. But it involves named and pppd, the latter used for dial-up PPP so the interfaces are temporary.

Looking in /var/log/messages, I see entries like this for NetBSD:

Code:
Sep  4 19:29:12 dirty named[184]: listening on IPv4 interface ppp0, aaa.bbb.ccc.dd#53
Sep  4 19:29:12 dirty named[184]: creating IPv4 interface ppp0 failed; interface ignored
and on Linux:

Code:
Sep  6 23:18:25 dirty named[1719]: listening on IPv4 interface ppp0, aaa.bbb.ccc.ddd#53
(I don't understand why the error message in the one case, but I don't care about it as I'm not trying to use the DNS from outside.) At the moment I don't have an OpenBSD system set up fully enough to try this out there.

Anyway, it seems that in both of these cases named is picking up on and trying to listen to the dynamic ppp0 interface when it comes up. Have you looked into your messages* files?
#3
Old 8th September 2013
quisquous
Port Guard

Join Date: Sep 2013
Posts: 10

Hi IdOp!

I looked through messages files and found plenty of entries for named, but none mentioning ppp or ppp0. I think my logging severity level isn't high enough. I tried fiddling with the logging settings, but then I realized I can just run named from the command line with debugging turned all the way up.

When I run this while no vpn client is connected, there is no mention of ppp0:

Code:
sudo named -g -d 99 2>&1 | grep ppp
After I connect, still no mention. Then I quit and run that command again while the vpn is connected and I see this:

Code:
07-Sep-2013 22:02:46.907 listening on IPv4 interface pppx0, 192.168.1.1#53
I wonder if there's some config that would change named's behavior so that it picks up new interfaces while running. I haven't come across anything yet, but I'll keep digging.
#4
Old 8th September 2013
IdOp
Too dumb for a smartphone

Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027

teoma is our friend. There's a named.conf parameter called interface-interval, which specifies how often named should check for new interfaces. The default is 60 minutes, which is probably too long for it to find pppx0 if you're testing it right away. You could try setting it to 1 minute and see if it finds the interface. If that works, you could adjust it a bit longer if that wouldn't be too inconvenient in actual use.
#5
Old 8th September 2013
quisquous
Port Guard

Join Date: Sep 2013
Posts: 10
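A named.conf sketch that combines the split DNS from post #1 with the interface-interval setting from post #4, written for OpenBSD's chrooted named; this is an added example, not configuration from the thread. The LAN gateway address 192.168.0.1, the acl and view names, and the zone file paths under /var/named are assumptions.

```conf
// Added example: split DNS for red.example.com plus interface rescan.
// Address lists come first; BIND requires an acl to be defined before use.
acl lan { 192.168.0.0/24; };   // home LAN (post #1)
acl vpn { 192.168.1.0/24; };   // npppd address pool (post #1)

options {
    directory "/";             // OpenBSD runs named chrooted in /var/named

    // Answer only on the LAN and VPN gateway addresses, never on the
    // public interface. 192.168.1.1 is the pppx0 address seen in post #3;
    // 192.168.0.1 is an assumed LAN address of the same box.
    listen-on { 192.168.0.1; 192.168.1.1; };
    listen-on-v6 { none; };

    // Serve only the two private networks (defense in depth behind PF).
    allow-query { localhost; lan; vpn; };
    allow-recursion { localhost; lan; vpn; };
    recursion yes;

    // Rescan interfaces every minute instead of the default 60 so a
    // freshly created pppx interface is picked up. 1 is the minimum
    // (post #5), so up to a one-minute gap after connecting remains.
    interface-interval 1;
};

// One view per network: the same name resolves to whichever address is
// reachable from where the client sits. Once views are used, every zone,
// root hints included, has to live inside a view.
view "lan" {
    match-clients { localhost; lan; };
    zone "." { type hint; file "etc/root.hint"; };
    zone "example.com" {
        type master;
        file "master/example.com.lan";   // red.example.com A 192.168.0.1
    };
};

view "vpn" {
    match-clients { vpn; };
    zone "." { type hint; file "etc/root.hint"; };
    zone "example.com" {
        type master;
        file "master/example.com.vpn";   // red.example.com A 192.168.1.1
    };
};
```

Even with interface-interval 1, a client connecting over pppx can be pushed the DNS server address at connect time and still get no answer until the next rescan, which is the awkward gap post #5 describes.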

Wow, awesome sleuthing!

It looks like 1 minute is the shortest configurable interval, which would make for a bit of an awkward gap between connecting to the VPN and being able to access the DNS server, in my scenario.

But it's great to know that's how it works.

Tags
bind, named, npppd
