DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 8th September 2013
quisquous quisquous is offline
Port Guard
 
Join Date: Sep 2013
Posts: 10
Default pppx and bind not playing nice

I'm setting up a server running OpenBSD 5.3-stable. I want to access the box using one name in public, i.e. vpn.example.com, and one name in private for both LAN users and VPN users, i.e. red.example.com. That way, when I'm home, on my LAN, I can connect to the box using red.example.com, and when I'm out in the world and I'm using VPN to connect, I can use red.example.com to refer to the same box. To be clear, I don't want to just open all the services to the public, thus the private services are restricted to LAN and VPN users.

I went about configuring PF to lock things down, permitting access to public services like vpn and ssh on the public interface, and then private services were restricted to access on the private and vpn interfaces. I setup VPN using npppd roughly following these directions:

http://www.slideshare.net/GiovanniBe...n-with-openbsd

...so L2TP/IPSec using PPPX instead of TUN.

Got everything working with the LAN on one subnet, i.e. 192.168.0.0/24 and the VPN machines on another, i.e. 192.168.1.0/24. I can connect to VPN, ping the VPN gateway IP. But to access the LAN over the VPN connection, I need a route. No problem, my laptop VPN client has a configuration area for adding a route after connecting and tearing it down after. And that did the trick, I could ping the LAN IPs after setting up the proper route. BUT my iPhone doesn't support manual route configuration. I can connect to the VPN using my iPhone, but there's no way to setup a route manually. So I went looking for how to push routes up from the server to the client at connection time, like I've done before using OpenVPN. But Googling around, it seems the L2TP/IPSec protocol doesn't support pushing routes in this way, i.e. http://serverfault.com/questions/343...us-vpn-clients.

So, onto plan B. I thought, if I can get red.example.com to resolve to its LAN IP for LAN users, and it resolves to its VPN IP for VPN users, that would work. And a connection specific DNS server may be pushed to client according to TFM (aka nppd.conf(5)). So I gave it a try, with a split DNS based on the subnet (LAN or VPN) the client connects from. I got everything fired up, connected via VPN, and...could not connect to the DNS server, though I could ping the machine (it was after all, the same machine I was connecting to as the VPN server). After some experimentation, I discovered that named doesn't listen to an interface that came into existance after named started up. And since using pppx means I've got a new interface each time I connect via VPN, I'd have to restart named somehow each time I connect to VPN in order to get this approach to work...unless I switch to TUN, since in that case, the interface persists across VPN connections.

And that's what I did, and everything works, I can connect via LAN and connect via VPN including with the L2TP VPN client on the iPhone. But I can't help but wondering...I have the impression pppx is positioned for these sort of dynamic/temporary VPN connections, but bind on the same box doesn't play nice with pppx, at least in the way I'm trying to use them together...does that seem right or am I missing something?

Last edited by quisquous; 8th September 2013 at 01:57 AM. Reason: more accurate title
Reply With Quote
 

Tags
bind, named, npppd

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Nice try, Amazon: 'One-click' payment too obvious to patent J65nko News 1 8th July 2011 10:16 AM
Have nice fonts in OpenBSD 4.6 mfaridi OpenBSD General 10 11th April 2010 01:38 PM
Playing a CD. maxrussell FreeBSD General 2 22nd July 2009 07:24 PM
Not nice PS/2 mouse :/ latorion FreeBSD General 21 11th October 2008 06:02 PM
Nice Forum whispersGhost Feedback and Suggestions 0 9th May 2008 06:12 AM


All times are GMT. The time now is 12:32 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick