
I have a quite strange problem and I'm not sure how to set it up properly.

I have 2 Windows servers in the cloud with RDP (I know, not the smartest thing to do, but I don't have the space for a physical server). They are connected together via a vRack. The connections from the outside to the server are very limited - only a handful of external IPs are allowed. But also the Internet connection on that machine is unavailable. This internal connection is for database usage.

I had this crazy idea to install a VPN client on it and connect it to the outside world through it - thanks to that I would be able to access the Internet on it. But a second after I connect to the VPN I lose all internal communications to that server (and external, from the whitelisted addresses).

The general schematic would be like this:

[Diagram: General net scheme]

Now, I would like to be able to access the Internet from server B while keeping the network restrictions to the WAN. Is it even possible? I assume that I need to create some weird static routes but I'm not sure which and in what direction.

Moorti
  • Windows really doesn't do split VPNs all that well. Assuming I understand your request, I suspect what you are trying to do isn't going to be possible. – Zoredache Feb 12 '20 at 23:55
  • I've read somewhere that Windows server has a role or function called "Routing and remote access" - but I can't figure it out. – Moorti Feb 13 '20 at 11:17
  • RAS wouldn't really help. For your use case, you would need something like Linux's policy routing and multiple route-table support. But Windows doesn't have that. – Zoredache Feb 13 '20 at 20:17

1 Answer


Yes and no. It is possible to route only some traffic through a dial-up VPN - to a designated network, for example. It is not possible to route all IP traffic through your VPN as the default gateway, but some IP traffic through the NIC with its own default gateway. That would defeat the purpose of dial-up VPNs and/or need some serious "telepathic" features, as the routing engine would have to "guess" where a packet should go.

If you just want to use some HTTP/HTTPS, you can employ a proxy server like Squid, Apache or nginx. This proxy could be connected through a VPN from your server (unticking the 'default gateway' box in the advanced options of the connection). The proxy's address is just one IP, so it's routable without using the default gateway.

Even easier than that: it could be just anywhere on the web, as long as the server is able to reach it. I sometimes do this through SSH tunnels (on my home box) when working on firewalled servers.

bjoster
  • OH. Oh my God. I'm dumb. I forgot about a proxy. I was able to use a Synology NAS from one of those whitelisted IPs, install a proxy server on it and forward a port. After that it worked. It worked like a charm. Maybe not the fastest thing on earth but I was able to browse the net with all the restrictions. – Moorti Feb 16 '20 at 13:04
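The answer's approach (a split-tunnel VPN that carries only the proxy's address, plus a proxy for HTTP/HTTPS) in working form, as an added example that is not part of the original question, answer or comments. It uses the built-in Windows VPN client, where "-SplitTunneling $true" is the cmdlet equivalent of unticking "Use default gateway on remote network". The VPN server name vpn.example.net, the tunnel type, the proxy address 10.8.0.10:3128 and the bypass list are assumptions for illustration; substitute your own. Run it in an elevated PowerShell on server B.

```powershell
# Added example (not from the original post). Assumptions: an SSTP VPN server at
# vpn.example.net reachable from server B, and a Squid proxy listening on
# 10.8.0.10:3128 inside the VPN's address space. Run elevated on server B.

$VpnName   = 'OutboundVpn'
$VpnServer = 'vpn.example.net'   # assumption
$ProxyHost = '10.8.0.10'         # assumption: proxy address reachable via the VPN
$ProxyPort = 3128                # assumption: Squid default port

# 1. Create the dial-up VPN with split tunnelling. With -SplitTunneling $true the
#    connection does NOT replace the existing default route, so the vRack
#    (database) path and the whitelisted external RDP path keep working.
if (-not (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
        -TunnelType Sstp -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -SplitTunneling $true -RememberCredential -Force
}

# 2. Route only the proxy's single address through the tunnel. With split
#    tunnelling on, nothing else is sent over the VPN unless a route says so;
#    this is the "one IP, routable without the default gateway" from the answer.
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix "${ProxyHost}/32" -PassThru

# 3. Dial the connection.
rasdial $VpnName

# 4. Verify the routing: the default route must still point at the server's own
#    NIC, while the proxy address must resolve to the VPN interface.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
Find-NetRoute -RemoteIPAddress $ProxyHost |
    Select-Object -First 1 InterfaceAlias, NextHop

# 5. Confirm the proxy answers through the tunnel before pointing anything at it.
$probe = Test-NetConnection -ComputerName $ProxyHost -Port $ProxyPort
if (-not $probe.TcpTestSucceeded) {
    throw "Proxy ${ProxyHost}:${ProxyPort} is not reachable over $VpnName"
}

# 6. Send HTTP/HTTPS from WinHTTP clients (Windows Update, many services) via
#    the proxy. Keep local and internal (vRack) ranges on the bypass list so
#    database traffic never touches the proxy. Adjust the ranges to your vRack.
netsh winhttp set proxy proxy-server="${ProxyHost}:${ProxyPort}" bypass-list="<local>;10.*;192.168.*"

# 7. End-to-end check: an external request should now succeed only via the proxy.
Invoke-WebRequest -Uri 'https://example.com' -Proxy "http://${ProxyHost}:${ProxyPort}" -UseBasicParsing |
    Select-Object StatusCode
```

Two caveats a practitioner will want. First, the split-tunnel flag only controls what the client does with its own default route; if the VPN server pushes routes, those still land on server B, so keep the VPN server's configuration equally minimal (for a third-party client such as OpenVPN, the equivalent is ignoring pushed routes and adding the single explicit route for the proxy). Second, the proxy is now a deliberate hole in the IP whitelist: anything running on server B, including malware, can reach the Internet through it, so restrict the proxy's ACLs to server B's address, require authentication, and log requests. The same applies to the NAS-based proxy from the accepted comment; only the transport (a port forward from a whitelisted IP instead of a VPN) differs, and the WinHTTP proxy setting in step 6 is all that changes on the server side.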