
I manage a small-office network but have very little actual networking knowledge / understanding.

The network has a consumer-grade wifi router (Netgear DG834G), several PCs/Macs, some iPads connected via wifi, and a couple of file servers (also consumer-grade Netgear ReadyNAS boxes).

I have set up a VPN between one PC (WinXP) on our network and a distant VPS box (AWS EC2) with OpenVPN; I use the VPN connection in order to have a US-based IP address (since I'm not in the US).

Here's what I would like to do: I would like to be able to use the VPN from the other machines on the network, including the Wifi connected ones (iPads), without setting up a VPN client on each machine.

I think I need to either have one machine set up as a gateway that the other machines would use, or maybe connect another router that would act as both a gateway and a VPN client, which one could choose to connect to in order to go through the VPN tunnel? Or am I looking for a proxy?

(I'm a little confused, sorry if the above is unclear).

What's the simplest way to achieve that? There must already be tutorials describing what I want to do, but I can't seem to find any after numerous Google searches...

Bambax
  • Is this to access a specific US-Only service? – SuperBOB Jul 12 '11 at 10:08
  • @SuperBOB: in part, yes; for example certain news websites only serve content to US IPs. But we initially set this up for a client who told us they preferred that any communication between them and us not leave the US unencrypted. – Bambax Jul 12 '11 at 12:22

4 Answers


Yes, you need to set up a device which will act as the router for all of the connections that go via the VPN. If this device is also your default gateway, the clients don't need to have any further configuration applied -- they'll use the default gateway for everything, and the gateway will need to be told what destinations get routed via the VPN. Otherwise, you can tell your client machines to route VPN traffic via any machine that has the VPN running, but that gets a lot more complicated for everyone.

womble
  • Thank you but I don't completely understand your answer. The current router and default gateway (Netgear DG834G) can't have OpenVPN installed (unless I'm mistaken): should I replace it? By what? Since it's working fine and has a lot of configuration already done in it (static IPs for machines on the LAN), I'd rather not replace it (but I don't mind adding another router). – Bambax Jul 12 '11 at 12:22
  • I'd replace it with a small Linux box. If you can't, then it's time to get complicated with an in-LAN VPN router. Good luck with that. – womble Jul 12 '11 at 22:52
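The "small Linux box as default gateway" approach from the answer above, written out as an added example (not part of the original thread, and not womble's code). It assumes the box already runs the OpenVPN client to EC2, that its LAN interface is eth0, the tunnel interface is tun0, and the LAN is 192.168.0.0/24; all three are hypothetical defaults you can override through environment variables. Without an argument the script only prints the rule set for review; with `apply` it applies it, and it refuses to do so while the tunnel is down.

```shell
#!/bin/sh
# Added example (not from the original thread): make a small Linux box that
# already runs the OpenVPN client act as the VPN gateway for the whole LAN.
# Assumed names: eth0 = LAN interface, tun0 = OpenVPN tunnel, LAN = 192.168.0.0/24.
# Run "sh vpn-gateway.sh" to print the rules, "sh vpn-gateway.sh apply" (as root)
# to apply them.
set -eu

LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Produce the rule set as text, one command per line, so it can be reviewed
# (and tested) before anything touches the running kernel.
#  1. enable forwarding
#  2. NAT LAN sources behind the tunnel address (EC2 only sees the tunnel)
#  3. forward LAN -> tunnel, and replies back
#  4. drop anything from the LAN that would leave by any other interface,
#     so a dead tunnel never silently sends office traffic out via the ISP
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF ! -o $VPN_IF -j DROP
EOF
}

# Number of iptables commands in the set; a cheap completeness check.
rule_count() {
    gateway_rules | grep -c '^iptables '
}

# Apply the rules. Refuses to run while the tunnel interface is absent:
# with forwarding on and no tun0, LAN traffic would leave in clear.
apply_rules() {
    if ! ip link show "$VPN_IF" >/dev/null 2>&1; then
        echo "$VPN_IF is not up; start the OpenVPN client first" >&2
        return 1
    fi
    gateway_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if [ "${1:-show}" = "apply" ]; then
    apply_rules
else
    gateway_rules
fi
```

Two things the script does not do for you: the OpenVPN client config on the box needs `redirect-gateway def1` so the box's own default route points at tun0 (the tunnel to EC2 itself still leaves through the Netgear, which stays the box's upstream), and the LAN clients must be given the box's LAN address as their default gateway, either statically or from the Netgear's DHCP. The last FORWARD rule is the part people forget: without it, a dropped tunnel turns the gateway into a plain NAT router and the office traffic goes out unencrypted.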

I see two problems that you need a solution to; unfortunately neither of them is really "easy", and I would recommend getting assistance from a 3rd-party small business consultant in your area, as you're dealing with a client's trust here, and losing that would probably be a very bad thing.

  • A client wants to maintain an encrypted connection with your office at all times. This is traditionally solved with a site-to-site IPsec VPN tunnel that's established (usually) between both firewalls. With routes set up (and making sure there's no overlap between LAN subnets), you can ensure that traffic to and from your office to their office is always encrypted, so long as each side is accessing the other's resources via their LAN subnets, i.e. if there's an application or web service (like an intranet) that you would need to access on their side, you would pull up http://192.168.1.5, where 192.168.1.0/24 is their LAN subnet and 192.168.1.5 is their web server running the intranet.

  • You want to access US-only websites office-wide. I would look into setting up a proxy in a micro Amazon EC2 instance with authentication and firewall rules to only permit access from your office's WAN IP. Squid could easily be set up, or even tinyproxy, as you wouldn't really benefit from having caching enabled. You could then set up FoxyProxy in Firefox with a whitelist of the US-only sites so that only the US-only websites are accessed through the proxy, or you could do the same with another proxy sitting on your LAN that would determine which upstream proxy to use (if any) by requested URL (domain). I would also google around for "Hulu proxy services" or "Hulu VPN" as there might be a more canned solution out there that takes a lot of this guesswork out.

gravyface
  • I chose your answer because the second part with tinyproxy led to a solution that seems to work well, without any new hardware. I tried both squid and tinyproxy and found the configuration of squid to be daunting. Tinyproxy is sufficient for our needs (see the description of my setup below). I think the first part of the problem could be addressed in the same manner (with dynamic port forwarding on both sides?) or maybe with a VPN tunnel on the machine with tinyproxy, where the traffic from tinyproxy would be systematically redirected? – Bambax Jul 13 '11 at 10:52
  • @Bambax: would really need more information on how your office and your client share data and applications. Post another question and I'll try to answer it. – gravyface Jul 13 '11 at 11:27

We recently replaced our Cisco RV082 VPN routers with Netgate m1n1wall VPN routers. By running pfSense, we are able to configure:

  1. A persistent IPsec VPN tunnel between two sites, where each site has a Netgate m1n1wall VPN router
  2. IPsec-based VPN connections for our road warriors

You could purchase one Netgate m1n1wall and configure it to create a persistent OpenVPN tunnel with your AWS EC2 VPS and you could configure an IPsec mobile connection for your iPads and other client systems.

Netgate m1n1wall Configuration

  • Netgate m1n1wall for $214 + S/H, which contains:
    • ALIX.2D13 system board with 500 MHz AMD Geode LX800 CPU and 3 10/100 Enet ports
    • 2GB Sandisk Ultra CF Card pre-loaded with pfSense
    • Desktop case
    • 120 VAC/DC 15V power supply
    • pfSense — "a free, open source customized distribution of FreeBSD tailored for use as a firewall and router."
  • VPN1411 accelerator card for $72 + S/H
Matthew Rankin

Here's what I did for now, following an idea found in gravyface's answer (part 2).

On a NAS (Netgear NV+) I set up dynamic port forwarding using the command

ssh -f -N -D ip:port user@machine

and tinyproxy. Tinyproxy as such can't work with SOCKS, but it can with tsocks that wraps the connections from tinyproxy and sends them through the dynamic port forwarding.

So tinyproxy receives requests from machines on the LAN and uses dynamic port forwarding to transfer those requests to the Internet.

As for accessing US-only websites:

  • services such as "what is my ip" detect the proxy but think the request comes from the US (the proxy is detected because the version of tinyproxy available on the ReadyNAS is an old one that does not allow the suppression of the 'Via' header)
  • hulu.com works fine (except when using an AWS endpoint)

I don't know how secure this kind of setup is, though.

As I understand it, traffic from the LAN to the proxy isn't encrypted, but it doesn't matter since the proxy is also on the LAN; traffic between the proxy and the endpoint is encrypted. Therefore, if I'm not mistaken, someone snooping on our LAN could read our traffic, but someone outside our LAN (our ISP) cannot (for the machines that use the proxy).

Bambax
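The LAN-side proxy chain described in the last answer (and in part 2 of gravyface's answer), as an added example that is not Bambax's script and not part of the original thread: LAN client, then tinyproxy on the NAS, wrapped by tsocks, into the SOCKS listener that `ssh -D` opens towards EC2. The script renders both config files, starts the chain, and checks what the Internet sees. Every concrete value is an assumption: NAS LAN address 192.168.0.10, LAN 192.168.0.0/24, an EC2 login of ec2-user@vps.example.com with key ~/.ssh/vps.pem, proxy port 8888 and SOCKS port 1080.

```shell
#!/bin/sh
# Added example (not from the original thread). Proxy chain:
#   LAN client -> tinyproxy (NAS) -> tsocks -> ssh -D SOCKS5 on 127.0.0.1 -> EC2 -> Internet
# All values below are assumed defaults; override them with environment variables.
set -eu

NAS_IP="${NAS_IP:-192.168.0.10}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_MASK="${LAN_MASK:-192.168.0.0/255.255.255.0}"   # tsocks wants netmask form
PROXY_PORT="${PROXY_PORT:-8888}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
VPS="${VPS:-ec2-user@vps.example.com}"
VPS_KEY="${VPS_KEY:-${HOME:-/root}/.ssh/vps.pem}"
CONF_DIR="${CONF_DIR:-/tmp/lanproxy}"

# tsocks.conf: connections to the LAN itself stay local, everything else goes
# to the SOCKS listener on loopback. server_type = 5 selects SOCKS5 (tsocks
# defaults to SOCKS4; ssh -D speaks both).
render_tsocks_conf() {
    cat <<EOF
local = $LAN_MASK
server = 127.0.0.1
server_port = $SOCKS_PORT
server_type = 5
EOF
}

# tinyproxy.conf: listen only on the LAN address, accept only LAN clients,
# and do not advertise the proxy in a Via: header. DisableViaHeader needs
# tinyproxy 1.8 or later; remove that line on the old ReadyNAS build, which
# rejects unknown directives. Adjust User/Group to what your system has.
render_tinyproxy_conf() {
    cat <<EOF
User nobody
Group nogroup
Port $PROXY_PORT
Listen $NAS_IP
Allow $LAN_NET
Timeout 600
MaxClients 50
LogLevel Warning
PidFile $CONF_DIR/tinyproxy.pid
ViaProxyName "tinyproxy"
DisableViaHeader Yes
EOF
}

# Write both configs, open the SOCKS tunnel, then start tinyproxy under tsocks.
# The SOCKS listener is bound to loopback only, so nothing on the LAN can use
# it directly; only tinyproxy on this box can.
start_chain() {
    mkdir -p "$CONF_DIR"
    render_tsocks_conf    > "$CONF_DIR/tsocks.conf"
    render_tinyproxy_conf > "$CONF_DIR/tinyproxy.conf"
    ssh -f -N -D "127.0.0.1:$SOCKS_PORT" -i "$VPS_KEY" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 "$VPS"
    TSOCKS_CONF_FILE="$CONF_DIR/tsocks.conf" tsocks tinyproxy -c "$CONF_DIR/tinyproxy.conf"
}

# What the Internet sees through the proxy: the exit address and any Via: header.
check_chain() {
    proxy="http://$NAS_IP:$PROXY_PORT"
    echo "exit address: $(curl -s -x "$proxy" http://checkip.amazonaws.com/)"
    curl -s -x "$proxy" -D - -o /dev/null http://example.com/ | grep -i '^Via:' \
        || echo "no Via: header advertised"
}

case "${1:-render}" in
    start)  start_chain ;;
    check)  check_chain ;;
    render) render_tsocks_conf; echo; render_tinyproxy_conf ;;
    *)      echo "usage: $0 [render|start|check]" >&2; exit 2 ;;
esac
```

Run `sh lanproxy.sh start` on the NAS, then `sh lanproxy.sh check` from a LAN machine. Two caveats worth knowing when judging how secure this is: the `Allow` line is the only thing keeping other hosts on the LAN from using the proxy, so keep it tight; and tsocks only wraps `connect()`, so the NAS still resolves host names through its normal resolver (i.e. the ISP's) even though the connections themselves go through the tunnel. The EC2-side variant gravyface suggests is the same tinyproxy config with `Listen` on the instance's address and `Allow` set to the office's WAN IP, plus a security-group rule limited to that IP.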