
I have a network which is isolated from the Internet and I need to remotely connect to it from time to time for maintenance purposes. Please note that I do not need to connect to a specific computer on this network, but I need to be able to connect to any computer on the network.

This is my idea:

I would provide a Linux box (probably a Raspberry Pi) which should be connected to the isolated network and which also has a GPRS connection to the Internet.

Once turned on, the Linux box should automatically connect to the Internet via GPRS and should provide a way for me to connect to it (after proper authentication) and access the isolated network transparently.

I should be able to see and use their intranet websites straight from my own (Linux) computer as if my own computer was directly wired to the isolated network. I should be able to upload files to the remote computers on the isolated network, I should be able to ping and connect through SSH to any of the computers on the isolated network, I should be able to access the messaging system provided by a local XMPP server on the same network, and so on. In a few words, my home computer should take the same local IP address as my remote Linux box on the isolated network, exactly as if I was there with my own computer.

To create a Linux box which automatically connects to the Internet once turned on should not be a problem... but how do I create this "bridge" from the isolated network to my home computer after proper login? Any idea, solution or link that could be useful?

I have used Linux for home/work for several years now, but I have never tried anything like this, so my knowledge of VPNs and network-sharing issues is close to zero. Of course I am willing to study any link/book related to this issue, but I have no idea where to start.

P.S.: Sorry for my horrible English, I hope the question is understandable.

Luca

3 Answers


If you're connecting remotely, it's not isolated.

What you're describing could conceivably work. You probably just want to throw OpenVPN on it and be done, as far as the remote connectivity thing is concerned. Lots of guides for OpenVPN are available, but I don't have a specific one to recommend. Start with the documentation on their site: OpenVPN.net

Jesus, I really hope this isn't a classified network you're exposing.

Hyppy
  • For "isolated" of course I mean that it is isolated right now. And no, it is not a "classified" network. Just a network without Internet connection. – Luca Jun 14 '12 at 00:14
  • Well, then yeah. You're really just looking to act as if you're on the network, which is exactly what OpenVPN is made for. – Hyppy Jun 14 '12 at 00:14

You used a right word - "bridge".

Just use OpenVPN in layer 2 (tap) mode, and bridge the other end to the "isolated"* network. You can use 'brctl' to set up the bridge. After that, and connecting, it will be the same (network-wise) as being directly connected to the switch on that "isolated"* network.

*If you connect to it from outside, it's not isolated. It is then virtually the same as if you used a PC instead of the rPi, or if you set up another interface on any of the computers already in the network.

mulaz
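Added here as an example of the layer 2 setup described in this answer (this is not mulaz's own configuration): an OpenVPN server config in tap mode whose tap interface is bridged to the isolated LAN. The 10.11.11.0/24 range is the one used for the isolated network in aseq's answer below; the interface name tap0, the address pool, the key and certificate file paths and the port are assumptions.

```conf
# Added example, not from the answer: OpenVPN server in layer-2 (tap) mode.
# tap0 is assumed to already exist and to be a member of the same bridge
# (br0) as the LAN interface, so VPN clients appear as hosts on the LAN.
port 1194
proto udp
dev tap0

# server-bridge: gateway address handed to clients, LAN netmask, and the
# pool of LAN addresses given to VPN clients. The pool must stay outside
# the range any DHCP server on the isolated LAN hands out (assumed values).
server-bridge 10.11.11.1 255.255.255.0 10.11.11.200 10.11.11.220

# PKI material (assumed paths). Each remote user gets their own client
# certificate so that access can be revoked per user.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem

# Extra HMAC on every packet: unauthenticated UDP packets arriving from
# the Internet are discarded before any TLS processing happens.
tls-auth /etc/openvpn/ta.key 0

cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun

# Drop privileges after the tap interface and keys are set up.
user nobody
group nogroup

status /var/log/openvpn-status.log
verb 3
```

Before OpenVPN starts, the bridge has to be in place: create the tap interface with `openvpn --mktun --dev tap0`, create the bridge with `brctl addbr br0`, add both the LAN interface and tap0 with `brctl addif`, move the LAN address from the physical interface to br0 and bring everything up. One practical caveat for a GPRS uplink: in tap mode every broadcast and multicast frame on the isolated LAN crosses the tunnel, which costs bandwidth and reveals more of the LAN's chatter than a routed TUN setup would.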

You need to make the server connected to the Internet into a VPN server; OpenVPN is very useful for this. There are various ways to configure OpenVPN. I would configure it to use UDP and the TUN interface.

Once you have set up OpenVPN you need to create some special iptables rules and a routing entry to get this working.

Besides its Internet-connected interface, the OpenVPN server also has an interface that connects it to the other servers that are shielded, and those are all in the same subnet of course; let's make that 10.11.11.0/24.

Assuming your OpenVPN network has the subnet 10.2.2.0/24, the following iptables rules should be created on the server:

# Allow TUN interface connections to openvpn server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Allow TUN interface connections to get out
iptables -A OUTPUT -o tun+ -j ACCEPT

# allow routing from openvpn tunnels
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -j MASQUERADE
iptables -A FORWARD -i tun+ -s 10.2.2.0/24 -j ACCEPT

In your gateway/router you need to create a routing entry that routes traffic for the 10.2.2.0/24 subnet to the OpenVPN server and back. In Linux it'd be something like:

# 10.11.11.1 is the IP of the openvpn server
route add -net 10.2.2.0/24 gw 10.11.11.1

What this means in practice is that once you establish a remote connection to that OpenVPN server you can reach computers in the shielded network. These computers should be able to reach your computer also, through the same OpenVPN connection.

It also means these shielded computers now send and receive traffic that is going over the Internet, albeit through an encrypted VPN connection. This means they're now less secure (if ever so slightly) than before, which may be a problem.

Realise that your home computer now is a gateway to access this shielded network... depending on how determined someone is to access it this may pose a problem. :-)

aseq
  • Thank you for your detailed answer. I'll have to practice a bit with OpenVPN, as I said I have never used it before. I understand the risks of opening an access to the network but since this connection will be available only around 5 hours per week, since the openvpn connection requires authentication and since my computer is quite safe (never had intrusion/virus problems on my linux box) I believe this risk is tiny. Any suggestion about making it safer? – Luca Jun 14 '12 at 01:13
  • I was being somewhat tongue in cheek. I mean if this was a top secret government network, then your home being a way into it would pose a problem. But otherwise using openvpn is very safe. – aseq Jun 14 '12 at 07:35
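The rule set in aseq's answer accepts anything that arrives on or leaves through tun+, and masquerades the VPN subnet out of every interface. As an added example (not aseq's rules, and not part of the original answer), the script below keeps the same TUN design and the same two subnets but narrows it: forwarding is allowed only between the VPN subnet and the isolated LAN, return traffic is matched by connection tracking, NAT is applied only towards the LAN interface, everything else that tries to cross the box is logged and dropped, and the box itself exposes only the OpenVPN port to the Internet. The LAN interface name (eth0), the OpenVPN port (1194/udp) and the use of SSH for managing the box are assumptions.

```sh
#!/bin/sh
# Added example, not the rule set from the answer above: a tighter
# firewall for the OpenVPN box in TUN mode. Subnets are the ones used in
# the answer; the LAN interface name and the OpenVPN port are assumptions.

VPN_NET="${VPN_NET:-10.2.2.0/24}"   # OpenVPN client subnet (from the answer)
LAN_NET="${LAN_NET:-10.11.11.0/24}" # isolated network (from the answer)
LAN_IF="${LAN_IF:-eth0}"            # assumed name of the isolated-LAN interface
VPN_PORT="${VPN_PORT:-1194}"        # assumed OpenVPN listening port

vpn_gateway_rules() {
    # Set IPT=echo in the environment to print the rules instead of
    # applying them; no root or iptables is needed for such a dry run.
    ipt="${IPT:-iptables}"

    # Start from empty chains so the script can be re-run safely.
    $ipt -F INPUT
    $ipt -F FORWARD
    $ipt -t nat -F POSTROUTING

    # INPUT: the box itself only exposes the OpenVPN port to the Internet.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    # SSH to the box only from the isolated LAN or from inside the tunnel,
    # never from the GPRS uplink.
    $ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -i tun+ -s "$VPN_NET" -p tcp --dport 22 -j ACCEPT

    # FORWARD: VPN clients <-> isolated LAN only, in both directions.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -i tun+ -s "$VPN_NET" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o tun+ -d "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Anything else trying to cross the box (e.g. a LAN host reaching for
    # the GPRS uplink) is logged before the DROP policy discards it.
    $ipt -A FORWARD -j LOG --log-prefix "vpn-fwd-drop: " --log-level 4

    # NAT only towards the isolated LAN, never towards the uplink, so the
    # box cannot quietly become an Internet gateway for the LAN.
    $ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE

    # Default deny for everything not matched above.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
}

case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 && vpn_gateway_rules ;;
    show)  IPT=echo; vpn_gateway_rules ;;
    *)     echo "usage: $0 apply|show" >&2 ;;
esac
```

Run it as `sh vpn-rules.sh show` to review the generated rules, and as root with `apply` to install them (the `apply` branch also enables IP forwarding, which the page's rules need but do not switch on). Because the VPN subnet is masqueraded behind the box's LAN address, the LAN gateway needs no extra route, but LAN hosts can only answer connections from VPN clients, not open new ones towards them; if that is wanted, drop the MASQUERADE line and use the route entry from the answer instead. The log lines with the `vpn-fwd-drop:` prefix are the place to look when something that should not be crossing the box is trying to.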