
A Linux VPN Router has the IP 192.168.1.1/24 (eth0), in the same network there are other network devices with fixed IPs Machine A 192.168.1.20 and Machine B 192.168.1.21. To access these devices over VPN, I connect to the VPN Server and enter the VPN IP Address of the router and just change the last octet.

For instance if the VPN IP of the router is 10.1.1.1/24, then to access Machine A I go to 10.1.1.20 and to access Machine B 10.1.1.21... All this works perfectly.

The problem is: Sometimes a Machine C and Machine D are also present on the network, but they have other (fixed) IPs outside the subnet, for example: 192.168.2.50 and 192.168.2.51.

On the VPN Router I added a virtual network interface (eth0:0) with IP 192.168.2.1... now I can reach Machine C and D from the router directly using SSH, but neither from Machine A nor B nor over VPN.

Over VPN I'm only allowed to access devices with IP 192.168.1.X.

My goal (or first idea) is to map in the Router the IPs from Machine C and D to another IP to make the VPN Server think that there are two more devices with "reachable" IPs...

For instance, Machine C's real IP 192.168.2.50 should be mapped as 192.168.1.50, and from VPN I would like to access it as 10.1.1.50.

Is this possible? Or maybe someone has a better/simpler idea?

Update 16.11.2015:

The VPN Router has an option where you can add Startup Scripts, in this part I have the following:

#This part comes automatically
iptables -t nat -D PREROUTING -d '10.1.1.0/24' -i tun0 -j NETMAP --to '192.168.1.0/24'
iptables -t nat -I PREROUTING -d '10.1.1.0/24' -i tun0 -j NETMAP --to '192.168.1.0/24'
iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o tun0 -j NETMAP --to '10.0.1.0/24'
iptables -t nat -I POSTROUTING -s '192.168.1.0/24' -o tun0 -j NETMAP --to '10.0.1.0/24'
#Start of manually entered data
ifconfig eth0:1 192.168.2.1
#Reach machine C
iptables -t nat -D PREROUTING -d '10.1.1.50' -i tun0 -j NETMAP --to '192.168.2.50'
iptables -t nat -I PREROUTING -d '10.1.1.50' -i tun0 -j NETMAP --to '192.168.2.50'
iptables -t nat -D POSTROUTING -s '192.168.2.50' -o tun0 -j NETMAP --to '10.1.1.50'
iptables -t nat -I POSTROUTING -s '192.168.2.50' -o tun0 -j NETMAP --to '10.1.1.50'
#Reach machine D
iptables -t nat -D PREROUTING -d '10.1.1.51' -i tun0 -j NETMAP --to '192.168.2.51'
iptables -t nat -I PREROUTING -d '10.1.1.51' -i tun0 -j NETMAP --to '192.168.2.51'
iptables -t nat -D POSTROUTING -s '192.168.2.51' -o tun0 -j NETMAP --to '10.1.1.51'
iptables -t nat -I POSTROUTING -s '192.168.2.51' -o tun0 -j NETMAP --to '10.1.1.51'

Adding the manual entries after the automatically generated ones makes it possible to reach Machine C and Machine D using VPN. The downside is clear: if I have 20 Machines I need a long list to add with iptables. Or is there a better way of doing this?

Direct communication from the 192.168.1.X family (e.g. Machine A and Machine B) to the 192.168.2.X family (e.g. Machine C and Machine D) and vice versa is still not possible.

Ñhosko
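Every host outside 192.168.1.0/24 needs its own four-rule block, because the whole-subnet NETMAP already claims 10.1.1.0/24 for 192.168.1.0/24 and a single VPN address can only translate to one real host. The generator below, an added example in POSIX sh and not code from the question or the router's firmware, emits those blocks for a list of last octets and refuses any octet that would shadow a real 192.168.1.X machine over the VPN; tun0, the subnets and the octets 50/51 come from the post, the LAN_HOSTS list is a constructed sample.

```shell
#!/bin/sh
# Generate per-host NETMAP rule pairs for hosts on a second subnet so that
# they appear inside the VPN-side view of 192.168.1.0/24 (added example).
VPN_IF=tun0          # VPN tunnel interface from the question
VPN_NET=10.1.1       # VPN-side /24 that the router already NETMAPs
LAN_NET=192.168.1    # real LAN /24 behind that NETMAP
OTHER_NET=192.168.2  # second subnet whose hosts keep their last octet

# Constructed sample: last octets of real 192.168.1.X hosts (Machine A, B).
# A VPN address 10.1.1.N already means 192.168.1.N, so N must not be reused.
LAN_HOSTS="20 21"

# is_shadowed OCTET: succeed if 10.1.1.OCTET already names a real LAN host.
is_shadowed() {
    for h in $LAN_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# netmap_rules OCTET: print the four rules for 10.1.1.OCTET <-> 192.168.2.OCTET.
# "-D" first keeps a re-run startup script idempotent; "-I" places the host
# rule ahead of the whole-subnet NETMAP the router inserts automatically.
netmap_rules() {
    vpn="$VPN_NET.$1"
    real="$OTHER_NET.$1"
    for action in D I; do
        printf "iptables -t nat -%s PREROUTING -d '%s' -i %s -j NETMAP --to '%s'\n" \
            "$action" "$vpn" "$VPN_IF" "$real"
    done
    for action in D I; do
        printf "iptables -t nat -%s POSTROUTING -s '%s' -o %s -j NETMAP --to '%s'\n" \
            "$action" "$real" "$VPN_IF" "$vpn"
    done
}

# gen_rules OCTET...: rules for every octet; shadowed ones are reported on
# stderr and skipped instead of silently hiding a real 192.168.1.X host.
gen_rules() {
    for o in "$@"; do
        if is_shadowed "$o"; then
            echo "# skipped $OTHER_NET.$o: $VPN_NET.$o is already $LAN_NET.$o over the VPN" >&2
            continue
        fi
        netmap_rules "$o"
    done
}

# Machine C and D from the question; paste the output into the startup script.
gen_rules 50 51
```

Piping the output into sh applies the rules directly; reviewing it first shows exactly which VPN addresses the second subnet will occupy.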
  • Isn't that where NAT comes in? – John Keates Oct 30 '15 at 13:01
  • Using iptables -nat solved the issue for reaching Machine C and D from VPN, but still no communication between Machine C and Machine A. – Ñhosko Nov 12 '15 at 10:28
  • I'd like to help you out, but I'm going to need a bit more information. For example, do you want to use NAT auto mapping or manual mapping, or mapping of ranges? Can you tunnel additional subnets over the tunnel? What hosts need to talk to what subnets? What routers are on the network? What hosts are multi homed? – John Keates Nov 14 '15 at 18:05
  • I wrote an update on the question, does that answer all your questions? Thanks for helping! – Ñhosko Nov 16 '15 at 08:22

0 Answers