
Problem

I need to access multiple different VPN networks simultaneously, mainly for HTTP and sometimes SSH. Further, I am not allowed to use openvpn on my workstation (no legal restriction, rather an infrastructure issue). Port forwards are fine.

The following diagram is an attempt to picture the involved parties. My workstation wants to access host1.private-network1.de and host2.private-network1.de, which are not visible to the internet. The institution requires me to enter their VPN to access these machines. The same applies to the third host in the second private network. I need to access the machine on port 22, but this is only possible inside the VPN.

Visualization: Workstation accessing two hosts in private network 1 via port 22 and 80, while also accessing a third host in private network 2 via port 22

My Intended Solution

(Other solutions are also perfectly fine)

I plan on using a proxy server under my control (e.g. a RPI) to connect to the different networks via openvpn. In place, the proxy server allows for port forwards using SSH. On my workstation I could now set up port forwards like:

The solution I have in mind: Proxy host connecting to multiple VPNs simultaneously, providing port forwardings to the target hosts

The question is how to configure multiple OpenVPN networks in Linux, such that I can use simple port forwards (as shown in the picture) to access different hosts in different private networks. The VPNs should only be used for these port forwards. The remaining traffic on the proxy host (like updates) should not be routed via any of these VPN connections. It is even desirable that all the remaining traffic could still be routed via a third VPN, but this may be another question.

OT: Happy Christmas :)

  • Feel free to ask for clarification if the question is unclear. – Michael Hoff Dec 24 '16 at 15:48
  • If you feel an urge to downvote I would be very pleased if you could tell me why is that. A comment does not hurt. Maybe my question contains an obvious mistake. If so, I'd like to know. – Michael Hoff Dec 26 '16 at 13:13
  • The question is very unclear. Explain what hosts are involved. (I am guessing you need to access VPN1, VPN2, VPN3 and the actual network from workstation, and you have another host, ProxyServer which can access the VPNs). Also what hosts are you forwarding the ports to, and why? – Tanmay Dec 28 '16 at 11:25
  • Thank you for your feedback. Is the question more clear now? – Michael Hoff Dec 28 '16 at 14:47
  • So, why not just connect all OpenVPN servers simultaneously and use `iptables` for port forwarding? – Tanmay Dec 28 '16 at 15:11
  • `The remaining traffic on the proxy host (like updates) should not be routed via any of these VPN connections` - Won't be a problem as long as you have the correct default gateway. – Tanmay Dec 28 '16 at 15:13
  • Okay, so do I simply execute multiple openvpn clients (without any special configuration)? Or do I have to tell openvpn not to take over routing? I did not look into `iptables` yet, how would I roughly set up port forwarding over a VPN connection? – Michael Hoff Dec 28 '16 at 19:13
  • I've shown the `iptables` commands in the answer. See if it works out. – Tanmay Dec 28 '16 at 19:56
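The workstation side of the setup the question sketches, as an added example that is not part of the original post: one SSH session to the proxy carries a local forward per private host, either on the command line or as a `~/.ssh/config` stanza. `proxy.example.org` and the local port numbers are assumptions; the private host names are the question's.

```shell
#!/bin/sh
# Added example (not from the question): workstation-side SSH port forwards
# to the proxy host.  proxy.example.org and the local ports are assumptions;
# the private host names follow the question.

PROXY=proxy.example.org      # the RPi reachable from the workstation (assumed)

# <local port> <private host> <target port>, one forward per line
FORWARDS='
2223 host1.private-network1.de 22
8081 host2.private-network1.de 80
2224 host.private-network2.de 22
'

# Build the ssh command line: -N (no remote shell), one -L per entry bound
# to loopback only, and exit if any local port cannot be bound rather than
# silently running with a forward missing.
ssh_forward_cmd() {
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    opts=$(printf '%s\n' "$FORWARDS" | awk 'NF { printf " -L 127.0.0.1:%s:%s:%s", $1, $2, $3 }')
    printf '%s%s %s\n' "$cmd" "$opts" "$PROXY"
}

# Equivalent ~/.ssh/config stanza, so "ssh -N vpn-proxy" does the same job.
ssh_config_stanza() {
    printf 'Host vpn-proxy\n    HostName %s\n    ExitOnForwardFailure yes\n' "$PROXY"
    printf '%s\n' "$FORWARDS" | awk 'NF { printf "    LocalForward 127.0.0.1:%s %s:%s\n", $1, $2, $3 }'
}

# Usage on the workstation:
#   eval "$(ssh_forward_cmd)"          # foreground session carrying the forwards
#   ssh_config_stanza >> ~/.ssh/config # then: ssh -N vpn-proxy
```

The target names in each `-L` are resolved by the proxy's sshd when the first connection arrives, so they must resolve on the proxy, not on the workstation. For browsing many hosts inside one private network, `-D 1080` on the same session gives a SOCKS proxy that resolves names remotely as well, provided the browser is set to send DNS through the proxy.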

1 Answer

I'm assuming both private networks provide a publicly accessible OpenVPN server, and push the appropriate routes.

Just connect to all OpenVPN servers simultaneously from the proxy server. Run `ip route show` to make sure that default traffic is not passing through VPN.

Now use iptables on the proxy server to forward the ports to the private hosts:

# enable forwarding: DNATed packets are forwarded, not delivered locally
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 2223 -j DNAT --to-destination host1.private-network1.de:22
iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to-destination host2.private-network1.de:80
iptables -t nat -A PREROUTING -p tcp --dport 2224 -j DNAT --to-destination host.private-network2.de:22
# source-NAT the forwarded connections so the private hosts reply to the proxy
iptables -t nat -A POSTROUTING -s <WORKSTATION_IP> -j MASQUERADE

Replace <WORKSTATION_IP> with the IP address of Workstation (as seen by the proxy server) and host1.private-network1.de with the IP address through which the private host is accessible to the proxy server.

Now if you want to ssh into host1.private-network1.de, do:

ssh <proxy_server_ip> -p 2223

"In place, the proxy server allows for port forwardings using SSH."

Don't use SSH tunneling. It is unreliable and slow. It's mostly used for creating temporary tunnels.

Tanmay
  • What if `host1.private-network1.de` is only resolvable via the DNS server of the private network 1? I am missing the magic which tells the system to resolve `host1.private-network1.de` in the context of `tun0`. Also, what if I wanted to use a SOCKS proxy for the web stuff in private network 1? Maybe other hosts inside the private network are to be resolved via this proxy. I am planning to configure a web browser instance with this web proxy to be able to access all the private web sites. – Michael Hoff Dec 29 '16 at 11:55
  • Also, what if the ip of the workstation is not known nor fixed. What if I wanted to use this type of proxy for multiple workstations? – Michael Hoff Dec 29 '16 at 13:25
  • Resolve `host1.private-network1.de` from proxy server using DNS server of `Private Network 1`. `iptables` stores resolved IPs rather than hostnames, anyway. This is assuming that `host1.private-network1.de` has a fixed private IP (which is the case most probably). – Tanmay Dec 29 '16 at 13:28
  • `Also, what if the ip of the workstation is not known nor fixed. What if I wanted to use this type of proxy for multiple workstations?` Then instead of `iptables -t nat -A POSTROUTING -s -j MASQUERADE`, do `iptables -t nat -A POSTROUTING -j MASQUERADE` – Tanmay Dec 29 '16 at 13:29
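An added example, not Tanmay's code, that turns the answer and the comments into a reproducible proxy-side setup: each VPN is pinned to its own tun device, the pushed default route is filtered so the VPNs stay off the proxy's normal traffic, and the DNAT rules are emitted together with the forwarding policy that makes them work. The device names `tun1`/`tun2`, the workstation-facing interface `eth0` and the workstation address `192.0.2.10` are assumptions; the host names and ports follow the answer.

```shell
#!/bin/sh
# Added example (not from the answer): OpenVPN client directives and the
# iptables rule set for a proxy host on several VPNs at once.
# Device names, interfaces and addresses are assumptions for illustration;
# the host names and ports follow the answer.

# One forward per line: <listen port> <private host> <target port> <tun device>
# The tun device is pinned per VPN in the client config (below) so the
# FORWARD and MASQUERADE rules can be tied to the right tunnel.
FORWARDS='
2223 host1.private-network1.de 22 tun1
8081 host2.private-network1.de 80 tun1
2224 host.private-network2.de 22 tun2
'

# Directives appended to one client .ovpn so that this VPN never replaces the
# proxy's default route.  "pull-filter ignore" (OpenVPN 2.4+) drops only the
# pushed redirect-gateway option and keeps the pushed private-network routes
# the answer relies on; "route-nopull" is the stricter alternative but then
# every private subnet needs its own explicit "route <net> <mask>" line.
ovpn_client_directives() {   # $1 = tun device to pin (assumed name)
    printf 'dev %s\n' "$1"
    printf 'pull-filter ignore "redirect-gateway"\n'
    printf 'pull-filter ignore "dhcp-option DNS"\n'   # keep the proxy's own resolver
}

# Emit the iptables commands.  $1 = interface facing the workstation,
# $2 = workstation address or subnet.  Only printed, so this runs without
# root; pipe the output into sh on the proxy to apply it.
iptables_rules() {
    wan_if=$1; client_src=$2
    # Packets DNATed in PREROUTING are forwarded, not delivered locally,
    # so forwarding must be enabled or they are silently dropped.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Default-deny forwarding; allow replies plus the explicit forwards only.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$FORWARDS" | while read -r lport host tport tun; do
        [ -n "$lport" ] || continue
        # Match the ingress interface and source so the forward is not
        # reachable from arbitrary Internet hosts.  iptables resolves the
        # host name once, at insertion time, through the proxy's resolver.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$wan_if" "$client_src" "$lport" "$host" "$tport"
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$wan_if" "$tun" "$host" "$tport"
    done
    # Source-NAT towards each tunnel so the private host replies to the
    # proxy's VPN address; one rule per distinct tun device.
    printf '%s\n' "$FORWARDS" | awk 'NF { print $4 }' | sort -u | while read -r tun; do
        printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$tun"
    done
}

# Usage on the proxy, e.g.:
#   ovpn_client_directives tun1 >> /etc/openvpn/client/network1.conf
#   ovpn_client_directives tun2 >> /etc/openvpn/client/network2.conf
#   iptables_rules eth0 192.0.2.10 | sh
```

Two caveats from the comment thread. If a name such as host1.private-network1.de only resolves inside its VPN, resolve it once on the proxy through that network's DNS server after the tunnel is up (for example `dig +short @<vpn dns> host1.private-network1.de`) and put the address in the table, because the rules above use the proxy's own resolver. And if the workstation address is not fixed, widening the source match to a subnet or to any address also widens who can reach the private hosts: an unrestricted PREROUTING DNAT exposes them to everyone who can reach the proxy's public port, so compensate with a firewall in front of the proxy or by keeping the SSH-based forward, where the proxy authenticates the workstation first.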