0

What I have is simple but I got a VPN issue that I don't know how to solve. In general I want to route public domains differently within a VPN. See the current role of a Debian host:

  • A public available foo.example.com with HTTPS served by a reverse proxy
  • This host (that runs the reverse proxy) may also be the VPN-Server
  • Same host has a virtualization running as the counterpart for foo.example.com:443
  • Same thing for other public (sub-)domains, each mapping to one virtualization withing the 10.0.0.0/8 network on the host.

So this host is the VPN-Server and contains some virtualizations to serve HTTPS for some public (sub-)domains. So currently a traceroute foo.example.org ends up on the Host-Machine.

For people connected to the VPN resolving things shall be different:

  1. curl foo.example.org shall no longer connect to the Host-Machine (as a reverse proxy) but directly to the virtualization (10.1.2.3).
  2. ssh foo.example.org shall also no longer connect to the Host-Machine but to the virtualization (10.1.2.3).
  3. Optional: All other domains can be resolved as the ISP of the client likes to.

I hope that all of this can be configured within the OpenVPN-Server, in the .ovpn-Config-File or on the Host-Machine. Because I like to keep it dead simple for clients by just giving them the .ovpn config and nothing else (almost).

Hint: The ovpn-Config contains a cert for connecting to the VPN if that is of interest.

Cornfused
  • 1
  • 1
  • Perhaps we need to know a bit more about your current VPN & DNS configuration, like which DNS servers are being used by the VPN clients? – Tommiie Oct 03 '18 at 09:22

1 Answers1

0

With OpenVPN, you can use the push option to send that address of DNS server(s) to the client.

The bind DNS server can be configured to serve different data to different views. Views can be assigned depending on originating IP addresses.

So you can configure your DNS server to give different answers to the range of IP addresses that you assign to your VPN clients.

Another option is to push the VPN server as the default gateway and then use iptables to redirect packets to your virtual machines. This would make the whole redirect transparent to the clients.

RalfFriedl
  • 3,108
  • 4
  • 13
  • 17