One IP address or DNS name for a host both on the local network and on the other side of the OpenVPN tunnel
There is a host that is usually located on the local subnet (10.0.0.0/24) and is sometimes connected through an OpenVPN tunnel (in which case it ends up on the VPN subnet 10.0.1.0/24).
The host must be reachable by its IP address on the local subnet 10.0.0.0/24 or by DNS name, regardless of whether it is connected locally or via VPN. I think the situation is common, but I could not find a stable, fast, ready-made solution.
The VPN server runs on an OpenWrt device with an OpenVPN server and the dnsmasq daemon that ships by default as DHCP and DNS. I would prefer not to replace dnsmasq with another DNS server, but I am considering options. The device also does the routing.
I have actually already solved the problem in the way described below, but the complexity of the solution worries me a lot. I am convinced there is a simpler and more obvious way; please share your thoughts and criticize the following solution.
I solved it with iptables by redirecting all traffic from IP A.A.A.A on the local subnet 10.0.0.0/24 to IP B.B.B.B on the VPN subnet 10.0.1.0/24 while the host is connected via VPN.
To do this, two parameters were added to openvpn.conf:

```
script-security 2
learn-address /etc/openvpn/scripts/redirect.sh
```

The script /etc/openvpn/scripts/redirect.sh:

```sh
#!/bin/sh
case "$1" in   # $1 = add|update|delete, $2 = client address, $3 = common name (add/update only)
add|update)
  iptables -t nat -I PREROUTING -d A.A.A.A -j DNAT --to-destination B.B.B.B # the redirect itself
  iptables -I FORWARD -d B.B.B.B -j ACCEPT
  ifconfig br-lan:1 A.A.A.A netmask 255.255.255.0 up # The most interesting part! For the redirect to work for hosts on the local subnet, a virtual interface with IP A.A.A.A has to be brought up on the VPN server. Otherwise hosts on the local subnet do not go through the gateway, the redirect rules do not apply to them, and their ARP requests for A.A.A.A are doomed...
  ;;
delete)
  ifconfig br-lan:1 down # remove the stub interface so the host can get its A.A.A.A IP back without a conflict
  iptables -t nat -D PREROUTING -d A.A.A.A -j DNAT --to-destination B.B.B.B # remove the traffic redirect
  iptables -D FORWARD -d B.B.B.B -j ACCEPT
  ;;
esac
```
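The script above has two weak spots a reviewer would point at: learn-address fires for every client that connects, so the DNAT and the address alias are applied whichever client it is, and the rules are inserted again on every call without ever being checked. The following learn-address hook is an added example, not the asker's script and not OpenVPN's or OpenWrt's own code; it applies the same DNAT plus address-alias trick but only for one named client, inserts each rule once (iptables -C), handles the "update" operation, and narrows the FORWARD rule to LAN-to-tunnel traffic. All addresses, interface names and the common name are assumed placeholders; it also assumes the ip utility is available (busybox ip on OpenWrt) and that the client's VPN address is pinned.

```sh
#!/bin/sh
# Added example, not the asker's redirect.sh: an OpenVPN learn-address hook that
# applies the same DNAT + address-alias trick, but only for one named client,
# survives being called twice (idempotent), and handles the "update" operation.
# Every address, interface and name below is an assumed placeholder.
LAN_IP="${LAN_IP:-10.0.0.50}"           # the host's usual LAN address (A.A.A.A)
VPN_IP="${VPN_IP:-10.0.1.50}"           # the address OpenVPN gives it (B.B.B.B)
CLIENT_CN="${CLIENT_CN:-roaming-host}"  # common name in that client's certificate
LAN_IF="${LAN_IF:-br-lan}"
VPN_IF="${VPN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the commands instead of running them

# run CMD...: execute CMD, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# rule_exists TABLE CHAIN RULE...: true if iptables already holds this rule
# (iptables -C). In dry-run mode we pretend it is absent so the add is shown.
rule_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    rt=$1; shift
    iptables -t "$rt" -C "$@" 2>/dev/null
}

# ipt_add / ipt_del TABLE CHAIN RULE...: insert once, delete without complaint.
ipt_add() {
    t=$1; shift
    rule_exists "$t" "$@" || run iptables -t "$t" -I "$@"
}
ipt_del() {
    t=$1; shift
    run iptables -t "$t" -D "$@" 2>/dev/null || true
}

redirect_on() {
    # Answer ARP for A.A.A.A on the LAN ourselves; otherwise LAN peers never
    # send the packets to the router and the DNAT rule is never consulted.
    run ip addr add "$LAN_IP/24" dev "$LAN_IF" 2>/dev/null || true
    ipt_add nat PREROUTING -i "$LAN_IF" -d "$LAN_IP" -j DNAT --to-destination "$VPN_IP"
    # Narrower than "-I FORWARD -d B.B.B.B -j ACCEPT": only LAN -> tunnel traffic
    # bypasses the normal forwarding policy, and only for this one address.
    ipt_add filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$VPN_IP" -j ACCEPT
}

redirect_off() {
    ipt_del filter FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$VPN_IP" -j ACCEPT
    ipt_del nat PREROUTING -i "$LAN_IF" -d "$LAN_IP" -j DNAT --to-destination "$VPN_IP"
    # Give A.A.A.A back so the host can reclaim it when it returns to the LAN.
    run ip addr del "$LAN_IP/24" dev "$LAN_IF" 2>/dev/null || true
}

# OpenVPN invokes the hook as:  add|update ADDRESS COMMON_NAME   or   delete ADDRESS
learn_address() {
    op=$1; addr=$2; cn=$3
    case "$op" in
        add|update)
            # The hook fires for every client, so act only for the roaming host
            # and only for the address it is expected to receive.
            if [ "$cn" = "$CLIENT_CN" ] && [ "$addr" = "$VPN_IP" ]; then
                redirect_on
            fi
            ;;
        delete)
            # No common name is passed on delete; match on the address instead.
            if [ "$addr" = "$VPN_IP" ]; then
                redirect_off
            fi
            ;;
    esac
    return 0   # a non-zero exit here would make OpenVPN reject the client's address
}

case "${1:-}" in
    add|update|delete) learn_address "$@" ;;
esac
```

Install it in place of redirect.sh with the same `script-security 2` / `learn-address` lines, and give the roaming client a fixed tunnel address (a `client-config-dir` file with `ifconfig-push`) so that VPN_IP is predictable and the address check in the hook actually means something. `DRY_RUN=1 ./redirect.sh add 10.0.1.50 roaming-host` prints the commands it would run, which is the easiest way to check the rule set before letting OpenVPN call it.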
In BIND, views are used for this case.
That is, for one subnet the zone is served as, for example, internal, and for another as external.
Not sure whether this option suits you.
Maybe it will be easier for you to bridge OpenVPN, and then the host will have the same IP in both cases.
The easiest way is to take two MikroTiks (Cisco, Juniper) and set up IPsec from point A to point B in tunnel mode.
True, you can also set up SSL on OpenWrt the same way.
In a word, site-to-site, and you will forget about the problems.
Or two network cards through which you go out to the VPN, marking the traffic by which network card it came from and sending it back out through that one... (in my opinion, crutches.......)