linux
sixhundredsixtyfive, 2013-11-18 12:03:31

One IP address or DNS name for a host both on the local network and on the other side of the OpenVPN tunnel

There is a host that is usually on the local subnet (10.0.0.0/24) and is sometimes connected through an OpenVPN tunnel (it is then moved to the VPN subnet 10.0.1.0/24).
The node must be reachable by its IP address from the local subnet 10.0.0.0/24 or by DNS name regardless of how it is connected, locally or via VPN. I think the situation is common, but I could not find a stable and fast-working ready-made solution.
The VPN server runs on a device with OpenWrt, with an OpenVPN server and the dnsmasq daemon that comes by default as DHCP and DNS. I would not like to replace dnsmasq with any other DNS server, but options are being considered. The same device also does the routing.
Actually, I have already solved the problem in the way described below. But I am very worried about the complexity of the solution. I am convinced that there is an easier and more obvious way; please share your thoughts and criticize the following solution.
I solved it with iptables, redirecting all traffic for IP AAAA on the local subnet 10.0.0.0/24 to IP BBBB on the VPN subnet 10.0.1.0/24 while the host is connected via VPN.
To do this, the following was added to openvpn.conf:

script-security 2
learn-address /etc/openvpn/scripts/redirect.sh

which runs the redirect.sh script whenever a client connects or disconnects.
If a node that was on the local network under IP AAAA connects and its IP in the VPN subnet becomes BBBB, the script does this:
iptables -t nat -I PREROUTING  -d A.A.A.A -j DNAT --to-destination B.B.B.B # the redirect itself
iptables -I FORWARD -d B.B.B.B -j ACCEPT
# The most interesting part! For the redirect to work for nodes in the local subnet, a virtual interface with IP A.A.A.A has to be brought up on the VPN server. Otherwise nodes in the local subnet do not go through the gateway, the redirect rules do not apply to them, and their ARP requests for IP A.A.A.A are doomed...
ifconfig br-lan:1 A.A.A.A netmask 255.255.255.0 up

And when the node disconnects from the VPN and moves back to the local subnet under IP AAAA, redirect.sh does this:
ifconfig br-lan:1 down # remove the placeholder interface so the node can get its A.A.A.A IP back without an address conflict
iptables -t nat -D PREROUTING  -d A.A.A.A -j DNAT --to-destination B.B.B.B # remove the traffic redirect
iptables -D FORWARD -d B.B.B.B -j ACCEPT

Thus the node always remains reachable under IP AAAA. It works.
Let's be a bit more specific. The node that moves between the local subnet and the VPN subnet is a mobile device connected either via WiFi or via VPN. The VPN server and router is a single router running OpenWrt. The other nodes in the network run Windows, Linux, Android, etc., so the solution must be universal and must not touch client configuration; only the router decides everything.
Please suggest your solutions: for example, one DNS name resolving to different IPs, setting up a DDNS server, some kind of smart routing, and so on. Criticism is welcome, first of all from the point of view of security, fault tolerance and irrationality.
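As an added illustration (not the asker's redirect.sh and not OpenWrt or OpenVPN project code), the learn-address hook below implements the same DNAT plus alias-address trick with the changes a practitioner would want. OpenVPN calls the hook with the operation, the VPN address and, only for add/update, the certificate common name; on delete no CN is passed, so the hook keeps a small state file per VPN address to know which LAN address to release. It acts only for an allowlisted CN (the hook runs as root with an attacker-influenced CN otherwise), restricts the DNAT to packets entering from the LAN bridge, skips iroute subnet entries, and uses "ip addr" with a /32 instead of an ifconfig alias. The bridge name br-lan, the CN "phone", the LAN address 10.0.0.50 and the state directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the asker's redirect.sh: an OpenVPN learn-address hook.
# OpenVPN invokes it as:  add|update VPN_IP CN   or   delete VPN_IP
# Assumed (hypothetical) values: bridge br-lan, CN "phone" at LAN 10.0.0.50.

LAN_IF=${LAN_IF:-br-lan}
STATE_DIR=${STATE_DIR:-/tmp/openvpn-redirect}

# Allowlist: certificate CN -> the address the host normally has on the LAN.
# Prints nothing for unknown CNs, so a stray client cannot hijack a LAN address.
lan_ip_for_cn() {
    case "$1" in
        phone) echo 10.0.0.50 ;;
    esac
}

# Print the commands that install (add) or remove (del) the redirect of
# LAN_IP to VPN_IP.  $1 = add|del, $2 = LAN IP, $3 = VPN IP.
rules() {
    case "$1" in
        add) ipt=-I; ipa=add ;;
        del) ipt=-D; ipa=del ;;
        *)   return 1 ;;
    esac
    # -i $LAN_IF: only packets entering from the LAN are rewritten, so neither
    # VPN clients nor the WAN side can trigger the rule.
    echo "iptables -t nat $ipt PREROUTING -i $LAN_IF -d $2 -j DNAT --to-destination $3"
    echo "iptables $ipt FORWARD -i $LAN_IF -d $3 -j ACCEPT"
    # A /32 on the bridge makes the router answer ARP for the absent host
    # without adding a second 10.0.0.0/24 route.
    echo "ip addr $ipa $2/32 dev $LAN_IF"
}

# learn-address entry point. "delete" carries no CN, so the LAN address is
# read back from the state file written on "add".
learn_address() {
    op=$1; vpn_ip=$2; cn=$3
    case "$vpn_ip" in
        */*) return 0 ;;            # iroute subnet entries, not a client address
    esac
    mkdir -p "$STATE_DIR"
    state="$STATE_DIR/$vpn_ip"
    case "$op" in
        add|update)
            lan_ip=$(lan_ip_for_cn "$cn")
            [ -n "$lan_ip" ] || return 0      # not a tracked host
            [ -f "$state" ] && return 0       # already redirected (update)
            echo "$lan_ip" > "$state"
            rules add "$lan_ip" "$vpn_ip"
            ;;
        delete)
            [ -f "$state" ] || return 0
            lan_ip=$(cat "$state")
            rm -f "$state"
            rules del "$lan_ip" "$vpn_ip"
            ;;
    esac
}

# OpenVPN exports script_type to its hooks; only then execute the commands.
# Sourced or run without it, the functions merely print what they would do.
if [ "${script_type:-}" = "learn-address" ]; then
    learn_address "$@" | sh -e
fi
```

Wire it in exactly as in the question (script-security 2 plus learn-address pointing at the script). Two things the script does not handle: the LAN address must stay reserved for the host in dnsmasq (a dhcp-host static lease), otherwise another client may be handed A.A.A.A while the alias is down; and the reply path only works because conntrack reverses the DNAT, which requires the VPN client to send traffic for 10.0.0.0/24 back through the tunnel (a pushed route). If LAN clients use the name rather than the IP, the same hook could instead write "VPN_IP name" into a file that dnsmasq reads through addn-hosts and send dnsmasq a HUP to re-read it, avoiding the DNAT and the alias altogether.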


3 answer(s)
lutskyy, 2013-11-18

In BIND, views are used for this case.
That is, for one subnet the zone is served, for example, as internal, for another as external.
Not sure if this option is right for you.

alz, 2013-11-19

Maybe it would be easier for you to bridge OpenVPN, and then the IP will be the same in both cases.

artjomtro, 2014-09-05

The easiest way is to take two MikroTiks (Cisco, Juniper) and run IPsec from point A to point B in tunnel mode.
True, you can also run SSL on OpenWrt the same way.
In a word, site-to-site, and you will forget about the problems.
Or two network cards through which you go to the VPN, marking the traffic by which network card it came from and sending it out through that one... (in my opinion, crutches.......)
