VPN connection: dynamic route, bldg. DNS

T

The_Immortal2019-04-22 02:12:21

Domain Name System

The_Immortal, 2019-04-22 02:12:21

VPN connection: dynamic route, bldg. DNS | GRE tunnel?

Greetings!
Gentlemen, I have a general question on the optimal organization of the connection between home and corporate networks, which consists of several sub-questions.
So, at work there is a LAN network (192.168.32.0/25) and a VPN for accessing the Internet (192.168.33.0/25). External IP of the VPN server: 91.215.218.123, also known as the DNS server.
Everything is trivial at home: 192.168.1.0/24; external IP white, dynamic.
It is necessary to organize a connection between the home and corporate networks, but at the same time:
a) without using the corp. networks in the form of a common;
b) There must be one DNS server that would resolve the names of corp machines. networks and global names.
I. _ Routing.
Everything is standard here. On the home Win-machine (192.168.1.20) I set a permanent route to access the corp. networks:

route add 192.168.32.0 MASK 255.255.255.128 192.168.33.85 IF 38 METRIC 1 -p

- where "IF 38" (192.168.33.85) is the IP of the VPN.
As a result, in the table I have the following:

spoiler

===========================================================================
Список интерфейсов
 38...........................VPN
 11...f4 d1 08 2b 64 ca ......Intel(R) Wireless-AC 9462
===========================================================================

IPv4 таблица маршрута
===========================================================================
Активные маршруты:
Сетевой адрес           Маска сети      Адрес шлюза       Интерфейс  Метрика
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     50
   91.215.218.123  255.255.255.255      192.168.1.1     192.168.1.20     51 // нафег не нужен
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    306
     192.168.1.20  255.255.255.255         On-link      192.168.1.20    306
    192.168.1.255  255.255.255.255         On-link      192.168.1.20    306
     192.168.32.0  255.255.255.128         On-link     192.168.33.85     36 // добавленный маршрут
   192.168.32.127  255.255.255.255         On-link     192.168.33.85    291
    192.168.33.85  255.255.255.255         On-link     192.168.33.85    291
        224.0.0.0        240.0.0.0         On-link      192.168.1.20    306
        224.0.0.0        240.0.0.0         On-link     192.168.33.85    291
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    306
  255.255.255.255  255.255.255.255         On-link     192.168.33.85    291
===========================================================================
Постоянные маршруты:
  Сетевой адрес            Маска    Адрес шлюза      Метрика
     192.168.32.0  255.255.255.128    192.168.33.85       1
===========================================================================

After that, I can access corp machines by IP. networks.
However, two nuances arise here:
1. After raising the VPN, a completely unnecessary route is automatically created: "91.215.218.123 255.255.255.255 192.168.1.1 192.168.1.20 51" - how can I also automatically delete it?
2. The network administrator reported that the solution is from the category through one place and that it is necessary to create a route dynamically when changing the corresponding interfaces. Is it really more correct? Tried to google for a solution but couldn't find it. Tell me, please, how to do this: with some kind of script or are there built-in solutions?
II . DNS server.
"There must be one DNS server that can resolve corporate network machine names as well as global names." - for this you need to use the corp. The DNS server is 91.215.218.123, but it is not accessible from the outside.
I decided to get around this problem in the following way. Added two DNS to the client interface settings (192.168.1.20):
- preferred: 91.215.218.123 (corporate network);
- alternate: 192.168.1.1. (home network).
And also added the following permanent route:

route add 91.215.218.123 MASK 255.255.255.255 192.168.32.1 IF 38 METRIC 1 -p

As a result, the table is as follows:

spoiler

Список интерфейсов
 38...........................VPN
 11...f4 d1 08 2b 64 ca ......Intel(R) Wireless-AC 9462
===========================================================================

IPv4 таблица маршрута
===========================================================================
Активные маршруты:
Сетевой адрес           Маска сети      Адрес шлюза       Интерфейс  Метрика
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     50
   91.215.218.123  255.255.255.255      192.168.1.1     192.168.1.20     51 // по-прежнему нафег не нужен
   91.215.218.123  255.255.255.255     192.168.32.1    192.168.33.85     36 // добавленный маршрут
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    306
     192.168.1.20  255.255.255.255         On-link      192.168.1.20    306
    192.168.1.255  255.255.255.255         On-link      192.168.1.20    306
     192.168.32.0  255.255.255.128         On-link     192.168.33.85     36
   192.168.32.127  255.255.255.255         On-link     192.168.33.85    291
    192.168.33.85  255.255.255.255         On-link     192.168.33.85    291
        224.0.0.0        240.0.0.0         On-link      192.168.1.20    306
        224.0.0.0        240.0.0.0         On-link     192.168.33.85    291
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    306
  255.255.255.255  255.255.255.255         On-link     192.168.33.85    291
===========================================================================
Постоянные маршруты:
  Сетевой адрес            Маска    Адрес шлюза      Метрика
     192.168.32.0  255.255.255.128    192.168.33.85       1
   91.215.218.123  255.255.255.255     192.168.32.1       1
===========================================================================

Accordingly, when the VPN is up, the resolving of all names goes through the corp. DNS server 91.215.218.123. When the VPN goes down, the alternate home DNS server 192.168.1.1 takes over.
However, here, too, a professional networker slowed me down, saying that in this way a delay would be created.
Therefore, I ask you to tell me how to solve the issue with the DNS server in my case according to my mind?
III . An alternative solution is a GRE tunnel.
In general, the comrade mentioned above recommended to raise a permanent GRE tunnel on a centralized device (router). However, I'm a little stunned by this recommendation.
First, as far as I understand, the GRE tunnel involves the use of static IP addresses at both ends. I have "external IP white, dynamic" at home. Of course, there is DDNS, but it seems that the name in the GRE tunnel organization is inappropriate.
Secondly, when I clarified that while on the road, I would use an Android phone as a router, but I received an answer that there were no problems organizing a GRE tunnel under Android. However, the situation is the same there: dynamic IP addresses and, moreover, they are still sitting behind the provider's NAT.
The questions here are:
1. Is it possible to organize a GRE tunnel with a white dynamic IP address at one end?
2. Is it possible to organize a GRE tunnel with a gray IP address at one end?
3. Does the GRE tunnel exempt from prescribing the same permanent route that was specified in question I?
Thanks to!!!

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

C

CityCat4, 2019-04-22
@CityCat4

For a tunnel with an office, a permanent tunnel, if it is required by work - an admin, for example, is not an option, but actually a necessity, moreover, a tunnel that fits exactly with the router (hardware), and not with the software server on the virtual machine (because the host holding the virtual machine can lie corny).
I don't know what about GRE - but here IPSec easily rises in the so-called roadwarrior mode, when "your" IP may be generally unknown in advance, you only know the IP of the gateway.
With Windows, I really did not succeed. Mikrotiki knitted like this, linux and android.