All Road Warrior IP routed through office(VPN) possible ?

Guus Sliepen guus at sliepen.eu.org
Fri Aug 15 21:51:05 CEST 2003


On Fri, Aug 15, 2003 at 02:31:00AM -0700, gary ng wrote:

> What I want to know is if there is a way to have all
> traffic go through the VPN back to the office (192.168.x.x) and
> out to the internet from there (assuming the gateway is
> 192.168.1.1). I understand that some form of proxy arp
> is needed at the office side.

There are two ways to do this. One is, as you say, using proxy arp on
the office side. The other way is to bridge the office LAN with the VPN.
The first way is easier to set up; the second way is more powerful
(you'll even be able to communicate via IPX and AppleTalk over the VPN
that way).

> What I don't know is how to setup the road warrior.
> 
> I see two issues(for the moment) that I don't know how
> to solve :
> 
> 1. DNS/WINS
> 
> When I get public internet access, the DNS is
> usually set up by the ISP through DHCP or PPP. But once
> I have linked to the office, I want the DNS to point
> to the office DNS, as there may be internal servers
> that the public DNS doesn't know and I need to access.
> However, at the same time, tinc should still use the
> public DNS to look up the VPN gateway back at the office
> or other branches (am I right about this?)

If the Address variable in the host config file of your office contains
a hostname, then tinc has to do a hostname lookup when connecting to the
office. In that case, it needs to use the ISP's DNS server. If you know
that your office has a fixed IP address, you can use that instead. tinc
will not have to do a DNS lookup then, so you can let the road warrior
use the company's VPN all the time.

In the former case, you can use the fact that tinc will start the script
hosts/office-up when it has made a connection to the office, and
hosts/office-down when that connection goes down. You can let those
scripts update your DNS settings. On UNIX, this script could be as
trivial as making a backup of /etc/resolv.conf and replacing it with
another one. On Windows, I wouldn't know how to do that :).

> 2. routing
> 
> If I set the default gateway to the one on the VPN
> (192.168.1.1), tinc would have a problem sending the UDP
> packets through the real public interface (10.0.1.10)
> back to the office (as they should go through the gateway
> provided by the ISP). If I use the ISP setting (default
> gateway 10.0.1.1), any IP outside the
> VPN (192.168.x.x) will go out naked. This may not be
> desirable, as for example in some countries the
> authorities may block access to certain addresses (say
> CNN.COM), but if I go through my office network back in
> the USA, there won't be such restrictions.

Add a default route via 192.168.1.1 on the VPN, and add another route
that just says the IP address of the office (as seen on the Internet)
should be routed via the gateway of the ISP. This way tinc's traffic to
the office will go via the normal way, but everything else will go via
the VPN.

> Is this possible for road warrior ?

So, yes.

> The problem is with the road warrior, where
> it serves two roles: as a gateway for tinc itself (to the
> public) and as a VPN gateway for private communication at
> the same time.

You're right, it will be tricky. It certainly is doable, but I don't
know how easy it is to automate it, since different locations may have
different problems for your road warrior.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
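An added worked example, not from this thread and not part of tinc itself, of the route and DNS changes discussed above as one POSIX shell file that can serve as both hosts/office-up and hosts/office-down. All addresses, the names ISP_GATEWAY, VPN_GATEWAY, OFFICE_DNS, RESOLV_CONF and DRY_RUN, and the use of Linux's `ip route` are assumptions for illustration; REMOTEADDRESS is the variable tinc 1.0 exports to host scripts with the peer's Internet address, with a constructed fallback for versions that do not set it.

```bash
#!/bin/sh
# Added example for the tinc road-warrior setup discussed in the thread.
# Not tinc's own code. Install as hosts/office-up and symlink it to
# hosts/office-down; tinc runs the first when the connection to the
# office comes up and the second when it goes down.
#
# Assumed topology (all addresses are constructed for the example):
#   OFFICE_PUBLIC - the office's Internet-facing address (the tinc peer)
#   ISP_GATEWAY   - the default gateway handed out by the local ISP
#   VPN_GATEWAY   - the office-side router reachable over the VPN
#   OFFICE_DNS    - the internal DNS server at the office
#
# REMOTEADDRESS is set by tinc for host scripts; the fallback is a
# made-up address for when it is not exported.

OFFICE_PUBLIC="${REMOTEADDRESS:-203.0.113.10}"
ISP_GATEWAY="${ISP_GATEWAY:-10.0.1.1}"
VPN_GATEWAY="${VPN_GATEWAY:-192.168.1.1}"
OFFICE_DNS="${OFFICE_DNS:-192.168.1.53}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# routes_up: pin the office's public address to the ISP gateway FIRST,
# then make the VPN the default route. In the other order there is a
# moment where tinc's own UDP to the office would be routed into the VPN.
routes_up() {
    run ip route add "$OFFICE_PUBLIC/32" via "$ISP_GATEWAY"
    run ip route replace default via "$VPN_GATEWAY"
}

# routes_down: reverse routes_up, falling back to the ISP's gateway.
routes_down() {
    run ip route replace default via "$ISP_GATEWAY"
    run ip route del "$OFFICE_PUBLIC/32" via "$ISP_GATEWAY"
}

# dns_up: keep a copy of the ISP's resolv.conf (tinc needs that resolver
# to find the office again after a reconnect) and point the system at
# the office DNS. An existing backup is never overwritten, so a second
# "up" without an intervening "down" cannot lose the ISP settings.
dns_up() {
    [ -f "$RESOLV_CONF.tinc-backup" ] || cp "$RESOLV_CONF" "$RESOLV_CONF.tinc-backup"
    printf 'nameserver %s\n' "$OFFICE_DNS" > "$RESOLV_CONF"
}

# dns_down: restore the ISP resolver saved by dns_up.
dns_down() {
    if [ -f "$RESOLV_CONF.tinc-backup" ]; then
        mv "$RESOLV_CONF.tinc-backup" "$RESOLV_CONF"
    fi
}

# Dispatch on the script name (office-up / office-down) or on ACTION.
case "${ACTION:-$(basename "$0")}" in
    up|*-up)     routes_up; dns_up ;;
    down|*-down) routes_down; dns_down ;;
esac
```

Run it with DRY_RUN=1 ACTION=up to see the route commands without touching the system. The -down half matters as much as the -up half: if the office is named by hostname in its host config, the next connection attempt only succeeds if the ISP resolver has been put back. If resolv.conf on the laptop is rewritten by a DHCP client or resolver daemon, that tool will undo the swap, and the same change has to be made through it instead.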