Discussion:
multiple openvpn servers???
Steve Holdoway
2011-02-03 04:06:23 UTC
The problem I'm trying to solve is how to connect road warrior pcs, with
redirected gateways, and dedicated DNS servers to the same server that I
want to connect my local network to, just routing the necessary, and
leaving my dns well alone.

The simplest solution is to run more than one vpn server - using
separate ports, but it didn't work when I tried it. Is it possible? or
are there clever config things I can use to identify my net and modify
the config accordingly?

Any suggestions gratefully received. Google and I aren't seeing eye to
eye on this one.

Cheers,

Steve
--
Steve Holdoway BSc(Hons) MNZCS <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa
David Pando
2011-02-03 04:51:42 UTC
Post by Steve Holdoway
The problem I'm trying to solve is how to connect road warrior pcs, with
redirected gateways, and dedicated DNS servers to the same server that I
want to connect my local network to, just routing the necessary, and
leaving my dns well alone.
The simplest solution is to run more than one vpn server - using
separate ports, but it didn't work when I tried it. Is it possible? or
are there clever config things I can use to identify my net and modify
the config accordingly?
Any suggestions gratefully received. Google and I aren't seeing eye to
eye on this one.
Not sure if I understood your problem correctly. By default not all traffic
is routed through the VPN interface, unless you set the redirect-gateway
option. If you need the clients to resolve your DNS internal names you'll
need to push the address of your internal DNS servers using the push
"dhcp-option DNS" directive.
_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
Steve Holdoway
2011-02-03 05:02:21 UTC
Post by David Pando
Post by Steve Holdoway
The problem I'm trying to solve is how to connect road warrior pcs, with
redirected gateways, and dedicated DNS servers to the same server that I
want to connect my local network to, just routing the necessary, and
leaving my dns well alone.
The simplest solution is to run more than one vpn server - using
separate ports, but it didn't work when I tried it. Is it possible? or
are there clever config things I can use to identify my net and modify
the config accordingly?
Any suggestions gratefully received. Google and I aren't seeing eye to
eye on this one.
Not sure if I understood your problem correctly. By default not all traffic
is routed through the VPN interface, unless you set the redirect-gateway
option. If you need the clients to resolve your DNS internal names you'll
need to push the address of your internal DNS servers using the push
"dhcp-option DNS" directive.
The problem is that I want this to happen for everyone except me!

Steve
--
Steve Holdoway BSc(Hons) MNZCS <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa
David Pando
2011-02-03 07:00:58 UTC
Post by Steve Holdoway
Post by David Pando
Post by Steve Holdoway
The problem I'm trying to solve is how to connect road warrior pcs, with
redirected gateways, and dedicated DNS servers to the same server that I
want to connect my local network to, just routing the necessary, and
leaving my dns well alone.
The simplest solution is to run more than one vpn server - using
separate ports, but it didn't work when I tried it. Is it possible? or
are there clever config things I can use to identify my net and modify
the config accordingly?
Any suggestions gratefully received. Google and I aren't seeing eye to
eye on this one.
Not sure if I understood your problem correctly. By default not all traffic
is routed through the VPN interface, unless you set the redirect-gateway
option. If you need the clients to resolve your DNS internal names you'll
need to push the address of your internal DNS servers using the push
"dhcp-option DNS" directive.
The problem is that I want this to happen for everyone except me!
You can apply different configuration policies to different clients by using
the client-config-dir directive

http://workaround.org/openvpn-faq#client-config-dir
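As an added example of the client-config-dir approach David points to (this is not code from the thread or from the OpenVPN project): a constructed server.conf pushes redirect-gateway and a DNS server to every road warrior, while a ccd file for one assumed client CN, 'office-gw', opts out with push-reset and declares its LAN with iroute (which needs the matching route line in the server config); the helper computes the push list each client actually ends up with.

```python
"""Effective OpenVPN push list per client, after its ccd file is applied.
Added example, not code from the thread or the OpenVPN project; configs
are constructed samples and 'office-gw' is an assumed client CN."""
import shlex

# Constructed server config: every client inherits these push options
# unless its client-config-dir (ccd) file overrides them.
SERVER_CONF = """
port 1194
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
route 192.168.1.0 255.255.255.0
client-config-dir ccd
"""

# Constructed ccd files keyed by client CN (on disk: ccd/<CN>).
CCD = {
    # push-reset drops the global push list; iroute maps the LAN to it.
    "office-gw": """
push-reset
iroute 192.168.1.0 255.255.255.0
""",
    # OpenVPN 2.4+ form: strip only the two unwanted options.
    "office-gw-2.4": """
push-remove redirect-gateway
push-remove dhcp-option
iroute 192.168.1.0 255.255.255.0
""",
}


def _directives(text):
    """Yield (name, args) for each non-comment line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def effective_push(common_name, server_conf=SERVER_CONF, ccd=CCD):
    """Return (pushed options, iroutes) the server applies to this client.

    Modelled: global push list first, then the ccd file in order, where
    push-reset clears the list, push-remove drops entries that start with
    its argument and push appends. No ccd file: global list unchanged."""
    pushes = [a[0] for n, a in _directives(server_conf) if n == "push"]
    iroutes = []
    for name, args in _directives(ccd.get(common_name, "")):
        if name == "push-reset":
            pushes = []
        elif name == "push-remove":
            pushes = [p for p in pushes if not p.startswith(args[0])]
        elif name == "push":
            pushes.append(args[0])
        elif name == "iroute":
            iroutes.append(tuple(args))
    return pushes, iroutes


def gets_full_tunnel(common_name):
    """(default route redirected?, DNS overridden?) for this client CN."""
    pushes, _ = effective_push(common_name)
    return (any(p.startswith("redirect-gateway") for p in pushes),
            any(p.startswith("dhcp-option DNS") for p in pushes))
```

The OpenVPN manual warns that push-reset also discards server-generated pushes such as route-gateway and topology, which is why 2.4 added push-remove; the second ccd sample shows that narrower form.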
Dave Lane
2011-02-03 06:57:49 UTC
Steve,

We run 3 OpenVPN servers on our main VPN server simultaneously,
listening on 3 different ports. No problems.

Cheers,

Dave
Post by Steve Holdoway
The problem I'm trying to solve is how to connect road warrior pcs, with
redirected gateways, and dedicated DNS servers to the same server that I
want to connect my local network to, just routing the necessary, and
leaving my dns well alone.
The simplest solution is to run more than one vpn server - using
separate ports, but it didn't work when I tried it. Is it possible? or
are there clever config things I can use to identify my net and modify
the config accordingly?
Any suggestions gratefully received. Google and I aren't seeing eye to
eye on this one.
Cheers,
Steve
--
Dave Lane, Egressive Ltd ***@egressive.com m +64212298147 p +6439633733
http://egressive.com Free/OpenSourceSoftware: because to share is human
Only use Open Standards - w3.org, Drupal powers communities - drupal.org
Effusion Group http://effusiongroup.com Software Patents kill innovation

Ben M.
2011-02-03 07:13:11 UTC
Given the increasing bias of our governments (AU/NZ) to monitor our net
communications (all in the name of horrid child pornography/war on error) .... is
there any real merit in an ordinary user subscribing to a commercial VPN
provider for TCP tunneling or is that being too paranoid?




________________________________
From: Dave Lane <***@egressive.com>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Thu, 3 February, 2011 7:57:49 PM
Subject: Re: [nzlug] multiple openvpn servers???

Steve,

We run 3 OpenVPN servers on our main VPN server simultaneously,
listening on 3 different ports. No problems.

Cheers,

Dave

Mark Foster
2011-02-03 07:56:40 UTC
I don't follow your post, Ben -

The VPN is only going to encapsulate (and thus encrypt) data between your
endpoints.

If endpoint (near) is your laptop and endpoint (far) is your home, or
office, then it's effectively providing 'local loop' protection. This
might be important for ...

Routing purposes (giving you access to resources on the inside of your home
or corporate LAN which sit on RFC1918 space)

or for authentication purposes (if you can get onto your VPN,
you've established your credibility and thus are permitted to get past
your RFC1918/NAT or past your Firewall and into said resources on your
home/corporate LAN)

or for simple privacy and protection (so you can use wifi hotspots, which
are not encrypted, and not stress so much about your unencrypted Layer 4+
stuff (such as pop3, or web browsing))

or for your own security (firesheep, anyone?)

All of the above are perfectly good reasons to run VPNs and have nothing
whatsoever to do with ISP-to-ISP communications (which you're still
dependent on if your intention is to access resources _beyond_ the remote
VPN endpoint.)

Mark.
Post by Ben M.
Given the increasing bias of our governments (AU/NZ) to monitor our net
communications (all in the name of horrid child pornography/war on error) .... is
there any real merit in an ordinary user subscribing to a commercial VPN
provider for TCP tunneling or is that being too paranoid?




________________________________
From: Dave Lane <***@egressive.com>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Thu, 3 February, 2011 7:57:49 PM
Subject: Re: [nzlug] multiple openvpn servers???

Steve,

We run 3 OpenVPN servers on our main VPN server simultaneously,
listening on 3 different ports. No problems.

Cheers,

Dave
Jim Cheetham
2011-02-03 08:44:25 UTC
Post by Mark Foster
I don't follow your post, Ben -
I think he's talking about using a VPN that terminates on the public
Internet, but in a different jurisdiction.

So if NZ are 'watching everything' that's cleartext, he will set up a
VPN to a US-based server, sending all his traffic offshore so that NZ
cannot understand it, and the VPN endpoint will re-send in cleartext
to the actual destinations requested.

This is really a solution looking for a problem; if you think NZ are
wanting to examine your traffic, you can bet your bottom dollar that
the US already are, and/or that the VPN server provider either
currently is, or soon will be.

Ben, you should read up on the Tor Project,
http://www.torproject.org/, who will do what you describe but in a
much more extreme form. They can describe the implications, good and
bad, of their model much better than a commercial operator who is
looking for your $$$ ever can.

Another use of VPNs like that is to access services that are blocked
by "country of origin"; generally TV on-demand services. So if you
tunneled everything to a server in the UK, you could watch some of the
BBC on-demand programmes. Actually you only really need a proxy to do
that, the encryption part of the VPN is unnecessary overhead if that's
your real goal.

-jim

Nevyn
2011-02-03 09:43:24 UTC
Post by Jim Cheetham
This is really a solution looking for a problem; if you think NZ are
wanting to examine your traffic, you can bet your bottom dollar that
the US already are, and/or that the VPN server provider either
currently is, or soon will be.
This is assuming that he's looking at the U.S. Tunneling through to...
There's a few more countries in the world other than the U.S., U.K.,
Australia and NZ right?

I vaguely remember hearing of someone doing that sort of thing with a
group of friends though they were mainly into piracy - in which case
it was easier for them to put a torrent client on the VPS and scp the
files over.

This has the feel of a question you might ask a magic 8 ball to me. I
can't for the life of me explain why.

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Ben M.
2011-02-03 09:50:32 UTC
Thank you Mark for taking the time to reply.

Yes, Jim is correct, in that I was talking about remote termination on the
Internet but my query was poorly termed or phrased. I do nothing on the WWW that
would warrant attention by any LE entity but my query was in response to my
Privacy/Civil Liberty concerns regarding the cleartext transmission of all my
(and others') internet-based communications.

I have read about Tor and had always gained the impression that it was a tool
for dissidents, people who reside in unfriendly jurisdictions etc. However I
will look again and assess it for my needs.




________________________________
From: Jim Cheetham <***@gonzul.net>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Thu, 3 February, 2011 9:44:25 PM
Subject: Re: [nzlug] openvpn servers
Post by Mark Foster
I don't follow your post, Ben -
I think he's talking about using a VPN that terminates on the public
Internet, but in a different jurisdiction.

So if NZ are 'watching everything' that's cleartext, he will set up a
VPN to a US-based server, sending all his traffic offshore so that NZ
cannot understand it, and the VPN endpoint will re-send in cleartext
to the actual destinations requested.

This is really a solution looking for a problem; if you think NZ are
wanting to examine your traffic, you can bet your bottom dollar that
the US already are, and/or that the VPN server provider either
currently is, or soon will be.

Ben, you should read up on the Tor Project,
http://www.torproject.org/, who will do what you describe but in a
much more extreme form. They can describe the implications, good and
bad, of their model much better than a commercial operator who is
looking for your $$$ ever can.

Another use of VPNs like that is to access services that are blocked
by "country of origin"; generally TV on-demand services. So if you
tunneled everything to a server in the UK, you could watch some of the
BBC on-demand programmes. Actually you only really need a proxy to do
that, the encryption part of the VPN is unnecessary overhead if that's
your real goal.

-jim

Nevyn
2011-02-03 10:03:03 UTC
Post by Ben M.
Thank you Mark for taking the time to reply.
Yes, Jim is correct, in that I was talking about remote termination on the
Internet but my query was poorly termed or phrased. I do nothing on the WWW that
would warrant attention by any LE entity but my query was in response to my
Privacy/Civil Liberty concerns regarding the cleartext transmission of all my
(and others') internet-based communications.
I have read about Tor and had always gained the impression that it was a tool
for dissidents, people who reside in unfriendly jurisdictions etc. However I
will look again and assess it for my needs.
Speaking of civil liberties and the like - I noticed last night a
camera on a busy intersection near where I live. A funky piece of
equipment - has the ability to swivel and pan. And wasn't pointed at
the intersection....

Went up rather quietly...

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Ben M.
2011-02-03 11:23:55 UTC
Hi Nevyn,

Hope all is well with you. Location of said "traffic camera"? Will have to email
the Team @ OSM and suggest that for a future project of the week ... Identify by
Location and/or Type, visible IP cameras in your local area.




________________________________
From: Nevyn <***@gmail.com>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Thu, 3 February, 2011 11:03:03 PM
Subject: Re: [nzlug] openvpn servers
Post by Ben M.
Thank you Mark for taking the time to reply.
Yes, Jim is correct, in that I was talking about remote termination on the
Internet but my query was poorly termed or phrased. I do nothing on the WWW that
would warrant attention by any LE entity but my query was in response to my
Privacy/Civil Liberty concerns regarding the cleartext transmission of all my
(and others') internet-based communications.
I have read about Tor and had always gained the impression that it was a tool
for dissidents, people who reside in unfriendly jurisdictions etc. However I
will look again and assess it for my needs.
Speaking of civil liberties and the like - I noticed last night a
camera on a busy intersection near where I live. A funky piece of
equipment - has the ability to swivel and pan. And wasn't pointed at
the intersection....

Went up rather quietly....

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Nevyn
2011-02-03 21:48:09 UTC
Post by Ben M.
Hi Nevyn,
Hope all is well with you. Location of said "traffic camera"? Will have to email
Location and/or Type, visible IP cameras in your local area.
Not a bad idea. Robin? Corner Dominion Rd and Valley Rd on "The
Dominion" corner.

Yeah not bad with me - a little stressed. Loads going on. Overseas
travel in the near future. Possibly losing my "unemployed" status
soonish. - weird because I was thinking I seem to be working very hard
to be unemployed ;)

Regards,
Nevyn
http://nevsramblings.blogspot.com/

Robin Paulson
2011-02-04 02:29:48 UTC
Post by Nevyn
Post by Ben M.
Hi Nevyn,
Hope all is well with you. Location of said "traffic camera"? Will have to email
Location and/or Type, visible IP cameras in your local area.
Not a bad idea. Robin? Corner Dominion Rd and Valley Rd on "The
Dominion" corner.
we're starting open street map new zealand meetings soon, i'm always
open to hearing about mini projects to get people interested
--
robin

http://tangleball.org.nz/ - Auckland's Creative Space
http://bumblepuppy.org/blog/

Ben M.
2011-02-04 20:30:51 UTC
Haha, great to hear about your travel and maybe employment ... you deserve a
break.

Sometimes the greatest plans...



________________________________
From: Nevyn <***@gmail.com>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Fri, 4 February, 2011 9:48:09 AM
Subject: Re: [nzlug] openvpn servers

Not a bad idea. Robin? Corner Dominion Rd and Valley Rd on "The
Dominion" corner.

Yeah not bad with me - a little stressed. Loads going on. Overseas
travel in the near future. Possibly losing my "unemployed" status
soonish. - weird because I was thinking I seem to be working very hard
to be unemployed ;)

Regards,
Nevyn

Jim Cheetham
2011-02-03 22:46:46 UTC
Post by Ben M.
would warrant attention by any LE entity but my query was in response for my
Privacy/Civil Liberty concerns regarding the cleartext transmission of all my
(and others') internet-based communications.
I have read about Tor and had always gained the impression that it was a tool
for dissidents, people who reside in unfriendly jurisdictions etc. However I
will look again and assess it for my needs.
What's the difference?

You are dissenting from the view that "they" should be able to examine
everything. You feel that examining everything you do is "unfriendly".
You are a prime candidate to use Tor ...

However using Tor has side-effects, normally around the speed and
reliability of access (and there are some edge cases worthy of
consideration if you think you or Tor are being actively targeted by
someone). The "dissidents" you seem to be talking about probably have
no choice but to put up with the side-effects; you might decide that
it is too big a sacrifice.

Mind you, Tor is mostly about anonymity. You still have to encrypt the
conversations you use over Tor so that the last node doesn't see what
you are doing (even though it won't know who you are).

Encrypt everything. Make sure your mail client is using TLS or SSL for
everything, switch providers if necessary. Use SSL on as many websites
as possible (see the Firefox extension
http://www.eff.org/https-everywhere HTTPS-Everywhere). Stop using
protocols and servers that don't do encryption. Stop using services
that store and/or sell your data (Facebook, etc). Read what the EFF
says!

-jim

Ben M.
2011-02-04 09:14:37 UTC
Fair point ... never really thought of non-compliance with the norm as being
dissent but it is.

As for the Firefox HTTPS Everywhere, I had that installed on FF 3.6 and there
were few sites that were not capable of HTTPS connections. Sadly, the bug bear
for me was the default Google search page not being the "normal" one but the
HTTPS one which is quite limited in terms of search flexibility, and that was
enough to hasten its disabling.

Have not enabled it for FF 4.0, but I will. Appreciate the advice.




________________________________
From: Jim Cheetham <***@gonzul.net>
To: NZLUG Mailing List <***@linux.net.nz>
Sent: Fri, 4 February, 2011 10:46:46 AM
Subject: Re: [nzlug] openvpn servers

What's the difference?

You are dissenting from the view that "they" should be able to examine
everything. You feel that examining everything you do is "unfriendly".
You are a prime candidate to use Tor ...

However using Tor has side-effects, normally around the speed and
reliability of access (and there are some edge cases worthy of
consideration if you think you or Tor are being actively targeted by
someone). The "dissidents" you seem to be talking about probably have
no choice but to put up with the side-effects; you might decide that
it is too big a sacrifice.

Mind you, Tor is mostly about anonymity. You still have to encrypt the
conversations you use over Tor so that the last node doesn't see what
you are doing (even though it won't know who you are).

Encrypt everything. Make sure your mail client is using TLS or SSL for
everything, switch providers if necessary. Use SSL on as many websites
as possible (see the Firefox extension
http://www.eff.org/https-everywhere HTTPS-Everywhere). Stop using
protocols and servers that don't do encryption. Stop using services
that store and/or sell your data (Facebook, etc). Read what the EFF
says!

-jim
