Mailing List Archive: vpnc: devel

VPN without messing with routes.

Index | Next | Previous | View Threaded

dwmw2 at infradead

Jun 4, 2009, 5:12 PM

Post #1 of 6 (1372 views)
Permalink

VPN without messing with routes.

I've been playing with ways to maintain a fairly clean separation
between real-world networking and the VPN. Keeping them in order can be
really painful when there are a lot of 'real' IP addresses which need to
be routed through your VPN and you can't just have a simple rule of
"RFC1918 addresses through VPN, real addresses to the real world".

The network namespace support which has been added to the Linux kernel
recently means that there are a bunch of interesting things we can do.

You start by moving vpnc's tundev into a private namespace of its own,
where it's the _only_ network device (and, of course the default route).
Then do whatever you like to expose that to the 'real' network namespace
in a controlled fashion.

One option, of course, is just to run a SOCKS server in the VPN's
network-namespace, set up so that it can listen for requests from the
normal network-namespace, and forward them on the VPN. You could perhaps
use this script as the basis for something which does that, but this
script does something different instead...

What this script does it make any address xx.yy.zz.ww on the VPN
reachable not by IPv4, but instead by making an _IPv6_ connection to the
address fec0:0:0:ffff:0:0:xxyy:zzww -- using the same mechanism (NAT-PT)
that lets IPv6-only hosts talk to Legacy IP networks.

So rather than messing with the IPv4 routing in the 'normal' system, you
just hijack an otherwise-unused tiny corner of the IPv6 address space
instead -- and you can get to _all_ hosts on the VPN, and all hosts in
your normal IPv4 address space simultaneously.

I haven't yet completely sorted out DNS. Obviously you want to couple
this with a trick DNS server that will return appropriately-mapped IPv6
addresses whenever it's asked for a host within the VPN domain.

There's totd which does almost mostly what we want, but it's not quite
right -- if we ran that we'd _also_ have to run dnsmasq to split VPN
queries from real-world queries anyway. Since dnsmasq can do a huge
amount of munging of queries already, it's probably best to add
this kind of support to dnsmasq. It shouldn't be hard.

Based on an earlier implementation by Johannes.

--
dwmw2

Attachments:

vpnc-netns.sh (4.22 KB)

dwmw2 at infradead

Jun 6, 2009, 4:39 AM

Post #2 of 6 (1299 views)
Permalink

Re: VPN without messing with routes. [In reply to]

On Fri, 2009-06-05 at 01:12 +0100, David Woodhouse wrote:
> I've been playing with ways to maintain a fairly clean separation
> between real-world networking and the VPN. Keeping them in order can be
> really painful when there are a lot of 'real' IP addresses which need to
> be routed through your VPN and you can't just have a simple rule of
> "RFC1918 addresses through VPN, real addresses to the real world".
>
> The network namespace support which has been added to the Linux kernel
> recently means that there are a bunch of interesting things we can do.

Here's another option -- this script will set up a new network namespace
for the VPN, and run sshd in it. Then it's just as if you had a SSH
bastion host which granted access to your VPN, and you don't have to
screw with your _real_ routing and DNS.

Hm, I just realised that I haven't fixed DNS. We can't
change /etc/resolv.conf inside the VPN 'namespace' because that's shared
with the rest of the system. I think we need to point /etc/resolv.conf
at localhost and then run dnsmasq in both environments.

I'll git that and commit it -- I've created a git repository at
git.infradead.org/users/dwmw2/vpnc-scripts.git where I'll continue to
play silly buggers with scripts that work with both vpnc and openconnect
(and possibly other VPN dæmons). I also fixed the standard vpnc-script
so that it doesn't need to be created from vpnc-script.in any more.

Perhaps it would make sense to ship that as a separate package so that
both vpnc and openconnect can depend on it? I currently have openconnect
packages pulling in all of vpnc, which is kind of suboptimal.

--
dwmw2

Attachments:

vpnc-script-sshd (7.84 KB)

dcbw at redhat

Jun 7, 2009, 10:13 AM

Post #3 of 6 (1289 views)
Permalink

Re: VPN without messing with routes. [In reply to]

On Sat, 2009-06-06 at 12:39 +0100, David Woodhouse wrote:
> On Fri, 2009-06-05 at 01:12 +0100, David Woodhouse wrote:
> > I've been playing with ways to maintain a fairly clean separation
> > between real-world networking and the VPN. Keeping them in order can be
> > really painful when there are a lot of 'real' IP addresses which need to
> > be routed through your VPN and you can't just have a simple rule of
> > "RFC1918 addresses through VPN, real addresses to the real world".
> >
> > The network namespace support which has been added to the Linux kernel
> > recently means that there are a bunch of interesting things we can do.
>
> Here's another option -- this script will set up a new network namespace
> for the VPN, and run sshd in it. Then it's just as if you had a SSH
> bastion host which granted access to your VPN, and you don't have to
> screw with your _real_ routing and DNS.
>
> Hm, I just realised that I haven't fixed DNS. We can't
> change /etc/resolv.conf inside the VPN 'namespace' because that's shared
> with the rest of the system. I think we need to point /etc/resolv.conf
> at localhost and then run dnsmasq in both environments.

For NM, I've wanted for a long time to just run dnsmasq as a local
caching nameserver by default. We tried that with bind a few years
back, but people for some reason had severe allergic reactions to
running bind in that config (even though it only ever listened on
127.0.0.1). Whatever. Time to push local caching NS by default again
perhaps?

Dan

> I'll git that and commit it -- I've created a git repository at
> git.infradead.org/users/dwmw2/vpnc-scripts.git where I'll continue to
> play silly buggers with scripts that work with both vpnc and openconnect
> (and possibly other VPN dæmons). I also fixed the standard vpnc-script
> so that it doesn't need to be created from vpnc-script.in any more.
>
> Perhaps it would make sense to ship that as a separate package so that
> both vpnc and openconnect can depend on it? I currently have openconnect
> packages pulling in all of vpnc, which is kind of suboptimal.
>
> _______________________________________________
> vpnc-devel mailing list
> vpnc-devel [at] unix-ag
> https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
> http://www.unix-ag.uni-kl.de/~massar/vpnc/

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

johannes at sipsolutions

Jun 7, 2009, 10:30 AM

Post #4 of 6 (1074 views)
Permalink

Re: VPN without messing with routes. [In reply to]

On Sun, 2009-06-07 at 13:13 -0400, Dan Williams wrote:

> > Hm, I just realised that I haven't fixed DNS. We can't
> > change /etc/resolv.conf inside the VPN 'namespace' because that's shared
> > with the rest of the system. I think we need to point /etc/resolv.conf
> > at localhost and then run dnsmasq in both environments.

I only ran dnsmasq outside and never needed any DNS inside, why would
you need DNS inside?

> For NM, I've wanted for a long time to just run dnsmasq as a local
> caching nameserver by default. We tried that with bind a few years
> back, but people for some reason had severe allergic reactions to
> running bind in that config (even though it only ever listened on
> 127.0.0.1). Whatever. Time to push local caching NS by default again
> perhaps?

Yeah, that would be nice, if the VPN plugins could specify what to
resolve how/where, but it would also need to be configurable.

johannes

Attachments:

signature.asc (0.78 KB)

dwmw2 at infradead

Jun 7, 2009, 11:22 AM

Post #5 of 6 (1295 views)
Permalink

Re: VPN without messing with routes. [In reply to]

On Sun, 2009-06-07 at 19:30 +0200, Johannes Berg wrote:
> On Sun, 2009-06-07 at 13:13 -0400, Dan Williams wrote:
>
> > > Hm, I just realised that I haven't fixed DNS. We can't
> > > change /etc/resolv.conf inside the VPN 'namespace' because that's shared
> > > with the rest of the system. I think we need to point /etc/resolv.conf
> > > at localhost and then run dnsmasq in both environments.
>
> I only ran dnsmasq outside and never needed any DNS inside, why would
> you need DNS inside?

There has to be _some_ DNS inside. You ssh into this 'host' and run
netcat there to connect to internal machines -- and you're using the
SOCKS5 (or SOCKS4A) support in sshd inside it. It needs to see the
'internal' DNS.

But the _outside_ probably _doesn't_ want to be afflicted with the
internal DNS. Especially when companies do this moronic schizodns thing
where they override the 'company.com' namespace for the internal domain
instead of using something separate like 'company.internal', you really
don't want it to infect your real setup.

The VPN netns needs to have DNS for the VPN; the normal netns needs to
have proper _external_ DNS. So you just point both of them at localhost
and have a different instance of dnsmasq running in each.

--
dwmw2

_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

nick at nick-andrew

Jun 11, 2009, 1:48 AM

Post #6 of 6 (1274 views)
Permalink

Re: VPN without messing with routes. [In reply to]

On Fri, Jun 05, 2009 at 01:12:34AM +0100, David Woodhouse wrote:
> What this script does it make any address xx.yy.zz.ww on the VPN
> reachable not by IPv4, but instead by making an _IPv6_ connection to the
> address fec0:0:0:ffff:0:0:xxyy:zzww -- using the same mechanism (NAT-PT)
> that lets IPv6-only hosts talk to Legacy IP networks.

That sounds pretty nifty ... I will google NAT-PT and see how it works.

Nick.
_______________________________________________
vpnc-devel mailing list
vpnc-devel [at] unix-ag
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads