[HLUG] DNS and VPN query

Mark Broadbent mgjbroadbent at gmail.com
Sat Nov 18 11:58:17 UTC 2017


Hi Julian,

My first question would be, if you just need a secure connection, why not just use HTTPS on the web server and use an IP whitelist to restrict access to your office outbound gateway? What additional security is the VPN providing over a modern TLS profile?

If the VPN is required, and I’m making the assumption that it only needs access from your office network, then you could do something like this (note I’m using IPsec, not OpenVPN, as I’ve not used the latter):
* Set up an IPsec transport mode link between the office router and the VPS.
* Define a policy that only permits IPsec-encrypted traffic to the VPS IP.
* Likewise, on the VPS only permit traffic that arrives over IPsec.

The advantage of both these ways is there are no private IP ranges in use, so the FQDN is the public IP.

For the setup you have now, you could insert a DNAT rule in the prerouting table to remap the destination IP to the internal IP address (presuming the OpenVPN connection is made from the office router, not the clients).

The only other way would be to run a DNS server on the VPS; you can then configure the connecting client to use that DNS server and then override the domain (so-called split-horizon DNS) to provide the correct mapping. This may not work depending on the DNSSEC status of the domain and comes with an ongoing maintenance requirement.

Thanks
Mark
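
As an added illustration of the DNAT option described in the reply above (this script is not from the thread or from either poster), here is a small iptables wrapper for the case where the office router terminates the OpenVPN tunnel. It assumes that clients keep resolving the FQDN to the VPS's public address, that the router can rewrite that destination to the VPS's tunnel address and forward the flow over tun0, and that the VPS only accepts HTTPS arriving through the tunnel. Every address and interface name (203.0.113.10, 10.8.0.1, 192.168.0.0/24, br-lan, tun0, the OpenVPN port 1194) is a constructed placeholder to be replaced with the real values. Because conntrack reverses the translation on the reply path, the browser still sees the public address it asked for, so the existing certificate for the FQDN keeps matching.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): DNAT on the office router
# plus an interface-restricted HTTPS rule on the VPS.
# All addresses and interface names are constructed placeholders:
#   PUBLIC_IP - the VPS's public address that the FQDN resolves to
#   VPN_IP    - the VPS's address inside the tunnel (a 10.x address)
#   LAN_NET   - the office LAN behind the router
#   LAN_IF, VPN_IF - interface names on the router (and tun0 on the VPS)
# Set DRY_RUN=1 to print the rules instead of applying them.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed: documentation range
VPN_IP="${VPN_IP:-10.8.0.1}"             # constructed: VPS end of the tunnel
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # constructed: office LAN
LAN_IF="${LAN_IF:-br-lan}"               # constructed: router LAN interface
VPN_IF="${VPN_IF:-tun0}"                 # constructed: OpenVPN interface
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Office router: rewrite HTTPS to the public IP so it is routed into the
# tunnel instead of out to the internet. The DNAT is scoped to the LAN
# source range and to port 443 only, so nothing else is silently redirected.
office_router_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport 443 -j DNAT --to-destination "$VPN_IP:443"
    # Permit the rewritten flow into the tunnel and its replies back out.
    ipt -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -d "$VPN_IP" \
        -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# VPS: the OpenVPN control port stays reachable, HTTPS is accepted only when
# it arrives through the tunnel interface, and any other HTTPS is dropped.
vps_rules() {
    ipt -A INPUT -p udp --dport 1194 -j ACCEPT
    ipt -A INPUT -i "$VPN_IF" -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j DROP
}

case "${1:-}" in
    router) office_router_rules ;;
    vps)    vps_rules ;;
    *)      echo "usage: $0 router|vps   (DRY_RUN=1 prints the rules)" >&2 ;;
esac
```

Run `DRY_RUN=1 sh vpn-dnat.sh router` first to review the generated rules, then apply them on the router and `vps` on the VPS. The DNAT only helps devices whose traffic passes through the router; a phone on mobile data that dials the VPN directly would still resolve the FQDN to the public address and hit the VPS's DROP rule, which is the case the split-horizon DNS option covers.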


> On 17 Nov 2017, at 16:40, Julian Robbins via Herefordshire <herefordshire at mailman.lug.org.uk> wrote:
> 
> Hi all
> 
> I've set up a web server on a remote machine (a VPS on Linode).
> 
> I want to keep the connection between the web server on the Linode secure
> so have installed OpenVPN server on the Linode too.
> 
> I have set up OpenVPN clients on a few PCs and phones in my company locally
> that will connect via the VPN to the secure web server.
> 
> The web server is set up with an FQDN, but I only want to be able to connect
> via the VPN and ban any traffic to it from the web not via the VPN, for which I
> have set up various firewall rules and forwarding which work nicely in
> this respect.
> 
> My problem is that now I reach the web server via https via the VPN it's
> via a local address in the 10.0.0.0 address range.
> 
> So how can I set up a mapping of my FQDN of the web server to this internal
> IP address? I tried setting up some LAN forwarding IP rules in my local
> router, but as the LAN is via the VPN it's not able to set this DNS as the
> client PCs etc. are using a local 192.168.0.x range. I tried adding VLANs to
> the router so I can have two LANs on it, but this wasn't successful.
> 
> I could set up a DNS server on the VPS or just add some simple host entries
> to the clients so they resolve the FQDN, but it appears you can't do this on
> Android phones unless rooted, which they are not...
> 
> Any ideas?
> 
> Please let me know if you need any clarification of the above to answer ...
> 
> Thanks
> Julian
> -- 
> Herefordshire LUG mailing list
> Web:  http://www.herefordshire.lug.org.uk
> List: https://mailman.lug.org.uk/mailman/listinfo/herefordshire
