VPN stuff

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am


Post by Tux »

Right guys, I have a little problem for ye.

Background:
I am going to be setting up a small network for a new business. I want to be able to remotely administer all of the boxes from home (saving a 600-mile round trip). I am planning to do this using FreeS/WAN IPsec between their firewall box and mine at home.

The Problem:
Although I want to be able to get into their boxes to administer things, I don't particularly want all of my home network appearing to them!
What I'm asking then is: what is the best way for me to get into their network to do my funky stuff without them being confused by the appearance of all my boxes on their network?

My initial thought was that maybe I could set up the tunnel between my box and their firewall so that only my main box connected to their network. I could then use iptables to make myself invisible. It would be like this:

x,y,z----A------'big bad net'------B-----D

Where:
x,y,z Represents their private subnet.
A Represents their firewall.
B Represents my firewall.
D Represents my machine.

But I think this is flawed in that my firewall, B, is going to mangle the packets and upset VPN, no?

TIA

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

I take it basic SSH access will not be enough? You can do quite a lot with an SSH connection. I usually forward ssh to a server, but restrict to just your home IP address. You can even put it on a port other than 22 if you wanted to obfuscate it slightly. Unless something has changed recently, setting up FreeS/WAN can be a big hairy deal (I used to have a 3 way VPN between my house and my two other partners using FreeS/WAN). I have some ideas if you must use it. But what can't you do via ssh?

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux »

Their internal desktops will be Windows machines :roll:

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

You can still use ssh. I used to use ssh port forwarding to forward Windows VNC and terminal server ports over an ssh tunnel:

http://www.uk.research.att.com/archive/vnc/sshvnc.html

Worked pretty good, as long as you had ssh access into a Linux or UNIX server. Of course if you do set up an encrypted tunnel with FreeS/WAN you will still be able to use iptables to set up firewall rules between your network and theirs just as you do between your network and the internet.

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux »

Good idea. Can I do the same with rdesktop, and how would I go about it?

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

You should be able to do it with anything. Just forward the ts port rather than the VNC port (what is that 3389?). You just have to know the ports to forward. I used to have a Linux server that I ssh'd directly into (ssh was forwarded on the firewall to this server). I had created several little scripts on that server so I didn't have to type the long ssh commands in for the various forwarding I wanted to do. In fact if you are really good you should be able to create scripts on your local machine to do the ssh into the remote machine and set up the tunnel directly. That would require more than one level of ssh commands. I don't have any Winblows machines here at home so I'll have to check the port and get the right ssh command tomorrow at work. Basically you'll forward the port to your loopback address and connect to it with your client (e.g. rdesktop localhost).

Tux
guru
Posts: 689
Joined: Wed Jan 08, 2003 10:40 am

Post by Tux »

Thanks Void, it worked great.
I used:
ssh -L 3389:192.168.0.7:3389 root@remotefw

Thanks again.
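A small wrapper around the ssh -L forward used in this thread, added here as an example and not posted by either participant. It follows Void Main's advice of forwarding the terminal-server port (3389) to the loopback address and connecting with rdesktop localhost, but makes the loopback bind explicit (127.0.0.1: prefix), opens no remote shell (-N), uses a non-root tunnel account instead of root@remotefw, and aborts if the forward cannot be set up (ExitOnForwardFailure). The host names, the tunnel user and the 192.168.0.7 desktop address are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): ssh local port forward for RDP,
# bound to loopback, with input checks. Hosts/users below are placeholders.

RDP_PORT=3389

# valid_port NUM -> returns 0 if NUM is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd LOCAL_PORT TARGET_HOST TARGET_PORT SSH_USER SSH_HOST
# Prints the ssh command that forwards 127.0.0.1:LOCAL_PORT on this machine
# to TARGET_HOST:TARGET_PORT as reached from SSH_HOST (the remote firewall).
# -N: no remote shell, just the forward; ExitOnForwardFailure: fail loudly.
build_tunnel_cmd() {
    local_port=$1; target_host=$2; target_port=$3; ssh_user=$4; ssh_host=$5
    valid_port "$local_port"  || { echo "bad local port: $local_port" >&2; return 1; }
    valid_port "$target_port" || { echo "bad target port: $target_port" >&2; return 1; }
    [ -n "$target_host" ] && [ -n "$ssh_user" ] && [ -n "$ssh_host" ] \
        || { echo "usage: build_tunnel_cmd LPORT HOST PORT USER SSHHOST" >&2; return 1; }
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$local_port" "$target_host" "$target_port" "$ssh_user" "$ssh_host"
}

# start_rdp_tunnel TARGET_HOST SSH_USER SSH_HOST [LOCAL_PORT]
# Starts the forward in the background and prints its PID. Connect with:
#   rdesktop 127.0.0.1:LOCAL_PORT        (LOCAL_PORT defaults to 3389)
# Stop it with: kill <pid>
start_rdp_tunnel() {
    cmd=$(build_tunnel_cmd "${4:-$RDP_PORT}" "$1" "$RDP_PORT" "$2" "$3") || return 1
    $cmd &
    echo $!
}

# Example (placeholder values): forward local 3389 to the Windows desktop
# 192.168.0.7 behind the firewall remotefw, logging in as tunneluser.
#   pid=$(start_rdp_tunnel 192.168.0.7 tunneluser remotefw)
#   rdesktop 127.0.0.1:3389
```

The explicit 127.0.0.1 bind matters because an ssh -L forward listens on whatever the local sshd/ssh GatewayPorts setting allows; pinning it to loopback keeps the forwarded RDP port reachable only from the administering machine, which is the "invisible" behaviour Tux was after. Using a dedicated, non-root tunnel account on the firewall (ideally with shell access disabled and only port forwarding allowed) limits what a compromised home machine could do on the far side.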
