Accessing a subnet behind a VPN client from outside - possible?
June 9, 2012 9:31 AM

I use (a variant of) TomatoVPN to allow a Linksys E4200 to connect as a client to a VPN server on a hosted machine elsewhere. Every machine behind the client can access the server too, and other clients connected to the server. But I cannot access those machines behind the router/client from a machine outside of their network.

Is there a way of setting up routing so that those machines are not only able to access the VPN, but able to be accessed from the VPN?
posted by benzo8 to Computers & Internet (4 answers total)
 
So, what you're trying to do is client-to-client VPN? You connect, and Bob connects, and you then talk directly to Bob's computer?

If so, you start OpenVPN (what TomatoVPN is using) with the --client-to-client option. But I'm not sure how to specify arguments like that on Tomato. Maybe there's something in the configuration pages?

Note that this completely bypasses the firewalling engine, so that all clients will be completely open to all other clients. If this is undesirable behavior, there are ways around that, but they're all pretty involved.
posted by Malor at 3:34 PM on June 9, 2012


If I misunderstood that, by the way, can you give me a more concrete example of what's NOT working? Your description has left me fairly confused about what you're trying to accomplish.
posted by Malor at 3:35 PM on June 9, 2012


This is what your network looks like?

(HostA)---(VPNSrv)---{Internet}---(E4200)---(HostB)

So HostB can access VPNSrv and HostA (along with others on the subnet) but you'd also like HostA to be able to access HostB?

If this is the case, I suspect your B-to-A works because all traffic -- the default route -- is through the VPN to VPNSrv. So when you try to get to HostA, the route goes through VPNSrv, which knows how to contact it.

You need to set up the reverse. Add a route to the VPNSrv that points to HostB's subnet through the VPN tunnel. You might need to muck around with iptables (or equivalent) firewall rules.

Don't forget to handle ARP. Use tcpdump to trace how far you're getting.
posted by lalas at 7:03 PM on June 9, 2012
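The "set up the reverse" step above, spelled out as OpenVPN configuration (an added example, not from the thread or from Tomato): the server learns that HostB's subnet lives behind the E4200, and the router decides which LAN hosts tunnel traffic may reach. The tunnel range 10.8.0.0/24, the home LAN 192.168.1.0/24, the client CN names and the interface names are all assumed.

```conf
# --- On VPNSrv: /etc/openvpn/server.conf (lines to add) ---
# Assumed addressing for this example: tunnel 10.8.0.0/24, HostB's LAN
# 192.168.1.0/24, E4200 certificate CN "e4200", phone CN "phone".
server 10.8.0.0 255.255.255.0
# Kernel route on VPNSrv: packets for HostB's LAN are sent into the tun device.
route 192.168.1.0 255.255.255.0
# Per-client files let OpenVPN map that subnet to the *client* that owns it;
# without the matching iroute below the daemon cannot deliver the packets.
client-config-dir /etc/openvpn/ccd
# Deliberately NOT enabling client-to-client (Malor's caveat): with it off,
# client-to-client traffic passes through VPNSrv's kernel, so iptables on the
# server still applies. Requires net.ipv4.ip_forward=1 on VPNSrv.
# client-to-client

# --- On VPNSrv: /etc/openvpn/ccd/e4200 (file name = client CN) ---
# Claim HostB's subnet for this client inside OpenVPN's internal routing.
iroute 192.168.1.0 255.255.255.0

# --- On VPNSrv: /etc/openvpn/ccd/phone ---
# Only the road-warrior client gets the route to the home LAN pushed;
# pushing it to the E4200 itself would collide with its own LAN route.
push "route 192.168.1.0 255.255.255.0"

# --- On the E4200 (OpenVPN client), assumed interfaces: LAN br0, tunnel tun11.
# Forwarding rules, listed explicitly so that only chosen hosts and ports
# are reachable from the VPN and the rest of the home LAN stays closed.
iptables -I FORWARD -i tun11 -o br0 -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -d 192.168.1.20 -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -i tun11 -o br0 -j DROP
# Replies: LAN hosts send 10.8.0.x traffic to their default gateway (the
# router), which returns it through the tunnel; allow established flows only.
iptables -I FORWARD -i br0 -o tun11 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

With this in place `tcpdump -i tun11` on the router shows the inbound requests and `tcpdump -i br0` whether they are handed to the LAN, which is where lalas's "how far are you getting" check applies.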


Response by poster: lalas: "This is what your network looks like?

(HostA)---(VPNSrv)---{Internet}---(E4200)---(HostB)

So HostB can access VPNSrv and HostA (along with others on the subnet) but you'd also like HostA to be able to access HostB?
"

Yup, this is basically the situation. I think messing around with routing might be a little beyond me, so I may be on a hiding to nothing with this. I was hoping to be able to connect to the VPNSrv with my mobile device while away from home and access certain machines in my home network through the VPN, but it looks like I'd need the E4200 to run a server rather than a client, right? Can you run two VPN servers on the same "virtual network", or does that just confuse things too much?
posted by benzo8 at 10:08 AM on June 11, 2012

