
Re: [Openvpn-users] Is OpenVPN the right tool for me?

  • Subject: Re: [Openvpn-users] Is OpenVPN the right tool for me?
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Mon, 19 May 2003 08:06:51 -0000


Yes, what you are asking for is possible.  In fact, OpenVPN is well suited for
these kinds of tasks (i.e. operating in an environment where there are
firewalls or NAT translation existing between the VPN peers that you have no
control over).

First, set up a tunnel between your laptop and your FreeBSD server.  On the
FreeBSD side, don't use --remote so that OpenVPN will be in listen mode.  Open
up a UDP port in the firewall for OpenVPN on the FreeBSD side (I'm assuming
that you have full control of the FreeBSD server).  On the laptop side, use
--remote (pointing to the FreeBSD side) and --ping 10.  We are assuming that
your client's firewall will see the pings going out, and therefore allow the
return packets from the FreeBSD side to come back in, also performing the
necessary NAT.  While this is the default case with most firewalls, a firm
that leans on the more paranoid side could conceivably disable this
capability.  Start the tunnel and confirm that packets are going in both
directions (such as by using --verb 7 and pinging across the tunnel).  Now
configure the routing.  What you want to do in order to achieve maximum
security against a sniffer on your client/employer's LAN is set up your
default route to point to the remote tunnel endpoint (i.e. the second IP
address given to the --ifconfig option), but then (to keep an infinite
forwarding loop from occurring) create another route that explicitly forwards any traffic
bound to your FreeBSD server through your client/employer's gateway.  On the
FreeBSD side, you will need to configure NAT on the remote tunnel endpoint
(which would be the laptop side) of the tunnel.  If everything works
correctly, your FreeBSD server will essentially become a transparent proxy for
all of your laptop's IP traffic.  The one extra detail to note is that when
referencing your FreeBSD server from your laptop for services such as mail,
ftp, X, nfs, etc., you will need to use the OpenVPN remote endpoint address. 
If you use the public IP address, traffic will NOT use the tunnel.  And then
you might want to add a route for your client/employer's LAN as well (on the
laptop), so that traffic doesn't get thrown over the tunnel to the FreeBSD
side, only to find there's no way to get back.

Good luck,


"John A. Kilpatrick" <john@xxxxxxxxxxxxx> said:

> Here is the problem I am trying to solve:
> I want to be able to ensure that the network I am using (most likely that
> of an employer/client) isn't sniffing traffic going to/from my laptop.
> Seems pretty simple in theory.  Right now I am able to handle mail, at
> least, via an SSH tunnel.  I can do SOCKS/web proxy stuff via that as well.
> What I'm looking to do though is set up an encrypted tunnel between my
> co-located server (running FreeBSD) and my laptop (Mac OS X) such that all
> network traffic to/from my laptop is sent over this tunnel and my server
> forwards it to the internet, so that I can not only read mail and browse the
> web but run things like AIM/ICQ/etc in a secure manner (in the sense of the
> work-site being able to sniff it).  And in addition to security I want to be
> able to avoid their firewall restrictions (since if I can forward it over
> the tunnel then it doesn't matter if the firewall blocks AIM or not).
> So is OpenVPN the right tool for me?  Or am I misunderstanding its
> functionality?
> -- 
>                                John A. Kilpatrick
> john@xxxxxxxxxxxxx                Email|     http://www.hypergeek.net/
> john-page@xxxxxxxxxxxxx      Text pages|          ICQ: 19147504
>                  remember:  no obstacles/only challenges
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

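The procedure James lays out above (static-key point-to-point tunnel, the laptop's route changes in an order that avoids the forwarding loop, NAT on the FreeBSD side, and the reminder to reach the server's own services via the tunnel endpoint) as an added POSIX shell example. This is not code from the original thread or from the OpenVPN project. All addresses, the interface name em0, the port, and the pf NAT syntax are assumptions; the script only prints the plan and checks it, it does not change routes, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical addresses; the
# script prints a plan and never changes routes, so it runs without root.

SERVER_PUB=203.0.113.10   # assumed public IP of the co-located FreeBSD box
TUN_LOCAL=10.8.0.2        # laptop end of the tunnel (first --ifconfig arg there)
TUN_REMOTE=10.8.0.1       # FreeBSD end of the tunnel
LAN_NET=192.168.1.0/24    # assumed employer/client LAN
LAN_GW=192.168.1.1        # assumed employer/client default gateway
KEY=static.key            # shared secret made once with: openvpn --genkey --secret static.key

# Static-key point-to-point tunnel. Server: no --remote, so it listens.
# Client: --remote plus --ping 10, so the client-side NAT/firewall keeps
# seeing outbound UDP and lets the replies back in.
server_cmd() {
  printf 'openvpn --dev tun --ifconfig %s %s --secret %s --port 1194 --verb 3\n' \
    "$TUN_REMOTE" "$TUN_LOCAL" "$KEY"
}
client_cmd() {
  printf 'openvpn --dev tun --ifconfig %s %s --secret %s --remote %s --port 1194 --ping 10 --verb 3\n' \
    "$TUN_LOCAL" "$TUN_REMOTE" "$KEY" "$SERVER_PUB"
}

# Laptop routes (BSD/Mac OS X syntax). Order matters: the host route to the
# server via the employer gateway and the LAN route must exist before the
# default route is moved onto the tunnel, or the encrypted UDP itself gets
# routed into the tun device (the infinite forwarding loop the post warns about).
laptop_routes() {
  printf 'route add -host %s %s\n' "$SERVER_PUB" "$LAN_GW"
  printf 'route add -net %s %s\n' "$LAN_NET" "$LAN_GW"
  printf 'route change default %s\n' "$TUN_REMOTE"
}

# FreeBSD side: enable forwarding and NAT the laptop's tunnel address out the
# public interface. pf syntax and em0 are assumptions; 2003-era FreeBSD would
# have used ipfw + natd for the same effect.
server_nat() {
  printf 'sysctl net.inet.ip.forwarding=1\n'
  printf 'nat on em0 from %s to any -> (em0)\n' "$TUN_LOCAL"
}

# Guard: the host route to the server must come before the default change.
check_laptop_plan() {
  plan=$(laptop_routes)
  host_line=$(printf '%s\n' "$plan" | grep -n -- "-host $SERVER_PUB" | cut -d: -f1)
  def_line=$(printf '%s\n' "$plan" | grep -n -- "change default" | cut -d: -f1)
  [ -n "$host_line" ] && [ -n "$def_line" ] && [ "$host_line" -lt "$def_line" ]
}

# Longest-prefix-match simulation of the finished laptop table, to see where a
# packet would go: /32 host route, then the LAN /24, then default via tunnel.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
in_net() {  # in_net <ip> <cidr>
  net=${2%/*}; prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}
next_hop() {  # next_hop <destination-ip>
  if [ "$1" = "$SERVER_PUB" ]; then echo "$LAN_GW"   # tunnel carrier: via LAN gateway, in the clear
  elif in_net "$1" "$LAN_NET"; then echo "$LAN_GW"  # local LAN: not thrown over the tunnel
  else echo "$TUN_REMOTE"                            # everything else: encrypted to FreeBSD
  fi
}
# Consequence of the host route: mail/ftp/X/nfs clients must be pointed at
# TUN_REMOTE, never at SERVER_PUB, or that traffic bypasses the tunnel.

# Stand-alone run: print the whole plan and a few routing decisions.
printf '# FreeBSD:\n'; server_cmd; server_nat
printf '# laptop:\n';  client_cmd; laptop_routes
printf '# verify with: ping -c 3 %s (use --verb 7 on both ends if it fails)\n' "$TUN_REMOTE"
for dst in 198.51.100.7 "$SERVER_PUB" 192.168.1.50; do
  printf '%-15s -> %s\n' "$dst" "$(next_hop "$dst")"
done
```

The next_hop output makes the post's two caveats concrete: the server's public address and the local LAN leave via the employer gateway unencrypted, everything else goes to the FreeBSD end of the tunnel, so the server's own services must be addressed by the tunnel endpoint to be protected.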