* Using a remote internet connection.
@ 2003-10-04 0:30 Pete Zieba
2003-10-08 9:45 ` Ralf Spenneberg
From: Pete Zieba @ 2003-10-04 0:30 UTC (permalink / raw)
To: netfilter
Hi!
I have a somewhat odd situation. I am trying to use
the internet connection of a friend through a vpn
tunnel. My reason for this stems from the fact that my
ISP is rather restrictive. I cannot even ping machines
on the internet.
My setup is as follows:
*I have a linux machine, and so does my friend.
*I have iptables and OpenVPN running on both linux machines. The VPN is functional, so is routing.
*Both linux machines have two NICs, eth0 and eth1. Both act as a firewall/gateway for the LAN side.
*eth0 is the LAN side, eth1 the WAN.
*My friend connects to the internet using a cable modem, and has a real IP on the net.
*I would like to use this connection as if I were on his LAN side.
*OpenVPN creates a device, "tun0", which is what my PPP IP is on.
my LAN subnet is 10.0.0.XXX
my VPN PPP IP is 10.0.1.2, which connects to 10.0.1.1
friend's LAN subnet is 10.0.3.XXX
friend's VPN PPP IP is 10.0.1.1, which connects to 10.0.1.2
With this setup, I am currently able to get out to the
internet, as well as ping machines on his network.
I would also like to be able to use his gateway.
OpenVPN adds this entry, which allows me to see machines on his network:
route add -net 10.0.3.0 netmask 255.255.255.0 gw 10.0.1.1
everything up to this point is functional.
This is how I am using his machine as a gateway:
On my linux box, I am doing the following steps:
1. route del default
2. route add -host [friend's cable modem IP] gw [my former default gateway]
3. route add default gw 10.0.1.1
Logic of the steps:
1. Don't want my old default gateway for all traffic.
2. I am using my former default GW in step 2 as a means of connecting to his WAN IP, so that the VPN connection is maintained. This works.
3. I am adding his PPP VPN IP as my default gateway. This kinda works.
I then do the following:
I reconfig my workstation to use his ISP's nameserver.
I can now ping domains (yahoo, etc.)
I CANNOT get to MOST websites. (msn.com is one of my
few successes)
*Note that everything works fine if I try to get to
websites using "links" as a browser in the console of
my linux box. It is only machines on my LAN side that
have problems.
My theory on why this does not fully work:
I am using my workstation, which uses my linux box as
a gateway.
My linux box uses the remote machine as a gateway.
The remote machine uses the cable modem as the
gateway.
Wouldn't the packets trying to get to the net from me
have an extra HOP? Could this be the cause of the
problem?
This is my linux box's routing table before my crazy 3 step idea:

Destination      Gateway       Genmask          Flags  Metric  Ref  Use  Iface
10.0.1.1         *             255.255.255.255  UH     0       0    0    tun0
localnet         *             255.255.255.0    U      0       0    0    eth0
10.0.3.1         10.0.1.1      255.255.255.0    UG     0       0    0    tun0
[my WAN subnet]  *             255.255.254.0    U      0       0    0    eth1
loopback         *             255.0.0.0        U      0       0    0    lo
default          [my WAN gw]   0.0.0.0          UG     0       0    0    eth1
This is my linux box's routing table after my crazy 3 step idea:

Destination       Gateway       Genmask          Flags  Metric  Ref  Use  Iface
[friend's WAN IP] [my WAN GW]   255.255.255.255  UGH    0       0    0    eth1
10.0.1.1          *             255.255.255.255  UH     0       0    0    tun0
localnet          *             255.255.255.0    U      0       0    0    eth0
10.0.3.1          10.0.1.1      255.255.255.0    UG     0       0    0    tun0
[my WAN subnet]   *             255.255.254.0    U      0       0    0    eth1
loopback          *             255.0.0.0        U      0       0    0    lo
default           10.0.1.1      0.0.0.0          UG     0       0    0    tun0
Sorry about the long explanation. I do not have a mail
account capable of receiving any decent amount of
mail, so I cannot subscribe to the mailing list, so if
anyone has any ideas, I would appreciate it if replies
could also be sent to my address. Thanks for your time
Peter Zieba
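Editor's added example (not code from the thread): a longest-prefix-match model of the two routing tables above, to make the purpose of step 2 concrete. OpenVPN's own UDP transport is addressed to the friend's WAN IP; once the default route points into tun0, that transport would itself be routed into the tunnel unless a more specific host route sends it out eth1, which is the "so that the VPN connection is maintained" in the poster's logic. The WAN addresses (203.0.113.0/23, 203.0.113.1, 198.51.100.7) and the "internet host" 192.0.2.10 are constructed TEST-NET stand-ins for the bracketed placeholders, not the poster's real addresses.

```python
"""Longest-prefix-match model of the routing tables from the post.

Added example, not part of the original thread. The WAN addresses below are
constructed stand-ins for the bracketed placeholders in the post.
"""
import ipaddress

# Constructed stand-ins for the placeholders in the post (TEST-NET ranges).
MY_WAN_SUBNET = "203.0.113.0/23"      # [my WAN subnet], netmask 255.255.254.0
MY_WAN_GW = "203.0.113.1"             # [my WAN gw]
FRIEND_WAN_IP = "198.51.100.7"        # [friend's WAN IP] (cable modem)
VPN_PEER = "10.0.1.1"                 # friend's tun0 address
INTERNET_HOST = "192.0.2.10"          # some web server out on the net


def route(dest, iface, gw=None):
    """One kernel-style entry: (prefix, gateway or None when on-link, device)."""
    return (ipaddress.ip_network(dest, strict=False), gw, iface)


# Table "before the crazy 3 step idea": default via the ISP gateway on eth1.
BEFORE = [
    route("10.0.1.1/32", "tun0"),
    route("10.0.0.0/24", "eth0"),              # "localnet"
    route("10.0.3.0/24", "tun0", VPN_PEER),
    route(MY_WAN_SUBNET, "eth1"),
    route("127.0.0.0/8", "lo"),
    route("0.0.0.0/0", "eth1", MY_WAN_GW),     # default
]

# Table after steps 1-3: host route to the peer's WAN IP via the old gateway
# (step 2), default via the VPN peer on tun0 (step 3).
AFTER = [
    route(FRIEND_WAN_IP + "/32", "eth1", MY_WAN_GW),
    route("10.0.1.1/32", "tun0"),
    route("10.0.0.0/24", "eth0"),
    route("10.0.3.0/24", "tun0", VPN_PEER),
    route(MY_WAN_SUBNET, "eth1"),
    route("127.0.0.0/8", "lo"),
    route("0.0.0.0/0", "tun0", VPN_PEER),
]


def lookup(table, dst):
    """Return (gateway, iface) for dst by longest-prefix match, as the kernel
    FIB does; among equal prefix lengths the first listed entry wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1], best[2]


def vpn_would_loop(table, peer_wan_ip, tun_iface="tun0"):
    """True if the tunnel's own encapsulated packets to the peer's WAN address
    would be routed back into the tunnel, which would collapse the VPN."""
    _, iface = lookup(table, peer_wan_ip)
    return iface == tun_iface


def without_host_route(table, host_ip):
    """The same table minus the /32 for host_ip: the AFTER table without step 2."""
    host = ipaddress.ip_network(host_ip + "/32")
    return [r for r in table if r[0] != host]


if __name__ == "__main__":
    cases = (("before", BEFORE), ("after", AFTER),
             ("after, no step 2", without_host_route(AFTER, FRIEND_WAN_IP)))
    for name, tbl in cases:
        print("%-18s internet -> %-22s peer WAN -> %-22s loop=%s" % (
            name, lookup(tbl, INTERNET_HOST), lookup(tbl, FRIEND_WAN_IP),
            vpn_would_loop(tbl, FRIEND_WAN_IP)))
```

Running it shows that in the AFTER table ordinary internet traffic resolves to 10.0.1.1 via tun0 while the friend's WAN IP still resolves to the old gateway via eth1; drop the /32 from step 2 and the same lookup lands on tun0, which is exactly the loop the host route exists to prevent. Note that the model says nothing about MTU: a path that routes correctly can still black-hole large packets, which is the direction the reply below takes.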
* Re: Using a remote internet connection.
From: Ralf Spenneberg @ 2003-10-08 9:45 UTC (permalink / raw)
To: Pete Zieba; +Cc: Netfilter
On Sat, 2003-10-04 at 02:30, Pete Zieba wrote:
> I then do the following:
> I reconfig my workstation to use his ISP's nameserver.
> I can now ping domains (yahoo, etc.)
> I CANNOT get to MOST websites. (msn.com is one of my
> few successes)
>
> *Note that everything works fine if I try to get to
> websites using "links" as a browser in the console of
> my linux box. It is only machines on my LAN side that
> have problems.
You might have some problems with PMTU discovery, since you probably
have several different MTUs on the path and firewalling in between.
Either get the firewalls to allow ICMP frag-needed through, or you might
want to try the TCPMSS target to confine TCP packets to a maximum size, like:
-j TCPMSS --set-mss 1300 or -j TCPMSS --clamp-mss-to-pmtu
I do not know if 1300 would be the best value, but at least it should get
the connection working if that's the problem.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
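Editor's added example (not code from the thread or from netfilter): what the TCPMSS target actually does to a packet, written out in Python so the byte-level effect is visible. It parses the TCP options of a SYN, lowers the MSS option to MTU minus 40 (20 bytes IPv4 header plus 20 bytes TCP header) when it is larger, inserts the option when the SYN carries none, and recomputes the TCP checksum. The behaviour mirrored here (only ever lowering the MSS; acting on SYNs only) is how the xt_TCPMSS target behaves to my knowledge; the SYN from 10.0.0.5 to 192.0.2.10 advertising MSS 1460 and the tunnel MTU of 1300 are constructed for the demo, not values from the thread.

```python
"""MSS clamping of a TCP SYN, modelled after the iptables TCPMSS target.

Added example, not code from the thread or from netfilter. The SYN segment
and the 1300-byte tunnel MTU used below are constructed for the demo.
"""
import ipaddress
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment bytes.
    Over a segment whose checksum field is already valid this returns 0."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, segment):
    return tcp_checksum(src, dst, segment) == 0


def parse_options(segment):
    """Yield (kind, value_bytes, offset) for each TCP option in the header."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > doff:   # malformed option list: stop
            return
        yield kind, segment[i + 2:i + length], i
        i += length


def get_mss(segment):
    """The advertised MSS, or None if the segment carries no MSS option."""
    for kind, value, _ in parse_options(segment):
        if kind == TCPOPT_MSS:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss(src, dst, segment, mtu):
    """Return the segment with its MSS lowered to mtu - 40 if it was larger.
    Non-SYN segments and SYNs already at or below the limit are returned
    unchanged; a SYN without an MSS option gets one inserted."""
    if not segment[13] & 0x02:            # not a SYN: the target only matches SYNs
        return segment
    newmss = mtu - IP_HDR_LEN - TCP_HDR_LEN
    seg = bytearray(segment)
    for kind, value, off in parse_options(segment):
        if kind == TCPOPT_MSS:
            if struct.unpack("!H", value)[0] <= newmss:
                return segment            # never raise an MSS
            seg[off + 2:off + 4] = struct.pack("!H", newmss)
            break
    else:
        # No MSS option: insert one right after the fixed header and grow the
        # data offset by one 32-bit word.
        doff_words = segment[12] >> 4
        seg = (bytearray(segment[:TCP_HDR_LEN])
               + struct.pack("!BBH", TCPOPT_MSS, 4, newmss)
               + bytearray(segment[TCP_HDR_LEN:]))
        seg[12] = ((doff_words + 1) << 4) | (segment[12] & 0x0F)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


def build_syn(src, dst, sport, dport, mss=None):
    """Constructed SYN with an optional MSS option and a valid checksum."""
    opts = b"" if mss is None else struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (TCP_HDR_LEN + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + opts)
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    SRC, DST = "10.0.0.5", "192.0.2.10"      # constructed: LAN workstation -> web server
    syn = build_syn(SRC, DST, 40000, 80, mss=1460)
    clamped = clamp_mss(SRC, DST, syn, mtu=1300)
    print("MSS %d -> %d, checksum ok: %s" % (
        get_mss(syn), get_mss(clamped), checksum_ok(SRC, DST, clamped)))
```

With `--clamp-mss-to-pmtu` the kernel takes `mtu` from the route the SYN leaves on, so on the poster's box the natural place for the rule is the FORWARD chain for SYNs going out tun0 (the target needs the `--tcp-flags SYN,RST SYN` match). That placement also fits the symptom in the question: TCP sessions opened on the box itself take their MSS from tun0's MTU, whereas the LAN workstation advertises an MSS derived from its own 1500-byte Ethernet, so the far end sends segments that do not fit through the tunnel and depends on an ICMP frag-needed message that firewalls along the path may drop.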