Use a VPN without it taking over the network
Authored by: kshetline on Sep 10, '05 09:53:34PM

First of all, I do use the built-in dynamic DNS support in my router for dyndns.org, rather than DDNS client software on one of my computers, so the resolution of my personal domain wouldn't get changed by hooking up to my company VPN, no matter how I have the VPN connection configured.

But even if I was using client software instead of my router, consider this:

Suppose my IP on the VPN is 172.18.99.99
Suppose the WAN-facing IP for my computer -- along with many other computers at the office sharing the same WAN-facing IP -- is 42.43.44.45.

When the client software phones home to dyndns.org, myhomedomain.org will be mapped to 42.42.44.45.

If someone types http://myhomedomain.org into their web browser, an attempt will be made to connect to 42.43.44.45 at port 80.

The connection attempt then hits my company's router and firewall... and those incoming packets will NOT get routed to 172.18.99.99 and its port 80. Nor will any other attempt to connect to any other ports on my home computer for SSH, Timbuktu, etc. get through, not without convincing my company to poke all of those holes in their firewall and to do all of that special port forwarding just for me and me alone -- that ain't gonna happen.

Further, even if my friendly company sys admin were so obliging, I wouldn't want her to set all of that up for me anyway. I really don't want my personal domain becoming my company's IP address on and off all of the time. Also, while dyndns.org works pretty well, the less remapping of my domain to different IP addresses all of the time -- with all of the propagation delays that can entail -- the better.



Use a VPN without it taking over the network
Authored by: beauh on Sep 12, '05 04:18:39AM

The issue lies in the fact that OS X does not support source-based routing. Any traffic that is not link-local is going to be sent out via your default route, which by default is going to be your IPSec tunnel when your VPN connection is active. When he's connecting from work to his home computer, his home machine sees an incoming connection from his office WAN IP: a publicly routable IP, notes that it is not link-local, and then fires the response via the default route, straight down the VPN tunnel and ultimately to a destination that's going to drop it. Setting the internal subnet to be the default interface would then make all traffic go out through the NAT router. You're still not going to have a problem on the VPN side, as the company subnet appears to be link-local.

The IPSec tunnel serves well as the default route as it adds a layer of intrusion prevention, leaving your company's site less vulnerable (unless your internal subnet is otherwise compromised). --> enabling this script might piss off yer admin.



Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 12, '05 06:23:40AM

suggestion:

Set up a second dyndns.org name for the Mac itself (not the router); the first five host names are free. Tell the DNS-update client to report the IP number of the Mac's Ethernet interface (i.e., "internal", not "external").

When you are at work, and you find you left VPN running, you use the Mac's dyndns.org lookup to find your IP on the VPN, Timbuktu into your machine, and turn off VPN manually.

No routing magic required. If the DNS has failed to propagate, you can always go to the dyndns.org page and read the VPN IP number.



Use a VPN without it taking over the network
Authored by: kshetline on Sep 12, '05 03:26:31PM
No routing magic required. If the DNS has failed to propagate, you can always go to the dyndns.org page and read the VPN IP number.

No, no, no...

Before I did any hacking or playing with VPN settings at all, reaching my Mac at home was never the issue. I was indeed reaching the Mac -- I could see the packets coming in. The problem lay completely in having the computer at home respond to an external request via the correct route. Imagine that the speaker in the handset of your telephone was hooked up to one telephone number, but the microphone to a different telephone number. Someone calls you, you pick up the phone, you can hear the other guy saying "Hello? Hello?", but he never hears a word you say -- that's what my computer was doing with incoming and outgoing packets.

Further, I could never get back to my computer via the VPN WAN IP, because that IP would be for a whole block of computers at my company, not for my one specific computer, and nothing would reach my home computer via the VPN LAN IP which I'm assigned while connected to the VPN -- not past the company firewall and internal routing.

If you're suggesting that I actually try to make my domain name map to a LAN IP, rather than a WAN IP -- a LAN IP which is only meaningful on my company's network -- that's just weird. I don't even know if that would work -- if dyndns.org would accept a LAN IP and propagate it -- but if it did work, I'd have a domain name which was only useful for people on the company LAN. Anyone else would get the same IP address using my domain name, numerically speaking, but either nothing would be there to respond at that IP for them, or a random server which happened to have the same LAN IP on a different LAN would respond.

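The asymmetric-routing problem described in beauh's post and in kshetline's "speaker and microphone on different phone numbers" reply comes down to longest-prefix route selection: the reply to an inbound packet is routed by its destination only, not by the interface the request arrived on. The following Python model is an added example, not code from the thread or from OS X; the route tables, interface names (en0, ipsec0) and the home LAN 192.168.1.0/24 with a NAT router at 192.168.1.1 are constructed assumptions, while 172.18.99.99 and 42.43.44.45 are the addresses the thread itself uses.

```python
import ipaddress

# Constructed route tables for the home Mac while the VPN is up.
# Each entry: (prefix, outgoing interface). Interface and LAN
# addresses are assumed for the example; 172.18.0.0/16 stands for the
# company VPN subnet that contains the assigned 172.18.99.99.
HOME_LAN = "192.168.1.0/24"
COMPANY_LAN = "172.18.0.0/16"

# Default OS X behaviour per the thread: the tunnel becomes the default route.
VPN_IS_DEFAULT = [
    ("0.0.0.0/0", "ipsec0"),
    (COMPANY_LAN, "ipsec0"),
    (HOME_LAN, "en0"),
]

# The fix the thread describes: keep the NAT router as the default route and
# send only the company subnet through the tunnel.
NAT_IS_DEFAULT = [
    ("0.0.0.0/0", "en0"),        # via the NAT router at 192.168.1.1 (assumed)
    (COMPANY_LAN, "ipsec0"),
    (HOME_LAN, "en0"),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def reply_interface(routes, request_src):
    """Interface the reply leaves on; only the request's source address matters."""
    return lookup(routes, request_src)


def is_asymmetric(routes, arrived_on, request_src):
    """True when the reply would leave on a different interface than the request arrived on."""
    return reply_interface(routes, request_src) != arrived_on


def summarize(routes):
    """Classify the three flows discussed in the thread for a given route table."""
    return {
        # Connection from the office WAN IP, arriving via the NAT router on en0.
        "office_wan_reply": reply_interface(routes, "42.43.44.45"),
        "office_wan_asymmetric": is_asymmetric(routes, "en0", "42.43.44.45"),
        # Traffic to a host on the company subnet (constructed address).
        "company_host_reply": reply_interface(routes, "172.18.1.10"),
        # Traffic to a host on the home LAN (constructed address).
        "home_host_reply": reply_interface(routes, "192.168.1.20"),
    }


if __name__ == "__main__":
    for name, table in (("VPN is default", VPN_IS_DEFAULT), ("NAT is default", NAT_IS_DEFAULT)):
        print(name, summarize(table))
```

With the tunnel as the default route the request from 42.43.44.45 arrives on en0 but its reply is sent down ipsec0 and is dropped on the far side, which is the half-duplex phone call kshetline describes. With the NAT router as the default route the reply goes back out en0, while traffic to 172.18.0.0/16 still matches the more specific tunnel route, so the VPN side keeps working.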

Use a VPN without it taking over the network
Authored by: ferret-slayer on Sep 18, '05 12:42:49PM
if it did work, I'd have a domain name which was only useful for people on the company LAN.

It does work. You're the only one who would want to use it. It doesn't matter if it's useful to others. (They can use your original dyndns.org name to find your router.)
