On Sun, 17 Apr 2022 08:32:23 +0100, Terry Coles wrote:
> 10.1.10.0/24 is the network set up by
> the VPN Server to forward remote traffic on and each device on the
> WMT Network is allocated an address in that range

If I understand you correctly, I think you are saying that each device 
on the WMT Network is allocated an address in the 10.1.10.0/24 range. 
This does not make sense. Why would the WMT Network devices need 
10.1.10.0/24 addresses, in addition to their 192.168.0.0/24 ones?

More likely, the 10.1.10.0/24 range is only used for the VPN server 
and the VPN clients, and VPN clients can simply address WMT Network 
devices directly, using their 192.168.0.0/24 addresses. As you've 
shown, the VPN server is configured to route between these subnets, so 
that should be fine and dandy. This is how I remember the VPN working 
before.

This works in the same way that you can communicate to, say, a Google 
server in the range 216.58.192.0/19 from a computer that has a local 
IP address in the range 192.168.1.0/24. Clearly, Google's servers do 
not get renumbered to suit your local network. Neither are the WMT 
Network devices going to be renumbered to suit the VPN. It is not 
necessary or useful.

The VPN clients are having their IP addresses allocated by the VPN 
server. I think it uses the VPN's own protocol as opposed to DHCP to 
communicate these addresses to the clients, but I can't remember for 
sure. Either way, the VPN server is responsible.

This also means that the VPN clients will not be getting told about 
the 192.168.0.1 DNS server via DHCP, so they won't automatically use 
it. This means their traffic won't get forwarded to the web server 
automatically. If you wanted them to know about that DNS server, you 
would need to configure the VPN server to tell them about it. They 
won't discover it automatically via DHCP like an on-site network 
client would.

Be aware that VPN clients will sometimes use a VPN-provided DNS server 
for EVERYTHING, which could have the effect of intercepting DNS 
queries for traffic that has nothing to do with the VPN, which might 
break networking for things that are running on the same machine as 
the VPN client, and could cause a privacy issue. If possible, it may 
be better to configure the VPN clients so that the WMT DNS server is 
only used to query domain names that are part of the WMT network.

So, when you said:
> The VPN Server doesn't know the IP Address of the
> Webserver, but it doesn't need to because all traffic should be
> forwarded to it.

The second part of the statement was untrue. The VPN server DOES need 
to know the IP address of the Webserver (assuming you want it to tell 
its clients), because the automatic forwarding to the Webserver only 
works for DHCP clients in the local network.

It is safe to assume that on-site visitors' devices, connecting via 
WiFi, are all configured to use DHCP, both to obtain an IP address and 
to learn about a DNS server. It is not safe to assume the same for VPN 
clients. Not only have the VPN clients already got an IP address from 
the VPN server, so they won't be looking for another one, but DHCP 
works using broadcast messages, which are only received by devices in 
the same subnet.

So, given that they have 10.1.10.0/24 addresses, the VPN clients 
cannot make use of the 192.168.0.1 DHCP server. They should, however, 
be able to make use of the 192.168.0.1 *DNS* server, provided that 
they are told about it.

> The DNS Server does not work for clients logged into the VPN Network
> via VPN.

Do you mean that it does not work automatically, or do you mean that 
clients logged in via the VPN cannot query this server at all? What 
happens if you say explicitly which server to query, by doing:

    $ dig @192.168.0.1 [webserver domain name]

or

    $ nslookup [webserver domain name] 192.168.0.1

on a device that is connected via the VPN?

> The Webserver is inaccessible to clients logged into the VPN Network
> via VPN unless an intermediate device is used as a 'stepping
> stone'. (eg, log into another Pi and then log in to the Webserver
> from there.)

Based on all of the above, I would expect that VPN clients cannot 
access the Webserver using its domain name, but they can do using its 
IP address. Is this true, or is it inaccessible even by IP address?

If the Webserver is inaccessible even by IP address, what happens if 
you try to ping it?

When a VPN client connects to the Web Server, in theory the web server 
would see that connection coming in from a 10.1.10.0/24 address, not a 
192.168.0.0/24 one. So, it is a given that the Webserver has to be 
configured to accept connections from 10.1.10.0/24 clients.

With that all said, that is far from the only way to configure IP 
addressing on an IPSec VPN. I'm relying on the fact I've used the WMT 
VPN in the past to fill in some of the blanks, and it is possible 
things could have moved on from that. (Or I could have misremembered.) 
Anyone coming across this thread from a web search should bear in mind 
that their VPN might be configured completely differently.

Patrick



-- 
  Next meeting: Online, Jitsi, Tuesday, 2022-05-03 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk
  New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk

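The three points Patrick's reply turns on (a DHCP broadcast only reaches a server on the client's own subnet; the VPN server routes between 10.1.10.0/24 and 192.168.0.0/24 without renumbering anything; a VPN-provided DNS server should only be asked about the site's own names) can be written down as small checks. The block below is an added illustration and is not code from the email or from the WMT setup. The subnets, the 192.168.0.1 server address and the 216.58.192.0/19 range are taken from the thread; the interface name `tun0`, the internal domain `wmt.example` and the fallback resolver `203.0.113.53` are constructed placeholders, since the page does not give the real values.

```python
"""Added illustration of the reasoning in the reply above (not from the
original email). All names marked 'constructed' are assumptions."""
import ipaddress
from typing import List, Tuple

WMT_LAN = ipaddress.ip_network("192.168.0.0/24")   # on-site network (from the thread)
VPN_POOL = ipaddress.ip_network("10.1.10.0/24")     # addresses the VPN server hands out (from the thread)
WMT_DNS = "192.168.0.1"                             # on-site DNS/DHCP server (from the thread)
WMT_DOMAIN = "wmt.example"                          # internal domain suffix (constructed placeholder)
DEFAULT_DNS = "203.0.113.53"                        # client's usual resolver (constructed, TEST-NET-3)


def can_use_dhcp_server(client_ip: str, client_prefix: int, dhcp_server_ip: str) -> bool:
    """A DHCPDISCOVER goes to the broadcast address and is not forwarded
    across subnets (unless someone has deployed a DHCP relay, which the
    thread does not mention), so the server must sit on the client's link.
    A VPN client holding a 10.1.10.0/24 address therefore cannot reach the
    192.168.0.1 DHCP server; an on-site 192.168.0.0/24 WiFi client can."""
    link = ipaddress.ip_interface(f"{client_ip}/{client_prefix}").network
    return ipaddress.ip_address(dhcp_server_ip) in link


# Routing table a VPN client would end up with: the on-site LAN and the VPN
# pool are reached through the tunnel, everything else through the normal
# default route. This is the same mechanism that lets a 192.168.1.0/24 host
# talk to a 216.58.192.0/19 Google address without either side renumbering.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (WMT_LAN, "tun0"),                               # 'tun0' is a constructed interface name
    (VPN_POOL, "tun0"),
    (ipaddress.ip_network("0.0.0.0/0"), "default"),
]


def route_for(dst_ip: str) -> str:
    """Longest-prefix match over ROUTES; returns the outgoing interface label."""
    dst = ipaddress.ip_address(dst_ip)
    for net, iface in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if dst in net:
            return iface
    raise ValueError(f"no route for {dst_ip}")  # unreachable while a default route exists


def choose_resolver(qname: str, wmt_domain: str = WMT_DOMAIN,
                    wmt_dns: str = WMT_DNS, default_dns: str = DEFAULT_DNS) -> str:
    """Split-DNS policy: only names under the WMT domain are sent to the
    WMT DNS server; everything else stays with the client's own resolver,
    so the VPN-provided server cannot see (or break) unrelated lookups.
    Comparison is case-insensitive and tolerates a trailing dot; note that
    'notwmt.example' is deliberately NOT treated as part of 'wmt.example'."""
    name = qname.rstrip(".").lower()
    suffix = wmt_domain.rstrip(".").lower()
    if name == suffix or name.endswith("." + suffix):
        return wmt_dns
    return default_dns


def classify_client(src_ip: str) -> str:
    """What the Webserver sees: VPN users arrive from the 10.1.10.0/24 pool,
    not from 192.168.0.0/24, so its access rules must admit both ranges."""
    src = ipaddress.ip_address(src_ip)
    if src in WMT_LAN:
        return "on-site"
    if src in VPN_POOL:
        return "vpn"
    return "other"


if __name__ == "__main__":
    # Constructed sample clients: one on-site WiFi device, one VPN client.
    for ip, prefix in (("192.168.0.57", 24), ("10.1.10.5", 24)):
        print(ip, "can use DHCP at", WMT_DNS, "->", can_use_dhcp_server(ip, prefix, WMT_DNS))
    for dst in ("192.168.0.10", "10.1.10.1", "216.58.200.1"):
        print("route to", dst, "->", route_for(dst))
    for q in ("www.wmt.example", "www.google.com"):
        print("resolver for", q, "->", choose_resolver(q))
    print("web server sees 10.1.10.5 as", classify_client("10.1.10.5"))
```

Running the block prints, for each constructed client, whether the on-site DHCP server is reachable, which way a packet to each destination would go, and which resolver a given name should be sent to. The `route_for` check is the one to compare against the real client's routing table when the Webserver is unreachable even by IP address; `choose_resolver` is the policy Patrick suggests instead of letting the VPN's DNS server answer everything.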