On 12/29/18 2:26 PM, C. Cook wrote:
>
> On 12/28/18 1:34 PM, Tom Eastep wrote:
>> On 12/28/18 10:08 AM, C. Cook wrote:
>>> Idk whether this is a Shorewall question or not.
>>>
>>> My LAN has a class C of 192.168.1.0. The gateway for all LAN members is
>>> 192.168.1.1
>>>
>>> Now one of the LAN members is a KVM VM at 192.168.1.16, and it is the
>>> Wireguard VPN server. Remote machines come in through the gateway and
>>> are port-forwarded to the VPN server for full access to the LAN. This
>>> works fine now. (Thank you)
>>>
>>> First Question: Remote VPN members can access any node in the LAN, but
>>> can not get back out through the gateway for internet access. Any idea
>>> where I should look? The VPN server does have its gateway set to
>>> 192.168.1.1.
>> Is the remote VPN client configured to use the VPN as a default route?
>
> It's set so that no applications are exempted from using the VPN. I
> should think this would be equivalent. Seems to be my only option.
>

I doubt that the setting you are talking about redirects all traffic
through the tunnel.

>
>>
>>> Second Question: Another member of the LAN, 192.168.1.4, is the backups
>>> server. And the backups server runs a KVM VM which handles all security
>>> cameras (ZoneMinder) through a dedicated port in the class C of
>>> 10.1.50.0. This security cam VM has a second IP in the class C of the
>>> LAN and serves Zoneminder to the LAN this way.
>>>
>>> I would like to serve Zoneminder to the outside only on the VPN. Does
>>> that mean I port-forward 80 to the VPN server, either through a reverse
>>> SSH tunnel or by Shorewall DNAT? Then to access it from remote on the
>>> VPN server? Is this the best way? Would it then also still be
>>> accessible to the LAN?
>> I'm confused. Who initiates this TCP connection on port 80 and where is
>> the http server?
>
> The remote phone could initiate it using the ZM app, or any random
> machine inside the LAN could initiate it. Only the WireGuard server is
> running Wg so no internal communications is VPN.
>
> Communication with the cameras could be via port 80 to get ZoneMinder
> functionality, or directly from the cameras by getting the rtsp stream
> with something like VLC.

Then, since the backup server is on the LAN, VPN clients should be able
to connect to it directly.

>
>>
>>> Third Question: The cameras on 10.1.50.0 are only visible to the
>>> cameras server on a dedicated port. These cameras provide a high-res
>>> RTSP stream and a low-res RTSP stream, the latter being appropriate for
>>> a remote phone. Can anyone see how I can pipe the low-res stream to the
>>> VPN server so it's accessible by a remote phone?
>>>
>> Is this stream accessible from other hosts on the LAN? If so, how?
>

To access the camera directly, the Shorewall box needs to have a route to
the 10.1.50.0/24 subnet via the backup server's 192.168.1.4 address and
the backup server would need to enable IP forwarding.

Assuming that you can get default routing from the VPN client to go
through the tunnel, then the VPN clients can access the server directly.

> It's not, because the cameras are in a different class C than the LAN.
> The rtsp streams can be reached by the backups server (KVM host to the
> cameras VM) because it has a dual IP, one of which is in the cameras'
> domain.
>
> If I add IPs to all machines in the LAN I'm concerned that this would
> put them in the collision domains of the cameras, defeating the purpose
> of having them in a different class C.
>

If you are concerned about 10.1.50.0/24 colliding with a network local to
the VPN client, you can use DNAT on the Shorewall box. You could have VPN
clients connect to port 81 on IP 192.168.1.4, which would be DNATted to
the dedicated port on the camera.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
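The two options Tom lays out above (a static route on the Shorewall box plus IP forwarding on the backup server, or a Shorewall DNAT rule so VPN clients connect to 192.168.1.4:81) rendered as a small POSIX sh script. This is an added example, not code from the thread or from the Shorewall project. The addresses come from the thread; the camera address 10.1.50.10, the RTSP port 554, and the zone name `vpn` are assumptions. The overlap check is there because of the collision concern raised in the thread: it tells you whether the camera subnet and the LAN (or a VPN client's local network) share addresses before you add a route.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Renders the pieces Tom describes: the static route plus IP forwarding
# for the "route via the backup server" option, and a Shorewall DNAT rule
# for the "VPN clients connect to 192.168.1.4:81" option.

BACKUP_HOST=192.168.1.4      # dual-homed backup server (from the thread)
LAN_NET=192.168.1.0/24       # the LAN "class C" (from the thread)
CAM_NET=10.1.50.0/24         # camera subnet behind the backup server
CAM_IP=10.1.50.10            # ASSUMED camera address (placeholder)
CAM_PORT=554                 # ASSUMED: the standard RTSP port
LISTEN_PORT=81               # port Tom suggests VPN clients connect to
VPN_ZONE=vpn                 # ASSUMED Shorewall zone name for VPN clients

# Dotted quad -> 32-bit integer, used by the overlap check below.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when two CIDR blocks share at least one address: compare both
# network addresses under the shorter of the two prefix lengths.
nets_overlap() {
    n1=${1%/*}; p1=${1#*/}
    n2=${2%/*}; p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2
    mask=$(( (0xffffffff << (32 - p)) & 0xffffffff ))
    [ $(( $(ip2int "$n1") & mask )) -eq $(( $(ip2int "$n2") & mask )) ]
}

# Option 1a: the route the Shorewall box needs for the camera subnet.
route_cmd() {
    printf 'ip route add %s via %s\n' "$CAM_NET" "$BACKUP_HOST"
}

# Option 1b: the backup server must forward between its two networks.
forward_cmd() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Option 2: an /etc/shorewall/rules entry. Columns are
# ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST; ORIGDEST restricts the
# rule to connections that were addressed to 192.168.1.4.
dnat_rule() {
    printf 'DNAT\t%s\tloc:%s:%s\ttcp\t%s\t-\t%s\n' \
        "$VPN_ZONE" "$CAM_IP" "$CAM_PORT" "$LISTEN_PORT" "$BACKUP_HOST"
}

# Print what would be applied; nothing here changes the running system.
if nets_overlap "$LAN_NET" "$CAM_NET"; then
    echo "warning: $LAN_NET and $CAM_NET overlap; a route would be ambiguous" >&2
fi
echo "# on the Shorewall box:";  route_cmd
echo "# on $BACKUP_HOST:";       forward_cmd
echo "# /etc/shorewall/rules:";  dnat_rule
```

The route line applies to both options: after DNAT the Shorewall box still has to forward the packet to 10.1.50.10, so it needs to know that 10.1.50.0/24 lives behind 192.168.1.4. The DNAT rule only helps if the VPN clients' traffic to 192.168.1.4 actually passes through the Shorewall box, which is an assumption about this LAN's routing rather than something the thread confirms.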
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users