On 12/31/18 10:32 AM, Tom Eastep wrote:
> On 12/29/18 2:26 PM, C. Cook wrote:
>> On 12/28/18 1:34 PM, Tom Eastep wrote:
>>> On 12/28/18 10:08 AM, C. Cook wrote:
>>>> Idk whether this is a Shorewall question or not.
>>>>
>>>> My LAN has a class C of 192.168.1.0.  The gateway for all LAN members is
>>>> 192.168.1.1
>>>>
>>>> Now one of the LAN members is a KVM VM at 192.168.1.16, and it is the
>>>> Wireguard VPN server.  Remote machines come in through the gateway and
>>>> are port-forwarded to the VPN server for full access to the LAN.  This
>>>> works fine now. (Thank you)
>>>>
>>>> First Question:  Remote VPN members can access any node in the LAN, but
>>>> can not get back out through the gateway for internet access.  Any idea
>>>> where I should look?  The VPN server does have its gateway set to
>>>> 192.168.1.1.
>>> Is the remote VPN client configured to use the VPN as a default route?
>> It's set so that no applications are exempted from using the VPN.  I
>> should think this would be equivalent.  Seems to be my only option.
>>
> I doubt that the setting you are talking about redirects all traffic
> through the tunnel.

Maybe true.

I wasn't getting access on the phone before while on VPN, but I've made
a number of Shorewall changes in my LAN.  I do have internet access on
my phone now.


>
>>
>>>
>>>> Second Question:  Another member of the LAN, 192.168.1.4, is the backups
>>>> server.  And the backups server runs a KVM VM which handles all security
>>>> cameras (ZoneMinder) through a dedicated port in the class C of
>>>> 10.1.50.0.  This security cam VM has a second IP in the class C of the
>>>> LAN and serves Zoneminder to the LAN this way.
>>>>
>>>> I would like to serve Zoneminder to the outside only on the VPN.  Does
>>>> that mean I port-forward 80 to the VPN server, either through a reverse
>>>> SSH tunnel or by Shorewall DNAT?  Then to access it from remote on the
>>>> VPN server?  Is this the best way?  Would it then also still be
>>>> accessible to the LAN?
>>> I'm confused. Who initiates this TCP connection on port 80 and where is
>>> the http server?
>> The remote phone could initiate it using the ZM app, or any random
>> machine inside the LAN could initiate it.  Only the WireGuard server is
>> running wg, so no internal communication is VPN.
>>
>> Communication with the cameras could be via port 80 to get ZoneMinder
>> functionality, or directly from the cameras by getting the rtsp stream
>> with something like VLC.
> Then, since the backup server is on the LAN, VPN clients should be able
> to connect to it directly.

Well, I don't allow open ports on LAN machines, to reduce attack surface.

But I've realized that I can set up a reverse SSH tunnel from the VPN
server on wg0, to the cameras server.  This way Zoneminder is available
only to the VPN.


>
>>
>>>
>>>> Third Question:  The cameras on 10.1.50.0 are only visible to the
>>>> cameras server on a dedicated port.  These cameras provide a high-res
>>>> RTSP stream and a low-res RTSP stream, the latter being appropriate for
>>>> a remote phone.  Can anyone see how I can pipe the low-res stream to the
>>>> VPN server so it's accessible by a remote phone?
>>>>
>>> Is this stream accessible from other hosts on the LAN? If so, how?
>>
> To access the camera directly, the Shorewall box needs to have a route
> to the 10.1.50.0/24 subnet via the backup server's 192.168.1.4 address
> and the backup server would need to enable IP forwarding. Assuming that
> you can get default routing from the VPN client to go through the
> tunnel, then the VPN clients can access the server directly.

Good idea, thanks.


>
>> It's not, because the cameras are in a different class C than the LAN.
>> The rtsp streams can be reached by the backups server (KVM host to the
>> cameras VM) because it has a dual IP, one of which is in the cameras'
>> domain.
>>
>> If I add IPs to all machines in the LAN I'm concerned that this would
>> put them in the collision domains of the cameras, defeating the purpose
>> of having them in a different class C.
>>
> If you are concerned about 10.1.50.0/24 colliding with a network local
> to the VPN client, you can use DNAT on the Shorewall box. You could
> have VPN clients connect to port 81 on IP 192.168.1.4, which would be
> DNATted to the dedicated port on the camera.

Will do, thanks.



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
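
The routing and Shorewall pieces behind the three suggestions in the thread (default route through the tunnel, a route to the camera subnet via 192.168.1.4, and a port-81 DNAT in front of the camera), collected here as an added example. This is not configuration from the thread, from Shorewall's documentation, or from either poster. It assumes Shorewall 5 runs on the WireGuard server VM (192.168.1.16) with zone `vpn` on wg0 and zone `loc` on eth0, a WireGuard subnet of 10.7.0.0/24, a camera at 10.1.50.20 serving RTSP on port 554, and a public endpoint name vpn.example.org; every one of those values is a placeholder, not something stated in the thread. WireGuard routes through the tunnel exactly the prefixes listed in `AllowedIPs`, so that line, not an application-exclusion list, is what decides whether the phone's Internet traffic goes via the LAN.

```text
# ---------------------------------------------------------------------------
# 1. Client (phone): /etc/wireguard/wg0.conf  (placeholder keys and endpoint)
#    AllowedIPs = 0.0.0.0/0 is what sends LAN *and* Internet traffic into the
#    tunnel; a narrower list (e.g. 192.168.1.0/24) only reaches the LAN.
# ---------------------------------------------------------------------------
[Interface]
PrivateKey = <client private key>
Address    = 10.7.0.2/32
DNS        = 192.168.1.1

[Peer]
PublicKey           = <server public key>
Endpoint            = vpn.example.org:51820
AllowedIPs          = 0.0.0.0/0
PersistentKeepalive = 25

# ---------------------------------------------------------------------------
# 2. WireGuard server VM, 192.168.1.16, running Shorewall 5 (assumed)
# ---------------------------------------------------------------------------
# /etc/shorewall/shorewall.conf  (only the line that matters here)
IP_FORWARDING=On

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
loc     eth0        tcpflags,nosmurfs
vpn     wg0

# /etc/shorewall/policy
#SOURCE DEST    POLICY      LOGLEVEL
$FW     all     ACCEPT
vpn     loc     ACCEPT                  # VPN clients reach the LAN and, via 192.168.1.1, the Internet
loc     vpn     DROP        info        # LAN hosts may not initiate into the tunnel
all     all     REJECT      info

# /etc/shorewall/snat
#ACTION      SOURCE        DEST
MASQUERADE   10.7.0.0/24   eth0        # LAN hosts and the gateway see 192.168.1.16, so nothing
                                       # on the LAN needs a return route for 10.7.0.0/24

# /etc/shorewall/rules
#ACTION  SOURCE  DEST                 PROTO  DPORT   SPORT  ORIGDEST
ACCEPT   loc     $FW                  udp    51820                    # WireGuard, port-forwarded from 192.168.1.1
DNAT     vpn     loc:10.1.50.20:554   tcp    81      -      192.168.1.4   # rtsp://192.168.1.4:81/... from the phone
                                                                          # lands on the camera; 10.1.50.0/24 never
                                                                          # has to be routable from the client

# /etc/shorewall/started  (extension script, run after every start/restart)
# The DNAT above needs this box to know how to reach the camera subnet.
ip route replace 10.1.50.0/24 via 192.168.1.4 dev eth0

# ---------------------------------------------------------------------------
# 3. Backup server, 192.168.1.4 (the host with a leg in both subnets)
#    Forward between its LAN and camera interfaces; the cameras must use
#    its 10.1.50.x address as their default gateway (assumed).
# ---------------------------------------------------------------------------
# /etc/sysctl.d/99-forward.conf
net.ipv4.ip_forward = 1
```

Run `shorewall check` before `shorewall restart`; Shorewall refuses the DNAT rule if the `vpn` zone or wg0 is not defined. To confirm the first point independently of the firewall, run a traceroute from the phone while connected: if the first hop is not 10.7.0.1, `AllowedIPs` is the problem, not Shorewall. One caveat for the port-81 trick: RTSP negotiates separate UDP ports for the RTP media by default, which a single-port DNAT does not cover, so make the client carry the media inside the TCP session (VLC's `--rtsp-tcp`) or the stream will set up and then show nothing.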
