Fog Creek Software
Discussion Board




VPN to the VPN server?

It suddenly struck me over the weekend that I didn't know how one only communicates to a VPN server via. the VPN that it gives you. And I couldn't work out how you achieve it.

If I can see a server on the net and I open a VPN connection to it, when I then send requests to the server I want those requests to go over the VPN (for privacy reasons) but my client seems to send it via. the standard IP (non-VPN) route.

I understand how VPN would give me access to a subnet that I don't normally see, because the only way of getting to the subnet is through VPN but the VPN server itself... well that's already visible.

I presume it must be achievable... or is it?

Any ideas folks?

Gwyn
Monday, October 13, 2003

It depends on how the VPN is configured, and how the VPN server is configured.

Let's presume that your VPN is configured to permit non-VPN communication (it sounds like it is). Then, what is the purpose when you VPN in? To communicate with one machine, or with a whole network of machines? Presumably the latter, on some private subnet, yes? Then ensuring private communication to the VPN server (i.e., via the VPN) means you should be using its PRIVATE IP address, not its PUBLIC IP address.

Brad Wilson (dotnetguy.techieswithcats.com)
Monday, October 13, 2003

The server is not the entry point to a subnet in this instance. It is a single server that primarily provides standard web services (http, ftp, smtp). However I need a secure way to administer it.

Terminal services seems good but I think I should access that over VPN. VPN also means I can see network shares and don't need to ftp files around.

Gwyn
Monday, October 13, 2003

As stated above, you need to use the private IP address to administer the machine over a VPN.  Of course, you shouldn't be able to administer it using a public IP address because all unnecessary ports are blocked by the firewall, right?  Good to hear.

Usually, a VPN server routes traffic, so accesing it over the VPN can be as simple as using the IP address of the internal NIC.

If your VPN server has only a single NIC, you must then connect using the private IP address on that NIC.  If I remember correctly, it tries to pull an address from DHCP by default, but you can set a static IP if you want.

Using Computer Management On the VPN server go to:

Services and Applications > Routing and Remote Access > Routing Interfaces > [interface]

Replace [interface] with the routing interface your dialing into. Right-click [interface], select properties.  Click the Networking tab. Highlight Internet Protocol (TCP/IP).  Click properties.

From here, you can leave the default configuration or configure a static IP address.

Michael Mata
Monday, October 13, 2003

You probably want to have your public servers in a DMZ network and your other servers on seperate subnet.  You should route traffic between the external, DMZ, and private networks with a firewall that supports NAT such as checkpoint, watchguard, smoothwall, Cisco PICs etc. 

If you have multiple IP addresses you can use static NAT to pass one IP address to your private network and another to the DMZ.  Close all ports except VPN ports to the private network and HTTP ports to the DMZ. 

If you only have one IP address, you can use the port forwarding functionality of the firewall to achieve the same thing.  Multiple ports on the same address go to different machines on different networks.  This magic is part of the base functionality of nearly all firewall products.

I say purchase a firewall and read the manual carefully.

christopher baus www.summitsage.com
Monday, October 13, 2003

*  Recent Topics

*  Fog Creek Home