Connecting between vpnserver and vpnbridge

[Venky]

Hi

We have two servers, one is setup with VPNServer and another setup as vpnbridge.
On vpnbridge server, a web server application runs.

When user connects to our vpnserver and want to access the webserver. but this does not happens untill the vpnserver gets connected to bridge,

How to connecte between vpnserver and vpnbridge?

Thanks
Venky

[kh_tsang]

Use tap device in the vpnbridge side and add a cascade connection.

[Venky]

Thanks now able to create the cascade connection. but not able to ping the webserver or not able to access web server.

The Client machine gets 192.168.1.5 , what will be IP set to vpnbridge once it gets cascade.

Does this require any port forwarding or NAT to forward the request to webserver?

[kh_tsang]

You need to configure it by yourself. You need to add the IP address by yourself. It is an ethernet connection that is not configured yet.

[Venky]

where should i set the IP. the vpnbridge installed on the VM Server which has public IP 192.19.17.164.
By this IP aim able to browse site, but not when connected to VPNserver.

How can i reach this webserver when connected over VPN?

[kh_tsang]

By using "ip addr add" command.

Also, why don't you use private IP address to reach the web server?
Secondly, your public IP is not listening port 80 and 443 from the internet.

[Venky]

i cannot use the Private IP for webserver becuase the VPN server VM hosted on separate ESX host server and Web server hosted on a different ESX host .

[kh_tsang]

I mean why don't you use private IP for the tap device and connect using the private IP after the connection is established.

[Venky]

I really did not understand your suggestions.

Here is the attached images which explain how the setup done.
VPNServer has secure NAT enabled also with DHCP services ON.

If you can provide me the steps to configure, that would be great.

[kh_tsang]

Treat the cascade connection as an Ethernet cable and the virtual hub as a switch. The tap device is a device connected to the switch and you need to add a private IP on it so the host is listening on that private IP.

[Venky]

I have done the setup as suggested, but still not able to understand how to setup a private IP.
if you can provide some linke or instructions that would be a great help

[kh_tsang]

You should see tap_vpn3brdg3 in ifconfig. Add a new private IP for it.

[Venky]

For the tap device gave a private IP 192.168.30.3
vpnserver :192.168.30.1
vpnbridge : 192.168.30.2

command to add IP tap_device " ip addr add 192.168.30.3 dev eth0 "

but still not able to ping vpnbridge ip.

[kh_tsang]

You need to specify the subnet and the broadcast address as well.

ip addr add 192.168.30.2/24 broadcast 192.168.30.255 dev tap_vpn3brdg3

eth0 should be your own NIC and should not be used in the command. The virtual ethernet interface connecting to the virtual hub is tap_vpn3brdg3.

[Venky]

Applied the command on vpnbridge is this correct?

Iam able to ping the vpn bridge interface IP from the VPNServer.

But still not able to ping public IP webserver. do i need to make same setting on vpnbridge server too?

Also one more test conducted, From VPN Client connected to VPN Server, but not able to ping IP of the vpnserver and also bridge. Is this Ping disabled from client connection?

[kh_tsang]

Is ping from the internet blocked?

About pinging from the VPN server to the VPN bridge,
When you ping by using public IP address, the echo request will go through the internet.

About pinging from the VPN client to the VPN server,
When you ping the same public IP as the VPN connection, the packet will be routed through your original gateway. You should either use a private IP address or another public IP address on the vpn server so that you can ping the vpn server. You may use a tap device on the vpn server so that the vpn server host itself gets a private IP address in the VPN subnet.

About pinging from the VPN client to the web server,
When you ping the public IP of the web server, it will go through the Secure NAT gateway and then the internet, not the cascade connection.

[Venky]

Able to fix the issue as there was security policy enabled for user

I can ping the vpnbrige server ip, default gateway but for vpnbridge ping does not work as this default policy set on it . please check the attachment.

When ping webserver there is lot of TTL time 1573ms and request time out in between, how to fix this issue?

[kh_tsang]

Are you pinging the web server using public or private IP?

[Venky]

Pinging webserver with Public ip. as this does not have a priviate ip.

[Venky]

Can the Public IP can be NAT to Private IP?

IF yes please share the details,

[kh_tsang]

Venky wrote:
> Can the Public IP can be NAT to Private IP?
>
> IF yes please share the details,


You can try DNAT the traffic of the web server to the private IP of the vpn server on the vpn connection(please add the private IP by yourself). After that, SNAT that traffic to the vpn server private IP. Please use iptables for NAT instead of SecureNAT. Otherwise, change the DNS resolution result by setting up a DNS resolver on the vpn network.

[Venky]

Thanks for the reply,

I just lost a bit with your answer.

Can you please explain with an example, that really helps to understand.

[kh_tsang]

For example, the client is 182.168.30.11 and the web server is 192.168.30.2, you should visit the web server using 192.168.30.2 instead of its own public IP.

Also, you may want to change the DNS result of the web server domain so that it points to its private IP.

[Venky]

Client range IP : 192.168.30.10 (DHCP range : 192.168.30.10 to 192.168.30.200)
VPN Server interface eth0: 192.168.30.1
VPN bridge interface eth0 192.168.30.2
webserver IP : 158.68.4.221

iptables -A PREROUTING -d 192.168.30.0/24 eth0 -j DNAT --to-dest 192.168.30.2

iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j etho0 SNAT --to 158.68.4.221


Based on your reply built the above the iptables, is this correct?

[kh_tsang]

No, the private IP should be on the adapter with the name with tap_ as the prefix.

The commands should be

iptables -A PREROUTING -s 192.168.30.0/24 -d 158.68.4.221 -j DNAT --to-dest 192.168.30.2

iptables -A POSTROUTING -s 192.168.30.0/24 -d 192.168.30.2 -j SNAT --to-source 192.168.30.1

[thisjun]

Why don't you use VPN client on the web server?