CNET Forums: General discussion

Connecting either single clients/whole lan together (VPN?)

Mar 12, 2016 3:43AM PST

Hello everyone,

I have some client PCs that have to access a remote database and an internal (also remote) system that I don't want to be accessible through the internet. I would prefer to have it only at an intranet level and in a secure way.
If possible I would like only the internal traffic to transit through the tunnels and all the internet-related traffic to go "out" through the normal gateway (as if it were a normal network).
I thought about VPN, but the VPN, as far as I know, redirects ALL traffic through the tunnel. I thought about configuring a proxy in the specific program, but then I would also have to configure the proxy on the browser of the client PCs so they could connect to the internal websites (not accessible from the internet).
Then I thought about using a ROUTER with DD-WRT or something similar to make the VPN connection and with some routes (I have a fixed public IP on my server in another location) redirect all "internal" traffic to the VPN connection and all others through the normal connection.
What would be, in your opinion, the best option, taking security into account as well? (The best option does not necessarily need to be one of those mentioned above.)

Thanks a lot!
FreiheitPT


P.S.
Mar 12, 2016 3:46AM PST

I require that my other LAN use my server as the main DNS (with caching and forwarding), and I would like to keep the DNS on the LAN and not internet. I don't want the internet to be able to know about my internal "websites/links", etc.

And that broke the idea of the VPN.
Mar 12, 2016 10:04AM PST

Sorry but your VPN goal conflicts with this idea so no. You'll have to chat with your IT staff about a new plan. This is going to take more words than fit in this text box to cover so I'll keep it short.

SSL/HTTPS and restricted access as a option?
Mar 12, 2016 10:26AM PST

Well, there is no IT staff Silly
It is only as a "study case".
I suppose then that the best way would be to have all these services online, but restrict access to them to only those I want (only allowing specific IPs) and with SSL encryption. Or am I wrong?
As I don't have enterprise internet, I don't have "mega" uploads, and I just wanted to keep the "VPN" traffic to a minimum.
I was trying around, and I managed to configure OpenVPN in almost the way I would like.
Client-to-server VPN connection, with some route configs that the server passes to the client, and I'm able to ping any PC on the server side. But I can't ping any client from the server (until now).
But thanks for your time in answering me.
Best Regards

This sounds more like a filter than a VPN.
Mar 12, 2016 10:44AM PST

Maybe a SQUID box will do what you wanted? That way you can filter as you wish. SQUID, its use and configuration, is something the size of a textbook, so again I must be short.

Thanks
Mar 12, 2016 10:59AM PST

No worries about that.
I can also google for how to configure it. For sure there is enough info about that.
Pointing me in the right direction is what I need =).
In your opinion, what would you do in my scenario?
(To be specific: if someone has to make a download, goes to YouTube, etc., it doesn't go through an encrypted tunnel, but if you want to access, for example, IPs beginning with 192.168.X.X, then that traffic goes through that tunnel.)
And DNS requests would always go through that tunnel, so internal websites can be resolved on an internal network level and do not "go to the internet".
That squid box?
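As an added example that is not part of the original thread: the split-tunnel behaviour described in the two posts above (only the 192.168.x.x subnets and DNS through the tunnel, everything else via the client's normal gateway) written as an OpenVPN server configuration, including the client-config-dir `iroute` that lets the server side reach the remote client's LAN. The subnets, the DNS address, the domain and the client name are placeholder assumptions.

```conf
# server.conf (added example; all addresses and names are assumed placeholders)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0          # tunnel address pool (assumed)
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0                      # HMAC on the control channel
cipher AES-256-GCM

# Split tunnel: push only the internal subnet. There is deliberately no
# "redirect-gateway", so internet traffic keeps using the client's own
# default gateway and never enters the tunnel.
push "route 192.168.10.0 255.255.255.0"    # server-side LAN (assumed)

# Send DNS queries through the tunnel to the internal caching resolver,
# so internal hostnames are resolved on the LAN and never leave it.
push "dhcp-option DNS 192.168.10.1"        # internal DNS server (assumed)
push "dhcp-option DOMAIN intranet.example" # internal search domain (assumed)

# Reaching the client's LAN from the server side needs two things:
# a kernel route pointing at the tunnel interface ...
route 192.168.20.0 255.255.255.0           # client-side LAN (assumed)
# ... and a per-client iroute telling OpenVPN which client owns that subnet.
client-config-dir ccd

keepalive 10 60
persist-key
persist-tun
verb 3

# ccd/site-router  (separate file, named after the client certificate's
# Common Name; "site-router" is an assumed name)
iroute 192.168.20.0 255.255.255.0
```

Both endpoints need IP forwarding enabled, and the LAN hosts on each side need a return route for 10.8.0.0/24 and the other side's subnet via their local VPN endpoint (or NAT on the endpoint). On Linux clients the pushed DNS options only take effect through an up script such as update-resolv-conf; Windows clients apply them to the adapter directly.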

keep in mind what a VPN is.
Mar 12, 2016 1:00PM PST

A VPN would not be a VPN if it mixed security like that so no to that idea.

Squid and such would let you get this from that interface and that from another interface. Most folk I know buckle under the work this takes to setup but it is something you would do in Squid and Iptables.

Squid alone without all that bother may be enough since we can cache almost all things locally if your real goal was to preserve your internet bandwidth and byte count.

Interesting...
Mar 12, 2016 2:00PM PST

I'm interested in that squid box. Going to read about it.
I know that VPN is supposed to join various LANs into one (so to speak). I didn't know about the squid box. Thanks for the information!

That would be news to me.
Mar 12, 2016 2:52PM PST

A VPN is used when I want to plug my PC into another network over a "virtual connection." All local traffic and what's on my LAN vanishes. This can really trouble folk that want to VPN and print to a local LAN printer.

Think of the VPN like this. Your PC has one Ethernet cable. You plug it into your LAN or you plug it into your VPN host's LAN. It can't plug in both places.

Why news?
Mar 12, 2016 2:58PM PST

Well, if you use your router as the VPN "client" (that is what I had in mind; my router even has OpenVPN client and server capabilities).
So if I connected using the computer itself, then only that computer would be connected (although one can play around with routes).
At least that is what I've learned about VPNs.

If that fulfills your need, use it.
Mar 12, 2016 3:04PM PST

But I read above you wanted to do more than what a VPN does. And part of what you wrote broke what I see VPNs do so it was time to discuss other solutions.

But if you say this works, go for it.

Gonna check squid box out
Mar 12, 2016 3:11PM PST

Well, I'm aware that this is not the way a VPN would normally work, but I didn't know about any other solutions.
But I'm definitely going to check the squid box out.
Yes, I want to do more than what a VPN normally does Silly
That is why I asked for other solutions =)

To me this would be Squid and Iptables.
Mar 12, 2016 3:17PM PST

And again, to me and now decades of networking, a VPN is, in its simplest description, me plugging into a network. What a VPN is, is tightly defined, so I have to take the short version here.

If I read your top post right and I did read it more than once, that's not a VPN but something else.

-> I'm guessing here you are trying to preserve bandwidth but that wasn't really stated.

My answer is to get a Squid with Iptables to do what you want.

Post was last edited on March 12, 2016 3:36 PM PST

You are right. Sorry that I wasn't specific enough
Mar 12, 2016 3:21PM PST

Yes, I definitely want to save bandwidth, have secure connections and have internal websites be only internally accessible.

(NT) Then, definitely, Squid and Iptables.
Mar 12, 2016 3:37PM PST
(NT) Going to do that then. Thanks a lot!
Mar 12, 2016 3:38PM PST