[TriLUG] linode, VPN, SSH

Brian McCullough bdmc at buadh-brath.com
Thu Aug 28 11:39:20 EDT 2014


On Wed, Aug 27, 2014 at 05:12:02PM -0400, Kevin Otte wrote:
> You generally want to avoid running anything GUI on the Linode. It's
> doable, but you will experience pain. Also, you'll probably want to keep
> the F5 NAP on the laptop so that your experience is similar to what you
> already have.
> 
> What I envision (with some made up addresses in the hopes the commands
> make sense):
> 
>            eth0
> +--------+ 192.0.1.1    198.51.100.1 +-----------------+
> | linode | ------------------------- | vpn.federal.gov |
> +--------+                           +-----------------+
>     | tun0
>     | 10.0.100.1
>     |
>     |
>     | 10.0.100.2
> +--------+
> | laptop |
> +--------+
> 
> Configure OpenVPN to create a tunnel to your Linode in private address
> space. This should be doable with the documentation I provided in
> response to [1], namely
> https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7.
> 
> Configure the Linode to do NAT on packets coming from our VPN to the
> Internet:
> root at linode:~# iptables -t nat -A POSTROUTING -s 10.0.100.0/24 -o eth0 -j MASQUERADE
> (exact syntax may differ. I'm doing this from memory)
> 
> Configure the laptop to route traffic to vpn.federal.gov over the Linode
> VPN:
> root at laptop:~# ip route add 198.51.100.1 via 10.0.100.1
> 
> At this point we can verify all is working: If you do a traceroute to
> vpn.federal.gov you should see the first hop be 10.0.100.1, the next hop
> thereafter the Linode gateway, and so on. All the rest of your usual
> traffic should be flowing through your normal default route.
> 
> Now you can bring up the F5 NAP on your laptop just like you normally
> would. It won't see any difference. This mitigates the lack of proxy
> support because as far as the NAP is concerned, it's still just using a
> straight connection. You've just bent the pipe a little bit. :)

I also support this plan, very nicely described.

It is very similar to something that I had to do a couple of weeks ago,
while I was travelling.  In my case, my laptop was in the place of
Kevin's linode machine, and another machine was where he shows "laptop."
That second machine was trying to authenticate to the ".gov" machine,
but didn't have a path to it.

Once we got the firewall rules straightened out, everything worked like
a charm.


Brian
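The Linode-side NAT, the laptop-side route and the traceroute check from Kevin's plan, written out as an added example (not commands from either mail). It keeps his made-up addresses; the `run` dry-run wrapper, the `-d` restriction that limits the NAT to the one .gov endpoint, and the FORWARD rules are my additions.

```shell
#!/bin/sh
# Added example. DRY_RUN=1 (default) only prints the commands, so the
# script runs on any box; set DRY_RUN=0 on the real hosts as root.
DRY_RUN="${DRY_RUN:-1}"
VPN_NET="10.0.100.0/24"   # OpenVPN tunnel subnet from Kevin's diagram
TUN_GW="10.0.100.1"       # Linode's tun0 address
TARGET="198.51.100.1"     # vpn.federal.gov (made-up address from the post)
WAN_IF="eth0"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Linode side: enable forwarding and masquerade tunnel traffic leaving
# eth0. Restricting the NAT and FORWARD rules to the single destination
# keeps the Linode from becoming a general gateway for anything that
# reaches tun0.
linode_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -d "$TARGET" \
        -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i tun0 -o "$WAN_IF" -d "$TARGET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o tun0 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Laptop side: only the .gov endpoint goes through the tunnel; all other
# traffic keeps the normal default route.
laptop_route() {
    run ip route add "$TARGET/32" via "$TUN_GW"
}

# Verification: given the output of "traceroute -n $TARGET" run on the
# laptop, return 0 when hop 1 is the tunnel gateway (the pipe is bent
# through the Linode) and 1 otherwise.
first_hop_ok() {
    printf '%s\n' "$1" | awk -v gw="$TUN_GW" '
        $1 == "1" { ok = ($2 == gw) ? 1 : 0; exit }
        END { exit !ok }'
}
```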
