how to accelerate IPSec tunnel using “relay” server - ipsec

I established an IPSec tunnel using StrongSwan between two counties far away, and I want to deploy a “relay” server between these two counties to accelerate the tunnel network.
What should I do? Any help?

Related

SSH and VPN split tunneling Windows 2012 server

I hope someone can point me in the right direction.
I have a Windows Server 2012R2 running Bitvise SSH server, for the sake of simplicity it has only one ethernet card. SSH listens to 192.168.1.115 port 22.
When the server is connected to the internet with VPN (NordVPN client > I cannot edit config) the SSH connection is no longer working. I believe this is very normal as the VPN changes the gateway and routes all, including SSH, packages through it.
I was hoping it is possible to simply edit the routing table or similar so that all SSH packages on 192.168.1.115 port 22 are routed to the original gateway (the gateway before VPN is connected so to speak) and that all other are routed via the VPN gateway.
Alas, I have no idea how to start with this split tunneling. Maybe there are tools or other solutions for this? I have searched high and low but did not find an easy answer.
Looking really forward to your expertise. Thank you.
With best regards,
ShadowHunter

Is there a way to remote debug on a different subnet in Visual Studio?

I have a client who is remote. I need to debug some weird problem that none of my other clients are having. Before I try and set up a conference with this client, I would like to know if there is some way of remotely debugging our application.
I see that there are remote debugging tools available for Visual Studio, but from what I've read, I need to be on the same subnet. As the person is remote, this is not a possibility. Also, as I'd like to keep our connection secure, I would need to connect up some sort of encrypted tunnel (this is where I'm a little fuzzy as my networking skills are mostly theoretical).
As I understand it, an encrypted tunnel is a bridge to another (different) subnet. This is to ensure that those computers on the other side won't interfere with the local subnet computers.
So, because the client's computer is on a different subnet, I think that this is not possible. Or is it? Should there not be a way of making the client's computer show up as a virtual computer on my subnet, by forwarding packets from one subnet to another? I would think that this is theoretically possible, but I'm not exactly sure how I would go about this.
Also, at the moment, my current way that we connect to clients is through GoToMeeting, but I don't think that it supports tunneling. If not, then I may need some way of generating a tunnel, so I was also thinking of maybe using some SSH programme like PuTTY.
As I have said before, my knowledge of networking is quite theoretical, so if the tools that I am suggesting are not the correct ones, please correct me. (I'm a programmer, damn it! Not a network engineer!)
Both computers are Windows boxes. Windows 10 (client) and Windows 8.1 (development).
If you can connect to an ssh server in the remote network, you can (subject to configuration on the server) create a tunnel such that you connect to a socket on your local PC and the connection appears from the server to an endpoint on the remote network.
You'll want to investigate the -L command of OpenSSH, which combined with the PuTTY docs, should help explain what's required.
By default, the endpoint would be a port on the ssh server, but it could be a port on a different host that the remote server can connect to.
I'm not familiar with the current state of Windows SSH servers, but even if there isn't a system server to hand, you should be able to have one run 'on demand' - if you run it on a non-privileged port and by the user you want to connect in as, it shouldn't even need Admin privileges.
I'm not familiar with GoToMeeting, but the one thing with SSH tunnelling is that IT depts should be familiar with SSH. If trying that, focus on getting a working connection in, then setting up the tunnel, then connecting through it as separate steps.
Once you have an SSH connection, then it doesn't need to do something itself, and you can then investigate connecting while specifying the port forwarding, but you will need to get the basic connection working correctly first.

How does a service such as tunnlr work?

The website says:
Tunnlr uses SSH remote tunneling. It securely connects a port on your
local machine to an open port on our public server. Once you start
your Tunnlr client, the web server on your local machine will be
available to the rest of the world through your special Tunnlr URL.
Could someone please go into a bit more detail over how this entire process works? Or maybe point to something open source that allows the same thing?
The SSH protocol allows tunneling of connections in either direction. So based on the description above here's what is happening:
1. You download a client program (an SSH client) to your computer and run it.
2. The client establishes an SSH connection out from your computer to the tunnlr remote server.
3. On the tunnlr server an access port is opened for incoming connections. Let's say port 1234.
4. Now when anyone connects to tunnlr:1234 the tunnlr server will instruct your client program through the connection established in step 2 to open a connection inside your computer - let's say to port 80 (e.g. you're running a webserver there).
5. The tunnel connection will now shuffle data between tunnlr:1234 and your_computer:80.
So effectively this is what is running:
[some_remote_computer]<->[tunnlr:1234]<->[SSH tunnel]<->[your_computer:80]
Assume some_remote_computer is your friend or anyone else you want to be able to connect to your local web server.
SSH is available for many platforms (Linux, Windows, OSX and more). You can build such tunnels quite easily with it, but you will of course need access to both computers you want to build the tunnel between. Let's say one computer is your own computer and another is a VPS you've rented (or any other remote server with SSH access). Now you can run exactly the same setup.
The advantage with tunnlr is they manage the remote server for you, and they have a registered hostname you can use for your tunnels.
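The connection flow in the steps above, reduced to plain TCP on loopback, as an added example that is not part of the original answer and is not Tunnlr's or OpenSSH's code. It only shows which side dials out and where data is spliced; it has none of the encryption or authentication that SSH provides, and every name and port in it is constructed for illustration.

```python
import socket, threading

def pipe(src, dst):  # copy one direction until src hits EOF, then half-close dst
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone or timed out

def splice(a, b):  # step 5: shuffle data in both directions
    t = threading.Thread(target=pipe, args=(a, b), daemon=True)
    t.start()
    pipe(b, a)
    t.join()
    a.close(); b.close()

def listener():
    s = socket.create_server(("127.0.0.1", 0))  # constructed: loopback, random port
    return s, s.getsockname()[1]

def relay(control, public):
    tunnel, _ = control.accept()   # step 2: the client dialled OUT to the relay
    visitor, _ = public.accept()   # steps 3-4: a visitor hits the relay's access port
    splice(visitor, tunnel)

def client(control_port, local_port):
    tunnel = socket.create_connection(("127.0.0.1", control_port), timeout=5)
    first = tunnel.recv(4096)      # step 4: traffic arrives over the existing tunnel...
    local = socket.create_connection(("127.0.0.1", local_port), timeout=5)
    local.sendall(first)           # ...and only then is the local service contacted
    splice(tunnel, local)

def local_service(sock):
    conn, _ = sock.accept()        # stands in for the web server on your_computer:80
    conn.sendall(b"served by your_computer: " + conn.recv(4096))
    conn.close()

def demo():
    (svc, svc_port), (ctl, ctl_port), (pub, pub_port) = listener(), listener(), listener()
    for fn, args in ((local_service, (svc,)), (relay, (ctl, pub)), (client, (ctl_port, svc_port))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    visitor = socket.create_connection(("127.0.0.1", pub_port), timeout=5)
    visitor.sendall(b"GET /")
    visitor.shutdown(socket.SHUT_WR)
    return b"".join(iter(lambda: visitor.recv(4096), b""))  # read until EOF

if __name__ == "__main__":
    print(demo())
```

The local service never accepts an inbound connection from outside: the only connection crossing the network boundary is the one the client opened outward, which is why anything listening on the forwarded local port becomes reachable by whoever can reach the relay's access port.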

How to use IPSec / Openswan with Amazon's Virtual Private Cloud (VPC) and EC2?

Does anyone know how to use Openswan to create an IPSec tunnel to a Cisco router on EC2?
I keep reading that people can or they cannot set up the IPSec tunnels on Amazon's cloud. Is it possible or not?
If so, can someone point me to a tutorial where it was successful?
Update
AWS has just dropped the requirement to establish Border Gateway Protocol (BGP) peerings in order to use the built in VPN connectivity to an Amazon Virtual Private Cloud (VPC), see Amazon VPC - Additional VPN Features:
You can now create Hardware VPN connections to your VPC using static
routing. This means that you can establish connectivity using VPN
devices that do not support BGP such as Cisco ASA and Microsoft
Windows Server 2008 R2. You can also use Linux to establish a
Hardware VPN connection to your VPC. In fact, any IPSec VPN
implementation should work. [emphasis mine]
The outlined reason for this change specifically highlights BGP as a previous barrier to adoption of this otherwise very appealing VPN connectivity to a VPC:
First, BGP can be difficult to set up and to manage, [...]. Second, some firewalls and entry-level
routers support IPSec but not BGP. These devices are very popular in
corporate branch offices. As I mentioned above, this change
dramatically increases the number of VPN devices that can be used to
connect to a VPC. [...]
I couldn't agree more - accordingly you should now be able to facilitate Openswan (or the built in Linux IPSec stack) to connect to the respective built in VPC IPSec functionality.
Initial Answer
A related tutorial based on Racoon is available at Amazon VPC with Linux. However, before you dive into that, I highly recommend to read the referring article Connecting to Amazon VPC first, at least section Using Linux as VPN Server:
Let us say you have decided to use some linux for your VPN server. For
an IPSec newbie there is no obvious reason that this is a bad idea.
And because one soon finds a tutorial like
http://openfoo.org/blog/amazon_vpc_with_linux.html it seems possible
to perform that task. Following this tutorial you should be able to
ping the two BGP servers from your VPN server. [...] But after that point you will
start to get in trouble. Maybe you are able to connect to a server in
your VPC. But there is one thing you won’t get working stable:
Connecting from the VPC to some server in your home net
192.168.1.1/24. That is because linux has a policy-based IPSec implementation. [...]
Consequently the author concludes:
And the last and most important reason is that Openswan is not
intended to be used that way. Abusing software in a security relevant
place doesn’t seem to be a good idea. [emphasis mine]
YMMV as usual, but you have been warned ;)

How to setup an Amazon VPC gateway without a Cisco/Juniper router?

I would like to setup an Amazon's VPC gateway to my server. I do not have a Cisco or Juniper router, but found the OpenSolaris VPC Gateway, supposedly addressing this use case (see their wiki for details).
Anyone tried to build this on Linux?
I ended up using openvpn access server ami in a vpc:
http://openvpn.net/index.php?option=com_content&id=493
and
http://sysextra.blogspot.com/2011/01/creating-virtual-private-cluster-with.html
for setting the iptables or using your own openvpn server
Using an Amazon Virtual Private Cloud (VPC) gateway without advanced/expensive hardware routers is meanwhile much easier, because AWS has just dropped the requirement to establish Border Gateway Protocol (BGP) peerings in order to use the built in VPN connectivity, see Amazon VPC - Additional VPN Features:
You can now create Hardware VPN connections to your VPC using static
routing. This means that you can establish connectivity using VPN
devices that do not support BGP such as Cisco ASA and Microsoft
Windows Server 2008 R2. You can also use Linux to establish a
Hardware VPN connection to your VPC. In fact, any IPSec VPN
implementation should work. [emphasis mine]
The outlined reason for this change specifically highlights BGP as a previous barrier to adoption of this otherwise very appealing VPN connectivity to a VPC:
First, BGP can be difficult to set up and to manage, [...]. Second, some firewalls and entry-level
routers support IPSec but not BGP. These devices are very popular in
corporate branch offices. As I mentioned above, this change
dramatically increases the number of VPN devices that can be used to
connect to a VPC. [...]
I couldn't agree more - accordingly, if so desired, you could drop OpenVPN now in favor of a connection between the built in Linux IPSec stack (or a dedicated package like Openswan/strongSwan) and the respective built in VPC IPSec functionality.
