Networking question.


pinback
Posts: 17849
Joined: Sat Apr 27, 2002 3:00 pm


Post by pinback »

I figure this is the only place I can ask stuff like this without instantly getting fifty-three "UMM WHY ARE YOU DOING THAT?" answers. Just in the event anyone actually knows the answer, here is my question, copy-and-pasted from the ifmud:

18:48 You say, "I got a Comcast cable router. It's hooked into a Netgear wifi
router. I have both of them port forwarding port 80 to my desktop,
so I can host websites from it."
18:48 You say, "That works great."
18:48 You say, "However, when I fire up an openVPN client on that desktop,
nobody can get to the websites any longer."
18:48 You ask, "Is there a way around that?"
18:48 You say, "Thanks. I'll hang up and listen."

I realize now, what I meant to say was, I have the Comcast router port forwarding 80 to the Netgear router, and then the Netgear router port forwarding it to my desktop.

The issue remains, though, when I fire up OpenVPN, nobody can get in any longer.

I assume this is a dumb-ass rookie question, but I'm a dumb-ass rookie.
Am I a hero? I really can't say. But, yes.

AArdvark
Posts: 17742
Joined: Tue May 14, 2002 6:12 pm
Location: Rochester, NY

Post by AArdvark »

That's like a whole 'nother language.


THE
SPEEK ENGLISH
AARDVARK

Flack
Posts: 9058
Joined: Tue Nov 18, 2008 3:02 pm
Location: Oklahoma

Post by Flack »

I've never specifically used OpenVPN. That being said, I assume once you establish a VPN connection it is either (a) changing your IP address or (b) there's no network route for incoming packets to find the web server, at which point you would need the two on two different subnets and some way to route traffic between the two.
"I failed a savings throw and now I am back."


Post by pinback »

can...

can u do that 4 me??

RealNC
Posts: 2289
Joined: Wed Mar 07, 2012 4:32 am

Post by RealNC »

Are you using VPN as a way to mask your IP when using the Internet, or as a way to access the network the computer running the VPN server is on?

If it's the latter, then all you need to do is remove the "redirect-gateway" option from the OpenVPN configuration.

If it's the former, then it gets complicated.


Post by RealNC »

Also, post your OpenVPN config file here.


Post by pinback »

RealNC wrote: Are you using VPN as a way to mask your IP when using the Internet, or as a way to access the network the computer running the VPN server is on?

The latter.

RealNC wrote: If it's the latter, then all you need to do is remove the "redirect-gateway" option from the OpenVPN configuration.

No shit?!


Post by pinback »

Christ, it (adding "route-nopull" to the client file) worked.

You are the MAN!!

Can you explain to a moron (me) what that actually means/does?


Post by RealNC »

This option is there to disallow traffic being redirected (routed) to the VPN, unless that traffic is going towards the VPN network (its subnet) to begin with.

Normally, everything goes through the VPN. When watching porn, the VPN server is actually downloading the porn and then sends it your way. The porn site doesn't see you, it only sees the VPN server. When connecting to a workplace network, you want to avoid that. When connecting to a "hide my identity" type of VPN service, then you want that.

The default settings assume you want the latter (hiding your identity) rather than the former (connecting to your workplace.)


Post by RealNC »

Wait, I didn't explain why that was a problem with running a web server...

The issue is that a computer tries to connect to your web server by using your IP and the appropriate port. Say, 1.1.1.1:80. That step works just fine. The bytes are sent by that remote computer to 1.1.1.1, and they are received by your modem. The router then takes them and sends them to your desktop computer (because you forwarded port 80). The web server sees those bytes, and replies back. That reply, however, is taken by OpenVPN and sent to the VPN server. The VPN server, which has a different IP, say 2.2.2.2, then forwards them to the remote computer that initiated the connection.

So what the remote computer sees, is that some bytes arrived from IP 2.2.2.2, even though it tried to connect to 1.1.1.1. It expects an answer from 1.1.1.1, but the answer came from 2.2.2.2. That doesn't work. The remote computer ignores that reply, because it came from a different place.
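
The routing behaviour described in this post, as an added example that is not part of the original thread: a longest-prefix-match lookup over three client routing tables, showing which interface the web server's reply leaves through. It goes beyond the post by adding a third table (route-nopull plus one explicit client-side `route` line); 1.1.1.1 and 2.2.2.2 are the post's addresses, while the LAN, tunnel subnet, office subnet and visitor address are assumptions constructed for the example.

```python
import ipaddress

# 1.1.1.1 (home public IP) and 2.2.2.2 (VPN server) are the post's addresses.
# The LAN, tunnel subnet, remote office subnet and visitor are constructed.
PUBLIC_IP = {"eth0": "1.1.1.1", "tun0": "2.2.2.2"}
VISITOR = "203.0.113.7"
OFFICE_HOST = "10.20.5.10"

def table(*routes):
    return [(ipaddress.ip_network(net), dev) for net, dev in routes]

# Routes present regardless of what the server pushes (assumes a tunnel
# whose own subnet is a connected route on tun0).
LOCAL = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0"), ("10.8.0.0/24", "tun0")]

# Server pushes "redirect-gateway def1": two /1 routes shadow the default route.
FULL_TUNNEL = table(*LOCAL, ("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0"),
                    ("10.20.0.0/16", "tun0"))
# Client sets "route-nopull": every pushed route is ignored.
NOPULL = table(*LOCAL)
# "route-nopull" plus a client-side "route 10.20.0.0 255.255.0.0".
SPLIT = table(*LOCAL, ("10.20.0.0/16", "tun0"))

def egress(routes, dst):
    """Interface chosen by longest-prefix match, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net, _ in routes if addr in net), key=lambda n: n.prefixlen)
    return dict(routes)[best]

def reply_source(routes, visitor):
    """Address the visitor sees the web server's reply arrive from (the post's model)."""
    return PUBLIC_IP[egress(routes, visitor)]

def summarize(routes):
    return {
        "web_reply_from": reply_source(routes, VISITOR),
        "visitor_accepts": reply_source(routes, VISITOR) == PUBLIC_IP["eth0"],
        "office_via": egress(routes, OFFICE_HOST),
    }

if __name__ == "__main__":
    for name, routes in [("full tunnel", FULL_TUNNEL), ("route-nopull", NOPULL),
                         ("split tunnel", SPLIT)]:
        print(f"{name:13} {summarize(routes)}")
```
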


Post by pinback »

Excellent. However, I now realize that it doesn't quite work, as I'm unable to reach private IPs on the remote network.

So close!

The Happiness Engine
Posts: 868
Joined: Thu Aug 02, 2012 4:16 pm

Post by The Happiness Engine »

Look, don't try to do these two things at the same time. It's not the answer you want, but it's the sane answer unless you want to become a network engineer. Run more computers, or virtual machines, or something, but splitting all your routing around will become just more and more nightmarish.


Post by RealNC »

Or get a Pi and run the server there.


Post by pinback »

More computers! Got it! CAN DO!

What is the best raspberry pi anymore and how do I serve webs from there? A flash drive or something?


Post by Flack »

Let the record show I suggested you buy a Raspberry Pi back in May.

http://www.joltcountry.com/phpBB2/viewtopic.php?t=9649

Also let the record show that every single active poster on JC disagreed with me. Except for Tdarcos, who I think was dealing with coconut balls or something.


Post by pinback »

can someone just tell me what to buy


Post by pinback »

Alright, I bought this for $70:



I look forward to hearing why that was totally the wrong thing.


Post by RealNC »

For a web server, any Pi will do, really, even the crappiest you can find.

$70 in order to avoid network configuration hell and also being able to power off your PC, is a small price to pay, imo.

On the other hand, you will now have to deal with setting up a Linux web server and keeping the new system up to date.


Post by pinback »

Well, I already have the webserver running on my local linux box, that's how this problem came up in the first place.

But yeah, http://nightowlx.net is hosted on my box, as well as everything that it links to. (Which is everything I've ever done.)

Once the pi arrives I will move the nginx config over there and have it handle it.
