VPN Problems

Here is a problem I’ve been struggling with for weeks. If you know the solution, I will give you $150. If you point me somewhere else where I find the solution, I will give you $50.

The environment:

  1. The whole office network is behind a BEFVP41 V2
  2. The BEFVP41 V2 forwards http and mail ports to the web and mail servers.
  3. There is no local DNS server
  4. When on the local network, if we try to hit the webserver using the domain name, it DOES work. This makes intuitive sense, but has always seemed a bit strange to me. If I knew more about networking I would know if this was standard behavior, or if Linksys is doing some hackish static routing to make its consumer-level routers more user-friendly. So anyway, to clarify: the domain name resolves to the router’s WAN IP. So internal traffic to that domain name goes to the router, expecting to find the host outside of the network, but then the request gets forwarded back inside the network to the mail or web servers. (All the mail logs report requests as coming from 192.168.1.1, the router’s internal address.)

What works: I have successfully created a vpn connection between a remote machine and the office network. While connected I can ping and ssh onto machines on the office network using their local addresses. I can even use the OS X Server administration tools, Server Admin and Workgroup Manager.

What doesn’t work:

  1. I have Apache configured so that certain parts of our website, like the documentation wiki, can only be accessed from the local network. When I try to access these areas when connected via the VPN, it says access denied. SO: Apache is seeing my Internet IP and not my local IP.
  2. Our mail server is (of course) set up to not be able to act as a relay. From my remote location, even if I hardcode the incoming and outgoing mail servers to the mail server’s local network IP, I can receive email and send email to addresses inside our domain, just as I can with no VPN. But it won’t let me send email to addresses outside of the domain.

CONCLUSION: the VPN is essentially acting as an encrypted port forwarder, but my presence on the office network is still that of an Internet IP.

(updated to simplify some language and remove irrelevant symptoms)

4 Responses to “VPN Problems”


  1. Josh Myer

    Drop me a line of when you’re in CH next; it’ll be a lot easier for me to look at this from one the VPN (i could troubleshoot it without that, but it’s a total pain in the butt =).

  2. Josh Myer

    Oh, and if you’re not going to be in town for a bit: check the VPN IP block assignment. You’re interested in the Remote Secure Group: it’s usually 192.168.2.0/255.255.255.0. You’ll probably want to add this to your configurations. Alternately, you can change your Local Secure Group to 192.168.1.0/255.255.255.128 and your Remote Secure Group to 192.168.1.128/255.255.255.128. This will cut your two subnets in half, but should be fine. You’ll still have 126 Local IPs and 126 VPN IPs, without having to change any server configs. You _will_ want to twiddle the settings of any static IPs you have, though.

    All that said: you really want to just add 192.168.2.0/255.255.255.0 (or whatever your Remote Secure Group is) to your server configs as “local” addresses.
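    An added example (not part of the original post or comments) that checks the address plan Josh describes: it classifies a few constructed client addresses against a LAN-only rule and against a LAN-plus-Remote-Secure-Group rule, and carves the /24 into the two /25 halves he proposes. The 192.168.2.0/24 VPN block is assumed, as in his comment.

```python
import ipaddress

# Address plan taken from the thread: the office LAN is 192.168.1.0/24 and
# the router's Remote Secure Group (VPN clients) is assumed to be 192.168.2.0/24.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample of client addresses as the web or mail server would see them.
SAMPLE_CLIENTS = {
    "192.168.1.42": "LAN workstation",
    "192.168.1.1": "router (LAN traffic hairpinned via the WAN name shows up as this)",
    "192.168.2.17": "VPN client in the Remote Secure Group",
    "203.0.113.9": "Internet client (documentation address)",
}


def is_local(client_ip, trusted_nets):
    """True if client_ip falls inside any of the trusted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in trusted_nets)


def classify(trusted_nets):
    """Map each sample client to the allow/deny decision a subnet-based rule gives."""
    return {ip: is_local(ip, trusted_nets) for ip in SAMPLE_CLIENTS}


def split_lan(lan="192.168.1.0/24"):
    """Josh's alternative: carve the /24 into a local /25 and a VPN /25."""
    local_half, vpn_half = ipaddress.ip_network(lan).subnets(prefixlen_diff=1)
    return local_half, vpn_half


def usable_hosts(net):
    """Host addresses minus the network and broadcast addresses."""
    return net.num_addresses - 2


if __name__ == "__main__":
    before = classify([LOCAL_NET])            # LAN-only rule, as in the original setup
    after = classify([LOCAL_NET, VPN_NET])    # LAN plus the Remote Secure Group
    for ip, who in SAMPLE_CLIENTS.items():
        print(f"{ip:14} {who:62} before={before[ip]!s:5} after={after[ip]}")
    a, b = split_lan()
    print(f"split: {a} ({usable_hosts(a)} hosts) / {b} ({usable_hosts(b)} hosts)")
```

    With the LAN-only rule the VPN client is denied, which is the symptom in the post; adding the VPN subnet admits it without touching the LAN rule. Note that a subnet rule cannot tell hairpinned traffic arriving as 192.168.1.1 apart from a host on the LAN.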

  3. JJB

    Thanks Josh. That’s exactly what I did in the end actually. The only problem now is that since the remote machine doesn’t consider centerline.net in the secure group, it just hits the router using en0, so the router and web and mail server don’t think that it’s local.

    Solution is to run my own dns server. Although even then people will _have_ to be on the vpn in order to hit the web server.

    Gah.

    Maybe more expensive routers take care of these things.

    Anyway thanks anyway Josh. Since you are the only one who responded I will buy you lunch sometime.

  4. JJB

    Oh and I forgot to specify that I did that setup before you suggested it, hence lunch instead of 150 bones :-)
