Simulate VPN connection in docker - linux

I want to simulate VPN traffic on my machine. I've set up a VPN server which runs inside a docker image. I can successfully log in. The problem is that the docker image is running on my machine on docker's default bridge - docker0.
There is no change whether I connect to the machine using the VPN or not. It is still reachable due to the bridge. I'm wondering whether the machine should be on a different (simulated) LAN. Is there a way to simulate a VPN connection in docker?

The client needs to be on a different subnet from that of docker0, otherwise you will always connect directly.
Think about the basics of setting up a VPN tunnel: you run a VPN so that you can connect two endpoints and make it so that those two endpoints on the same subnet can talk to each other across a public net.
When both your client and your VPN server are running on the same subnet then, well, there's no need to set up a VPN!
Hope it helps.

Related

GCE Linux VM Can't access peer VPN hosts

I have an issue with Google Cloud VPN and tunneling to a peer VPN. The tunnel is up and running but I cannot connect to any points on the peer network from my GCE VM.
My setup looks like the following:
A custom VPC network with one internal IP range. Let's call it custom-net
A classic VPN Gateway with an IPsec tunnel to a peer VPN. The tunnel has status Established. The VPN Gateway has a Reserved IP address assigned to it. The VPN Gateway's VPC network is custom-net.
Three routes on custom-net:
Local route to the only subnet, prio 1000
To default internet gateway, prio 900
To the gateway tunnel, prio 1000
A fresh Linux VM in GCE. Let's call it vm1. It has one network interface on custom-net on its only sub network.
Two firewall rules in GC that allow everything Ingress and Egress.
I can connect to vm1 with ssh and access the internet from it, but I cannot access any points in the peer VPN despite the tunnel having status Established. The IP range on custom-net does not overlap with any ranges on the peer network.
What could be the issue here? I'm a novice in network setups. Could it be something missing in the routing, or do I have to do some configuration in vm1 to get this to roll?
Any help appreciated!
For the routes, Google Cloud automatically creates one route for each remote IP range you specify. This shouldn't be an issue.
That said, several points can be checked to further troubleshoot this:
If you use a policy-based tunnel, make sure the IP addresses you are trying to reach are declared in your traffic selectors. Moreover, check the Stackdriver logs for the tunnel to see if the aforementioned IP ranges are being negotiated. You can use this advanced filter:
resource.type="vpn_gateway"
resource.labels.gateway_id="your_gateway_id"
textPayload="established"
Kindly expand the logs and check the "textPayload:" field to see if the destination IP range is being negotiated.
Confirm you can ping the Remote Peer Gateway from VMs in GCP.
Run mtr from both sides and see where packets are being dropped.
Get tcpdumps from the remote gateway and another from the Google Compute Engine instance while doing connectivity tests (ping, mtr) so you can analyze packet flow.
See the VPN Interop Guides page for guides that describe some supported third-party VPN devices and services. This may give you some tips on how to configure specific devices to work with Cloud VPN.
Consult Cloud VPN Troubleshooting for additional details.
I hope this helps.
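To make the Stackdriver check concrete, here is an added Python example (not part of the answer above, and not Google's code) that applies the same three conditions as the advanced filter to log entries and then tests whether a source/destination pair falls inside the traffic selectors the tunnel negotiated. The entries are constructed for illustration; the exact wording of real Cloud VPN log payloads may differ, so the selector regex and the substring match on textPayload are assumptions to adapt.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

# Constructed sample entries in the rough shape of Cloud Logging JSON
# (resource + textPayload). They are illustrations, not captured output.
SAMPLE_ENTRIES: List[Dict] = [
    {"resource": {"type": "vpn_gateway", "labels": {"gateway_id": "gw-example"}},
     "textPayload": "established CHILD_SA: TS 10.128.0.0/20 === 192.168.50.0/24"},
    {"resource": {"type": "vpn_gateway", "labels": {"gateway_id": "gw-example"}},
     "textPayload": "established CHILD_SA: TS 10.128.0.0/20 === 192.168.51.0/24"},
    {"resource": {"type": "vpn_gateway", "labels": {"gateway_id": "gw-other"}},
     "textPayload": "established CHILD_SA: TS 10.128.0.0/20 === 10.200.0.0/16"},
    {"resource": {"type": "gce_instance", "labels": {"instance_id": "123"}},
     "textPayload": "established ssh session"},
]

# Assumed payload shape: "TS <local selector> === <remote selector>"
SELECTOR_RE = re.compile(r"TS\s+(\S+)\s+===\s+(\S+)")


def matches_filter(entry: Dict, gateway_id: str) -> bool:
    """Mirror the three conditions of the advanced filter quoted in the
    answer: resource.type, resource.labels.gateway_id and textPayload
    (substring match on "established" assumed here)."""
    res = entry.get("resource", {})
    return (res.get("type") == "vpn_gateway"
            and res.get("labels", {}).get("gateway_id") == gateway_id
            and "established" in entry.get("textPayload", ""))


def negotiated_selectors(entries: List[Dict], gateway_id: str) -> List[Tuple[IPNet, IPNet]]:
    """Collect (local, remote) selector pairs from matching entries."""
    pairs = []
    for entry in entries:
        if not matches_filter(entry, gateway_id):
            continue
        match = SELECTOR_RE.search(entry["textPayload"])
        if match:
            pairs.append((ipaddress.ip_network(match.group(1)),
                          ipaddress.ip_network(match.group(2))))
    return pairs


def is_negotiated(entries: List[Dict], gateway_id: str, src: str, dst: str) -> bool:
    """True if src -> dst is covered by some negotiated selector pair,
    i.e. the tunnel will actually carry that traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote
               for local, remote in negotiated_selectors(entries, gateway_id))


if __name__ == "__main__":
    for dst in ("192.168.50.20", "192.168.60.20"):
        print(dst, "negotiated:", is_negotiated(SAMPLE_ENTRIES, "gw-example", "10.128.0.5", dst))
```

A destination that the log never shows inside a negotiated selector is exactly the case the answer describes: the tunnel is Established, but packets to that range are not selected into it, so they fall off the tunnel before they ever reach the peer.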

Connect to server behind

I have a newly installed MikroTik switch, and have successfully configured it for VPN traffic. However, behind the switch is a Linux server to which I am unable to connect via PuTTY. I can see the server and its IP address in Winbox->IP->DHCP Server->Leases, but as I say, I can't connect from within the VPN. I've made several attempts to add a rule to the firewall that would permit access and I've even gone so far as to uncheck the firewall router box in Quick Set, but no matter what I've tried, it always times out. To be clear, I'd like the server to be visible to all machines connected to the switch - both via ethernet and via pp2p.
I've been googling for hours, and I'm completely new to network engineering, so any help would be greatly appreciated.
I think the problem may be due to NAT and your VPN IP subnet. I have my VPN users in 192.168.4.0/24; the main subnet is 192.168.0.0/22. In Winbox go to IP>Firewall, then in the NAT tab make sure you have a masquerade action on your VPN subnet. I think the VPN Quick Set adds one, but if you're using different subnets it gets confused. See the image for what I have set for my VPN users to access servers and resources on the main network.

Prevent client from using internet via my RRAS VPN

I have a Windows Server 2016 running in Azure with RRAS VPN + NAT.
I use this RRAS VPN to be able to RDP to my other VMs in the virtual network.
However, when I connect my client (Windows 10) computer to the RRAS VPN, my internet will stop working on the client (because internet access is blocked on the RRAS VM).
How can I prevent the client from trying to use the internet that my RRAS VPN VM provides? I tried disabling the use-default-gateway checkbox, but then I can no longer connect to my other VMs in the virtual network.
Thanks!
According to this link it seems that when you disable the "use default gateway" checkbox, the default routes are not added to your machine. Specifically:
If "Use default gateway on remote network" is turned on, the VPN client on successful VPN tunnel connection adds the default route on the VPN interface with highest precedence. This way all the IP packets (except those destined to the local subnet) go to the VPN server. If this parameter is turned off, the default route is not added on the VPN tunnel. This scenario will require the user to add network-specific routes on the VPN interface – in order to reach the corpnet resources.
So, you are left with editing your routes manually to ensure that they work. You can do this pretty easily in windows by working with the route table. The following article gives the basics of how to set this.
Essentially you will want to run something like this:
route ADD <azure network> MASK <azure mask> <azure gw ip>
After you have done this, you should be able to use the internet (via your local configuration) and access your Azure servers (via the route you created above).
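Both the Docker answer earlier on this page and this split-tunnel answer come down to the client's route table: a host picks the most specific matching route (lowest metric on ties), so a destination on a directly attached subnet such as docker0 never enters the tunnel, and with "use default gateway" turned off only destinations covered by an explicitly added route go over the VPN. The following Python is an added example, not code from either answer; the interface names, route tables and addresses (Docker's default 172.17.0.0/16 aside) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One route-table entry (constructed for illustration)."""
    network: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None means directly attached
    metric: int = 0


def route_lookup(routes: List[Route], dst: str) -> Route:
    """Pick the route a host would use for dst: longest prefix wins,
    lowest metric breaks ties (the rule both Linux and Windows apply)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress_interface(routes: List[Route], dst: str) -> str:
    return route_lookup(routes, dst).iface


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Scenario 1: VPN server container on docker0, VPN client is the Docker host itself.
# 172.17.0.0/16 is Docker's default bridge range; 10.8.0.0/24 is an assumed tunnel range.
DOCKER_HOST_ROUTES = [
    Route(net("0.0.0.0/0"), "eth0", "192.168.1.1", metric=100),
    Route(net("172.17.0.0/16"), "docker0"),    # directly attached bridge
    Route(net("10.8.0.0/24"), "tun0"),         # pushed by the VPN server
]

# Scenario 2: Windows RRAS client with "Use default gateway on remote network" OFF
# plus the manual  route ADD <azure network> MASK <azure mask> <azure gw ip>
# (10.1.0.0/16 and 10.1.0.1 are assumed values for the Azure VNet and gateway).
SPLIT_TUNNEL_ROUTES = [
    Route(net("0.0.0.0/0"), "Wi-Fi", "192.168.1.1", metric=25),
    Route(net("192.168.1.0/24"), "Wi-Fi"),
    Route(net("10.1.0.0/16"), "RRAS VPN", "10.1.0.1"),
]

# Scenario 3: same client with the checkbox ON: a second default route on the
# tunnel with a better (lower) metric wins, so all non-local traffic hits the VPN server.
FULL_TUNNEL_ROUTES = SPLIT_TUNNEL_ROUTES + [
    Route(net("0.0.0.0/0"), "RRAS VPN", "10.1.0.1", metric=1),
]


if __name__ == "__main__":
    print("docker host -> server container 172.17.0.2:", egress_interface(DOCKER_HOST_ROUTES, "172.17.0.2"))
    print("split tunnel -> Azure VM 10.1.0.5:          ", egress_interface(SPLIT_TUNNEL_ROUTES, "10.1.0.5"))
    print("split tunnel -> internet 1.1.1.1:           ", egress_interface(SPLIT_TUNNEL_ROUTES, "1.1.1.1"))
    print("full tunnel  -> internet 1.1.1.1:           ", egress_interface(FULL_TUNNEL_ROUTES, "1.1.1.1"))
```

Scenario 1 shows why the Docker test never exercised the tunnel: the /16 on docker0 beats anything the VPN can push, so the fix is to run the client where that bridge route does not exist (a separate container or network namespace on its own network), leaving the tunnel as the only path to the server's subnet. Scenarios 2 and 3 show the two states of the RRAS checkbox, with the manual route being what keeps Azure reachable in the split-tunnel case.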

Starting with AZURE VPN. IPSEC as method and Cisco 2611 router (4.x vpn client)

I'm starting with Azure's VPN network.
I'm a little bit confused about site-to-site and point-to-point methods.
What I need to do is connect to a remote server that runs some SIP & H323 PBX server. The Cisco router is used as an FXO/FXS lines/phone gateway.
I mean this Cisco router is not used as a router, only as an H323 gateway; it is like a remote client connecting through a VPN and running a softphone.
So... client-to-client is the easy method... or is it site-to-site? (I don't have any other device or host in my router, so it is not a remote site, only one terminal.)
The thing with this router is the IOS version (12.2), which is a little bit older. It runs IPsec client 4.x. So will it work?
Testing first with an IPsec client on a PC is a good idea, I think.
Ideas & comments are welcome !!!
Best Regards!!
Frank
I am not familiar with the model (2611). In general though, if this box is really acting as an endpoint (client or server), you have two choices:
Connect from 2611 directly to the virtual machine (VIP) without using Azure VPN. Of course you will need to ensure the connection is secure.
Create an Azure VPN gateway and establish a S2S VPN tunnel between your network and the Azure virtual network hosting your VM. Azure uses standard IPsec/IKE VPN (for route-based VPN, you will need IKEv2, policy-based VPN uses IKEv1).
Either option should work. Point-to-site VPN will not work for you though. Point-to-site requires a Windows machine as a VPN client connecting to Azure.
Please let us know if you have any questions.
Thanks,
Yushun [MSFT]

Azure VMs Virtual Network inter-communication

I'm new to Azure (strike 1) and totally suck at networking (strike 2).
Nevertheless, I've got two VMs up and running in the same virtual network; one will act as a web server and the other will act as a SQL database server.
While I can see that their internal IP addresses are both in the same network, I'm unable to verify that the machines can communicate with each other and am sort of confused regarding the appropriate place to address this.
Microsoft's own documentation says
All virtual machines that you create in Windows Azure can automatically communicate using a private network channel with other virtual machines in the same cloud service or virtual network. However, you need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication.
So why can't the machines at least ping each other via internal IPs? Is it Windows Firewall getting in the way? I'm starting to wonder if I've chosen the wrong approach for a simple web server/database server setup. Please forgive my ignorance. Any help would be greatly appreciated.
If both the machines are in the same Virtual Network, then just turn off Windows Firewall and they will be able to ping each other. Other way is to just allow all incoming ICMP traffic in Windows Firewall with Advanced Settings.
However, there is a trick. Both machines will see each other by IP address, but there will be no name resolution in such a Virtual Network. Meaning that you won't be able to ping by name, only by direct IP address. So, if you want your website (on VM1) to connect to SQL Server (on VM2), you have to address it by full IP address, not machine name.
The only way to get name resolution within a Virtual Network is to use a dedicated DNS server, which you maintain and configure on-premises.
This article describes in detail the name resolution scenarios in Windows Azure. Your particular case is this:
Name resolution between virtual machines and role instances located in the same virtual network, but different cloud services
You could potentially achieve name resolution if you put your VMs in the same cloud service. Thus you will not even require a dedicated virtual network.
If your VMs are inside a Virtual Network in Azure, then you have to make sure of two things:
The required port is enabled.
The firewall is disabled on the server.
I was trying to connect to one VM where a SQL Server DB was installed, from another VM. I had to enable port 1433 in the VM where SQL was installed. For this you need to add an MSSQL endpoint to the VM on the Azure management portal. After that I disabled Windows Firewall. Then I was able to connect to the VM from the other.