
#1 2009-04-19 20:15:20

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,001

Routing insecure traffic through a trusted connection

Hi all.
I like to route some specific traffic through my home connection, because I don't trust some other networks where I am (public networks, work, ...). I'm talking about mail accounts that do not support ssl, and some sensitive http traffic where no https is available (I have 2 firefox profiles, one with and one without proxying).
Right now I have something like this:

# remote
alias tunnel_http='ssh -fND localhost:12345                dieter@foodns.com'
alias tunnel_imap='ssh -fN -L 1143:mail.priorweb.be:143    dieter@foodns.com'
alias tunnel_smtp='ssh -fN -L 1025:mail.priorweb.be:25     dieter@foodns.com'
alias tunnel_imap2='ssh -fN -L 1144:192.168.1.2:143        dieter@foodns.com'

# home
alias tunnel_http_local='ssh -fND localhost:12345              localhost'
alias tunnel_imap_local='ssh -fN -L 1143:mail.priorweb.be:143  localhost'
alias tunnel_smtp_local='ssh -fN -L 1025:mail.priorweb.be:25   localhost'

So when I'm on a remote site, I connect to foodns.com (my home), I open a socks proxy on 12345, and for the applications that don't support socks I make tunnels (I could use tsocks for that too).
Since this way I need to configure some apps (eg browser) to use the socks proxy, and the apps that don't support it to connect to localhost:someport, I have to make similar tunnels when I'm home. They don't serve much purpose, other than avoiding the need to reconfigure my applications.
Note that the aliases are essentially the same except for the target host for ssh.

The problems with my approach:
1) Depending on my location, I need to use a different target host. I'm not aware of any clean way to use the same target hostname for every location I might be in.
2) I have multiple ssh connections open, which is less efficient. I could just use 1 socks connection and use tsocks, but then there is the (very little, I have to admit) overhead of using tsocks. But tsocks is also configured globally; I would like to keep all my fancy tricks inside my home directory.


Actually I was just wondering if using something like openvpn would be more suited for "portable, all-round and fine-grained (eg this mail account yes, the other one not)" rerouting. Because then I could always connect to my box at home on a local address (eg 192.168.1.2) no matter where from. But I think on some networks I may run into IP range conflicts.

Anyone have tips?
Thanks

Last edited by Dieter@be (2009-04-19 20:30:15)


< Daenyth> and he works prolifically
4 8 15 16 23 42
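Added example (not code from the thread): one ssh session that carries the SOCKS proxy and all the port forwards from the aliases above, which addresses both problems in the post at once: the target host is picked from the local routing table, so the same script works at home and on the road, and only one connection is opened. Assumptions: the home router is 192.168.1.1, and `ip route` is available; hosts and ports are the ones posted.

```shell
#!/bin/sh
# Added example, not from the thread.  Replaces the separate aliases with a
# single ssh session (-fN: background, no remote command) that carries the
# SOCKS proxy plus every local forward, and chooses the ssh target by
# looking at the default gateway.  Assumption: home router is 192.168.1.1.

HOME_GW="192.168.1.1"              # assumed home router address
REMOTE_TARGET="dieter@foodns.com"  # from the thread
LOCAL_TARGET="localhost"

# Forwards exactly as in the aliases: one -D and three -L on one connection.
FORWARDS="-D localhost:12345 \
 -L 1143:mail.priorweb.be:143 \
 -L 1025:mail.priorweb.be:25 \
 -L 1144:192.168.1.2:143"

# pick_target ROUTE_OUTPUT: prints the ssh target for the current location.
# Takes the text of `ip route` as an argument so it can be tested offline.
# The trailing space in the pattern keeps 192.168.1.1 from matching 192.168.1.10.
pick_target() {
    case "$1" in
        *"default via $HOME_GW "*) printf '%s\n' "$LOCAL_TARGET" ;;
        *)                          printf '%s\n' "$REMOTE_TARGET" ;;
    esac
}

# tunnel_cmd TARGET: prints the single ssh command line that replaces the
# four separate tunnels, so the apps keep pointing at the same local ports.
tunnel_cmd() {
    printf 'ssh -fN %s %s\n' "$FORWARDS" "$1"
}

# Only open the tunnel for real when invoked as:  ./tunnel.sh up
if [ "$1" = "up" ]; then
    target=$(pick_target "$(ip route 2>/dev/null)")
    eval "$(tunnel_cmd "$target")"
fi
```

The 1144 forward to 192.168.1.2 is harmless at home too, since ssh to localhost simply connects to the LAN address directly.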


#2 2009-04-19 22:51:10

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Routing insecure traffic through a trusted connection

Dieter@be wrote:

Actually I was just wondering if using something like openvpn would be more suited for "portable, all-round and fine-grained (eg this mail account yes, the other one not)" rerouting. Because then I could always connect to my box at home on a local address (eg 192.168.1.2) no matter where from. But I think on some networks I may run into IP range conflicts.

That would be a better solution -- then you don't have to configure the apps to do any tunnelling, just route everything down the VPN tunnel.

As for IP range conflicts, if you change your range at home to something OTHER than 192.168.[0-10].x then you should be fine in most cases. I use 192.168.62.0/27 (LAN) and 192.168.244.0/29 (DMZ) and have never had a conflict. If you do ever have a conflict using address space like this, then I'd have to say you're just having a bad day.


#3 2009-04-20 20:18:18

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,001

Re: Routing insecure traffic through a trusted connection

fukawi2 wrote:
Dieter@be wrote:

Actually I was just wondering if using something like openvpn would be more suited for "portable, all-round and fine-grained (eg this mail account yes, the other one not)" rerouting. Because then I could always connect to my box at home on a local address (eg 192.168.1.2) no matter where from. But I think on some networks I may run into IP range conflicts.

That would be a better solution -- then you don't have to configure the apps to do any tunnelling, just route everything down the VPN tunnel.

So how would I do selective routing? (One email account rerouted, another one not; same for http traffic.) I don't mind making an extra firefox profile for proxying or adding specific settings per-account in my mail client. But how would that work with openvpn?



#4 2009-04-20 22:50:34

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Routing insecure traffic through a trusted connection

Dieter@be wrote:

So how would I do selective routing? (One email account rerouted, another one not; same for http traffic.) I don't mind making an extra firefox profile for proxying or adding specific settings per-account in my mail client. But how would that work with openvpn?

You would have to add a static route for each host you want to access AFAIK. Something like:

route add -host x.x.x.x gw y.y.y.y

Replace x.x.x.x with the IP address of your mail server, and y.y.y.y with the remote IP address of the OpenVPN /30 tunnel (the address next to "P-t-P" in the output of `ifconfig tun0`).
