Webserver behind VPN client

[OmegaHack]

I just want someone to work through this with me to make sure I'm not going to be wasting my time implementing it.

I currently run a Linux server running ddclient for a DDNS service (afraid.org) among other services, and does not currently have a VPN client.

I am planning on installing a VPN client which would cause ddclient to stop reporting the correct IP to the DDNS. So I was going to run a virtual machine on eth1 (non-VPN) running ddclient and have the full server running on eth0 (VPN). That way ddclient is reporting the correct wan IP for my connection, then port forwarding to the local IP should allow the domain to see the web services/ssh/etc remotely while keeping other network traffic protected by the VPN... or at least that's what I am imagining.

Can anyone tell me if I over-thought this or if this will actually work?

Thanks!

[+BudMan MVC]

port forwarding to what IP, the VMs IP?

If I hit you from say 24.13.a.b to your publicIP.nonvpn to be forwarded to your webserver. When your webserver answers back if default route to internet is through vpn -- it will go back through the vpn to answer me on 24.13.a.b

I don't think my box would like the connection coming from a different IP, etc.

Now if webservices/ssh going to run on the vm your fine - and you don't even need a second nic for that. Just bridge the VM to your 1 physical nic on the server so it gets an IP in your private network.

[OmegaHack]

Port forwarding to the VPN protected IP.

The reason I'm doing this is there are some applications that need to be run behind the VPN but I need to be able to access them remotely. Is there another way of doing that?

This is a full fledged enterprise rackmount server, so it has the two nics built in already. I was going to trunk them for redundancy but if I have to run them independent to get this working that's okay.

I see what you're saying about the different IP responding. Didn't really think of it that way... There has to be a way to do this though.

[+PeterUK MVC]

The bit I'm confused with is a VPN client on the same server as (afraid.org)? Do you not mean install a VPN server on the same server as (afraid.org)?

Do you want (afraid.org) on the WWW for everyone or only accessed by VPN? If only by VPN then DDNS will only help you get to the VPN WAN IP not (afraid.org) and so VPN DNS server will have to point you to (afraid.org) by VPN LAN IP.

[OmegaHack]

afraid.org is the DDNS provider. I want specific ports available to web access instead of being behind the VPN client. However the other traffic those applications create need to be behind the VPN.

[+PeterUK MVC]

afraid.org is the DDNS provider. I want specific ports available to web access instead of being behind the VPN client. However the other traffic those applications create need to be behind the VPN.

So you do want (afraid.org) on the WWW for everyone and connect to this server by VPN for other things? In which case you need a VPN server (not client) setup on (afraid.org) and this will not affect DDNS in pointing to (afraid.org) by WAN IP.

[Nas]

@PeterUK, I think he just wants to know if he can segment his 2 NICs so that some traffic (vpn) is bound/routed via NIC #1 and all other traffic (non-vpn) is bound/routed via NIC #2.

@OmegaHack, it sounds like you're talking about proxying 2-way VPN traffic thru NIC #1 while allowing non-VPN traffic thru NIC #2 undisturbed. If that's the case, then it shouldn't be a problem -- provided that all client/server services are explicitly bound to the appropriate ethX device.

(For reference, this bifurcation is very typical for managed environments since the secondary Ethernet device can either serve a different VLAN or even upstream provider [think back-up/spare network bandwidth].)

Edit: bold-faced "proxying" since the OP wants more to proxy than to necessarily port-forward

[OmegaHack]

@PeterUK I don't think you understand. freedns.afraid.org is the service I have my dynamic DNS through, ddclient is the application that gives my WAN IP to freedns.afraid.org so that a domain that I have points to my WAN IP. I am trying to set up a VPN client on here to protect the data that is sent/received by the applications running on the server. I need to be able to access certain ports on that server for those applications though. If I run ddclient on the primary server it will report the wrong (anonymous) IP address to freedns.afraid.org hence the VM to run ddclient on it's own ethernet device (I suppose I could just use a virtual switch though). So now the correct IP is being reported to the DDNS provider but will port forwarding on the router to the primary server allow me to access those specific ports/applications remotely. That is the question.

@NAS I am trying to leave the traffic on the VM undisturbed but also need to access certain ports on the primary system remotely.

[+PeterUK MVC]

If its the other way round as in (afraid.org) wants to connect to another VPN end point then you only need to disable for the VPN client do not use the remote gateway which will give you a LAN access to the other end without it affecting DDNS because you disabled the the VPN use the remote gateway option.

[OmegaHack]

Maybe I'm not explaining the situation correctly.

@NAS It sounds like a proxy server may be the solution. I'll have to look into it some more. Thanks.

[+PeterUK MVC]

Are you VPN out of freedns.afraid.org to some where?

or

Are you VPN in to freedns.afraid.org from some where?

[OmegaHack]

Neither.

[+PeterUK MVC]

Neither.

Whats the point in saying VPN if thats not what you need?