Ideally, I like to run one vpn. I have OpenVPN/PiVPN working just fine.
On the PiVPN server, I'd like to run a VPN client to my work office.
It's difficult to get Cisco VPN client and Tunnelblick clients running side-by-side on the same machine, ie my local dev machine, without a seeming hack(see below).
I have it working locally.
- Cisco AnyConnect Client connect to work VPN. Only specific resources are made available. All other traffic is routed as normal.
- Tunnelblick will connect my personal vpn (PiVPN) routing all other traffic.
- With an entry in
/etc/hosts
, ie an entry like123.45.67.89 work-resource.my-company.com
I'm able to access URL's that are for work only. - Without the
/etc/hosts
entry, the work resource URL's do not resolve. this seems like a hack. :( - Maybe this is a DNS or IP mask issue that can be handled through a local OpenVPN config? TBD.
A few notes about what is working for PiVPN:
- OpenConnect connects to my work VPN when logged into the VPN server via ssh. Successfully able to route traffic to my work VPN if I am logged into the server as a user.
- When connected through the VPN, this will NOT route work specific URL's though PiVPN and then through the OpenConnect Client
- WIP/TODO need to figure out how to route select PiVPN traffic throught a local PiVPN server OpenConnect client connection.
- after openconnect install, this works for connection. I did not have any issues getting this to work.
sudo openconnect https://vpn.my-company.com
- I installed the OpenVPN app, Version 3.1.0 (890), on my OS X dev machine as a replacement for Tunnelblick. The OpenVPN app works MUCH better.
- Regardless of app I use to connect to my PiVPN, I first need to connect to my work VPN using the Cisco AnyConnect app and then launch the OpenVPN PiVPN client.
- I still need the dns entry in
/etc/hosts
for my work resource as mentioned above. - I'm now using
openconnect
instead of Cisco AnyConnect to connect to my work vpn. Install withbrew install openconnect
. Run withsudo openconnect https://vpn.my-office.com
. Enter username and password. ez pz. - UPDATE/TODO: find
openconnect
settings that allow okta/totp link
When on my local network, without running a OpenVPN client on my local machine, I still want to have Pi-Hole handle the the DNS resolution. I followed a few of the instructions online, but mostly this one from Marc Stan. The key to getting DNS resolution to work locally with DHCP, was adding the eth0
entry to the the config file. The /etc/dnsmasq.d/02-ovpn.conf
file looks like this:
interface=eth0
interface=tun0
This change allows Pi-hole to listen to both the tunnel connection and the traffic coming into the Pi-Hole DNS from the local network.
Note this Pi-Hole Admin Console DNS setting:
I'm running dd-wrt
on my router.
Third Update
Sometimes networks block 1194/UDP. Running on 443/TCP might be a way around this.
documented elsewhere
Please note, I initially used the recommened udp
protocol and port 1194
when setting up PiVPN. I also made modifiations to my conf files to get PiVPN and PiHole to play nice together for both the VPN connections and local network traffic.
My router handles all port forwarding. (another topic and documented elsewhere.)
Duplicate the current server.conf
file. We'll edit the new version below.
The only lines I need to update were the following:
dev tun_tcp
proto tcp
port 1194
server 10.9.0.0 255.255.255.0
Keep the rest of the conf file the same.
I'm running pi-hole to resolve dns queries for both vpn and internal network traffic. The dnsmasq
file looks like this:
interface=eth0
interface=tun0
interface=tun_tcp
I needed to add one line, -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
Generated by iptables-save v1.4.21 on Thu Dec 29 19:17:57 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:184]
:POSTROUTING ACCEPT [1:184]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT
This is the easiest way to restart the services, but there are quicker ways to restart services for dnasmasq
, iptables
, and openvpn
. The Raspberry Pi restarts so fast, whatev's. :)
I left a comment here. good info on running
openconnect
. though it's not as difficult as it once was to install. 😄