[NTLUG:Discuss] pass all packets between two nics
Jack Snodgrass
jack+ntlug at mylinuxguy.net
Thu Jun 5 12:10:28 CDT 2003
On Thu, 05 Jun 2003 08:17:58 -0500, Kenneth Loafman wrote:
> Jack Snodgrass wrote:
>> On Wed, 04 Jun 2003 22:38:11 -0500, severia wrote:
>>
>>>>So... you make a VPN connection from your home to work and get a
>>>>172.16.14.x address assigned to your home machine. You have a
>>>>secure, encrypted tunnel set up.
>>>
> One question about the above scenario. When I worked at Sabre and used
> VPN to access their local network, all internet connections went via
> VPN, including browsing, ftp, and so on. So when you went to some site
> and forgot about your VPN connection, the work systems were still
> logging your activity. That's not good for separating your work and
> private lives.
>
> Is that problem still in VPN connections, or was there something we
> needed to unset to get the system to not use VPN for everything?
>
> It would be handy to use VPN (ssh is somewhat limited), but not at the
> cost of user privacy when at home.
>
> ...Ken
There is something called a 'default route' with TCP/IP. It's the
0.0.0.0 netmask 0.0.0.0 route. Any addresses that are not
specifically listed in your route table to go via a specific ip
address will go over your default route.
i.e.
Destination     Gateway         Genmask         Flags Iface
192.168.0.0     10.3.0.1        255.255.255.0   UG    vpn1
0.0.0.0         209.225.8.1     0.0.0.0         UG    eth0
say anything that doesn't go to 192.168.0.0 - 192.168.255.255
goes via 209.225.8.1 ( eth0 - isp ). Anything for
192.168.0.0 - 192.168.255.255 goes via the vpn1 ( 10.3.0.1 )
gateway.
some VPN setup scripts might try and do:
Destination     Gateway         Genmask         Flags Iface
0.0.0.0         10.3.0.1        0.0.0.0         UG    vpn1
209.225.8.0     209.225.8.1     255.255.255.0   UG    eth0
so that everything but 209.225.8.0-209.225.8.255 goes
via your VPN. This is what you were talking about.
If you know the route commands for your OS, you can
manually set ( or do your own script ) that will
change the default route so that it goes via your ISP
and only work related stuff goes via the VPN. It's not
something that your local MIS people want to have to
explain to everyone, so they take the default... let
it go via the VPN and not worry about setting up
work routes only for the VPN stuff.
When I worked at Compaq, I had 45 different subnets that
went via the Compaq VPN. It was complex... but it let
me do my own private surfing even when I had the VPN
active.
jack
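As an added example (not code from the original post), the routing decision Jack describes, worked out in Python: a longest-prefix-match lookup over the two route tables from the post, and a helper that emits the iproute2 commands for turning a full-tunnel table into a split-tunnel one. The gateways and interfaces (10.3.0.1/vpn1, 209.225.8.1/eth0) are taken from the post; the list of "work" subnets fed to the helper is constructed for the demo.

```python
# Added example, not from the original post: longest-prefix-match route lookup
# reproducing the two tables in the post, plus a helper that emits iproute2
# commands for a split-tunnel setup.  Gateways and interfaces (10.3.0.1/vpn1,
# 209.225.8.1/eth0) come from the post; the work subnets in the demo are made up.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]  # (destination, gateway, iface)


def make_route(dest: str, genmask: str, gateway: str, iface: str) -> Route:
    """Build a route from the Destination/Genmask columns of `route -n` output."""
    return (ipaddress.IPv4Network(f"{dest}/{genmask}"), gateway, iface)


def lookup(table: List[Route], dest: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the most specific route containing `dest` wins.
    The default route (0.0.0.0/0) has prefix length 0, so it is chosen only
    when nothing more specific matches, which is the behaviour the post describes."""
    addr = ipaddress.IPv4Address(dest)
    best: Optional[Route] = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


# Table 1 from the post: only the work subnet goes over the VPN, everything
# else takes the ISP default route.
SPLIT_TUNNEL = [
    make_route("192.168.0.0", "255.255.255.0", "10.3.0.1", "vpn1"),
    make_route("0.0.0.0", "0.0.0.0", "209.225.8.1", "eth0"),
]

# Table 2 from the post: the "everything via VPN" setup.  Only the ISP's own
# /24 stays on eth0 (the tunnel's outer packets still need to reach the VPN
# server); the default route now points into the tunnel.
FULL_TUNNEL = [
    make_route("0.0.0.0", "0.0.0.0", "10.3.0.1", "vpn1"),
    make_route("209.225.8.0", "255.255.255.0", "209.225.8.1", "eth0"),
]


def split_tunnel_commands(work_subnets: List[str], vpn_gw: str, vpn_iface: str,
                          isp_gw: str, isp_iface: str) -> List[str]:
    """Emit the iproute2 commands that turn a full-tunnel table into a split
    one: put the default route back on the ISP link and add one specific route
    per work subnet through the VPN.  Returned as strings so they can be
    reviewed before being run as root."""
    cmds = [f"ip route replace default via {isp_gw} dev {isp_iface}"]
    for subnet in work_subnets:
        # strict=True rejects a prefix with host bits set (e.g. 10.1.2.3/8)
        net = ipaddress.IPv4Network(subnet, strict=True)
        cmds.append(f"ip route replace {net} via {vpn_gw} dev {vpn_iface}")
    return cmds


if __name__ == "__main__":
    for dest in ("192.168.0.10", "8.8.8.8", "209.225.8.77"):
        print(dest, "split ->", lookup(SPLIT_TUNNEL, dest),
              "full ->", lookup(FULL_TUNNEL, dest))
    # Constructed list of work subnets; the real ones come from your MIS people.
    for cmd in split_tunnel_commands(["192.168.0.0/24", "172.16.14.0/24"],
                                     "10.3.0.1", "vpn1", "209.225.8.1", "eth0"):
        print(cmd)
```

With the split table, 8.8.8.8 resolves to the eth0 default route and only 192.168.0.x goes into vpn1; with the full-tunnel table the same 8.8.8.8 resolves to vpn1, which is exactly why work sees your private browsing. The helper only prints commands; whether your VPN client lets you keep them (some re-add their own default route on reconnect) is something to verify with `route -n` or `ip route` after the tunnel comes up.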