[clug-talk] VPN name resolution question

Wendell Nichols wcn00 at shaw.ca
Wed Apr 8 07:12:40 PDT 2009


I have this exact problem.  I use several machines in my home network to 
do my job (primarily down the vpn) but my family also have computers and 
do "their" thing.  It would be silly to use name servers thousands of 
miles away for them, and those dns servers wouldn't even resolve 
important names like our local ISP's POP server.  So here's what I do:
-set up a linux box to be my firewall.
-run the vpn client on the firewall such that all machines in my home 
network can route through it.
-set up a forwarding dns server on the firewall such that requests for 
my work domain are satisfied by servers down the vpn tunnel; queries for 
the WWW use my ISP's servers, and my local addresses are served by the 
dns server on the firewall.
-set up a dhcp server on the linux firewall such that local machines are 
dynamically registered in dns.

This works great and if people are really interested I can share my 
config files.
Things I haven't done (cause I'm lazy):
-set up two pools of dhcp addresses such that only my "work" machines 
get addresses from a designated subnet.
-set up routing tables so that only machines from my "work" subnet are 
routable down the tunnel.
That would protect my employer's network from all the trojans and 
viruses that my kids bring home on their windoze boxes.

There are several great firewall dists for Linux but I just use fc9 with 
shorewall for now.  My logs show that for 18 hrs of most days someone is 
trying to get in and no one ever has...

wcn

Shawn wrote:
> Royce's question regarding name resolution triggered a neuron for me...
>
> When I establish a VPN connection to a remote network, I need name 
> resolution to work for servers there.  At the moment the only way to 
> do this seems to be to change my /etc/resolv.conf file to use their 
> nameserver.  But that means that all name requests are now going 
> through their network - even for things that have nothing to do with 
> their network.
>
> I have set up a script to establish the VPN connection, backup my 
> resolv.conf file and replace it with one that has the remote name 
> server.  But there's probably a better way.
>
> Any tips?
>
> Shawn
>
> _______________________________________________
> clug-talk mailing list
> clug-talk at clug.ca
> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
> **Please remove these lines when replying
>
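
One concrete form of the split DNS plus DHCP setup Wendell describes, as an added example and not his own config files: a dnsmasq configuration for the Linux firewall. The interface name, addresses and domain names are assumptions chosen for illustration, not values from the thread.

```conf
# Added example (not the poster's config): dnsmasq on the home firewall.
# Assumptions (placeholders, not from the post): LAN 192.168.1.0/24 on eth1
# with the firewall at 192.168.1.1; home domain home.lan; employer's domain
# corp.example with DNS servers 10.10.0.53/10.10.0.54 reachable only through
# the VPN tunnel; ISP resolvers 203.0.113.53 and 203.0.113.54.

# Answer queries only on the home LAN, never on the ISP-facing interface.
interface=eth1
bind-interfaces

# Ignore /etc/resolv.conf (the VPN client may rewrite it); upstream
# servers are listed explicitly below instead.
no-resolv

# Work domain: only these names are forwarded down the tunnel.
server=/corp.example/10.10.0.53
server=/corp.example/10.10.0.54
# Reverse lookups for the work address space (10.10.0.0/16) go there too.
server=/10.10.in-addr.arpa/10.10.0.53

# Everything else (the WWW) goes to the ISP's resolvers, which also know
# ISP-local names such as the POP server.
server=203.0.113.53
server=203.0.113.54

# Home domain: answered locally from /etc/hosts and DHCP leases, never
# forwarded. bogus-priv stops reverse lookups for RFC 1918 addresses from
# leaking upstream; domain-needed does the same for bare, dotless names.
local=/home.lan/
domain=home.lan
expand-hosts
bogus-priv
domain-needed

# DHCP for the home LAN. Each lease registers the client's hostname in
# DNS, so "laptop.home.lan" resolves as soon as the laptop gets a lease.
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.1
dhcp-authoritative
```

With this in place the clients keep 192.168.1.1 as their only resolver, so nothing outside corp.example is ever sent across the tunnel, which is the leak Shawn's resolv.conf swap causes.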


