Help in designing my perfect network environment

Hey guys.

I want to communicate via SSH and VNC (is there a better alternative?) with 3 Ubuntu machines running behind an OpenWrt router. The router itself is in a LAN that can be accessed from WAN with a VPN.

I am a total noob; in my head it would be best to set up a VPN server on the OpenWrt router -> LAN1,
and to connect, first use the VPN from WAN to LAN2 and then the VPN to LAN1 over the OpenWrt.

To be honest, this is my first time trying something like that, and I am fighting with all the new stuff in the Linux world (switched from Windows 5 days ago, and flashed my Xiaomi router).
Thanks for your help!

Do I need to open any ports?
I have no access to the hardware of the WAN->LAN2 VPN, so I can't change any settings there.

I assume you aren't able to use IPv6.

What client do you use? On Android for example you wouldn't be able to set that up. Otherwise it may be a solution.

If you think LAN2 is secure, then you could also set up a tunnel without encryption to OpenWrt using, for example, GRE or VXLAN over the existing VPN.

Without using a tunnel, encrypted or unencrypted, you would have to forward ports in OpenWrt.

If you can connect to LAN2 via VPN, then you only need to enable the proper routing to access the Ubuntu servers that reside in LAN1.

Right, currently does the OpenWrt router masquerade LAN1? And is IPv6 on the table?

If LAN2 is a private IPv4 LAN that is untrusted, then I think your best bet is a VPN server on the internet that OpenWrt connects to, and that server routes internet clients to LAN1.

OK, then forward, for example, Ubuntu 1 (SSH on port 33), Ubuntu 2 (SSH on port 34) and so on?

LAN2 is NOT trusted!

I have no idea how to find that IPv6 thing out. Any advice? :smiley:

I use an Ubuntu laptop as a client.

Thanks, guys, for helping me out.

This is port forwarding. You need to do that in case there is NAT on OpenWrt.

Use SSH and you don't have to care about that.

OK :smiley:
Now to sum it up:

  1. install ssh on all machines in LAN1:
    192.168.11 port 22
    192.168.12 port 22
    192.168.13 port 22
  2. configure openwrt to forward
    externalip(lan2) port 22 -> 192.168.11 port 22
    externalip(lan2) port 23 -> 192.168.12 port 22
    externalip(lan2) port 24 -> 192.168.13 port 22

Do I need to open the firewall somehow?
To connect, I connect to the VPN to LAN2 first, then connect via SSH to externalip(lan2) port 22 and get forwarded to 192.168.11 port 22. BOOM :sunny:

Maybe do the same for the VNC ports.
Is there a good open source alternative to VNC? What are you guys using? :slight_smile:

There are plenty of Free Software VNC servers and clients. GNOME, which the default Ubuntu user interface is built on, has a VNC server built in; go to Settings > Sharing > Screen Sharing.

For clients, I think Vinagre is the default for GNOME.

Yes, in your example config, for the router itself, you need to accept INPUT on WAN for ports 22, 23, 24 and whatever ports you forward for VNC. (Note: VNC by itself doesn't encrypt its traffic, so you're really best off tunnelling the VNC over the SSH connection, which Vinagre can set up for you in its connect dialog: "use ..... as an SSH tunnel" or some such thing.) In that case, you only forward the SSH ports.

BTW: I would recommend using different ports for all of these; try 1322, 1323, 1324. This way you're not interfering with SSH itself on the router.
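As an added example (not code from any post in this thread and not from the OpenWrt project), here is a small POSIX sh script that prints the OpenWrt `uci` commands for the plan the last two replies settle on: forward only the SSH ports 1322, 1323 and 1324 to the three LAN1 hosts, forward nothing for VNC, and carry VNC inside an SSH tunnel from the laptop instead. The host addresses 192.168.1.11 to .13, the zone names `wan` and `lan`, the router's LAN2-side address 203.0.113.10 and the user name `alice` are placeholders chosen here; the thread does not give them.

```shell
#!/bin/sh
# Added example for this thread, not taken from any post in it or from OpenWrt
# itself. It prints the OpenWrt uci commands for: forward only SSH (1322-1324)
# to the three LAN1 hosts, never VNC, and reach VNC through an SSH tunnel.
# Assumptions (placeholders chosen here, not stated in the thread):
#   - LAN1 hosts are 192.168.1.11, .12, .13 with sshd on port 22
#   - OpenWrt's upstream zone (facing LAN2) is "wan", the LAN1 zone is "lan"
#   - the router's LAN2-side address is 203.0.113.10 (documentation range)

# Emit the uci commands for one DNAT redirect: tcp/$2 on the wan zone -> $3:22.
# A firewall "redirect" section is how OpenWrt expresses a port forward.
ssh_forward() {
    name=$1
    ext_port=$2
    dest_ip=$3
    printf 'uci add firewall redirect\n'
    printf "uci set firewall.@redirect[-1].name='%s'\n" "$name"
    printf "uci set firewall.@redirect[-1].src='wan'\n"
    printf "uci set firewall.@redirect[-1].src_dport='%s'\n" "$ext_port"
    printf "uci set firewall.@redirect[-1].dest='lan'\n"
    printf "uci set firewall.@redirect[-1].dest_ip='%s'\n" "$dest_ip"
    printf "uci set firewall.@redirect[-1].dest_port='22'\n"
    printf "uci set firewall.@redirect[-1].proto='tcp'\n"
    printf "uci set firewall.@redirect[-1].target='DNAT'\n"
}

# All three forwards, one per host, then commit and reload so they take effect.
forwarding_plan() {
    ssh_forward ubuntu1 1322 192.168.1.11
    ssh_forward ubuntu2 1323 192.168.1.12
    ssh_forward ubuntu3 1324 192.168.1.13
    printf 'uci commit firewall\n'
    printf '/etc/init.d/firewall reload\n'
}

# Client side: the ssh command that carries VNC inside the SSH session.
# $1 = forwarded SSH port, $2 = router's LAN2-side IP, $3 = user on the host.
# Local port 5901 is bound to the Ubuntu host's own 127.0.0.1:5900 (GNOME
# screen sharing), so the VNC port never has to be reachable from LAN2.
vnc_tunnel_cmd() {
    printf 'ssh -N -L 5901:127.0.0.1:5900 -p %s %s@%s' "$1" "$3" "$2"
}

# Sanity check on the plan: how many ports are exposed towards LAN2?
# Expected: exactly one per host, all of them SSH, none of them VNC.
exposed_port_count() {
    forwarding_plan | grep -c "src_dport="
}

forwarding_plan
printf '\n# on the laptop, once the VPN into LAN2 is up:\n'
vnc_tunnel_cmd 1322 203.0.113.10 alice
printf '\nvncviewer 127.0.0.1:5901\n'
```

Run the printed `uci` lines on the router over its own SSH session, then start the tunnel command on the laptop and point the VNC client at `127.0.0.1:5901`; the VNC traffic then only ever exists on the Ubuntu host's loopback and inside the SSH session, which is why the VNC ports need no forward of their own.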

Uh, very good to know! Thanks :slight_smile: Any disadvantages to "use SSH as a tunnel"?
That sounds too good to be true :smiley:

Thanks, I will set that up tomorrow!
So good to learn something new every day; thanks for sharing your knowledge.

Not really.