[ale] multiple vpn's at the same time?
Michael H. Warfield
mhw at WittsEnd.com
Wed Oct 10 10:21:47 EDT 2012
On Wed, 2012-10-10 at 09:40 -0400, Michael Campbell wrote:
> All,
> I'm pretty network-challenged, but I wondered if it was possible to
> run 2 VPNs at the same time from on an Ubuntu based box (Mint,
> actually).
Well, it's a very VERY big "it depends" especially if you are "network
challenged" because it can be very challenging with a number of
pitfalls.
First and foremost, it depends on the types of VPNs. Because of design
limitations in NetworkManager, you can only run one VPN at a time from
NM aka NetworkMangler.
If you are trying to use two different types of VPN, say OpenVPN and
Openswan (IPsec), this should be readily doable as they don't generally
conflicted, subject to proviso's below. Same thing with Openconnect
(Cisco ASA DTLS based VPN). OTOH, you can NOT run a vpnc (Cisco ASA
IPsec based VPN) in NM and run Openswan in the base operating system
because they actually are the same, IPsec, onlying using different
processes which then conflict over the IKE port (500/udp) and protocol
handlers. Other SSL based VPN's should be no problem as well.
Multiple OpenVPN based vpn's should be no problem at all since you can
set them up on different UDP ports. Multiple Openswan vpns are no
problem since IPsec is a policy based vpn using an IKE keying daemon
(pluto) in common managing all the sessions.
I commonly do all of the above and run multiple vpns of both differing
and same types on my servers without conflict.
All that being said, you can still run into problems.
If two vpns what to "own" /etc/resolv.conf and update it for their
resources, you can rapidly deteriorate into an indeterminate food-fight
over the settings in that file. Anyconnect, Openconnect, vpnc, Openvpn,
and others are all capable of that. It can cause your dns lookups to
break badly.
You can also run into conflicts with policy and routing if the two vpns
disagree with each other. This is especially true when you're combining
a policy based vpn such as any sort of IPsec (Openswan, StrongSWAN,
vpnc) with a route based vpn (Anyconnect, Openconnect, Openvpn). These
can be very difficult to diagnose, especially when a route breaks a
policy or a policy conflicts with a route. If either or both are trying
to set up default routing you can get into trouble rapidly and something
going to break.
So yes you can do it. Keep it very very simple and it can be easy. If
you're not careful, it can be very difficult to get to work and
difficult to understand when it breaks.
> I already run one through the network manager, but I want to run
> another (to work boxes in europe), and be able to use that as a proxy
> server so I don't have to keep going in and out of the VPN on my
> normal work machine (a windows box).
> So what I want to do is set up another VPN on my home Linux box, then
> on my windows box, point my work domains (in /etc/hosts) to the Ubuntu
> box which is VPN'd to europe, so URLs I hit on my windows box go
> through my Linux box, through the VPN to europe.
> But, as I said, I'm already using another VPN on the Linux box for
> another reason.
You haven't specified what types of VPNs you are talking about.
> Is this even possible?
Possible yes. But impossible to say for certain in your case.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20121010/29b4b644/attachment-0001.bin
More information about the Ale
mailing list