[ale] Virtual networks

DJ-Pfulio DJPfulio at jdpfu.com
Tue May 12 13:22:36 EDT 2015


You don't need any VLANs at all.

I've never had luck using the auto-generated bridges from libvirt - I always
manually create them.
Different distros do this differently - which distro are you on?

VLANs are just tagging - nothing to do with security. Think of it as a "this
way" sign when there is a fork in a road.  Good, honest people will go the
suggested way, then there are the rest of us with time to "explore" down the
other way.

OpenVPN is extremely flexible - that is a plus and a minus. Perhaps if you
described the environment for it, someone smarter than me could help?  Things
like how many clients, which mix of OSes, do you need samba to work across it
(ugly and abusive to the network), how cleanly are the LAN devices to be
provided with access grouped?  For example, I group servers that other people
need access over VPN together so only 1 rule is needed for those.  As an admin,
I wanted access to the entire subnet and a few other networks.  Some people
needed access to their desktops + a few servers ... you get the idea.

Manually dealing with the certs sucks.  Of course, you can pay the openvpn guys
to make it easier.

In this case, flexibility = complexity.

Generally, I use ssh for remote access. It is 100x easier, provided the clients
you need/want to use support it easily. |)


On 05/12/2015 12:39 PM, Dustin Strickland wrote:
> Thanks for the link, however I am already somewhat familiar with bridging
> outside the context of virtual interfaces. I already have a bridge set up for
> each of the physical eth controllers. Reading back over my initial post, it
> looks like I wasn't too clear about what I was asking.
> 
> So, the VLAN I have set up now was created through virt-manager. I would like to
> access this from outside the host machine (and away from home), hence a VPN. From
> what I can tell about OpenVPN, it requires a bridged interface. In order to make
> one for the VLAN I have, I would need to define the VLAN itself in the
> interfaces file in order to keep the bridge from trying to come up before the
> interface it's bridging exists (I assume?) which I do not know how to do. Reading
> about manually-created VLANs produces curious lines like "iface eth1:200 inet
> static" which appear to be bound to a physical interface. Is this what is going
> on, and is that necessary for an isolated network?
> 
> On 5/12/2015 11:20 AM, DJ-Pfulio wrote:
>> http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html
>>
>>
>> On 05/12/2015 09:55 AM, Dustin Strickland wrote:
>>>      My understanding of networking does not extend past physical interfaces. I
>>> have a Wheezy VM host that runs many different services for my LAN; OS testing,
>>> various database, LDAP, web, etc. servers. Currently all running under KVM. All
>>> of the VMs aside from OS testing are connected to a virtual network I created
>>> with virt-manager (0.9.1), which I have set as 172.16.0.0/12 (a little
>>> excessive, maybe? :P). Some don't even have an upstream connection, so can only
>>> be accessed from the host. This all works great on my LAN, but I am thinking of
>>> adding OpenVPN on the host so I and other users can more easily access these
>>> services from mobile devices.
>>>
>>>      From what I read about OpenVPN's setup, it's required to bridge an
>>> interface. I haven't looked too much in to this as it seems a little
>>> over-my-head and I haven't had sufficient time to dedicate to the task as of
>>> yet. Would the bridged interface be a bridge of the VLAN interface?
>>> Additionally, if this is the case, I would need to define this bridge in
>>> addition to the VLAN in /etc/networking/interfaces (or else the bridge that
>>> OpenVPN is trying to attach to would be created before the interface that it's
>>> bridging), correct? Or am I just thinking about this entirely the wrong way? Any
>>> suggestions/explanations/this-is-an-IT-nightmare-have-you-considered-doing-it-this-way's
>>>

