Redirect traffic from VM to proxy machine using policy based routing via tunnel

+-----------------------------+
| +---------+                 |               +-------------+
| | VM(eth0)|---vnic0---br0   |               | Machine B   +------- external
| +---------+                 |-------------- |             |
| Mothership                  |               +-------------+
+-----------------------------+
          Machine A

As shown in the diagram, I have two machines, A and B. On machine A a hypervisor is running, and one VM has been created on machine A.

I want to set up machine B as a proxy that redirects the non-private IP traffic from machine A to the external world and sends the responses back. The setup is as follows.

Machine A

    echo 300 Tunnel >> /etc/iproute2/rt_tables
    ip rule add pref 32000 to 74.125.0.0/16 lookup Tunnel
    ip tunnel add tunnel1 mode ipip local machine-A remote machine-B
    ip link set tunnel1 up
    ip addr add A.B.C.D/22 dev tunnel1
    ip route add default dev tunnel1 table Tunnel
    sysctl -w net.ipv4.conf.eth0.rp_filter=0
    sysctl -w net.ipv4.conf.vnic0.rp_filter=0
    sysctl -w net.ipv4.conf.br0.rp_filter=0
    sysctl -w net.ipv4.conf.tunnel1.rp_filter=0
    sysctl -w net.ipv4.ip_forward=1

Machine B

    ip tunnel add tunnel1 mode ipip local machine-B remote machine-A
    ip link set tunnel1 up
    ip addr add X.Y.Z.W/22 dev tunnel1
    sysctl -w net.ipv4.conf.tunnel1.rp_filter=0
    sysctl -w net.ipv4.ip_forward=1

If I ping 74.125.200.100 from machine A (the host), the traffic goes through the tunnel and is received at machine B. But if I ping 74.125.200.100 from the VM, the traffic arrives at br0, does not honor the policy-based routing, and is not redirected into the tunnel.

The questions are

  1. Why is policy-based routing not honored when the traffic originates from the VM?

  2. How can I redirect the VM traffic to machine B via the tunnel?
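The lookup that `ip rule` drives is the same for packets the host generates and packets it forwards on behalf of the VM: the `to 74.125.0.0/16` selector above carries no interface condition, so a VM packet that actually reaches the host's IP forwarding path would also land in table Tunnel. The simulator below is an added example, not code from the post; it models the rule walk and the per-table longest-prefix match using the rules from the commands above, with an assumed main table (eth0 gateway 10.0.0.1, VM subnet 192.168.122.0/24 behind br0) and an assumed VM address 192.168.122.10, and also shows how an `iif br0` selector would look if only forwarded traffic should be steered. The live equivalent of the second case is `ip route get 74.125.200.100 from 192.168.122.10 iif br0`; if that reports tunnel1 while the VM's packets still leave another way, the bridge is switching them at layer 2 and the host's routing stack never sees them.

```python
"""Policy-routing lookup, modelled on `ip rule` plus `ip route ... table T`."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Rule:
    pref: int
    table: str
    to: Optional[IPv4Net] = None    # "to PREFIX" selector
    src: Optional[IPv4Net] = None   # "from PREFIX" selector
    iif: Optional[str] = None       # "iif DEV" selector (forwarded traffic only)


@dataclass
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[str] = None


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    iif: str   # ingress device; "lo" marks a packet generated on the host itself


# Constructed to mirror the Machine A commands in the post. The main-table entries
# (eth0 gateway 10.0.0.1, VM subnet 192.168.122.0/24 on br0) are assumptions.
RULES: List[Rule] = [
    Rule(pref=32000, table="Tunnel", to=IPv4Net("74.125.0.0/16")),
    Rule(pref=32766, table="main"),
]
TABLES: Dict[str, List[Route]] = {
    "Tunnel": [Route(IPv4Net("0.0.0.0/0"), dev="tunnel1")],
    "main": [
        Route(IPv4Net("0.0.0.0/0"), dev="eth0", via="10.0.0.1"),
        Route(IPv4Net("192.168.122.0/24"), dev="br0"),
    ],
}

# Variant: steer only traffic that entered through br0 (forwarded VM traffic),
# leaving the host's own connections to 74.125.0.0/16 on the main table.
RULES_IIF_ONLY: List[Rule] = [
    Rule(pref=32000, table="Tunnel", to=IPv4Net("74.125.0.0/16"), iif="br0"),
    Rule(pref=32766, table="main"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every selector present on the rule must match; a bare rule matches everything."""
    if rule.to is not None and pkt.dst not in rule.to:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    if rule.iif is not None and pkt.iif != rule.iif:
        return False
    return True


def longest_prefix(table: List[Route], pkt: Packet) -> Optional[Route]:
    best = None
    for route in table:
        if pkt.dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def decide(src: str, dst: str, iif: str = "lo",
           rules: List[Rule] = RULES, tables: Dict[str, List[Route]] = TABLES
           ) -> Tuple[Optional[str], Optional[str]]:
    """Walk rules by preference; a table with no route for dst falls through to the next rule."""
    pkt = Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), iif)
    for rule in sorted(rules, key=lambda r: r.pref):
        if not rule_matches(rule, pkt):
            continue
        hit = longest_prefix(tables.get(rule.table, []), pkt)
        if hit is not None:
            return rule.table, hit.dev
    return None, None   # no rule/table produced a route: unreachable


if __name__ == "__main__":
    cases = [
        ("10.0.0.5", "74.125.200.100", "lo"),         # ping from the host itself
        ("192.168.122.10", "74.125.200.100", "br0"),  # ping from the VM, forwarded via br0
        ("192.168.122.10", "8.8.8.8", "br0"),         # VM traffic outside the selector
    ]
    for src, dst, iif in cases:
        table, dev = decide(src, dst, iif)
        print(f"{src:>15} -> {dst:<15} iif {iif:<3}  table={table} dev={dev}")
```

The third case shows why the selector matters: VM traffic to anything outside 74.125.0.0/16 still follows the main table, so the tunnel only ever carries what the rule names.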

How to Route (only) DNS over Router OpenVPN Client Tunnel?

I am using an AsusWRT router; it uses a Unix kernel with Entware repos. I'm running DNSCrypt and dnsmasq, and OpenVPN runs on the router as well. I would like to forward all DNS on the network through the VPN client tunnel. How can I do this?

I can easily route any client on the subnet through OpenVPN. Must I create a client routed through the VPN and route all DNS traffic to that client running its own DNS server, for example 192.168.50.150? Or is there a better way, one where I can route all DNS traffic directly on the router without needing an extra client/gateway for DNS?

Thank you
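One way to do this on the router itself, as an added example that is not part of the question: since dnsmasq forwards to dnscrypt-proxy locally and dnscrypt-proxy is the only process that talks to the upstream resolver, pinning a host route for that resolver to the tunnel sends every DNS query on the network through the VPN without touching any client. The resolver address 203.0.113.53 and the dnsmasq-to-dnscrypt-proxy chain are assumptions; the directive goes in the OpenVPN client configuration (on AsusWRT, the client's custom configuration box).

```conf
# OpenVPN client config on the router (added example).
# Assumes dnsmasq -> dnscrypt-proxy on the router and that dnscrypt-proxy's
# upstream resolver is 203.0.113.53 (placeholder address).
# A /32 route pins only that resolver to the tunnel; LAN clients keep their own routing
# and the line is honoured even when route-nopull is set.
route 203.0.113.53 255.255.255.255 vpn_gateway
# Repeat one line per resolver dnscrypt-proxy is configured with.
# Check once the client is up:  ip route get 203.0.113.53   (should show the tun device)
```

If dnscrypt-proxy is configured with several resolvers, every one of them needs such a line; a resolver without one silently falls back to the WAN path.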

VPN/SSH Tunnel from outside a network to inside

I have a game server on machine A on my local network, and I want people to be able to connect to it through machine B, a VPS on the WAN. I first thought of using a VPN, so I did some Googling, but I cannot find a suitable tutorial: they are all either for a different use case (i.e. the clients all connect to the VPN instead of just the two servers) or too confusing for a newbie to this kind of networking like me.

I want the architecture to look a little like this:
game-server <===> routers <===> vps <===> clients
The connection between the VPS and the clients is easy because it is outbound from the clients, so any NAT that might be in the way is not an issue. However, the VPS needs an inbound connection to the game server, forwarding all requests (on a single port; I think the game only uses one port).

I cannot simply port-forward on my home router as my internet connection comes from the 4G-LTE network, which has NAT and I can’t port-forward on that for obvious reasons.

EDIT #2: It might be easier to understand this way: to the clients, the VPS looks like the game server. The VPS should be totally transparent to the game.
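For a TCP game port this is exactly what an SSH reverse forward does, and it needs no VPN: the game server opens an outbound SSH session to the VPS (which passes through the 4G NAT), and the VPS listens on the public port and hands each client connection back down that session. The fragments below are an added example, not from the post; the port 27015, the account name `tunnel` and the VPS address are placeholders. The caveat is that `ssh -R` forwards TCP only, so a game that uses UDP needs a VPN (for instance WireGuard) plus a DNAT rule on the VPS instead.

```text
# On the VPS (machine B), /etc/ssh/sshd_config: allow a reverse-forwarded port to
# listen on the public interface instead of only on 127.0.0.1
GatewayPorts clientspecified

# On the VPS, /home/tunnel/.ssh/authorized_keys: the key may do nothing but this one
# forward (restrict disables everything, port-forwarding and permitlisten re-enable only
# what the tunnel needs)
restrict,port-forwarding,permitlisten="27015" ssh-ed25519 AAAA...tunnel-key-here

# On the game server (machine A), ~/.ssh/config. Run `ssh -N vps-tunnel` (or wrap it in
# autossh) to hold the outbound session that keeps the listener on the VPS open.
Host vps-tunnel
    HostName <VPS public IP>
    User tunnel
    RemoteForward 0.0.0.0:27015 localhost:27015
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

Clients connect to `<VPS public IP>:27015` and see only the VPS; the game server sees every connection arriving from localhost, which is the transparency the edit asks for.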

How to configure strongswan peer-to-peer vpn tunnel using public IP as encryption domain?

I'm required to configure an IPsec tunnel to communicate with a remote VPN (Cisco ASA 5555). I have created an Amazon Lightsail instance with Ubuntu 18.04 installed. After doing some studying I came across strongSwan, which I've used to configure the tunnel. The remote side provided a list of parameters I should use to configure my tunnel; I've listed them below together with my settings from the ipsec.conf file. My problem is that whenever I initiate traffic to the remote side, the traffic originates from my private IP (aa.aa.aa.aa) instead of my public IP AA.AA.AA.AA. Since the remote side refused to use my private IP as encryption domain (it is already used in their local network), they allowed my public IP instead. How can I configure strongSwan so that the remote side sees traffic originating from my public IP (that way we'll have a successful tunnel connection)?

Local site A:

  • Public IP: AA.AA.AA.AA
  • Private IP: aa.aa.aa.aa
  • Subnet: aa.aa.aa.aa/20

Remote site B:

  • Public IP: BB.BB.BB.BB
  • Private IP: bb.bb.bb.bb
  • Subnet: bb.bb.bb.bb/32

Conf Parameters:

Phase 1

  • Authentication method: Pre-Shared Key
  • Encryption Scheme: IKE
  • DH: Group 2
  • Encryption Algorithm: ESP-AES-256
  • Hashing Algorithm: SHA1
  • Main Mode
  • Lifetime (for negotiation): 86400s

Phase 2

  • Encapsulation: ESP
  • Encryption Algorithm: AES-256
  • Authentication Algorithm: SHA1
  • No PFS
  • Lifetime (for negotiation): 3600s
  • Key Exchange: Yes

Any help is appreciated!


Attachments: ipsec.conf, charon log
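The following is an added example of how this is usually solved on a cloud host that sits behind a 1:1 NAT, not the poster's configuration: announce the public address as both the IKE identity (`leftid`) and the local encryption domain (`leftsubnet`), then SNAT the instance's own traffic to that address so it actually matches the IPsec policy. The kernel repeats the IPsec policy lookup after a POSTROUTING SNAT changes the source, and conntrack reverses the translation on the decrypted replies, so the host never needs to own AA.AA.AA.AA itself. It assumes strongSwan 5.x with the legacy ipsec.conf stack and transcribes the Phase 1 / Phase 2 parameters listed above as given; note that DH group 2 (1024-bit MODP), SHA-1 and no PFS are weak by current standards, so it is worth asking site B for modp2048, SHA-256 and PFS if their policy allows it.

```ini
# /etc/ipsec.conf on the Lightsail instance (added example; assumes strongSwan 5.x
# with the legacy ipsec.conf/starter stack). ike= and esp= transcribe the Phase 1 /
# Phase 2 list from the question; the trailing ! makes the proposal strict.
config setup
    uniqueids=no

conn site-b
    keyexchange=ikev1
    aggressive=no                # Main Mode
    authby=secret                # PSK; pair it with a line in /etc/ipsec.secrets:
                                 #   AA.AA.AA.AA BB.BB.BB.BB : PSK "<shared secret>"
    ike=aes256-sha1-modp1024!    # Phase 1: AES-256, SHA1, DH group 2
    esp=aes256-sha1!             # Phase 2: AES-256, SHA1; no DH group = no PFS
    ikelifetime=86400s
    lifetime=3600s
    left=%defaultroute           # the socket still binds to the private aa.aa.aa.aa
    leftid=AA.AA.AA.AA           # IKE identity = the public address the ASA has on file
    leftsubnet=AA.AA.AA.AA/32    # local encryption domain = the public /32
    right=BB.BB.BB.BB
    rightsubnet=bb.bb.bb.bb/32
    auto=start

# The instance only owns aa.aa.aa.aa, so rewrite the source of its own traffic to the
# peer before the IPsec policy lookup; replies are un-translated by conntrack:
#   iptables -t nat -A POSTROUTING -s aa.aa.aa.aa -d bb.bb.bb.bb -j SNAT --to-source AA.AA.AA.AA
```

After `ipsec up site-b`, `ip xfrm policy` should show the src AA.AA.AA.AA/32 dst bb.bb.bb.bb/32 pair, and `ipsec statusall` should list the tunnel as INSTALLED with those selectors; if the ASA still reports a proxy-ID mismatch, the encryption domains on both sides have to be compared literally, /32 for /32.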

How does Tunnel Fighter’s reaction attack interact with Sentinel’s speed-reduction effect?

So let's say I'm a Fighter, and a Creature is standing to my side, within my reach (*), like this:

    o o o o o
    o * * * o
    o * F * o
    o * C * o
    o o o o o

If that creature attempts to move past me (to the left or right) and exit my reach (into the o-zone), will Tunnel Fighter’s reaction attack trigger as he’s leaving my reach? I would guess yes, because he has to move a few inches to begin the process of leaving my reach, at which point he’s “moved more than 5 feet”, which triggers Tunnel Fighter’s reaction.

If I’m right about that, Tunnel Fighter and Sentinel have an interesting interaction that I’d like clarification on. Assuming I’m in the Tunnel Fighter stance when this happens, I can potentially take an Attack of Opportunity upon the creature as he leaves my reach and use my Reaction to attack him with Tunnel Fighter’s trigger. However, Sentinel makes that AO stop the creature in its tracks.

So my question is: can I take both an Opportunity Attack and the Tunnel Fighter reaction attack in this particular situation?

If the creature starts in the bottom-right *, I assume the answer is a cut-and-dried "Yes", since he's clearly "moving more than 5 feet while within my reach" and won't get stopped by Sentinel until he's already moved 10 feet. The uncertainty arises when Sentinel's OA effect prevents him from taking the second 5 feet of movement.

And in the same vein, it’s clear that the answer is “No” if the creature moves directly down. It has left my reach before it has moved more than 5 feet, so Tunnel Fighter’s reaction attack definitely won’t trigger.

cheap tunnel light led

Our History
Founded in 2005, located in Linglong Industrial Park, the west of Hangzhou.
Our Factory
ZGSM is a hi-tech private enterprise devoted to the R&D, production and sale of high-quality LED indoor/outdoor lights, LED traffic lights, solar panels and solar-powered LED lighting systems. As one of the patent model enterprises and one of the first batch of Energy-saving Service Companies in Zhejiang Province, we have registered more than fifty products; we are also members of the Illuminating Engineering Society and the Semiconductor Industry Association in China.
Our Product
Our products cover LED street lights, LED high bay lights, LED gas station lights, LED flood lights, LED tunnel lights, LED stadium lights and other indoor/outdoor LED lights; LED traffic lights and signal controllers; PV modules, solar LED street lights and solar-powered generation systems. Our products offer energy saving, environmental friendliness, long life and more.
Product Application
Widely used in indoor/outdoor lighting, city lighting, traffic instruction, solar power generation projects and other fields.
Our Certificate
CE, GS, UL, RoHS, CB, ENEC, SAA, DLC, LM79,LM80, ISO9001, ISO14001
Production Equipment
Chip mounter, EVERFINE GO-2000 Photometric test equipment, Vigor VG2302 Leakage Current Tester, Vigor VG2679 Insulation Resistance Tester, Vigor VG2670A Dielectric Strength Tester, Vigor VG2678A Ground Resistance Tester, TDS1002 Integrating Sphere
Production Market
Our products have been exported to more than 80 countries and regions.
Our Service
Sales, technical and after-sales service is online 24 hours.
website:http://www.zgsmlightings.com/
website2:http://www.zgsm-outdoorlighting.com/

What are the best ciphers in terms of performance for SSH tunnel?

From a security standpoint, there are a few good cipher options to use with SSH, such as ChaCha20 and AES-128/256 in GCM or CTR mode. As I understand it (please correct me if I'm wrong), all of these offer pretty strong encryption.

However, what are the performance differences between the aforementioned ciphers? In certain SSH tunneling applications (like tunneling NFS, for example) performance is absolutely critical. How does one choose the cipher for the best performance while maintaining reasonable security?

Of course I could just try and measure the difference, but this data will only be applicable to my specific hardware and particular measurement technique (in my simple benchmark AES 128 GCM seems to show the best results both in terms of throughput and low CPU load).

Speaking more generally (and assuming the CPU has AES-NI support):

  1. Does ChaCha20 take advantage of AES-NI?
  2. Is GCM mode faster than CTR?
  3. How does key size (128 vs 256) affect performance?
  4. Apart from the raw throughput, what ciphers tend to load CPU more?
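A few of these have fixed answers: ChaCha20 is an add-rotate-xor design and cannot use AES-NI at all, its speed comes from SIMD integer code; AES-256 runs 14 rounds against AES-128's 10, so it costs roughly 40 percent more per block on the same hardware; and GCM's extra cost over CTR is the GHASH tag, which is cheap only where the CPU has carry-less multiply (PCLMULQDQ). What remains machine-specific is the ranking, and the script below, an added example rather than anything from the post, measures it with `openssl speed -evp` and turns the result into an ordered `Ciphers` list for ssh. The `SAMPLE` text is a constructed stand-in in the shape of openssl's output, used when `openssl` is not on PATH; the mapping to OpenSSH cipher names and the assumption of OpenSSL 1.1 or later (for `-seconds`) are mine. One caveat: OpenSSH uses OpenSSL's EVP code for AES-GCM and AES-CTR but ships its own ChaCha20-Poly1305 implementation, so the openssl figure for that one is only an approximation and the real tunnel should be measured as well.

```python
"""Rank SSH cipher candidates by raw `openssl speed -evp` throughput on this CPU."""
import subprocess
from typing import Dict, Iterable, List

# openssl EVP name -> OpenSSH cipher name (for the Ciphers option); mapping is mine
OPENSSH_NAME = {
    "aes-128-gcm": "aes128-gcm@openssh.com",
    "aes-256-gcm": "aes256-gcm@openssh.com",
    "aes-128-ctr": "aes128-ctr",
    "aes-256-ctr": "aes256-ctr",
    "chacha20-poly1305": "chacha20-poly1305@openssh.com",
}

# Constructed sample in the shape of `openssl speed -evp` output (not a real measurement)
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     703526.21k  1817245.33k  3262812.33k  4190093.65k  4575297.54k  4603789.31k
aes-256-gcm     612301.45k  1590210.10k  2845102.77k  3611540.90k  3880011.02k  3902761.22k
chacha20-poly1305  312877.60k  1011245.33k  1690120.55k  1775430.18k  1801233.70k  1804633.17k
"""


def parse_speed_output(text: str) -> Dict[str, List[float]]:
    """Return {cipher: [bytes/s per block-size column]} from `openssl speed -evp` output.

    Result rows look like '<name>  <n>k  <n>k ...'; the banner and the 'type' header are
    skipped because their columns do not all end in 'k'.
    """
    results: Dict[str, List[float]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not all(p.endswith("k") for p in parts[1:]):
            continue
        try:
            results[parts[0]] = [float(p[:-1]) * 1000.0 for p in parts[1:]]
        except ValueError:
            continue
    return results


def rank_by_throughput(results: Dict[str, List[float]], column: int = -1) -> List[str]:
    """Fastest first; column -1 is the 16384-byte case, closest to bulk tunnel traffic."""
    return sorted(results, key=lambda name: results[name][column], reverse=True)


def ciphers_option(ranking: Iterable[str]) -> str:
    """Comma-separated list in preference order, for `ssh -o Ciphers=...` or ssh_config."""
    return ",".join(OPENSSH_NAME[n] for n in ranking if n in OPENSSH_NAME)


def run_openssl_speed(names: Iterable[str], seconds: int = 1) -> Dict[str, List[float]]:
    """Benchmark each cipher with the local OpenSSL (assumes OpenSSL 1.1+ on PATH).

    Six block sizes per cipher, so five ciphers take about 30 s at seconds=1.
    """
    output = ""
    for name in names:
        proc = subprocess.run(
            ["openssl", "speed", "-seconds", str(seconds), "-evp", name],
            capture_output=True, text=True, check=True)
        output += proc.stdout
    return parse_speed_output(output)


if __name__ == "__main__":
    try:
        results = run_openssl_speed(OPENSSH_NAME)
    except (OSError, subprocess.CalledProcessError):
        results = parse_speed_output(SAMPLE)   # no openssl here: show the constructed sample
    ranking = rank_by_throughput(results)
    for name in ranking:
        print(f"{name:<20} {results[name][-1] / 1e6:10.1f} MB/s at 16 KiB blocks")
    print("Ciphers " + ciphers_option(ranking))
```

Whatever order comes out, keep every entry in the list a modern AEAD or CTR cipher; the script only reorders the set above, it never adds CBC or RC4 modes.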

Is there any software or website that provides a service to tunnel a public URL to my localhost (with port number) without being timed out or terminated?

I came across ngrok and Localtunnel, but after a while the tunnel gets disconnected/discontinued, meaning I cannot link my localhost (with port number) in Visual Studio 2015 to a public URL. Is there any free software or platform that does the same thing permanently?