Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home
-
I've got an Ubuntu server out on Azure (and before someone asks, Azure is perfect for this since it's included in my MS Partner subscription) that I'm using to learn and test on. I currently have a single network interface added and enabled and configured firewall rules to allow HTTPS and SSH traffic through. Here is what I'd like to do and I'm hoping I can get some pointers from folks with Linux experience here (I'm a newbie at Linux)...
I'd like to add a second interface to Ubuntu and have that interface VPN back home to me. The purpose would be to only allow SSH via the VPN connection and manage all admin tasks on VPN. I've already set up SSH keys to securely access over the internet but because I could use one of many devices to access the Ubuntu server, I'd like to be able to do this over VPN instead. I don't want all traffic on the VPN because I have a dynamic IP address so ideally, eth0 = internet facing for HTTPS traffic and eth1 = VPN that autoconnects back home to Sophos UTM for all admin related activities.
Thoughts? Suggestions? Am I overcomplicating things?
-
You don't "add an interface" for this. Don't think of Linux as special here, treat it the same way that you would with Windows.
In both cases, you would pick your VPN technology, install it and the VPN software creates the needed adapter for it to use. You do not create the adapter ahead of time. Let the VPN software do the work.
-
What VPN are you planning to use?
-
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
What VPN are you planning to use?
Good question. I'm interested in recommendations since Linux is still so new. I'm essentially looking to create a site-to-site VPN between Ubuntu and Sophos UTM. And if I'm using a single network interface, I'm assuming this will require some sort of split dns setup?
-
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
What VPN are you planning to use?
Good question. I'm interested in recommendations since Linux is still so new. I'm essentially looking to create a site-to-site VPN between Ubuntu and Sophos UTM. And if I'm using a single network interface, I'm assuming this will require some sort of split dns setup?
So it is the Sophos that is the limiting factor here. What does Sophos support? It does not support ZeroTier, Pertino or Hamachi so those are ruled out. Does it support OpenVPN or IPSec?
-
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
And if I'm using a single network interface, I'm assuming this will require some sort of split dns setup?
What does the interface have to do with it? DNS is not dependent on interface.
-
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
What VPN are you planning to use?
Good question. I'm interested in recommendations since Linux is still so new. I'm essentially looking to create a site-to-site VPN between Ubuntu and Sophos UTM. And if I'm using a single network interface, I'm assuming this will require some sort of split dns setup?
So it is the Sophos that is the limiting factor here. What does Sophos support? It does not support ZeroTier, Pertino or Hamachi so those are ruled out. Does it support OpenVPN or IPSec?
Sophos does support IPSec.
-
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
And if I'm using a single network interface, I'm assuming this will require some sort of split dns setup?
What does the interface have to do with it? DNS is not dependent on interface.
To be clear about my intended use, I want to have HTTPS traffic from the internet continue to route to the server via its public IP address. The site-to-site VPN is to allow all other traffic. If I setup a simple site-to-site VPN, then ALL traffic will route through the VPN. This is not what I want to do since I have a dynamic IP and the server needs to be reachable via the domain name. My public DNS records can't point to my dynamic IP without having to be changed whenever my IP changes.
-
This is more a matter of routing by port number than by DNS.
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
To be clear about my intended use, I want to have HTTPS traffic from the internet continue to route to the server via its public IP address. The site-to-site VPN is to allow all other traffic. If I setup a simple site-to-site VPN, then ALL traffic will route through the VPN. This is not what I want to do since I have a dynamic IP and the server needs to be reachable via the domain name. My public DNS records can't point to my dynamic IP without having to be changed whenever my IP changes.
-
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
To be clear about my intended use, I want to have HTTPS traffic from the internet continue to route to the server via its public IP address. The site-to-site VPN is to allow all other traffic. If I setup a simple site-to-site VPN, then ALL traffic will route through the VPN.
No, that is not what happens. You are mixing the concepts of routing, traffic origination and such. If you set up a VPN, your web server will still be listening to the public IP address. You are imagining a problem to solve that does not exist.
Also, no relationship to DNS.
-
@scottalanmiller said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
@NashBrydges said in Ubuntu Server 2 Network Interfaces with 1 that is public + 1 that VPNs back home:
To be clear about my intended use, I want to have HTTPS traffic from the internet continue to route to the server via its public IP address. The site-to-site VPN is to allow all other traffic. If I setup a simple site-to-site VPN, then ALL traffic will route through the VPN.
No, that is not what happens. You are mixing the concepts of routing, traffic origination and such. If you set up a VPN, your web server will still be listening to the public IP address. You are imagining a problem to solve that does not exist.
Also, no relationship to DNS.
The only time you might run into a problem is if your Ubuntu server registers itself into your local DDNS server at your site when it comes online through the VPN with the same host name as what you use on the public internet. This seems unlikely, so you shouldn't ever see this problem.
-
@scottalanmiller I get what he wants to do, which is have a dedicated VPN Interface so that there is no bottleneck or interference with the public interface for the website.
He is creating an issue out of nothing though, the single interface should be more than enough to support a management VPN and the website.
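The firewall policy the thread keeps circling around (HTTPS open to the internet on the one public interface, SSH answered only to traffic that arrived through the site-to-site tunnel) can be expressed in a single nftables ruleset; no second interface is involved. The script below is an added example written for this page, not code from any poster, Sophos, or Azure. It assumes a policy-based IPsec tunnel (the kind a Sophos UTM site-to-site connection normally builds, where tunnelled packets arrive on the public interface and carry no separate adapter), that the public interface is `eth0`, that the home LAN behind the UTM is `192.168.1.0/24`, and that the nftables on the box understands the `meta ipsec exists` match (nftables 0.9.1 or later); every one of those is a placeholder to adjust.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an nftables ruleset that keeps
# HTTPS public and restricts SSH to packets that came in through the IPsec
# site-to-site tunnel from the home LAN. Interface name and subnet are
# assumptions, override them via the environment.
PUB_IF="${PUB_IF:-eth0}"                   # assumed public interface
HOME_LAN="${HOME_LAN:-192.168.1.0/24}"     # assumed LAN behind the Sophos UTM

# Print the complete ruleset. Apply it with:  gen_ruleset | sudo nft -f -
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # IKE and ESP must be allowed in or the tunnel can never come up
    udp dport { 500, 4500 } accept
    ip protocol esp accept
    # Public service: HTTPS from anywhere on the public interface
    iifname "$PUB_IF" tcp dport 443 accept
    # Admin path: SSH only if the packet was decrypted by IPsec (i.e. it
    # came through the tunnel) AND its source is the home LAN. A policy-
    # based tunnel has no interface of its own, so match on the IPsec
    # state instead of an interface name.
    meta ipsec exists ip saddr $HOME_LAN tcp dport 22 accept
    # Explicit drop for any other SSH attempt, including from the internet
    tcp dport 22 drop
  }
}
EOF
}

# Plain-shell mirror of the decision the ruleset makes, so the policy can be
# reasoned about (and tested) on a machine without nft or root.
# Usage: decide <dport> <via_ipsec 0|1> <src_is_home_lan 0|1>  -> accept|drop
decide() {
  dport=$1; via_ipsec=$2; src_home=$3
  if [ "$dport" -eq 443 ]; then
    echo accept
  elif [ "$dport" -eq 22 ] && [ "$via_ipsec" -eq 1 ] && [ "$src_home" -eq 1 ]; then
    echo accept
  else
    echo drop
  fi
}

# Syntax-check the generated ruleset if nft is installed (no changes applied).
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    gen_ruleset | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}
```

Run `check_ruleset` before `gen_ruleset | sudo nft -f -`, and do it from a console session (Azure serial console or the portal) rather than over the SSH session you are about to cut off; with the policy above, SSH from the public internet is dropped the moment the ruleset loads, so the tunnel must already be up and tested. If the tunnel is built route-based instead (strongSwan with an xfrm or VTI interface), the tunnelled packets do arrive on an interface of their own, and the `meta ipsec exists` line becomes `iifname "ipsec0" ip saddr $HOME_LAN tcp dport 22 accept` with whatever that interface is called.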
-
Depending on what your agreement includes, how much you plan on hosting in azure, etc. You may want to look at the VPN gateway, essentially a vRouter that can communicate with your azure private networks and create a site to site tunnel back home. Make sure not to confuse this with ExpressRoute.
https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/
-
@donaldlandru Sorry about the radio silence, had a couple emergencies to deal with.
This is clearly my best option. Thanks for pointing that out, I was just reading up on it and will have to give it a try.
-
Linux computers are just as vulnerable to hacks, malware attacks and virus infections as any PC or Mac. Linux or Ubuntu operating systems do not provide any additional protection. You can make your connections secure and anonymous with a VPN easily. A VPN service can also allow Linux users to bypass censorship filters and geo blocks.
-
@Murtlap We'd all agree with you on the Linux isn't any more secure just because it's Linux point! Hopefully we'll have the video from my speech at MangoCon available soon. If not, you can always look at my slide deck.