Split-tunneling, or other options for VPN + local network access?

Status
Not open for further replies.

LIGISTX

Guru
Joined
Apr 12, 2015
Messages
525
So, I am trying to determine how I would go about running a preferably Fedora VM that is on a VPN to a friend's house. Now, I say friend, but said friend likes to get drunk and "practice his coding skills in less than stellar ways... if I give him a way in, he will probably jack with my stuff for 'fun'".

Point is, I'm not sure how to do this under a FreeNAS VM since you can't pass a VM a mount point like you can a jail, and I'm not sure exactly how the security of split tunneling works, to be honest. Even if my friend didn't do anything nefarious, if his network was compromised I don't want my network to be a simple jump away from compromise as well.

What would be an ideal solution for setting up a VM with a VPN connection, with that VM also having the ability to access local FreeNAS-hosted data without opening up my FreeNAS box/network to attack? If the attacker had to get into and go through my Fedora VM itself I wouldn't be too worried; it won't have SSH turned on and will have strong passwords, etc. If someone can break into Fedora... I think my Windows network will provide a much easier attack vector than a Fedora VM. Although, I am by no means a network/hardening guru AT ALL, so maybe with networked access to the Fedora box that wouldn't be as hard as I imagine it to be.

I’m not sure what sort of options there are, but any advice or a point in the right direction would be wonderful.


Sent from my iPhone using Tapatalk
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I'm a bit confused as to what the goals are.

Whom do you want to give access to what? What is your friend supposed to have access to?
 

LIGISTX

Guru
Joined
Apr 12, 2015
Messages
525
I'm a bit confused as to what the goals are.

Whom do you want to give access to what? What is your friend supposed to have access to?

There is a directory within FreeNAS that I want the VM to have access to, call it /mnt/tank/company_data, but I want that VM to be on a VPN to my friend's network.

Problem is, as far as I know... once I connect the VM to the VPN, I won't be able to see the "local" FreeNAS data locally any longer. I wouldn't be able to smb://"internal server IP" since that VM now believes it to be a part of my friend's LAN and not my own.

I know, I can just have him SSH/SFTP data directly, no need to set up the VM, but I built this server to learn the ins and outs of networking and such, so while it may be a weird use case, it’s still a case I want to play with.


Sent from my iPhone using Tapatalk
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I wouldn't be able to smb://"internal server IP" since that VM now believes it to be a part of my friend's LAN and not my own.
Sure you can. You just have to ensure that traffic to the "local" subnet is not sent via the VPN connection and that traffic to the "remote" subnet is. Of course, that is more easily accomplished in a dedicated router, hence why you often see those doing the VPN stuff.
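A way to verify the routing Ericloewe describes, as an added example that is not from this thread: the OpenVPN client directives that stop a pushed default route from capturing LAN traffic, plus a shell check over `ip route` output that confirms the local subnet stays off the tunnel while the remote subnet uses it. The subnets, interface names and sample routes below are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values for illustration:
LOCAL_NET="192.168.1.0/24"    # home LAN holding the FreeNAS box (assumed)
REMOTE_NET="10.8.0.0/24"      # friend's LAN reached through the VPN (assumed)
VPN_IF="tun0"                 # OpenVPN tunnel interface (assumed)

# OpenVPN client directives (for the .ovpn file) that produce this split:
#   route-nopull                     # ignore everything the server pushes
#   route 10.8.0.0 255.255.255.0     # add only the remote subnet via the tunnel
# Without these, a pushed "redirect-gateway" sends all traffic, including
# SMB to the FreeNAS box, through the friend's network.

# Constructed sample of `ip route show` from a correctly configured VM.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# route_dev ROUTES PREFIX -> prints the device PREFIX is routed through.
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i+1) }'
}

# check_split_tunnel ROUTES -> 0 if local traffic avoids the VPN and remote
# traffic uses it, 1 otherwise. On a real VM pass "$(ip route show)".
check_split_tunnel() {
    local_dev=$(route_dev "$1" "$LOCAL_NET")
    remote_dev=$(route_dev "$1" "$REMOTE_NET")
    default_dev=$(route_dev "$1" "default")
    [ -n "$local_dev" ] && [ "$local_dev" != "$VPN_IF" ] ||
        { echo "FAIL: local subnet missing or sent via $VPN_IF"; return 1; }
    [ "$remote_dev" = "$VPN_IF" ] ||
        { echo "FAIL: remote subnet not routed via $VPN_IF"; return 1; }
    [ "$default_dev" != "$VPN_IF" ] ||
        { echo "FAIL: default route captured by $VPN_IF"; return 1; }
    echo "OK: $LOCAL_NET via $local_dev, $REMOTE_NET via $remote_dev"
}

check_split_tunnel "$SAMPLE_ROUTES"
```

Run it on the VM after OpenVPN connects; if it reports the default route captured by tun0, the pushed redirect-gateway is still being honoured and the FreeNAS share will be unreachable.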
 

LIGISTX

Guru
Joined
Apr 12, 2015
Messages
525
Sure you can. You just have to ensure that traffic to the "local" subnet is not sent via the VPN connection and that traffic to the "remote" subnet is. Of course, that is more easily accomplished in a dedicated router, hence why you often see those doing the VPN stuff.

Is there an easy way to set this up within Fedora? Or at least a guide you can point me towards that may help? At this point I have not even gotten the VPN working, though; it's an OpenVPN config file, and for whatever reason it's giving me credential issues. I have a little troubleshooting to do just to get it up and running. I was pointed at this by other sources; if anyone has any ideas for either issue, that would be awesome.

https://ask.fedoraproject.org/en/qu...work-activation-of-network-connection-failed/
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
No, I'm afraid my hard networking skills are rudimentary, particularly where Linux is concerned.
 

LIGISTX

Guru
Joined
Apr 12, 2015
Messages
525
No, I'm afraid my hard networking skills are rudimentary, particularly where Linux is concerned.
Has to be a way... always a way.
 