Stupid Networking Tricks

So the office network has been lacking a VPN to the corporate network. We’ve got individual Cisco VPN clients we could use, but they suck because they disable local LAN access. Thus, while we are connected to headquarters, we can’t print to the printer sitting right next to us.

We were able to get by without this for a while, but now we’re expected to know what’s going on in corporate. With a permanent solution still weeks away, I decided to tackle the lame Cisco client head-on. I would try setting up the Cisco client as a gateway, so that the whole office could use it and still have access to the local network.

The VPN software seems to prohibit routing at the kernel level by installing itself as a module. The obvious solution of using the kernel to forward traffic between two interfaces doesn’t work. I would have to be creative.

Then I got inspired. Using tcpdump, I could see that traffic originating locally on my gateway box was being NATted to the VPN IP address. Traffic sent to the gateway from outside was not. Using some iptables-fu, I came up with a quick script which did the trick. I created a couple of IP-aliased interfaces. I then used SNAT and DNAT iptables rules to forward all traffic destined to these IPs to corresponding hosts on the corporate network.
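The mirror-IP trick described above, as an added example that is not the post's own script: a small POSIX shell generator that emits the `ip`/`iptables` commands for each mirror address, in dry-run mode by default. The interface name, the VPN-assigned address and the mirror/host pairs are all assumptions chosen for illustration, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the "mirror IP" rules.
# Idea: publish an address on the office LAN (the mirror), DNAT anything sent
# to it onto the real host behind the VPN, then SNAT the result so the VPN
# client sees traffic that appears to originate on the gateway itself.
# All names and addresses below are assumptions (RFC 5737 / RFC 1918 ranges).

LAN_IF="${LAN_IF:-eth0}"        # office-facing interface (assumption)
VPN_IP="${VPN_IP:-10.9.9.9}"    # address the VPN client assigned (assumption)

# mirror_rules <mirror_ip> <remote_ip> [<label>]
# Prints (does not run) the three commands for one mirror; the caller decides
# whether to pipe them into sh.
mirror_rules() {
  mirror=$1; remote=$2; label=${3:-mirror}
  # 1. alias the mirror address onto the LAN interface so the office can reach it
  printf 'ip addr add %s/32 dev %s label %s:%s\n' "$mirror" "$LAN_IF" "$LAN_IF" "$label"
  # 2. rewrite the destination before routing: mirror -> real corporate host
  printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
    "$LAN_IF" "$mirror" "$remote"
  # 3. rewrite the source after routing so the packet looks locally originated,
  #    which is the only traffic the VPN client is willing to carry. SNAT to the
  #    gateway's own LAN address would also work here; using the VPN address is
  #    an assumption, not something the post specifies.
  printf 'iptables -t nat -A POSTROUTING -d %s -j SNAT --to-source %s\n' \
    "$remote" "$VPN_IP"
}

# mirror_plan reads "mirror_ip remote_ip label" lines from stdin and prints the
# complete rule set. Forwarding must be on: after DNAT the packet is no longer
# addressed to the gateway, so the kernel has to be allowed to forward it.
mirror_plan() {
  echo 'sysctl -w net.ipv4.ip_forward=1'
  while read -r mirror remote label; do
    case $mirror in ''|'#'*) continue ;; esac   # skip blank and comment lines
    mirror_rules "$mirror" "$remote" "$label"
  done
}

# Constructed mapping for illustration only.
MIRRORS='
# mirror_ip    corporate_host  label
192.0.2.201    10.20.30.40     mail
192.0.2.202    10.20.30.41     wiki
'

if [ "${APPLY:-0}" = 1 ]; then
  printf '%s\n' "$MIRRORS" | mirror_plan | sh -e   # apply (needs root)
else
  printf '%s\n' "$MIRRORS" | mirror_plan           # dry run: just show the plan
fi
```

Run it as-is to review the plan, or with `APPLY=1` as root to install it. Two things worth keeping in mind when operating a box like this: every mirror extends the corporate VPN's reach to the whole office LAN, so add mirrors only for the hosts people actually need (and consider a `-s <office subnet>` match on the PREROUTING rule); and the corporate side only ever sees the gateway's single VPN address, so per-user attribution in corporate logs is lost and the gateway's own logs become the place that records who talked to what.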

Now the local office has “mirror” IPs for remote hosts, and from the local users’ perspective it looks like they’re talking to the real server. The dumb VPN client doesn’t know that the traffic it’s forwarding did not originate locally. Everyone is happy.

Well, maybe not everyone. I’m not totally happy. As clever as my hack may be, it irks me that there isn’t yet an easier way to do this. I’ll continue to study the VPN client to see what other magic I can make it do.

I kind of surprised myself with how much of this stuff I still know how to do.