Changes between Version 1 and Version 2 of NatHack


Timestamp:
01/28/11 00:53:41 (13 years ago)
Author:
krzee king
Comment:

started fixing small things... not done

  • NatHack

    v1 v2  
    11= NAT-hack =
    22
    3 First of all: NAT is bad; you should definately try to ROUTE your networks, not NAT them. That's why this page's title is nat-HACK.
     3First of all: You should definitely try to ROUTE your networks, not NAT them. That's why this page's title is nat-HACK.
    44
    55When you connect different networks you should plan ahead so that all the computers can talk together with ROUTING. But sometimes you just can't change the routing in your network: Unwilling computer department, no password to the router, etc etc.
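Review bot: On v2 line 3, dropping "NAT is bad;" leaves "That's why this page's title is nat-HACK" without a stated reason, since the only thing "that" can now refer to is the advice to route. Suggest replacing the blanket judgement with the concrete reason in one clause, for example that NAT rewrites the source address (which line 8 goes on to explain), so the reader knows what is given up by not routing. The "definately" to "definitely" correction is fine as is.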
     
    88The NAT-hack is a way of making your openVPN server rewrite ALL TRAFFIC coming in from its VPN tunnels, sending it on to its destination but FAKING that the openVPN server is the SOURCE. This way all machines that the openVPN server is able to communicate with, can also be reached from the VPN tunnels.
    99
    10 It's more or less like everyone in the neighborhood using your phone. You would get a lot of work coordinating what calls are for what neighbor. But it could work. Would be better if everyone got their own phone, so the calls could be routed directly.
     10It's more or less like everyone in the neighborhood using your phone. You would spend time coordinating what calls are for what neighbor. But it could work. The authorities would see all the telephone calls as coming from you. It would be better if everyone got their own phone, so the calls could be routed directly.
    1111
    12 So the NAT-hack is '''NOT a problem-solver''', more a problem-creator. But it could get you out of this following tricky situation: (See [http://www.secure-computing.net/wiki/index.php/Graph] for an image)
     12So the NAT-hack is '''NOT a problem-solver''', and could be a problem-creator. But it could get you out of this following tricky situation: (See [http://www.secure-computing.net/wiki/index.php/Graph] for an image)
    1313You have an openVPN server obviously sitting on a network (LAN). Now you want your machines from your VPN to be able to reach some machine on the LAN. Now, the client 10.8.0.6 on your VPN tries to contact 10.10.2.20. That's OK, the openVPN server forwards the packet to 10.10.2.20. But 10.10.2.20 doesn't know where the 10.8.0.6 machine is supposed to be. So it sends it to the gateway. Now, the gateway doesn't know either, so it sends it to the internet. The internet just ignores it without warning, because 10.<something> addresses aren't allowed on the internet.
    1414
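Review bot: On v2 line 10, the added sentence "The authorities would see all the telephone calls as coming from you" carries the real consequence of the hack, but it is stated only inside the phone analogy. Suggest also saying it in networking terms: because the openVPN server is faked as the source (line 8), machines on the LAN see every VPN client as the server's own address, so they cannot tell the clients apart in logs or in address-based access rules. On v2 line 12, "this following tricky situation" should read "the following tricky situation".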