Re: Question about wg(4)

[Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost>]

Konrad Schroder <perseant%hhhh.org@localhost> writes:

>         wm0 = 192.0.2.123                     bge0 = 198.51.100.45
> 
>         Stationary server:                         Roaming client:
>         +---------+                                    +---------+
>         |    A    |                                    |    B    |
>         |---------|                                    |---------|
>         |        [wm0]-------------internet--------[bge0]        |
>         |    [wg0] port 1234 - - - (tunnel) - - - - - - [wg0]    |
>         |   10.0.1.0                  |               10.0.1.1   |
>         |         |                   |                |         |
>         +--[wm1]--+          +-----------------+       +---------+
>              |               | VPN 10.0.1.0/24 |
>              |               +-----------------+
>         +-----------------+
>         | LAN 10.0.0.0/24 |
>         +-----------------+

I have a somewhat similar situation, where I want clients inside my own
network to talk to a dual hosted machine over the inside address, and
not the external, official, address it has in DNS.

Since I use PowerDNS, with dnsdist in front of both authoritative and
recursive servers, I could modify the DNS response there.  In the case
of the network you drew, the dnsdist code would be something like:

inside_ips = newNMG()
inside_ips:addMask('10.0.0.0/24')

addAction(AndRule({NetmaskGroupRule(inside_ips),
                   QNameRule('thatserver.your.domain.'),
                   QTypeRule(DNSQType.A)}),
          SpoofAction('10.0.1.1', {ttl=3600}))

This neatly lets any other records for the server (anything that isn't
an A record) be delivered unaltered to the inside clients, modifying
only the response to A queries in particular.

-tih
-- 
Puppies are cute.