
I have several Windows Servers running on an Azure virtual network with 2 subnets. I have a domain controller at 10.0.0.4, and servers at 10.0.1.4, 10.0.1.5, etc. I configured a point-to-site VPN, so that I can make a VPN connection to the virtual network from my PC. When I make the VPN connection, my PC receives a 10.0.16.x IP. By default the VPN connection provided by Azure routes only 10.x.x.x traffic through the VPN, but I've modified this by checking Use default gateway on remote network, because I want all internet traffic routed through Azure when I am connected to the VPN. When I make this connection, I am able to access the servers on the Azure virtual network, but I have no connectivity to the internet. My understanding is that a NAT router will be required in order to facilitate internet connectivity.

I have added a CentOS VM at 10.0.1.6. It has just a single NIC, as it's not possible for Azure VMs to have more than one NIC. I have two questions:

  1. Will it be possible to configure a NAT router with a single NIC? If so, how? Google searching buries me in an avalanche of iptables commands, mostly for NAT routers with 2 NICs. I can't find anything that simplifies the configuration steps required for this type of scenario. I tried the commands here, but that was not successful.

  2. On my PC after connecting to the VPN, I'm not quite clear what I'll need to do. Will I be essentially wanting to make 10.0.1.6 the default gateway? If so, is this how I will do that?

    route delete 0.0.0.0
    route add 0.0.0.0 MASK 0.0.0.0 10.0.1.6
    

In case it helps, here is the output of ifconfig on the CentOS VM:

eth0      Link encap:Ethernet  HWaddr 00:15:5D:61:7E:1E
          inet addr:10.0.1.6  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe61:7e1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:931 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1034 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:101709 (99.3 KiB)  TX bytes:162650 (158.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Here's a snip from the Azure Virtual Network configuration page that hopefully helps to describe the layout of the network. I am using "Subnet-1" for domain controllers, and "Subnet-2" is where all other servers live (including the CentOS VM that I'm trying to use as a router). Azure automatically configures the VMs in "Subnet-1" with a default gateway of 10.0.0.1, and the VMs in "Subnet-2" with a default gateway of 10.0.1.1. But those gateways are not servers that I have any control over. The VPN clients are allocated IPs from the "point-to-site connectivity" address space.

Azure Virtual Network Configuration Screenshot

(I'm not allowed to post images apparently)

And here's a link to the route table on the (windows) vpn client (in this case after configuring 10.1.0.1 as the default gateway):

Route table on VPN client

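For question 1, here is what a single-NIC ("router on a stick") NAT configuration looks like on a Linux box, as an added example that is not part of the original post. The interface and subnet names (eth0, 10.0.16.0/24) are taken from the question; the function names are my own. Packets from the VPN client pool come in on the VM's only interface and are forwarded back out the same interface, so the kernel must have forwarding on, must not answer with ICMP redirects (it otherwise sends one every time it hairpins a packet), and must masquerade the clients behind the VM's own address so replies return to it. The optional third argument covers the case the answer below suggests, a second tunnel terminated on the CentOS VM, where the clients arrive on tun0 instead of eth0. Two caveats: these rules only matter if the packets actually reach the VM, which the answer below argues they will not over the Azure point-to-site gateway, and on current Azure the VM's NIC also needs IP forwarding enabled in the platform, or the fabric drops packets whose addresses are not the NIC's own.

```shell
#!/bin/sh
# Added example, not from the original post: NAT for a Linux VM with one NIC.
#
#   nat_rules EGRESS_IF CLIENT_NET [INGRESS_IF]
#       prints the sysctl/iptables commands; INGRESS_IF defaults to EGRESS_IF
#       (the single-NIC hairpin case). Pass tun0 when the VPN clients arrive
#       over a tunnel terminated on this VM.
#   apply_nat EGRESS_IF CLIENT_NET [INGRESS_IF]
#       runs them; must be root.
#
# eth0 / 10.0.16.0/24 are the names from the question; the functions are mine.

nat_rules() {
    egress="$1"            # interface with the default route, e.g. eth0
    client_net="$2"        # VPN client pool, e.g. 10.0.16.0/24
    ingress="${3:-$1}"     # where client packets come in; same NIC by default
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.${egress}.send_redirects=0
iptables -P FORWARD DROP
iptables -A FORWARD -i ${ingress} -o ${egress} -s ${client_net} -j ACCEPT
iptables -A FORWARD -i ${egress} -o ${ingress} -d ${client_net} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s ${client_net} -o ${egress} -j MASQUERADE
EOF
}

# Number of commands nat_rules emits, for a quick sanity check.
nat_rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

# Review with nat_rules first; apply_nat feeds the same lines to a shell
# that stops at the first failing command.
apply_nat() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat: must run as root" >&2; return 1; }
    nat_rules "$@" | sh -e
}

# Usage on the CentOS VM, as root:  apply_nat eth0 10.0.16.0/24
```

The FORWARD policy is DROP and only the client pool is accepted, so the VM forwards for the VPN clients and nothing else on the subnet; MASQUERADE rather than SNAT is used because the VM's address is handed out by Azure DHCP and may change. Check the result with `iptables -t nat -L POSTROUTING -n -v` and watch the packet counters climb while a client browses.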
  • I notice that no one has responded to this post yet. I was going to, but it was "too hard" as it is not immediately apparent [without better-than-average analytical/reading/modeling skills] how the network works. If no one else helps and you put up a diagram showing how it all looks I'll try to help. I suspect the problem has to do with network masks and gateways.
    – davidgo
    Commented Jan 5, 2014 at 0:38
  • I don't know how to create a network diagram, but it's simple: CentOS VM IP: 10.0.1.6, default gateway: 10.0.1.0, internet connectivity: yes; Windows VPN client IP: 10.0.16.2, default gateway: 10.0.1.6, internet connectivity: no. When I'm connected to the VPN, I can ping 10.0.1.6, and I can ping 10.0.16.2 from 10.0.1.6, but I don't have internet connectivity. I'm trying to configure iptables on the CentOS VM, but I haven't been able to get anything to work, and I want to make sure it's possible with only 1 NIC. Commented Jan 5, 2014 at 1:52
  • typo: default gateway for the CentOS VM is 10.0.1.1 Commented Jan 5, 2014 at 16:48
  • Sorry, not clear enough - I could not easily draw a network diagram from the information provided - no netmasks and not obvious where boxes fit together relative to routers. Yes, it's possible with 1 NIC - the VPN should act as a second NIC, but you need to tune your netmasks for a start. You can download Dia (dia-installer.de) for most OSes, put together a diagram as a png and upload or link to it.
    – davidgo
    Commented Jan 5, 2014 at 17:23
  • To be clear, the CentOS VM is not the VPN server. I'm just trying to configure it as a router. It's very difficult for me to fully describe the network, because several components are part of the Azure infrastructure which I have no control over and don't really know anything about. Hopefully the screenshot I posted provides enough information. Commented Jan 5, 2014 at 18:12

1 Answer

The VPN server (for example, 10.0.0.1) is always the first stop for all IP traffic going out from the client.

So, if you have traffic going to, for example, www.google.com, it must first cross this VPN server, because the VPN connection is a point-to-point link, i.e. traffic from the client has only one exit, which is the server.

Then, the VPN server will see the destination of the traffic, and since the server is configured not to forward traffic whose destination is the internet, it will drop this traffic.

So, the VPN server will always intercept and drop traffic going to the internet; you can't bypass it.

Conclusion: the traffic won't even reach CentOS, and thus won't trigger NAT.

You could create a 2nd tunnel from the client to the CentOS VM (e.g. OpenVPN) inside the original VPN tunnel to hide the internet traffic from the VPN server.

Or, another solution would be to set up a web proxy on the CentOS VM and configure your web browser to use that proxy. This way the HTTP traffic will always leave the client with the destination IP of CentOS, then reach the proxy, which will forward it to the internet; however, this solution works only for HTTP traffic.
