
looking for a *very* specific vpn/proxy setup.

manikyath

so.. once again it's me and my very specific questions i can't find on the google.

 

i'm looking for a very specific implementation of vpn / proxy / whatever sort of thing ends up working out..

 

in short, i want to put some sort of "wall" in front of the services my (home) server provides, primarily to reduce the need for whitelisting on game servers, or to lessen the emphasis on the security of said game servers. in short, this is what i want to reach connection wise:

 

[Game client on someone's machine] => [piece of software on someone's machine] => [service on my server] => [the actual game server to connect to]

 

in essence, the end user fills in a "bogus" IP address on the game client (127.0.0.1:7777) and that "magically" connects them to my server. 

 

things i don't want to deal with in this setup:

- complicated setup on the end users' systems, because some of them aren't quite.. "geniuses"..

- the client's entire uplink traffic going through the solution (for example a windows VPN)

- deal with licensing cost or tight limits of free versions (kicking hamachi out the window here)

- insanely complicated and poorly documented serverside software

 

things i'd prefer greatly:

- some form of identification for the clients, be it logon or whitelisting specific endpoints on the server (preferably not by IP, because no one has a static IP)

- great flexibility in the ports i can open up for the client to access through the link. i have a specific "pool" of ports in which i fit all my gameservers, but that pool tends to change by surprise (*cough* badly written games..) so i'd prefer not having to send clients new versions or configuration updates every time this happens.

- serverside linux support

- clientside windows support (this one is more or less a "must"..)

- if possible, having the clientside be portable / not require installation is a great bonus.

 

things i don't really care about:

- the specific implementation, as long as it does what i want to achieve.

- encryption. all that goes through the link will be already intended to go over WAN anyways.

- setup on the server doesn't need to be child's play, as long as it is well documented.

 

things i've tried or ruled out for specific reasons:

- hamachi: the 5-user limit on the free version does not suffice

- teamviewer's VPN: no linux support and too complicated for the client.

- hamachi alternatives like tunngle: they're all worse.

- any out of the box VPN solution like OpenVPN: they're made to forward all of the endpoint's traffic.


52 minutes ago, manikyath said:

- any out of the box VPN solution like OpenVPN: they're made to forward all of the endpoint's traffic.

I actually would suggest OpenVPN - you say you tried it, but clearly you didn't find the setting that controls what gets routed over the connection.

Normally the OpenVPN server will have a setting that it pushes to the clients called "RedirectGateway" - this means that the client changes its default gateway to go through the tunnel. You can either remove this setting on the server side, or on the client side you can use the command "Ignore RedirectGateway" https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

After you've done this, you'll want to push a route to the clients that specifically sends traffic to your game server over the tunnel - if you want to route only a specific IP, then you use a /32 subnet. example:

push "route 192.168.1.152 255.255.255.255"

assuming that your game server is on 192.168.1.152. The only conflict with their local network this will have is if they also have something on the network with the exact same IP address - in that case while they have the VPN connected, they won't be able to communicate with their local device using that IP because all traffic to that IP from their computer is going to go over the tunnel.

 

TL;DR: OpenVPN on its own doesn't automatically forward all traffic over the connection, but the default server config for most installers does - you just have to edit the server config.


7 minutes ago, brwainer said:

I actually would suggest OpenVPN - you say you tried it, but clearly you didn't find the setting that controls what gets routed over the connection.

Normally the OpenVPN server will have a setting that it pushes to the clients called "RedirectGateway" - this means that the client changes its default gateway to go through the tunnel. You can either remove this setting on the server side, or on the client side you can use the command "Ignore RedirectGateway" https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

After you've done this, you'll want to push a route to the clients that specifically sends traffic to your game server over the tunnel - if you want to route only a specific IP, then you use a /32 subnet. example:


push "route 192.168.1.152 255.255.255.255"

assuming that your game server is on 192.168.1.152. The only conflict with their local network this will have is if they also have something on the network with the exact same IP address - in that case while they have the VPN connected, they won't be able to communicate with their local device using that IP because all traffic to that IP from their computer is going to go over the tunnel.

 

TL;DR: OpenVPN on its own doesn't automatically forward all traffic over the connection, but the default server config for most installers does - you just have to edit the server config.

i've never looked very deep into OpenVPN because its client is a bit too involved for some of the folks i deal with (yes, it's that level of derp), and the serverside setup is really more than i want to bother with, because in essence it also means i need to insert some form of "wall" on my side of the connection as well, to stop the endpoints from accessing the stuff they have no business with accessing, because as mentioned in the OP, this is *really* not OpenVPN's target application.

 

i've messed with OpenVPN as an actual VPN solution at some point in the past, but it's really more of a hassle than i want to deal with.

 

your solution also requires me to have at least partial knowledge of the clients' home network, which is once again way beyond the scope of what i want to deal with. and it also, unfortunately, has proven less than reliable for me.


What you described is basically openvpn.  User has client, authenticates to your network, is able to access server internally.

 

You could try rolling hamachi or something for ease of use otherwise openvpn really isn't that involved.


5 hours ago, manikyath said:

i've never looked very deep into OpenVPN because its client is a bit too involved for some of the folks i deal with (yes, it's that level of derp)

you can control almost everything from the server side when a client connects, especially if you can run something like PFSense or OPNSense as your OpenVPN server, because they have easy client configuration exports that let you roll all your settings and the certificates into a single file.

5 hours ago, manikyath said:

in essence it also means i need to insert some form of "wall" on my side of the connection as well, to stop the endpoints from accessing the stuff they have no business with accessing

Unless you find something that is able to restrict an endpoint's access to a particular process/port, you're going to have this issue no matter what. The proper way to handle this is to have a "DMZ" subnet where the OpenVPN server and the game servers exist, and with no access from that subnet out to your regular network.

5 hours ago, manikyath said:

this is *really* not OpenVPN's target application.

OpenVPN, like any good tool, doesn't have a target application. What you're thinking about is just the default server config that most installers include, as I said before.

5 hours ago, manikyath said:

your solution also requires me to have at least partial knowledge of the clients' home network,

How? Where? You don't need to know anything about the client's home network - just choose an unlikely-to-conflict subnet like 10.196.130.0/24 (I just randomly picked numbers for the second and third octet) for your VPN and Game Server subnet, and then the only possible conflict is if one of the clients also happens to use that same subnet for something in their local network. This is good advice even if you use something other than OpenVPN.

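To make brwainer's two replies concrete (no forced default gateway, a /32 host route pushed for the game server only, per-client certificates instead of IP whitelisting, and a tunnel subnet chosen to be unlikely to collide with anyone's home LAN), here is a minimal OpenVPN server.conf as an added example. It is not a file from this thread or from the OpenVPN project. The certificate and key file names, and the game server address 192.168.1.152 carried over from the earlier reply, are assumptions; the subnet 10.196.130.0/24 is the one suggested above. The installer default that sends all client traffic through the tunnel is the `redirect-gateway` directive, shown commented out.

```conf
# Added example OpenVPN server.conf for split-tunnel access to one game host.
# Not the thread's or OpenVPN's own file; file paths and the 192.168.1.152
# address are assumptions taken from the discussion above.
port 1194
proto udp
dev tun
topology subnet

# Per-client certificates give each player their own identity (the
# "identification not by IP" requirement); tls-auth drops packets that
# lack the shared HMAC key before any TLS handshake is attempted.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0

# Tunnel address pool on a subnet unlikely to collide with a home LAN.
server 10.196.130.0 255.255.255.0

# Installer default that forces ALL client traffic through the tunnel.
# Leave it out (kept here only as a comment) for split tunnelling:
# push "redirect-gateway def1"

# Push only a host route (/32) for the game server; everything else on
# the client keeps using its normal gateway. If the game server lives on
# a separate DMZ subnet, push that subnet or host instead.
push "route 192.168.1.152 255.255.255.255"

# client-to-client is deliberately NOT enabled (it is off by default),
# so players cannot reach each other's machines through the tunnel.

keepalive 10 120
persist-key
persist-tun
verb 3
```

Two practical notes. If a client profile you cannot change still carries the gateway push, OpenVPN 2.4 and later clients can refuse it locally with `pull-filter ignore "redirect-gateway"` in the .ovpn file, which is what the IgnoreRedirectGateway wiki page linked above describes. The pushed route only decides what the client sends down the tunnel; the "wall" on the server side is a separate host firewall rule on the tun interface that permits traffic from 10.196.130.0/24 only to the game server's port pool and drops everything else, which is the DMZ restriction brwainer recommends.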
