Questions about Rockstor on an OpenVPN Client

(This does not relate to the OpenVPN Server Rockon)

As the title states, I'm in the process of putting my internet traffic from Rockstor, and its Rockons, on a VPN connection using OpenVPN to ExpressVPN as host.

It was a fairly simple deal setting the OpenVPN client up through ssh on Rockstor itself. I have confirmed that my external IP is indeed through the VPN service with:
curl icanhazip.com

But, I have a few questions and need help in getting this the way I want:

  • Is it possible that my Rockons are avoiding the VPN connection and communicating over the public connection? How do I know they are not?
  • If so, how do I force them over on the VPN connection?
  • If my VPN connection fails, how do I stop the Rockons from accessing the Internet until it is up again? It's OK that Rockstor itself also loses connection to the internet in this case.

I've tried to search around for solutions to this on Google and so forth, but haven't found anything that is relevant to my issue. I'm a Linux newb, so it's hard to translate solutions to problems that are only similar to mine.

As Rock-ons are Docker based, I don't think that it is possible for them to bypass the VPN, so long as the VPN is running. You may want to configure the VPN service to kill internet access in general if it goes down, to keep any activity from occurring without the VPN operational.

I don't know the "best" way to determine that your Rock-ons are using the VPN, but here's how I'd do it:

  1. Log into Rockstor via ssh
  2. Issue the command docker ps
  3. You'll get a list of running Rock-ons and their CONTAINER IDs
  4. You want to “log in” to one of the dockers by executing bash within that container. To do so, execute the command docker exec -it <CONTAINER ID> /bin/bash
  5. Now you just need to have it query the IP address with a command such as curl https://ipecho.net/plain ; echo
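The "kill internet access if the VPN goes down" idea from the reply, written out as an added example that is not code from this thread or from Rockstor: an iptables kill switch for the host (OUTPUT chain) and its Docker-based Rock-ons (DOCKER-USER chain), so that when tun0 disappears their Internet traffic fails instead of leaking out eth0. Interface names, the LAN and Docker subnets and the VPN endpoint are assumptions; the endpoint address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (override via environment):
# WAN interface eth0, tunnel tun0, LAN 192.168.1.0/24, Docker bridge
# 172.17.0.0/16, and a placeholder OpenVPN endpoint address/port.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder; set to your endpoint
VPN_PORT="${VPN_PORT:-1194}"; VPN_PROTO="${VPN_PROTO:-udp}"
WAN_IF="${WAN_IF:-eth0}";     TUN_IF="${TUN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"; DOCKER_NET="${DOCKER_NET:-172.17.0.0/16}"

# With DRY_RUN=1 the rules are printed instead of applied (review/testing).
rule() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

host_rules() {
  rule -F OUTPUT; rule -P OUTPUT DROP
  rule -A OUTPUT -o lo -j ACCEPT
  rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A OUTPUT -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT          # LAN: GUI, SSH
  # The only Internet-bound traffic allowed on eth0 is the OpenVPN session itself.
  rule -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
  rule -A OUTPUT -o "$TUN_IF" -j ACCEPT                         # everything else: tunnel only
}

container_rules() {
  # DOCKER-USER is evaluated before Docker's own FORWARD rules, so container
  # policy goes here rather than in FORWARD (which Docker manages itself).
  rule -F DOCKER-USER
  rule -A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  rule -A DOCKER-USER -s "$DOCKER_NET" -d "$DOCKER_NET" -j RETURN   # container to container
  rule -A DOCKER-USER -s "$DOCKER_NET" -d "$LAN_NET" -j RETURN      # containers to LAN
  rule -A DOCKER-USER -s "$DOCKER_NET" -o "$TUN_IF" -j RETURN       # containers to Internet via VPN
  rule -A DOCKER-USER -s "$DOCKER_NET" -j DROP                      # anything else from containers
  rule -A DOCKER-USER -j RETURN
}

# Self-check on the generated ruleset: count ACCEPT/RETURN rules that would let
# traffic leave the WAN interface for anything other than the LAN or the VPN
# endpoint. A correct kill switch yields 0.
wan_leak_count() {
  ( DRY_RUN=1; host_rules; container_rules ) | grep -E -- "-j (ACCEPT|RETURN)" \
    | grep -- "-o $WAN_IF" | grep -v -- "-d $LAN_NET" | grep -vc -- "-d $VPN_SERVER" || true
}
```

The DOCKER-USER chain exists on Docker 17.06 and later, and iptables rules do not survive a reboot, so apply the script from a startup hook and re-run it after Docker restarts. DNS for the host and containers must also resolve through the tunnel (or the LAN), or lookups will simply fail once the tunnel is down, which is the intended behaviour.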

What I did was a bit different but does what you want. I needed a new router, so I bought an Asus router that supported the Merlin firmware. Merlin has a feature where the router will handle the VPN connection so that your file server doesn’t need to do it. You can then configure Merlin such that all traffic goes through the VPN (and MAC addresses that bypass it) or specify MAC addresses that are forced through the VPN. If the VPN goes down, you can have it kill internet access for devices that are forced through the VPN tunnel.

Thanks for the reply.

I randomly found out that indeed my Rockons are using the correct device and are on the VPN when on the internet, by looking at the remote section in plex.tv.
But thanks for the answer! I will save this for later. I'm sure it will be useful at some point!

When it comes to solving it a better way with a router, I wholeheartedly agree. Your router seems perfect for the task, being able to choose which devices are on a VPN and which are not.

…but!

I have a plan to be able to access my Rockon GUIs from the web, and thought that it would be more secure to set up an OpenVPN server on the Rockstor, and when I want to access my Rockons' GUIs I would connect to that VPN and use the local addresses to bring up the GUI. I would only need to open one port on my router, and I think the OpenVPN server would be more secure than the Rockons even with HTTPS enabled.

I'm stuck there at the moment, since it seems that when the Rockstor is on the VPN client out, I can't seem to dial in to the Rockstor server from outside through my router, even though I've set up port forwarding as it's supposed to work.

I used this to open up so that the server would allow packets to its eth0 device, and my router is sending packets there, but doesn’t seem to work…
Followed this:

It's strange because Plex works fine with this config (added my DDNS to the custom server address in its network section).

Do you have any ideas? Thanks anyway!