Linux – How to make servers visible on the VPN


I'm tinkering with web servers on Rackspace, trying to figure out if I can set up a website with public parts and also private parts that are visible only via a VPN connection.

I have 2 servers running Apache; the first has a mixture of public and private sites. The second has private sites and also pptpd running as the VPN server. In both cases, the internal IPs (10.n.n.n) are exposed via DNS for the private sites.

Here's a hastily drawn diagram that should hopefully show how I've managed to rig things:

network diagram

The public sites work fine. The VPN connection works fine. The private sites on server 2 work fine when connected to the VPN. What doesn't work is accessing the private sites on server 1 via the VPN. I've added a potentially misleading red arrow to the diagram showing where I think the problem is.

I can ping each server from the other on their internal addresses, and I can ping server 2 over the internet on its internal address. What I can't do is ping server 1 over the internet.

I feel that I'm naively missing some essential networking knowledge about how VPNs actually work. Can anyone see what I'm missing?

The internal IP information for the servers is:

Server 1
    inet addr:  Bcast:  Mask:

Server 2
    inet addr:  Bcast:  Mask:

I am assured by Rackspace that this means they are on the same subnet.

Things I have tried:

Changing the local and remote IPs in /etc/pptpd.conf

Switching on bcrelay eth1 and proxyarp in /etc/pptpd.conf

I don't know if I even need bcrelay, but it seemed like a good idea at the time.

Adding a route with

route add -net netmask gw

(or, whatever the localip happens to be)

route add -net netmask gw

Adding assorted iptable entries, such as:

sudo iptables -t nat -A POSTROUTING -j SNAT --to-source [server 2 ext ip]


sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Add ARP table entries via script

Following suggestions found on this site (since I am seeing 'Cannot determine ethernet address for proxy ARP' from pptp in syslog), I added ip-up.local and ip-down.local scripts that run whenever a client connects and disconnects, automatically modifying the ARP table to add this:

arp --use-device --set <client 192.168... ip address> eth0 pub

None of these things seem to work. The only difference is that sometimes I get this:

Pinging with 32 bytes of data:
Request timed out.

and sometimes I get this:

Pinging with 32 bytes of data:
Reply from <server 2 ext ip>: Destination host unreachable.

depending on what assorted options I'm trying out.

I'm painfully aware, though, that of all the firewall/ARP table fiddling I've done, I'm not really aware of what it is I'm doing, and that worries me. I'm also aware of an uncomfortable feeling that I must have tried everything, or that there is some magical combination of the things above that I did not try yet.

Best Answer

Without knowing some more about the specifics of your IP addressing, I would guess that server 1 doesn't know that your workstation should be routed to through server 2.

If you add some more detail about your IP addressing scheme, especially in relation to the IP address that the HTTP requests from your workstation appear to come from, I might be able to expand this answer.

Update: Server 1's best guess as to how to get to is via its default route, which is wrong. You need to add a static route to via server 2 on server 1.

route add -net netmask gw <server2>

I'm making assumptions about the network assigned by pptpd. Also, that route won't survive a reboot, so you probably want to add the route to a configuration file. Which file and what syntax depends on your distribution.
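To make the accepted answer's reasoning concrete, here is an added example that is not part of the original question or answer. It models server 1's routing table with a longest-prefix-match lookup, the same rule the Linux kernel applies, and shows where a reply to a VPN client goes before and after the static route is added. Every address in it is constructed (the post's own IPs did not survive extraction): 10.0.0.0/24 stands in for the Rackspace internal subnet, 192.168.100.0/24 for the pptpd client pool, and 203.0.113.1 for server 1's public default gateway. It also includes the check a practitioner wants before running the route command: the gateway named in `via` must be on a directly connected network, otherwise the kernel rejects the route with "Network is unreachable".

```python
import ipaddress

# Constructed addresses (assumptions; the question's real IPs were elided).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")       # Rackspace internal subnet (eth1)
SERVER1_INTERNAL = ipaddress.ip_address("10.0.0.1")
SERVER2_INTERNAL = ipaddress.ip_address("10.0.0.2")      # the pptpd server
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")      # pptpd "remoteip" pool
VPN_CLIENT = ipaddress.ip_address("192.168.100.10")      # a connected workstation
DEFAULT_GW = ipaddress.ip_address("203.0.113.1")         # server 1's public gateway (TEST-NET-3)
UNROUTED_GW = ipaddress.ip_address("172.16.0.1")         # a gateway server 1 cannot reach directly

# A route is (destination network, gateway or None if directly connected, interface).
SERVER1_ROUTES_BEFORE = [
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW, "eth0"),  # default route to the internet
    (INTERNAL_NET, None, "eth1"),                             # connected internal subnet
]

# The fix from the answer: send the VPN pool to server 2 over the internal interface.
SERVER1_ROUTES_AFTER = SERVER1_ROUTES_BEFORE + [(VPN_POOL, SERVER2_INTERNAL, "eth1")]


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    best = None
    for net, via, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def reply_next_hop(routes, client):
    """Where server 1 sends a packet destined for the VPN client: (gateway, interface)."""
    match = lookup(routes, client)
    if match is None:
        return None
    _, via, dev = match
    return (via, dev)


def gateway_is_reachable(routes, via):
    """A static route is only accepted if its gateway sits on a directly connected network."""
    match = lookup(routes, via)
    return match is not None and match[1] is None


def ip_route_add_command(net, via, dev):
    """The iproute2 equivalent of the answer's 'route add -net ... gw ...' line."""
    return f"ip route add {net} via {via} dev {dev}"


if __name__ == "__main__":
    # Before: the reply to a VPN client leaves via the public gateway and is lost.
    print("before:", reply_next_hop(SERVER1_ROUTES_BEFORE, VPN_CLIENT))
    # After: the reply goes to server 2 on the internal subnet, which hands it to the VPN.
    print("after: ", reply_next_hop(SERVER1_ROUTES_AFTER, VPN_CLIENT))
    # Sanity-check the gateway before typing the command on server 1.
    print("server 2 reachable as gateway:", gateway_is_reachable(SERVER1_ROUTES_BEFORE, SERVER2_INTERNAL))
    print(ip_route_add_command(VPN_POOL, SERVER2_INTERNAL, "eth1"))
```

The "before" result is the answer's point: a request from the VPN client arrives at server 1 through server 2, but the reply is sent to the default gateway because nothing more specific matches 192.168.100.10, so the client never sees it. As the answer notes, the route added by hand does not survive a reboot; where to persist it (interfaces file, ifcfg route files, or a networkd/NetworkManager setting) depends on the distribution.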