{"id":2240,"date":"2026-03-01T21:01:50","date_gmt":"2026-03-01T20:01:50","guid":{"rendered":"https:\/\/caipirinha.spdns.org\/wp\/?p=2240"},"modified":"2026-03-01T21:16:40","modified_gmt":"2026-03-01T20:16:40","slug":"getting-around-corporate-vpn-restrictions","status":"publish","type":"post","link":"https:\/\/caipirinha.spdns.org\/wp\/?p=2240","title":{"rendered":"Getting around Corporate VPN Restrictions"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Executive Summary<\/h2>\n\n\n\n<p>This blog post explains how a <strong>NAT rule<\/strong> (<em>iptables<\/em> DNAT) on a Linux server in the home office lets a company notebook reach services on your local LAN even though its corporate VPN blocks direct access to that LAN. The trick relies on the VPN being a split tunnel: connections to one address that the VPN excludes from the tunnel are redirected, on a few chosen ports, to the Linux server.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Background<\/h2>\n\n\n\n<p>The need for this approach arose when I realized that while being in the corporate VPN with my company notebook, I could not access my home network anymore.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Preconditions<\/h2>\n\n\n\n<p>In order to use the approach described here, you should:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2026 have access to a Linux machine which is already properly configured on its principal network interface (e.g.,\u00a0<em>eth0<\/em>) and which has an additional network card (e.g., <em>eth1<\/em>) available<\/li>\n\n\n\n<li>\u2026 have knowledge of routing and NAT concepts, networks, and some understanding of shell scripts and configuration files<\/li>\n\n\n\n<li>\u2026 have already set up meaningful services like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_Time_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">NTP<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Samba_(software)\" target=\"_blank\" rel=\"noreferrer noopener\">samba<\/a> or <a href=\"https:\/\/en.wikipedia.org\/wiki\/MariaDB\" target=\"_blank\" rel=\"noreferrer noopener\">MariaDB<\/a> \/ <a href=\"https:\/\/en.wikipedia.org\/wiki\/MySQL\" target=\"_blank\" rel=\"noreferrer noopener\">MySQL<\/a> on the Linux 
machine<\/li>\n\n\n\n<li>\u2026 know related system commands like\u00a0<em>sysctl<\/em><\/li>\n\n\n\n<li>\u2026 familiarize yourself with [<a href=\"https:\/\/unix.stackexchange.com\/questions\/504366\/port-forwarding-over-openvpn\" target=\"_blank\" rel=\"noreferrer noopener\">1<\/a>] and read at least a bit through [<a href=\"https:\/\/en.wikipedia.org\/wiki\/Netfilter\" target=\"_blank\" rel=\"noreferrer noopener\">2<\/a>]<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Description and Usage<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"480\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_skaliert-1024x480.png\" alt=\"\" class=\"wp-image-2241\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_skaliert-1024x480.png 1024w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_skaliert-300x141.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_skaliert-768x360.png 768w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_skaliert.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Setup for the company notebook on <em>eth1<\/em><\/figcaption><\/figure>\n\n\n\n<p>In this setup, we have a full-blown SoHo Linux server on an internal network\u00a0<strong>192.168.2.0\/24<\/strong>\u00a0that is also used by all other devices in the same home. For the approach described here, this Linux server needs to be equipped with an additional network card (<em>eth1<\/em>), and we will use this connection exclusively in order to connect the company notebook. A DHCP and DNS server on the Linux server shall span the network <strong>192.168.0.0\/24<\/strong> on the interface <em>eth1<\/em>, and the company notebook will get an IP address in this network. 
We assume that for remote work (home office), the user has to use a corporate VPN, which is then tunneled through our Linux server. For the approach described here, it is important that the VPN client on the company notebook does not send <strong>all traffic<\/strong> through the VPN but is configured as a <strong>split VPN<\/strong> (split tunnel) that leaves some routes outside of the tunnel. Many corporate VPNs are split tunnels: they typically exclude the IP ranges of Microsoft\u00ae services (M365, Teams, SharePoint, etc.) or of streaming services the company uses, so that this bulk traffic is not hauled through the company network (it would only enter the company network to be sent straight back out to Microsoft\u00ae, consuming the company&#8217;s internet bandwidth). We will single out one IP address from these excluded ranges and exploit the fact that legitimate traffic to that address will almost certainly be either on port <strong>80<\/strong> (<strong>http<\/strong>) or on port <strong>443<\/strong> (<strong>https<\/strong>), so that other ports can be repurposed without breaking anything. 
An <em><strong>iptables<\/strong><\/em> DNAT rule on the Linux server will redirect connections to this one IP address, on a small set of ports, to services on the Linux server itself.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"480\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_2_skaliert-1024x480.png\" alt=\"\" class=\"wp-image-2242\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_2_skaliert-1024x480.png 1024w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_2_skaliert-300x141.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_2_skaliert-768x360.png 768w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Corporate_VPN_2_skaliert.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Re-routing traffic to dedicated services with iptables<\/figcaption><\/figure>\n\n\n\n<p>We need some auxiliary services in order to make things work properly, and they are described in the following sections.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Setting up eth1<\/h3>\n\n\n\n<p>The first step is to set up the interface <em>eth1<\/em> and to assign static IP addresses for IPv4 and IPv6. 
In order to make life easy for me, I use YaST2 on my openSuSE system and assign the addresses 192.168.0.1 and fd00::1 to the Linux server on <em>eth1<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"490\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/image-17-1024x490.png\" alt=\"\" class=\"wp-image-2243\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/image-17-1024x490.png 1024w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/image-17-300x144.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/image-17-768x368.png 768w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/image-17.png 1193w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Static IP configuration in YaST2 on <em>eth1<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Providing DHCP and DNS on eth1<\/h3>\n\n\n\n<p>The company notebook needs to get an IP address when it is booted up, and since it is connected only to <em>eth1<\/em> on the Linux server, this means that the Linux server shall provide an IP address via <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a> so that we do not have to configure a static IP on the company notebook. The package <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>dnsmasq<\/strong><\/a>\u00a0can provide both\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>\u00a0as well as cache\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>. 
That is very practical as it allows us, for example, to offer only\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0on\u00a0<em>eth0<\/em>, where the\u00a0SoHo router already is the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>\u00a0master, but both\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>\u00a0and a caching\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0on\u00a0<em>eth1<\/em>. The following configuration file does exactly that (it uses only a small subset of the capabilities of\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a>):<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\/etc\/dnsmasq.conf<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># Never forward addresses in the non-routed address spaces.\nbogus-priv\n\n# If you don't want dnsmasq to read \/etc\/resolv.conf or any other\n# file, getting its servers from this file instead (see below), then\n# uncomment this.\nno-resolv\n\n# If you don't want dnsmasq to poll \/etc\/resolv.conf or other resolv\n# files for changes and re-read them then uncomment this.\nno-poll\n\n# Add other name servers here, with domain specs if they are for\n# non-public domains.\nserver=8.8.8.8\nserver=8.8.4.4\nserver=9.9.9.9\nserver=1.1.1.1\n\n# If you want dnsmasq to listen for DHCP and DNS requests only on\n# specified interfaces (and the loopback) give the name of the\n# interface (eg eth0) here.\n# Repeat the line for more than one interface.\ninterface=eth0\ninterface=eth1\n\n# If you want dnsmasq to provide only DNS service on an interface,\n# configure it as shown above, and then use the 
following line to\n# disable DHCP and TFTP on it.\nno-dhcp-interface=eth0\n\n# Uncomment this to enable the integrated DHCP server, you need\n# to supply the range of addresses available for lease and optionally\n# a lease time. If you have more than one network, you will need to\n# repeat this for each network on which you want to supply DHCP\n# service. dnsmasq sets the name of the receiving interface as a tag,\n# so tag:eth1 restricts this range to requests arriving on eth1.\ndhcp-range=tag:eth1,192.168.0.10,192.168.0.254,24h\n\n# Enable DHCPv6. Note that the prefix-length does not need to be specified\n# and defaults to 64 if missing.\ndhcp-range=tag:eth1,fd00:0:0:0::A, fd00:0:0:0::C8, 64, 24h\n\n# Assign a pseudo-static IPv4 to the company notebook, identified by its MAC.\n# Assign a pseudo-static IPv6 to the company notebook, identified by its DUID.\n# Note that MAC addresses CANNOT be used to identify DHCPv6 clients.\ndhcp-host=80:3f:5d:d2:4b:57,FHD4QV3,192.168.0.195,24h\ndhcp-host=id:00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30,FHD4QV3,&#91;fd00::c3\/64] \n\n# Set the NTP time server addresses\ndhcp-option=option:ntp-server,192.168.2.3\n\n# Send Microsoft-specific option to tell windows to release the DHCP lease\n# when it shuts down. Note the \"i\" flag, to tell dnsmasq to send the\n# value as a four-byte integer - that's what Microsoft wants. See\n# https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-dhcpe\/4cde5ceb-4fc1-4f9a-82e9-13f6b38d930c\ndhcp-option=vendor:MSFT,2,1i\n\n# Include all files in a directory which end in .conf\nconf-dir=\/etc\/dnsmasq.d\/,*.conf<\/code><\/pre>\n\n\n\n<p>In this configuration, we can see that on\u00a0<em>eth0<\/em>, we do not enable\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>\u00a0(option\u00a0<em>no-dhcp-interface=eth0<\/em>). On\u00a0<em>eth1<\/em>, we want\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>\u00a0to be active. 
Furthermore, we advertise the server&#8217;s address\u00a0<em>192.168.2.3<\/em>\u00a0as\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_Time_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">NTP<\/a>\u00a0server; the notebook on 192.168.0.0\/24 can reach it because the Linux server routes between its two networks. For this to be of any use, the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_Time_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">NTP<\/a>\u00a0service must of course be running on the server.<\/p>\n\n\n\n<p>With the configuration option <em>dhcp-host<\/em>, we assign a <strong>pseudo-static<\/strong> IPv4 address (192.168.0.195) to the company notebook, identified by its MAC address. A second <em>dhcp-host<\/em> line assigns a pseudo-static IPv6 address. For that, however, we need to know the <strong><a href=\"https:\/\/en.wikipedia.org\/wiki\/DHCPv6#DHCP_Unique_Identifier_(DUID)_option\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP Unique Identifier (DUID)<\/a><\/strong> of the company notebook, because DHCPv6 clients are identified by DUID, not by MAC address. With <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a>, we can obtain the <strong>DUID<\/strong> by first running without the IPv6 <em>dhcp-host<\/em> line and then looking for the notebook&#8217;s DHCPv6 transactions in the log file of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a> (or in the syslog, if no dedicated log file has been configured). 
In the log file, we might find entries like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2026-02-27T09:51:39.478262+01:00 caipirinha dnsmasq-dhcp&#91;14776]: DHCPSOLICIT(eth1) 00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30\n2026-02-27T09:51:39.478460+01:00 caipirinha dnsmasq-dhcp&#91;14776]: DHCPADVERTISE(eth1) fd00::c3 00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30 fhd4qv3<\/code><\/pre>\n\n\n\n<p>The DUID can then be identified as <strong>00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30<\/strong>.<\/p>\n\n\n\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a>\u00a0uses the file\u00a0<strong>\/etc\/hosts<\/strong>\u00a0as well as upstream\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0servers for its own\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0service. The advantage of this is that \u2013 if your file\u00a0<em>\/etc\/hosts<\/em>\u00a0is properly maintained \u2013 you can also use the device names listed there. 
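<\/p>\n\n\n\n<p>Reading the DUID off the log by eye works for one notebook; when several clients show up, a small script is handier. The following Python script is an added example and not part of the original post: it parses dnsmasq-dhcp log records (the two lines quoted above plus constructed IPv4 and <em>eth0<\/em> records), pairs each MAC or DUID with the hostname and the last address dnsmasq handed out, and renders the corresponding <em>dhcp-host<\/em> lines, using the <em>id:DUID,name,[addr]<\/em> form from the dnsmasq manual for IPv6.<\/p>\n\n\n\n
```python
'''Extract DHCP client identifiers from dnsmasq log lines.

Added example, not from the original post. dnsmasq logs every DHCP transaction
as "DHCP<TYPE>(<iface>) [<addr>] <mac-or-duid> [<hostname>]"; this script
collects, per client, the MAC (IPv4) or DUID (IPv6), the last address handed
out and the hostname, and renders the matching dhcp-host= lines. SAMPLE_LOG is
constructed: the two DHCPv6 lines are the ones quoted in the post, the IPv4
and eth0 records are made up.
'''
import ipaddress
import re

SAMPLE_LOG = '''
2026-02-27T09:51:39.478262+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPSOLICIT(eth1) 00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30
2026-02-27T09:51:39.478460+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPADVERTISE(eth1) fd00::c3 00:01:00:01:2c:e6:bc:51:ac:91:a1:61:03:30 fhd4qv3
2026-02-27T09:51:40.101262+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPDISCOVER(eth1) 80:3f:5d:d2:4b:57
2026-02-27T09:51:40.101480+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPOFFER(eth1) 192.168.0.195 80:3f:5d:d2:4b:57
2026-02-27T09:51:40.233019+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPACK(eth1) 192.168.0.195 80:3f:5d:d2:4b:57 fhd4qv3
2026-02-27T09:52:01.000000+01:00 caipirinha dnsmasq-dhcp[14776]: DHCPACK(eth0) 192.168.2.40 aa:bb:cc:dd:ee:ff printer
'''

RECORD_RE = re.compile(r'dnsmasq-dhcp\[\d+\]: (?P<type>DHCP[A-Z0-9]+)\((?P<iface>[^)]+)\) (?P<rest>.*)$')
HEX_OCTETS_RE = re.compile(r'^(?:[0-9a-fA-F]{2}:)+[0-9a-fA-F]{2}$')


def classify(token):
    '''Label one token as 'addr', 'mac', 'duid' or 'name'.

    An IP address (fd00::c3, 192.168.0.195) parses with ipaddress; a MAC is
    exactly six colon-separated octets; a DUID is seven or more (DUID-LL has
    10 octets, DUID-LLT 14, DUID-UUID 18). Anything else is the hostname.
    Caveat: an 8-octet DUID would be taken for an IPv6 address.'''
    try:
        ipaddress.ip_address(token)
        return 'addr'
    except ValueError:
        pass
    if HEX_OCTETS_RE.match(token):
        octets = token.count(':') + 1
        if octets == 6:
            return 'mac'
        if octets >= 7:
            return 'duid'
    return 'name'


def parse_record(line):
    '''Return {'type','iface','addr','mac','duid','name'} or None for non-DHCP lines.'''
    m = RECORD_RE.search(line)
    if not m:
        return None
    rec = {'type': m['type'], 'iface': m['iface'],
           'addr': None, 'mac': None, 'duid': None, 'name': None}
    for tok in m['rest'].split():
        kind = classify(tok)
        if rec[kind] is None:
            rec[kind] = tok if kind == 'name' else tok.lower()
    return rec


def collect_clients(lines, iface=None):
    '''Merge records into {identifier: {'kind', 'name', 'addr'}}, optionally for one interface.'''
    clients = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or (iface and rec['iface'] != iface):
            continue
        for kind in ('mac', 'duid'):
            ident = rec[kind]
            if ident is None:
                continue
            entry = clients.setdefault(ident, {'kind': kind, 'name': None, 'addr': None})
            entry['name'] = rec['name'] or entry['name']
            entry['addr'] = rec['addr'] or entry['addr']   # keep the latest lease
    return clients


def dhcp_host_lines(clients, lease='24h'):
    '''Render dhcp-host= lines: MAC,name,addr,lease for IPv4; id:DUID,name,[addr] for IPv6.'''
    out = []
    for ident in sorted(clients):
        c = clients[ident]
        if c['addr'] is None:
            continue                        # no lease seen yet, nothing to pin
        fields = [f'id:{ident}' if c['kind'] == 'duid' else ident]
        if c['name']:
            fields.append(c['name'])
        fields += [f'[{c["addr"]}]'] if c['kind'] == 'duid' else [c['addr'], lease]
        out.append('dhcp-host=' + ','.join(fields))
    return out


if __name__ == '__main__':
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for line in dhcp_host_lines(collect_clients(text.splitlines(), iface='eth1')):
        print(line)
```
\n\n\n\n<p>Saved as, say, <em>duid.py<\/em>, it can be fed the real log (<em>journalctl -u dnsmasq | python3 duid.py<\/em>) and the output pasted into <em>\/etc\/dnsmasq.conf<\/em>. The interface filter keeps devices on <em>eth0<\/em> out of the result; the 14-octet DUID-LLT shown in the log is classified correctly, only an 8-octet DUID would collide with the IPv6 address check.<\/p>\n\n\n\n<p>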
As upstream\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0servers, from which\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a>\u00a0itself obtains its answers, I have configured four popular public resolvers (8.8.8.8, 8.8.4.4, 9.9.9.9, 1.1.1.1), but you could just as well list the IP of your SoHo router or the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>\u00a0resolver of your internet provider.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Providing web proxy services<\/h2>\n\n\n\n<p>If we also want unrestricted and unfiltered internet access on the company notebook, we need to set up a <strong>web proxy<\/strong> on our Linux server and use a separate browser on the company notebook that is configured to use the Linux server as its proxy. Since you may not be allowed to install software on a company notebook yourself, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Firefox_Portable\" target=\"_blank\" rel=\"noreferrer noopener\">Mozilla Firefox, Portable Edition<\/a> can be an option: it needs no installation and can simply be placed on the hard disk of the company notebook, and its proxy settings are independent of the notebook&#8217;s system-wide proxy configuration. On the Linux server, the package <a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>tinyproxy<\/strong><\/a> is an easy-to-configure and lightweight proxy server well suited for our purpose. Below is a typical configuration of <a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\">tinyproxy<\/a>. 
The configuration option <em>Port<\/em> sets the port on which <a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\">tinyproxy<\/a> listens for incoming connections; I chose 4077.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\/etc\/tinyproxy.conf<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># User\/Group: This allows you to set the user and group that will be\n# used for tinyproxy after the initial binding to the port has been done\n# as the root user. Either the user or group name or the UID or GID\n# number may be used.\n#\nUser tinyproxy\nGroup tinyproxy\n\n# Port: Specify the port which tinyproxy will listen on.  Please note\n# that should you choose to run on a port lower than 1024 you will need\n# to start tinyproxy using root.\n#\nPort 4077\n\n# Bind: This allows you to specify which interface will be used for\n# outgoing connections.  This is useful for multi-home'd machines where\n# you want all traffic to appear outgoing from one particular interface.\n#\nBind 192.168.2.3\n\n# Timeout: The maximum number of seconds of inactivity a connection is\n# allowed to have before it is closed by tinyproxy.\n#\nTimeout 600\n\n# LogFile\n#\nLogFile \"\/var\/log\/tinyproxy\/tinyproxy.log\"\n\n# LogLevel: Warning\n#\n# Set the logging level. Allowed settings are:\n#\tCritical\t(least verbose)\n#\tError\n#\tWarning\n#\tNotice\n#\tConnect\t\t(to log connections without Info's noise)\n#\tInfo\t\t(most verbose)\n#\nLogLevel Warning\n\n# PidFile\n#\nPidFile \"\/var\/run\/tinyproxy\/tinyproxy.pid\"\n\n# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which\n# contains the client's IP address.\n#\nXTinyproxy Yes\n\n# MaxClients: This is the absolute highest number of threads which will\n# be created. In other words, only MaxClients number of clients can be\n# connected at the same time.\n#\nMaxClients 400\n\n# Allow: Customization of authorization controls. 
If there are any\n# access control keywords then the default action is to DENY. Otherwise,\n# the default action is ALLOW.\n#\nAllow 127.0.0.1\nAllow ::1\nAllow 192.168.0.0\/16\n\n# ViaProxyName: The \"Via\" header is required by the HTTP RFC, but using\n# the real host name is a security concern.  If the following directive\n# is enabled, the string supplied will be used as the host name in the\n# Via header; otherwise, the server's host name will be used.\n#\nViaProxyName \"tinyproxy\"\n\n# Filter: This allows you to specify the location of the filter file.\n#\nFilter \"\/etc\/tinyproxy\/filter\"\n\n# FilterURLs: Filter based on URLs rather than domains.\n#\nFilterURLs On\n\n# FilterDefaultDeny: Change the default policy of the filtering system.\n# If this directive is commented out, or is set to \"No\" then the default\n# policy is to allow everything which is not specifically denied by the\n# filter file.\n#\n# However, by setting this directive to \"Yes\" the default policy becomes\n# to deny everything which is _not_ specifically allowed by the filter\n# file.\n#\nFilterDefaultDeny No<\/code><\/pre>\n\n\n\n<p>Two directives deserve a second look. <em>Bind<\/em> only sets the source address of tinyproxy&#8217;s outgoing connections; without a <em>Listen<\/em> directive, tinyproxy accepts connections on all interfaces, so <em>Listen 192.168.0.1<\/em> would restrict it to <em>eth1<\/em> (the <em>Allow<\/em> lines already limit clients to 192.168.0.0\/16, which covers both the notebook network and the home LAN). <em>XTinyproxy Yes<\/em> adds an X-Tinyproxy header with the client&#8217;s internal IP address to forwarded requests, which is not needed here and reve



als the notebook&#8217;s address to the sites visited; set it to <em>No<\/em> unless you need it for debugging.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\">tinyproxy<\/a> also allows <strong>filtering<\/strong> of internet domains. I said earlier that we want unrestricted and unfiltered internet access, but in this case we can use the file <strong>\/etc\/tinyproxy\/filter<\/strong> to filter out nasty and annoying advertisement and tracking domains. Suitable filter lists can be found on the internet and can simply be copied to <strong>\/etc\/tinyproxy\/filter<\/strong>. Or you might add just those domains whose advertisements annoy you most when you access web pages. 
I personally use a mixture of both.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Re-routing traffic to our server<\/h3>\n\n\n\n<p>In my case, the corporate VPN client (a <strong>Cisco VPN<\/strong> client) helpfully shows me the IP ranges that are excluded from the corporate VPN. From these ranges I picked one IP address, <strong>192.229.232.200<\/strong>. The choice was completely arbitrary; I could have taken any other IP address from the excluded ranges. Whatever you pick, confirm on the notebook that the address is routed via the local gateway (the Linux server) while the VPN is up, otherwise the DNAT rule never sees the packets. The following commands prepare the Linux server for our desired setup:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># bring up the notebook-facing interface\nip link set eth1 up\n# IPv4: rewrite the source of notebook traffic leaving via eth0 to the server's eth0 address\niptables -t nat -A POSTROUTING -s 192.168.0.0\/24 -o eth0 -j SNAT --to-source 192.168.2.3\n# IPv6: same for the fd00::\/64 network; MASQUERADE picks the egress address itself\nip6tables -t nat -A POSTROUTING -s fd00:0:0:0::\/64 -o eth0 -j MASQUERADE\n# redirect TCP 22, 445, 3306 and 4077 aimed at the decoy address to this server\niptables -t nat -A PREROUTING -i eth1 -p tcp -d 192.229.232.200 -m multiport --dports 22,445,3306,4077 -j DNAT --to-destination 192.168.2.3\n# DHCP\/DNS for eth1 and the web proxy\nsystemctl start dnsmasq.service\nsystemctl start tinyproxy.service<\/code><\/pre>\n\n\n\n<p>Let us discuss these commands in detail:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first command brings up the network interface <em>eth1<\/em>. This might not be necessary if a switch is connected to <em>eth1<\/em> of the Linux server or if the company notebook is powered up before the Linux server boots. Otherwise, if nothing is connected to <em>eth1<\/em> at boot time, the interface might not come up.<\/li>\n\n\n\n<li>The second command rewrites the source address of packets from the network on <em>eth1<\/em> (192.168.0.0\/24) that leave via <em>eth0<\/em> to the Linux server&#8217;s address on the SoHo network (192.168.2.3). The SoHo router then sees ordinary traffic from the server, and the replies find their way back. The source address must be an address on the egress interface: SNAT to the <em>eth1<\/em> address 192.168.0.1 would leave the replies with no route back. Of course, IPv4 forwarding needs to be enabled on the Linux server (<em>sysctl -w net.ipv4.ip_forward=1<\/em>, made permanent in <em>\/etc\/sysctl.conf<\/em> or a file under <em>\/etc\/sysctl.d\/<\/em>), and if a firewall is active, its FORWARD chain must accept traffic between <em>eth1<\/em> and <em>eth0<\/em>. With this, the company notebook can reach the internet from its otherwise isolated network 192.168.0.0\/24 even without the corporate VPN active.<\/li>\n\n\n\n<li>The third command does the same for IPv6 and the network fd00:0:0:0::\/64 on <em>eth1<\/em>, using MASQUERADE, which picks the egress address automatically; it needs <em>net.ipv6.conf.all.forwarding=1<\/em>. We probably do not even need IPv6 on the notebook&#8217;s network, as few companies work with IPv6 yet. If we leave IPv6 out, we should also remove the IPv6 <em>dhcp-range<\/em> and <em>dhcp-host<\/em> lines from <em>\/etc\/dnsmasq.conf<\/em>.<\/li>\n\n\n\n<li>The fourth command is the important one. It tells the server to redirect connections arriving on <em>eth1<\/em> for one of the <strong>TCP<\/strong> ports 22, 445, 3306 or 4077 and destined to 192.229.232.200 to 192.168.2.3, the Linux server&#8217;s own address (any local address of the server, e.g. 192.168.0.1 on <em>eth1<\/em>, would do as long as the services listen on it). Because the rule sits in the PREROUTING chain, the destination is rewritten before the routing decision, so the packet is delivered locally instead of being forwarded towards the real 192.229.232.200.<\/li>\n\n\n\n<li>The fifth and sixth command start the services <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dnsmasq\" target=\"_blank\" rel=\"noreferrer noopener\">dnsmasq<\/a> and <a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\">tinyproxy<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>The fourth command shows how narrow the scope of the redirection is: only TCP is considered, and only four ports that would hardly ever be used in conjunction with the IP address 192.229.232.200; ports 80 and 443, which legitimate traffic to that address uses, are left untouched. With this, we can access the following services on our Linux server:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ssh<\/strong> (Port 22): On the company notebook, we configure our ssh client (e.g., <a href=\"https:\/\/putty.software\/\" target=\"_blank\" rel=\"noreferrer noopener\">PuTTY<\/a>) for a connection to 192.229.232.200:22.<\/li>\n\n\n\n<li><strong>smb<\/strong> (Port 445): Of course, the Linux server must already have an SMB service running; its configuration is not part of this article. 
Then, on the company notebook, we can access a network drive by using \\\\192.229.232.200\\network_share.<\/li>\n\n\n\n<li><strong>mariadb<\/strong> \/ <strong>mysql<\/strong> (Port 3306): Of course, the Linux server must have a mysql service running already; the configuration of it is not part of this article. Then, on the company notebook, we can access the service for example with the <a href=\"https:\/\/www.mysql.com\/products\/workbench\/\" target=\"_blank\" rel=\"noreferrer noopener\">MySQL Workbench<\/a> by connecting to 192.229.232.200:3306.<\/li>\n\n\n\n<li><strong>tinyproxy<\/strong> (Port 4077): We configure <a href=\"https:\/\/en.wikipedia.org\/wiki\/Firefox_Portable\" target=\"_blank\" rel=\"noreferrer noopener\">Mozilla Firefox, Portable Edition<\/a> and set the proxy to 192.229.232.200, Port 4077 for both http and https.<\/li>\n<\/ul>\n\n\n\n<p>The following images show the configuration of related programs and apps on the company notebook.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"543\" data-id=\"2246\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/PuTTY-Verbindungs-Einstellungen.png\" alt=\"\" class=\"wp-image-2246\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/PuTTY-Verbindungs-Einstellungen.png 602w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/PuTTY-Verbindungs-Einstellungen-300x271.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><figcaption class=\"wp-element-caption\">PuTTY Configuration<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"993\" height=\"569\" data-id=\"2247\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Windows-Explorer-Verbindungs-Einstellungen.png\" 
alt=\"\" class=\"wp-image-2247\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Windows-Explorer-Verbindungs-Einstellungen.png 993w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Windows-Explorer-Verbindungs-Einstellungen-300x172.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Windows-Explorer-Verbindungs-Einstellungen-768x440.png 768w\" sizes=\"auto, (max-width: 993px) 100vw, 993px\" \/><figcaption class=\"wp-element-caption\">Windows Explorer<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"896\" height=\"593\" data-id=\"2248\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/MySQL-Verbindungs-Einstellungen.png\" alt=\"\" class=\"wp-image-2248\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/MySQL-Verbindungs-Einstellungen.png 896w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/MySQL-Verbindungs-Einstellungen-300x199.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/MySQL-Verbindungs-Einstellungen-768x508.png 768w\" sizes=\"auto, (max-width: 896px) 100vw, 896px\" \/><figcaption class=\"wp-element-caption\">MySQL Workbench<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"858\" data-id=\"2249\" src=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Firefox-Verbindungs-Einstellungen.png\" alt=\"\" class=\"wp-image-2249\" srcset=\"https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Firefox-Verbindungs-Einstellungen.png 937w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Firefox-Verbindungs-Einstellungen-300x275.png 300w, https:\/\/caipirinha.spdns.org\/wp\/wp-content\/uploads\/Firefox-Verbindungs-Einstellungen-768x703.png 768w\" sizes=\"auto, (max-width: 937px) 100vw, 937px\" \/><figcaption class=\"wp-element-caption\">Firefox: Connection 
Settings<\/figcaption><\/figure>\n<figcaption class=\"blocks-gallery-caption wp-element-caption\">Configuration of Programs and Apps on the Company Notebook<\/figcaption><\/figure>\n\n\n\n<p>Of course, you can extend the <em>iptables<\/em> DNAT rule above with further ports, depending on the services available on your Linux server. Bear in mind that every port you add is no longer reachable on the real 192.229.232.200 from the notebook, so stay clear of 80 and 443, which legitimate clients use toward that address.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>With a second LAN, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dynamic_Host_Configuration_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">DHCP<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">DNS<\/a>, a proxy server like <a href=\"https:\/\/github.com\/tinyproxy\/tinyproxy\" target=\"_blank\" rel=\"noreferrer noopener\">tinyproxy<\/a>, a handful of NAT rules and a split corporate VPN, we can get around corporate VPN restrictions that would otherwise keep us from reaching our local network and the services on our Linux server. The whole approach stands or falls with the split tunnel: a full-tunnel VPN, or an endpoint firewall on the notebook that admits only ports 80 and 443 toward the excluded ranges, defeats it. 
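<\/p>\n\n\n\n<p>The NAT rules are the part that is easiest to get subtly wrong: an SNAT source that is not an address on the egress interface leaves the replies with no way back, a DNAT target that is not this server sends the notebook somewhere else, and a decoy outside the VPN client&#8217;s exclusion list or a port list that includes 80 or 443 breaks legitimate traffic. The following Python script is an added example and not part of the original post: it parses <em>iptables -t nat -S<\/em> output (the rule lines inside it are constructed to mirror the commands above, once with a wrong SNAT source and once corrected) and reports such problems. The interface addresses and the exclusion list are assumptions standing in for a real server and a real VPN client.<\/p>\n\n\n\n
```python
'''Sanity checks for the NAT rules used in this setup.

Added example, not part of the original post. It parses `iptables -t nat -S`
output and flags rules that cannot work (an SNAT source that is not the egress
interface's address, a DNAT target that is not this server) or that redirect
more than intended (no port list, ports 80/443, a decoy outside the VPN's
exclusions). IFACES and EXCLUDED are assumptions standing in for a real server
and a real VPN client's exclusion list; the rule lines are constructed.
'''
import ipaddress
import shlex

# Assumed server addressing: eth0 faces the home LAN, eth1 the company notebook.
IFACES = {'eth0': '192.168.2.3/24', 'eth1': '192.168.0.1/24'}
# Assumed split-tunnel exclusions (a real list comes from the VPN client).
EXCLUDED = ['192.229.232.0/24', '13.107.6.0/23']
# Ports legitimate clients use toward the excluded addresses; never redirect them.
RESERVED_PORTS = {80, 443}

# Constructed `iptables -t nat -S` output mirroring the post's commands. BUGGY
# sets the SNAT source to the eth1 address by mistake, FIXED corrects it.
BUGGY = [
    '-A PREROUTING -d 192.229.232.200/32 -i eth1 -p tcp -m multiport'
    ' --dports 22,445,3306,4077 -j DNAT --to-destination 192.168.2.3',
    '-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.1',
]
FIXED = [BUGGY[0],
         '-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.3']


def parse_rule(line):
    '''Turn one `-A ...` line into {option: value}; bare flags map to True.
    Negations (`!`) are not interpreted, which is fine for these rule sets.'''
    toks = shlex.split(line)
    if not toks or toks[0] != '-A':
        return None
    rule, i = {}, 0
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith('-'):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            rule[toks[i]] = True
            i += 1
    return rule


def port_set(spec):
    '''Expand a multiport spec such as "22,445,3000:3010" into a set of ints.'''
    ports = set()
    for part in spec.split(','):
        lo, _, hi = part.partition(':')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def in_excluded(addr, excluded):
    ip = ipaddress.ip_address(addr.split('/')[0])          # drop iptables' /32
    return any(ip in ipaddress.ip_network(p, strict=False) for p in excluded)


def check_nat_rules(lines, notebook_if='eth1', ifaces=IFACES, excluded=EXCLUDED,
                    reserved=RESERVED_PORTS):
    '''Return a list of human-readable findings; an empty list means all good.'''
    own = {name: ipaddress.ip_interface(cidr) for name, cidr in ifaces.items()}
    own_ips = {str(i.ip) for i in own.values()}
    findings, saw_dnat = [], False
    for line in lines:
        r = parse_rule(line)
        if not r:
            continue
        if r.get('-j') == 'SNAT':
            out_if, src = r.get('-o'), r.get('--to-source')
            if out_if not in own:
                findings.append(f'SNAT on unknown egress interface {out_if}')
            elif src != str(own[out_if].ip):
                findings.append(f'SNAT --to-source {src} is not the address of '
                                f'{out_if} ({own[out_if].ip}); replies will not return')
        elif r.get('-j') == 'DNAT':
            saw_dnat = True
            if r.get('-i') != notebook_if:
                findings.append(f'DNAT is not limited to -i {notebook_if}')
            if r.get('-p') != 'tcp':
                findings.append('DNAT is not limited to TCP')
            spec = r.get('--dports') or r.get('--dport')
            if not spec:
                findings.append('DNAT has no port list; every port toward the decoy is hijacked')
            else:
                hit = sorted(port_set(spec) & reserved)
                if hit:
                    findings.append(f'DNAT redirects reserved port(s) {hit}; '
                                    'legitimate traffic to the decoy breaks')
            decoy = r.get('-d')
            if not decoy:
                findings.append('DNAT has no -d decoy address')
            elif not in_excluded(decoy, excluded):
                findings.append(f'decoy {decoy} is not inside a split-tunnel exclusion; '
                                'the VPN client would send it through the tunnel')
            dest = str(r.get('--to-destination', '')).split(':')[0]
            if dest not in own_ips:
                findings.append(f'DNAT --to-destination {dest or "(none)"} is not an address of this server')
    if not saw_dnat:
        findings.append('no DNAT rule found; nothing is redirected')
    return findings


if __name__ == '__main__':
    import sys
    if sys.stdin.isatty():
        for label, rules in (('buggy', BUGGY), ('fixed', FIXED)):
            print(label, check_nat_rules(rules) or ['ok'])
    else:
        print(check_nat_rules(sys.stdin.read().splitlines()) or ['ok'])
```
\n\n\n\n<p>Saved as, say, <em>natcheck.py<\/em>, it can be run against the live rule set with <em>iptables -t nat -S | python3 natcheck.py<\/em> after applying the commands; an empty result means the rules match this setup. The IPv6 MASQUERADE rule needs no such check because MASQUERADE always uses the address of the egress interface, which is exactly the property the SNAT check enforces by hand.<\/p>\n\n\n\n<p>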
With an additional browser on the company notebook like <a href=\"https:\/\/en.wikipedia.org\/wiki\/Firefox_Portable\" target=\"_blank\" rel=\"noreferrer noopener\">Mozilla Firefox, Portable Edition<\/a>, this also lets us get around browsing restrictions and policies that the company has put in place.<\/p>\n\n\n\n<p>Having said that, I would always recommend you stick to the IT regulations of your company, of course&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[<a href=\"https:\/\/unix.stackexchange.com\/questions\/504366\/port-forwarding-over-openvpn\" target=\"_blank\" rel=\"noreferrer noopener\">1<\/a>] =\u00a0<a href=\"https:\/\/unix.stackexchange.com\/questions\/504366\/port-forwarding-over-openvpn\" target=\"_blank\" rel=\"noreferrer noopener\">iptables \u2013 Port forwarding over OpenVpn<\/a><\/li>\n\n\n\n<li>[<a href=\"https:\/\/en.wikipedia.org\/wiki\/Netfilter\" target=\"_blank\" rel=\"noreferrer noopener\">2<\/a>] =\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Netfilter\" target=\"_blank\" rel=\"noreferrer noopener\">Netfilter<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This blog post explains how a NAT rule (iptables DNAT) on a Linux server in the home office can help you to bypass access restrictions by a corporate VPN to your local 
LAN.<\/p>\n","protected":false},"author":1,"featured_media":2259,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[102,98],"class_list":["post-2240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it","tag-iptables","tag-vpn"],"_links":{"self":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2240"}],"version-history":[{"count":6,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2240\/revisions"}],"predecessor-version":[{"id":2257,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2240\/revisions\/2257"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=\/wp\/v2\/media\/2259"}],"wp:attachment":[{"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/caipirinha.spdns.org\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}