I am trying to understand how the connection to a server at my university through VPN works. The IP address of the server on the network is 172.27.xxx.xxx, which to my understanding is a private IP address (i.e. it is reserved for internal use and is not allowed on the public internet). It is also my understanding that if you perform a DNS lookup for that server then it will return the IP address of one of the university's routers that connects to the public internet (perhaps the VPN router?) because of this: "What IP address is DNS service returning?", and not the private address. So when you send packets from your host on the public internet, they are encrypted and sent to the campus VPN router. Once they make it to the VPN they are decrypted, but at this point how does the router know where to send the packets since we never had the private IP address of the desired server?
Some related questions are here, but I haven't found anything that makes this point clear to me: "How to access a VPN server with a private IP address?" and "How Does a VPN Manage Local IP Addresses" and "DNS lookup in internal network".
Thanks! That explains a lot that the OS allows the VPN client software to create the inner IP payload before passing off this payload to the usual network software on the system (I was going to ask about this in a separate question!). One key question still remains though: what does the VPN client place in the IP header for the inner payload so that the network router knows where to send the packet after removing the outer protocol? – dpritch – 2017-04-07T01:37:11.803
VPN servers are also routers. It doesn't modify the inner packet at all. If the encapsulated destination IP - available after un-encapsulating - is an IP accessible to the VPN server, the VPN server will send it on. This could be a private IP address range only accessible to the VPN server (normal for corporate VPNs, etc.), or an Internet-accessible host (this is how "privacy VPNs" work - they simply take your traffic and throw it back on the Internet). – LawrenceC – 2017-04-07T01:41:10.463
When I run
nslookup domain.name.edu
it returns the 172.27.xxx.xxx address of the server. So I presume that's the IP address that is placed in the encapsulated destination IP header? In other words, the DNS lookup allows for addresses that are not reachable on the public Internet. – dpritch – 2017-04-07T02:29:01.577
Looks like it. You can configure a DNS server to return any IP you want, even private range IPs, or even 127.0.0.1 if you really wanted. – LawrenceC – 2017-04-07T02:36:26.370
Thanks again! I've accepted this answer. But if you could add this last statement about being able to configure the DNS server to return the private range IP address I think that would be really helpful for future readers. – dpritch – 2017-04-07T14:10:55.567
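The flow the comments settle on (DNS returns the private address, the VPN client writes that address into the inner packet's own header, the gateway strips the outer header and then routes the untouched inner packet like any router) can be modelled end to end in a few lines. The following is an added illustration, not code from this thread or from any real VPN product; the zone entry, the 172.27.10.5 server address, the client and gateway addresses, the routing table and the XOR stand-in for the tunnel cipher are all constructed for the example.

```python
"""Toy model of the VPN flow discussed in the thread: DNS hands back a private
address, the client wraps the inner packet for the VPN gateway, the gateway
unwraps it and forwards the inner packet by its own destination address.

Constructed example: names, addresses and the XOR "cipher" are placeholders,
not a real VPN implementation and not real campus infrastructure."""

import ipaddress
from dataclasses import dataclass

# Constructed split-horizon zone: the name resolves to an RFC 1918 address.
INTERNAL_ZONE = {"server.example.edu": "172.27.10.5"}

# Constructed tunnel endpoints (both from IANA documentation ranges).
CLIENT_PUBLIC_IP = "203.0.113.42"   # client's address on the public Internet
GATEWAY_PUBLIC_IP = "198.51.100.1"  # the campus VPN gateway
TUNNEL_KEY = b"not-a-real-key"      # stand-in for a negotiated session key

# The gateway's routing table; longest prefix wins, as on a real router.
GATEWAY_ROUTES = [
    (ipaddress.ip_network("172.27.0.0/16"), "campus-lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet-uplink"),
]


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def classify_address(addr: str) -> str:
    """Label an address the way the question distinguishes them."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def resolve(name: str, zone=INTERNAL_ZONE) -> str:
    """A DNS server may answer with any address, including a private one."""
    return zone[name]


def _xor(data: bytes, key: bytes) -> bytes:
    # Placeholder for the tunnel cipher (IPsec or TLS in practice); XOR just
    # keeps the example self-contained and reversible.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encapsulate(inner: Packet, key: bytes = TUNNEL_KEY) -> Packet:
    """Client side: the inner packet, whose header already carries the private
    destination, becomes the encrypted payload of an outer packet addressed to
    the gateway's public address."""
    wire = f"{inner.src}|{inner.dst}|".encode() + inner.payload
    return Packet(src=CLIENT_PUBLIC_IP, dst=GATEWAY_PUBLIC_IP,
                  payload=_xor(wire, key))


def route(dst: str, routes=GATEWAY_ROUTES) -> str:
    """Longest-prefix match over the gateway's routing table."""
    ip = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if ip in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def gateway_receive(outer: Packet, key: bytes = TUNNEL_KEY):
    """Gateway side: strip the outer header, recover the inner packet without
    modifying it, then forward it by its own destination address."""
    if outer.dst != GATEWAY_PUBLIC_IP:
        raise ValueError("outer packet was not addressed to this gateway")
    src, dst, payload = _xor(outer.payload, key).split(b"|", 2)
    inner = Packet(src.decode(), dst.decode(), payload)
    return inner, route(inner.dst)


if __name__ == "__main__":
    target = resolve("server.example.edu")
    print(target, classify_address(target))        # 172.27.10.5 private
    outer = encapsulate(Packet("10.8.0.2", target, b"hello"))
    inner, iface = gateway_receive(outer)
    print(inner.dst, "->", iface)                  # 172.27.10.5 -> campus-lan
```

The same gateway code also reproduces the "privacy VPN" case from the comments: an inner packet addressed to a public host matches only the default route and leaves on the Internet uplink, while the 172.27.0.0/16 route only exists on the gateway, which is why the private address is reachable through the tunnel and from nowhere else.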