How to access hosts not on LAN but still local when VPN only allows local LAN access.
Recently I ran into an interesting problem: our new laptops at work required us to run a VPN client to reach our email and various other intranet services. "They" (corporate VPN services) were kind enough to allow connecting VPN clients local LAN access, but our local LAN is actually two different network segments, and we need access to both networks and the VPN for day-to-day business. I gave it some thought and came up with the following.
A new host on our primary LAN acts as a firewall/NAT box. This host is given one IP address, on a virtual interface, for each service on the second LAN that we need to access.
The DNS server on our primary LAN is set up to "hijack" certain hostnames from the second LAN: these hostnames are created as zones on the primary LAN's DNS server, which lets us send traffic for named hosts on the second LAN wherever we want, in this case to the firewall/NAT box we just created.
Sample network interface configuration for a "virtual interface"
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0:host
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.0.230
NETMASK=255.255.255.0
Sample iptables configuration
# allow forwarded TCP traffic from the primary LAN to the real host on the second LAN
iptables -A FORWARD -d 192.168.10.3 -i eth0 -p tcp -j ACCEPT
# rewrite connections to the virtual IP so they land on the real host
iptables -t nat -A PREROUTING -i eth0 -d 192.168.0.230 -p tcp -m tcp -j DNAT --to-destination 192.168.10.3
The samples above show a virtual interface that sits on the 192.168.0.0/24 network (this should be your primary LAN), an iptables rule that allows forwarding to the host on the second LAN, and a rule that does the NAT.
Sample bind zone file
$TTL 3600
@ IN SOA host.other.domain. hostmaster.host.other.domain. (
    2010031505 ; Serial
    1440 ; Refresh (24 minutes)
    720 ; Retry (12 minutes)
    604801 ; Expire (7 days)
    86400 ) ; Minimum / negative-cache TTL (1 day)
;
host.other.domain. IN A 10.40.0.108
    IN NS this.domain.
    IN NS ns2.this.domain.
    IN MX 10 some.mail.server.
;
localhost IN A 127.0.0.1
Sample named.conf
zone "host.other.domain" {
    type master;
    file "zone.host.other.domain";
    allow-query { internal; };
};
The bind configuration examples above show how to "hijack" the hostname from the second LAN. This configuration must be applied to the name servers of the primary LAN; note that it affects every computer resolving names through the primary LAN's DNS, not just the ones using the VPN.
And don't forget to enable IP forwarding on the firewall/NAT box:
echo 1 > /proc/sys/net/ipv4/ip_forward
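The setup above has three pieces that must agree with each other (the virtual IP on the NAT box, the DNAT target on the second LAN, and the A record in the hijacked zone), and a mistake in any of them is felt by every machine on the primary LAN once the zone is live. The following Python script is an added example, not code from the original post: it takes a table of hostname / virtual IP / real IP mappings, checks them against the two LANs, and generates the ifcfg alias, iptables rules, zone file and named.conf stanza for each one. It assumes 192.168.0.0/24 as the primary LAN and 192.168.10.0/24 as the second LAN (the addresses in the iptables sample above; the post's zone sample uses a different address, so the example sticks to one consistent set), and the second mapping is a constructed sample value. The MASQUERADE rule is an addition beyond the post's two rules and is only needed when the NAT box is not the default gateway of the second LAN.

```python
"""Generate and sanity-check the NAT-box and DNS pieces of the two-LAN setup.

Added example (not the original post's code). Assumptions: primary LAN is
192.168.0.0/24, second LAN is 192.168.10.0/24, the NAT box faces the primary
LAN on eth0; hostnames other than host.other.domain are constructed.
"""
import ipaddress
from datetime import date

PRIMARY_LAN = ipaddress.ip_network("192.168.0.0/24")  # where the VPN clients live
SECOND_LAN = ipaddress.ip_network("192.168.10.0/24")  # hosts reached via the NAT box
PRIMARY_IFACE = "eth0"

# One virtual IP on the NAT box per service on the second LAN:
# (hijacked hostname, virtual IP on the primary LAN, real IP on the second LAN)
MAPPINGS = [
    ("host.other.domain", "192.168.0.230", "192.168.10.3"),   # values from the post
    ("wiki.other.domain", "192.168.0.231", "192.168.10.17"),  # constructed sample
]


def validate(mappings, primary=PRIMARY_LAN, second=SECOND_LAN):
    """Return a list of problems; an empty list means the table is consistent.

    Catches a zone answer that would not point at the NAT box, a DNAT target
    that is not on the second LAN, and two names sharing one virtual IP.
    """
    problems, seen_vips = [], {}
    for name, vip, real in mappings:
        if ipaddress.ip_address(vip) not in primary:
            problems.append(f"{name}: virtual IP {vip} is not on the primary LAN {primary}")
        if ipaddress.ip_address(real) not in second:
            problems.append(f"{name}: real IP {real} is not on the second LAN {second}")
        if vip in seen_vips:
            problems.append(f"{name}: virtual IP {vip} already used by {seen_vips[vip]}")
        seen_vips.setdefault(vip, name)
    return problems


def iptables_rules(mappings, iface=PRIMARY_IFACE, snat=True):
    """iptables commands for every mapping, in the shape of the post's two rules.

    The POSTROUTING MASQUERADE line is an addition (assumption): without it,
    a real host whose default gateway is not the NAT box replies directly to
    the client and the reply never matches the conntrack entry of the DNAT.
    """
    rules = []
    for _, vip, real in mappings:
        rules.append(f"iptables -A FORWARD -d {real} -i {iface} -p tcp -j ACCEPT")
        rules.append(f"iptables -t nat -A PREROUTING -i {iface} -d {vip} -p tcp "
                     f"-m tcp -j DNAT --to-destination {real}")
        if snat:
            rules.append(f"iptables -t nat -A POSTROUTING -d {real} -j MASQUERADE")
    return rules


def ifcfg_alias(iface, label, vip, netmask="255.255.255.0"):
    """Body of a RHEL-style ifcfg-<iface>:<label> file for one virtual interface."""
    return "\n".join([f"DEVICE={iface}:{label}", "BOOTPROTO=static", "ONBOOT=yes",
                      f"IPADDR={vip}", f"NETMASK={netmask}"]) + "\n"


def zone_file(name, vip, ns=("this.domain.", "ns2.this.domain."), serial=None):
    """Hijack zone for one hostname: the apex A record answers with the NAT-box VIP."""
    serial = serial or int(date.today().strftime("%Y%m%d") + "01")  # YYYYMMDDnn
    lines = [
        "$TTL 3600",
        f"@ IN SOA {name}. hostmaster.{name}. (",
        f"    {serial} ; Serial",
        "    1440 ; Refresh (24 minutes)",
        "    720 ; Retry (12 minutes)",
        "    604800 ; Expire (7 days)",
        "    86400 ) ; Minimum / negative-cache TTL (1 day)",
        f"@ IN A {vip}",
    ] + [f"@ IN NS {n}" for n in ns]
    return "\n".join(lines) + "\n"


def named_conf(name, filename=None, acl="internal"):
    """named.conf zone stanza; 'internal' is an ACL assumed to be defined elsewhere."""
    filename = filename or f"zone.{name}"
    return (f'zone "{name}" {{\n    type master;\n    file "{filename}";\n'
            f'    allow-query {{ {acl}; }};\n}};\n')


if __name__ == "__main__":
    problems = validate(MAPPINGS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(iptables_rules(MAPPINGS)))
    for index, (name, vip, _) in enumerate(MAPPINGS):
        print(f"# ifcfg-{PRIMARY_IFACE}:{index}\n{ifcfg_alias(PRIMARY_IFACE, str(index), vip)}")
        print(f"# zone.{name}\n{zone_file(name, vip)}")
        print(named_conf(name))
```

Run the script on the NAT box before touching the name servers; if validate() reports anything, nothing is generated, which is the point, since the zone change affects every client on the primary LAN and not only the VPN users.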