Hilco, I don't know if this thread was resolved - additional suggestions
posted below.

On Saturday, 9 June 2018 01:20:18 BST Hilco Wijbenga wrote:

> Let me give some more information, perhaps that will help.
>
> Setup without VPN
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric
> 100
>
> (192.168.151.1 is my own gateway, an old computer functioning as router)
>
>
> Setup with VPN (Gateway: vpn.company.com; Other DNS Servers:
> dns1,dns2; Search Domains:
> r1.i.company.com,r2.i.company.com,r3.i.company.com,r4.i.company.com,r5.i.com
> pany.com,r6.i.company.com,r7.i.company.com,r8.i.company.com,i.company.com,co
> nfig)
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> $SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src
> $SOME_COMPANY_IP_1 metric 50
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric
> 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
>
> (where $SOME_COMPANY_IP is the IP of some internal server, and
> $VPN_GATEWAY is the IP of vpn.company.com).
> ==> This does _not_ allow me to access (e.g.) *.i.company.com but
> everything else works fine.

In the above setup you need to define a route for the subnet of your company's
LAN. For example, if the LAN of your company is 10.0.20.0/24:

ip route add 10.0.20.0/24 via $SOME_COMPANY_IP_1 dev tun0

should push all connections to your company's LAN via the tunnel tun0.

Two commands to help you see what routes your VPN client is setting up are:

ip rule list

which may list some new tables (in addition to local, main and default), if
your VPN client has set these up. Then look at the contents of said table,
e.g.:

ip route show table 220

Not all clients create separate rules, so the changes may have been added to
the main rule table. If in doubt and you don't mind some noise, look at all the
tables:

ip route show table all

NOTE: If you are accessing your company's LAN/servers using a FQDN instead of
private IP addresses, then you will need to configure the appropriate
nameserver for your company. Check what has been entered in /etc/resolv.conf.


> Same setup but without "Use only for resources on this connection":
> $ ip route
> default dev tun0 proto static scope link metric 50

Device tun0 has a higher metric than your physical eth0 device below. I
expect all connections which can be routed via tun0 will be routed so.

> default via 192.168.151.1 dev eth0 proto static metric 100

I'm not sure if this will work, but you can try changing the metric of device
eth0, so it takes precedence over tun0; e.g.:

ip route replace default via 192.168.151.1 dev eth0 proto static metric 30

ip route show

ip route delete default via 192.168.151.1 dev eth0 proto static metric 100


> $SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src
> $SOME_COMPANY_IP_2 metric 50
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric
> 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
>
> (note that $SOME_COMPANY_IP_1 and $SOME_COMPANY_IP_2 differ only in
> the last digit; this seems to go up by one every time I connect to
> VPN, so probably irrelevant)
> ==> This allows me to access *.i.company.com but breaks everything else.

I expect it breaks everything else (connections to anything outside your
company's LAN) because everything is sent out tun0 which has a higher priority
than your eth0, but your company's routing on the other side, once it receives
the packets, does not allow outgoing connections from your allocated
$SOME_COMPANY_IP_2 to the Internet.

TBH I wouldn't select "Use only for resources on this connection", because
this creates a full tunnel.

> What would be the "correct" output for "ip route"?

Different VPN clients create rules and entries in different tables, so there
isn't a straightforward "correct" ip route output. In any case, using 'ip
route show table all' you should be able to see a route which allows
connections to your company's LAN subnet to be sent out via tun0 and
connections to the rest of the world to be routable via your eth0.

What VPN client are you using?

-- 
Regards,
Mick
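The reply above describes two things to look for in the routing table: whether the company subnet is reachable via tun0, and whether the lowest-metric default route points at the tunnel (full tunnel) or at eth0 (split tunnel, which is what a VPN that should only carry company traffic is meant to produce). The script below is an added example, not code from either Mick's or Hilco's mail, that reads `ip route` output and answers both questions. The two sample route listings are constructed to mirror the thread; the tunnel addresses 10.8.0.2 and 10.8.0.3 are placeholders standing in for $SOME_COMPANY_IP_1 and $SOME_COMPANY_IP_2, and the company LAN 10.0.20.0/24 is the example subnet from the reply.

```shell
#!/bin/sh
# Added example: classify `ip route` output as split- or full-tunnel and
# list the destinations that leave via the VPN device. Reads the same
# format `ip route` / `ip route show table all` prints, from stdin.

# Constructed sample: split tunnel, company LAN routed via tun0 only.
# Tunnel IPs are placeholders, not real addresses from the thread.
SAMPLE_SPLIT='default via 192.168.151.1 dev eth0 proto static metric 100
10.0.20.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.2 metric 50
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100'

# Constructed sample: full tunnel, a default route via tun0 with a lower
# (i.e. preferred) metric than the eth0 default.
SAMPLE_FULL='default dev tun0 proto static scope link metric 50
default via 192.168.151.1 dev eth0 proto static metric 100
10.8.0.3 dev tun0 proto kernel scope link src 10.8.0.3 metric 50
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100'

# tunnel_mode DEV: prints "full" when the default route with the lowest
# metric leaves via DEV, "split" otherwise. A default route with no
# metric keyword counts as metric 0, which is how the kernel ranks it.
tunnel_mode() {
    awk -v dev="$1" '
        $1 == "default" {
            metric = 0; d = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (!seen || metric < best) { best = metric; bestdev = d; seen = 1 }
        }
        END { print (seen && bestdev == dev) ? "full" : "split" }
    '
}

# routes_via DEV: prints the destination of every route that uses DEV,
# one per line, so you can confirm the company subnet really goes via tun0.
routes_via() {
    awk -v dev="$1" '
        { for (i = 2; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) { print $1; break } }
    '
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SPLIT" | tunnel_mode tun0   # split
printf '%s\n' "$SAMPLE_FULL"  | tunnel_mode tun0   # full
printf '%s\n' "$SAMPLE_SPLIT" | routes_via tun0    # 10.0.20.0/24 then 10.8.0.2
```

On a live machine, pipe the real table in instead of the sample: `ip route show table all | tunnel_mode tun0`. If that reports "full" while the client is supposed to be split-tunnel, the default route Mick points at is the thing to inspect; if `routes_via tun0` does not list the company subnet, the missing `ip route add` from the reply is the likely cause.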