vpn routes with "use this connection only..."

asked 2018-03-06 19:36:25 -0600

jidar

updated 2018-03-09 15:18:19 -0600

By default, the vpn connection works and all traffic is routed through the tunnel, this sucks for my work because they get tons of traffic not required.

So when I manually set routes with the option "use this connection only for resources on its network" it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

ip route add 172.16.0.0/16 dev tun0
ip route add 10.0.0.0/8 dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing, by default routes are assigned to the VPN's IP, this is from DHCP so I can't force the gateway to a DHCP address.

[screenshot: GUI]

When attempting to follow some instructions from this post, I'll note that my gateway does not change when connecting to the VPN:

[screenshot: route after connecting]

[screenshot: route prior to connecting]

So I am not able to determine my route from the connection at all.

I also tried a few things, like using 172.16.16.1 or 172.16.16.254 expecting maybe that the network on the other end is a /24.

I also tried looking at a tracepath from another server at work and trying to trace back to the VPN IP, to see if it hit a specific route, at that point trying to even start the VPN fails.

[screenshot: tracepath to the VPN IP from elsewhere on the network]

When I use that IP 10.1.1.254 and try to route only 172.16.0.0/16 the vpn connection fails to establish.

I've also captured the logs when connecting, we can see the vpn connection is providing me a "next-hop" of the DHCP address I'm being handed.

I attempt to set a static route to 10.0.0.0/8 and the connection fails:

keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany")
keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany") after persisting connection
audit: op="connection-update" uuid="<uuid>" name="mycompany" args="ipv4.routes" pid=4372 uid=1000 result="success"
audit: op="connection-activate" uuid="<uuid>" name="mycompany" pid=4372 uid=1000 result="success"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Started the VPN service, PID 5524
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Saw the service appear; activating connection
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN plugin: state changed: starting (3)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (ConnectInteractive) reply received
manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/22)
link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (IP4 Config Get) reply received from old-style plug
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: VPN Gateway: <public-ip>
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: Tunnel Device: "tun0"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: IPv4 configuration:
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Address: 172.16.16.199
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Prefix: 32
vpn-connection[0x5590ddc342b0 ...

2 Answers

answered 2018-03-09 05:41:28 -0600

reclusivegeek

You should never use a tun device in your routing configs. If you bring up more than one device you can't be sure that the kernel will always give you the same tun device for a VPN Link. You have to use IP addresses.

Almost all IPSEC/OpenVPN etc servers use DHCP to allocate both random and fixed client IP Addresses. Also most network admins will set the config option to push default route. Without some detective work you're not going to know what the VPN server is sending or how its networks are configured.

You need to treat this problem not as a VPN issue but an IP routing issue, and the command netstat -nr is your friend.

Here is an example:

First thing is to do a netstat -nr so you can see the Kernel IP routing table before you activate the VPN. [screenshot]

Next I configure the VPN GUI like this :- [screenshot]

Now I am going to activate the VPN from the GUI and do another netstat -nr [screenshot]

So now from netstat we can learn the following about the server and the dhcp settings:

On the second line we see destination 10.255.254.0 gateway 0.0.0.0 genmask 255.255.255.0 device tun0, and we know that the subnet for the dhcp network is 255.255.255.0 and the IP range is 10.255.254.1 to 10.255.254.254.

Next we need to know what the default gateway for this network is, and line five tells us, as I know the 172.30.254.0 network is a remote network and the gateway for this network is 10.255.254.1.

Now we know that the VPN network has the following properties :- Network 10.255.254.0, Broadcast 10.255.254.255, Default GW 10.255.254.1

Now regardless of tun device (tun0, tun1, tun2 etc) it will always have this IP network so we can now configure the vpn.

So now the GUI will look like :- [screenshot]

Bring it up and test it.

All should work regardless of the number of VPNs in use or tun.

Hope this helps

reclusivegeek


Comments

I absolutely understand what and why you are suggesting I do not use the device. Please see my recent edit for an explanation as to why I see no other options.

jidar (2018-03-09 11:52:27 -0600)

Do you know what the VPN server is that your company is using and also do you have a config file or is all the config pushed by the server when you login ?

reclusivegeek (2018-03-09 14:34:38 -0600)

Also make sure that you have Routes Automatic OFF as this should stop the Destination 0.0.0.0 gateway 0.0.0.0 genmask 0.0.0.0 tun0 line getting added to the kernel table.

reclusivegeek (2018-03-09 14:42:57 -0600)
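The routing-table detective work the answer above describes, scripted as an added example (not code from the original post or from NetworkManager): it reads the kernel table in `ip -4 route show` format rather than `netstat -nr`, takes the gateway the VPN pushed for a remote network on the tun device (falling back to the .1 guess the answer mentions when no such route exists), and prints per-subnet `ip route add ... via <gateway>` commands so nothing depends on the tun device name. The sample table, interface name and subnets are constructed.

```shell
#!/bin/sh
# Added example; not code from the original post or from NetworkManager.
# Reads the kernel IPv4 routing table ("ip -4 route show" format), finds the
# gateway the VPN uses on its tun device, and prints "ip route add" commands
# that route by gateway address rather than by tun device name.

# Constructed sample table, as it might look after the VPN came up.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.255.254.0/24 dev tun0 proto kernel scope link src 10.255.254.37
172.30.254.0/24 via 10.255.254.1 dev tun0 proto static metric 50
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.20'

# vpn_gateway DEV < table
# Prints the "via" gateway of the first route on DEV.  If the server pushed
# no gateway route, falls back to the first host (.1) of the tun subnet,
# which is only a guess and must be confirmed against the real table.
vpn_gateway() {
  awk -v dev="$1" '
    { via = ""; src = ""; ondev = 0
      for (i = 2; i < NF; i++) {          # fields come as "key value" pairs
        if ($i == "via") via = $(i + 1)
        if ($i == "dev") ondev = ($(i + 1) == dev)
        if ($i == "src") src = $(i + 1)
      }
      if (!ondev) next
      if (via != "") { print via; found = 1; exit }
      if (src != "" && guess == "") { sub(/\.[0-9]+$/, ".1", src); guess = src }
    }
    END { if (found) exit 0; if (guess == "") exit 1; print guess }'
}

# vpn_routes DEV SUBNET... < table
# One "ip route add SUBNET via GW" line per subnet; the default route is
# never touched, so only the listed networks go through the tunnel.
vpn_routes() {
  dev=$1; shift
  gw=$(vpn_gateway "$dev") || { echo "no usable gateway on $dev" >&2; return 1; }
  for net in "$@"; do
    printf 'ip route add %s via %s\n' "$net" "$gw"
  done
}

# Dry run against the constructed table; pipe the output to sh to apply it.
printf '%s\n' "$SAMPLE_ROUTES" | vpn_routes tun0 172.16.0.0/16 10.0.0.0/8
```

On a live system replace the sample with `ip -4 route show | vpn_routes tun0 ...` and review the printed commands before applying them.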
answered 2018-03-08 06:13:04 -0600

reclusivegeek

Just replace tun0 with the IP address of the server. So if tun0 has an IP address of say 10.255.255.105 and a subnet of 255.255.255.0 it's probable that the gateway address is 10.255.255.1 or 10.255.255.254.

If that does not work, remove the address and untick the "connection only" and let the VPN connect. Then on a command line type netstat -nr and find the gateway for the Kernel IP routing table.

Hope that helps

reclusivegeek


Comments

This just isn't how it (appears to) work. When I uncheck the "connection only" box, the route that gets created is "default dev tun0 proto static scope link metric 50" and "172.16.16.187 dev tun0 proto kernel scope link src 172.16.16.187 metric 50", but when I try to add a route for that network that tun0 is on, I get an error: Error: Nexthop has invalid gateway. When I add a route for that specific IP that I get from DHCP, I can route traffic fine. So either I need to use the DHCP IP, or the device.

jidar (2018-03-08 10:49:42 -0600)
