[ale] {Disarmed} VPN Routing

Michael H. Warfield mhw at WittsEnd.com
Sat Sep 10 17:40:52 EDT 2011


On Sat, 2011-09-10 at 03:49 -0400, David Hillman wrote: 
> At work, we are using Untangle as the main router/gateway for our LAN, it's
> mainly for the ease with which it does OpenVPN configuration.  The Untangle
> box has two networks coming in on the public interface.  One of the networks
> goes out to a T1 connection with 10 public IPs.  The other network goes to
> another internal router that our main network guys manage.  The Untangle box
> only has two interfaces, but it is sitting behind a switch with multiple
> VLANs.  I was able to add aliases for all of the IPs we have on both
> networks and a static route to the network controlled by the internal
> router; the default gateway on the Untangle box is set to the managed router
> for the T1 connection.  Everything seems to work fine on the LAN, but none
> of the OpenVPN clients can reach the network that is controlled by our other
> internal router.  I am guessing that's because the information about that
> static route isn't known by any of those clients.  VPN clients can hit any
> of the machines on the LAN behind the Untangle box.  My issue is how do I
> add the route to the other network without messing things up.  I would
> prefer to add the route to the Untangle server and then push that to the
> clients.  Lord knows how I would get my iPad to handle a static route over
> OpenVPN.

I've read that paragraph a half a dozen times and I still have only a
vague notion of what you are describing.

DRAW A PICTURE.  Even if it's ascii art.  I tried drawing a network
diagram from what you described in that solid block of words above and
failed.  About 1/3 of the way through the paragraph, I'm lost in a cloud
of words going "what was that again?"

1) Draw a picture showing us what you have and describe it.

2) Tell us what you want to do.

3) Tell us what your observations are.

4) Tell us what your thoughts are based on the above.

5) Do it in separate paragraphs.

I think that paragraph above should be at least 4 paragraphs (plus a
drawing) and then you might have a better shot at getting an answer.

> For testing purposes, I tried logging into the Untangle box and setting the
> route there, but I got a weird "SIOCADDRT: no such device" error.  This is
> the command that I used:

> route add -net 172.16.0.0/24 192.168.0.1

That error generally means you tried to add a route through a gateway it
did not know how to route through.  But...  Don't you have another error
in there?  Shouldn't that command be:

route add -net 172.16.0.0/24 gw 192.168.0.1

Note the missing "gw".  In the terms of the more modern ip command:

ip route add 172.16.0.0/24 via 192.168.0.1

You might try the ip command as well.  It might give you a better (or at
least different) error.


You'll also need to show us the output from:

netstat -nr

- or -

ip route ls

My guess would be it doesn't know how to route to 192.168.0.1 but,
without seeing the routing table, that's a wild ass guess.

> Maybe I am misunderstanding how OpenVPN routing works, but according to the
> routing table, 172.16.0.0 is the network that tun0 uses.  However, I was
> given a 192.168.5.x IP address when I logged in through OpenVPN.  It
> shouldn't matter, as long as my local machine knows how to handle the route
> to the other network.  192.168.0.1 is the IP address for the Untangle
> router.

> Can anyone clear this up?

I don't even know how to start without a clearer idea of what you have and
what you are trying to do.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
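Mike's diagnosis (the box has no connected route to the gateway named after "via") can be checked before the command is run. This is an added example, not code from the thread or from Untangle: it parses the output of `ip route ls`, reports whether a proposed gateway lies inside a directly connected prefix, and also flags the two other mistakes the thread hints at (naming the box's own address as the gateway, and a destination that collides with the VPN subnet). The route table and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ip route ls` output (addresses are assumptions);
# 192.168.0.1 is this host's own LAN address, as in the thread.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
203.0.113.0/29 dev eth0 proto kernel scope link src 203.0.113.2
"""

def connected_prefixes(route_output):
    """Yield (network, dev, src) for each prefix reachable without a gateway."""
    for line in route_output.splitlines():
        f = line.split()
        if not f or f[0] == "default" or "via" in f:
            continue  # default and gatewayed routes are not on-link
        net = ipaddress.ip_network(f[0], strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        src = ipaddress.ip_address(f[f.index("src") + 1]) if "src" in f else None
        yield net, dev, src

def check_route(route_output, dest, gateway):
    """Classify `ip route add DEST via GATEWAY` before running it.

    Returns (status, detail) where status is one of:
      "ok"          - gateway is on-link; detail is the command to run
      "self"        - gateway is this host's own address, nothing sits behind it
      "overlap"     - DEST collides with a connected prefix (e.g. the tun0 subnet)
      "unreachable" - no connected prefix contains the gateway; the kernel
                      would refuse the route
    """
    dest_net = ipaddress.ip_network(dest, strict=False)
    gw = ipaddress.ip_address(gateway)
    prefixes = list(connected_prefixes(route_output))
    for net, dev, _src in prefixes:
        if dest_net.overlaps(net):
            return "overlap", f"{dest_net} is already on-link via {dev}"
    for net, dev, src in prefixes:
        if gw == src:
            return "self", f"{gw} is this host's own address on {dev}"
        if gw in net:
            return "ok", f"ip route add {dest_net} via {gw} dev {dev}"
    return "unreachable", f"no connected prefix contains {gw}"

if __name__ == "__main__":
    for gw in ("192.168.0.1", "192.168.0.254", "10.9.0.1"):
        print(gw, "->", check_route(SAMPLE_ROUTES, "172.16.0.0/24", gw))
```

Feed it the real `ip route ls` output instead of the constructed sample to get the verdict for the box in question.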