[ale] {Disarmed} VPN Routing
David Hillman
hillmands at gmail.com
Sun Sep 11 20:14:05 EDT 2011
Sorry about that. I wrote that huge blob at 3:30 AM. It makes me cringe
just looking at it.
Below is the network diagram.
72.15.16.176/29
OpenVPN
208.62.71.47/29 switch (1-12) |
10.28.6.0/24 ---------+---------+
+--------------------+
| vlan1 | eth0 (public)|
Untangle1 | eth1 (LAN) 192.168.0.0/24
+---------+----------------------+
+--------------------------------------+
| | |
+--------------------+ |
switch (13-24)
|
+---------+-------------------------------------------------------------------------------------+
| vlan2 |
+----+---+-----LAN clients
The Untangle box is acting as a NAT gateway for the 208.62.72.47/29 public
addresses (changed).
It also does routing from the LAN to the 10.32.7.0/24 network.
There is also a bridging firewall/IDS but I didn't put it there.
Here is the routing table (changed a bit) for the Untangle box:
~ # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.0.2      *               255.255.255.255 UH        0 0          0 tun0
72.15.16.176    *               255.255.255.248 U         0 0          0 eth0
208.62.71.47    *               255.255.255.248 U         0 0          0 eth0
192.168.1.0     172.16.0.2      255.255.255.0   UG        0 0          0 tun0
172.16.0.0      172.16.0.2      255.255.255.0   UG        0 0          0 tun0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth1
10.28.6.0       10.28.6.1       255.255.255.0   UG        0 0          0 eth0
10.28.6.0       *               255.255.255.0   U         0 0          0 eth0
192.0.2.0       *               255.255.255.0   U         0 0          0 dummy0
192.0.2.0       *               255.255.255.0   U         0 0          0 utun
I can ping any of the 10.28.6.x addresses directly from the LAN.
I can also ping anything on the Internet from the LAN.
I can't ping any of the 10.28.6.x addresses from the VPN connection.
My question was:
Is it possible for the VPN clients to get a route from the 172.16.0.0/24
network to the 10.28.6.0/24 network through OpenVPN (don't know much about
OpenVPN)?
I finally heard back from the Untangle folks, and it looks like there is a
way to do that;
it's just that the Untangle GUI doesn't have an option for pushing routes to
the clients.
As long as we can access the 10.28.6.0/24 network from the LAN, that's good
enough.
On Sat, Sep 10, 2011 at 5:40 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Sat, 2011-09-10 at 03:49 -0400, David Hillman wrote:
> > At work, we are using Untangle as the main router/gateway for our LAN, it's
> > mainly for the ease with which it does OpenVPN configuration. The Untangle
> > box has two networks coming in on the public interface. One of the networks
> > goes out to a T1 connection with 10 public IPs. The other network goes to
> > another internal router that our main network guys manage. The Untangle box
> > only has two interfaces, but it is sitting behind a switch with multiple
> > VLANs. I was able to add aliases for all of the IPs we have on both
> > networks and a static route to the network controlled by the internal
> > router; the default gateway on the Untangle box is set to the managed router
> > for the T1 connection. Everything seems to work fine on the LAN, but none
> > of the OpenVPN clients can reach the network that is controlled by our other
> > internal router. I am guessing that's because the information about that
> > static route isn't known by any of those clients. VPN clients can hit any
> > of the machines on the LAN behind the Untangle box. My issue is how do I
> > add the route to the other network without messing things up. I would
> > prefer to add the route to the Untangle server and then push that to the
> > clients. Lord knows how I would get my iPad to handle a static route over
> > OpenVPN.
>
> I've read that paragraph a half a dozen times and I still have only a
> vague notion of what you are describing.
>
> DRAW A PICTURE. Even if it's ascii art. I tried drawing a network
> diagram from what you described in that solid block of words above and
> failed. About 1/3 of the way through the paragraph, I'm lost in a cloud
> of words going "what was that again?"
>
> 1) Draw a picture showing us what you have and describe it.
>
> 2) Tell us what you want to do.
>
> 3) Tell us what your observations are.
>
> 4) Tell us what your thoughts are based on the above.
>
> 5) Do it in separate paragraphs.
>
> I think that paragraph above should be at least 4 paragraphs (plus a
> drawing) and then you might have a better shot at getting an answer.
>
> > For testing purposes, I tried logging into the Untangle box and setting the
> > route there, but I got a weird "SIOCADDRT: no such device" error. This is
> > the command that I used:
>
> > route add -net 172.16.0.0/24 192.168.0.1
>
> That error generally means you tried to add a route through a gateway it
> did not know how to route through. But... Don't you have another error
> in there. Shouldn't that command be:
>
> route add -net 172.16.0.0/24 gw 192.168.0.1
>
> Note the missing "gw". In the terms of the more modern ip command:
>
> ip route add 172.16.0.0/24 via 192.168.0.1
>
> You might try the ip command as well. It might give you a better (or at
> least different) error.
>
>
> You'll also need to show us the output from:
>
> netstat -nr
>
> - or -
>
> ip route ls
>
> My guess would be it doesn't know how to route to 192.168.0.1 but,
> without seeing the routing table, that's a wild ass guess.
>
> > Maybe I am misunderstanding how OpenVPN routing works, but according to the
> > routing table, 172.16.0.0 is the network that tun0 uses. However, I was
> > given a 192.168.5.x IP address when I logged in through OpenVPN. It
> > shouldn't matter, as long as my local machine knows how to handle the route
> > to the other network. 192.168.0.1 is the IP address for the Untangle
> > router.
>
> > Can anyone clear this up?
>
> I don't even know how to start with a clearer idea of what you have and
> what you are trying to do.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
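As an added example (not code from the thread, from Untangle or from OpenVPN): a POSIX shell script that does a longest-prefix lookup over the routing table David posted, applies the on-link condition behind Mike's "doesn't know how to route to 192.168.0.1" remark before printing a `route add ... gw` equivalent, and prints the server-side OpenVPN `push "route ..."` directive David was looking for. The table rows are copied from the post; the "IFACE GATEWAY" output format and the function names are constructed here.

```shell
# Added example, not from the thread: longest-prefix lookup over the netstat -r
# table posted above, an on-link check for a static route's gateway, and the
# OpenVPN directive that pushes a route to clients ("*" = directly connected).
# destination gateway genmask iface, in posted order (192.0.2.0 entries left out)
ROUTES='172.16.0.2 * 255.255.255.255 tun0
72.15.16.176 * 255.255.255.248 eth0
208.62.71.47 * 255.255.255.248 eth0
192.168.1.0 172.16.0.2 255.255.255.0 tun0
172.16.0.0 172.16.0.2 255.255.255.0 tun0
192.168.0.0 * 255.255.255.0 eth1
10.28.6.0 10.28.6.1 255.255.255.0 eth0
10.28.6.0 * 255.255.255.0 eth0'

# dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# route_lookup ADDR: "IFACE GATEWAY" of the most specific match, else "none" (no
# default route was posted). Equal-length matches keep the first listed entry.
route_lookup() {
    dst=$(ip2int "$1"); best_mask=-1; best=none
    while read -r net gw mask iface; do
        m=$(ip2int "$mask"); n=$(ip2int "$net")
        if [ $(( (dst & m) == (n & m) && m > best_mask )) -eq 1 ]; then
            best_mask=$m; best="$iface $gw"
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best"
}

# static_route_cmd NET/PREFIX GATEWAY: prints the ip(8) command only when the
# gateway is on-link; Linux rejects a nexthop it has no connected route to.
static_route_cmd() {
    via=$(route_lookup "$2")
    case "$via" in
        *" *") echo "ip route add $1 via $2" ;;
        *) echo "gateway $2 is not on a connected network (route: $via)"; return 1 ;;
    esac
}
# push_route NET/PREFIX: server-side OpenVPN directive handing the route to clients
push_route() {
    net=${1%/*}; p=${1#*/}
    m=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    echo "push \"route $net $(( m >> 24 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))\""
}
```

Running `route_lookup 10.28.6.5` shows the gateway itself already resolves that network to eth0, which is why the LAN can reach it; the missing piece is the `push_route 10.28.6.0/24` line on the OpenVPN server so clients learn the same route.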