[ale] VPN Routing

David Hillman hillmands at gmail.com
Sun Sep 11 20:14:05 EDT 2011


Sorry about that.  I wrote that huge blob at 3:30 AM.  It makes me cringe
just looking at it.

Below is the network diagram.

  OpenVPN      72.15.16.176/29
               208.62.71.47/29      switch (ports 1-12)      eth0 (public)
               10.28.6.0/24   ------------ vlan1 ----------------+
                                                                 |
                                                    +------------+-----------+
                                                    |        Untangle1       |
                                                    +------------+-----------+
                                                                 |
                                                  eth1 (LAN) 192.168.0.0/24
                                                                 |
                                      switch (ports 13-24) ---- vlan2 ---- LAN clients

The Untangle box is acting as a NAT gateway for the 208.62.72.47/29 public
addresses (changed).
It also does routing from the LAN to the 10.32.7.0/24 network.
There is also a bridging firewall/IDS but I didn't put it there.

Here is the routing table (changed a bit) for the Untangle box:

~ # netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.0.2      *               255.255.255.255 UH        0 0          0 tun0
72.15.16.176    *               255.255.255.248 U         0 0          0 eth0
208.62.71.47    *               255.255.255.248 U         0 0          0 eth0
192.168.1.0     172.16.0.2      255.255.255.0   UG        0 0          0 tun0
172.16.0.0      172.16.0.2      255.255.255.0   UG        0 0          0 tun0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth1
10.28.6.0       10.28.6.1       255.255.255.0   UG        0 0          0 eth0
10.28.6.0       *               255.255.255.0   U         0 0          0 eth0
192.0.2.0       *               255.255.255.0   U         0 0          0 dummy0
192.0.2.0       *               255.255.255.0   U         0 0          0 utun

I can ping any of the 10.28.6.x addresses directly from the LAN.
I can also ping anything on the Internet from the LAN.
I can't ping any of the 10.28.6.x addresses from the VPN connection.

My question was:

Is it possible for the VPN clients to get a route from the 172.16.0.0/24
network to the 10.28.6.0/24 network through OpenVPN (don't know much about
OpenVPN)?

I finally heard back from the Untangle folks, and it looks like there is a
way to do that; it's just that the Untangle GUI doesn't have an option for
pushing routes to the clients.

As long as we can access the 10.28.6.0/24 network from the LAN, that's good
enough.


On Sat, Sep 10, 2011 at 5:40 PM, Michael H. Warfield <mhw at wittsend.com> wrote:

> On Sat, 2011-09-10 at 03:49 -0400, David Hillman wrote:
> > At work, we are using Untangle as the main router/gateway for our LAN; it's
> > mainly for the ease with which it does OpenVPN configuration.  The Untangle
> > box has two networks coming in on the public interface.  One of the networks
> > goes out to a T1 connection with 10 public IPs.  The other network goes to
> > another internal router that our main network guys manage.  The Untangle box
> > only has two interfaces, but it is sitting behind a switch with multiple
> > VLANs.  I was able to add aliases for all of the IPs we have on both
> > networks and a static route to the network controlled by the internal
> > router; the default gateway on the Untangle box is set to the managed router
> > for the T1 connection.  Everything seems to work fine on the LAN, but none
> > of the OpenVPN clients can reach the network that is controlled by our other
> > internal router.  I am guessing that's because the information about that
> > static route isn't known by any of those clients.  VPN clients can hit any
> > of the machines on the LAN behind the Untangle box.  My issue is how do I
> > add the route to the other network without messing things up.  I would
> > prefer to add the route to the Untangle server and then push that to the
> > clients.  Lord knows how I would get my iPad to handle a static route over
> > OpenVPN.
>
> I've read that paragraph a half a dozen times and I still have only a
> vague notion of what you are describing.
>
> DRAW A PICTURE.  Even if it's ascii art.  I tried drawing a network
> diagram from what you described in that solid block of words above and
> failed.  About 1/3 of the way through the paragraph, I'm lost in a cloud
> of words going "what was that again?"
>
> 1) Draw a picture showing us what you have and describe it.
>
> 2) Tell us what you want to do.
>
> 3) Tell us what your observations are.
>
> 4) Tell us what your thoughts are based on the above.
>
> 5) Do it in separate paragraphs.
>
> I think that paragraph above should be at least 4 paragraphs (plus a
> drawing) and then you might have a better shot at getting an answer.
>
> > For testing purposes, I tried logging into the Untangle box and setting the
> > route there, but I got a weird "SIOCADDRT: no such device" error.  This is
> > the command that I used:
>
> > route add -net 172.16.0.0/24 192.168.0.1
>
> That error generally means you tried to add a route through a gateway it
> did not know how to route through.  But...  Don't you have another error
> in there?  Shouldn't that command be:
>
> route add -net 172.16.0.0/24 gw 192.168.0.1
>
> Note the missing "gw".  In the terms of the more modern ip command:
>
> ip route add 172.16.0.0/24 via 192.168.0.1
>
> You might try the ip command as well.  It might give you a better (or at
> least different) error.
>
>
> You'll also need to show us the output from:
>
> netstat -nr
>
> - or -
>
> ip route ls
>
> My guess would be it doesn't know how to route to 192.168.0.1 but,
> without seeing the routing table, that's a wild ass guess.
>
> > Maybe I am misunderstanding how OpenVPN routing works, but according to the
> > routing table, 172.16.0.0 is the network that tun0 uses.  However, I was
> > given a 192.168.5.x IP address when I logged in through OpenVPN.  It
> > shouldn't matter, as long as my local machine knows how to handle the route
> > to the other network.  192.168.0.1 is the IP address for the Untangle
> > router.
>
> > Can anyone clear this up?
>
> I don't even know how to start with a clearer idea of what you have and
> what you are trying to do.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>   NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
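Added example, not from the thread and not Untangle's or OpenVPN's own code: a small shell script that shows the two halves of the question above. The server-side directive that makes OpenVPN hand a route to every client is push "route <network> <netmask>"; the script derives that line from a CIDR, then runs a longest-prefix-match lookup over the Untangle routing table posted above (re-typed as network/length pairs) and over a hypothetical client table before and after the push, to show why the box itself reaches 10.28.6.x while a connected client does not. The client's table, its uplink name wlan0 and its default route are assumptions; the rest is constructed from the addresses in the post.

```shell
#!/bin/sh
# Added example (not code from the thread, Untangle or OpenVPN).
# (1) push_route_line: the OpenVPN server directive that installs a route
#     on every client; (2) route_lookup: longest-prefix match over a table
#     of "network/len iface" lines.  All tables are constructed text; the
#     client's wlan0 uplink and default route are assumptions.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# /prefix length -> dotted-quad netmask, the form OpenVPN's "route"
# directive expects (24 -> 255.255.255.0).  Works for 0..32.
prefix2mask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Line for the OpenVPN *server* config: push_route_line 10.28.6.0/24
push_route_line() {
    printf 'push "route %s %s"\n' "${1%/*}" "$(prefix2mask "${1#*/}")"
}

# $1: table of "network/len iface" lines, $2: destination address.
# Prints the interface of the most specific matching route, or "none".
route_lookup() {
    dst=$(ip2int "$2"); best=none; best_len=-1
    while read -r net iface; do
        [ -n "$net" ] || continue
        len=${net#*/}
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
        n=$(ip2int "${net%/*}")
        if [ $(( (dst & mask) == (n & mask) )) -eq 1 ] && [ "$len" -gt "$best_len" ]; then
            best=$iface; best_len=$len
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# The Untangle box's table as posted (no default route was shown, so none here).
UNTANGLE_TABLE='172.16.0.2/32 tun0
72.15.16.176/29 eth0
208.62.71.47/29 eth0
192.168.1.0/24 tun0
172.16.0.0/24 tun0
192.168.0.0/24 eth1
10.28.6.0/24 eth0'

# Hypothetical VPN client: tunnel address in 172.16.0.0/24, the LAN route
# already pushed by the server, and its own Internet uplink as default.
CLIENT_BEFORE='172.16.0.0/24 tun0
192.168.0.0/24 tun0
0.0.0.0/0 wlan0'

# The same client after the server pushes "route 10.28.6.0 255.255.255.0".
CLIENT_AFTER="$CLIENT_BEFORE
10.28.6.0/24 tun0"

# Where a packet for 10.28.6.5 goes from each vantage point.
untangle_path()      { route_lookup "$UNTANGLE_TABLE" 10.28.6.5; }  # eth0
client_path_before() { route_lookup "$CLIENT_BEFORE"  10.28.6.5; }  # wlan0: leaves via the client's own uplink, never enters the tunnel
client_path_after()  { route_lookup "$CLIENT_AFTER"   10.28.6.5; }  # tun0

push_route_line 10.28.6.0/24
echo "untangle: $(untangle_path)  client before push: $(client_path_before)  after: $(client_path_after)"
```

Pushing the route is only the client half of the path. The Untangle box must forward between tun0 and eth0 (net.ipv4.ip_forward set to 1 and no filter rule dropping tunnel traffic), and the hosts on 10.28.6.0/24, or the router at 10.28.6.1, need a route back to the VPN subnet via the box's 10.28.6.x alias; if that cannot be arranged, the box has to NAT tunnel traffic to that alias. Otherwise replies from 10.28.6.x follow the internal router's default path and the pings still fail even though the client now sends them into the tunnel. On the "SIOCADDRT: No such device" error: net-tools route treats a bare trailing argument as a device name, so 172.16.0.0/24 192.168.0.1 asks for an interface called 192.168.0.1; the gw form (or ip route add ... via ...) from the reply above is what expresses a next hop.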

