[lug] routing question...

Bear Giles bgiles at coyotesong.com
Tue Nov 3 15:02:04 MST 2020


Yeah, that was a typo. We've actually set up several address ranges in our
VPN but I'm simplifying the situation for simplicity.

The mac users have a pretty interface but it's just a wrapper to OpenSSL.
On my linux boxes I just run 'openvpn corp.ovpn'. That conf file includes a
push to the local routing tables etc and has everything go through a fixed
IP address on the other side.

That's why I can manually change the gateway metrics after I've established
a connection. They push

   $ sudo ip route add default via 172.28.1.1

and I'll replace it so it only routes the CIDR mentioned above. Everything
works fine.

I'll do this when I'm connected to the VPN on my home system. They did as
well, for a while, but I think they changed it back to a default route
because of some legacy servers that are outside of the walled garden. I
would prefer to go through the laptop though since I noticed it sometimes
changed my network settings without warning. I assume it's from Network
Manager noticing that the VPN connection had dropped and reestablishing it.

On Tue, Nov 3, 2020 at 2:44 PM Orion Poplawski <orion at nwra.com> wrote:

> On 11/3/20 2:32 PM, Bear Giles wrote:
> > I seem to be missing something - as well as all of the results in my
> > google searches.
> >
> > I'm trying to route traffic from my home system (with dual 4k monitors)
> > to my work laptop and then onto the corporate VPN. I *could* set up the
> > VPN on my home system but would prefer the control of setting up my own
> > routing. E.g., I don't want the VPN to be my default route to the
> > internet at large - esp. since I only use the VPN to access an AWS
> > walled garden.
> >
> > I have a similar situation when I lose my home comcast connection. I can
> > usually still get out - either a comcast hotspot or a tethered
> > phone/tablet - and my entire network could get out if I could
> > temporarily change the default route to go through that system. (Not
> > all of my systems have wifi.) I haven't had any luck though and I think
> > it's the same problem I'm seeing today.
> >
> > This should be pretty straightforward. On the laptop I entered
> >
> >    $ sudo sysctl -w net.ipv4.ip_forward=1
> >
> > and on my home system I entered
> >
> >    $ sudo ip route add 172.28.0.0/16 via 192.168.1.100 proto static
> >
> > where 192.168.1.100 is the laptop.
> >
> > I've verified that the route is listed in both `ip route` and
> > `netstat -r`.
> >
> > However I can't reach the walled garden. In fact if I run
> >
> >    $ traceroute 172.27.10.10
>                       ^^^
>
> Is that right?  You list .28 above.
>
> >
> > it reports the first hop as 192.168.1.1, not 192.168.1.100.
> >
> > Am I missing a step? I thought these changes took effect immediately but
> > maybe I need to bounce something. E.g., I know I probably need to set up
> > a NAT for the comcast or tethered connection, but I can assign my own IP
> > address in the 172.28.0.0/16 CIDR so that's not an issue. I also don't
> > see how that would affect the first hop chosen in traceroute.
> >
> > Thanks
>
> Also note that depending on the firewall on the work side, this might not
> work unless you also set up NAT on your work laptop.  Here we would
> certainly block traffic not from the VPN client itself.
>
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion at nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
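Orion's question about .27 versus .28 is exactly what the kernel's route lookup turns on: a destination outside 172.28.0.0/16 matches only the default route, so the first hop is the home router, not the laptop. The following is an added example, not code from the thread, that parses `ip route`-style output and applies longest-prefix match with a metric tie-break; the device names, metrics and the 192.168.1.50 source address in the sample are assumptions.

```python
import ipaddress

# Constructed sample of `ip route` output for the home system after adding the
# 172.28.0.0/16 route via the laptop; the device names, the 192.168.1.50 source
# address and the metrics are assumptions made for this example.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
172.28.0.0/16 via 192.168.1.100 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""

# Keywords in `ip route` output that are followed by a value; anything else
# (e.g. "onlink", "linkdown") is a bare flag and is skipped.
VALUE_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table"}

def parse_ip_route(text):
    """Parse `ip route` lines into dicts with prefix, via, dev and metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"prefix": ipaddress.ip_network(dest, strict=False),
                 "via": None, "dev": None, "metric": 0}
        i = 1
        while i < len(fields):
            key = fields[i]
            if key in VALUE_KEYS and i + 1 < len(fields):
                value = fields[i + 1]
                if key == "via":
                    route["via"] = ipaddress.ip_address(value)
                elif key == "dev":
                    route["dev"] = value
                elif key == "metric":
                    route["metric"] = int(value)
                i += 2
            else:
                i += 1
        routes.append(route)
    return routes

def first_hop(routes, dst):
    """Route the kernel would pick for dst: longest prefix wins, lower metric breaks ties (ignores policy rules and extra tables)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["prefix"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))
    return str(best["via"]) if best["via"] is not None else f"on-link via {best['dev']}"
```

`ip route get 172.27.10.10` on the real host gives the same answer from the live tables, which is the quickest check before reaching for traceroute.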