LinuxQuestions.org
Old 02-10-2015, 12:49 AM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,337

Rep: Reputation: Disabled
Using SSH through a VPN connection fails


I am working with another person to set up a VPN. This is my first attempt at trying to configure a VPN.

The VPN is a MikroTik router and has been assigned a public gateway address. Once connected to the gateway, users' systems are assigned private IP addresses in the 192.168.88.x subnet.

I have been testing mostly from within my home network. I use a Linksys router. For all of my home systems my private wired and wireless subnet is 192.168.1.x. Gateway is 192.168.1.1.

For house guests I have an open wireless subnet of 192.168.3.x, which is not bridged to my 192.168.1.x subnet.

From within the 192.168.1.x subnet I have no problems connecting two systems to the VPN gateway. When both systems are connected to the VPN gateway I can ssh from one system to another.

The testing always fails when the two systems are on different subnets. That is, ssh fails to connect when I keep both systems in my home, keep my desktop system on my normal 192.168.1.x, but connect my laptop to my house guest subnet of 192.168.3.x. In these tests, despite both systems successfully connecting to the VPN gateway, ssh always fails with a 'No route to host' error.

That is the part that confuses me. I presume that once both systems connect to the VPN gateway, and I ssh from one private 192.168.88.x address to another, that I should connect. Yet that succeeds only when both systems connect to the VPN from the same originating subnet.

I am testing this way in my home with different subnets because I am simulating the two computers being in physically different locations. Yet I also have tested both systems at different locations. I see the same failure.

Firewalls are not the culprit. I obtain the same failures with or without the firewalls. I obtain the same success with or without the firewalls as long as both systems are on the same originating subnet.

To connect I use either kvpnc or network manager. At the moment we are using pptp. (Please --- no discussion about whether pptp is secure.)

This is a routing table when connecting my desktop with kvpnc:

Code:
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.88.10   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
XXX.XXX.XXX.XXX 192.168.1.1     255.255.255.255 UGH   0      0        0 eth0

This is a routing table when connecting my laptop with network manager:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 ppp0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.88.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
XXX.XXX.XXX.XXX 192.168.3.1     255.255.255.255 UGH   0      0        0 wlan0
XXX.XXX.XXX.XXX 192.168.3.1     255.255.255.255 UGH   0      0        0 wlan0

Where XXX.XXX.XXX.XXX is the VPN gateway.

The routing tables are incomplete but I don't know what I am missing. I appreciate any guidance. Mostly, "big picture" guidance. Such as, what a routing table should look like with a VPN connection.

Thank you.
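
Added example (not part of the original post): a longest-prefix-match lookup over the laptop routing table posted above, showing which interface the kernel would select for a given destination. The VPN gateway is masked in the post, so 203.0.113.1 is a constructed stand-in, and the function names are this example's own.

```python
import ipaddress

# Laptop table as posted (NetworkManager). The masked XXX.XXX.XXX.XXX gateway
# rows use 203.0.113.1, a constructed documentation address.
LAPTOP = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.3.1     0.0.0.0         UG    0      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 ppp0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.88.11   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
203.0.113.1     192.168.3.1     255.255.255.255 UGH   0      0        0 wlan0
203.0.113.1     192.168.3.1     255.255.255.255 UGH   0      0        0 wlan0
"""

def parse(table):
    """Turn `route -n` rows into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in table.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the header row and anything malformed
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}")
        routes.append((net, f[1], int(f[4]), f[7]))
    return routes

def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2])) if hits else None

def egress(routes, dst):
    """Return (iface, next_hop); 'on-link' means the kernel ARPs for dst itself."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r[3], ("on-link" if r[1] == "0.0.0.0" else r[1])

def bypasses_tunnel(routes, dst, tunnel="ppp0"):
    """True when traffic to dst would not leave through the tunnel interface."""
    hit = egress(routes, dst)
    return hit is None or hit[0] != tunnel

if __name__ == "__main__":
    table = parse(LAPTOP)
    for dst in ("192.168.88.10", "192.168.88.11", "198.51.100.7"):
        print(dst, egress(table, dst), "bypasses ppp0:", bypasses_tunnel(table, dst))
```

For 192.168.88.10 the /24 row on wlan0 is the best match, so the packet is sent on-link over the wireless LAN instead of through ppp0, which is consistent with ssh working only when both machines share a LAN. On a live system, `ip route get 192.168.88.10` reports the same decision.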
 
Old 02-10-2015, 08:17 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472
Something is a bit off - two entries for the vlan on the same device?

And with the vlan active, I don't think there should be a default route through 192.168.3.1 (it should be the vlan). Very likely this is the entry causing problems - the address of the remote system should be using the vlan address of the remote system. If you are trying to use the 192.168.1.x address of the other subnet then it should fail as the packets aren't being passed.
 
Old 02-12-2015, 01:42 PM   #3
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,337

Original Poster
Rep: Reputation: Disabled
Quote:
something is a bit off - two entries for the vlan on the same device?

Seems to be an LMDE quirk. I cannot replicate on Fedora or Slackware.

With further thought, I believe I am trying to accomplish much the same as folks who work from home and connect to a company VPN. I want to preserve my existing routing for personal usage, but want to add the VPN routing to access company resources.
 
Old 02-12-2015, 04:33 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472
Quote:
Originally Posted by upnort
Seems to be an LMDE quirk. I cannot replicate on Fedora or Slackware.

With further thought, I believe I am trying to accomplish much the same as folks who work from home and connect to a company VPN. I want to preserve my existing routing for personal usage, but want to add the VPN routing to access company resources.

Yes - but normally the default route is switched to the VPN. This allows the company to control firewall access to their facilities, and prevent the connection from providing a back door.
 
Old 02-18-2015, 06:59 PM   #5
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,337

Original Poster
Rep: Reputation: Disabled
Quote:
normally the default route is switched to the VPN.

This does seem to be the problem. I do not know why NetworkManager does not automatically adjust the routing table.

I tested this in Windows and everything just works. Likewise, every how-to I visit goes no further than the basic NM setup and for those writers, everything just works. I suspect I am not seeing something that everybody else doing this does see.

Ideas?
 
Old 02-19-2015, 05:57 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472
There should be a configuration file for the VPN that includes the gateway specification. I don't have one so I'm not sure where it would be. It is also possible the GUI setup for the VPN didn't get the gateway added, so NM didn't use it when determining the default route.
 
Old 02-19-2015, 02:30 PM   #7
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,337

Original Poster
Rep: Reputation: Disabled
After some more web surfing yesterday, I stumbled across the idea that the router might not be correctly configured to push routing information to clients, or is not doing so in a manner expected by Linux clients. I did not run a full test with the Windows setup, but the Windows routing table did change the gateway. The oddity to me is the Windows system showed the default gateway as the system's assigned ppp0 IP address.

I tinkered a bit with manually editing the routing table in the hope of getting something close to the Windows routing table, but my inexperience in this area did not get me far.

Confusing to me is I have looked at dozens of online tutorials, blogs, and how-tos. Not one mentioned anything with manual or special adjustments. Just the basic NM pptp configuration and for them, everything just worked. That observation is leading me to think the problem is the VPN router configuration and not NM.
 
Old 03-03-2015, 02:21 PM   #8
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
Quote:
I am testing this way in my home with different subnets because I am simulating the two computers being in physically different locations. Yet I also have tested both systems at different locations. I see the same failure.

I had a similar problem a couple of years ago when I installed OpenVPN in order to set up a VPN tunnel to a third-party provider, then I tried to SSH in from the Internet (a hospital, an airport, etc.), intending to shovel the packets through my server and then go out to the foreign VPN.

I could go through the OpenVPN server in my house from a client in my house, and out to the foreign VPN server. However, I could not do an "ssh -D 8080 user@mypersonalserver.com" from the hospital and browse from the hospital to my server and then on out to the VPN provider. The following fixed that problem.

Here is my /etc/rc.d/rc.local on the server:

Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/root/vpn-script.sh
/etc/init.d/openvpn restart

Here is the /root/vpn-script.sh:

Code:
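#!/bin/bash
# Packets with source address 192.168.1.222 are looked up in routing table 10
ip rule add from 192.168.1.222 table 10
# Table 10 holds a single default route via 192.168.1.254
ip route add default via 192.168.1.254 table 10

Here is what the routing table looks like: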

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 bond0
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
link-local      *               255.255.0.0     U     1004   0        0 bond0
default         192.168.1.254   0.0.0.0         UG    0      0        0 bond0

Last edited by agentbuzz; 03-03-2015 at 02:22 PM.
 
  

