On Fri, Jun 8, 2018 at 4:34 PM Mick <michaelkintz...@gmail.com> wrote:
>
> On Friday, 8 June 2018 23:21:52 BST Grant Taylor wrote:
> > On 06/08/2018 03:31 PM, Hilco Wijbenga wrote:
> > > Sigh, I take it back. That causes the internal sites to no longer work.
> >
> > Okay.
> >
> > So you're on the proper track.
> >
> > I'm guessing the work network isn't a simple single prefix. Or at least
> > the VPN client doesn't route enough through the VPN.
> >
> > Check your routing table with the VPN connected. Is enough being routed
> > through? Do you need to add additional prefixes?
> >
> > If DNS is working properly for internal resources, make sure that what
> > they resolve to is routed through the VPN.
>
> I don't know what networkmanager offers in terms of VPN settings, but as Grant
> says you need to set split routing. As it currently is, everything is sent
> out through the tunnel and your work's router is not set up to route out to
> the Internet your VPN connection.
>
> If networkmanager does not get you what you want, you can do this with 'ip
> route'. Delete the default route, then set again the default route via the
> your local gateway:
>
> # ip route del default via 192.168.1.254 dev wlan0
> # ip route add default via 192.168.1.254 dev wlan0
>
> then create an additional route for the remote subnet if it's not there:
>
> # ip route add 10.10.20.0/24 via 172.16.1.1 dev wlan0
>
> Where 10.10.20.0/24 is your work's subnet and 172.16.1.1 is the local VPN IP
> address for your PC. Something along these lines ought to work.
I fooled around with "ip" but while removing ("del default") was easy,
"add default" did not seem to do anything.
Let me give some more information, perhaps that will help.
Setup without VPN
$ ip route
default via 192.168.151.1 dev eth0 proto static metric 100
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
(192.168.151.1 is my own gateway, an old computer functioning as router)
Setup with VPN (Gateway: vpn.company.com; Other DNS Servers:
dns1,dns2; Search Domains:
r1.i.company.com,r2.i.company.com,r3.i.company.com,r4.i.company.com,r5.i.company.com,r6.i.company.com,r7.i.company.com,r8.i.company.com,i.company.com,config)
$ ip route
default via 192.168.151.1 dev eth0 proto static metric 100
$SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src
$SOME_COMPANY_IP_1 metric 50
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
192.168.151.1 dev eth0 proto static scope link metric 100
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
(where $SOME_COMPANY_IP is the IP of some internal server, and
$VPN_GATEWAY is the IP of vpn.company.com).
==> This does _not_ allow me to access (e.g.) *.i.company.com but
everything else works fine.
Same setup but without "Use only for resources on this connection":
$ ip route
default dev tun0 proto static scope link metric 50
default via 192.168.151.1 dev eth0 proto static metric 100
$SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src
$SOME_COMPANY_IP_2 metric 50
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
192.168.151.1 dev eth0 proto static scope link metric 100
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
(note that $SOME_COMPANY_IP_1 and $SOME_COMPANY_IP_2 differ only in
the last digit; this seems to go up by one every time I connect to
VPN, so probably irrelevant)
==> This allows me to access *.i.company.com but breaks everything else.
What would be the "correct" output for "ip route"?
