Hilco, I don't know if this thread was resolved - additional suggestions 
posted below.

On Saturday, 9 June 2018 01:20:18 BST Hilco Wijbenga wrote:

> Let me give some more information, perhaps that will help.
> 
> Setup without VPN
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 
> (192.168.151.1 is my own gateway, an old computer functioning as router)
> 
> 
> Setup with VPN (Gateway: vpn.company.com; Other DNS Servers: dns1,dns2;
> Search Domains: r1.i.company.com,r2.i.company.com,r3.i.company.com,
> r4.i.company.com,r5.i.company.com,r6.i.company.com,r7.i.company.com,
> r8.i.company.com,i.company.com,config)
> $ ip route
> default via 192.168.151.1 dev eth0 proto static metric 100
> $SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src $SOME_COMPANY_IP_1 metric 50
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
> 
> (where $SOME_COMPANY_IP is the IP of some internal server, and
> $VPN_GATEWAY is the IP of vpn.company.com).
> ==> This does _not_ allow me to access (e.g.) *.i.company.com but
> everything else works fine.

In the above setup you need to define a route for the subnet of your company's 
LAN.  For example, if the LAN of your company is 10.0.20.0/24:

 ip route add 10.0.20.0/24 via $SOME_COMPANY_IP_1 dev tun0

should push all connections to your company's LAN via the tunnel tun0.

Two commands to help you see what routes your VPN client is setting up are:

 ip rule list

which may list some new tables (in addition to local, main and default), if 
your VPN client has set these up.  Then look at the contents of said table, 
e.g.:

 ip route show table 220

Not all clients create separate rules, so the changes may have been added to 
the main rule table.  If in doubt and you don't mind some noise, look at all 
the tables:

 ip route show table all

NOTE:  If you are accessing your company's LAN/servers using a FQDN instead of 
private IP addresses, then you will need to configure the appropriate 
nameserver for your company.  Check what has been entered in /etc/resolv.conf.


> Same setup but without "Use only for resources on this connection":
> $ ip route
> default dev tun0 proto static scope link metric 50

Device tun0 has a higher metric than your physical eth0 device below.  I 
expect all connections which can be routed via tun0 will be routed so.

> default via 192.168.151.1 dev eth0 proto static metric 100

I'm not sure if this will work, but you can try changing the metric of device 
eth0, so it takes precedence over tun0; e.g.:

ip route replace default via 192.168.151.1 dev eth0 proto static metric 30

ip route show 

ip route delete default via 192.168.151.1 dev eth0 proto static metric 100


> $SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src $SOME_COMPANY_IP_2 metric 50
> 127.0.0.0/8 via 127.0.0.1 dev lo
> 192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
> 192.168.151.1 dev eth0 proto static scope link metric 100
> $VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100
> 
> (note that $SOME_COMPANY_IP_1 and $SOME_COMPANY_IP_2 differ only in
> the last digit; this seems to go up by one every time I connect to
> VPN, so probably irrelevant)
> ==> This allows me to access *.i.company.com but breaks everything else.

I expect it breaks everything else (connections to anything outside your 
company's LAN) because everything is sent out tun0, which has a higher priority 
than your eth0, but your company's routing on the other side, once it receives 
the packets, does not allow outgoing connections from your allocated 
$SOME_COMPANY_IP_2 to the Internet.

TBH I wouldn't select "Use only for resources on this connection", because 
this creates a full tunnel. 

> What would be the "correct" output for "ip route"?

Different VPN clients create rules and entries in different tables, so there 
isn't a straightforward "correct" ip route output.  In any case, using 'ip 
route show table all' you should be able to see a route which allows 
connections to your company's LAN subnet to be sent out via tun0 and 
connections to the rest of the world to be routable via your eth0.

What VPN client are you using?

-- 
Regards,
Mick

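As an added check (example code written alongside this thread, not something from the thread or from any VPN client), the script below parses `ip route` output and applies the kernel's longest-prefix, lowest-metric lookup to confirm the split tunnel Mick describes: LAN hosts out tun0, everything else out eth0. The company LAN 10.0.20.0/24, the tun0 address 10.0.20.17 and the gateway address 203.0.113.5 are assumed placeholder values.

```python
"""Check a Linux routing table for split-tunnel behaviour (added example)."""
import ipaddress
import subprocess

# Constructed sample in the shape of the `ip route` output quoted in the thread;
# the company LAN (10.0.20.0/24), the tun0 address (10.0.20.17) and the VPN
# gateway address (203.0.113.5) are assumed placeholder values.
SAMPLE_ROUTES = """\
default via 192.168.151.1 dev eth0 proto static metric 100
10.0.20.0/24 via 10.0.20.17 dev tun0
10.0.20.17 dev tun0 proto kernel scope link src 10.0.20.17 metric 50
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric 100
192.168.151.1 dev eth0 proto static scope link metric 100
203.0.113.5 via 192.168.151.1 dev eth0 proto static metric 100
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        # `ip route` omits the metric field when the metric is 0
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def lookup(routes, addr):
    """Device a packet to addr leaves on: longest prefix wins, and among
    equal prefixes the lowest metric wins, mirroring the kernel FIB."""
    ip = ipaddress.ip_address(addr)
    candidates = [(n.prefixlen, -m, d) for n, d, m in routes if ip in n]
    return max(candidates, key=lambda c: c[:2])[2] if candidates else None


def split_tunnel_ok(routes, lan, vpn_dev="tun0", phys_dev="eth0"):
    """True when a LAN host is reached via the tunnel while an Internet host
    (198.51.100.9, a documentation address) still leaves via the physical NIC."""
    lan_host = str(ipaddress.ip_network(lan).network_address + 1)
    return lookup(routes, lan_host) == vpn_dev and lookup(routes, "198.51.100.9") == phys_dev


if __name__ == "__main__":
    live = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
    print("split tunnel OK" if split_tunnel_ok(parse_routes(live), "10.0.20.0/24") else "check routes")
```

Run it after connecting to the VPN; a full tunnel (default dev tun0 with the lower metric) makes the Internet probe resolve to tun0 and the check fail.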