
I have two Linux machines connected with a VPN tunnel:

VPN Client <-------> VPN Server
10.74.1.10/24         10.74.1.1/24 

Each one has NICs to reach their own networks:

---------> VPN Client <-------------------> VPN Server <------
10.37.0.205/24   10.74.1.10/24      10.74.1.1/24    10.74.0.1/24

And, of course, I have different Linux computers (Linux A, Linux B, etc.) on each network:

Linux A  <----> VPN Client <-----> VPN Server <----> Linux B

From VPN Client, I can ping to VPN Server and computers like Linux B.

Although from Linux A I can ping both of the VPN Client machine's interfaces (10.32.0.205 and 10.74.1.10), it turns out I can't ping VPN Server at 10.74.1.1 or any computer on network B.

I tried to add a new route on Linux A, but I get this:

$ sudo ip route add 10.74.1.1 via 10.74.1.10 dev eth0
RTNETLINK answers: Network is unreachable

$ sudo ip route add 10.74.1.1 via 10.37.0.205 dev eth0
RTNETLINK answers: Network is unreachable

How can I make this work? Maybe by configuring something on VPN Client?

EDIT:

The route table on VPN Client is this:

default via 10.37.0.1 dev eth0 
10.37.0.0/24 dev eth0  proto kernel  scope link  src 10.37.0.205 
10.74.0.0/16 via 10.74.1.9 dev tun0 
10.74.1.0/24 via 10.74.1.9 dev tun0 
10.74.1.9 dev tun0  proto kernel  scope link  src 10.74.1.10 
128.0.0.0/1 via 10.74.1.9 dev tun0 

The route table on Linux A:

default via 10.37.1.1 dev eth0 
10.37.1.0/24 dev eth0  proto kernel  scope link  src 10.37.1.217 

Also, I activated IP forwarding on VPN Client:

$ sudo sysctl -w net.ipv4.conf.all.forwarding=1

EDIT 2:

Packet filtering on VPN Client:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
JonDoe297

3 Answers

What kind of VPN are you using?

Sounds like your VPN Client should NAT traffic from Linux A to your VPN Server & Linux B. And/or: your Linux B does not have a route back to your VPN Client.

SYN
  • I'm using OpenVPN... So, do I need to configure NAT on Client VPN? I didn't do something like that yet. – JonDoe297 Dec 14 '16 at 04:09
  • You were right. The problem was the NAT configuration. Thanks! – JonDoe297 Dec 14 '16 at 04:44
  • Assuming your un-natted packets were passing through your VPN tunnel, then your OpenVPN server logs did probably tell about discarding traffic from unknown IPs. Nice to see you figured it out. – SYN Dec 14 '16 at 04:50
  • It is possible and cleaner to set this up without NAT. – Tero Kilkanen Dec 15 '16 at 03:02
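The NAT setup that the accepted answer and the comments point at, written out as an added example (this is not the asker's configuration and not OpenVPN's own tooling). It assumes the addresses from the question: the LAN side of VPN Client is 10.37.0.0/24 on eth0, the tunnel is tun0 and the remote side is 10.74.0.0/16. Commands are only printed unless APPLY=1 is set, so the rules can be reviewed first. Forwarding is restricted to the one LAN prefix and to return traffic instead of leaving the FORWARD chain at policy ACCEPT as in the question's iptables -L output:

```shell
#!/bin/sh
# Added example: make "VPN Client" a NAT gateway for hosts on its LAN so they
# can reach VPN Server and the hosts behind it. Defaults are assumptions taken
# from the question and can be overridden through the environment.
LAN_NET="${LAN_NET:-10.37.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.74.0.0/16}"

# Dry-run wrapper: print the command unless APPLY=1 is set.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Rules for the VPN Client itself.
gateway_rules() {
    run sysctl -w net.ipv4.conf.all.forwarding=1
    # Allow new flows only from the LAN prefix towards the VPN prefix, and
    # only reply traffic back; everything else that would be forwarded is dropped.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -d "$VPN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
    # Source NAT: VPN Server and Linux B only ever see the tunnel address of
    # VPN Client, so they need no route back to the 10.37.x network.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
}

# Route to add on each LAN host (Linux A): send the VPN prefix to the
# gateway's LAN address. That address must be on-link for the host.
lan_host_route() {
    gw="$1"
    run ip route add "$VPN_NET" via "$gw" dev "$LAN_IF"
}

gateway_rules
lan_host_route 10.37.0.205
```

Run it once without APPLY to read the rules, then with APPLY=1 on VPN Client; the last line is what goes on Linux A, not on the gateway. Masquerading hides the LAN behind the tunnel address, which is why the server side works without extra routes; the NAT-free variant mentioned by Tero Kilkanen instead needs VPN Server (and Linux B) to carry a route for the LAN prefix back through this client, which in OpenVPN is configured with the server's route and iroute directives.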

I have been struggling to find a simple solution to a problem similar to this and found that sshuttle is the simplest, at least as a temporary solution, as it was for me.

One Linux machine has access to a VPN, and with sshuttle running on another machine I got access to that VPN.

Furthermore, the routing could be easily filtered using a CIDR block as the last parameter. This improved the usability of the second machine, since not every call goes to the VPN-enabled machine.

sshuttle --dns -r user@192.168.86.100 10.208.0.0/16

Link: https://github.com/sshuttle/sshuttle

Installation is only necessary on the client. SSH access to the VPN-enabled machine is all that is required on that end.

If you add a route then the next hop must be link-local. Linux A can reach only the addresses 10.37.1.0/24 directly. But

ip route add 10.74.1.1 via 10.74.1.10 dev eth0

says: Send a packet to 10.74.1.1 to the link-local host 10.74.1.10. As 10.74.1.10 is not link-local (or: not configured as such) you get the error message Network is unreachable.

The next hop must be the local address of VPN Client:

ip route add 10.74.1.1 via 10.37.0.205 dev eth0
Hauke Laging
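The on-link test this answer describes, as an added example that is not part of the answer: the kernel only accepts a "via" gateway that falls inside one of the host's connected prefixes, otherwise it replies with "Network is unreachable". The script below reproduces that check in plain POSIX shell arithmetic. The prefixes it is fed are taken from the route table the question shows for Linux A (whose only connected prefix is 10.37.1.0/24); the function names are my own:

```shell
#!/bin/sh
# Added example: decide whether a proposed next hop is on-link for a host,
# which is exactly what "ip route add ... via GW" requires (unless the
# "onlink" flag is given).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer netmask for a prefix length, e.g. 24 -> 0xffffff00.
mask_from_len() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
    fi
}

# onlink GW PREFIX... : return 0 if GW lies inside any PREFIX (CIDR), else 1.
onlink() {
    gw=$(ip_to_int "$1"); shift
    for p in "$@"; do
        net="${p%/*}"; len="${p#*/}"
        m=$(mask_from_len "$len")
        if [ $(( gw & m )) -eq $(( $(ip_to_int "$net") & m )) ]; then
            return 0
        fi
    done
    return 1
}

# Print the verdict in words; returns the same status as onlink.
check_next_hop() {
    gw="$1"; shift
    if onlink "$gw" "$@"; then
        echo "$gw is on-link for $*: 'ip route add ... via $gw' is accepted"
        return 0
    fi
    echo "$gw is not on-link for $*: the kernel answers 'Network is unreachable'"
    return 1
}

# Constructed from the Linux A route table posted in the question.
LINUX_A_PREFIXES="10.37.1.0/24"
check_next_hop 10.74.1.10  $LINUX_A_PREFIXES || true
check_next_hop 10.37.0.205 $LINUX_A_PREFIXES || true
check_next_hop 10.37.1.1   $LINUX_A_PREFIXES || true
```

Run against the addresses on the page, it reports both 10.74.1.10 and 10.37.0.205 as off-link for a host whose only connected prefix is 10.37.1.0/24, which matches the two errors shown in the question; only the host's own router, 10.37.1.1, passes. Linux does accept an off-link gateway when the route is added with the onlink flag, but that only removes the error message: the packet is still delivered by ARP on eth0 and only arrives if the gateway really answers on that link.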