I have a Linux machine which is set to automatically connect a VPN tunnel into a corporate network. This machine is set to NAT traffic from the local network destined for 194.1.0.0/16** and 10.0.0.0/8 through the tunnel to machines within the corporate network.
Clients on the local network are set to have this server's IP as their default gateway, as issued via DHCP.
This all works pretty well except that traffic destined for the internet is being routed through this host as well, e.g. client A (192.168.1.144) wants to talk to Google's DNS server (8.8.8.8). What currently happens is that it sends its packet to the VPN host (192.168.1.108), which then sends it to the ADSL router (192.168.1.254), which forwards it out over the internet. The response then (presumably) returns via the VPN host before reaching A.
What I would like is for the VPN server, on receiving a packet not destined for the networks at the end of the VPN, to respond with an ICMP redirect instructing A to send via 192.168.1.254. This should then take the load away from the VPN server.
I have tried setting static routes in the DHCP server (ISC DHCPD on Ubuntu 16.04.1 LTS) so that the default gateway for everything is 192.168.1.254 and VPN hosts are accessible via 192.168.1.108, but I've either misconfigured it or the various clients fail to pick up the options. Clients are a range of Windows machines (7 & 10), Linux machines (mainly Ubuntu) and Android devices.
The VPN server is running Ubuntu 16.04.1 LTS. The following script sets up the NAT:
# enable IPv4 forwarding (written to /proc, so not persistent across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
# masquerade every forwarded packet; with no -o, this applies on any
# outgoing interface, ens2 (towards the ADSL router) as well as ppp0
iptables-restore <<EOF
*nat
-A POSTROUTING -j MASQUERADE
COMMIT
EOF
Routes on the machine are:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 ens2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens2
194.1.0.0       0.0.0.0         255.255.0.0     U     0      0        0 ppp0
194.1.1.220     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
Any help on getting this working would be appreciated. If I've missed out any info which could be pertinent please let me know.
** - please don't question why sections of my internal network aren't on private IP address ranges. I inherited this and will fix it once the rest of the problems I also inherited get sorted***.
*** - this could be a while.
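Editor's note (added example, not part of the question above): the DHCP approach the poster tried is the one worth getting right, because ICMP redirects are weak ground to build on. A redirect is an unauthenticated packet that any host on the LAN can spoof to steer a neighbour's traffic through itself, so Linux clients by default accept them only from their current default gateway (net.ipv4.conf.*.secure_redirects) and many hardened or mobile images drop them entirely. Classless static routes (RFC 3442, DHCP option 121; Windows historically requests the same encoding under Microsoft's option code 249) push the split explicitly. Two details trip people up: a client that understands option 121 must ignore option 3 (routers), so the default route has to be inside the option value, and the value is written in dhcpd.conf as a list of decimal octets. The script below, using the addresses from the question, encodes and decodes that value and prints a dhcpd.conf fragment; the option names rfc3442-classless-static-routes and ms-classless-static-routes are declared locally in that fragment (any name works once the code is declared), and the fragment is meant to be merged into the existing subnet declaration, not used on its own.

```python
"""RFC 3442 (DHCP option 121 / Microsoft 249) classless static route
encoder and decoder, plus an ISC dhcpd.conf fragment generator.

Added example for the question above; not the poster's configuration.
Addresses are taken from the question; option names in the fragment
are local declarations chosen here.
"""
import ipaddress

# Routes from the question: (destination prefix, next hop).
# The default route must be included: a client that understands
# option 121 MUST ignore option 3 (routers), per RFC 3442.
ROUTES = [
    ("10.0.0.0/8", "192.168.1.108"),    # corporate, via the VPN host
    ("194.1.0.0/16", "192.168.1.108"),  # corporate, via the VPN host
    ("0.0.0.0/0", "192.168.1.254"),     # everything else, via the ADSL router
]


def encode_routes(routes):
    """Return the RFC 3442 wire encoding of (prefix, gateway) pairs.

    Each route is: one byte of prefix length, then only the significant
    octets of the destination (ceil(prefixlen / 8) of them), then the
    four-octet router address.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_routes(data):
    """Parse an option 121/249 value back into (prefix, gateway) pairs.

    Raises ValueError on a truncated or malformed value so that a bad
    option is rejected whole rather than half-applied.
    """
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("prefix length %d > 32 at offset %d" % (plen, i))
        nsig = (plen + 7) // 8
        if i + 1 + nsig + 4 > len(data):
            raise ValueError("truncated route at offset %d" % i)
        dest = bytes(data[i + 1:i + 1 + nsig]) + b"\x00" * (4 - nsig)
        gw = bytes(data[i + 1 + nsig:i + 5 + nsig])
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
        i += 1 + nsig + 4
    return routes


def dhcpd_option_value(routes):
    """The value as written in dhcpd.conf for an
    'array of unsigned integer 8' option: decimal octets, comma separated."""
    return ", ".join(str(b) for b in encode_routes(routes))


def dhcpd_conf_fragment(routes, subnet="192.168.1.0", netmask="255.255.255.0"):
    """dhcpd.conf fragment carrying the routes under both option codes.

    'option routers' is kept for clients that understand neither code.
    """
    value = dhcpd_option_value(routes)
    default_gw = next(gw for dest, gw in routes if dest == "0.0.0.0/0")
    return "\n".join([
        "# option names below are local declarations; 121 and 249 share one encoding",
        "option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;",
        "option ms-classless-static-routes code 249 = array of unsigned integer 8;",
        "subnet %s netmask %s {" % (subnet, netmask),
        "    option routers %s;" % default_gw,
        "    option rfc3442-classless-static-routes %s;" % value,
        "    option ms-classless-static-routes %s;" % value,
        "}",
    ])


if __name__ == "__main__":
    print(encode_routes(ROUTES).hex())
    print(dhcpd_conf_fragment(ROUTES))
```

Running it prints the 18-byte option value as hex followed by the fragment; the decoder doubles as a check that what the server will hand out is what you meant, and its length check is the same one a careful client implementation needs, since a truncated route entry would otherwise be read past the end of the option.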