2

I want to establish a static route to a separate subnet, routing through a VPN. Debian Linux.

Machine A: VPN IP 10.1.1.10 --> Machine B (server) IP 10.1.1.2

Machine B: 3 network interfaces: eth0 LAN1 (172.x.x.x), tun/tap VPN (10.1.1.2), eth1 LAN2 (10.42.0.x).

Machine C: 10.42.0.10 (example)

Eth1 is a shared connection, allowing everything on the 10.42.0 subnet to access the 172.x subnet, with iptables forwarding packets and NAT to eth0. Works great.

I want machine A on the VPN network to be able to access the 10.42.0.x subnet. Basically, a static route to 10.42.0.xx through 10.1.1.2 from a machine on the 10.1.1.x VPN network.

Tolsadus
ideal_
  • What have you tried to add the route? Which VPN software are you using? What is the error you are encountering when adding the route? – Tero Kilkanen Mar 05 '17 at 18:10
  • @tero route -n add -net 10.42.0.0/24 10.1.1.2 (on the OSX client - machine "A") – ideal_ Mar 05 '17 at 21:56
  • What is the output of the command? What is the problem you are having after executing the command? Please add more details to the question. – Tero Kilkanen Mar 05 '17 at 23:07
  • There is no issue with actually adding the route - the problem is it doesn't allow a connection using the route, i.e. I cannot ping a machine on the 10.42.x subnet. I guess my question is what are the subnet parameters to use when adding a route, given the scenario I initially described, to allow traffic from the 10.0.x subnet to the 10.42.x subnet via 10.0.0.6 (which is connected to both). – ideal_ Mar 05 '17 at 23:13
  • What does the routing table look like after adding the route? – Tero Kilkanen Mar 05 '17 at 23:17
  • Sorry, I can't get it pasted here and formatted properly. Thanks anyways I'll try and figure it out. – ideal_ Mar 06 '17 at 01:10
  • Well, it takes two to tango when it comes to routing - there should be routes on **both** networks across the router that point in the right direction. What's your default gateway on 10.42.0.10 (machine C)? If it's not pointing to Machine B, you need a static route on Machine C for 10.1.1.x as well. – Peter Zhabin Mar 06 '17 at 16:06

1 Answer

0

It sounds like you need to push a route from your VPN server to do that.

For both OpenVPN and strongSwan, the VPN server announces a route to the subnet for all clients which don't have direct access to it.

That route can go via a specific IP from within the VPN pool, but you would need to make it a static assignment (i.e. if you push a route for 10.42.x via 10.1.1.2, then 10.1.1.2 should always be assigned to the machine that actually has access to 10.42.x.x).

The VPN client through which traffic is going to be routed to reach 10.42.x.x will then need to allow IP forwarding, and have suitable firewall rules to make everything work.

What you basically want is:

[machine C] -> [machine A] -> [machine B] -> 10.42.x.x

iwaseatenbyagrue
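As an added example (not code from the question or the answer), one way to carry out the answer's suggestion with OpenVPN on Debian: the server pushes the route to every client and pins the gateway's VPN address with a client-config-dir entry, and the gateway host enables forwarding with iptables rules limited to the two subnets involved. Assumed, not from the page: OpenVPN in `topology subnet`, a gateway client whose certificate CN is `gateway-b`, interfaces `tun0` and `eth1`, and the ccd path `/etc/openvpn/ccd`.

```shell
#!/bin/sh
# Added example for the answer above; the CN "gateway-b", tun0, eth1 and
# the ccd directory are assumptions, the addresses come from the question.
set -eu

VPN_NET=10.1.1.0/24        # VPN pool
LAN2_NET=10.42.0.0/24      # subnet behind the gateway host
GATEWAY_VPN_IP=10.1.1.2    # fixed VPN address of the gateway host
GATEWAY_CN=gateway-b       # assumed certificate CN of the gateway client

# Server side: lines to append to server.conf. Every client learns the
# route; the server itself needs a kernel route into the tunnel as well.
write_server_fragment() {
  cat <<EOF
push "route 10.42.0.0 255.255.255.0"
route 10.42.0.0 255.255.255.0
client-config-dir $1
EOF
}

# Per-client file: pin the gateway's address (answer's "static assignment")
# and tell the server with "iroute" that LAN2 lives behind this client.
write_ccd_entry() {
  ccd_dir=$1
  mkdir -p "$ccd_dir"
  cat >"$ccd_dir/$GATEWAY_CN" <<EOF
ifconfig-push $GATEWAY_VPN_IP 255.255.255.0
iroute 10.42.0.0 255.255.255.0
EOF
  printf '%s\n' "$ccd_dir/$GATEWAY_CN"
}

# Gateway host (machine B): forward only between the VPN and LAN2, with
# return traffic admitted via conntrack rather than an open FORWARD chain.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  iptables -A FORWARD -i tun0 -o eth1 -s "$VPN_NET" -d "$LAN2_NET" -j ACCEPT
  iptables -A FORWARD -i eth1 -o tun0 -s "$LAN2_NET" -d "$VPN_NET" \
           -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN2 hosts need a way back: either a route for $VPN_NET via the
  # gateway's eth1 address on each host, or NAT the VPN behind eth1.
  iptables -t nat -A POSTROUTING -s "$VPN_NET" -o eth1 -j MASQUERADE
}

# Only touch the live system when run as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
  write_server_fragment /etc/openvpn/ccd     # append this output to server.conf
  write_ccd_entry /etc/openvpn/ccd
  enable_forwarding
fi
```

If machine B is itself the OpenVPN server, as in the question, the client-config-dir entry is unnecessary; keep the push line, the forwarding switch and the firewall rules.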