
I can ssh into my Ubuntu VM (running in VMware Fusion) when I'm not on my employer's VPN. (It works both when the VM's network connection is NAT and bridged.) But when I connect to the VPN, I can no longer ssh into my VM:

$ ssh 172.16.193.128
ssh: connect to host 172.16.193.128 port 22: Operation timed out

I've tried with the network connection as NAT and bridged, and have the same problem. I've even tried switching from bridged to NAT after connecting to the VPN.

I can ping my Mac from the VM while connected to the VPN.

What is causing this problem? Any advice troubleshooting it? Is there a workaround?

(Note that I want to be able to ssh into the VM so I can mount its filesystem using MacFUSE and edit files using my Mac OS X editor, etc.)

Daryl Spitzer

2 Answers

2

My suspicion is that, when you connect to the VPN, it alters the routing tables on your computer, and redirects that route to the VPN. I believe running netstat -r while both connected and disconnected from the VPN, and diffing the results, would be the way to test for this.

I assume that you can not ping the VM from the Mac when connected, but can when disconnected.

I believe you can work around it by using a reverse SSH tunnel. (Here is one explanation on how to do it -- note that I haven't actually tried it.)

Alternately, does the VM have any other way to access it? Can you use mDNS (Bonjour) to connect, say, using hostname.local, where hostname is the VM's hostname?

Clinton Blackmore
  • Confirmed: `ping 172.16.193.128` times out just like ssh does. – Daryl Spitzer Dec 11 '09 at 18:00
  • I don't know how mDNS (Bonjour) works. I can't `ping dspitzer-desktop.local` (the VM's hostname is "dspitzer-desktop") when not connected to the VPN, though `ping 172.16.193.128` works. (And neither works when connected to the VPN.) Is there a way to list all domains on the local network using Bonjour? – Daryl Spitzer Dec 11 '09 at 18:06
  • To find things advertised by Bonjour, use Bonjour Browser ( tildesoft.com/Programs.html ). [There is a tool called 'mdns' built in, but I don't know how to use it.] I know that when a computer gets a self-assigned IP, it is in the 169.*.*.* range, and thought just perhaps the VM would retain a second IP there, but, on reflection, that doesn't make a lot of sense. The Bonjour name should route information to the computer/VM, but only if you could get at it by direct IP. My bad. – Clinton Blackmore Dec 11 '09 at 18:17
  • Glad to hear it. – Clinton Blackmore Dec 11 '09 at 18:22
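An added example (not code from either answer) of the diff-and-check the first answer suggests: it parses two constructed `netstat -rn` snapshots in macOS format, reports which routes the VPN client added or changed, and does the kernel's longest-prefix match to show which route the VM's address would take before and after the tunnel comes up. The snapshot contents, gateways and interface names are made up for illustration.

```python
import ipaddress

# Constructed snapshots in macOS `netstat -rn` style (abbreviated destinations),
# not real output from the machine in the question.
BEFORE_VPN = """\
Destination        Gateway            Flags        Netif
default            192.168.1.1        UGSc         en0
127                127.0.0.1          UCS          lo0
172.16.193/24      link#8             UC           vmnet8
192.168.1/24       link#4             UC           en0
"""
AFTER_VPN = """\
Destination        Gateway            Flags        Netif
default            10.0.0.1           UGSc         utun0
127                127.0.0.1          UCS          lo0
172.16.193/24      link#8             UC           vmnet8
172.16.193.128/25  10.0.0.1           UGSc         utun0
192.168.1/24       link#4             UC           en0
"""

def parse_dest(dest):
    """Expand a netstat-style destination ("127", "172.16.193/24") to a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:  # no prefix given: classful width, 4 octets means a host route
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_table(text):
    """Return {network: (gateway, netif)}; the Netif column is located from the header."""
    lines = text.splitlines()
    netif_col = lines[0].split().index("Netif")
    routes = {}
    for line in lines[1:]:
        fields = line.split()
        if len(fields) > netif_col:
            routes[parse_dest(fields[0])] = (fields[1], fields[netif_col])
    return routes

def best_route(routes, host):
    """Longest-prefix match: the entry the kernel would use for this host."""
    ip = ipaddress.ip_address(host)
    candidates = [n for n in routes if ip in n]
    if not candidates:
        return None
    best = max(candidates, key=lambda n: n.prefixlen)
    return (str(best),) + routes[best]

def diff_tables(before, after):
    """Routes that are new or point somewhere else once the VPN is up."""
    return {str(n): after[n] for n in after if before.get(n) != after[n]}
```

Run it against real `netstat -rn` output saved to two files before and after connecting; a winning route on the tunnel interface for the VM's address is the symptom the first answer describes.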
0

You could also choose not to use the default route on the VPN tunnel. That way all traffic except traffic for your VPN network will be sent normally. However, at my office we have multiple networks that are necessary when VPNing in. I have to add specific routes after creating the VPN tunnel every time.

Assuming:
10.0.0.100 for VPN assigned address of the Mac
10.0.0.0 with a subnet of 255.255.255.0 for the main work network
10.0.100.0 with a subnet of 255.255.255.0 for the second work network

Under Windows:
route add 10.0.100.0 mask 255.255.255.0 10.0.0.100
Under Linux:
route add -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.0.100