How to route traffic over the a tun0 device (IPSec VPN connection)

ipsecroutingtun

I've set up an IPSec VPN tunnel between my laptop and work. The tunnel gets established, but routing does not.

The relevant part of ifconfig is :

eth0      Link encap:Ethernet  HWaddr d4:be:d9:6f:a7:eb  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:20 Memory:f7d00000-f7d20000 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.100.10  P-t-P:192.168.100.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 68:94:23:8e:82:0d  
          inet addr:192.168.1.73  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6a94:23ff:fe8e:820d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15702 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:17288561 (17.2 MB)  TX bytes:2462845 (2.4 MB)

The relevant part of route -n is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0

I'm using the IPSec/IKEv2 (strongswan) network manager plugin in Ubuntu to establish the connection.

Let's say I'd like all traffic to get routed over the tun0 device, how do I do that?

Best Answer

Take a look to this answer.. specially the part about the IPTABLES rules... I think it should solve your problem:

OpenVPN not default gateway for all traffic

Related Solutions

Openvpn for client/server in same subnet

Your default route metric value is lower than the 10.22.0.0/16 route and it gets routed to the default route. In resolving routes, if more than one route matches destination, the lower metric value route takes precedence.

Either push a default route through VPN or lower metric for 10.22.0.0/16 (increase metric for default route).

It should look like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23    1000
    10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
    10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
   10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
  10.22.8.255  255.255.255.255         On-link        10.22.8.10    286

Centos 6.2 Fresh ‘Basic Server’ install networking issues

Your routes and configuration look fine.

$: route -n
Destination // Gateway // Genmask // Flags // Metric // Ref // Use // Iface
66.*.*.0       0.0.0.0    255.255.255.248   U   1003      0   0     0  em2
0.0.0.0        66.*.*.1   0.0.0.0           UG     0      0   0     0  em2

The first route, 66.*.*.0/29 with gateway 0.0.0.0 tells your computer to use interface em2 and then make an arp request to find the hardware address of the host you're trying to reach. This is a "connected" route.

The second one is the default route, pointing at your default gateway through em2. If you need to send a packet in another network than 66.*.*.0/29, your computer will make an arp request to find 66.*.*.1 and then send the packets to it.

The only thing in your configuration that could be an issue is the NM_CONTROLLED=yes statement in /etc/sysconfig/network-scripts/ifcfg-em2. This tells the system that this interface is controlled by NetworkManager. This could interfere with your static configuration.

However, even without any default gateway you should be able to ping and ssh from the 66.*.*.0/29 subnet to your machine.

Check layer 1 first, and ensure that the cable is plugged on each side. Use leds on nic and switch, and check if the system sees it correctly:

# mii-tool
eth0: negotiated 1000baseT-FD flow-control, link ok

Then verify if any iptables are dropping the packets. Use iptables -L or iptables-save to check for any rules, and iptables -D <rule> to delete them. Pay attention to the default policy.

Also, on some systems, NetworkManager can configure ufw automatically, and I've had issues with static interface configuration that wasn't seen by NM and hence blocked by ufw.

Best Answer

Related Solutions

Openvpn for client/server in same subnet

Centos 6.2 Fresh ‘Basic Server’ install networking issues

Related Topic