Set OpenVPN client to use the local gateway while maintaining client-to-client support - networking

I'd like to set up a vpn to allow two separate computers to connect to each other.
I've found a bunch of places where they say you should remove redirect-gateway def1 bypass-dhcp from the server config and add a route route 10.0.0.0 255.255.255.0 vpn_gateway to make connecting to the private network work. But this doesn't seem to do what I want.
Yes, it now makes all requests via my local gateway (all servers report my public IP is my own IP, rather than that of the VPN), but now connecting to other clients no longer works.
I can still connect to my own private IP (10.0.0.0) as assigned by the VPN, but other clients cannot reach me on this same IP.
My client.conf:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
My server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
ccd/myclient
ifconfig-push 10.0.0.0 255.255.255.255
How can I make client-to-client work without making all my regular traffic flow through the vpn?
edit: After some more experimenting I've figured out that this setup is working fine as long as the assigned private IP is in the 10.8.0.x range. I have a few static private IPs in the 10.0.0.x range, so that's why it isn't working. I'd still like to use these IPs though.

I ended up changing the server config to use 10.0.0.x as default pool.
I changed:
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
to
server 10.0.0.0 255.255.255.0
I don't like that static and dynamic IPs are now both using the same pool, but this is the best I can do.
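A config check built on what the edit above found (client-to-client only worked for addresses inside the server pool): it reads the server directive and every ccd ifconfig-push and lists the clients whose static address lies outside the pool. This is an added example, not code from the original post; the ccd contents, the second client "laptop" and the inline copy of server.conf are constructed.

```python
import ipaddress
import re

# Constructed: the directives from the server.conf in the question that this check needs.
SERVER_CONF = """\
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
client-config-dir ccd
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
"""

# Constructed ccd directory: "myclient" is the entry from the question, "laptop" is hypothetical.
CCD_FILES = {
    "myclient": "ifconfig-push 10.0.0.0 255.255.255.255\n",
    "laptop": "ifconfig-push 10.8.0.50 255.255.255.0\n",
}


def server_pool(conf: str) -> ipaddress.IPv4Network:
    """Return the subnet handed out by the 'server' directive (network + netmask form)."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf, re.M)
    if not m:
        raise ValueError("no 'server' directive found")
    return ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")


def static_addresses(ccd: dict) -> dict:
    """Map each ccd file name to the IPv4 address in its ifconfig-push line."""
    out = {}
    for name, text in ccd.items():
        m = re.search(r"^ifconfig-push\s+(\S+)", text, re.M)
        if m:
            out[name] = ipaddress.IPv4Address(m.group(1))
    return out


def outside_pool(conf: str, ccd: dict) -> list:
    """Names of ccd clients whose static address is not inside the server pool."""
    pool = server_pool(conf)
    return sorted(n for n, a in static_addresses(ccd).items() if a not in pool)


if __name__ == "__main__":
    for name in outside_pool(SERVER_CONF, CCD_FILES):
        print(f"{name}: static address outside {server_pool(SERVER_CONF)}")
```

Running it against the original server line flags "myclient"; after the poster's change to server 10.0.0.0 the same check would instead flag any client still pinned to 10.8.0.x.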

Related

How to identify which network interface is used for a given route?

I am on a Windows 10 machine. I have got the below routes configured in my machine.
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 1
10.1.0.0 255.255.0.0 192.168.2.1 192.168.2.5 1
10.2.0.0 255.255.0.0 192.168.3.1 192.168.3.5 1
When I ping IP 10.1.1.1, I want to determine which network interface will be used to route the traffic.
Is there any network utility that can help me find the correct route based on the destination IP?
If you ping 10.1.1.1, it will use the interface with the IP 192.168.2.5 looking at your route table.
You can also use tracert 10.1.1.1 to see what route your network traffic will take.

Trouble with static routing on a single-router network simulated in GNS3

I'm trying to simulate this simple one-router network in GNS3, but I'm having trouble setting up static routing from the left half (connected to the router's fastEthernet0/0) to the right half (connected to the router's fastEthernet0/1).
Here is the sequence of commands I type in the router telnet, but as you can see below, no static route is made and I can't understand why.
conf t
interface fastEthernet0/0
ip address 192.168.88.5 255.255.255.0
no shut
interface fastEthernet0/1
ip address 10.0.0.5 255.255.255.0
no shut
end
conf t
ip route 192.168.88.0 255.255.255.0 10.0.0.1
ip route 192.168.88.0 255.255.255.0 10.0.0.2
ip route 10.0.0.0 255.255.255.0 192.168.88.1
ip route 10.0.0.0 255.255.255.0 192.168.88.2
end
show ip route
The result, as you can see there's no static route built at all:
What may I be doing wrong? All help will be appreciated. (note: I'm not allowed to change the network topology or add new routers)
You'd better use your router's interface as a gateway for connecting to other networks.
So you may use:
ip route 192.168.88.0 255.255.255.0 fastEthernet0/0
Instead of fastEthernet0/0, you can say 192.168.88.5. Both are correct.
ip route 10.0.0.0 255.255.255.0 10.0.0.5
The problem with your code is you're targeting the whole network to just one system in your whole network.
Your target to another network should be either your router's interface or another (next) router's interface.

Where does my traffic go when I use a VPN? Tcpdump shows no outgoing traffic when VPN enabled

I have two machines, machine A sending packets to machine B.
If I use
tcpdump -i <interface> udp port <port>
on machine A, I can see the traffic going out.
However when I enable the VPN, I then see nothing coming out of that port.
And I would like to understand why.
The VPN is IPsec based which I understand encrypts the packets, and has the tunneling mode as a typical default.
I was going through some stuff on IPsec VPNs and saw it mentioned that the VPN sends the packets out of different ports. I saw port 4500 mentioned in a number of places, as well as some other port numbers.
I did try the ports listed but saw nothing at any of them.
Is my issue that I am performing the traffic dump at the wrong port? If so, is there a way to determine which port the outgoing traffic of machine A is leaving from?
If it is another issue, what might it be? Is it possible to monitor my outgoing traffic from a machine with a VPN tunnel enabled?
When you initially capture packets, you are seeing traffic on your default interface (whichever that is). When you enable your VPN, part of the setup process is to make the VPN virtual interface the default interface. Depending on your system, this will mean giving the VPN interface a higher routing metric or higher routing priority in the list.
After you enable your VPN connection, your routing table should change (see below). You should also see the name of your VPN connection with these commands (as new default interface), which can be used as the interface name with tcpdump. Note that depending on your system/VPN solution, you might need to do additional configuration to get the necessary vpn interface name.
Route metrics on various systems
netstat -rn will show you the routing table on most systems (Windows, Macos, Linux, BSD, ...), but won't show you the routing metrics.
The following commands will show you routing metrics (with sample output shown). As you can see, on Ubuntu/Windows, there's a routing metric number, but on Macos, there's a routing ordering. The way you change the routing ordering in Macos is to literally just change the list order like networksetup -ordernetworkservices service1, service2...
Ubuntu 18.04
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.2 0.0.0.0 UG 100 0 0 enp0s3
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s3
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s3
Macos 10.15
$ networksetup -listnetworkserviceorder
An asterisk (*) denotes that a network service is disabled.
(1) AX88179 USB 3.0 to Gigabit Ethernet
(Hardware Port: AX88179 USB 3.0 to Gigabit Ethernet, Device: en5)
(2) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)
(3) Bluetooth PAN
(Hardware Port: Bluetooth PAN, Device: en3)
(4) Thunderbolt Bridge
(Hardware Port: Thunderbolt Bridge, Device: bridge0)
(5) Corporate VPN
(Hardware Port: L2TP, Device: )
Windows 10
C:\Users\rj>route print
===========================================================================
Interface List
5...08 00 27 04 b9 fa ......Intel(R) PRO/1000 MT Desktop Adapter
3...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.2 10.0.2.15 25
10.0.2.0 255.255.255.0 On-link 10.0.2.15 281
10.0.2.15 255.255.255.255 On-link 10.0.2.15 281
...
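The route lookup behind the "which network interface" answer above (longest prefix match, lower metric on ties), as an added example that is not code from any of these posts. It uses the Windows route table from that question and, generalizing, shows two ways a VPN takes over the default route: the pair of /1 routes that OpenVPN's redirect-gateway def1 (mentioned in the first question) installs, and a second default route with a lower metric as described in the tcpdump answer. The interface name vpn0, its gateway 10.8.0.1 and the VPN metrics are constructed.

```python
import ipaddress

# Constructed from the Windows route table in the question:
# (destination, netmask, gateway, interface, metric)
WINDOWS_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.5", 1),
    ("10.1.0.0", "255.255.0.0", "192.168.2.1", "192.168.2.5", 1),
    ("10.2.0.0", "255.255.0.0", "192.168.3.1", "192.168.3.5", 1),
]

# Constructed: what "redirect-gateway def1" adds on a client. Two /1 routes cover all of
# IPv4 and beat the /0 default by prefix length, so the original default route stays put.
# Interface name "vpn0" and gateway 10.8.0.1 are assumptions.
DEF1_ROUTES = [
    ("0.0.0.0", "128.0.0.0", "10.8.0.1", "vpn0", 1),
    ("128.0.0.0", "128.0.0.0", "10.8.0.1", "vpn0", 1),
]

# Constructed: a VPN that instead adds a second default route with a lower metric
# (the mechanism the tcpdump answer describes; lower metric wins on Windows and Linux).
VPN_DEFAULT = ("0.0.0.0", "0.0.0.0", "10.8.0.1", "vpn0", 0)


def select_route(routes, dst):
    """Longest-prefix match; equal prefix lengths are decided by the lower metric.

    Returns (gateway, interface, metric) or None when no route matches.
    """
    addr = ipaddress.IPv4Address(dst)
    best_key, best = None, None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best = key, (gw, iface, metric)
    return best


def interface_for(routes, dst):
    """Interface a packet to dst leaves on, or None if it is unroutable."""
    r = select_route(routes, dst)
    return r[1] if r else None


if __name__ == "__main__":
    print("10.1.1.1 ->", interface_for(WINDOWS_ROUTES, "10.1.1.1"))
    print("8.8.8.8 with def1 ->", interface_for(WINDOWS_ROUTES + DEF1_ROUTES, "8.8.8.8"))
```

Whichever of the two mechanisms a VPN uses, the interface this returns for a public destination is the one to hand to tcpdump -i once the tunnel is up.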

Windows 2012 Server configure network to 2 ISP

I would appreciate any help with the configuration of MS Windows Server 2012 R2. I have tried several solutions, but none of them was appropriate.
The idea is on the attached schema below.
Server has AD.
Server has 2 NICs. Both are configured on the same subnet. (192.168.1.0) with IP addresses manually configured as is on the schema.
NIC 1:
IP:192.168.1.254
MASK: 255.255.255.0
GW: 192.168.1.1
DNS 1: 192.168.1.254
DNS 2: 192.168.1.1
Metric: 10
NIC 2:
IP:192.168.1.154
MASK: 255.255.255.0
GW: no
DNS 1: 192.168.1.154
DNS 2: 192.168.1.1
Metric 100
NIC 1 is connected to router from ISP 2.
NIC 2 is connected to router from ISP 1.
The goal is: All clients should have access to the internet via ISP 2. Some clients have access also via ISP 1 via VPN. ISP 1 does not provide public static IP address. ISP 1 yes. So only via ISP 1 is possible to access the local network via VPN.
How to configure server to accept VPN connection and route whole traffic from VPN to local and to ISP 2?
Also I have tried 2 subnets (for VPN clients 192.168.2.0, for local clients 192.168.1.0), but no success setting up routing.
Thanks.
This is not how you do this, rather you need a firewall that supports multiple WAN interfaces - examples are Peplink (great if you also want to load balance the ISPs or get increased throughput by leveraging both of them) other examples include the Cisco RVx series, or Zywall USG series.
Then your server can have one IP on the LAN (as it should) and you can use the ACL/Firewall rules to control what goes in/out which ISP.

CISCO router 827 - VPN ezvpn configuration

I'm facing this simple configuration and I can't figure it out.
Scenario:
With a Cisco VPN client (or iPad, iPhone...) I can connect to my company VPN.
What I know is:
VPN GROUP NAME
VPN KEY
VPN SERVER PUBLIC IP
VPN USERNAME and PASSWORD
Ip address of virtual adapter created by cisco vpn client: 10.0.201.31 255.255.255.0
My lan 172.23.28.0 255.255.255.224
Company lan 172.19.248.0 255.255.252.0
The question is "How can I handle this for my home LAN with a Cisco 827 router?"
I think the steps are:
1) configuring eth0, dns and dhcp (done)
2) configuring ATM0 and Dialer0 to get internet access (done)
3) configuring access list and ip routes for my lan (done)
4) configuring ezvpn parameters (done)
5) configuring virtual interface with Ip 10.0.201.31 (What kind of interface?)
6) Set inside and outside nat for "crypto ipsec client ezvpn MYVPNTUNNELNAME" (which interfaces and how ?)
7) configuring route to 172.19.248.0 255.255.252.0 (how?)
Here is my configuration:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R827
!
boot-start-marker
boot-end-marker
!
enable secret 5 cryptedSecret
enable password notcrypted
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.23.28.1
ip dhcp excluded-address 172.23.28.2
ip dhcp excluded-address 172.23.28.3
ip dhcp excluded-address 172.23.28.4
ip dhcp excluded-address 172.23.28.5
ip dhcp excluded-address 172.23.28.6
ip dhcp excluded-address 172.23.28.7
ip dhcp excluded-address 172.23.28.8
ip dhcp excluded-address 172.23.28.9
ip dhcp excluded-address 172.23.28.10
!
ip dhcp pool CeccoDhcp
network 172.23.28.0 255.255.255.224
default-router 172.23.28.1
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto ipsec client ezvpn MYVPNTUNNELNAME
connect auto
group MYGROUPNAME key MYGROUPKEY
mode network-extension
peer PUBLICIPOFVPNSERVER
username MYUSER password MYPASSWORD
!
!
!
interface Ethernet0
ip address 172.23.28.1 255.255.255.224
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username aliceadsl password 7 15130705072F2A203B3F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
!
access-list 101 permit ip 172.23.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
password MYTERMINALPASSWORD
login
!
scheduler max-task-time 5000
end
End of configuration.
Please note:
If I add
crypto ipsec client ezvpn MYVPNTUNNELNAME
to Dialer0
and
crypto ipsec client ezvpn MYVPNTUNNELNAME inside
to Ethernet0
I get this:
Tunnel name : MYVPNTUNNELNAME
Inside interface list: Ethernet0,
Outside interface: Dialer0
Current State: READY
Last Event: CONN_UP
Hope someone could help me.
Thanks in advance.
Cecco
Ok, I compared your config to some old notes I had. I did work turning up Cisco VPNs in the past so this jogged my memory.
I think the READY state and CONN_UP last event mean that it sits there, prior to authentication. And this may be because you're not telling the 871 how to handle XAUTH.
Try adding the below to your crypto ipsec client ezvpn section:
xauth userid mode interactive
That and turning debugging on should give you something to work on. Let me know how it goes.
Solved!!
Thanks to James's help I switched the ezvpn conf to "mode client" and with debug I noticed that the problem was on the server side, because "storage-password enable" was not set.
When the company's net admin told me that "storage-password enable" was set I just did:
conf t
int Dia0
crypto ipsec client ezvpn MYVPNTUNNELNAME
....and everything works perfectly :-)
