Where does my traffic go when I use a VPN? Tcpdump shows no outgoing traffic when VPN enabled - vpn

I have two machines, machine A sending packets to machine B.
If I use
tcpdump -i <interface> udp port <port>
on machine A, I can see the traffic going out.
However when I enable the VPN, I then see nothing coming out of that port.
And I would like to understand why.
The VPN is IPsec based which I understand encrypts the packets, and has the tunneling mode as a typical default.
I was going through some stuff on IPsec VPNs and saw it mentioned that the VPN sends the packets out of different ports. I saw port 4500 mentioned in a number of places, as well as some other port numbers.
I did try the ports listed but saw nothing at any of them.
Is my issue that I am performing the traffic dump on the wrong port? If so, is there a way to determine which port the outgoing traffic of machine A is leaving from?
If it is another issue, what might it be? Is it possible to monitor my outgoing traffic from a machine with a VPN tunnel enabled?

When you initially capture packets, you are seeing traffic on your default interface (whichever that is). When you enable your VPN, part of the setup process is to make the VPN virtual interface the default interface. Depending on your system, this will mean giving the VPN interface a higher routing metric or higher routing priority in the list.
After you enable your VPN connection, your routing table should change (see below). You should also see the name of your VPN connection in the output of these commands (as the new default interface), which can be used as the interface name with tcpdump. Note that depending on your system/VPN solution, you might need to do additional configuration to get the necessary VPN interface name.
Route metrics on various systems
netstat -rn will show you the routing table on most systems (Windows, Macos, Linux, BSD, ...), but won't show you the routing metrics.
The following commands will show you routing metrics (with sample output shown). As you can see, on Ubuntu/Windows, there's a routing metric number, but on Macos, there's a routing ordering. The way you change the routing ordering in Macos is to literally just change the list order like networksetup -ordernetworkservices service1, service2...
Ubuntu 18.04
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
Macos 10.15
$ networksetup -listnetworkserviceorder
An asterisk (*) denotes that a network service is disabled.
(1) AX88179 USB 3.0 to Gigabit Ethernet
(Hardware Port: AX88179 USB 3.0 to Gigabit Ethernet, Device: en5)
(2) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)
(3) Bluetooth PAN
(Hardware Port: Bluetooth PAN, Device: en3)
(4) Thunderbolt Bridge
(Hardware Port: Thunderbolt Bridge, Device: bridge0)
(5) Corporate VPN
(Hardware Port: L2TP, Device: )
Windows 10
C:\Users\rj>route print
===========================================================================
Interface List
5...08 00 27 04 b9 fa ......Intel(R) PRO/1000 MT Desktop Adapter
3...02 00 4c 4f 4f 50 ......Npcap Loopback Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15      25
         10.0.2.0    255.255.255.0         On-link        10.0.2.15     281
        10.0.2.15  255.255.255.255         On-link        10.0.2.15     281
...
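As an added example (not part of the answer above), the following Python script applies the answer's reasoning mechanically: it parses a routing table in `route -n` layout, picks the route the Linux kernel would use for machine B (longest prefix first, then lowest metric), and derives the tcpdump invocation that will actually show the traffic. The "before VPN" table is the Ubuntu output quoted above; the "after VPN" table, the `tun0` interface name, the VPN gateway 203.0.113.10, machine B at 198.51.100.7 and UDP port 5000 are all constructed for the example. The second capture command reflects a fact the answer does not spell out: on the physical (underlay) interface an IPsec VPN shows ESP (IP protocol 50), or UDP-encapsulated ESP on port 4500 behind NAT, and never the application port, because that port is inside the encrypted payload.

```python
"""Added example: which interface does a destination leave through, and
what tcpdump filter will show the traffic there?  Not from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Routing table quoted in the answer above (Ubuntu 18.04, `route -n`).
BEFORE_VPN = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
"""

# Constructed: the same host after a tunnel-interface VPN comes up.  The VPN
# adds a default route with a lower (better) metric on tun0 and a /32 host
# route so its own encrypted packets to the VPN gateway still use enp0s3.
AFTER_VPN = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 tun0
0.0.0.0         10.0.2.2        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
203.0.113.10    10.0.2.2        255.255.255.255 UGH   100    0        0 enp0s3
"""

MACHINE_B = "198.51.100.7"   # constructed address for machine B
APP_PORT = 5000              # constructed UDP port used by the application


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    metric: int
    iface: str


def parse_route_n(text: str) -> List[Route]:
    """Parse `route -n` output; skips the two header lines."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        routes.append(Route(net, gw, int(metric), iface))
    return routes


def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def capture_commands(route: Route, port: int, underlay: str) -> List[str]:
    """tcpdump commands that will show the traffic for this route.

    If the route leaves via a tunnel interface, the plaintext UDP is visible
    there, while the underlay carries only ESP / NAT-T (UDP 4500).  If the
    route leaves via the underlay itself, either there is no VPN or a
    policy-based IPsec VPN with no tunnel interface encrypts in place; one
    filter covers both cases.
    """
    if route.iface == underlay:
        return [f"tcpdump -ni {underlay} 'udp port {port} or esp or udp port 4500'"]
    return [
        f"tcpdump -ni {route.iface} udp port {port}",      # inner, plaintext
        f"tcpdump -ni {underlay} 'esp or udp port 4500'",  # outer, encrypted
    ]


if __name__ == "__main__":
    for label, table in (("before VPN", BEFORE_VPN), ("after VPN", AFTER_VPN)):
        r = select_route(parse_route_n(table), MACHINE_B)
        print(f"{label}: {MACHINE_B} via {r.iface} ({r.network}, metric {r.metric})")
        for cmd in capture_commands(r, APP_PORT, underlay="enp0s3"):
            print("   ", cmd)
```

Run it and the "after VPN" case selects `tun0` for machine B because both default routes are /0 and the tunnel's metric 50 beats 100, while 203.0.113.10 still goes out `enp0s3` because its /32 host route is more specific than either default, regardless of metric. The same selection rule explains the metric tweaks in the related questions below. If no tunnel interface ever appears after the VPN comes up (common with policy-based IPsec on Linux), capture on the physical interface with the combined filter and expect ESP rather than your application port.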

Related

Pi 4: Wireless network interface doesn't work if both eth0 and wlan0 are active/connected

I'm running a Pi 4 with Raspbian for my home automation, and it's connected through both of its network interfaces: eth0 (Ethernet) and wlan0 (Wi-Fi).
The wlan0 is connected to the network 10.10.10.0/24, which is the VLAN for management. This VLAN is configured on the unifi edgerouter x and uap-ac-lite access point. If only wlan0 is active (i.e, I only use the wifi on the Pi), the Pi should be able to see devices on the other VLANs, for example 10.10.50.0/24 for IoT devices.
However, as the Pi is running Unifi controller, I also need to connect it to the edge router's physical network 192.168.10.0/24 so I can manage the access point. This means, the eth0 is active, which somehow makes VLAN 10.10.50.0/24 inaccessible. I disconnect the ethernet cable and the 10.10.50.0/24 is accessible again.
My best guess is that if both interfaces are enabled, only 1 of them (eth0 in this case) will be used for the default routing. Is it possible to make both routing accessible, depending on the destination networks?
Never mind, I have found the answer: Simply change priority of the wifi network routing by adding metric 100 to wlan0 section in dhcpcd.conf

How to make a desktop (with two network cards) as a router

I have a Win 10 machine (A) with 2 network cards, but only one Ethernet port at my workplace, and recently I got another machine (B). What I want to do is connect machine A's first network card to the Ethernet port, and connect machine A's second network card to machine B.
So I configured machine A (Win 10) as follows:
[NIC1]:
IP: 202.3.4.136
Subnet: 255.255.255.0
Gateway: 202.3.4.1
[NIC2]:
IP: 192.168.1.1
Subnet: 255.255.255.0
Gateway: 202.3.4.136
I configure machine B as follows:
[NIC1]:
IP: 192.168.1.2
Subnet: 255.255.255.0
Gateway: 192.168.1.1
It's possible to ping machine B from machine A, and vice versa. However, I cannot access the Internet from machine B. So I tried the method mentioned here, adding route add -p 192.168.1.0 MASK 255.255.255.0 192.168.1.1 on machine A. It still does not work. What is the problem? Thank you!
The network topology looks like this:
[port to Internet] <------> (NIC1) Machine A (NIC2) <------> (NIC1) Machine B
If you were using Win10, you could just turn on the Internet Connection Sharing on the public NIC, then set the corresponding IP of the following private NICs.
You have to tell machine B to use 192.168.0.1 as default gateway. It makes no sense to introduce yet another subnet 192.168.1.x into the situation.
Machine A needs to be told to do the routing and NAT for B.
With these keywords, please google for concrete steps, you will find an abundance of tutorials.

LCM UDP Message Through Shared Network

Folks,
I have an Ubuntu machine connected to the Internet through wireless (wlan0), and I am sharing this connection to my Ethernet port (eth1). This Ethernet port is connected to a switch, and two Windows machines are connected to the same switch. So the two Windows machines have static IPs on the LAN created by sharing wlan0 to eth1, and I can communicate with all 3 computers at the same time (this works, since I can SSH and remote-access all 3 computers).
My problem is that when I run my LCM program (with TTL = 1) on my Windows PC, I cannot receive the messages on my Ubuntu machine (meaning the messages should pass through the Ethernet). How can I make sure the UDP messages can be routed back to my Ubuntu machine from the Windows machines while the wireless network is running?
This was my solution to the problem (right there on the LCM website):
sudo ifconfig eth1 multicast
sudo route add -net 224.0.0.0 netmask 240.0.0.0 dev eth1
Now all my UDP packets are routed only through eth1. And my shared network (from wlan0) is still intact after this. So all computers have internet at the same time. So great!

Change gateway sequence with network manager

My computer has 2 ethernet ports and 1 wireless port. One of the ethernet ports (eth5) and the wireless port (wlan0) are both configured to connect to a network server, and the other ethernet port (eth4) is configured to connect to a local network switch for communicating with some local devices. The route table of the computer looks like this (as I can not post image yet):
Destination     Gateway         Genmask         Iface
0.0.0.0         141.21.32.1     0.0.0.0         eth5
10.10.10.0      0.0.0.0         255.255.255.0   eth4
141.21.12.0     0.0.0.0         255.255.252.0   wlan0
141.21.32.0     0.0.0.0         255.255.224.0   eth5
169.254.0.0     0.0.0.0         255.255.0.0     eth5
My question is: how can I change the order of the gateways with network-manager in Ubuntu (permanently), so that the gateway of wlan0 will be used before eth4's? Otherwise, when I unplug the cable from eth5, I lose connection to the network (the gateway of eth4 is used by default).
I tried editing the /etc/network/interfaces file, but it conflicts with network-manager and cannot handle dynamic events (e.g., when a network cable is plugged or unplugged), meaning that its settings are static, while network-manager handles these things perfectly and changes the network configuration adaptively. So I would like to find a solution to this problem with network-manager.
The OS is Ubuntu 13.04 32-bit. Thanks for reading, and I would appreciate any advice!
Problem is solved by checking the option "use this connection only for resources on its network" in the "Routes" page of the IPv4 settings of the configuration interface for the local network (used by eth4) in network-manager.

How do I set an ip address for TUN interface on OSX (without destination address)?

How do I set an IP address for a TUN interface on OSX? I cannot figure out how to set up an IP address for my interface without specifying a destination IP. I don't want to do that; I want to more or less build a tunnel to an arbitrary address at a later point in time. Prior questions which are unhelpful:
There's a question that has an unclear answer, so I tried following the reference.
This question sets a point to point ip address for a tun device, so it has a destination, which is exactly what I don't want.
On the page for osxtuntap it says:
ifconfig tap0 10.1.2.3 up
I cannot make this work on OSX 10.6 for a TUN interface:
$ sudo ifconfig tun0 10.1.2.3 up
ifconfig: ioctl (SIOCAIFADDR): Destination address required
Adding a netmask doesn't help- OSX seems to demand a destination address:
$ ifconfig tun0 10.0.0.1/24 netmask 255.255.255.0
ifconfig: ioctl (SIOCAIFADDR): Destination address required
For linux, I get how it works. According to this page, you open() the interface, and use the ip command, and do this, and I've done this before with zero issues:
$ ip link set tun0 up
$ ip addr add 10.0.0.1/24 dev tun0
All I want to do is the same thing that I can do in linux.
EDIT:
I'm writing a little UDP tunnel app. Like so:
tun1 -> udp app #1 -> udp tunnel -> udp app #2 -> tun2
If the UDP apps are on different computers (let's say local and remote), I'd like to associate their respective tun devices with an IP address, so I can send a packet from local to remote via the tunnel by sending the packet to the IP address of the tun device on the remote machine.
To borrow more from the linux tutorial, the author sets up a tun device on local and remote, associates ips, and runs a simple tunneling app, and then pings the other end of the tunnel:
[remote]# ip link set tun3 up
[remote]# ip addr add 192.168.0.2/24 dev tun3
[remote]$ ./simpletun -i tun3 -s
# server blocks waiting for the client to connect
[local]# ip link set tun11 up
[local]# ip addr add 192.168.0.1/24 dev tun11
[local]$ ./simpletun -i tun11 -c 10.2.3.4
# nothing happens, but the peers are now connected
[local]$ ping 192.168.0.2
By default, tun devices operate in the layer 3 mode, aka point to point. You're asking for layer 2 mode which more closely resembles a generic Ethernet device. Linux calls these tap devices. In OpenBSD you can switch a tun device into layer 2 mode with "ifconfig tun0 link0". The Macintosh tuntaposx driver mimics Linux' device schism; open a tap device instead.
You might want to review https://community.openvpn.net/openvpn/wiki/BridgingAndRouting to determine if you really want tap devices. They add a little overhead. If you just need two boxes to pass IP packets between each other and no bridging or broadcasting to a larger subnet, point to point should be sufficient.
For example, if you have two machines, one we label "local" with a LAN IP address like 192.168.0.12 and another we label "remote" with a LAN IP address like 192.168.1.14, you can assign tunnel IP addresses thusly:
ifconfig tun0 inet 10.0.0.1 10.0.0.2 up
on the local system, and:
ifconfig tun0 inet 10.0.0.2 10.0.0.1 up
on the remote system. Note the reversed perspective on the remote machine. Do not set your point to point addresses to anything on an existing subnet; it will not route properly.
I can't stress this enough: read and re-read the manual pages ("man ifconfig" and "man tun", probably others) until they make sense. My ifconfig examples above may differ slightly from your operating system.
And for another perspective you might look into GRE tunnels as their functionality mirrors what you describe for your program. However, GRE is likely not viable in today's TCP-centric networks nor is it a good idea due to major security issues.
If your goal is to circumvent an overbearing firewall, be aware that many such firewalls block UDP (and especially GRE) packets. In such a case, try SSH interface tunneling to set up tun/tap interfaces and forward packets. You get encryption and optionally compression as well. :)