Multiple VPN's using openswan - vpn

I have a server that has 3 interfaces. One interface has IP 192.168.0.10 (eth0) and a second IP 192.168.0.11 (eth0:1), and the other two have IPs 192.168.6.10 (eth1) and 192.168.7.10 (eth2). I would like to use the server to create a VPN using Openswan to another server, 192.168.1.10. I have configured both sides and I can see the VPN works.
BUT in order to separate the .6 and the .7 traffic from each other, I have created 2 separate VPNs, configured and connected to the 192.168.1.10 server, and I can see they are both up.
The problem:
I can ping from the 192.168.6.0 subnet and reach 192.168.1.10, but from the 192.168.7.0 subnet to the 192.168.1.10 server it does not work.
I have all this configured in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
and the VPNs are both up on the 192.168.0.10 server,
but I can only see 192.168.1.10 from the 192.168.6.0/24 subnet. What am I missing to see 192.168.1.10 from the 192.168.7.0/24 network?
Just note that both VPNs terminate on the same VPN server, 192.168.1.10.
Thanks
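The first thing to verify in a setup like this is that each local subnet is actually covered by a tunnel definition whose selectors match the traffic: a packet from 192.168.7.x to 192.168.1.10 is only encrypted if some conn has a leftsubnet containing the source and a rightsubnet containing the destination, otherwise it is routed in the clear (and usually dropped on the far side). The following is an added example, not the asker's configuration: it parses a constructed ipsec.conf fragment (two conns to the same peer, one per local subnet) and reports which conn, if any, would carry a given source/destination pair. The conn names and addresses in the sample are constructed.

```python
import ipaddress

# Constructed ipsec.conf fragment (not the asker's file): two tunnels from the
# 192.168.0.x host to the same remote gateway, one per local subnet.
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

conn site-a-6
    left=192.168.0.10
    leftsubnet=192.168.6.0/24
    right=192.168.1.10
    rightsubnet=192.168.1.0/24
    auto=start

conn site-a-7
    left=192.168.0.11
    leftsubnet=192.168.7.0/24
    right=192.168.1.10
    rightsubnet=192.168.1.0/24
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf syntax."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header: "conn NAME" / "config setup"
            kind, _, name = line.partition(' ')
            current = conns.setdefault(name.strip(), {}) if kind == 'conn' else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()
    return conns


def selector(conn, side):
    """Traffic selector for 'left' or 'right': the subnet if given, else the endpoint host."""
    value = conn.get(f'{side}subnet') or conn.get(side, '')
    if not value or value.startswith('%'):         # %defaultroute, %any: not a literal selector
        return None
    return ipaddress.ip_network(value, strict=False)


def matching_conns(conns, src, dst):
    """Names of conns whose left/right selectors cover a src -> dst packet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = []
    for name, conn in conns.items():
        left, right = selector(conn, 'left'), selector(conn, 'right')
        if left is not None and right is not None and src_ip in left and dst_ip in right:
            matches.append(name)
    return sorted(matches)


if __name__ == '__main__':
    conns = parse_conns(SAMPLE_IPSEC_CONF)
    for src in ('192.168.6.20', '192.168.7.20', '192.168.8.20'):
        print(src, '->', '192.168.1.10', 'via', matching_conns(conns, src, '192.168.1.10') or 'NO TUNNEL')
```

Run against the real /etc/ipsec.conf, a source subnet that comes back with no matching conn has no tunnel to ride on; the installed kernel policies can be cross-checked with `ip xfrm policy`, which must show a matching src/dst selector pair for each subnet that is supposed to be protected.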

Related

How to identify which network interface is used for a given route?

I am on a Windows 10 machine. I have got the below routes configured in my machine.
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 1
10.1.0.0 255.255.0.0 192.168.2.1 192.168.2.5 1
10.2.0.0 255.255.0.0 192.168.3.1 192.168.3.5 1
When pinging IP 10.1.1.1, I want to determine which network interface will be used to route the traffic.
Is there any network utility that can help me find the correct route based on the destination IP?
If you ping 10.1.1.1, it will use the interface with the IP 192.168.2.5 looking at your route table.
You can also use tracert 10.1.1.1 to see what route your network traffic will take.
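The rule the answer applies by eye is longest-prefix match, with the lowest metric breaking ties between routes of equal prefix length. As an added example (not part of the original answer), here is that selection implemented over the route table from the question, so the same check can be run for any destination; the table text is a constructed copy of the question's rows.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple('Route', 'network gateway interface metric')

# Constructed copy of the route table from the question
# (Network Destination, Netmask, Gateway, Interface, Metric).
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 1
10.1.0.0 255.255.0.0 192.168.2.1 192.168.2.5 1
10.2.0.0 255.255.0.0 192.168.3.1 192.168.3.5 1
"""


def parse_routes(text):
    """Parse whitespace-separated route rows into Route tuples."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, mask, gateway, interface, metric = line.split()
        network = ipaddress.ip_network(f'{dest}/{mask}', strict=False)
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def select_route(routes, destination):
    """Pick the route a destination IP would use: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


if __name__ == '__main__':
    table = parse_routes(ROUTE_TABLE)
    for dst in ('10.1.1.1', '10.2.9.9', '8.8.8.8'):
        chosen = select_route(table, dst)
        print(f'{dst} -> interface {chosen.interface} via {chosen.gateway} ({chosen.network})')
```

On Windows the effective metric is the interface metric plus the route metric, so when comparing against `route print` use the Metric column as displayed there.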

Set OpenVPN client to use the local gateway while maintaining client-to-client support

I'd like to set up a vpn to allow two separate computers to connect to each other.
I've found a bunch of places where they say you should remove redirect-gateway def1 bypass-dhcp from the server config and add a route directive (route 10.0.0.0 255.255.255.0 vpn_gateway) to make connecting to the private network work. But this doesn't seem to do what I want.
Yes it now makes all requests via my local gateway (All servers report my public ip is my own ip, rather than that of the vpn), but now connecting to other clients no longer works.
I can still connect to my own private ip (10.0.0.0) as assigned by the vpn, but other clients can not reach me on this same ip.
My client.conf:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
My server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
ccd/myclient:
ifconfig-push 10.0.0.0 255.255.255.255
How can I make client-to-client work without making all my regular traffic flow through the vpn?
edit: After some more experimenting I've figured out that this setup is working fine as long as the assigned private ip is in the 10.8.0.x range. I have a few static private ips in the 10.0.0.x range, so that's why it isn't working. I'd still like to use these ips though.
I ended up changing the server config to use 10.0.0.x as default pool.
I changed:
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
to
server 10.0.0.0 255.255.255.0
I don't like that static and dynamic ips are now both using the same pool, but this is the best I can do.
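The failure the poster found by experiment, a static ifconfig-push address that lies outside the subnet given by the server directive, is easy to catch before deploying. As an added example (not the poster's files or OpenVPN's own tooling), the following checks every ccd entry against the pool subnet; the server.conf text and ccd entries are constructed from the question, with a second hypothetical client added to show an address that does sit inside the pool.

```python
import ipaddress
import shlex

# Constructed server.conf, modelled on the question (not the poster's file verbatim).
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
"""

# Constructed ccd/ files: 'myclient' is the question's entry, 'other' is hypothetical.
CCD_FILES = {
    'myclient': 'ifconfig-push 10.0.0.0 255.255.255.255',   # static address outside the pool
    'other':    'ifconfig-push 10.8.0.50 255.255.255.0',    # static address inside the pool
}


def directives(text):
    """Yield each non-comment config line as a token list, honouring quoted arguments."""
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens


def pool_subnet(server_conf):
    """The address pool declared by 'server <network> <netmask>'."""
    for tokens in directives(server_conf):
        if tokens[0] == 'server' and len(tokens) >= 3:
            return ipaddress.ip_network(f'{tokens[1]}/{tokens[2]}', strict=False)
    raise ValueError('no "server" directive found')


def static_addresses_outside_pool(server_conf, ccd_files):
    """Map client name -> pushed address for every ifconfig-push outside the pool subnet."""
    pool = pool_subnet(server_conf)
    outside = {}
    for name, body in ccd_files.items():
        for tokens in directives(body):
            if tokens[0] == 'ifconfig-push' and len(tokens) >= 2:
                addr = ipaddress.ip_address(tokens[1])
                if addr not in pool:
                    outside[name] = str(addr)
    return outside


if __name__ == '__main__':
    print('pool:', pool_subnet(SERVER_CONF))
    print('outside pool:', static_addresses_outside_pool(SERVER_CONF, CCD_FILES))
```

With the poster's final change (server 10.0.0.0 255.255.255.0) the check comes back empty for myclient, which matches what they observed; the check does not cover whether the pushed address collides with an address the dynamic pool may hand out, which is the remaining concern they mention.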

How to enable port for public access?

I have enabled one port [8081] and it's accessible from the remote computer, but the same for another port [7500] is not working.
I would like to know the meaning of the line below:
TCP [::]:8081 [::]:0 LISTENING
And how to enable the same for port [7500]?
Attached listening port status:
netstat -na outputs 4 columns of data:
Proto, Local Address, Foreign Address, and State.
When looking for port 8081, you find 2 entries - one for TCP on 0.0.0.0:8081 for IPv4, and one for TCP [::]:8081 for IPv6.
When looking for port 7500, you find 1 entry - one for TCP 0.0.0.0:7500 for IPv4 only.
In both cases, you have local sockets listening via wildcard IPs to all local network adapters, and there is no "Foreign Address" assigned because a listening socket is not connected to any remote party. TCP sockets in the ESTABLISHED state have remote parties.
You have not shown any code, or explained your network setup, so nobody can really explain why you have 2 entries for port 8081 but only 1 entry for port 7500, or why remote computers can connect to port 8081 but not to port 7500. Maybe those clients are only using IPv6? Maybe your listening computer is behind a router that doesn't forward port 7500? We don't know.
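Reading netstat output by hand is error-prone once there are many rows, so as an added example (not part of the original answer) here is a small parser for the Windows netstat -na format that reports, for a given port, which address families have a wildcard listener. The sample output is constructed to mirror what the answer describes (two entries for 8081, one for 7500); the ESTABLISHED and UDP rows are constructed extras to show the parser ignoring non-listeners.

```python
# Constructed sample of Windows 'netstat -na' output (not the asker's actual output).
NETSTAT_NA = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    [::]:8081              [::]:0                 LISTENING
  TCP    0.0.0.0:7500           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49230      203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""


def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[::]:80' into (ip, port_or_None, family)."""
    if endpoint.startswith('['):                   # bracketed IPv6 literal
        ip, _, port = endpoint[1:].partition(']:')
        family = 'IPv6'
    else:
        ip, _, port = endpoint.rpartition(':')
        family = 'IPv4'
    return ip, (int(port) if port.isdigit() else None), family


def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ('TCP', 'UDP'):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ''   # UDP rows carry no state
        ip, port, family = split_endpoint(local)
        rows.append({
            'proto': proto, 'family': family, 'local_ip': ip, 'local_port': port,
            'wildcard': ip in ('0.0.0.0', '::'),     # bound to all local addresses
            'foreign': foreign, 'state': state,
        })
    return rows


def listeners_for_port(text, port):
    """Sorted address families on which a wildcard socket listens on `port`."""
    return sorted({
        row['family'] for row in parse_netstat(text)
        if row['local_port'] == port and row['wildcard']
        and (row['state'] == 'LISTENING' or row['proto'] == 'UDP')
    })


if __name__ == '__main__':
    for port in (8081, 7500, 443):
        print(port, listeners_for_port(NETSTAT_NA, port) or 'no wildcard listener')
```

A port that shows up for IPv4 only will not accept IPv6-only clients, which is one of the possibilities the answer raises; a port that shows up for neither is not listening at all, and no firewall or router change will help until the service binds it.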

Windows 2012 Server configure network to 2 ISP

I would appreciate any help with the configuration of MS Windows Server 2012 R2. I have tried several solutions, but none of them were appropriate.
The idea is on the attached schema below.
Server has AD.
Server has 2 NICs. Both are configured on the same subnet. (192.168.1.0) with IP addresses manually configured as is on the schema.
NIC 1:
IP:192.168.1.254
MASK: 255.255.255.0
GW: 192.168.1.1
DNS 1: 192.168.1.254
DNS 2: 192.168.1.1
Metric: 10
NIC 2:
IP:192.168.1.154
MASK: 255.255.255.0
GW: no
DNS 1: 192.168.1.154
DNS 2: 192.168.1.1
Metric 100
NIC 1 is connected to router from ISP 2.
NIC 2 is connected to router from ISP 1.
The goal is: All clients should have access to the internet via ISP 2. Some clients have access also via ISP 1 via VPN. ISP 1 does not provide public static IP address. ISP 1 yes. So only via ISP 1 is it possible to access the local network via VPN.
How to configure server to accept VPN connection and route whole traffic from VPN to local and to ISP 2?
Also I have tried 2 subnets (for VPN clients 192.168.2.0, for local clients 192.168.1.0 but no success to setup routing).
Thanks.
This is not how you do this; rather, you need a firewall that supports multiple WAN interfaces. Examples are Peplink (great if you also want to load balance the ISPs or get increased throughput by leveraging both of them); other examples include the Cisco RVx series or the Zywall USG series.
Then your server can have one IP on the LAN (as it should) and you can use the ACL/Firewall rules to control what goes in/out which ISP.

What's the meaning for '*' when using netstat command to check result?

What's the meaning of * when using the netstat command to check the result?
udp 0 0 10.224.54.76:18253 10.224.2.253:* ESTABLISHED 30433/wbx
I noticed that there are two results; is it necessary to create two connections for UDP?
udp 0 0 10.224.54.76:18252 10.224.2.253:37008 ESTABLISHED 30433/wbx
udp 0 0 10.224.54.76:18253 10.224.2.253:* ESTABLISHED 30433/wbx
* is a wildcard that means anything. So that socket is bound to the local address 10.224.54.76, local port 18253, remote address 10.224.2.253, and will accept packets from any remote port.
In your updated question, the first socket will only receive packets from remote port 37008 to local port 18252. The second socket will receive packets from any remote port to local port 18253.
Both of these come from calling connect() on a UDP socket. In the first case, port 37008 was specified in the remote address, in the second case port 0 was specified, which means any port.
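The filtering the answer describes can be observed directly on loopback. The following is an added example (not from the original answer): two UDP receivers are created, one connected to a specific remote port and one connected with remote port 0, and datagrams are sent to each from two different source ports. It assumes a Linux host, where connect() with port 0 on a UDP socket produces exactly the "any remote port" state that netstat prints as *; the receiver connected to a specific port silently drops datagrams from any other source port.

```python
import socket


def make_udp(host='127.0.0.1'):
    """UDP socket bound to an ephemeral loopback port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock


def demo_udp_connect_filter(timeout=0.5):
    """Return {label: payload-or-None} showing which datagrams each connected receiver got.

    'pinned' is connected to sender_a's port (netstat: 127.0.0.1:<port_a>),
    'wildcard' is connected with remote port 0 (netstat: 127.0.0.1:*).
    """
    sender_a, sender_b = make_udp(), make_udp()
    port_a = sender_a.getsockname()[1]

    pinned = make_udp()
    pinned.connect(('127.0.0.1', port_a))        # only datagrams from port_a are delivered

    wildcard = make_udp()
    wildcard.connect(('127.0.0.1', 0))           # remote port 0: any source port is accepted

    for sock in (pinned, wildcard):
        sock.settimeout(timeout)

    results = {}

    def send_and_recv(receiver, sender, label):
        sender.sendto(label.encode(), receiver.getsockname())
        try:
            results[label] = receiver.recv(64).decode()
        except socket.timeout:               # kernel never queued it on this socket
            results[label] = None

    send_and_recv(pinned, sender_a, 'pinned<-a')
    send_and_recv(pinned, sender_b, 'pinned<-b')
    send_and_recv(wildcard, sender_a, 'wildcard<-a')
    send_and_recv(wildcard, sender_b, 'wildcard<-b')

    for sock in (sender_a, sender_b, pinned, wildcard):
        sock.close()
    return results


if __name__ == '__main__':
    for label, payload in demo_udp_connect_filter().items():
        print(f'{label}: {"received" if payload else "dropped"}')
```

While the demo runs, `netstat -nap` (or `ss -uanp`) on the same host shows the two receivers in ESTABLISHED state, one with a concrete foreign port and one with *, matching the two rows in the question.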
