VPN
Falseclock, 2014-04-02 10:56:30

How to set up VPN connection routing?

+-------- CLIENT --------+     +-------- ROUTER -------+     +----VPN SERVER -----+
| local: 192.168.100.102 | ==> | LAN: 192.168.100.0/24 |     | LAN: 172.16.0.0/24 |
+------------------------+     | VPN local: 10.8.0.6   | ==> | IP: 172.16.0.5     |
                               | VPN remote: 10.8.0.5  |     | VPN: 10.8.0.1      |
                               +------ VPN CLIENT -----+     +--------------------+
                                                                       |
                                                                       |
                                                                       |
                                                             +------ SHARE -------+
                                                             | LAN: 172.16.0.0/24 |
                                                             | IP: 172.16.0.4     |
                                                             +--------------------+

All machines on the client network have a transparent VPN to the server through a router.
The client (192.168.100.102) can ping the VPN server's internal IP, but cannot ping other addresses from that network (e.g. 172.16.0.4).
Log from the client machine:
D:\>ping 172.16.0.5

Pinging 172.16.0.5 with 32 bytes of data:
Reply from 172.16.0.5: bytes=32 time=19ms TTL=62
Reply from 172.16.0.5: bytes=32 time=11ms TTL=62
Reply from 172.16.0.5: bytes=32 time=9ms TTL=62
Reply from 172.16.0.5: bytes=32 time=10ms TTL=62

Ping statistics for 172.16.0.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 19ms, Average = 12ms

D:\>ping 172.16.0.4

Pinging 172.16.0.4 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.0.4:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

D:\>tracert -d 172.16.0.5

Tracing route to 172.16.0.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.200.1
  2     2 ms     1 ms    <1 ms  192.168.100.1
  3     8 ms    10 ms     8 ms  172.16.0.5

Trace complete.

D:\>tracert -d 172.16.0.4

Tracing route to 172.16.0.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.200.1
  2    34 ms     3 ms     1 ms  192.168.100.1
  3    18 ms    18 ms    17 ms  10.8.0.1
  4     *        *        *     Request timed out.
  5  ^C
D:\>

At the same time, the router itself can reach any machine on the 172.16.0.0/24 network. But in two cases, the routing is different.
Log from the router:
[email protected]:~# traceroute 172.16.0.5
traceroute to 172.16.0.5 (172.16.0.5), 30 hops max, 38 byte packets
 1  172.16.0.5 (172.16.0.5)  3.592 ms  2.815 ms  2.808 ms
[email protected]:~# traceroute 172.16.0.4
traceroute to 172.16.0.4 (172.16.0.4), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  11.759 ms  8.433 ms  4.442 ms
 2  172.16.0.4 (172.16.0.4)  3.630 ms  2.962 ms  2.387 ms
[email protected]:~#
[email protected]:~# ping 172.16.0.5
PING 172.16.0.5 (172.16.0.5): 56 data bytes
64 bytes from 172.16.0.5: seq=0 ttl=64 time=9.557 ms
64 bytes from 172.16.0.5: seq=1 ttl=64 time=4.015 ms

--- 172.16.0.5 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.015/6.786/9.557 ms
[email protected]:~# ping 172.16.0.4
PING 172.16.0.4 (172.16.0.4): 56 data bytes
64 bytes from 172.16.0.4: seq=0 ttl=63 time=14.421 ms
64 bytes from 172.16.0.4: seq=1 ttl=63 time=4.235 ms

--- 172.16.0.4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 4.235/9.328/14.421 ms

[email protected]:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
172.16.0.0      10.8.0.5        255.255.255.252 UG    0      0        0 tun1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun1
172.16.0.0      10.8.0.5        255.255.255.0   UG    0      0        0 tun1
192.168.10.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 vlan2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 vlan2
[email protected]:~# ip route list
10.8.0.5 dev tun1  proto kernel  scope link  src 10.8.0.6
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.1
10.8.0.0/24 via 10.8.0.5 dev tun1
172.16.0.0/24 via 10.8.0.5 dev tun1
192.168.10.0/24 via 10.8.0.5 dev tun1
192.168.10.0/24 dev vlan2  proto kernel  scope link  src 192.168.10.79
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
127.0.0.0/8 dev lo  scope link
default via 192.168.10.1 dev vlan2

What should be done so that client machines see IP addresses from the entire 172.16.0.0/24 network, and not just the address of the VPN server?


2 answer(s)
kodi, 2014-04-02
@Falseclock

@Falseclock
Is the VPN server registered as the main gateway on the Share machine, or not?
Or is a route to the 192.168.100.0/24 network registered on the Share machine?

Sergey, 2014-04-02
@bk0011m

Surely there is a firewall, so you need to allow the router to pass traffic from 192.168.100.0/24 to 172.16.0.0/24. Perhaps on the VPN SERVER too, if there is a firewall.
Also, in the VPN SERVER settings you must specify that the network 192.168.100.0/24 is located on the external interface. You also need to give a route to this network through the ROUTER.
And do the same on the ROUTER. Both networks must be described and there must be routes to them.
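
Added example (not part of the original thread): a longest-prefix-match check of the return path that kodi's question and Sergey's answer both point at. The ROUTER table is copied from the question; the SHARE table, its `eth0` interface and its 172.16.0.1 default gateway are assumptions constructed to match the symptoms, since the page does not show them.

```python
import ipaddress

# Router table copied from the `ip route list` output in the question.
ROUTER = """
10.8.0.5 dev tun1  proto kernel  scope link  src 10.8.0.6
192.168.100.0/24 dev br0  proto kernel  scope link  src 192.168.100.1
10.8.0.0/24 via 10.8.0.5 dev tun1
172.16.0.0/24 via 10.8.0.5 dev tun1
192.168.10.0/24 via 10.8.0.5 dev tun1
192.168.10.0/24 dev vlan2  proto kernel  scope link  src 192.168.10.79
169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
127.0.0.0/8 dev lo  scope link
default via 192.168.10.1 dev vlan2
"""
# ASSUMED (constructed) table for SHARE: it knows the tunnel subnet,
# but has no route for the client LAN 192.168.100.0/24.
SHARE = """
172.16.0.0/24 dev eth0
10.8.0.0/24 via 172.16.0.5 dev eth0
default via 172.16.0.1 dev eth0
"""
VPN_SERVER_LAN_IP = "172.16.0.5"  # from the diagram in the question

def parse_routes(text):
    """Parse `ip route list` lines into (network, next_hop_or_None, dev)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, via, f[f.index("dev") + 1]))
    return routes

def lookup(table_text, dst):
    """Longest-prefix match; returns (next_hop, dev) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in parse_routes(table_text) if addr in r[0]]
    best = max(hits, key=lambda r: r[0].prefixlen, default=None)
    return best and (best[1], best[2])

def reply_goes_to_vpn_server(share_table, src):
    """True if SHARE would send its reply to `src` back via the VPN server."""
    hop = lookup(share_table, src)
    return hop is not None and hop[0] == VPN_SERVER_LAN_IP

if __name__ == "__main__":
    print("router -> 172.16.0.4:", lookup(ROUTER, "172.16.0.4"))
    for src in ("10.8.0.6", "192.168.100.102"):
        print(src, "reply returns via VPN:", reply_goes_to_vpn_server(SHARE, src))
```

Under these assumptions the reply to 10.8.0.6 returns through the VPN server while the reply to 192.168.100.102 leaves via the default gateway; appending `192.168.100.0/24 via 172.16.0.5 dev eth0` to the SHARE table makes both return through the tunnel.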
