Fw: Re: npppd - changing clients' route table

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
rdk
Reply | Threaded
Open this post in threaded view
|

Fw: Re: npppd - changing clients' route table

rdk
Hello,

> The interface which terminate the tunnel has "192.168.4.254".
> Right?
Do you mean the other end of the tunnel? It is 10.109.4.254
interface pppx0 address 10.109.4.254 ipcp IPCP

> How about if you configure the npppd-users
>
> rdk:
>   :password=passsssword:\
>   :framed-ip-address=10.109.4.254:\
>   :framed-ip-netmask=255.255.255.0:
>
> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> session authenticated by the above "rdk".
I have tried to configure npppd-users with netmask /24, but it doesnt make any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel to 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24 through the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through default gw or sometimes some traffic to 10.0.0.0/8 through another tunnel at the same time. Now if the PPP tunnel is established the VPN catches all the 10.0.0.0/8 traffic.
The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw.

Example:
I have a public, static IP. There is configured route to 10.55.0.0/24 at the ISP's side and I dont need any VPN tunnel to access 10.55...... Somewhere over the rainbow is a router with LAN 10.109.3.0/24 and npppd.
If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel.


On Sun, 21 Feb 2021 23:18:19 +0900 (JST)
YASUOKA Masahiko <[hidden email]> wrote:

> Hello,
>
> On Sat, 20 Feb 2021 21:14:24 +0100
> Radek <[hidden email]> wrote:
> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes via 10.109.4.254
> >
> > client> route print
> > Network Destination   Netmask      Gateway          Interface Metric
> >           0.0.0.0                  0.0.0.0       192.168.1.1    192.168.1.101     20
> >         10.0.0.0              255.0.0.0     10.109.4.254          10.109.4.1     21
> >     10.109.4.1  255.255.255.255         On-link                10.109.4.1    276
> > [...]
>
> The interface which terminate the tunnel has "192.168.4.254".
> Right?
>
> > $ cat /etc/npppd/npppd-users
> > rdk:\
> > :password=passsssword:\
> > :framed-ip-address=10.109.4.1:
> > #:framed-ip-netmask=255.255.255.0:
>
> How about if you configure the npppd-users
>
> rdk:
>   :password=passsssword:\
>   :framed-ip-address=10.109.4.254:\
>   :framed-ip-netmask=255.255.255.0:
>
> ?
>
> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> session authenticated by the above "rdk".
>
>
> On Sat, 20 Feb 2021 21:14:24 +0100
> Radek <[hidden email]> wrote:
> > Hi,
> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes via 10.109.4.254
> >
> > client> route print
> > Network Destination   Netmask      Gateway          Interface Metric
> >           0.0.0.0                  0.0.0.0       192.168.1.1    192.168.1.101     20
> >         10.0.0.0              255.0.0.0     10.109.4.254          10.109.4.1     21
> >     10.109.4.1  255.255.255.255         On-link                10.109.4.1    276
> > [...]
> >
> > I need to redirect the traffic to 10.109.4.254 only if it goes to the remote LAN (10.109.3.0/24), the rest should go via def gw.
> > How can I configure it on the router/server side ?
> >
> > $ cat /etc/npppd/npppd.conf
> > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
> > # sample npppd configuration file.  see npppd.conf(5)
> >
> > set max-session 200
> > set user-max-session 4
> >
> > authentication LOCAL type local {
> >         users-file "/etc/npppd/npppd-users"
> > }
> > tunnel L2TP protocol l2tp {
> >         listen on X.X.X.X
> > }
> >
> > ipcp IPCP {
> >         pool-address 10.109.4.1-10.109.4.32
> >         dns-servers 1.1.1.1
> > }
> >
> > # use pppx(4) interface.  use an interface per a ppp session.
> > interface pppx0 address 10.109.4.254 ipcp IPCP
> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> >
> > $ cat /etc/npppd/npppd-users
> > rdk:\
> > :password=passsssword:\
> > :framed-ip-address=10.109.4.1:
> > #:framed-ip-netmask=255.255.255.0:
> >
> > $ dmesg | head
> > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > --
> > Radek
> >
>
--
Radek

Reply | Threaded
Open this post in threaded view
|

Re: npppd - changing clients' route table

YASUOKA Masahiko-3
Hi,

On Sun, 21 Feb 2021 19:18:48 +0100
Radek <[hidden email]> wrote:
>> The interface which terminate the tunnel has "192.168.4.254".
>> Right?
> Do you mean the other end of the tunnel? It is 10.109.4.254
> interface pppx0 address 10.109.4.254 ipcp IPCP

Sorry, "192.168.4.244" should have been "10.109.4.254".

>> How about if you configure the npppd-users
>>
>> rdk:
>>   :password=passsssword:\
>>   :framed-ip-address=10.109.4.254:\
>>   :framed-ip-netmask=255.255.255.0:
>>
>> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
>> session authenticated by the above "rdk".
> I have tried to configure npppd-users with netmask /24, but it doesnt make any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel to 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24 through the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through default gw or sometimes some traffic to 10.0.0.0/8 through another tunnel at the same time. Now if the PPP tunnel is established the VPN catches all the 10.0.0.0/8 traffic.
>
> The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw.
>
> Example:
> I have a public, static IP. There is configured route to 10.55.0.0/24 at the ISP's side and I dont need any VPN tunnel to access 10.55...... Somewhere over the rainbow is a router with LAN 10.109.3.0/24 and npppd.
> If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel.

The route to the natural netmask of the tunnel address, 10.0.0.0/8 in
this case, is configured by Windows automatically.  I don't know a way
to stop or override this.  But by using another addresses for the
tunnel, you can avoid the problem.  Also we can use dhcpd(8) to push
routes configuration.

For example,

1. Use 192.168.255.0/24 for the tunnel to avoid the conflict on
   10.0.0.0/8.

   ipcp IPCP {
      pool-address 192.168.255.1-192.168.255.32
    :
   interface pppx0 address 192.168.255.254 ipcp IPCP
   ---
   rdk:
    :password=passsssword:\
    :framed-ip-address=192.168.255.32:

2. Configure dhcpd

   /etc/dhcpd-l2tp.conf
   ----
   subnet 192.168.255.0 netmask 255.255.255.0 {
     option classless-ms-static-routes 10.109.3.0/24 192.168.255.254;
     option classless-static-routes    10.109.3.0/24 192.168.255.254;
   }
   ---
 
   $ doas /usr/sbin/dhcpd -u255.255.255.255 -c /etc/dhcpd-l2tp.conf

> On Sun, 21 Feb 2021 23:18:19 +0900 (JST)
> YASUOKA Masahiko <[hidden email]> wrote:
>
>> Hello,
>>
>> On Sat, 20 Feb 2021 21:14:24 +0100
>> Radek <[hidden email]> wrote:
>> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
>> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes via 10.109.4.254
>> >
>> > client> route print
>> > Network Destination   Netmask      Gateway          Interface Metric
>> >           0.0.0.0                  0.0.0.0       192.168.1.1    192.168.1.101     20
>> >         10.0.0.0              255.0.0.0     10.109.4.254          10.109.4.1     21
>> >     10.109.4.1  255.255.255.255         On-link                10.109.4.1    276
>> > [...]
>>
>> The interface which terminate the tunnel has "192.168.4.254".
>> Right?
>>
>> > $ cat /etc/npppd/npppd-users
>> > rdk:\
>> > :password=passsssword:\
>> > :framed-ip-address=10.109.4.1:
>> > #:framed-ip-netmask=255.255.255.0:
>>
>> How about if you configure the npppd-users
>>
>> rdk:
>>   :password=passsssword:\
>>   :framed-ip-address=10.109.4.254:\
>>   :framed-ip-netmask=255.255.255.0:
>>
>> ?
>>
>> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
>> session authenticated by the above "rdk".
>>
>>
>> On Sat, 20 Feb 2021 21:14:24 +0100
>> Radek <[hidden email]> wrote:
>> > Hi,
>> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
>> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes via 10.109.4.254
>> >
>> > client> route print
>> > Network Destination   Netmask      Gateway          Interface Metric
>> >           0.0.0.0                  0.0.0.0       192.168.1.1    192.168.1.101     20
>> >         10.0.0.0              255.0.0.0     10.109.4.254          10.109.4.1     21
>> >     10.109.4.1  255.255.255.255         On-link                10.109.4.1    276
>> > [...]
>> >
>> > I need to redirect the traffic to 10.109.4.254 only if it goes to the remote LAN (10.109.3.0/24), the rest should go via def gw.
>> > How can I configure it on the router/server side ?
>> >
>> > $ cat /etc/npppd/npppd.conf
>> > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
>> > # sample npppd configuration file.  see npppd.conf(5)
>> >
>> > set max-session 200
>> > set user-max-session 4
>> >
>> > authentication LOCAL type local {
>> >         users-file "/etc/npppd/npppd-users"
>> > }
>> > tunnel L2TP protocol l2tp {
>> >         listen on X.X.X.X
>> > }
>> >
>> > ipcp IPCP {
>> >         pool-address 10.109.4.1-10.109.4.32
>> >         dns-servers 1.1.1.1
>> > }
>> >
>> > # use pppx(4) interface.  use an interface per a ppp session.
>> > interface pppx0 address 10.109.4.254 ipcp IPCP
>> > bind tunnel from L2TP authenticated by LOCAL to pppx0
>> >
>> > $ cat /etc/npppd/npppd-users
>> > rdk:\
>> > :password=passsssword:\
>> > :framed-ip-address=10.109.4.1:
>> > #:framed-ip-netmask=255.255.255.0:
>> >
>> > $ dmesg | head
>> > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
>> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> >
>> > --
>> > Radek
>> >
>>
> --
> Radek
>