
Need help configuring VPN routing tables - server+client


Carmageddon

Technical User
Dec 31, 2007
8
IL
Hi, I am trying to set up a VPN tunnel between my computer at the campus (with lots of limitations, such as no outgoing UDP traffic at all, and limited outgoing TCP ports as well) and my home computer, which sits behind a Netgear WGT624 router.

This computer (the campus computer at my dorms) is also behind a router (a Linksys WGT54GL with DD-WRT firmware).

To connect to the network, I get an IP from a CheckPoint firewall via DHCP, and then, to finally get access, I need to telnet to it and enter the user/pass provided by the uni - a method of control after uni resources were abused in the past to launch attacks against US targets...


Anyhow, my LAN at uni is 192.168.1.1 for the router and 192.168.1.2 for the desktop computer I am using (the VPN client).

Home LAN is 10.1.1.1, with the designated VPN server being 10.1.1.2.

The VPN server is defined to work in the 10.10.10.1 range; however, for some reason it seems the server doesn't get the .1 IP assigned but a different one. Not sure how significant that is.
Anyhow:

Here is the routing table print from both ends:

SERVER:
Code:
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...7a 79 05 b1 fe 0d ...... Hamachi Network Interface
0x3 ...00 c0 9f 69 ad d8 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - ????-?÷??? ?? ?·µ?? ???·
0x4 ...00 90 4b 9f fd 91 ...... Broadcom 802.11b/g WLAN - ????-?÷??? ?? ?·µ?? ???·
0x10006 ...00 ff 54 b6 e6 d5 ...... TAP-Win32 Adapter V8 - ????-?÷??? ?? ?·µ?? ???·
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.2       25
          5.0.0.0        255.0.0.0     5.177.254.13    5.177.254.13       20
     5.177.254.13  255.255.255.255        127.0.0.1       127.0.0.1       20
    5.255.255.255  255.255.255.255     5.177.254.13    5.177.254.13       20
         10.1.1.0    255.255.255.0         10.1.1.2        10.1.1.2       25
         10.1.1.2  255.255.255.255        127.0.0.1       127.0.0.1       25
       10.10.10.0  255.255.255.252       10.10.10.1      10.10.10.1       30
       10.10.10.0    255.255.255.0       10.10.10.2      10.10.10.1       1
       10.10.10.1  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2       25
   10.255.255.255  255.255.255.255       10.10.10.1      10.10.10.1       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0     5.177.254.13    5.177.254.13       20
        224.0.0.0        240.0.0.0         10.1.1.2        10.1.1.2       25
        224.0.0.0        240.0.0.0       10.10.10.1      10.10.10.1       30
  255.255.255.255  255.255.255.255     5.177.254.13               3       1
  255.255.255.255  255.255.255.255     5.177.254.13    5.177.254.13       1
  255.255.255.255  255.255.255.255         10.1.1.2        10.1.1.2       1
  255.255.255.255  255.255.255.255       10.10.10.1      10.10.10.1       1
Default Gateway:          10.1.1.1
===========================================================================
Persistent Routes:
  None
CLIENT:
Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...04 4b 80 80 80 03 ...... NVIDIA nForce Networking Controller
0x3 ...04 4b 80 80 80 03 ...... NVIDIA nForce Networking Controller #2
0x4 ...00 ff 8e 65 d4 ba ...... TAP-Win32 Adapter V8
0x5 ...00 11 b1 07 a3 30 ...... Bluetooth PAN Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2       20
       10.10.10.1  255.255.255.255       10.10.10.5      10.10.10.6       1
       10.10.10.4  255.255.255.252       10.10.10.6      10.10.10.6       30
       10.10.10.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   10.255.255.255  255.255.255.255       10.10.10.6      10.10.10.6       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       20
     192.168.50.0    255.255.255.0     192.168.50.1    192.168.50.1       30
     192.168.50.1  255.255.255.255        127.0.0.1       127.0.0.1       30
   192.168.50.255  255.255.255.255     192.168.50.1    192.168.50.1       30
        224.0.0.0        240.0.0.0       10.10.10.6      10.10.10.6       30
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       20
        224.0.0.0        240.0.0.0     192.168.50.1    192.168.50.1       30
  255.255.255.255  255.255.255.255       10.10.10.6      10.10.10.6       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255     192.168.50.1               3       1
  255.255.255.255  255.255.255.255     192.168.50.1    192.168.50.1       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

Now, the server config file:

Code:
local 10.1.1.2


port 443

# TCP or UDP server?
proto tcp
;proto udp


;dev tap
dev tun

;dev-node MyTap


ca ca.crt
cert server.crt
key server.key  # This file should be kept secret


dh dh1024.pem


server 10.10.10.0 255.255.255.0



;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100


;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"


;client-config-dir ccd
;route 192.168.40.128 255.255.255.248


;client-config-dir ccd
;route 10.9.0.0 255.255.255.252



;learn-address ./script


;push "redirect-gateway"

;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"


;client-to-client

;duplicate-cn


keepalive 10 120


;tls-auth ta.key 0 # This file is secret


;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES


comp-lzo


;max-clients 100


;user nobody
;group nobody


persist-key
persist-tun

status openvpn-status.log


;log         openvpn.log
;log-append  openvpn.log


verb 3


mute 20

(I've cleared out all the # comments to make it easier to read.)

Now the Client config file:
Code:
client


;dev tap
dev tun


;dev-node MyTap


proto tcp
;proto udp


remote uniproxy.dyndns.org 443
;remote my-server-2 1194


;remote-random


resolv-retry infinite


nobind

;user nobody
;group nobody


persist-key
persist-tun


;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]


;mute-replay-warnings


ca ca.crt
cert Desktop.crt
key Desktop.key


;ns-cert-type server


;tls-auth ta.key 1

;cipher x


comp-lzo

verb 3

mute 20

It seems I can ping 10.10.10.1 just fine and get a reply back, which means the tunnel works great (the uni blocks ICMP packets too).

Which leaves me with only a few problems:
1) How do I route a single IP through the VPN exactly?
I have tried to test with ipchicken.com for example (209.68.27.16), trying various route syntaxes, one of them:
route add 209.68.27.16 mask 255.255.255.255 10.10.10.6 metric 1

This, however, makes the site unreachable at all (although I think it still manages to resolve the name to an IP when used from the Avant browser - I did not even try IE7).

2) How do I route specific IPs through the VPN? Do I need special routes added on the client as well as on the server? If so, which ones?

3) How do I route a certain application through the VPN interface? My main problem is Ventrilo 3.0.1 (a VoIP client popular in various games), which since the upgrade from 2.3.1 uses UDP - which I can't relay through a regular SOCKS proxy - and it 'calls home', as well as to the specific clan server, on UDP ports - hence why I need to route the whole application through the VPN.

4) Last but not least - I'd welcome any suggestions and further ideas on how to improve things and get the system working :)

PS: my uni IP from DHCP is 132.72.151.107 - if that's of any help.

Thanks in advance to all those who get through this long post, and help :)
 
If you're just trying to access your PC at school, what about Remote Desktop? Did you try this? This way you can work on your PC directly without creating a VPN tunnel.
 
No, you don't understand. I have remote control over the home PC without any difficulties.

What I want is to route certain traffic THROUGH the home PC, over the VPN tunnel, to bypass various firewalls at the university, where I am most of the time.
 
Well, to get the VPN to work you are going to have to go through their IT dept, which I am sure you want to do. I myself am a Network Admin, and unless I approve something I will not open anything for users.
 
Again, I think you misunderstand me. I didn't ask whether I need the approval of the IT dept or not (which, btw, I discussed with the manager of the department himself; he can't approve anything specific I need because it opens up too many security risks).

Anyway, I did check a friend's VPN once - and I could load the ipchicken.com site once I added specific IP routing to the table.

Therefore it WORKS and I don't need any further approval; I just need to figure out what I am missing in my client/server settings that prevents traffic from being routed - a problem on either the client or the server.

I'd appreciate it if you did not derail this thread further with comments such as going to the IT admin; I would like to stay focused on solutions to my problems through tunneling traffic via another computer, such as the VPN solution.

Thanks :)
 
So the home LAN is 10.1.1.0...what's the mask?
The vpn server is 10.10.10.0...again---what is the mask?
Is your concern the fact that the VPN pool is different from the LAN?
You need to do the routing through the routers, not the client/server---this is done when the server either has 2 NICs, or you are doing the route add on the remote server, for which you need admin privileges. This is not derailing the post...
The reason that it worked through your friend's set up is likely due to the fact that you have permission.
Telnetting the way you do is bad, even after going through the tunnel---authentication still takes place at the server at the uni, and it's all clear text...

"To connect to the network, I am getting an IP from CheckPoint firewall via DHCP, and then to finally get access, I need to telnet to it, and write user/pass provided by uni - method of control after uni resources were abused in the past to launch attacks against US targets..."
Someone at the uni could easily get usernames and pw's via a sniffer, since telnet sends them in clear text...use ssh2, at least 1024 bit encryption.
The LAN and VPN pool are directly connected, so routing takes place there no matter what.
I am guessing I too am way off in answering your question, but in my opinion you're making it way too unclear. What do you do---play a game at the uni server from home, or vice versa, or what? Please specify exactly what apps you run, from where and to where, and what all is in the way...

Burt
 
So the home LAN is 10.1.1.0...what's the mask?
The vpn server is 10.10.10.0...again---what is the mask?

For the LAN, mask is 255.255.255.0
For the VPN server - if I am checking correctly - the TAP32 adapter's subnet mask is 255.255.255.252, even though, as you can see in my server conf file, the mask is set to .0 and not .252... can it be the source of the problem?


You need to do the routing through the routers, not client/server---this is done when the server either has 2 nics, or you are doing the route add on the remote server, for which you need admin priveleges. This is not derailing the post...

I am not sure what exactly you mean - opening the ports on the router? That's done; I can VPN into the server without any problems, even ping it.

Adding routes on the remote server is not a problem either - I am using remote control - logmein.com is best because it uses HTTP and hence easily passes the uni firewalls.
Of course I am the admin of my own computers :)

Someone at the uni could easily get usernames and pw's via a sniffer, since telnet sends them in clear text...use ssh2, at least 1024 bit encryption.

I guess that's true, but to be honest I don't really care; it's the uni admin's problem, not mine.

The LAN and VPN pool are directly connected, so routing takes place there no matter what.
What do you mean? They are different pools - 10.10.10 and 10.1.1 are different, as the mask separates them quite clearly (and it's not 255.0.0.0).
Unless I misunderstood something in your post, or about networking.

I am guessing I too am way off in answering your question, but in my opinion, you re making it way too unclear. What do you do---play a game at the uni server from home, or vice versa, or what? Please specify exactly what apps you run, from where and to where, and what all is in the way...

Ok fair enough, I will try to explain again:

I am spending most of my time at uni, at the dormitories, where I have my desktop computer, and I need to access certain things past the uni firewalls, such as:

FTP servers, and the Ventrilo server for my corp in the game EVE-Online. I would like to elaborate further on this critical thing for me: without being able to connect to our voice comms, there is not much I can do in the game.

The problem is, prior to Ventrilo 3 it used only TCP traffic, and hence I could easily relay it through a proxy I used for that.
But then Ventrilo was upgraded to version 3, using UDP, and I can't relay that through a regular SOCKS proxy, hence why I started checking out other solutions.
The uni firewalls block outgoing UDP traffic entirely as well.

Even if it turns out I can't route UDP through a TCP VPN tunnel, I still would like to get it working, because the proxy I use costs me like $5 a month, while I have virtually unused bandwidth at home that almost nobody uses.

Oh, and I also need to route the mIRC ports I am using as well - that's blocked too.

Oh, and the uni also blocked the ssh and telnet ports as well - I can't remotely manage servers either - also for security reasons, they claim..

I also would like to route only certain things through the VPN tunnel - there is no point loading traffic that goes perfectly well through the uni's fast links onto my home connection.

I hope now you have a better picture of my situation, and what I am trying to accomplish here.

Thanks for trying, and I appreciate the help Burt!
 
I have a lot to do today, but I can answer a few questions, which may even help solve the problem...

"For the LAN, mask is 255.255.255.0
for the VPN server - if I am checking correctly - the TAP32 adapter's subnet mask - its 255.255.255.252 - even though as you can see on my server conf file, mask is set to .0 and not 252... can it be the source of the problem?"
10.10.10.0 255.255.255.252 10.10.10.1 10.10.10.1 30---this IP range is as follows...
10.10.10.0/30 is the wire address, 10.10.10.1 and 10.10.10.2 are the only useable IP addresses for this subnet, and 10.10.10.3 is the broadcast address for this subnet. This could cause problems, as 10.10.10.0/24 range is 10.10.10.1 through 10.10.10.254 as useable IP addresses...

"I am not sure what exactly do you mean - opening the ports on the router? thats done, I can VPN into the server without any problems, even ping it."
Once VPN'd in, the server still needs to know how to get around to other subnets, and this is usually done in the router, since its job is to route everything (NOT the server, unless the server is a Windows server providing the VPN authentication and tunnel).

"I guess thats true, but to be honest - I dont really care, its the uni's admin problems, not mine."
Are these YOUR login credentials? If so, you SHOULD care!

"What do you mean? they are different pools - 10.10.10 and 10.1.1 are different, as the mask seperates them quite clearly (and its not 255.0.0.0).
Unless I misunderstood something in your post, or about networking."
Well, the subnets are both configured in the router, so therefore the router knows about them---this is what directly connected means. This is how the router knows how to route between them. It is common practice for VPN pools to be different from the LAN addresses, mostly due to NAT and routing issues. Since your VPN tunnel connects successfully, this is not an issue.

Sorry, but that is all I can answer for now. I will try more later, perhaps this evening...

HTH

Burt
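To make Burt's /30 versus /24 arithmetic and the effect of the OP's "route add" concrete, here is an added Python example (not from the thread or from either poster) that reproduces the route selection a Windows host makes over rows copied from the posted route print tables. It assumes the longest-prefix-then-lowest-metric rule, and that a host route added without an explicit interface is bound to the interface that already reaches its gateway.

```python
import ipaddress

# Rows copied from the "route print" output posted in the thread
# (destination, netmask, gateway, interface, metric), trimmed to the
# entries that matter here. This is a constructed subset, not a live dump.
CLIENT_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "192.168.1.1", "192.168.1.2", 20),
    ("10.10.10.1",  "255.255.255.255", "10.10.10.5",  "10.10.10.6",  1),
    ("10.10.10.4",  "255.255.255.252", "10.10.10.6",  "10.10.10.6",  30),
    ("192.168.1.0", "255.255.255.0",   "192.168.1.2", "192.168.1.2", 20),
]
SERVER_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",         "10.1.1.1",    "10.1.1.2",    25),
    ("10.1.1.0",    "255.255.255.0",   "10.1.1.2",    "10.1.1.2",    25),
    ("10.10.10.0",  "255.255.255.252", "10.10.10.1",  "10.10.10.1",  30),
    ("10.10.10.0",  "255.255.255.0",   "10.10.10.2",  "10.10.10.1",  1),
]


def subnet_facts(cidr):
    """Wire (network) address, usable host range and broadcast of a subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def lookup(dest, routes):
    """Pick the route a Windows host would use for dest: longest prefix
    match first, lowest metric as the tie-breaker (assumed XP-era rule)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, mask, gateway, interface, metric in routes:
        net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)       # bigger tuple wins
        if best is None or rank > best[0]:
            best = (rank, gateway, interface, str(net))
    if best is None:
        return None
    return {"gateway": best[1], "interface": best[2], "via": best[3]}


def with_host_route(routes, host, gateway):
    """Model 'route add <host> mask 255.255.255.255 <gateway> metric 1'.
    The interface is taken from the route that already reaches the gateway
    (assumption about how Windows fills it in when none is given)."""
    via = lookup(gateway, routes)
    if via is None:
        raise ValueError(f"gateway {gateway} is not reachable")
    return routes + [(host, "255.255.255.255", gateway, via["interface"], 1)]


if __name__ == "__main__":
    print(subnet_facts("10.10.10.0/30"))   # two usable hosts, broadcast .3
    print(subnet_facts("10.10.10.0/24"))   # 254 usable hosts
    print(lookup("209.68.27.16", CLIENT_ROUTES))            # default gw
    print(lookup("209.68.27.16", with_host_route(
        CLIENT_ROUTES, "209.68.27.16", "10.10.10.6")))      # into the TAP
    print(lookup("10.10.10.2", SERVER_ROUTES))              # /30 beats /24
```

The last lookup shows why the two overlapping 10.10.10.0 rows on the server matter: the /30 row wins for 10.10.10.1 to .3 by prefix length even though its metric is 30, while everything else in the /24 goes via 10.10.10.2.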


 
"For the LAN, mask is 255.255.255.0
for the VPN server - if I am checking correctly - the TAP32 adapter's subnet mask - its 255.255.255.252 - even though as you can see on my server conf file, mask is set to .0 and not 252... can it be the source of the problem?"
10.10.10.0 255.255.255.252 10.10.10.1 10.10.10.1 30---this IP range is as follows...
10.10.10.0/30 is the wire address, 10.10.10.1 and 10.10.10.2 are the only useable IP addresses for this subnet, and 10.10.10.3 is the broadcast address for this subnet. This could cause problems, as 10.10.10.0/24 range is 10.10.10.1 through 10.10.10.254 as useable IP addresses...
Okay hehe, I got lost here, can you elaborate please? I tried to read at various places, and didn't quite understand what the /30 and /24 etc. thing means...

I am not sure what problems this can cause exactly (as I didn't quite understand what the problem is), but what do you suggest?

"I am not sure what exactly do you mean - opening the ports on the router? thats done, I can VPN into the server without any problems, even ping it."
Once VPN'd in, the server still needs to know how to get around to other subnets, and this is usually done in the router, since its job is to route everything (NOT the server, unless the server is a Windows server providing the VPN authentication and tunnel).

But the router doesn't even see the VPN network.. as far as the router is concerned, the network doesn't exist.
It simply sends a packet from 1.2.3.4 to a machine in the LAN, and only then Windows recognizes that the packet comes from 1.2.3.4 and re-routes it into the TAP32 interface.

Did I grasp the VPN concept correctly?


"I guess thats true, but to be honest - I dont really care, its the uni's admin problems, not mine."
Are these YOUR login credentials? If so, you SHOULD care!
Yes, I guess that's a good point; I will bring it up with the admin next time I talk to him, but it really doesn't change my problem here, or help the solution.
Every dorms student works like that; it's not just my uni login credentials...

"What do you mean? they are different pools - 10.10.10 and 10.1.1 are different, as the mask seperates them quite clearly (and its not 255.0.0.0).
Unless I misunderstood something in your post, or about networking."
Well, the subnets are both configured in the router, so therefor the router knows about them---this is what directly connected means. This is how the router knows how to route between them. It is common practice for VPN pools to be different from the LAN addresses, mostly due to NAT and routing issues. Since your VPN tunnel connects successfully, this is not an issue.

Well, I still don't quite understand this.. as I have said above, the router doesn't even see the VPN LAN as a client or something..

I am attaching a diagram I made of the network as I see it in MS Visio.
Please correct me if I am wrong, but isn't my only remaining problem to properly "weld", so to speak, the edges of the VPN client and server back into the router, so traffic flows back and forth using route tables?
On the client, only specific IPs; and on the server, any IP that comes out of the pipe goes into the router, and the same specific IPs that come back go back into the VPN tunnel?

I appreciate your input Burt :)
 
 http://picasaweb.google.com/carmageddon/CellPhone/photo#5151032804053250642
Following your post, I can only think of one more thing to add, maybe that'd help.

My router's routing table, for the comp at uni:
Code:
~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
132.72.148.0    *               255.255.252.0   U     0      0        0 vlan1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         132.72.148.254  0.0.0.0         UG    0      0        0 vlan1

I have also added link to the original Visio file, for any revisions you might want to suggest, if you use that.

Hope to get some more feedback by the morning, good night!
 
 http://public.box.net/carmageddon84313
I can't open that Visio file, as my version is too old...ha ha.
Anyway, so you're trying to VPN into home and use that internet connection because of all the uni firewall rules...correct? And you have a site-to-site tunnel from the uni to home? Well, the problem is that you have only succeeded in making your home network a part of your uni network, and going through the tunnel will likely be way too slow...
What kind of firewall is at the uni? Can you talk the admin into letting your computer through? I can't think of any other way...sorry.

Burt
 
I can't open that Visio file, as my version is too old...ha ha.
Anyway, so you're trying to VPN into home and use that internet connection because of all the uni firewall rules...correct? And you have a site-to-site tunnel from the uni to home? Well, the problem is that you have only succeeded in making your home network a part of your uni network, and going through the tunnel will likely be way too slow...
What kind of firewall is at the uni? Can you talk the admin into letting your computer through? I can't think of any other way...sorry.

That's exactly what I am trying to do! Use the home internet connection for my traffic which is blocked by the uni.

And no, the admin refuses to make any exceptions, due to past abuses of uni lines to attack targets in the US.. they don't want to get any more angry letters from the Rector and uni president hehe.

Well I kind of hoped you knew how to complete this setup :(

hopefully someone might still help me out here...
 
The only thing I can think of is setting up a remote access VPN to your home, but this would be slow. I would think it would be an ssl vpn...

Burt
 
The only thing I can think of is setting up a remote access VPN to your home, but this would be slow. I would think it would be an ssl vpn...

How do I do that? Isn't that exactly what I have been trying to do so far?
I don't care about slow - really. As long as I can connect and listen to my friends on Ventrilo, etc...
 
Well, it does not necessarily need to be an ssl VPN...that just means that you authenticate through https, in a browser. I am not sure how to do it in your hardware (the Netgear), but if it were a Cisco router, I could tell you...do you still have the manual? Remote access VPN is what you want. IPSEC and L2TP can use UDP ports (1720, I believe), so IPSEC over tcp would be the best bet.

Burt
 