Private network additional routing
I'm trying to setup a VPN + local network (that stands behind the VPN) using two Linode machines in the same datacenter.
I've been able to setup VPN using OpenVPN, without major issues.
Now I'm trying to setup routing, but I'm seemingly stuck at what seems to be a simple routing problem.
This is my setup:
Machine A:
<snip>eth0:1 Link encap:Ethernet HWaddr f2:3c:91:e4:05:f6
inet addr:192.168.145.3 Bcast:0.0.0.0 Mask:255.255.128.0
<snip>tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
<snip>Machine B:
<snip>eth0:1 Link encap:Ethernet HWaddr f2:3c:91:e4:2a:b1
inet addr:192.168.150.3 Bcast:0.0.0.0 Mask:255.255.128.0</snip></snip></snip></snip>
I'm trying to ping 10.8.0.1 from Machine B.
Of course I'm able to ping 192.168.145.3 from machine B:
$ ping -c 2 192.168.145.3
PING 192.168.145.3 (192.168.145.3) 56(84) bytes of data.
64 bytes from 192.168.145.3: icmp_seq=1 ttl=64 time=0.749 ms
64 bytes from 192.168.145.3: icmp_seq=2 ttl=64 time=0.656 ms
--- 192.168.145.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.656/0.702/0.749/0.053 ms
But if I add the following routing rule:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.145.3 dev eth0:1
then I'm not able to reach 10.8.0.1 anyhow.
Machine B:
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gw-li1415.linod 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 192.168.145.3 255.255.255.0 UG 0 0 0 eth0
139.162.148.0 * 255.255.255.0 U 0 0 0 eth0
192.168.128.0 * 255.255.128.0 U 0 0 0 eth0
$ ping -c 2 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
--- 10.8.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
# tcpdump -n -i eth0:1 net 192.168.128.0/17
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0:1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:15:13.904185 IP 192.168.150.3 > 10.8.0.1: ICMP echo request, id 24947, seq 1, length 64
17:15:14.904295 IP 192.168.150.3 > 10.8.0.1: ICMP echo request, id 24947, seq 2, length 64
17:15:18.907628 ARP, Request who-has 192.168.145.3 tell 192.168.150.3, length 28
17:15:18.908241 ARP, Reply 192.168.145.3 is-at f2:3c:91:e4:05:f6, length 46
Machine A:
# tcpdump -n -i eth0 net 10.8.0.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
So the packet is sent from machine B, but is never received at machine A.
This same approach works for me and is tested on other machines with same or different Linux distros; might there be some filtering in Linode infrastructure that I'm not considering?
Thanks for any help you might give.
Diego
EDIT: both machines are Ubuntu 14.04
2 Replies
@dwfreed:
There are filtering rules on the hosts that only allow Linodes to see traffic that is destined for them, and send traffic using IP addresses assigned to them. The host your machine A is on is dropping the traffic destined for 10.8.0.1, because it's not an IP address assigned to your Linode. You would need to include Machine B in your VPN, or use some other sort of tunnel (GRE, ipip, etc.) in order for this to work.
Hi dwfreed,
thank you very much for your kind reply. Would a bridged VPN rather than a routed VPN work in your opinion, as it would operate at layer 2 rather than layer 3?
Thanks,
Diego