Gentoo Forums
[SOLVED] PPTP split-tunneling broken?
Forum: Networking & Security
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1602
Location: Fayetteville, NC, USA

PostPosted: Thu Jul 09, 2015 1:42 pm    Post subject: [SOLVED] PPTP split-tunneling broken?

I have a MAJOR issue with my work laptop. Whenever I connect to a remote location via PPTP VPN by way of Network Manager in KDE4, I lose all Internet connectivity. In Windows I can select "Do not use default gateway on remote network" and all is good. I have been to the PPTP routes tab and checked "Only use for resources on this connection", but I still lose everything. How can I set up my PPTP connections to only work for addresses on that remote network?

*UPDATE*

For those reading this thread for a solution, it can be found here!
_________________
Ever picture systemd as what runs "The Borg"?


Last edited by The_Great_Sephiroth on Fri Jul 24, 2015 1:39 pm; edited 1 time in total
The_Great_Sephiroth
PostPosted: Sat Jul 11, 2015 2:15 pm

Is this possible with Linux? It seems to be broken on Debian Wheezy also, which tells me it is a long-standing bug or that it cannot work, despite having options for it.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3133

PostPosted: Sat Jul 11, 2015 9:19 pm

Well, I'm not that much into PPTP and NM to know all the tricks there, but there is iptables as well. So... it surely is possible. It just may be a bit lower level than you would like.
What should this setup look like? You have some IP range you want to tunnel over VPN with the rest bypassing it?
The_Great_Sephiroth
PostPosted: Sat Jul 11, 2015 10:41 pm

The way it works on Windows and Apple is that if I access a host/IP on the remote network, it is routed through the tunnel. If I access anything else, it is not routed through said tunnel. Currently, everything is routed through the tunnel.
The_Great_Sephiroth
PostPosted: Tue Jul 21, 2015 2:08 pm

There is a bug! I am not sure if the bug exists in pppd or Network Manager. On my VPN properties in Network Manager, if I check "Use this connection only for resources on this network", nothing is reachable when I connect. After some checking, I discovered that a route was not being added. Here is what happens when I connect to the VPN.
Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25
10.0.4.0        *               255.255.255.0   U     100    0        0 enp0s25
cpe-75-191-161- 10.0.4.254      255.255.255.255 UGH   0      0        0 enp0s25
loopback        *               255.0.0.0       U     0      0        0 lo

Now, if I manually enter sudo route add -net 10.0.0.0/22 ppp0, I get this.
Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.0.0        *               255.255.252.0   U     0      0        0 ppp0
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25
10.0.4.0        *               255.255.255.0   U     100    0        0 enp0s25
cpe-75-191-161- 10.0.4.254      255.255.255.255 UGH   0      0        0 enp0s25
loopback        *               255.0.0.0       U     0      0        0 lo

Now everything works! By default data uses my network, but if the resource is at the other office, I am routed through my VPN. Where should I report this bug and should I report NM or pppd?
szatox
PostPosted: Wed Jul 22, 2015 6:58 pm

Quote:
You have some IP range you want to tunnel over VPN with the rest bypassing it?

Quote:
sudo route add -net 10.0.0.0/22 ppp0
:roll: 10.0.0.0/22

I'd report it to NM developers, it's clearly a configuration issue. And if somehow it isn't, they should know their stuff well enough to notice it, while pppd should not even know or care what is managing it.
The_Great_Sephiroth
PostPosted: Fri Jul 24, 2015 1:05 pm

Yes, /22, as in, 255.255.252.0. This gives the remote network (main office) 10.0.0.1-10.0.3.254 as a usable range. These are used for various things in-house. So no, that was not a typo. When you need more than 254 addresses, it is the only way to go!

Now, I will try to report this to the best of my ability. Should I report it to the Gentoo devs and let it go up through them?

*EDIT*

Just for fun, here is a network break-down!

10.0.0.1-200 - Servers (Mostly virtualized ones)
10.0.0.200-250 - Physical XenServer systems, normally with dual NICs
10.0.1.1-10.0.1.250 - Static workstations
10.0.2.1-200 - Dynamic devices such as laptops or mobile phones
10.0.2.201-250 - VPN IP addresses
10.0.3.1-100 - Static printing/scanning devices
10.0.3.101-200 - Static SIP/H323 phones
10.0.3.201-250 - Reserved

Remember, this is our MAIN office. Lots of goodies here we do not have at remote locations. Remote locations have VPN tunnels into the main office for access to servers and such.
The_Great_Sephiroth
PostPosted: Fri Jul 24, 2015 1:32 pm

Alright, this is NOT a bug. After reading, and doing some remembering, PPP is only aware of the device on the other end. When you check that box, you have to enter the route you want for the remote network. I did this under the "Routes" box for this particular network connection and all is good. Basically, you add a route for 10.0.0.0 with the netmask of 255.255.252.0 and set the metric to 22, and each time the connection comes up, it routes only packets destined for that network through the VPN. Everything else goes through my default gateway at my location.

To summarize:

  • Create the PPTP VPN connection and set everything up
  • Go to the IPv4 tab and change to Routes with the drop-down
  • Check "Use only for resources on this connection" to avoid changing your default gateway
  • Click the "Add" button and type in the network IP and the netmask of the remote network
  • Leave the "Gateway" at 0.0.0.0 and set the metric value to CIDR (in my case, 22)
  • Enjoy PPTP working correctly!

Hope this helps somebody else!
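Editor's added example (not code from this thread or from NetworkManager/pppd): the two routing tables pasted in the Jul 21 post, re-created here as constructed strings, run through a small model of the kernel's route selection so you can see why checking "only for resources on this connection" without a route for the remote network breaks things. The kernel picks the longest matching prefix and, among equal-length prefixes, the lowest metric; the prefix length comes from the netmask you enter, the metric only orders routes of the same length. Without the 10.0.0.0/22 entry, a packet for 10.0.1.5 matches only the default route and leaves via the local gateway 10.0.4.254 on enp0s25 instead of ppp0. The last helper is the check a practitioner wants before trusting a split tunnel: any route on another interface that is at least as specific as the remote prefix silently wins over the tunnel route for that part of the address space (the posted tables have none, since 10.0.4.0/24 lies outside 10.0.0.0/22; the test constructs one to show the effect). Destinations and the 8.8.8.8 probe are assumptions for illustration.

```python
"""Model of Linux route selection, used to verify a PPTP split tunnel.

Added example, not from the forum thread. Tables below are constructed from
the `route` output pasted in the post; the parser skips the truncated
hostname line since it cannot be resolved offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None means on-link ("*" in route output)
    metric: int
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route` output (the format pasted in the post) into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner and column header
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest, mask = "0.0.0.0", "0.0.0.0"
        elif dest == "loopback":
            dest = "127.0.0.0"
        try:
            net = ipaddress.IPv4Network((dest, mask))
        except ValueError:
            continue  # hostname destination (cpe-... line); not parseable offline
        routes.append(Route(net, None if gw == "*" else gw, int(metric), iface))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Route the kernel would use: longest prefix first, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(table_text: str, dest: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (interface, gateway) that dest would leave through, or None."""
    r = lookup(parse_route_table(table_text), dest)
    return (r.iface, r.gateway) if r else None


def split_tunnel_ok(table_text: str, remote_net: str, tunnel_iface: str,
                    outside_probe: str = "8.8.8.8") -> bool:
    """True when the remote network goes via the tunnel and other traffic does not."""
    routes = parse_route_table(table_text)
    net = ipaddress.IPv4Network(remote_net)
    inside = lookup(routes, str(net.network_address + 1))
    outside = lookup(routes, outside_probe)
    return (inside is not None and inside.iface == tunnel_iface
            and outside is not None and outside.iface != tunnel_iface)


def shadowing_routes(table_text: str, remote_net: str, tunnel_iface: str) -> List[Route]:
    """Routes on other interfaces that beat the tunnel route for part of remote_net:
    any overlapping prefix at least as long as remote_net's own prefix."""
    net = ipaddress.IPv4Network(remote_net)
    return [r for r in parse_route_table(table_text)
            if r.iface != tunnel_iface
            and r.network.prefixlen >= net.prefixlen
            and r.network.overlaps(net)]


# Constructed copy of the first table in the post (VPN up, "only for resources
# on this connection" checked, no route for the remote network).
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.4.254      0.0.0.0         UG    100    0        0 enp0s25
10.0.2.201      *               255.255.255.255 UH    0      0        0 ppp0
10.0.4.0        *               255.255.255.0   U     0      0        0 enp0s25
10.0.4.0        *               255.255.255.0   U     100    0        0 enp0s25
cpe-75-191-161- 10.0.4.254      255.255.255.255 UGH   0      0        0 enp0s25
loopback        *               255.0.0.0       U     0      0        0 lo
"""

# The same table after `route add -net 10.0.0.0/22 ppp0` (second table in the post).
AFTER = BEFORE + "10.0.0.0        *               255.255.252.0   U     0      0        0 ppp0\n"


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for dest in ("10.0.1.5", "10.0.2.201", "8.8.8.8"):
            print(label, dest, "->", egress(table, dest))
        print(label, "split tunnel ok:", split_tunnel_ok(table, "10.0.0.0/22", "ppp0"))
```

On a live box the same question is answered by "ip route get 10.0.1.5" and "ip route get 8.8.8.8" once the VPN is up; the first must show dev ppp0, the second the LAN interface. The two GUI settings from the summary above correspond to the NetworkManager connection properties ipv4.never-default (the "only for resources on this connection" box) and ipv4.routes (the "10.0.0.0/22" entry), which can also be set with nmcli connection modify.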