3

I've set up an L2TP/IPsec VPN using OpenSwan and xl2tpd using the "nodefaultroute" ppp option. The server's virtual IP address is set to 10.10.31.1 and it allocates addresses in the range 10.10.31.2-254. This sets up PPP links between 10.10.31.1 <-> 10.10.31.2 etc. and this works fine - the VPN-connected hosts can communicate with the server.

How can I set up the ppp link so the server end looks like the entire range 10.10.0.0 instead of just that IP address? I am hoping that connecting clients will then route any requests for that subnet via the VPN interface, where the server can catch them and act as a gateway. Going in the other direction, the "proxyarp" option will allow the VPN server to catch traffic back to the VPN clients.

One obvious solution to this is to use the VPN server as the default route. I would prefer not to do this, so that only the traffic specific to that subnet goes through the VPN. Is this even possible?

Tom K
  • 151
  • 1
  • 6
  • 2
    Networking terminology is complex, and context seems to be required for everything. Please don't take this personally, but even with a couple decades of TCP/IP networking, I simply cannot figure out what you are describing. There are too many poorly defined words involved here. The variety of tunneling and virtual things involved don't help. In lieu of a much longer post, maybe a diagram of what you have, and what you want, might help (be sure to label all interfaces, virtual or real). – Skaperen Dec 05 '12 at 06:53
  • @Skaperen Yep I'm slightly less dumb now. Thanks for the kindly-written comment. – Tom K Apr 09 '13 at 12:57

1 Answers1

2

As I suspected the problem is that I'm a bit of a numpty. In case anyone finds this question and is wondering the same thing, these are the key things you should know:

nodefaultroute doesn't go in your VPN server config. It is something for a PPP client. PPP clients are responsible for deciding whether or not to create a default route. This is the "Send all traffic" checkbox on iOS.

Your PPP client will always create a route to the remote gateway, plus a route for the remote subnet. Provided that you have IP forwarding enabled on your VPN server (/proc/sys/net/ipv4/ip_forward = 1 plus appropriate iptables rules on linux) your client will be able to send traffic to hosts on the remote subnet.

You must specify proxyarp in the ppp options.xl2tpd file for hosts on the VPN server's LAN to be able to send traffic back to clients. This will create an entry in the arp table and enable the proxy_arp option in the kernel. This allows the VPN server to accept packets on behalf of VPN clients using its own ethernet interface. If you don't want to do this or need to cross routers it appears that putting the VPN clients behind NAT is a popular solution, though I didn't test this myself.

Use the ms-dns ppp option to provide a nameserver for clients if they are going to use the VPN as a default route. Otherwise an iPad will complain that it's not connected to the internet.

Tom K
  • 151
  • 1
  • 6
  • You should accept your answer so that the question doesn't keep popping up forever, looking for an answer. – Ron Maupin Nov 30 '17 at 04:05
  • @RonMaupin Done, thanks for the heads up. I had no idea old questions got cycled through again. Pretty underwhelming outcome all those years ago... – Tom K Nov 30 '17 at 07:45