
I have set up a VPN client (on Ubuntu) behind a SonicWall, but I can't see any machine on the WAN when it is running.

When I am connected to the VPN I can't see the WAN router (and no domain names resolve). I can't ping the WAN router (from the LAN client) when I am "connected".

ifconfig (not connected)

enp5s0    Link encap:Ethernet  HWaddr 00:1c:23:e1:ec:ca
          inet addr:10.0.10.60  Bcast:10.0.10.255  Mask:255.255.255.0
          inet6 addr: eeee::21c:23ff:fee1:ecca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4917 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2834 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6667701 (6.6 MB)  TX bytes:250136 (250.1 KB)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12080 (12.0 KB)  TX bytes:12080 (12.0 KB)

ifconfig (connected)

enp5s0    Link encap:Ethernet  HWaddr 00:1c:23:e1:ec:ca
          inet addr:10.0.10.60  Bcast:10.0.10.255  Mask:255.255.255.0
          inet6 addr: eeee::21c:23ff:fee1:ecca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5275 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6703007 (6.7 MB)  TX bytes:345599 (345.5 KB)
          Interrupt:16

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:164 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12080 (12.0 KB)  TX bytes:12080 (12.0 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.16.10.6  P-t-P:10.16.10.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

I could be misunderstanding something, but I believe my network IP should be in the 10.0.10.xxx range; however, when the VPN is "connected" (I use that term loosely), it is showing an IP of 10.16.10.6.

This would be restricted by the SonicWall and would explain why I can't see the WAN. How can I make it pick an IP in the range of my LAN?

I assume I need to set something in /etc/network/interfaces.

Current /etc/network/interfaces

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto enp5s0
iface enp5s0 inet dhcp
  address 10.0.10.60
  netmask 255.255.255.0
  gateway 10.0.10.10

Thanks

Beakie
  • Your default route is probably changing when connected to the VPN. By the way, your network IP (Internet Protocol) is Version 4, not `10.0.10.xxx` or `10.16.10.6`; I think you mean your IP address. – Ron Maupin Oct 01 '16 at 01:58
  • Looks like a subnet issue. Hard to say exactly but looks like your VPN server is setup on a different subnet do you have the config? – Joshmello Oct 01 '16 at 01:35

1 Answer


The VPN "address" that you are seeing is never seen by your SonicWall router. It is specific to the VPN tunnel and is only seen by the VPN tunnel.

The VPN tunnel has set your default route (type 'route' at a command prompt to see it) to send all traffic by default to the remote end of the VPN tunnel, i.e., 10.16.10.5. This is probably because the router administrator at the remote end was lazy and didn't feel like enumerating all the networks at the remote end so that your end could set up network routes to those networks. Instead he used the blunt force hammer of "send it all". His router also apparently is not set up to route VPN traffic to the Internet, probably because of misguided network security concerns.

All of that is, alas, on your router administrator's end, and not something you can change. However, if you know the networks that you want to talk to at the remote end, you can do what that administrator was too lazy to do, and set up a route pointed at the VPN to do so. For example, if you know the remote network you're trying to get to is 10.20.10.x, then after the connection:

# run as root; the tunnel's default route must be removed first, otherwise
# 'route add default' fails with "SIOCADDRT: File exists"
route del default gw 10.16.10.5
route add default gw 10.0.10.10
route add -net 10.20.10.0/24 gw 10.16.10.5

That will flip your default route back to your local router, and set up a route through the tunnel that is only the network that you're trying to get to. Then when you bring down the tunnel, you just need to get rid of the -net route:

route del -net 10.20.10.0/24 gw 10.16.10.5

Voila, back to normal.

eric.green
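The check and the route changes the answer describes, written up as an added example (this is not the answerer's code): a small dry-run helper that reads a `route -n` table, reports whether the default route has been captured by the tunnel, and emits the corrective route commands for review instead of running them. The addresses are the ones from the question (LAN gateway 10.0.10.10, tunnel peer 10.16.10.5); the remote network 10.20.10.0/24 is the answer's hypothetical example, and the sample routing table is constructed to match the "connected" ifconfig output above.

```shell
#!/bin/sh
# Added example, not from the original answer. Parses a `route -n` table,
# detects a default route that leaves via a tun/tap device, and prints the
# commands that pin the default route back to the LAN router while sending
# only the named remote networks through the tunnel. Nothing here modifies
# the routing table; the output is meant to be read and then run as root.

# Constructed sample of `route -n` output while the tunnel is up
# (addresses from the question; the remote network is hypothetical).
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.16.10.5      0.0.0.0         UG    0      0        0 tun0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 enp5s0
10.16.10.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0'

# default_gateway TABLE: print the gateway of the 0.0.0.0/0 route.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }'
}

# default_iface TABLE: print the interface of the 0.0.0.0/0 route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# default_via_tunnel TABLE: exit 0 when the default route leaves via a tun/tap device.
default_via_tunnel() {
    case "$(default_iface "$1")" in
        tun*|tap*) return 0 ;;
        *)         return 1 ;;
    esac
}

# fix_commands LAN_GW TUN_PEER NET...: emit the commands that hand the default
# route back to the LAN router and route only the listed networks via the tunnel.
fix_commands() {
    echo "route del default gw $2"
    echo "route add default gw $1"
    _tun_peer=$2
    shift 2
    for _net in "$@"; do
        echo "route add -net $_net gw $_tun_peer"
    done
}

# undo_commands TUN_PEER NET...: emit the matching cleanup for when the tunnel comes down.
undo_commands() {
    _tun_peer=$1
    shift
    for _net in "$@"; do
        echo "route del -net $_net gw $_tun_peer"
    done
}

# Usage against the constructed table; on a real host feed in "$(route -n)" instead.
if default_via_tunnel "$SAMPLE_TABLE"; then
    echo "default route -> $(default_gateway "$SAMPLE_TABLE") via $(default_iface "$SAMPLE_TABLE"): tunnel has captured all traffic"
    echo "suggested fix:"
    fix_commands 10.0.10.10 10.16.10.5 10.20.10.0/24
    echo "cleanup after disconnect:"
    undo_commands 10.16.10.5 10.20.10.0/24
else
    echo "default route is not via the tunnel; nothing to do"
fi
```

Read the emitted commands before running them as root. One caveat: some VPN clients (OpenVPN with `redirect-gateway def1`, for instance) do not replace the default route at all but add two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, that override it; on such a host the 0.0.0.0 line still points at the LAN router, this check reports nothing, and it is those two /1 routes that have to be removed instead.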