0

My /etc/network/interfaces:

auto lo
iface lo inet loopback

auto wan
iface wan inet static
        address $myPublicIP
        netmask $ispSubnet
        gateway $ispGateway

auto vpn
iface vpn inet static
        address 10.102.1.194
        netmask 255.255.255.192
        up ip route add 192.168.10.32/27 via 10.102.1.196 dev vpn src 10.102.1.194 metric 10
        up ip route add 192.168.11.0/24 via 10.102.1.196 dev vpn src 10.102.1.194 metric 10

ip r shows as expected:

default via $wanGateway dev wan onlink 
$wanGateway/$wanCIDR dev wan proto kernel scope link src $wanIP 
10.102.1.192/26 dev vpn proto kernel scope link src 10.102.1.194 
192.168.10.32/27 via 10.102.1.196 dev vpn src 10.102.1.194 metric 10 
192.168.11.0/24 via 10.102.1.196 dev vpn src 10.102.1.194 metric 10

But even after reboot, traffic goes via LAN (a.k.a vpn) gateway, 10.102.1.193/27:

traceroute to 192.168.11.2 (192.168.11.2), 30 hops max, 60 byte packets
 1  10.102.1.193 (10.102.1.193)  368.435 ms  368.370 ms  368.316 ms^C

This is Debian 10 LXC container under Proxmox VE 6.0-9. Is it the culprit, or am I missing something there? I tried this answer, but it didn't work for some reason - adding table and/or ip rule doesn't affect the outcome.

Improve this question
4
  • What is the expected outcome then? And what do you get from ip route get 192.168.11.2 & ip route show match 192.168.11.2?
    – grawity_u1686
    Commented Nov 14, 2019 at 19:33
  • Not sure if it matters but why do they have metric?
    – Tom Yan
    Commented Nov 15, 2019 at 1:51
  • @grawity 192.168.X traffic goes via 10.102.1.196 gateway (which is connected to SSTP server 10.102.1.193.
    – user541663
    Commented Nov 15, 2019 at 10:21
  • @Tom Yan I wanted to check if metric override would do the trick. Seems not.
    – user541663
    Commented Nov 15, 2019 at 10:21

1 Answer 1

Reset to default
1

The fact that there's no route that has 10.102.1.193 as gateway being listed in ip r, and the fact that the interface name is vpn, makes me wonder if it's actually a tun (or anything of level/layer 3). In that case the via part of the routes wouldn't make a difference as there's no ARP/MAC involved.

For example with OpenVPN (with tun), the way to use a client as gateway is to enable client-to-client and add corresponding iroute for a route pushed (or configured on a client), so that the VPN server will know where (i.e. which client) to direct the traffics (instead of "letting it out" on its own host).

Though the VPN appears to be a multi-client setup, with that and OpenVPN you don't usually configure address in this way (as in fact, it requires you set iroute for the address, otherwise the server wouldn't even response to you ping through the tunnel). So perhaps this is purely my wild guess (or you are doing everything wrong).

Improve this answer
10
  • This container is located inside 10.102.1.192/27 VLAN behind Mikrotik CHR, and the 10.102.1.196 is another site, connected via SSTP, and input/output/forwarding firewall rules enabled on it (196).
    – user541663
    Commented Nov 15, 2019 at 10:23
  • @ivdok what does ip l show vpn give anyway?
    – Tom Yan
    Commented Nov 17, 2019 at 3:45
  • 422: vpn@if423: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 3e:a4:ab:e7:8f:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    – user541663
    Commented Nov 17, 2019 at 18:20
  • What about ip r show via 10.102.1.193 table all?
    – Tom Yan
    Commented Nov 17, 2019 at 19:36
  • It returns nothing.
    – user541663
    Commented Nov 17, 2019 at 21:12

You must log in to answer this question.