16

I am setting up a new cluster in my new workplace, and I am still administering another cluster in my last workplace. Basically I am "copying" the configuration of the first one to set up the new one.

Now I am at home, and I would like to use both VPN connections simultaneously instead of one after the other, to access both clusters at the same time. In my opinion this is not possible, but maybe someone has an idea?

One VPN connection uses OpenVPN and the second uses the Cisco VPN client. Or maybe it is possible to play with route rules to obtain that? I am not very experienced in networking.

I am trying to use route -n to re-define the rules for the different sub-interfaces. Here is what I get when no VPN is active:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0

Now if I switch on the Cisco VPN (VPN1):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0

If I switch on the OpenVPN (VPN2):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1      0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     192.168.2.17    255.255.255.0   UG    0      0        0 tun0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
zzz.zzz.zz.zz   10.1.0.1        255.255.255.255 UGH   0      0        0 eth0

And now if I switch on both (first vpn2 and then vpn1):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Ideally, all the requests for xxx.xxx.xxx.0 should go as when only VPN1 is active (cscotun0), all the requests for 192.168.2.0 should go through 192.168.2.17 (tun0), and the others through eth0 ...

I am not used to routing, and would appreciate any help.

EDIT: inspired by the answers, I am trying to play with the route command to try to correctly set up my config.

To be more clear, I have edited the above route tables to reflect the result of the route -n command, which is more informative. I have also modified my home router so that I have 10.1.0.0 nm 255.255.255.0 IP addresses at home.

If I understand well, when only VPN2 (tun0) is active, it uses the default gateway of my home (10.1.0.1) and defines a few new routes; tell me if I understand wrong:

192.168.1.0   192.168.2.17 -> this says "everything for the 192.162.1.0 network (VPN2 network) passes through the official gateway 192.168.2.17"
192.168.2.17  0.0.0.0 -> this says "everything for host 192.168.2.17 goes to the default gateway (0.0.0.0)", which is currently pointing to my home router
zzz.zzz.zz.zz 10.1.0.1 -> this says "everything for zzz.zzz.zz.zz passes through my home router (10.1.0.1)"

When I switch on VPN1 alone, it overrides the default gateway with its own (xxx.xxx.xxx.53) and everything is redirected to it. This is also why I can't see my home network, btw (if I am right).

Now, I see that when I switch both VPN on, the default gateway is redirected to the one of VPN1 (xxx.xxx.xxx.53), and what I am asking is: How can I set up rules, so that:

  • everything for 198.162.1.0 goes through 198.162.2.17
  • things for 198.162.2.17 pass through 10.1.0.1
  • things for xxx.xxx.xxx.0 pass through xxx.xxx.xxx.117
  • things for 10.1.0.0 pass to 10.1.0.1

I have tried to play with route add and route del, but I am more or less doing things by trial and error, and I would rather understand what I am supposed to do, and whether the rules I want to apply here are correct or basically stupid...

EDIT 2: Following the suggestion of MariusMatutiae, I append here the result of ifconfig when both VPNs are on:

cscotun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:xxx.xxx.xxx.117  P-t-P:xxx.xxx.xxx.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1380  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4007 (4.0 KB)  TX bytes:3789 (3.7 KB)

eth0      Link encap:Ethernet  HWaddr 00:21:cc:6b:3e:ae  
          inet addr:10.1.0.226  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: fe80::221:ccff:fe6b:3eae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14287030 (14.2 MB)  TX bytes:5521200 (5.5 MB)
          Interrupt:20 Memory:f3a00000-f3a20000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9928 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9928 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4962141 (4.9 MB)  TX bytes:4962141 (4.9 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.18  P-t-P:192.168.2.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:103523 (103.5 KB)  TX bytes:56000 (56.0 KB)

EDIT 3:

Description of what does not work: after I switch both VPNs on, I cannot reach VPN tun0; and if I try to ping something outside xxx.xxx.xxx.0 I get ping: sendmsg: Operation not permitted.

Ideally, I would like to access both VPNs (if the DNS for the VPN nets does not work I can manage with direct IPs, not a problem) and ideally access my local LAN too...

Unfortunately I am not enough of an iptables expert to understand how I am supposed to do this.

Thanks in advance

5
  • 1
    I have 5 VPNs connected at the same time on one of my system that routes/firewalls traffic between the various VPNs. Getting it all setup right is simply about properly understanding and configuring your routes.
    – Zoredache
    Commented Jan 31, 2014 at 0:19
  • I do this all the time. I use two paid services. Both support OpenVPN
    – Ramhound
    Commented Feb 1, 2014 at 1:41
  • Thanks, could you please add an answer to show me a couple of route commands to do it please? Thanks
    – Danduk82
    Commented Feb 2, 2014 at 15:23
  • 1
    What exactly is wrong with your configuration right now? Which of the two subnets can you not reach? Can you reach the internet? Have you checked that the three subnets are all different? Have you checked that the OpenVPN client and server configuration files do not contain a statement including def1? Commented Feb 6, 2014 at 14:01
  • after I switch on cscotun0 I cannot reach the tun0 vpn. I have checked, no def1 in both configurations. See my 3rd edit.
    – Danduk82
    Commented Feb 6, 2014 at 20:53

3 Answers

11

You can certainly use several VPNs simultaneously. The major issue in arranging this is making sure the routing table is correct, because all VPNs will try to alter it without assuming there are more VPNs doing the same thing.

Your scenario is very simple, because you are basically using VPNs to access remote LANs, not to redirect all of your traffic. The latter configuration would have required a more complex setup, but in your case we can get away with much less work.

A precondition for this to work is that all subnets are different: your home's, and your two workplaces'.

Supposing you have arranged this already, then you must make sure that your client configuration file for OpenVPN does not contain the following statement:

    redirect-gateway def1

and that the server configuration file does not contain the following statement:

    push "redirect-gateway def1 bypass-dhcp"

Since you are only interested in working with two VPNs, this already solves your problem, because, even if the other VPN grabs the default route, there will be a single default route in your routing table, and you are done.

However, Cisco VPN does not, by default, grab the default route. So you should be ok. To check, make sure that the output of route -n contains a couple of lines like the following,

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.73.1    0.0.0.0         UG    0      0        0 eth0

where 192.168.73.1 is your home default router (change as needed, if your router is not 192.168.73.1).

This problem would have been a whole lot more fun if you had wanted to redirect all traffic through both VPNs simultaneously (yes, it can be done).

Edit:

You may also surely use OpenVPN on different network interfaces, if you care to. As an example, you may bring up a virtual interface based on your ethernet card as follows,

   ip link add link eth0 mac0 address 56:61:4f:7c:77:db type macvlan
   ip link set mac0 up
   dhclient mac0

and now check the IP address of the virtual interface mac0 with

   ip addr show

Then, in your openvpn client config file, you may introduce the statement

   local IP_address_of_mac0

and when you connect to your OpenVPN server, the connection will have bound only to the interface mac0. Then, to access the remote LAN, you need to remember to bind all applications to the same interface mac0, and to its IP address. For instance, to access a pc via ssh this way, you will have to say:

    ssh -b IP_address_of_mac0 user@remote_LAN_pc

and so on. For ping, you should use

    ping -I IP_address_of_mac0 remote_LAN_pc
2
  • when I try to ping machines outside VPN1 range, I get the error: ping: sendmsg: Operation not permitted what does it mean? (even if using -I ip_of_other_network_interface syntax)
    – Danduk82
    Commented Feb 2, 2014 at 15:24
  • @Danduk82 please post ifconfig and routing table. Add it to you post, makes it much easier to read. Commented Feb 2, 2014 at 15:39
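A small checker for the routing tables in the question, written in Python as an added example (it is not code from the question or from either answer): it parses route -n output, reports which interface owns the default route, flags the duplicate-prefix situation the second answer warns about, and returns the ip route commands that put the default back on the home router and re-add a lost VPN-LAN route. The sample table is constructed from the asker's "both VPNs on" output with the masked xxx.xxx.xxx prefix replaced by the documentation range 203.0.113.0/24 (a placeholder); 10.1.0.1 and the interface names are the ones on the page.

```python
import ipaddress

# Constructed sample: the asker's "both VPNs on" table, with the masked
# xxx.xxx.xxx prefix replaced by the documentation range 203.0.113.0/24.
ROUTE_N_BOTH = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.117   0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""

def parse_routes(text):
    """One dict per `route -n` row; the two header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0][0].isdigit():
            rows.append({"net": ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False),
                         "gw": f[1], "metric": int(f[4]), "iface": f[7]})
    return rows

def default_iface(rows):
    """Interface of the lowest-metric 0.0.0.0/0 entry, or None."""
    defaults = [r for r in rows if r["net"].prefixlen == 0]
    return min(defaults, key=lambda r: r["metric"])["iface"] if defaults else None

def duplicate_prefixes(rows):
    """Same destination prefix on two interfaces: the kernel cannot tell the
    two LANs apart, so one of them has to be renumbered (second answer)."""
    seen, hits = {}, []
    for r in rows:
        key = str(r["net"])
        if seen.setdefault(key, r["iface"]) != r["iface"]:
            hits.append((key, seen[key], r["iface"]))
    return hits

def fix_commands(rows, lan_gw, wanted=(), lan_iface="eth0"):
    """Emit (not run) `ip route` commands: default back on the home LAN, plus
    any expected (prefix, gateway, iface) VPN-LAN route that is missing."""
    cmds = []
    if default_iface(rows) not in (None, lan_iface):
        cmds.append(f"ip route replace default via {lan_gw} dev {lan_iface}")
    present = {(str(r["net"]), r["iface"]) for r in rows}
    for net, gw, iface in wanted:
        if (net, iface) not in present:
            cmds.append(f"ip route add {net} via {gw} dev {iface}")
    return cmds
```

The commands are returned as strings, not executed; review them and run them as root on the machine where both tunnels are up.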
2

It is entirely possible to run multiple VPNs simultaneously.

I see a couple of issues with your setup -

Depending on what you are trying to do, you should make sure the VPN server does not publish (or you ignore, or use a lower metric for the correct) default route. Otherwise you have VPNs trying to route through each other and breaking. Of course, this implies that you are using VPNs only to reach specific networks/routes.

The second issue you may have (note the duplicate 192.168.1.0 networks with netmask 255.255.255.0) appears to be that both the networks you are trying to reach are at 192.168.1.x. This is a problem as the kernel does not know which one you are referring to. The correct solution is to renumber one of the networks so it is in a different network block. (There may be horrible, horrible, horrible hacks you can do with iptables and hosts files and other tricks to emulate this on your system, but it's highly specialist, fragile and not recommended.)

BTW, when producing route tables, it's generally better to use the "-n" switch so they show IPs rather than trying to resolve machine names - machine names mean nothing to us!!!

3
  • What do you mean by renumber one of the networks so it is in a different network block ? I cannot modify anything on the cisco VPN setup, but maybe I could change some stuff in the openvpn config file for the second connection.
    – Danduk82
    Commented Jan 31, 2014 at 8:04
  • I am at work now, and I see that the address of firewalllocal is also 192.168.1.1 . Is it a bad thing?
    – Danduk82
    Commented Jan 31, 2014 at 8:12
  • 1
    Yes - it's bad. Each device needs a unique IP address, otherwise it's insanely difficult to make it work (not something to attempt without a strong understanding of TCP/IP).
    – davidgo
    Commented Jan 31, 2014 at 18:10
0

What about simply setting up a W7 VM in VirtualBox, and using the 2nd VPN via that, then using bidirectional folder sharing between the host and guest? Simplicity. :)
