Home / ubuntu / Questions / 1155221
Accepted
mgilbert
Asked: 2019-07-02 05:20:31 +0800 CST

Configure Traffic for VPN

  • 772

I am having issues accessing remtote resources using the Cato VPN client. The subnet that I am connecting to via VPN looks like 

192.168.1.0/24
192.168.2.0/24
...

And my home network wifi interface / network looks like 

wlp58s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.98  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::e306:14d0:1888:c6b7  prefixlen 64  scopeid 0x20<link>
        inet6 2604:2000:12c1:c42a:0:a0c3:8dc2:729c  prefixlen 128  scopeid 0x0<global>
        inet6 2604:2000:12c1:c42a:14a4:c462:d46a:8396  prefixlen 64  scopeid 0x0<global>
        inet6 2604:2000:12c1:c42a:8c06:b847:efda:159a  prefixlen 64  scopeid 0x0<global>
        ether 9c:b6:d0:d5:24:05  txqueuelen 1000  (Ethernet)
        RX packets 1382636  bytes 1411037937 (1.4 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 354583  bytes 73040708 (73.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

when I attempt to acess 192.168.1.11 I get a server address IP could not be found error. I believe the issue is that 192.168.1.11 is being looked for locally on my home network, instead of over the VPN. One solution would be to change my home network to something else like 192.168.7.0/24 but I'm wondering if there are any other options?

The output for ip route with the client active is

default dev tun0 
default via 192.168.1.1 dev wlp58s0 proto dhcp metric 600 
45.62.183.62 via 192.168.1.1 dev wlp58s0 
169.254.0.0/16 dev wlp58s0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlp58s0 proto kernel scope link src 192.168.1.98 metric 600 
192.168.1.4 dev tun0

Without the vpn ip route shows

default via 192.168.1.1 dev wlp58s0 proto dhcp metric 600 
169.254.0.0/16 dev wlp58s0 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev wlp58s0 proto kernel scope link src 192.168.1.98 metric 600
networking vpn

1 Answers

  1. Best Answer

    You can see the problem in the ip route. Number 6 says the route to all 192.168.1.0/24 ip addresses is on device wlp58s0. This takes priority over rule 1 which says the default gateway is tun0 (the VPN). You seem to have diagnosed the problem correctly.

    Normally VPNs wouldn't use a subnet that's so common because it will be prone to issues like this. If you're ever on a network where you don't control the IPs such as a public wifi you won't be able to use the VPN.

    The best solution would probably change the VPN subnet to something more unique like 10.X.Y.0/24 and set your firewall rules so that this subnet has access to the remote 192.168.1.0/24 subnet.

    If that's not an option you could change your home subnet, but this isn't a portable solution.

    Finally, you could delete the rule: 

    192.168.1.0/24 dev wlp58s0 proto kernel scope link src 192.168.1.98 metric 600

    This would solve your problem, but cost you access to your local subnet. Also messing with your routing tables manually is risky if you don't understand networks very well.

    • 1