
Re: Share VPN connection



Ron Leach wrote:
> On 30/11/2013 20:22, François Fayard wrote:
>>
>> With the VPN, route gives :
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> default         *               0.0.0.0         U     0      0        0 ppp0
>> 10.42.0.0       *               255.255.255.0   U     0      0        0 eth0
>> strong-mf35.rel 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
>> strong-mf35.rel 192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
>> 129.189.255.173 *               255.255.255.255 UH    0      0        0 ppp0
>
> this seems to be the reverse of what was in ifconfig for ppp0.  I'm 
> not sure if that is correct.

I guess you mean 129.189.255.173 seems to be the reverse of
173.255.189.129, the remote address of ppp0. Actually it is not an
address but the partial (due to lack of display space) reverse DNS of
173.255.189.129:

Name :    129.189.255.173.client.dyn.strong-mf35.as54203.net
Address:  173.255.189.129

One should always run the route command with the -n option to avoid
reverse name resolution which, as can be seen, obfuscates the output.

>> 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> 
> I notice that your shared eth1 local LAN network is using
> 192.168.1.0/24,
> and your machine's IP address on eth1 is 192.168.1.30.
> 
> That address, 192.168.1.30, will be the local LAN's gateway to your 
> external VPN.  So check that all the other machines have a gateway 
> setting of 192.168.1.30.

No, eth1 is the internet side. The LAN side is on eth0.

> I'm a bit surprised to see the VPN *also* has a route in the 
> 192.168.1.0/24 range.

It doesn't. The only route to 192.168.1.0/24 is on eth1.

The routing table is correct if François wants to share the VPN with the
rest of the LAN. François must review the iptables rules to check that:
- SNAT/MASQUERADE is enabled on ppp0
- FORWARDed packets between eth0 and ppp0 are accepted.

Also, he must check which DNS the machines on the LAN use. If they use
the DNS proxy/relay provided by the internet box or the Debian router,
then it is fine. But if they use the DNS provided by the ISP, these
won't reply when queried through the VPN.
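
The two iptables checks listed in the message above, as an added example that is not part of the original post: a shell function that audits an iptables-save dump for source NAT on the VPN interface and for FORWARD acceptance in both directions. The rule sets are constructed samples and the function names are hypothetical; the interface names eth0 (LAN), eth1 (internet) and ppp0 (VPN) come from the thread.

```shell
#!/bin/sh
# Added example. Assumes rules sit directly in POSTROUTING/FORWARD (no user
# chains) and follow iptables-save ordering (-i, then -o, then -j).
# On a live router: check_vpn_share "$(iptables-save)" eth0 ppp0

# fwd_ok RULES IN_IF OUT_IF: true if the FORWARD policy is ACCEPT or an ACCEPT
# rule matches this direction. An earlier explicit DROP is not detected.
fwd_ok() {
    printf '%s\n' "$1" |
        grep -Eq -- "^:FORWARD ACCEPT |^-A FORWARD .*-i $2 .*-o $3 .*-j ACCEPT"
}

# check_vpn_share RULES LAN_IF VPN_IF: prints findings, returns 0 if all pass.
check_vpn_share() {
    rules=$1 lan=$2 vpn=$3 rc=0
    if printf '%s\n' "$rules" |
        grep -Eq -- "^-A POSTROUTING .*-o $vpn .*-j (MASQUERADE|SNAT)"; then
        echo "ok:      source NAT on $vpn"
    else
        echo "MISSING: SNAT/MASQUERADE on $vpn"; rc=1
    fi
    for pair in "$lan $vpn" "$vpn $lan"; do
        in_if=${pair% *} out_if=${pair#* }
        if fwd_ok "$rules" "$in_if" "$out_if"; then
            echo "ok:      FORWARD $in_if -> $out_if accepted"
        else
            echo "MISSING: FORWARD $in_if -> $out_if accept rule"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: NAT on ppp0, forwarding accepted both ways.
GOOD_RULES='*nat
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed sample: NAT left on eth1 (internet side), no return path.
BAD_RULES='*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
COMMIT'
```
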

