Re: network newbie seeks help combining routesets for VPN tunnel

To: debian-user@lists.debian.org,
Subject: Re: network newbie seeks help combining routesets for VPN tunnel
From: Tom Roche <Tom_Roche@pobox.com>
Date: Mon, 09 Mar 2015 23:55:32 -0400
Message-id: <[🔎] 8761a94ibv.fsf@pobox.com>
Reply-to: debian-user@lists.debian.org, Tom Roche <Tom_Roche@pobox.com>
In-reply-to: <54C55592.5060507@mattventura.net>
References: <54C55592.5060507@mattventura.net> <54C46278.8090208@mattventura.net> <54C42517.2060508@mattventura.net> <87egqlrx06.fsf@pobox.com> <abb116082uv8@mids.svenhartge.de> <54C2B359.7000408@mattventura.net> <7bb023u82uv8@mids.svenhartge.de> <54C1C14D.1040406@mattventura.net> <87k30es73k.fsf@pobox.com> <87mw5asg8x.fsf@pobox.com> <54C1485E.2060408@mattventura.net> <54C09651.3070105@mattventura.net> <54BFE8CE.9010302@mattventura.net> <87vbk0rpkj.fsf@pobox.com> <87sif3sts8.fsf@pobox.com> <87ppa6socq.fsf@pobox.com> <87bnlnsxl6.fsf@pobox.com> <874mrfsgzr.fsf@pobox.com> <871tmjroj7.fsf@pobox.com>

Apologies for letting this thread[1] drop--I was forced to handle other interrupts for a few weeks. Basically, I need to make a networking configuration work, but am currently (apparently) blocked by inability to set a route. Details:

A brief summary of what I need to do to get back to work on a science project[2] is

1. I must `ssh` from a Debian laptop through a firewall to a compute cluster, where I can do the actual science.
2. The cluster's admins (aka "the agency") require use of an F5VPN to cross the firewall, and maintain the F5VPN server through which I must connect.
3. The F5VPN client is entirely {proprietary, blackbox to me, nonconfigurable by me}.
4. The agency (now) requires "security" features which I'm attempting to meet using a cloud node (on which I have root, and which also runs Debian and an OpenVPN server) as a jumpbox.
5. Both the F5VPN and OpenVPN clients run on my laptop (on which I am sole root).

(Full/gory details regarding networking requirements and history available here[3], toy diagram here[4].) My current problem is, I'm not able to set (i.e., `ip route add`) one of the routes I believe I need to make this VPN configuration work, and thus meet my networking requirements. I get to that point via the following sequence:

1. [initial routeset , start OpenVPN client] -> OpenVPN routeset
2. [OpenVPN routeset , start F5VPN client  ] -> F5VPN-imposed routeset
3. delete F5VPN-imposed routeset
4. set F5VPN-through-OpenVPN routeset

Sequence details:

My laptop's "initial routeset" (i.e., what `ip route show`s after restarting the laptop when connected to the modem) is

0: default via 192.168.1.1 dev eth0 proto static
1: 169.254.0.0/16 dev eth0 scope link metric 1000
2: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN

(I'll parameterize some IP#s for clarity. E.g., in the above, LOCAL_IPN==192.168.1.142 , i.e., the laptop's LAN IP#.) At this point, DNS (and `ping`, etc) works, and if I browse to (e.g.) whatismyip.com I see my modem's IP#==INITIAL_PUBLIC_IPN . After I

1. start the OpenVPN server process on my cloud node
2. start the OpenVPN client process on my laptop

I get the following "OpenVPN routeset":

0: 0.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
1: default via 192.168.1.1 dev eth0  proto static
2: OPENVPN_GATEWAY_IPN via OPENVPN_ENDPT_IPN dev tun0
3: OPENVPN_ENDPT_IPN dev tun0  proto kernel  scope link  src OPENVPN_SRCPT_IPN
4: 128.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
5: 169.254.0.0/16 dev eth0  scope link  metric 1000
6: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
7: 192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_IPN

(FWIW, I have never observed any change in the following IP#s, despite repeated use:

OPENVPN_GATEWAY_IPN='10.8.0.1'
OPENVPN_ENDPT_IPN=  '10.8.0.5'
OPENVPN_SRCPT_IPN=  '10.8.0.6'

) As suggested by the OpenVPN routeset, my OpenVPN client (which is quite "vanilla"[5]) adds a new link/interface=tun0, and subsequently other sites see a new public IP#==OPENVPN_PUBLIC_IPN . DNS still works, and networking life is good. But after I

1. login to the agency's remote-access website (RAW) using a special, F5-ed browser[6]
2. use the RAW's web UI to connect to the F5VPN server

I get the following "F5VPN-imposed routeset":

0: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  proto none  metric 1 
1: default via 192.168.1.1 dev eth0  proto static 
2: F5VPN_GATEWAY_IPN dev ppp0  proto kernel  scope link  src F5VPN_ENDPT_IPN 
3: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  proto none  metric 1 
4: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0  proto none  metric 1 

(F5VPN_GATEWAY_IPN, F5VPN_ENDPT_IPN, and F5VPN_PUBLIC_IPN all seem to change with each F5VPN use/connection.) At this point I also have a new link/interface=ppp0. However, at this point I cannot either `ping` or DNS: e.g.,

    $ ping -c 4 141.101.120.15 # == www.whatismyip.com
    PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

    --- 141.101.120.15 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3022ms

    $ nslookup www.whatismyip.com
    ;; connection timed out; no servers could be reached

So it seems the F5VPN client cannot set routes that will work with the OpenVPN; to be fair, that is probably because the F5VPN knows nothing about the OpenVPN. Hence, after previous discussion (e.g., this post[7]), I first deleted (with this code[8]) the F5VPN-imposed routeset, then tried to set the following "F5VPN-through-OpenVPN routeset" (using this code[9]):

0: 192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_IPN
1: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  metric 1
2: default via 192.168.1.1 dev eth0  proto static
3: F5VPN_GATEWAY_IPN dev ppp0  proto kernel  scope link  src F5VPN_ENDPT_IPN
4: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  metric 1
5: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
6: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0  metric 1

I can `ip route add` all of the above ... *except* the last route#=6! which gets the response

> RTNETLINK answers: Network is unreachable

This appears to be a real failure, in that if I subsequently (i.e., immediately after running the above script[9]) do

$ sudo ip route add ${F5VPN_PUBLIC_IPN} via ${OPENVPN_ENDPT_IPN} dev tun0  metric 1

from the commandline, I get the same failure. And, just to be clear, at this point my networking is just as broken as before: both `ping` and DNS fail until I disconnect from the F5VPN, stop the OpenVPN, and restore my initial routeset and linkset.

So ... how to fix this? What am I doing wrong? Any assistance you can provide is much appreciated! and will be paid-forward via the above code and wiki.

TIA, Tom Roche <Tom_Roche@pobox.com>

[1]: first post @ https://lists.debian.org/debian-user/2015/01/msg00732.html , last post before this one @ https://lists.debian.org/debian-user/2015/01/msg00905.html
[2]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-new-architecture-diagram
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-id5
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[7]: https://lists.debian.org/debian-user/2015/01/msg00905.html
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/delete_current_routes.sh
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/set_F5VPN_routes.sh

Reply to:

Prev by Date: Re: Jessie sufficiently stable for general use?
Next by Date: Installing Jessie on a computer that current has Windows 7 on it
Previous by thread: Re: How to pinpoint the package responsible for an unhandled IRQ?
Next by thread: Installing Jessie on a computer that current has Windows 7 on it
Index(es):
- Date
- Thread