Hi,
On Sun, 21 Feb 2021 19:18:48 +0100
Radek <r...@int.pl> wrote:
>> The interface which terminate the tunnel has "192.168.4.254".
>> Right?
> Do you mean the other end of the tunnel? It is 10.109.4.254
> interface pppx0 address 10.109.4.254 ipcp IPCP
Sorry, "192.168.4.244" should have been "10.109.4.254".
>> How about if you configure the npppd-users
>>
>> rdk:
>> :password=passsssword:\
>> :framed-ip-address=10.109.4.254:\
>> :framed-ip-netmask=255.255.255.0:
>>
>> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
>> session authenticated by the above "rdk".
> I have tried to configure npppd-users with netmask /24, but it doesnt make
> any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel to
> 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24 through
> the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through default gw
> or sometimes some traffic to 10.0.0.0/8 through another tunnel at the same
> time. Now if the PPP tunnel is established the VPN catches all the 10.0.0.0/8
> traffic.
>
> The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw.
>
> Example:
> I have a public, static IP. There is configured route to 10.55.0.0/24 at the
> ISP's side and I dont need any VPN tunnel to access 10.55...... Somewhere
> over the rainbow is a router with LAN 10.109.3.0/24 and npppd.
> If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I
> can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel.
The route to the natural netmask of the tunnel address, 10.0.0.0/8 in
this case, is configured by Windows automatically. I don't know a way
to stop or override this. But by using another addresses for the
tunnel, you can avoid the problem. Also we can use dhcpd(8) to push
routes configuration.
For example,
1. Use 192.168.255.0/24 for the tunnel to avoid the conflict on
10.0.0.0/8.
ipcp IPCP {
pool-address 192.168.255.1-192.168.255.32
:
interface pppx0 address 192.168.255.254 ipcp IPCP
---
rdk:
:password=passsssword:\
:framed-ip-address=192.168.255.32:
2. Configure dhcpd
/etc/dhcpd-l2tp.conf
----
subnet 192.168.255.0 netmask 255.255.255.0 {
option classless-ms-static-routes 10.109.3.0/24 192.168.255.254;
option classless-static-routes 10.109.3.0/24 192.168.255.254;
}
---
$ doas /usr/sbin/dhcpd -u255.255.255.255 -c /etc/dhcpd-l2tp.conf
> On Sun, 21 Feb 2021 23:18:19 +0900 (JST)
> YASUOKA Masahiko <yasu...@openbsd.org> wrote:
>
>> Hello,
>>
>> On Sat, 20 Feb 2021 21:14:24 +0100
>> Radek <r...@int.pl> wrote:
>> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw
>> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
>> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes
>> > via 10.109.4.254
>> >
>> > client> route print
>> > Network Destination Netmask Gateway Interface Metric
>> > 0.0.0.0 0.0.0.0 192.168.1.1
>> > 192.168.1.101 20
>> > 10.0.0.0 255.0.0.0 10.109.4.254
>> > 10.109.4.1 21
>> > 10.109.4.1 255.255.255.255 On-link 10.109.4.1
>> > 276
>> > [...]
>>
>> The interface which terminate the tunnel has "192.168.4.254".
>> Right?
>>
>> > $ cat /etc/npppd/npppd-users
>> > rdk:\
>> > :password=passsssword:\
>> > :framed-ip-address=10.109.4.1:
>> > #:framed-ip-netmask=255.255.255.0:
>>
>> How about if you configure the npppd-users
>>
>> rdk:
>> :password=passsssword:\
>> :framed-ip-address=10.109.4.254:\
>> :framed-ip-netmask=255.255.255.0:
>>
>> ?
>>
>> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
>> session authenticated by the above "rdk".
>>
>>
>> On Sat, 20 Feb 2021 21:14:24 +0100
>> Radek <r...@int.pl> wrote:
>> > Hi,
>> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw
>> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
>> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes
>> > via 10.109.4.254
>> >
>> > client> route print
>> > Network Destination Netmask Gateway Interface Metric
>> > 0.0.0.0 0.0.0.0 192.168.1.1
>> > 192.168.1.101 20
>> > 10.0.0.0 255.0.0.0 10.109.4.254
>> > 10.109.4.1 21
>> > 10.109.4.1 255.255.255.255 On-link 10.109.4.1
>> > 276
>> > [...]
>> >
>> > I need to redirect the traffic to 10.109.4.254 only if it goes to the
>> > remote LAN (10.109.3.0/24), the rest should go via def gw.
>> > How can I configure it on the router/server side ?
>> >
>> > $ cat /etc/npppd/npppd.conf
>> > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
>> > # sample npppd configuration file. see npppd.conf(5)
>> >
>> > set max-session 200
>> > set user-max-session 4
>> >
>> > authentication LOCAL type local {
>> > users-file "/etc/npppd/npppd-users"
>> > }
>> > tunnel L2TP protocol l2tp {
>> > listen on X.X.X.X
>> > }
>> >
>> > ipcp IPCP {
>> > pool-address 10.109.4.1-10.109.4.32
>> > dns-servers 1.1.1.1
>> > }
>> >
>> > # use pppx(4) interface. use an interface per a ppp session.
>> > interface pppx0 address 10.109.4.254 ipcp IPCP
>> > bind tunnel from L2TP authenticated by LOCAL to pppx0
>> >
>> > $ cat /etc/npppd/npppd-users
>> > rdk:\
>> > :password=passsssword:\
>> > :framed-ip-address=10.109.4.1:
>> > #:framed-ip-netmask=255.255.255.0:
>> >
>> > $ dmesg | head
>> > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
>> >
>> > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> >
>> > --
>> > Radek
>> >
>>
> --
> Radek
>
