problem routing F5VPN over OpenVPN

Scripts that set up, destroy, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Post by TomRoche » Thu Mar 12, 2015 2:32 am

summary: I'm currently unable to tunnel an F5VPN (over which I have no control) through an OpenVPN (over which I have much control). I suspect this is due to a routing problem, but I Could Be Wrong. However, even if my diagnosis is correct, I'm unable to set (i.e., `ip route add`) one of the routes I believe I need: all of the others work, but the last route fails with `Network is unreachable`, at which point I have no networking (i.e., both `ping` and DNS fail) until I stop both the F5VPN and the OpenVPN and restore my original routes and links. How to fix?

details:

A computational-science project on which I need to work has these requirements:
  1. I must `ssh` from a Debian laptop through a firewall to a compute cluster, where I do the actual science.
  2. The cluster's admins require use of an F5VPN to cross the firewall, and maintain the F5VPN server through which I must connect.
  3. The F5VPN client is entirely {proprietary, blackbox to me, nonconfigurable by me}.
  4. The admins (now) require security features which I'm attempting to meet using a cloud node (on which I have root, and which also runs Debian and an OpenVPN server) as a jumpbox.
  5. Both the F5VPN and OpenVPN clients run on my laptop (on which I am sole root).
Full/gory details regarding networking requirements and history are available here; I also have a diagram summarizing my intended configuration.

My current problem is, I'm not able to set (i.e., `ip route add`) one of the routes I believe I need to make this VPN configuration work, and thus meet my networking requirements. I get to that point via the following sequence:
  1. using initial routeset: start OpenVPN client, which sets a "OpenVPN routeset"
  2. using OpenVPN routeset: start F5VPN client, which sets an "F5VPN-imposed routeset"
  3. delete F5VPN-imposed routeset (alternatively, set a null routeset)
  4. set "F5VPN-through-OpenVPN routeset"
Details about that sequence:

initial routeset

My laptop's initial routeset (i.e., what `ip route show`s after restarting the laptop when connected to my ISP's modem) is

0: default via 192.168.1.1 dev eth0 proto static
1: 169.254.0.0/16 dev eth0 scope link metric 1000
2: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
(I'll parameterize some IP#s for clarity. E.g., in the above, `LOCAL_IPN`==`192.168.1.142`, i.e., the laptop's LAN IP#.) At this point, DNS (and `ping`, etc) works, and if I browse to (e.g.) `whatismyip.com` I see my modem's IP#==`INITIAL_PUBLIC_IPN`.

OpenVPN routeset

After I
  1. start the OpenVPN server process on my cloud node
  2. start the OpenVPN client process on my laptop
the laptop gets the following "OpenVPN routeset" from my OpenVPN client (which is quite "vanilla"):

0: 0.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
1: default via 192.168.1.1 dev eth0  proto static
2: OPENVPN_GATEWAY_IPN via OPENVPN_ENDPT_IPN dev tun0
3: OPENVPN_ENDPT_IPN dev tun0  proto kernel  scope link  src OPENVPN_SRCPT_IPN
4: 128.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
5: 169.254.0.0/16 dev eth0  scope link  metric 1000
6: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
7: 192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_IPN
At this point, I also
  1. have a new link/interface=`tun0`
  2. am seen by remote sites--e.g., `whatismyip.com`, or the admins' remote-access website (aka `RAW`)--as having a new public IP#==`OPENVPN_PUBLIC_IPN`, which is the cloud node's static IP#, which is on the RAW's whitelist.
  3. use the following (apparently unchanging) IP#s:

OPENVPN_GATEWAY_IPN='10.8.0.1'
OPENVPN_ENDPT_IPN=  '10.8.0.5'
OPENVPN_SRCPT_IPN=  '10.8.0.6'
At this point, the OpenVPN tunnel is set up, and networking life is good: all normal services still work, notably `ping`, DNS, and HTTP. But now I need to run the F5VPN through the OpenVPN.

F5VPN-imposed routeset

To start my F5VPN client, I must
  1. login to the RAW using a special, F5-ed browser
  2. use the RAW's web UI to connect to the F5VPN server
This gives the laptop an "F5VPN-imposed routeset":

0: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  proto none  metric 1
1: default via 192.168.1.1 dev eth0  proto static
2: F5VPN_GATEWAY_IPN dev ppp0  proto kernel  scope link  src F5VPN_ENDPT_IPN
3: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  proto none  metric 1
4: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0  proto none  metric 1
(`F5VPN_GATEWAY_IPN`, `F5VPN_ENDPT_IPN`, and `F5VPN_PUBLIC_IPN` all seem to change with each F5VPN use/connection.) At this point I also have a new link/interface=`ppp0`. However, at this point I can neither `ping` nor resolve DNS: e.g.,

$ ping -c 4 141.101.120.15 # == www.whatismyip.com
PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

--- 141.101.120.15 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms

$ nslookup www.whatismyip.com
;; connection timed out; no servers could be reached
So it seems the F5VPN-imposed routes will not work with the OpenVPN, probably because the F5VPN knows nothing about the OpenVPN. Hence I first deleted (with this code) all of the F5VPN-imposed routeset, then tried to set the following routes (using this code):

F5VPN-through-OpenVPN routeset

0: 192.168.1.0/24 dev eth0  proto kernel  scope link  src LOCAL_IPN
1: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  metric 1
2: default via 192.168.1.1 dev eth0  proto static
3: F5VPN_GATEWAY_IPN dev ppp0  proto kernel  scope link  src F5VPN_ENDPT_IPN
4: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0  metric 1
5: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
6: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0  metric 1
I can `ip route add` all of the above ... except the last route (i.e., route#=6), which gets the response

RTNETLINK answers: Network is unreachable
This appears to be a real failure, in that if I subsequently (i.e., immediately after running the above script) do

$ sudo ip route add ${F5VPN_PUBLIC_IPN} via ${OPENVPN_ENDPT_IPN} dev tun0  metric 1
from the commandline, I get the same failure. And, just to be clear, at this point my networking is just as broken as before: both `ping` and DNS fail until I disconnect from the F5VPN, stop the OpenVPN, and restore my initial routeset and linkset.

So ... how to fix this? What am I doing wrong? E.g., I suspect I need another route to make `OPENVPN_ENDPT_IPN` reachable, but I don't know enough about Linux networking to know what that route should be. But perhaps I need Something Completely Different?

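An added example, not part of TomRoche's post: a POSIX shell script that rebuilds the "F5VPN-through-OpenVPN routeset" in an order the kernel will accept, and checks that order offline before applying anything. The kernel rule it respects is that `ip route add DST via GW dev DEV` is refused with `RTNETLINK answers: Network is unreachable` unless an existing route already makes GW reachable on DEV (a link-scope route covering GW, or GW being an address of DEV; the `onlink` flag is the exception). The F5VPN-imposed routeset quoted above no longer contains the `OPENVPN_ENDPT_IPN dev tun0 proto kernel scope link src OPENVPN_SRCPT_IPN` route the OpenVPN client had installed, so `F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0` has nothing to resolve its gateway against; the script re-adds that link route first. The 10.8.0.x addresses and `LOCAL_IPN` are the values quoted in the post; `OPENVPN_PUBLIC_IPN` and the `F5VPN_*` values are placeholders from the documentation ranges (assumptions, since the post parameterizes them and the F5 ones change per connection) and must be overridden from the environment with the real ones. `check_order` is a small awk re-implementation of that gateway rule for dry-run use, not the kernel's code.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the "F5VPN-through-OpenVPN"
# routeset in an order the kernel accepts, checking the order offline first.
#
# Kernel rule being respected: "ip route add DST via GW dev DEV" fails with
# "Network is unreachable" unless an existing route already reaches GW on DEV
# (a link-scope route covering GW, or GW being an address on DEV).

# Values quoted in the post.
OPENVPN_GATEWAY_IPN='10.8.0.1'
OPENVPN_ENDPT_IPN='10.8.0.5'
OPENVPN_SRCPT_IPN='10.8.0.6'
LAN_GW='192.168.1.1'
LAN_NET='192.168.1.0/24'
: "${LOCAL_IPN:=192.168.1.142}"
# Assumed placeholders (documentation ranges); override from the environment
# with the real addresses read from "ip route show" after the F5 client connects.
: "${OPENVPN_PUBLIC_IPN:=203.0.113.10}"
: "${F5VPN_PUBLIC_IPN:=198.51.100.20}"
: "${F5VPN_GATEWAY_IPN:=10.99.0.1}"
: "${F5VPN_ENDPT_IPN:=10.99.0.2}"
: "${DRY_RUN:=1}"   # 1: print the "ip ..." commands; 0: run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "ip $*"; else ip "$@"; fi
}

# Emit the routes, each gateway after the route that makes it reachable.
# "replace" rather than "add" so the script can be rerun safely.
build_routes() {
    run route replace "$LAN_NET" dev eth0 scope link src "$LOCAL_IPN"
    run route replace default via "$LAN_GW" dev eth0
    # OpenVPN's own transport to the cloud node must bypass the tunnel.
    run route replace "$OPENVPN_PUBLIC_IPN" via "$LAN_GW" dev eth0
    # The tun0 link route the OpenVPN client installed; the F5VPN-imposed
    # routeset lost it, which is why "via $OPENVPN_ENDPT_IPN dev tun0" failed.
    run route replace "$OPENVPN_ENDPT_IPN" dev tun0 scope link src "$OPENVPN_SRCPT_IPN"
    run route replace "$OPENVPN_GATEWAY_IPN" via "$OPENVPN_ENDPT_IPN" dev tun0
    # The F5 server is reached through the OpenVPN tunnel (the route that failed).
    run route replace "$F5VPN_PUBLIC_IPN" via "$OPENVPN_ENDPT_IPN" dev tun0 metric 1
    # ppp0 link route, then F5's split default through ppp0.
    run route replace "$F5VPN_GATEWAY_IPN" dev ppp0 scope link src "$F5VPN_ENDPT_IPN"
    run route replace 0.0.0.0/1 via "$F5VPN_ENDPT_IPN" dev ppp0 metric 1
    run route replace 128.0.0.0/1 via "$F5VPN_ENDPT_IPN" dev ppp0 metric 1
}

# Offline re-implementation of the gateway check (not the kernel's code): reads
# "ip route replace ..." lines on stdin and exits 1 at the first "via GW dev DEV"
# whose GW is covered neither by an earlier non-gateway route on DEV nor by an
# earlier "src" address on DEV.
check_order() {
    awk '
    function ip2n(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    function covers(pfx, ip,   q, n, bits, d) {
        n = split(pfx, q, "/"); bits = (n == 2) ? q[2] : 32; d = 2 ^ (32 - bits)
        return int(ip2n(q[1]) / d) == int(ip2n(ip) / d)
    }
    BEGIN { bad = 0 }
    /^ip route replace / {
        dst = $4; gw = ""; dev = ""; src = ""
        for (i = 5; i <= NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
            if ($i == "src") src = $(i + 1)
        }
        if (gw != "") {
            ok = 0
            for (k in seen) { split(k, kp, " "); if (kp[1] == dev && covers(kp[2], gw)) ok = 1 }
            if (!ok) { printf "unreachable gateway %s on %s (route to %s)\n", gw, dev, dst; bad = 1; exit 1 }
        } else {
            seen[dev " " dst] = 1
        }
        if (src != "") seen[dev " " src] = 1
    }
    END { exit bad }'
}

# Stand-alone use: in dry-run mode print the commands once they pass the check;
# with DRY_RUN=0 apply them (both VPN links must already be up).
main() {
    if [ "$DRY_RUN" = 1 ] && ! build_routes | check_order; then
        echo "refusing: this route order would be rejected by the kernel" >&2
        return 1
    fi
    build_routes
}
main
```

The script only adds routes; it assumes the OpenVPN client's own `0.0.0.0/1` and `128.0.0.0/1` routes via `tun0` are already gone, as in the F5VPN-imposed listing. If they are still present with the default metric 0 they take precedence over the `ppp0` routes with metric 1, so delete them first.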