details:
A computational-science project on which I need to work has these requirements:
- I must `ssh` from a Debian laptop through a firewall to a compute cluster, where I do the actual science.
- The cluster's admins require use of an F5VPN to cross the firewall, and maintain the F5VPN server through which I must connect.
- The F5VPN client is entirely {proprietary, blackbox to me, nonconfigurable by me}.
- The admins (now) requires security features which I'm attempting to meet using a cloud node (on which I have root, and which also runs Debian and an OpenVPN server) as a jumpbox.
- Both the F5VPN and OpenVPN clients run on my laptop (on which I am sole root).
My current problem is, I'm not able to set (i.e., `ip route add`) one of the routes I believe I need to make this VPN configuration work, and thus meet my networking requirements. I get to that point via the following sequence:
- using initial routeset: start OpenVPN client, which sets a "OpenVPN routeset"
- using OpenVPN routeset: start F5VPN client, which sets an "F5VPN-imposed routeset"
- delete F5VPN-imposed routeset (alternatively, set a null routeset)
- set "F5VPN-through-OpenVPN routeset"
initial routeset
My laptop's initial routeset (i.e., what `ip route show`s after restarting the laptop when connected to my ISP's modem) is
Code: Select all
0: default via 192.168.1.1 dev eth0 proto static
1: 169.254.0.0/16 dev eth0 scope link metric 1000
2: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
OpenVPN routeset
After I
- start the OpenVPN server process on my cloud node
- start the OpenVPN client process on my laptop
Code: Select all
0: 0.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
1: default via 192.168.1.1 dev eth0 proto static
2: OPENVPN_GATEWAY_IPN via OPENVPN_ENDPT_IPN dev tun0
3: OPENVPN_ENDPT_IPN dev tun0 proto kernel scope link src OPENVPN_SRCPT_IPN
4: 128.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
5: 169.254.0.0/16 dev eth0 scope link metric 1000
6: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
7: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
- have a new link/interface=`tun0`
- am seen by remote sites--e.g., `whatismyip.com`, or the admins' remote-access website (aka `RAW`)--as having a new public IP#==`OPENVPN_PUBLIC_IPN`, which is the cloud node's static IP#, which is on the RAW's whitelist.
- use the following (apparently unchanging) IP#s:
Code: Select all
OPENVPN_GATEWAY_IPN='10.8.0.1'
OPENVPN_ENDPT_IPN= '10.8.0.5'
OPENVPN_SRCPT_IPN= '10.8.0.6'
F5VPN-imposed routeset
To start my F5VPN client, I must
- login to the RAW using a special, F5-ed browser
- use the RAW's web UI to connect to the F5VPN server
Code: Select all
0: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 proto none metric 1
1: default via 192.168.1.1 dev eth0 proto static
2: F5VPN_GATEWAY_IPN dev ppp0 proto kernel scope link src F5VPN_ENDPT_IPN
3: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 proto none metric 1
4: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0 proto none metric 1
Code: Select all
$ ping -c 4 141.101.120.15 # == www.whatismyip.com
PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.
--- 141.101.120.15 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms
$ nslookup www.whatismyip.com
;; connection timed out; no servers could be reached
F5VPN-through-OpenVPN routeset
Code: Select all
0: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
1: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 metric 1
2: default via 192.168.1.1 dev eth0 proto static
3: F5VPN_GATEWAY_IPN dev ppp0 proto kernel scope link src F5VPN_ENDPT_IPN
4: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 metric 1
5: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
6: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0 metric 1
Code: Select all
RTNETLINK answers: Network is unreachable
Code: Select all
$ sudo ip route add ${F5VPN_PUBLIC_IPN} via ${OPENVPN_ENDPT_IPN} dev tun0 metric 1
So ... how to fix this? What am I doing wrong? E.g., I suspect I need another route to make `OPENVPN_ENDPT_IPN` reachable, but I don't know enough about Linux networking to know what that route should be. But perhaps I need Something Completely Different?