problem routing F5VPN over OpenVPN
Posted: Thu Mar 12, 2015 2:32 am
summary: I'm currently unable to tunnel an F5VPN (over which I have no control) through an OpenVPN (over which I have much control). I suspect this is due to a routing problem, but I Could Be Wrong. However, even if my diagnosis is correct, I'm unable to set (i.e., `ip route add`) one of the routes I believe I need: all of the others work, but the last route fails with `Network is unreachable`, at which point I have no networking (i.e., both `ping` and DNS fail) until I stop both the F5VPN and the OpenVPN and restore my original routes and links. How to fix?
details:
A computational-science project on which I need to work has these requirements:
- I must `ssh` from a Debian laptop through a firewall to a compute cluster, where I do the actual science.
- The cluster's admins require use of an F5VPN to cross the firewall, and maintain the F5VPN server through which I must connect.
- The F5VPN client is entirely {proprietary, blackbox to me, nonconfigurable by me}.
- The admins (now) require security features which I'm attempting to meet using a cloud node (on which I have root, and which also runs Debian and an OpenVPN server) as a jumpbox.
- Both the F5VPN and OpenVPN clients run on my laptop (on which I am sole root).
My current problem is, I'm not able to set (i.e., `ip route add`) one of the routes I believe I need to make this VPN configuration work, and thus meet my networking requirements. I get to that point via the following sequence:
- using initial routeset: start OpenVPN client, which sets an "OpenVPN routeset"
- using OpenVPN routeset: start F5VPN client, which sets an "F5VPN-imposed routeset"
- delete F5VPN-imposed routeset (alternatively, set a null routeset)
- set "F5VPN-through-OpenVPN routeset"
initial routeset
My laptop's initial routeset (i.e., what `ip route show`s after restarting the laptop when connected to my ISP's modem) is
```
0: default via 192.168.1.1 dev eth0 proto static
1: 169.254.0.0/16 dev eth0 scope link metric 1000
2: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
```
(I'll parameterize some IP#s for clarity. E.g., in the above, `LOCAL_IPN`==`192.168.1.142`, i.e., the laptop's LAN IP#.) At this point, DNS (and `ping`, etc.) works, and if I browse to (e.g.) `whatismyip.com` I see my modem's IP#==`INITIAL_PUBLIC_IPN`.
OpenVPN routeset
After I
- start the OpenVPN server process on my cloud node
- start the OpenVPN client process on my laptop
```
0: 0.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
1: default via 192.168.1.1 dev eth0 proto static
2: OPENVPN_GATEWAY_IPN via OPENVPN_ENDPT_IPN dev tun0
3: OPENVPN_ENDPT_IPN dev tun0 proto kernel scope link src OPENVPN_SRCPT_IPN
4: 128.0.0.0/1 via OPENVPN_ENDPT_IPN dev tun0
5: 169.254.0.0/16 dev eth0 scope link metric 1000
6: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
7: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
```
At this point, I also
- have a new link/interface=`tun0`
- am seen by remote sites--e.g., `whatismyip.com`, or the admins' remote-access website (aka `RAW`)--as having a new public IP#==`OPENVPN_PUBLIC_IPN`, which is the cloud node's static IP#, which is on the RAW's whitelist.
- use the following (apparently unchanging) IP#s:
```
OPENVPN_GATEWAY_IPN='10.8.0.1'
OPENVPN_ENDPT_IPN='10.8.0.5'
OPENVPN_SRCPT_IPN='10.8.0.6'
```
At this point, the OpenVPN tunnel is set up, and networking life is good: all normal services still work, notably `ping`, DNS, and HTTP. But now I need to run the F5VPN through the OpenVPN.
F5VPN-imposed routeset
To start my F5VPN client, I must
- log in to the RAW using a special, F5-ed browser
- use the RAW's web UI to connect to the F5VPN server
```
0: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 proto none metric 1
1: default via 192.168.1.1 dev eth0 proto static
2: F5VPN_GATEWAY_IPN dev ppp0 proto kernel scope link src F5VPN_ENDPT_IPN
3: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 proto none metric 1
4: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0 proto none metric 1
```
(`F5VPN_GATEWAY_IPN`, `F5VPN_ENDPT_IPN`, and `F5VPN_PUBLIC_IPN` all seem to change with each F5VPN use/connection.) At this point I also have a new link/interface=`ppp0`. However, at this point I cannot either `ping` or DNS: e.g.,
```
$ ping -c 4 141.101.120.15 # == www.whatismyip.com
PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.
--- 141.101.120.15 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms
$ nslookup www.whatismyip.com
;; connection timed out; no servers could be reached
```
So it seems the F5VPN-imposed routes will not work with the OpenVPN, probably because the F5VPN knows nothing about the OpenVPN. Hence I first deleted (with this code) all of the F5VPN-imposed routeset, then tried to set the following routes (using this code):
F5VPN-through-OpenVPN routeset
```
0: 192.168.1.0/24 dev eth0 proto kernel scope link src LOCAL_IPN
1: 0.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 metric 1
2: default via 192.168.1.1 dev eth0 proto static
3: F5VPN_GATEWAY_IPN dev ppp0 proto kernel scope link src F5VPN_ENDPT_IPN
4: 128.0.0.0/1 via F5VPN_ENDPT_IPN dev ppp0 metric 1
5: OPENVPN_PUBLIC_IPN via 192.168.1.1 dev eth0
6: F5VPN_PUBLIC_IPN via OPENVPN_ENDPT_IPN dev tun0 metric 1
```
I can `ip route add` all of the above ... except the last route (i.e., route#=6), which gets the response
```
RTNETLINK answers: Network is unreachable
```
This appears to be a real failure, in that if I subsequently (i.e., immediately after running the above script) do
```
$ sudo ip route add ${F5VPN_PUBLIC_IPN} via ${OPENVPN_ENDPT_IPN} dev tun0 metric 1
```
from the command line, I get the same failure. And, just to be clear, at this point my networking is just as broken as before: both `ping` and DNS fail until I disconnect from the F5VPN, stop the OpenVPN, and restore my initial routeset and linkset.
So ... how to fix this? What am I doing wrong? E.g., I suspect I need another route to make `OPENVPN_ENDPT_IPN` reachable, but I don't know enough about Linux networking to know what that route should be. But perhaps I need Something Completely Different?
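An added example (not code from the post above) that reproduces the kernel check behind that `Network is unreachable` answer and runs it against the post's own routesets. When `ip route add PREFIX via GW dev DEV` is processed, the kernel resolves GW with a lookup restricted to DEV that considers only directly connected routes (entries without `via`) and DEV's own addresses; if nothing matches, the add is refused with ENETUNREACH, which `ip` reports as `RTNETLINK answers: Network is unreachable`. The `onlink` flag of `ip route add` tells the kernel to skip that lookup. The post's `OPENVPN_*` addresses and `LOCAL_IPN` are used as given; `OPENVPN_PUBLIC_IPN` and the `F5VPN_*` addresses are not on the page, so the script substitutes constructed placeholders from the RFC 5737 documentation ranges. Run as a script, it reports that route #6 is accepted against the OpenVPN routeset (whose route #3 is the link route covering `OPENVPN_ENDPT_IPN` on `tun0`), refused against the F5VPN-through-OpenVPN routeset, which carries no `tun0` route at all, and accepted again once that link route is present alongside it.

```python
"""Predict whether `ip route add PREFIX via GW dev DEV` will be accepted.

Added example, not code from the original post. The kernel resolves GW with
a lookup restricted to DEV that only considers directly connected routes
(no `via`) and the device's own addresses; no match means ENETUNREACH,
printed by `ip` as "RTNETLINK answers: Network is unreachable". The
`onlink` flag skips the lookup. Tables are text copied from `ip route show`.
"""
import ipaddress
import re

# Addresses the post states.
OPENVPN_GATEWAY_IPN = "10.8.0.1"
OPENVPN_ENDPT_IPN = "10.8.0.5"
OPENVPN_SRCPT_IPN = "10.8.0.6"
LOCAL_IPN = "192.168.1.142"
# Addresses the post parameterises without giving: constructed placeholders
# from the RFC 5737 documentation ranges, used only for this example.
OPENVPN_PUBLIC_IPN = "203.0.113.10"
F5VPN_GATEWAY_IPN = "192.0.2.1"
F5VPN_ENDPT_IPN = "192.0.2.2"
F5VPN_PUBLIC_IPN = "198.51.100.7"

# The post's "OpenVPN routeset" with the placeholders substituted.
OPENVPN_ROUTESET = f"""
0: 0.0.0.0/1 via {OPENVPN_ENDPT_IPN} dev tun0
1: default via 192.168.1.1 dev eth0 proto static
2: {OPENVPN_GATEWAY_IPN} via {OPENVPN_ENDPT_IPN} dev tun0
3: {OPENVPN_ENDPT_IPN} dev tun0 proto kernel scope link src {OPENVPN_SRCPT_IPN}
4: 128.0.0.0/1 via {OPENVPN_ENDPT_IPN} dev tun0
5: 169.254.0.0/16 dev eth0 scope link metric 1000
6: {OPENVPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
7: 192.168.1.0/24 dev eth0 proto kernel scope link src {LOCAL_IPN}
"""

# The post's "F5VPN-through-OpenVPN routeset", routes #0-#5 (the ones that
# were accepted); route #6 is the add that failed.
F5_THROUGH_OPENVPN_ROUTESET = f"""
0: 192.168.1.0/24 dev eth0 proto kernel scope link src {LOCAL_IPN}
1: 0.0.0.0/1 via {F5VPN_ENDPT_IPN} dev ppp0 metric 1
2: default via 192.168.1.1 dev eth0 proto static
3: {F5VPN_GATEWAY_IPN} dev ppp0 proto kernel scope link src {F5VPN_ENDPT_IPN}
4: 128.0.0.0/1 via {F5VPN_ENDPT_IPN} dev ppp0 metric 1
5: {OPENVPN_PUBLIC_IPN} via 192.168.1.1 dev eth0
"""

# Route #3 of the OpenVPN routeset, which the final routeset lacks.
TUN0_LINK_ROUTE = (f"{OPENVPN_ENDPT_IPN} dev tun0 proto kernel scope link "
                   f"src {OPENVPN_SRCPT_IPN}\n")


def parse_routes(table):
    """Turn `ip route show` lines (optionally numbered "N: ...") into dicts."""
    routes = []
    for raw in table.strip().splitlines():
        toks = re.sub(r"^\d+:\s*", "", raw.strip()).split()
        if not toks:
            continue
        dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "src": None}
        for key in ("via", "dev", "src"):
            if key in toks:
                val = toks[toks.index(key) + 1]
                route[key] = val if key == "dev" else ipaddress.ip_address(val)
        routes.append(route)
    return routes


def local_addresses(routes, dev):
    """Approximate the kernel's local table for DEV from the `src` hints on
    its directly connected routes (roughly what `ip -4 addr show DEV` lists)."""
    return {r["src"] for r in routes
            if r["dev"] == dev and r["via"] is None and r["src"] is not None}


def resolve_gateway(routes, gw, dev):
    """The kernel's next-hop lookup: longest prefix among routes on DEV that
    are directly connected (no `via`), plus DEV's own addresses."""
    if gw in local_addresses(routes, dev):
        return ipaddress.ip_network(str(gw))  # RTN_LOCAL hit
    hits = [r["dst"] for r in routes
            if r["dev"] == dev and r["via"] is None and gw in r["dst"]]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def check_route_add(table, prefix, gw, dev, onlink=False):
    """Return (accepted, reason) for `ip route add PREFIX via GW dev DEV`."""
    ipaddress.ip_network(prefix, strict=False)  # validates PREFIX syntax only
    routes = parse_routes(table)
    gw = ipaddress.ip_address(gw)
    if onlink:
        return True, "ok: onlink set, gateway lookup skipped"
    hit = resolve_gateway(routes, gw, dev)
    if hit is None:
        return False, "RTNETLINK answers: Network is unreachable"
    return True, f"ok: {gw} reachable via direct route {hit} on {dev}"


if __name__ == "__main__":
    add = (F5VPN_PUBLIC_IPN, OPENVPN_ENDPT_IPN, "tun0")
    for name, table in [
            ("OpenVPN routeset", OPENVPN_ROUTESET),
            ("F5VPN-through-OpenVPN routeset", F5_THROUGH_OPENVPN_ROUTESET),
            ("... plus tun0 link route", F5_THROUGH_OPENVPN_ROUTESET + TUN0_LINK_ROUTE)]:
        print(f"{name}: {check_route_add(table, *add)[1]}")
```

Two limits of the model are worth keeping in mind: the local table is approximated from `src` hints, so pass the routeset as `ip route show` lists it rather than one route at a time, and the check only predicts whether the kernel accepts the add, not whether the resulting table will actually carry traffic through both tunnels. On a live system, `ip route get GW oif DEV` performs the same lookup and is the quick way to confirm the diagnosis before changing anything.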