Arch Linux VPN + L2TP: connection established internet works but no access to internal network

Solution 1:

I want to direct traffic to aaa,bbb,ccc thru the VPN, how do that?

I'm assuming that these are local addresses (as you claim in the title), for example 192.168.0.2. Packets to that address don't go through the tunnel interface because you have a more specific route than the default route, pointing to wlp2s0:

192.168.0.1     0.0.0.0         255.255.255.255 UH    600    0        0 wlp2s0

With static routing, more specific routes always 'win'. To solve this you can do the following:

  1. Delete the current route using ip route delete 192.168.0.1
  2. Add a new route to that prefix (which addresses the aaa,bbb,ccc hosts) with the interface (dev) pointing to the tunnel interface. For example: ip route add 192.168.0.1/24 via $IP_OF_TUNNELGATEWAY dev ppp0

Solution 2:

Finally, I solved my problem. It's a long story. The root cause was a wrong DNS configuration; as a result, internal (behind the VPN server) addresses couldn't be resolved properly. My assumption about why it happened is the following. Every time I connect to the VPN, the following chain of events happens:

  1. -> networkmanager
     -> strongswan ppp0
     -> dhclient ppp0 (172.16.203.173, 192.0.2.1, dns1=x.y.z.11, dns2=x.y.z.12) -> resolvconf

     ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3 link/ppp inet 172.16.203.173 peer 192.0.2.1/32 scope global ppp0 valid_lft forever preferred_lft forever

     -> dns1=x.y.z.11, dns2=x.y.z.12 to /etc/resolv.conf

DNS addresses were taken from the VPN connection configuration (see screenshot above).

  2. A new route default via ppp0 metric 500 was added to the routing table. Its priority is lower than that of the default enp3s0 route (0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp3s0); as a result, no traffic flows through ppp0. First issue.

  3. /etc/resolv.conf, which contains dns1 and dns2, is overwritten by NetworkManager at some point with Google's default DNS 8.8.8.8 and 8.8.4.4. Second issue.

To fix the second issue I installed dnsmasq, which serves as a proxy and handles DNS by itself. I had to uninstall openresolv and netctl (pacman -R openresolv netctl), which had changed /etc/resolv.conf; now it contains only the address of dnsmasq:

# Generated by NetworkManager
search internal.mycompany.com
nameserver 127.0.0.1
options edns0 trust-ad

To tell NetworkManager to use dnsmasq, I also added these lines to /etc/NetworkManager/conf.d/dns.conf:

[main]
dns=dnsmasq

To fix the first issue, in NetworkManager I added a more specific route that has higher priority than the default enp3s0 route:

10.Y.X.Z    192.0.2.1       255.255.255.255 UGH   500    0        0 ppp0

That's it. All traffic to internal resources flows through the VPN; the rest flows as before.

Also, I prevented any overwriting of /etc/resolv.conf:

chattr +i /etc/resolv.conf (to protect the file from writes)

chattr -i /etc/resolv.conf (to unprotect, the default mode) - to roll back

Hope it will be helpful for somebody.
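Both answers rest on the same rule of Linux static routing: the most specific prefix wins, and only among equally specific routes does the lower metric win. The Python below is an added example, not code from either answer, that simulates that lookup over route -n style tables. The tables are constructed: Solution 1's table contains the 192.168.0.1 host route quoted in that answer plus two assumed default routes (wlp2s0 at metric 600, ppp0 at metric 500); Solution 2's table contains the enp3s0 default route at metric 100 and the ppp0 default at metric 500 quoted there, and 10.0.0.10 stands in for the answer's 10.Y.X.Z. The /24 added for Solution 1 is written as 192.168.0.0/24, the prefix covering the example hosts.

```python
"""Simulate Linux static route selection (longest prefix first, then lowest
metric) over `route -n` style tables. Added example; the tables are
constructed from the routes quoted in the answers plus assumed defaults."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network    # destination prefix; 0.0.0.0/0 is the default route
    dev: str                       # outgoing interface
    metric: int                    # among equally specific routes, lower metric wins
    gateway: Optional[str] = None  # None for directly connected / point-to-point routes


def parse_route_n(line: str) -> Route:
    """Parse one `route -n` line: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return Route(net, iface, int(metric), None if gw == "0.0.0.0" else gw)


def load_table(text: str) -> List[Route]:
    return [parse_route_n(line) for line in text.strip().splitlines()]


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style lookup: most specific prefix wins; ties broken by lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.dest]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.dest.prefixlen, r.metric))


def route_delete(table: List[Route], dest: str) -> List[Route]:
    """Equivalent of `ip route delete <dest>` (a bare host address means a /32)."""
    net = ipaddress.IPv4Network(dest, strict=False)
    return [r for r in table if r.dest != net]


def route_add(table: List[Route], dest: str, dev: str, metric: int,
              via: Optional[str] = None) -> List[Route]:
    """Equivalent of `ip route add <dest> [via <gw>] dev <dev> metric <n>`."""
    net = ipaddress.IPv4Network(dest, strict=False)
    return table + [Route(net, dev, metric, via)]


# Solution 1 (constructed): only the 192.168.0.1 host route is quoted in the
# answer; the two default routes are assumed.
SOLUTION1_TABLE = """
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp2s0
0.0.0.0         0.0.0.0         0.0.0.0         U     500    0        0 ppp0
192.168.0.1     0.0.0.0         255.255.255.255 UH    600    0        0 wlp2s0
"""
TUNNEL_GATEWAY = "192.0.2.1"  # stands in for the answer's $IP_OF_TUNNELGATEWAY


def solution1_before_and_after(dst: str = "192.168.0.1"):
    """Interface chosen for dst before and after applying Solution 1's two steps."""
    table = load_table(SOLUTION1_TABLE)
    before = select_route(table, dst).dev  # /32 on wlp2s0 beats both /0 routes
    table = route_delete(table, "192.168.0.1")
    table = route_add(table, "192.168.0.0/24", dev="ppp0", metric=500, via=TUNNEL_GATEWAY)
    after = select_route(table, dst).dev   # /24 via ppp0 now beats the /0 routes
    return before, after


# Solution 2 (constructed from the two default routes quoted in the answer).
SOLUTION2_TABLE = """
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp3s0
0.0.0.0         0.0.0.0         0.0.0.0         U     500    0        0 ppp0
"""
INTERNAL_HOST = "10.0.0.10"  # constructed stand-in for the answer's 10.Y.X.Z


def solution2_before_and_after(dst: str = INTERNAL_HOST):
    """Interface chosen for an internal host before and after adding the /32 via ppp0."""
    table = load_table(SOLUTION2_TABLE)
    before = select_route(table, dst).dev  # both routes are /0: metric 100 (enp3s0) wins
    table = route_add(table, dst + "/32", dev="ppp0", metric=500, via="192.0.2.1")
    after = select_route(table, dst).dev   # /32 beats /0 even at the worse metric 500
    return before, after


if __name__ == "__main__":
    print("Solution 1, 192.168.0.1 before/after:", solution1_before_and_after())
    print("Solution 2, %s before/after:" % INTERNAL_HOST, solution2_before_and_after())
    print("Solution 2, 8.8.8.8 still via:", select_route(load_table(SOLUTION2_TABLE), "8.8.8.8").dev)
```

The last line of the main block shows the property Solution 2 relies on: after adding the host route, only the internal address moves to ppp0, while an unrelated destination keeps following the lower-metric enp3s0 default.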