Is it possible to have 2 different VPN connections simultaneously on the same machine? Maybe on different network interfaces?
I am setting up a new cluster in my new workplace, and I am still administering another cluster in my last workplace. Basically I am "copying" the configuration of the first one to set up the new one.
Now I am at home, and I would like to use both VPN connections simultaneously instead of one after the other, to access both clusters at the same time. In my opinion this is not possible, but maybe someone has an idea?
One VPN connection uses OpenVPN and the second uses the Cisco VPN client. Or maybe it is possible to play with route rules to obtain that? I am not very experienced in networking.
I am trying to use route -n to try to re-define the rules for the different sub-interfaces. Here is what I get when no VPN is active:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
Now if I switch on the Cisco VPN (VPN1):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
If I switch on the OpenVPN (VPN2):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     192.168.2.17    255.255.255.0   UG    0      0        0 tun0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
zzz.zzz.zz.zz   10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
And now if I switch on both (first VPN2 and then VPN1):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
Ideally, all the requests for xxx.xxx.xxx.0 should go as when only VPN1 is active (cscotun0), all the requests for 192.168.2.0 should go through 192.168.2.17 (tun0), and the others through eth0 ...
I am not used to routing, and would appreciate any help.
EDIT:
Inspired by the answers I am trying to play with the route command to try to correctly set up my config.
To be more clear, I have edited the above route tables to reflect the result of the route -n command, which is more informative. I have also modified my home router so that I have 10.1.0.0 nm 255.255.255.0 IP addresses at home.
If I understand well, when only VPN2 (tun0) is active, it uses the default gateway of my home (10.1.0.1) and defines a few new routes; tell me if I understand wrong:
192.168.1.0 192.168.2.17 -> this says "everything for the 192.162.1.0 network (VPN2 network) passes through the official gateway 192.168.2.17"
192.168.2.17 0.0.0.0 -> this says "everything for host 192.168.2.17 goes to the default gateway (0.0.0.0)", which is currently pointing to my home router
zzz.zzz.zz.zz 10.1.0.1 -> this says "everything for zzz.zzz.zz.zz passes through my home router (10.1.0.1)"
When I switch on VPN1 alone, it overrides the default gateway with its own (xxx.xxx.xxx.53) and everything is redirected to it. This is also why I can't see my home network, btw (if I am right).
Now, I see that when I switch both VPNs on, the default gateway is redirected to the one of VPN1 (xxx.xxx.xxx.53), and what I am asking is: how can I set up rules so that:
- everything for 198.162.1.0 goes through 198.162.2.17
- things for 198.162.2.17 pass through 10.1.0.1
- things for xxx.xxx.xxx.0 pass through xxx.xxx.xxx.117
- things for 10.1.0.0 pass to 10.1.0.1
I have tried to play with route add and route del, but I am more or less trying to do things by trial and error, and I would rather understand what I am supposed to do, and whether the rules I want to apply here are correct or basically stupid...
EDIT 2: Following the suggestion of MariusMatutiae, I append here the result of ifconfig when both VPNs are on:
cscotun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:xxx.xxx.xxx.117  P-t-P:xxx.xxx.xxx.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1380  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:4007 (4.0 KB)  TX bytes:3789 (3.7 KB)

eth0      Link encap:Ethernet  HWaddr 00:21:cc:6b:3e:ae
          inet addr:10.1.0.226  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: fe80::221:ccff:fe6b:3eae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14287030 (14.2 MB)  TX bytes:5521200 (5.5 MB)
          Interrupt:20 Memory:f3a00000-f3a20000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9928 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9928 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4962141 (4.9 MB)  TX bytes:4962141 (4.9 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.2.18  P-t-P:192.168.2.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:103523 (103.5 KB)  TX bytes:56000 (56.0 KB)
EDIT 3:
Description of what does not work: after I switch both VPNs on, I cannot reach VPN tun0; and if I try to ping something outside xxx.xxx.xxx.0 I get ping: sendmsg: Operation not permitted.
Ideally, I would like to access both VPNs (if the DNS for the VPN nets does not work I can manage with direct IPs, not a problem) and ideally access my local LAN too...
Unfortunately I am not enough of an iptables expert to understand how I am supposed to do this.
Thanks in advance
You can certainly use several VPNs simultaneously. The major issue in arranging this is making sure the routing table is correct, because all VPNs will try to alter it without assuming there are more VPNs doing the same thing.
Your scenario is very simple, because you are basically using VPNs to access remote LANs, not to redirect all of your traffic. The latter configuration would have required a more complex setup, but in your case we can get away with much less work.
A precondition for this to work is that all subnets are different: your home's, and your two workplaces'.
Supposing you have arranged this already, then you must make sure that your client configuration file for OpenVPN does not contain the following statement:
redirect-gateway def1
and that the server configuration file does not contain the following statement:
push "redirect-gateway def1 bypass-dhcp"
Since you are only interested in working with two VPNs, this already solves your problem, because, even if the other VPN grabs the default route, there will be a single default route in your routing table, and you are done.
However, Cisco VPN does not, by default, grab the default route. So you should be OK. To check, make sure that the output of route -n contains a couple of lines like the following,
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.73.1    0.0.0.0         UG    0      0        0 eth0
where 192.168.73.1 is your home default router (change as needed, if your router is not 192.168.73.1).
This problem would have been a whole lot more fun if you had wanted to redirect all traffic through both VPNs simultaneously (yes, it can be done).
Edit:
You may also surely use OpenVPN on different network interfaces, if you care to. As an example, you may bring up a virtual interface based on your ethernet card as follows,
ip link add link eth0 mac0 address 56:61:4f:7c:77:db type macvlan
ip link set mac0 up
dhclient mac0
and now check the IP address of the virtual interface mac0 with
ip addr show
Then, in your openvpn client config file, you may introduce the statement
local IP_address_of_mac0
and when you connect to your OpenVPN server, the connection will have bound only to the interface mac0. Then, to access the remote LAN, you need to remember to bind all applications to the same interface mac0, and to its IP address. For instance, to access a pc via ssh this way, you will have to say:
ssh -b IP_address_of_mac0 user@remote_LAN_pc
and so on. For ping, you should use (the capital -I selects the source interface or address; lowercase -i is the packet interval)
ping -I IP_address_of_mac0 remote_LAN_pc
It is entirely possible to run multiple VPNs simultaneously.
I see a couple of issues with your setup:
Depending on what you are trying to do, you should make sure the VPN server does not publish (or you ignore, or use a lower metric for the correct) default route. Otherwise you have VPNs trying to route through each other and breaking. Of course, this implies that you are using VPNs only to reach specific networks/routes.
The second issue you may have (note the duplicate 192.168.1.0 networks with netmask 255.255.255.0) appears to be that both the networks you are trying to reach are at 192.168.1.x. This is a problem as the kernel does not know which one you are referring to. The correct solution is to renumber one of the networks so it is in a different network block. (There may be horrible, horrible, horrible hacks you can do with iptables and hosts files and other tricks to emulate this on your system, but it's highly specialist, fragile and not recommended.)
BTW, when producing route tables, it's generally better to use the "-n" switch so they show IPs rather than trying to resolve machine names - machine names mean nothing to us !!!
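The two checks the answers ask for can be automated: the first answer wants exactly one default route, still pointing at the home router, and the second wants no destination network that appears on two tunnel interfaces. The script below is an added example written for this page, not code from either answer. It parses the text format of route -n used throughout the question. The two routing tables embedded in it are constructed: the first is modelled on the question's "both VPNs up" table, with 203.0.113.0/24 standing in for the redacted xxx.xxx.xxx.0 and 192.0.2.22 for 192.yy.yy.22; the second shows the duplicate-192.168.1.0 situation the second answer describes. The home gateway 10.1.0.1 is the one from the question.

```python
"""Audit a Linux routing table for the two multi-VPN failure modes discussed above:
a default route hijacked by a VPN tunnel, and overlapping destination networks
on different interfaces. Added example; parses the text format of `route -n`."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Constructed sample, modelled on the question's table with both VPNs up.
# 203.0.113.0/24 and 192.0.2.22 are documentation-range stand-ins for the
# redacted Cisco subnet and VPN1 server address.
BOTH_VPNS_UP = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.117   0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.0.2.22      10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""

# Constructed sample for the second answer's point: both remote LANs are
# numbered 192.168.1.0/24, each pushed onto its own tunnel interface.
DUPLICATE_LANS = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.1.0     192.168.2.17    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    metric: int
    iface: str

    @property
    def is_default(self) -> bool:
        return self.dest.prefixlen == 0  # 0.0.0.0/0.0.0.0

    @property
    def is_host(self) -> bool:
        return self.dest.prefixlen == 32  # the /32 pins to the VPN endpoints


def parse_route_n(text: str) -> list[Route]:
    """Turn `route -n` output into Route objects, skipping banner and header."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append(Route(
            dest=ipaddress.IPv4Network((dest, mask), strict=False),
            gateway=ipaddress.IPv4Address(gw),
            flags=flags, metric=int(metric), iface=iface))
    return routes


def check_default_routes(routes: list[Route], home_gateway: str) -> list[str]:
    """First answer's check: one default route, and it is the home router."""
    problems = []
    defaults = [r for r in routes if r.is_default]
    if len(defaults) != 1:
        problems.append(f"{len(defaults)} default routes present, expected exactly 1")
    home = ipaddress.IPv4Address(home_gateway)
    for r in defaults:
        if r.gateway != home:
            problems.append(f"default route points at {r.gateway} via {r.iface}, "
                            f"not the home router {home_gateway}: a VPN grabbed it")
    return problems


def check_overlaps(routes: list[Route]) -> list[str]:
    """Second answer's check: the same (or a nested) network on two interfaces.
    Host routes are skipped; they legitimately sit inside other prefixes."""
    problems = []
    nets = [r for r in routes if not r.is_default and not r.is_host]
    for a, b in combinations(nets, 2):
        if a.iface == b.iface:
            continue
        if a.dest == b.dest:
            problems.append(f"{a.dest} via {a.iface} and {b.iface}: identical "
                            "destinations, the kernel cannot tell the two LANs apart")
        elif a.dest.overlaps(b.dest):
            inner, outer = sorted((a, b), key=lambda r: r.dest.prefixlen, reverse=True)
            problems.append(f"{inner.dest} via {inner.iface} shadows part of "
                            f"{outer.dest} via {outer.iface} (longest prefix wins)")
    return problems


def audit(text: str, home_gateway: str) -> list[str]:
    routes = parse_route_n(text)
    return check_default_routes(routes, home_gateway) + check_overlaps(routes)


if __name__ == "__main__":
    for name, table in (("both VPNs up", BOTH_VPNS_UP), ("duplicate LANs", DUPLICATE_LANS)):
        print(f"== {name} ==")
        for problem in audit(table, "10.1.0.1") or ["no problems found"]:
            print(" -", problem)
```

On a live machine, feed it `subprocess.check_output(["route", "-n"], text=True)` in place of the constructed tables. The host-route exclusion matters: the 192.168.2.17/32 entry OpenVPN adds for its endpoint is normal and must not be reported as an overlap.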