Is it possible to have 2 different VPN connections simultaneously on the same machine? Maybe on different network interfaces?

I am setting up a new cluster at my new workplace, and I am still administering another cluster at my last workplace. Basically I am "copying" the configuration of the first one to set up the new one.

Now I am at home, and I would like to use both VPN connections simultaneously, instead of one after the other, to access both clusters at the same time. In my opinion this is not possible, but maybe someone has an idea?

One VPN connection uses OpenVPN and the second uses the Cisco VPN client. Or maybe it is possible to play with route rules to obtain that? I am not very experienced in networking.

I am trying to use route -n to re-define the rules for the different sub-interfaces. Here is what I get when no VPN is active:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0

Now if I switch on the Cisco VPN (VPN1):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0

If I switch on the OpenVPN (VPN2):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.0.1        0.0.0.0         UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     192.168.2.17    255.255.255.0   UG    0      0        0 tun0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
zzz.zzz.zz.zz   10.1.0.1        255.255.255.255 UGH   0      0        0 eth0

And now if I switch on both (first VPN2 and then VPN1):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         xxx.xxx.xxx.117 0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
xxx.xxx.xxx.0   0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.yy.yy.22    10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0

Ideally, all the requests for xxx.xxx.xxx.0 should go as when only VPN1 is active (cscotun0), all the requests for 192.168.2.0 should go through 192.168.2.17 (tun0), and the rest through eth0 ...

I am not used to routing, and would appreciate any help.

EDIT: Inspired by the answers, I am trying to play with the route command to set up my config correctly.

To be clearer, I have edited the above route tables to reflect the result of the route -n command, which is more informative. I have also modified my home router so that I have 10.1.0.0 netmask 255.255.255.0 IP addresses at home.

If I understand well, when only VPN2 (tun0) is active, it uses the default gateway of my home (10.1.0.1) and defines a few new routes; tell me if I have understood wrongly:

192.168.1.0   192.168.2.17 -> this says "everything for the 192.168.1.0 network (VPN2 network) passes through the official gateway 192.168.2.17"
192.168.2.17  0.0.0.0 -> this says "everything for host 192.168.2.17 goes to the default gateway (0.0.0.0)", which is currently pointing to my home router
zzz.zzz.zz.zz 10.1.0.1 -> this says "everything for zzz.zzz.zz.zz passes through my home router (10.1.0.1)"

When I switch on VPN1 alone, it overrides the default gateway with its own (xxx.xxx.xxx.53) and everything is redirected to this. This is also why I can't see my home network, btw (if I am right).

Now, I see that when I switch both VPNs on, the default gateway is redirected to the one of VPN1 (xxx.xxx.xxx.53), and what I am asking is: how can I set up rules so that:

  • everything for 192.168.1.0 goes through 192.168.2.17
  • things for 192.168.2.17 pass through 10.1.0.1
  • things for xxx.xxx.xxx.0 pass through xxx.xxx.xxx.117
  • things for 10.1.0.0 pass to 10.1.0.1

I have tried to play with route add and route del, but I am more or less doing things by trial and error, and I would rather understand what I am supposed to do, and whether the rules I want to apply right here are correct or basically stupid...

EDIT 2: Following the suggestion of MariusMatutiae, I append here the result of ifconfig when both VPNs are on:

cscotun0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:xxx.xxx.xxx.117  P-t-P:xxx.xxx.xxx.117  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1380  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4007 (4.0 KB)  TX bytes:3789 (3.7 KB)

eth0      Link encap:Ethernet  HWaddr 00:21:cc:6b:3e:ae  
          inet addr:10.1.0.226  Bcast:10.1.0.255  Mask:255.255.255.0
          inet6 addr: fe80::221:ccff:fe6b:3eae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14287030 (14.2 MB)  TX bytes:5521200 (5.5 MB)
          Interrupt:20 Memory:f3a00000-f3a20000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9928 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9928 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4962141 (4.9 MB)  TX bytes:4962141 (4.9 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.2.18  P-t-P:192.168.2.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:764 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:103523 (103.5 KB)  TX bytes:56000 (56.0 KB)

EDIT 3:

Description of what does not work: after I switch both VPNs on, I cannot reach VPN tun0; and if I try to ping something outside xxx.xxx.xxx.0 I get ping: sendmsg: Operation not permitted.

Ideally, I would like to access both VPNs (if the DNS for the VPN nets does not work I can manage with direct IPs, not a problem) and ideally access my local LAN too...

Unfortunately I am not enough of an iptables expert to understand what I am supposed to do.

Thanks in advance


You can certainly use several VPNs simultaneously. The major issue in arranging this is making sure the routing table is correct, because all VPNs will try to alter it without assuming there are more VPNs doing the same thing.

Your scenario is very simple, because you are basically using VPNs to access remote LANs, not to redirect all of your traffic. The latter configuration would have required a more complex setup, but in your case we can get away with much less work.

A precondition for this to work is that all subnets are different: your home's, and your two workplaces'.

Supposing you have arranged this already, you must then make sure that your client configuration file for OpenVPN does not contain the following statement

    redirect-gateway def1

and that the server configuration file does not contain the following statement:

    push "redirect-gateway def1 bypass-dhcp"

Since you are only interested in working with two VPNs, this already solves your problem, because, even if the other VPN grabs the default route, there will be a single default route in your routing table, and you are done.

However, the Cisco VPN does not, by default, grab the default route. So you should be OK. To check, make sure that the output of route -n contains a couple of lines like the following,

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.73.1    0.0.0.0         UG    0      0        0 eth0

where 192.168.73.1 is your home default router (change as needed, if your router is not 192.168.73.1).

This problem would have been a whole lot more fun if you had wanted to redirect all traffic through both VPNs simultaneously (yes, it can be done).

Edit:

You may also surely use OpenVPN on different network interfaces, if you care to. As an example, you may bring up a virtual interface based on your ethernet card as follows,

    ip link add link eth0 mac0 address 56:61:4f:7c:77:db type macvlan
    ip link set mac0 up
    dhclient mac0

and now check the IP address of the virtual interface mac0 with

    ip addr show

Then, in your OpenVPN client config file, you may introduce the statement

    local IP_address_of_mac0

and when you connect to your OpenVPN server, the connection will be bound only to the interface mac0. Then, to access the remote LAN, you need to remember to bind all applications to the same interface mac0, and to its IP address. For instance, to access a PC via ssh this way, you will have to say:

    ssh -b IP_address_of_mac0 user@remote_LAN_pc

and so on. For ping, you should use

    ping -I IP_address_of_mac0 remote_LAN_pc

It is entirely possible to run multiple VPNs simultaneously.

I see a couple of issues with your setup:

Depending on what you are trying to do, you should make sure the VPN server does not publish (or you ignore, or use a lower metric for the correct one) the default route. Otherwise you have VPNs trying to route through each other and breaking. Of course, this implies that you are using the VPNs only to reach specific networks/routes.

The second issue you may have (note the duplicate 192.168.1.0 networks with netmask 255.255.255.0) appears to be that both the networks you are trying to reach are at 192.168.1.x. This is a problem, as the kernel does not know which one you are referring to. The correct solution is to renumber one of the networks so it is in a different network block. (There may be horrible, horrible, horrible hacks you can do with iptables and hosts files and other tricks to emulate this on your system, but it's highly specialised, fragile and not recommended.)

BTW, when producing route tables, it's generally better to use the "-n" switch so they show IPs rather than trying to resolve machine names - machine names mean nothing to us!!!
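Both answers come down to two checks on the routing table: there must be exactly one default route, and it must not have been taken by a tunnel interface; and no two routes may claim the same destination network via different interfaces. The following Python example was added by the editor of this page and is not code from either answer or from the asker. It parses `route -n` output in the format posted above, runs those two checks, and emits (but does not execute) the `ip route` commands that would pin the asker's remote subnets to their tunnels while leaving the default route on eth0. The sample table is constructed from the question's "both VPNs on" output, with the redacted xxx.xxx.xxx.0, xxx.xxx.xxx.117 and 192.yy.yy.22 values replaced by RFC 5737 documentation addresses (203.0.113.0/24, 203.0.113.117, 198.51.100.22); those substitutions are assumptions, not values from the page. The second sample adds the duplicate 192.168.1.0/24 case the second answer warns about.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the question's "both VPNs on" route -n table. The redacted
# xxx.xxx.xxx.* and 192.yy.yy.22 values are replaced here with RFC 5737
# documentation addresses; that substitution is an assumption, not page data.
ROUTE_N_BOTH = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.117   0.0.0.0         UG    0      0        0 cscotun0
10.1.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
198.51.100.22   10.1.0.1        255.255.255.255 UGH   0      0        0 eth0
192.168.2.17    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
"""

# Constructed: the clash the second answer describes, where both remote LANs
# are numbered 192.168.1.0/24 and each VPN pushes a route for it.
ROUTE_N_CLASH = ROUTE_N_BOTH + """\
192.168.1.0     192.168.2.17    255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 cscotun0
"""

# What the asker wants pinned: old-workplace LAN via OpenVPN (tun0, next hop
# 192.168.2.17), new-workplace subnet via the Cisco tunnel (point-to-point, no
# next hop). 203.0.113.0/24 stands in for the redacted xxx.xxx.xxx.0 (assumption).
PINS = [
    ("192.168.1.0/24", "tun0", "192.168.2.17"),
    ("203.0.113.0/24", "cscotun0", None),
]


def parse_route_n(text):
    """Parse `route -n` output into dicts; Destination/Genmask become one network."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # banner, column header, blank or malformed line
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gw,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 entries. More than one, or one on a tunnel device, is the
    'VPN grabbed the default route' problem the first answer describes."""
    return [r for r in routes if r["net"].prefixlen == 0]


def overlapping_destinations(routes):
    """Pairs of non-default routes whose destinations overlap but exit via
    different interfaces. The kernel selects by longest prefix, then metric,
    so two identical /24s on two tunnels is exactly the ambiguity to renumber away."""
    specific = [r for r in routes if r["net"].prefixlen > 0]
    clashes = []
    for a, b in combinations(specific, 2):
        if a["iface"] != b["iface"] and a["net"].overlaps(b["net"]):
            clashes.append((str(a["net"]), a["iface"], str(b["net"]), b["iface"]))
    return clashes


def plan_split_tunnel(routes, home_gateway, home_iface, pins):
    """Return the `ip route` commands (strings, not executed) that leave the
    default route on the home interface and pin each VPN subnet to its tunnel.
    pins: list of (cidr, iface, next_hop_or_None)."""
    cmds = []
    defaults = default_routes(routes)
    for r in defaults:
        if r["iface"] != home_iface:
            cmds.append(f"ip route del default dev {r['iface']}")
    if not any(r["iface"] == home_iface for r in defaults):
        cmds.append(f"ip route add default via {home_gateway} dev {home_iface}")
    present = {(str(r["net"]), r["iface"]) for r in routes}
    for cidr, iface, next_hop in pins:
        net = ipaddress.ip_network(cidr, strict=False)
        if (str(net), iface) in present:
            continue  # the VPN client already installed this route correctly
        via = f" via {next_hop}" if next_hop else ""
        cmds.append(f"ip route add {net}{via} dev {iface}")
    return cmds


if __name__ == "__main__":
    routes = parse_route_n(ROUTE_N_BOTH)
    print("default route(s):", [(r["gateway"], r["iface"]) for r in default_routes(routes)])
    print("# commands to review, then run as root:")
    for cmd in plan_split_tunnel(routes, "10.1.0.1", "eth0", PINS):
        print(cmd)
    for a, ia, b, ib in overlapping_destinations(parse_route_n(ROUTE_N_CLASH)):
        print(f"ambiguous: {a} via {ia} and {b} via {ib}: renumber one LAN")
```

Run it against your own `route -n` output, review the printed commands, and only then apply them as root; any VPN client re-adds its routes when it reconnects, so re-check the table afterwards. Routing only fixes what routing controls: `ping: sendmsg: Operation not permitted` is the kernel refusing the packet at the netfilter layer (inspect with `iptables -S OUTPUT`), not something a route change can cure.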