Route Web traffic over VPN

Can anyone tell me how to route my web traffic over my VPN? So far, I can log into the VPN with OpenConnect on the command line, but I can’t seem to access anything on the web browser (firefox). See the code below for ip route show before I connect to the VPN and after.

IP Route Show before VPN is connected.


adam@linux-e3yk:~> ip route show
default via 192.168.0.1 dev p3p1  proto static  metric 100 
192.168.0.0/24 dev p3p1  proto kernel  scope link  src 192.168.0.2  metric 100 

Connect with OpenConnect

adam@linux-e3yk:~> sudo openconnect -g AnyConnect-UofMSplit https://tc-vpn-1.vpn.umn.edu
[sudo] password for root: 
POST https://tc-vpn-1.vpn.umn.edu/AnyConnect-UofMSplit
Connected to 160.94.217.90:443
SSL negotiation with tc-vpn-1.vpn.umn.edu
Connected to HTTPS on tc-vpn-1.vpn.umn.edu
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://infotech-od-06-v972.ggnet.umn.edu/AnyConnect-UofMSplit
Connected to 160.94.217.83:443
SSL negotiation with infotech-od-06-v972.ggnet.umn.edu
Connected to HTTPS on infotech-od-06-v972.ggnet.umn.edu
XML POST enabled
Please enter your username and password.
Username:Hxze020253    
Password:
POST https://infotech-od-06-v972.ggnet.umn.edu/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 10, Keepalive 20
Connected as 10.21.38.218 + 2607:ea00:103:4805::bc/64, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(DHE-RSA-4294967237)-(AES-256-CBC)-(SHA1).


IP Route Show after VPN is connected.

adam@linux-e3yk:~> ip route show
default via 192.168.0.1 dev p3p1  proto static  metric 100 
10.0.0.0/8 dev tun0  scope link 
10.21.32.0/20 dev tun0  scope link 
100.64.0.0/10 dev tun0  scope link 
128.101.0.0/16 dev tun0  scope link 
128.101.101.101 dev tun0  scope link 
131.212.0.0/16 dev tun0  scope link 
134.84.0.0/16 dev tun0  scope link 
134.84.84.84 dev tun0  scope link 
146.57.0.0/17 dev tun0  scope link 
146.57.128.0/18 dev tun0  scope link 
146.57.192.0/19 dev tun0  scope link 
146.57.224.0/20 dev tun0  scope link 
146.57.250.0/23 dev tun0  scope link 
146.57.255.16/28 dev tun0  scope link 
160.94.0.0/16 dev tun0  scope link 
160.94.217.83 via 192.168.0.1 dev p3p1  src 192.168.0.2 
172.16.0.0/12 dev tun0  scope link 
192.168.0.0/24 dev p3p1  proto kernel  scope link  src 192.168.0.2  metric 100 
192.168.0.0/16 dev tun0  scope link 


I think I need to route add something or other.

Your default route is via the ethernet interface rather than via the vpn tunnel. For reference, I have an OpenVPN connection configured (home to office), and it looks like this…

~> ip route
default via 10.200.0.1 dev tun0 proto static metric 50 
default via 192.168.0.1 dev eth0 proto dhcp metric 100 
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.2 metric 50 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.19 metric 100 
192.168.0.1 dev eth0 proto static scope link metric 100 
xxx.xxx.xxx.xx via 192.168.0.1 dev eth0 proto static metric 100 

Another VPN I have configured to reach a remote site…

~> ip route
default dev ppp0 proto static scope link metric 50 
default via 192.168.0.1 dev eth0 proto dhcp metric 100 
xx.xx.xx.xx via 192.168.0.1 dev eth0 proto static metric 100 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.19 metric 100 
192.168.0.1 dev eth0 proto static scope link metric 100 
192.168.3.254 dev ppp0 proto kernel scope link src 192.168.3.197 metric 50

As you can see, the default route with the lowest cost points towards the tunnel interfaces in both cases.

Is the part I highlighted in red correct?
“Split” might mean that this profile sets up a “split VPN”, which means that anything whose network ID doesn’t match the network on the other side of your VPN is routed through your regular Default Gateway; that is typically considered bad security. The recommendation is always to configure things so that <all> traffic, including the Default Gateway and DNS, is routed through the VPN.

TSU
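As an added illustration of the two replies above (the first reply's point that the lowest-metric default route decides where unlisted traffic goes, and tsu2's description of a split tunnel as "anything that doesn't match a tunnel prefix goes out the regular default gateway"), here is a small route-table resolver. It is not code from this thread or from OpenConnect; it parses `ip route show` text and applies the kernel's selection rule (longest matching prefix, then lowest metric) to show which destinations would bypass tun0. The first sample table is abridged from the post-VPN table posted in the question; the second is constructed in the shape of the OpenVPN table in the first reply, with the 10.200.0.x addresses taken from it.

```python
import ipaddress

# Constructed sample, abridged from the `ip route show` output posted after
# connecting with the AnyConnect-UofMSplit profile: the only default route
# still points at the LAN interface, so anything outside the listed
# prefixes never enters tun0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.0.1 dev p3p1  proto static  metric 100
10.0.0.0/8 dev tun0  scope link
10.21.32.0/20 dev tun0  scope link
128.101.0.0/16 dev tun0  scope link
128.101.101.101 dev tun0  scope link
160.94.0.0/16 dev tun0  scope link
160.94.217.83 via 192.168.0.1 dev p3p1  src 192.168.0.2
172.16.0.0/12 dev tun0  scope link
192.168.0.0/24 dev p3p1  proto kernel  scope link  src 192.168.0.2  metric 100
192.168.0.0/16 dev tun0  scope link
"""

# Constructed sample in the shape of the OpenVPN table from the first reply:
# two default routes, and the one with the lower metric points at tun0.
FULL_TUNNEL_ROUTES = """\
default via 10.200.0.1 dev tun0 proto static metric 50
default via 192.168.0.1 dev eth0 proto dhcp metric 100
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.2 metric 50
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.19 metric 100
"""


def parse_routes(text):
    """Turn `ip route show` lines into dicts of prefix, gateway, device, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append({
            "net": ipaddress.ip_network(dst, strict=False),
            "via": fields[fields.index("via") + 1] if "via" in fields else None,
            "dev": fields[fields.index("dev") + 1],
            # Routes printed without a metric are metric 0 in the kernel table.
            "metric": int(fields[fields.index("metric") + 1]) if "metric" in fields else 0,
        })
    return routes


def lookup(routes, dst):
    """Pick the route the kernel would use: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def leaking_destinations(routes, destinations, tunnel_dev="tun0"):
    """Destinations that would bypass the tunnel (the 'split' behaviour)."""
    leaks = []
    for dst in destinations:
        route = lookup(routes, dst)
        if route is None or route["dev"] != tunnel_dev:
            leaks.append(dst)
    return leaks


if __name__ == "__main__":
    # 8.8.8.8 stands in for "the web"; 160.94.217.83 is the VPN concentrator
    # from the question, whose host route must stay on the LAN interface even
    # in full-tunnel mode, or the tunnel's own transport packets would be
    # routed back into the tunnel.
    probes = ["8.8.8.8", "128.101.101.101", "192.168.0.5", "192.168.5.5", "160.94.217.83"]
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        routes = parse_routes(table)
        for dst in probes:
            r = lookup(routes, dst)
            print(f"{name:5} {dst:16} -> {r['net']} dev {r['dev']} metric {r['metric']}")
        print(f"{name:5} bypassing tun0: {leaking_destinations(routes, probes)}")
```

Running it shows that in the split table 8.8.8.8 falls through to the LAN default route, while 192.168.0.5 goes out p3p1 even though 192.168.0.0/16 is on tun0, because the directly connected /24 is the longer match. In the full-tunnel table both default routes match 8.8.8.8 with prefix length 0, so the metric-50 entry on tun0 wins. On a live system `ip route get 8.8.8.8` prints the kernel's own decision for the same question, which is the check the last reply in the thread suggests doing with traceroute or tracepath.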

tsu2, you identified the problem. Thank you. AnyConnect-UofMSplit is meant to route non-UMN traffic over my LAN. I found another gateway and changed it as follows.

adam@linux-e3yk:~> sudo openconnect -g AnyConnect-UofMvpn https://tc-vpn-1.vpn.umn.edu


I am trying to understand the route add command. What gateway and netmask should I be using?

adam@linux-e3yk:~> sudo /sbin/route add -net 0.0.0.0 netmask 255.255.240.0 gw 192.168.0.1 metric 99 dev tun0            
adam@linux-e3yk:~> /sbin/route -n


192.168.0.1 is my router. Is that the right gateway, or should I be using 10.21.32.0 or something? Here is the route table.

adam@linux-e3yk:~> /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     255.255.240.0   UG    99     0        0 tun0
default         192.168.0.1     0.0.0.0         UG    100    0        0 p3p1
10.0.0.0        *               255.0.0.0       U     0      0        0 tun0
10.21.32.0      *               255.255.240.0   U     0      0        0 tun0
100.64.0.0      *               255.192.0.0     U     0      0        0 tun0
128.101.0.0     *               255.255.0.0     U     0      0        0 tun0
ns.nts.umn.edu  *               255.255.255.255 UH    0      0        0 tun0
131.212.0.0     *               255.255.0.0     U     0      0        0 tun0
134.84.0.0      *               255.255.0.0     U     0      0        0 tun0
nss.nts.umn.edu *               255.255.255.255 UH    0      0        0 tun0
146.57.0.0      *               255.255.128.0   U     0      0        0 tun0
146.57.128.0    *               255.255.192.0   U     0      0        0 tun0
146.57.192.0    *               255.255.224.0   U     0      0        0 tun0
146.57.224.0    *               255.255.240.0   U     0      0        0 tun0
146.57.250.0    *               255.255.254.0   U     0      0        0 tun0
146.57.255.16   *               255.255.255.240 U     0      0        0 tun0
160.94.0.0      *               255.255.0.0     U     0      0        0 tun0
infotech-od-06- 192.168.0.1     255.255.255.255 UGH   0      0        0 p3p1
172.16.0.0      *               255.240.0.0     U     0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     100    0        0 p3p1
192.168.0.0     *               255.255.0.0     U     0      0        0 tun0


It is working now, but I would still like to understand it.

The default gateway for the tunnel should be the tunnel gateway address, not the Ethernet gateway IP address. A quick check with traceroute (or tracepath) to an internet address will demonstrate this.