I need to add a some static IPv4 routes for VPN routing on eth0 interface, which configured by Wicked and dhcp. At first I tried to done this by YaST2. It wrote a /etc/sysconfig/network/ifroute-eth0 for me with next content:
systemd: Stopped wicked managed network interfaces.
systemd: Starting wicked managed network interfaces...
wicked: discarding route not matching any interface: ipv4 192.168.1.0/24 via 192.168.17.50 type unicast table main scope universe protocol boot
wicked: discarding route not matching any interface: ipv4 192.168.2.0/24 via 192.168.17.50 type unicast table main scope universe protocol boot
wicked: discarding route not matching any interface: ipv4 10.8.0.0/16 via 192.168.17.50 type unicast table main scope universe protocol boot
wicked: lo up
wicked: eth0 setup-in-progress
systemd: Started wicked managed network interfaces.
In any case, routes are not added and subnets not available…
How I can add static routes?
Routes to another subnet must go via gateway and you did not specify any. If those subnets are on the same physical network, you must add IP address from each subnet to your interface in this subnet (in which case no explicit route is necessary).
Thank you for a reply ! But in my case the VPN gateway is not my default router, I do not have access to default gateway as well as to the dhcp service. Subnets then I want to access is the other physical networks and situated on other side of VPN tunnel.
How are you setting up your VPN?
Your setup should automatically set up your modified routing.
If you were setting up a static route <without> routing, you’d need to write your static route as a /etc/sysctl entry so that it would be re-loaded on boot.
But, don’t do that because it shouldn’t be necessary if you’re setting up a VPN.
It might be possible to configure a regular gateway (not default gateway) in YaST, but I haven’t tested that.
Or, are you trying to point to a VPN gateway for your LAN on another machine (sometimes referred to as a “VPN end point” or “VPN beachhead”?
It is possible to abstract from VPN in general. The question is how to set a permanent static route in openSUSE. I have another client with MS Windows, and there I just had to run the command: route -p add 192.168.1.0 MASK 255.255.255.0 192.168.15.50 for my purpose. How to do this in oS? Standard tools - YaST2, Wicked config files somehow not working for me…
IMO you first need to start with whether you’re setting up exactly what you want.
Usually the VPN beach head is set up on either the same machine as the DG or through the DG, it will generally have its own public IP address but usually does not require its own internal IP address because it can share the DG internal address.
A consideration is whether your company policy (I assume you’re connecting to a remote company network) wants you to connect directly to the Internet while you have access to company resources or if all your traffic including Internet should be routed through the VPN… and then exit through the company DG. Theoretically, any time a machine has access to both protected and public resources, that machine becomes a possible point of intrusion for malicious hackers, which is why companies want your machine to not connect directly to the Internet when you have access to the VPN.
The beach head VPN you have set up is useful if someone on the other side of the VPN might want to access a resource in your own network (like your printer or shares on your machine) and a beach head is also convenient if several machines and devices in your own network need to access the VPN… You only need to set up the beach head to service all of your machines instead of setting up on each and every machine.
But, if it’s only your single machine and no one on the other end would ever need to access anything in your network, then it’s probably better to set up the local VPN end point on your own machine instead of setting up a beach head so that you have better end to end encryption.
Those are generally your main choices before going into what you need to do…
Confirm what you want set up and we’ll go from there.
Just took another look at YaST for configuring a non-default gateway…
I remember now I’ve set that up before and didn’t have any problems…
(BTW - In the YaST configuration, I hardly ever leave a setting with its default “-” because I prefer to control and know what the value is)
Configure a static address for the correct network interface as might be needed… In your case it sounds like this may not be necessary.
Configure the gateway machine to the non-default remote network.
In YaST > Routing tab,
a. In the section for adding an ordinary route (Not the top 2 sections that create default gateways which are different), click Add…
b. Enter the information as necessary. Depending on the subnet mask, you need to have a “zero” value for the address portion of course.
Remember that this only sets up the IP routing portion, if you want to enable name resolution, you’ll need to configure that separately.
My apologies, I misunderstood your post. Looking at the last log in your original post the problem is clear - wicked attempts to configure routes before interface is up, which fails. Just yesterday there was a post on opensuse mailing list describing similar problem - static routes are not configured for DHCP interface. Sounds like a wicked bug.
In that case, the method I described adding the “route add” command to /etc/sysctl.conf whould work fine… That is read long after the initial network configuration is set up.
Or, if there is a current problem setting up a route in YaST for this very specific configuration (a DHCP client), then you can wait…
Else, as I described before anything else you should be sure you have your VPN set up the want first.
But are you sure you don’t want to make your Gateway Device your VPN beach head as well? That’s the normal setup instead of making a separate machine your VPN beach head. The reason for not doing what you’re doing is outlined in my previous post, you substantially increase the risk to the remote network you’re connecting to.
I haven’t googled examples of such records anywhere. Could you describe it in more detail?
You can Google the use of sysctl and static routing if you need to, but the logic is simple.
By default, when you add a route using the command line, it’s not persistent across reboots.
So, the solution is to simply execute the command on every boot automatically, and this is what happens when the command is in your /etc/sysctl.conf
Unfortunately I have no opportunity to make it, I have no access to it. I fully agree with you that it would be much easier and more correct.
I may be wrong, but as far as I know sysctl.conf has its own specific syntax and is not a startup script. Arbitrary entries in it can lead to errors like: “sysctl: /etc/sysctl.conf: invalid syntax, continuing”. From sysctl.conf manual:
sysctl.conf is a simple file containing sysctl values to be read in and set by sysctl. The
syntax is simply as follows:
token = value
Note that blank lines are ignored, and whitespace before and after a token or value is ignored,
although a value can contain whitespace within. Lines which begin with a # or ; are considered
comments and ignored.
# sysctl.conf sample
kernel.domainname = example.com
; this one has a space which will be written to the sysctl!
kernel.modprobe = /sbin/mod probe
Are you sure that I can add the “route add …” command to this file?
Is it the remote host that needs to access 192.168.1.0/24 and 192.168.2.0/24 subnets? I assume that it is the firewall router that routes these? If so, suitable routes added to the VPN router could be used to reach these. I’ve done similar with a Mikrotik router (configured as an OpenVPN server) connected behind a firewall. Sorry if I don’t have the correct interpretation here.
Ok, thanks for the further clarification. Can you make it work if you use a statically assigned configuration instead of using DHCP? (I was just wondering about the alleged wicked bug referenced by arvidjaar.)
Yes, I did this experiment. In this case, the problem is gone - the routes were added automatically from /etc/sysconfig/network/ifroute-eth0. And no errors in system log.
Thanks for the idea with systemd unit, I will be try to use this!