I was trying to route only a specific subnet/single IP through OpenVPN.
I have read several questions like this on Super User, and even found a good answer to my question.
So I am now able to route a single IP address through the VPN. To do this I have added something like this to /etc/openvpn/client.conf:
route-nopull
route 1.2.3.4 255.255.255.255
route 5.6.7.8 255.255.255.255
route 9.10.11.12 255.255.255.255
However this solves only half of my problem, because what I would like to do is to route specific subnetworks through the VPN, not only single addresses.
I have tried the following:
route x.y.19.178 255.255.255.0
which, I believe, should route the whole traffic to the x.y.19.178/24 subnetwork through the VPN, but it doesn't. Instead of that I can see the following error in syslog:
Dec 18 16:11:01 wi-dev ovpn-client[31421]: /sbin/ip route add x.y.19.178/24 via z.a.0.1
Dec 18 16:11:01 wi-dev ovpn-client[31421]: ERROR: Linux route add command failed: external program exited with error status: 2
Any idea what might be wrong with my client (or server) config?
Answer
Your netmask is not valid for the IP address you're using. Specifically, if you take your IP addresses and convert them to binary you get:
IP = x.y.19.178 = XXXXXXXX.YYYYYYYY.00010011.10110010
MASK = 255.255.255.252 (/30) = 11111111.11111111.11111111.11111100
In order for an IP address to be valid for a subnet, the IP must be at the beginning of the subnet, or in binary terms, the IP can only have 1s where the subnet mask has 1s. So, if we remove the last 1 from the IP we get:
IP = x.y.19.176 = 00001010.00000000.00010011.10110000
So, the start of your subnet should actually be x.y.19.176. You'll have to calculate appropriate IPs if you want a subnet different than a /30. I used this tool to do some calculations.
Also note: if you just run the command given in the log at the command line
/sbin/ip route add x.y.19.178/24 via z.a.0.1
You'll get the error back. On my machine I got "Invalid argument", whereas this command succeeded:
/sbin/ip route add 192.168.19.176/24 via 192.168.0.1
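To make the alignment check from the answer mechanical, here is an added example (it is not part of the question or the answer) that validates each `route <network> <netmask>` line of an OpenVPN client config and suggests the aligned network address; the 10.0.19.x addresses are constructed stand-ins for the x.y.19.178 in the question.

```python
import ipaddress


def network_for(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the subnet that contains ip for a dotted-quad netmask.

    strict=False lets the library clear the host bits instead of raising,
    which is exactly the "remove the 1s where the mask has 0s" step.
    """
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def is_network_address(ip: str, netmask: str) -> bool:
    """True when ip is the first address of its subnet (host bits all zero)."""
    return str(network_for(ip, netmask).network_address) == ip


def binary(ip: str) -> str:
    """Dotted-binary rendering, as used in the answer above."""
    return ".".join(f"{int(octet):08b}" for octet in ip.split("."))


def check_routes(config_text: str) -> list:
    """Scan 'route A.B.C.D M.M.M.M' lines of an OpenVPN config.

    Returns one (original_line, ok, suggested_line) tuple per route line;
    suggested_line is the aligned form the 'ip route add' call will accept.
    """
    results = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "route":
            continue  # ignore route-nopull, comments, other directives
        ip, mask = parts[1], parts[2]
        net = network_for(ip, mask)
        suggested = f"route {net.network_address} {net.netmask}"
        results.append((line, is_network_address(ip, mask), suggested))
    return results


# Constructed config mirroring the question: single hosts are fine,
# the /30 and /24 lines carry host bits and must be realigned.
SAMPLE_CONFIG = """route-nopull
route 1.2.3.4 255.255.255.255
route 10.0.19.178 255.255.255.252
route 10.0.19.178 255.255.255.0
"""

if __name__ == "__main__":
    for original, ok, suggestion in check_routes(SAMPLE_CONFIG):
        print(f"{'OK ' if ok else 'BAD'} {original}  ->  {suggestion}")
```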