I am trying to set up a second VPN connection over the first one, which is my only option at the moment. The first VPN connection (utun1) works fine, providing me internet access, and it looks like this:
Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.56.10.5 UGSc 0 0 utun1
default 192.168.1.1 UGSc 2 0 en0
default 10.56.10.5 UGScI 17 0 utun1
10.56.10.1/32 10.56.10.5 UGSc 0 0 utun1
10.56.10.5 10.56.10.6 UHr 31 0 utun1
10.56.10.5/32 link#14 UCS 0 0 utun1
127 127.0.0.1 UCS 0 4 lo0
127.0.0.1 127.0.0.1 UH 35 2531224 lo0
128.0/1 10.56.10.5 UGSc 10 0 utun1
169.254 link#4 UCS 0 0 en0
179.13.126.66/32 192.168.1.1 UGSc 1 0 en0
192.168.1 link#4 UCS 1 0 en0
192.168.1.1/32 link#4 UCS 1 0 en0
192.168.1.1 ec:88:8f:2b:4d:b6 UHLWIir 4 26 en0 750
192.168.1.103/32 link#4 UCS 0 0 en0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 7 en0
224.0.0/4 link#4 UmCS 2 0 en0
224.0.0/4 link#14 UmCSI 0 0 utun1
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 20 en0
255.255.255.255/32 link#4 UCS 1 0 en0
255.255.255.255 ff:ff:ff:ff:ff:ff UHLWbI 0 7 en0
255.255.255.255/32 link#14 UCSI 0 0 utun1
When connecting to the second VPN (utun2), I don't have internet any more and I can't connect to the host for which I am using the second VPN. The second internet connection is supposed to provide internet as well (it does when, by luck, I am able to connect to it directly). So the routing looks like this:
Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.56.10.5 UGSc 0 0 utun1
default link#16 UCS 0 0 utun2
default 192.168.1.1 UGScI 1 0 en0
default 10.56.10.5 UGScI 9 0 utun1
10.56.10.1/32 10.56.10.5 UGSc 0 0 utun1
10.56.10.5 10.56.10.6 UHr 19 0 utun1
10.56.10.5/32 link#14 UCS 0 0 utun1
127 127.0.0.1 UCS 0 4 lo0
127.0.0.1 127.0.0.1 UH 34 2536322 lo0
128.0/1 10.56.10.5 UGSc 5 0 utun1
32.169.33.64 10.56.10.5 UGHS 0 0 utun1
32.169.252.34 31.169.252.34 UH 0 11 utun2
169.254 link#4 UCS 0 0 en0
179.13.126.66/32 192.168.1.1 UGSc 1 0 en0
192.168.1 link#4 UCS 1 0 en0
192.168.1.1/32 link#4 UCS 1 0 en0
192.168.1.1 ec:88:8f:2b:4d:b6 UHLWIir 4 42 en0 1119
192.168.1.103/32 link#4 UCS 0 0 en0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWbI 0 5 en0
224.0.0/4 link#16 UmCS 0 0 utun2
224.0.0/4 link#4 UmCSI 1 0 en0
224.0.0/4 link#14 UmCSI 0 0 utun1
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 4 en0
255.255.255.255/32 link#16 UCS 1 0 utun2
255.255.255.255/32 link#4 UCSI 0 0 en0
255.255.255.255/32 link#14 UCSI 0 0 utun1
255.255.255.255 link#16 UHW3bI 0 1 utun2 6
ifconfig shows this:
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.56.10.6 --> 10.56.10.5 netmask 0xffffffff
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 32.169.252.34 --> 32.169.252.34 netmask 0xfffffc00
The first VPN is created by some 3rd-party VPN client. The second is the built-in OS X VPN connection, set to default.
The host that I am trying to connect to via the second VPN is in the subnet 32.169.0.0/16.
I've tried to add routing for that specific host, without much success:
sudo route add -host 32.169.111.222 10.56.10.5 -interface utun2
What route would help me to add routing to the specific host via both tunnels? Just to be clear: utun1 is just a helper tunnel for utun2.
You will want to do policy routing with iproute2. /etc/iproute2/rt_tables lists tables and you can also add them. They have a number next to them which is their priority in which they are processed. You can use 'ip route add' and 'ip rule add' to modify rules and routes. IP rules also have a priority. Both of the commands are processed with higher numbered routes and rules taken last. A route is added to a table while a rule specifies what kind of source and destination addresses take the specified route and/or routing table. Use the 'table' keyword to 'ip route add' to specify which table to add the route to and use 'lookup' for 'ip rule add' to specify which table to take.
I edited this to show an example. Although I have not tested this command syntax or setup, it should be pretty much this easy:
rt_tables:
125 vpn-1
150 vpn-2
ip rules:
ip route add <vpn_1_ip> via <real_default_gw_ip> dev <dev> table main
ip route add <vpn_2_ip> via <vpn_1_ip> dev <dev> table vpn-1
ip route add default via <vpn_2_ip> dev <dev> table vpn-2
Then add rules. Something like this:
ip rule add pref 1000 from <vpn_1_ip> to any lookup main
ip rule add pref 1001 from <vpn_2_ip> to any lookup vpn-1
ip rule add pref 30000 from any to any lookup vpn-2
Although, are you sure you need to do this if you configure the second VPN on top of the first VPN, i.e. through the first VPN, instead of letting it use the default gateway?
Your problems might be that the first VPN server is not configured to accept remote access VPN connections. Verify with your VPN supplier if this is indeed the case.
See for example this link for configuring what Microsoft calls "Pass-Through VPN":
Configuration of the Company B VPN Server.
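The following script is an added example, not part of the answer above nor of any VPN client: it turns the answer's policy-routing recipe (one iproute2 table per tunnel, routes added with `table`, rules selecting a table with `lookup`) into a reviewable dry run. It applies to Linux, which the answer assumes; the asker's OS X host has no iproute2. The addresses are assumed placeholders (the two VPN servers' public IPs are constructed from TEST-NET 203.0.113.0/24, the tunnel-2 inner gateway 10.8.0.1 is assumed), the device names eth0/tun0/tun1 stand in for en0/utun1/utun2, and the function names `run`, `ensure_rt_table`, `plan_routes` and `verify_path` are this example's own.

```shell
#!/bin/sh
# Added example: dry-run generator for a VPN-over-VPN policy-routing setup
# with iproute2. DRY_RUN=1 (default) prints every command instead of running
# it, so the plan can be reviewed before being applied as root with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"

# Print the command line in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Idempotently register "<number> <name>" in an rt_tables file (the real
# one is /etc/iproute2/rt_tables); a name already present is left alone.
ensure_rt_table() {
    file=$1; num=$2; name=$3
    if grep -Eq "[[:space:]]$name\$" "$file" 2>/dev/null; then
        return 0
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf 'append to %s: %s %s\n' "$file" "$num" "$name"
    else
        printf '%s %s\n' "$num" "$name" >> "$file"
    fi
}

# Routes and rules for the chain LAN -> tunnel 1 -> tunnel 2. Reads the
# REAL_GW, LAN_DEV, VPN1_SRV, VPN1_PEER, VPN1_ADDR, TUN1, VPN2_SRV,
# VPN2_PEER and TUN2 variables set below. "replace" keeps re-runs idempotent.
plan_routes() {
    # VPN 1 server stays reachable over the physical LAN (most clients add
    # this themselves); VPN 2 server is reached only through tunnel 1.
    # Host routes (/32) always beat the /1 and default routes of the tunnels.
    run ip route replace "$VPN1_SRV" via "$REAL_GW"   dev "$LAN_DEV" table main
    run ip route replace "$VPN2_SRV" via "$VPN1_PEER" dev "$TUN1"    table main
    # Table vpn-1: everything out through tunnel 1; vpn-2: through tunnel 2.
    run ip route replace default via "$VPN1_PEER" dev "$TUN1" table vpn-1
    run ip route replace default via "$VPN2_PEER" dev "$TUN2" table vpn-2

    # Rules: lowest pref wins. Rule 100 consults main but ignores its default
    # route (prefix length 0), so LAN and the two server host routes keep
    # working; packets sourced from our tunnel-1 address use vpn-1; all other
    # traffic falls through to the second tunnel.
    run ip rule add pref 100   lookup main suppress_prefixlength 0
    run ip rule add pref 1001  from "$VPN1_ADDR" lookup vpn-1
    run ip rule add pref 30000 from all lookup vpn-2
}

# After applying, confirm which interface the kernel picks for a destination.
verify_path() {
    run ip rule show
    run ip route get "$1"
}

# Assumed placeholder values (constructed for this example, not from the
# question's machine except the tunnel-1 addresses 10.56.10.5/.6).
REAL_GW=192.168.1.1      # LAN default gateway
LAN_DEV=eth0
VPN1_SRV=203.0.113.10    # public IP of the first VPN server (TEST-NET)
VPN1_PEER=10.56.10.5     # inner gateway of tunnel 1
VPN1_ADDR=10.56.10.6     # our address on tunnel 1
TUN1=tun0
VPN2_SRV=203.0.113.20    # public IP of the second VPN server (TEST-NET)
VPN2_PEER=10.8.0.1       # inner gateway of tunnel 2 (assumed)
TUN2=tun1
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

ensure_rt_table "$RT_TABLES" 125 vpn-1
ensure_rt_table "$RT_TABLES" 150 vpn-2
plan_routes
verify_path 32.169.111.222   # the host from the question; expect TUN2 here
```

Run it once as a normal user to read the plan, then `sudo DRY_RUN=0 sh script.sh` to apply it. The vpn-1 table and the source-address rule mirror the answer's structure; the `suppress_prefixlength 0` rule is the standard iproute2 way (the same trick wg-quick uses) to keep every specific route in main while letting the tunnel tables provide the default, which is exactly what the question's OS X table lacks: there the 0/1 and 128.0/1 routes via utun1 shadow utun2's default.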
User contributions licensed under CC BY-SA 3.0