What does netstat -r on OSX tell you about gateways?
I noticed the route table has a lot of entries I do not understand.
The route tabel is:
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.254 UGSc 28 0 en1
10.8.0.1/32 10.8.0.5 UGSc 1 2 tun0
10.8.0.5 10.8.0.6 UH 2 3 tun0
127 localhost UCS 0 284 lo0
localhost localhost UH 10 3663 lo0
169.254 link#5 UCS 0 0 en1
192.168.0 link#5 UCS 4 0 en1
192.168.0.25 localhost UHS 0 0 lo0
192.168.100 10.8.0.5 UGSc 0 7 tun0
I believe this route says:
- All traffic in 192.168.100.* should route to 10.8.0.5 (!?)
- All traffic to 10.8.0.5 should route to 10.8.0.6 (!?)
- All traffic to 10.8.0.1/32 should route to 10.8.0.5 (!?)
Why is 192.168.100 not going to 10.8.0.1, but instead to 10.8.0.5, and then from 5 to 6, and then i guess 1/32 is supposed to match 6, and it seems like there is a loop.
I can not ping 10.8.0.5, but I thought that was my ip on the vnetwork. I can not ping 10.8.0.6, however I think that is masked, I get some output "Communication prohibited by filter"
ifconfig shows:
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 1307)
And there is 6 -> 5 again!
NOTE: from here down is just specifics, in case you need more info to understand the routes.
My setup is: - Laptop on local network (192.168.0..) with router (192.168.0.254) - VPN connected via virtual router (10.8.0.1) on net (10.8.0...) to a network of (192.168.100...) with router (192.168.100.1) - 192.168.100.200 is a server on the remote network
Now when i 'traceroute 192.168.100.200', i expected
10.8.0.1 (VPN router on the other side) 192.168.100.1 (Router on the physical network on the other side) 192.168.100.200 (host reached.)
Instead I just get an endless set of *s
This is not the same as this question, and I could not find an answer, so Thanks!
nycynik
Community1 Answer
You are reading route information only partly correctly.
tun0 is virtual interface used for VPN, which uses (for it's own internal purposes) point-to-point link from 10.8.0.6 (VPNGW your side) to 10.8.0.5 (VPNGW remote side). That is the same thing that "ifconfig tun0" says to you. You should not access those two addresses directly.
So, any traffic you route via GW 10.8.0.5 will enter the VPN tunnel (via interface tun0), and exit VPN tunnel at other side (of course, assuming VPN tunnel is established and working, by VPN process running with pid 1307).
10.8.0.1/32 10.8.0.5 UGSc 1 2 tun0
This means that anything sent to host 10.8.0.1 (/32 is CIDR notation, meaning "just this one host") will be routed via gateway at 10.8.0.5 (that is, it will enter a VPN tunnel).
So when you ping 10.8.0.1, it will work only if VPN tunnels works. That's why it is here (so you can verify if tunnel is working, even if none of computers on the other side are up).
192.168.100 10.8.0.5 UGSc 0 7 tun0
same as above, but for whole class-C network 192.168.100.* (it could have also be written as "192.168.100.0/24" in CIDR instead of shorter "192.168.100"). This is the main thing you setup the tunel for - so you access this range of addresses on remote side via VPN.
10.8.0.5 10.8.0.6 UH 2 3 tun0
this one you got wrong, notice the flags "UH" - missing "G" means that is directly connected point-to-point link, and NOT a gateway through which you can route data. So it does NOT mean that traffic for 10.8.0.5 will be sent via 10.8.0.6, but instead only that 10.8.0.5 is directly visible to this computer (which has IP 10.8.0.6) using tun0 interface.
Why is 192.168.100 not going to 10.8.0.1, but instead to 10.8.0.5, and then from 5 to 6, and then i guess 1/32 is supposed to match 6, and it seems like there is a loop.
Hopefully the above info cleared up those misconceptions.
I can not ping 10.8.0.5, but I thought that was my ip on the vnetwork. I can not ping 10.8.0.6, however i think that is masked, i get some output "Communication prohibited by filter"
Yes, those two addresses are used internally by tun0 interface, and you should not concern yourself with them (unless you're running traffic analyzer between networks etc) - they won't work the way regular addresses would.
Matija NalisUser contributions licensed under CC BY-SA 3.0