
#1 2013-01-27 14:01:33

joepvd
Member
Registered: 2011-10-06
Posts: 31

netcfg: Multiple simultaneous vpn-connections

I need to connect to two vpn networks, and I am using netcfg. I can connect to both networks separately, but it does not work to have both networks up at the same time.

This is the configuration:

vpn1: 10.0.0.0/255.0.0.0 vpnc
vpn2: 10.0.0.0/255.0.0.0 pptp

There is of course a collision in the address space. These are my routing requirements:

default gateway should stay at the gw without VPNs. 
All traffic to 10.0.0.0/255.0.0.0 should go to vpn1
Traffic to 10.1.2.3 and 10.5.6.7 should go to vpn2

I think I'll figure this routing out by myself, just mentioning it as it might be relevant context.

If vpn1 is up, and I do netcfg vpn2, vpn1 gets disabled before netcfg tries to connect to vpn2. And the other way around. There seems to be some 'exclusive' flag set, but I have not been able to locate it from scrolling through /usr/bin/netcfg, /usr/lib/network/network and /usr/lib/network/globals. What have I missed? Any pointer would be much appreciated.


#2 2013-01-28 09:02:05

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: netcfg: Multiple simultaneous vpn-connections

joepvd wrote:

I need to connect to two vpn networks, and I am using netcfg. I can connect to both networks separately, but it does not work to have both networks up at the same time.

This is the configuration:

vpn1: 10.0.0.0/255.0.0.0 vpnc
vpn2: 10.0.0.0/255.0.0.0 pptp

There is of course a collision in the address space. These are my routing requirements:

default gateway should stay at the gw without VPNs. 
All traffic to 10.0.0.0/255.0.0.0 should go to vpn1
Traffic to 10.1.2.3 and 10.5.6.7 should go to vpn2

You need to configure your VPN servers differently. You can not have conflicting subnets.

Also, PPTP is not secure. You should look into OpenVPN if you are in control of the VPN servers and have the authority to choose. OpenVPN is also much easier to configure. You simply add this to the end of the server config for vpn2:

push "route 10.1.2.3 255.255.255.255"
push "route 10.5.6.7 255.255.255.255"

Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2
DEFCON 19: Whitfield Diffie and Moxie Marlinspike
https://www.youtube.com/watch?v=sIidzPntdCM

Last edited by hunterthomson (2013-01-28 09:06:24)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec


#3 2013-01-28 13:50:31

joepvd
Member
Registered: 2011-10-06
Posts: 31

Re: netcfg: Multiple simultaneous vpn-connections

Thanks for taking the time to answer, hunterthomson. Unfortunately, I am not in control of the PPTP VPN server, so I'll have to live with it. I will solve this issue by installing OpenWrt in VirtualBox and playing around with my routing tables.

But out of curiosity, I still do not understand why setting up two tunnels at the same time is not possible. Isn't it a convenience function to set the routing table as requested by the VPN tunnel? In my case, the convenience has become a (small) burden. Is it really not possible to disable the check for routing conflicts and adjust the kernel's routing table?


#4 2013-01-28 22:55:21

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: netcfg: Multiple simultaneous vpn-connections

Bummer, stuck with PPTP.

Well, you can just connect to vpn2 first. Then delete the routes it entered and put in the correct routes by hand. Then connect to vpn1.
Once you get that working then you can write a script to do it for you.

It seems strange to me that a VPN is eating up a whole Class A network. The admin on the server side has not configured the VPNs correctly, and that is your problem. I am sure the VPN network could be at least a /16 or /24, or better yet a /25 or /26: basically, only use up the minimum number of IPs needed, with a little room to grow.

Last edited by hunterthomson (2013-01-28 23:00:34)

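The sequence hunterthomson describes (bring up vpn2, throw away the blanket 10/8 route it installed, add the two host routes by hand, pin the default route back to the LAN gateway, then bring up vpn1), written out as a script. This is an added example and not something posted in the thread. The interface names (ppp0 for the PPTP tunnel, tun0 for vpnc), the LAN gateway 192.168.1.1 on eth0, and the commands used to start each tunnel are all assumptions and are exposed as variables; in particular the thread notes that `netcfg` tears down one tunnel when starting the other, so VPN1_UP/VPN2_UP may need to point at whatever does not do that. The host routes rely only on longest-prefix matching: a /32 via ppp0 always beats the /8 via tun0, which is what the original routing requirements ask for. With DRY_RUN=1 the script prints the commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread). Connect vpn2 first, replace the routes it
# pushed with the two host routes actually wanted, keep the default route on the
# LAN gateway, then connect vpn1. All names below are assumptions.
set -e

LAN_GW="${LAN_GW:-192.168.1.1}"      # assumed LAN gateway
LAN_DEV="${LAN_DEV:-eth0}"           # assumed LAN interface
PPTP_DEV="${PPTP_DEV:-ppp0}"         # assumed PPTP (vpn2) interface
VPNC_DEV="${VPNC_DEV:-tun0}"         # assumed vpnc (vpn1) interface
VPN2_UP="${VPN2_UP:-netcfg vpn2}"    # assumed command that brings vpn2 up
VPN1_UP="${VPN1_UP:-netcfg vpn1}"    # assumed command that brings vpn1 up

# Run a command, or just print it when DRY_RUN=1 (the real thing needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn2 pulled in all of 10.0.0.0/8; keep only the two hosts that must go
# through it. The /32 routes win over the /8 that vpn1 will add later.
fix_vpn2_routes() {
    dev="$1"
    run ip route del 10.0.0.0/8 dev "$dev"
    run ip route add 10.1.2.3/32 dev "$dev"
    run ip route add 10.5.6.7/32 dev "$dev"
}

# Neither tunnel may take over the default route: force it back to the LAN.
pin_default_route() {
    run ip route replace default via "$LAN_GW" dev "$LAN_DEV"
}

# Whole sequence in the order suggested in the thread.
bring_up_both() {
    # shellcheck disable=SC2086  # word splitting of the "up" commands is intended
    run $VPN2_UP
    fix_vpn2_routes "$PPTP_DEV"
    pin_default_route
    run $VPN1_UP
    # Everything else in 10/8 goes through vpn1; the two /32s stay on ppp0.
    run ip route replace 10.0.0.0/8 dev "$VPNC_DEV"
    pin_default_route
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    bring_up_both
fi
```

Run it as `RUN_MAIN=1 DRY_RUN=1 sh vpn-routes.sh` first and compare the printed `ip route` lines with `ip route show` after each tunnel comes up; once the names match reality, drop DRY_RUN and run it as root.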
