Help - Routing & Gateway question!

Started by tiestobob, August 09, 2021, 10:23:33 AM


tiestobob

Hi, so I have a situation that I need help with, and I'm not an expert, so please bear with me:

There are 5 devices, all 5 devices are on the 10.168.0.0 network. There are 2 cellular modems as well. One for me and one for our contractor. Both are for us to be able to VPN into the network so we can manage our devices. I manage 2 devices and he manages 3. We decided to put all our devices on the same network for ease of integration. These cellular modems have the following IP & Gateway information:

Cell modem 1: 10.168.1.201 (IP) & 10.168.1.201 (gateway) (I guess this is considered the principal gateway since IP = gateway). And this is the contractor's modem FYI.
Cell modem 2: 10.168.1.205 (IP) & 10.168.1.201 (gateway). This is my modem.

All 5 aforementioned devices have IP 10.168.x.x & gateway 10.168.1.201. When I'm on site and I plug my laptop into my unmanaged switch, and I set my laptop's ethernet interface IP to, say, 10.168.1.150, I'm able to ping everything. However, the problem is when I VPN into my cell modem (#2 cell modem) I can't ping any of these devices. The VPN IP I get assigned from my cell modem is 10.10.10.2, and my route table is shown below.

But when I change my cell modem #2 IP to .201 I can ping them all, even though it is now a conflict with the other modem, which also has the .201 IP. Is it because cell modem #1, when it's the principal gateway, does not have a route back to the 10.10.10.2 VPN network? It seems like my modem does based on the route table below, but I'm not sure about the contractor's modem. Would he have to insert this route to 10.10.10.2 into his modem when he's the principal gateway?

Routing Table Entry List on cell modem #2:


Destination LAN NET   Subnet Mask   Gateway   Interface
10.10.10.0   255.255.255.0   0.0.0.0   tun2
10.168.0.0   255.255.0.0   0.0.0.0   LAN & WLAN

Otanx

As you suspected it is a routing issue. You mentioned you get 10.10.10.2 when connected to cell modem 2. What do you get when connected to cell modem 1? Is it a 10.10.10.X address? Basically you need to configure the two VPNs to use different IPs for the VPN clients. Then you can add a route on the main one to send traffic for the other VPN to the other modem.

-Otanx

tiestobob

Quote from: Otanx on August 09, 2021, 12:45:47 PM
As you suspected it is a routing issue. You mentioned you get 10.10.10.2 when connected to cell modem 2. What do you get when connected to cell modem 1? Is it a 10.10.10.X address? Basically you need to configure the two VPNs to use different IPs for the VPN clients. Then you can add a route on the main one to send traffic for the other VPN to the other modem.

-Otanx

Hi Otanx,

Yes, I get 10.10.10.2 when I VPN into my cellular modem (#2). I have never VPN'd into cell modem #1 though. It's not my modem, it's the contractor's. My assumption is that when my cellular modem is the main gateway (IP = .201, gateway = .201), everything works fine, but when he connected his modem (#1) and I changed my IP to .205 and made him the gateway, I no longer have any connectivity to my or his devices. I'm just trying to understand if he needs to put a route in his modem (#1) so that when I VPN into my modem (#2) I can still talk to my devices? Or can I do that on my end on my cell modem too?

Otanx

Whatever device is being used as the gateway (.201) will need a route to the other modem for the VPN space on the other modem. However, if the VPN IPs are the same on both modems that will be an issue. If the contractor modem is also using 10.10.10.0/24 then one of you needs to configure different VPN IP addresses.

-Otanx

tiestobob

Thanks Otanx for your help.

So what we did was change our VPN to TAP instead of TUN and modify our OpenVPN client file as well, and it now works. What TAP does is put you on the local LAN network, and you specify a start/end pool of IPs if DHCP is off (which it was on the contractor's modem). TUN worked when my modem was the gateway because my modem would automatically insert a route between the VPN and LAN networks when it was the gateway, but since the contractor's modem was the gateway, they either had to put in a route or I had to change the way I VPN'd into my modem, so we decided on the latter and I switched my VPN server mode to TAP.

Note: TAP won't work on most newer OpenVPN client software, so I'm using an older one to make it work. I think it's generally a security issue because the VPN'd user is on the same network without any firewall or security measures that could be put in place, as in the TUN OpenVPN server mode where the VPN is on its own network, separate from the local network.

deanwebb

So now I'm wondering why newer VPNs don't do the TAP...  :think:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

To save this route issue, what I have done previously is issue a VPN client IP that is in the same subnet as the remote LAN, and then the device proxy-ARPs to receive the traffic, i.e. the device on the LAN responds to ARP on your behalf.

Then, the devices already there on the LAN do not contact their default gateway for your VPN IP and you therefore do not need to place a route in the gateway telling it where to go to reach your VPN IP address.

icecream-guy

Quote from: Dieselboy on August 12, 2021, 03:17:27 AM
To save this route issue, what I have done previously is issue a VPN client IP that is in the same subnet as the remote LAN, and then the device proxy-ARPs to receive the traffic, i.e. the device on the LAN responds to ARP on your behalf.

Then, the devices already there on the LAN do not contact their default gateway for your VPN IP and you therefore do not need to place a route in the gateway telling it where to go to reach your VPN IP address.

Proxy ARP is a security risk and should be disabled where possible. There are things like ARP spoofing, where attackers can leverage the trusting nature of proxy ARP by spoofing a trusted host and then intercepting packets.

:professorcat:

My Moral Fibers have been cut.
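A small forwarding simulation of the topology described in this thread, added here as an example; it is not code from any of the posts. It models the posted addresses (10.168.0.0/16 LAN, gateway 10.168.1.201, second modem at 10.168.1.205, TUN pool 10.10.10.0/24) with longest-prefix-match lookups and traces the reply path from a LAN device back to the VPN client. The cases cover Otanx's point that whichever box holds .201 needs a route for the other modem's VPN pool (and that two modems cannot share one pool), the TAP/bridged setup tiestobob ended up with, and Dieselboy's same-subnet suggestion. The device address 10.168.2.10, the tunnel addresses 10.10.10.1 and 10.10.10.254, the segment names and the host names are assumptions made for the model.

```python
"""Trace the return path from a LAN device to an OpenVPN client.

Added example, not code from the thread. Addresses follow the posts
(10.168.0.0/16 LAN, .201 gateway, .205 second modem, 10.10.10.0/24 pool);
segment names, host names and 10.168.2.10 / 10.10.10.254 are made up.
"""
import ipaddress


def ip(s):
    return ipaddress.ip_address(str(s))


class Host:
    """A host or router: connected interfaces, static routes, default gateway."""

    def __init__(self, name, interfaces, default_gw=None):
        # interfaces: {ifname: ("addr/prefix", segment)}. A segment is one L2
        # domain (the switch, or one modem's own tunnel); on-link delivery only
        # works between interfaces sharing a segment, which is why a TUN pool
        # hanging off modem2 is invisible to a host that only knows modem1.
        self.name = name
        self.ifaces = {n: (ipaddress.ip_interface(c), seg)
                       for n, (c, seg) in interfaces.items()}
        self.static = []                       # (ip_network, next-hop address)
        self.default_gw = ip(default_gw) if default_gw else None

    def add_route(self, network, via):
        self.static.append((ipaddress.ip_network(network), ip(via)))

    def addresses(self):
        return {i.ip for i, _ in self.ifaces.values()}

    def on_segment(self, seg):
        return any(s == seg for _, s in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match: ('onlink', segment), ('via', next_hop) or None."""
        dst, best = ip(dst), None              # best = (prefixlen, kind, target)
        for iface, seg in self.ifaces.values():
            if dst in iface.network and (best is None or iface.network.prefixlen > best[0]):
                best = (iface.network.prefixlen, "onlink", seg)
        for net, nh in self.static:
            # strict '>' keeps a connected route ahead of an equally long static one
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "via", nh)
        if best:
            return best[1], best[2]
        return ("via", self.default_gw) if self.default_gw is not None else None


class Lab:
    def __init__(self, hosts):
        self.owner = {a: h for h in hosts for a in h.addresses()}

    def trace(self, src, dst, max_hops=8):
        """Forward hop by hop. Returns (delivered, [host names visited])."""
        dst, cur, path = ip(dst), src, [src.name]
        for _ in range(max_hops):
            if dst in cur.addresses():
                return True, path
            route = cur.lookup(dst)
            if route is None:
                return False, path             # no route at all: dropped here
            kind, target = route
            # on-link: whoever owns dst must answer ARP on that segment;
            # via: the next hop is assumed directly connected (true in the thread)
            nxt = self.owner.get(dst if kind == "onlink" else target)
            if nxt is None or (kind == "onlink" and not nxt.on_segment(target)):
                return False, path
            cur = nxt
            path.append(cur.name)
        return False, path


def pools_overlap(pool_a, pool_b):
    """Overlapping client pools cannot both be routed from a single gateway."""
    return ipaddress.ip_network(pool_a).overlaps(ipaddress.ip_network(pool_b))


def scenario(case):
    """Reply path from a LAN device (default gw .201) to the VPN client.

    own_gateway : only modem2 present, holding .201 (worked for the OP)
    broken      : modem1 holds .201, modem2 is .205, modem1 knows no VPN route
    static_route: as broken, plus '10.10.10.0/24 via 10.168.1.205' on modem1
    overlap     : as static_route, but modem1 also uses 10.10.10.0/24 itself
    same_subnet : client gets a LAN address (TAP bridge / proxy-ARP approach)
    """
    device = Host("device", {"eth0": ("10.168.2.10/16", "lan")}, default_gw="10.168.1.201")
    client_cidr, seg = (("10.168.1.150/16", "lan") if case == "same_subnet"
                        else ("10.10.10.2/24", "vpn2"))
    client = Host("client", {"vpn": (client_cidr, seg)})
    m2_addr = "10.168.1.201/16" if case == "own_gateway" else "10.168.1.205/16"
    modem2 = Host("modem2", {"lan": (m2_addr, "lan"), "tun2": ("10.10.10.1/24", "vpn2")})
    hosts = [device, modem2, client]
    if case != "own_gateway":
        m1 = {"lan": ("10.168.1.201/16", "lan")}
        if case == "overlap":
            m1["tun1"] = ("10.10.10.254/24", "vpn1")   # contractor's own pool, same /24
        modem1 = Host("modem1", m1)
        if case in ("static_route", "overlap"):
            modem1.add_route("10.10.10.0/24", via="10.168.1.205")
        hosts.append(modem1)
    return Lab(hosts).trace(device, client_cidr.split("/")[0])


if __name__ == "__main__":
    for case in ("own_gateway", "broken", "static_route", "overlap", "same_subnet"):
        ok, path = scenario(case)
        print(f"{case:13s} {'delivered' if ok else 'dropped'}: {' -> '.join(path)}")
```

Running it prints one line per case: the reply is delivered when modem2 holds .201, dropped at modem1 when modem1 holds .201 without a route, delivered again once modem1 has `10.10.10.0/24 via 10.168.1.205`, dropped again if modem1 uses the same /24 for its own tunnel (its connected route wins over the static one, so the client on modem2 can never be reached), and delivered directly when the client has a LAN address. The model ignores ICMP redirects and any firewall on the modems; in a real deployment the static route on the gateway is also where a firewall rule restricting the VPN client to its own devices would go.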