The default VPN connection on Fedora routes all traffic to the ppp0 device. Sometimes that is not the best solution. This post shows how to route only 10.0.0.0/8 (class A) network traffic to the VPN and let the rest go through eth0 (via the normal ISP) – in a few clicks and without scripting.
After connecting to the VPN gateway from my home Fedora desktop, I can access intranet PCs and servers. One of my company's policies is to disable Internet access over the VPN connection. That is nothing odd, but it forces me to connect and disconnect the VPN more frequently whenever I need to go outside (for example, to use Google.com).
My company uses the class A private address range for intranet servers, so it is easy to configure routing for the VPN connection. Here are the steps to follow:
Left-click the network connection icon in the upper panel and choose “Configure VPN”.
Network connection (panel icon) -> VPN connections -> Configure VPN
When the Network Connections window appears with the VPN tab selected, click the “Add” button on the right. First you have to choose a VPN connection type and click the “Create…” button:
| VPN type | Description |
|---|---|
| Cisco AnyConnect Compatible VPN | Compatible with Cisco AnyConnect SSL VPN |
| Cisco Compatible VPN | Compatible with various Cisco, Juniper, Netscreen, and SonicWall IPSec-based VPN gateways |
| OpenVPN | Compatible with the OpenVPN server |
| Point-to-Point Tunnelling Protocol | Compatible with Microsoft and other PPTP VPN servers |
After the “Create…” button is clicked, an input dialog with two tabs is displayed: “VPN” and “IPv4 Settings”. Each connection type has different general settings. For example, PPTP asks for the VPN gateway, user name and password, while openconnect also requires you to define certificate authentication. Enter the credentials required by your VPN type and click the “IPv4 Settings” tab.
2. IPv4 Settings
Regardless of the selected connection type, the IPv4 Settings tab is the same for all VPN types. First choose the “addresses only” connection method:
Method -> Automatic (VPN) addresses only
Second, define the DNS servers and search domains.
| Field | Description |
|---|---|
| DNS | IP addresses of domain name servers used to resolve host names. Use commas to separate multiple domain name server addresses. |
| Search domains | Domains used when resolving host names. Use commas to separate multiple domains. |
Intranets with many servers should have an internal DNS server for name resolution. So, in the DNS field, enter the IP of the DNS server behind the VPN gateway, and in “Search domains” the domain used for the intranet. If the internal DNS server does not forward requests to external servers, you will have to enter both the DNS server of your ISP connection and the IP of the DNS server behind the VPN gateway (separated with a comma). “Search domains” can be left blank if not needed.
3. Add routes
On the “IPv4 Settings” tab, click the “Routes…” button to edit the IPv4 routes for the VPN connection. Here is an example of assigning the class A network to the VPN connection: add a route with address 10.0.0.0, netmask 255.0.0.0 (prefix /8) and gateway 0.0.0.0, so the traffic is sent directly out of the VPN device.
Finally, make sure that the following checkboxes are checked:
✔ Ignore automatically obtained routes
✔ Use this connection only for resources on its network
With the VPN connection configured this way, I am able to access servers (and services) behind the VPN gateway and the outside world at the same time. The routing table sends 10.0.0.0/8 traffic to the VPN gateway and everything else to the eth0 device.
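The same settings can also be applied from the command line and then verified against the routing table. The script below is an added example, not part of the original post: it prints the nmcli equivalents of the GUI steps and checks a routing table for the expected split-tunnel shape. The connection name "corp-vpn", the DNS address 10.1.1.53, the search domain corp.example and the sample routing tables are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the VPN profile is
# named "corp-vpn"; 10.1.1.53 / corp.example are a constructed intranet DNS
# server and search domain.
VPN_CONN="corp-vpn"

# Print (rather than execute) the nmcli commands matching the GUI steps:
# "addresses only" = auto method + ignore auto DNS, explicit DNS/search,
# a 10.0.0.0/8 route out of the VPN device, ignore pushed routes, and
# "use this connection only for resources on its network" = never-default.
vpn_split_tunnel_cmds() {
    cat <<EOF
nmcli connection modify "$VPN_CONN" ipv4.method auto
nmcli connection modify "$VPN_CONN" ipv4.ignore-auto-dns yes
nmcli connection modify "$VPN_CONN" ipv4.dns "10.1.1.53"
nmcli connection modify "$VPN_CONN" ipv4.dns-search "corp.example"
nmcli connection modify "$VPN_CONN" ipv4.routes "10.0.0.0/8"
nmcli connection modify "$VPN_CONN" ipv4.ignore-auto-routes yes
nmcli connection modify "$VPN_CONN" ipv4.never-default yes
EOF
}

# Check `ip -4 route` output for the split-tunnel shape: exactly one default
# route, the default NOT via the VPN device, and 10.0.0.0/8 via the VPN device.
# $1 = routing table text, $2 = VPN device name (e.g. ppp0). Returns 0 if OK.
check_split_tunnel() {
    table=$1; dev=$2
    defaults=$(printf '%s\n' "$table" | grep -c '^default ' || true)
    [ "$defaults" -eq 1 ] || return 1
    printf '%s\n' "$table" | grep '^default ' | grep -Eq "dev $dev( |\$)" && return 1
    printf '%s\n' "$table" | grep -Eq "^10\.0\.0\.0/8 dev $dev( |\$)" || return 1
    return 0
}

# Constructed sample tables: the desired result, and a full-tunnel mistake.
GOOD_TABLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 dev ppp0 proto static scope link metric 50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'
BAD_TABLE='default dev ppp0 proto static scope link metric 50
10.0.0.0/8 dev ppp0 proto static scope link metric 50
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

vpn_split_tunnel_cmds
check_split_tunnel "$GOOD_TABLE" ppp0 && echo "split tunnel OK"
check_split_tunnel "$BAD_TABLE" ppp0 || echo "default route goes into the VPN"
```

On a live system, run the check against the real table with `check_split_tunnel "$(ip -4 route)" ppp0` after the VPN comes up.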
6 thoughts on “Fedora VPN client and routing (2)”
Thank you, my friend! Tried all sorts of route combinations without success; yours rocks!
Perfect explanation, thanks.
I needed a solution for routing only 10.0.0.0/8 (class A) to the ppp0 device after VPN activation. Moreover, my VPN connection doesn’t allow outer traffic – it’s primarily used to access intranet services. So, these settings are the perfect solution for such a case. With the VPN connection turned on, I’m able to see all intranet services from my company and have Internet access at the same time.
“If internal DNS server doesn’t forward requests to external servers, then you will have to input DNS server for ISP connection and IP of DNS server behind VPN gateway (separated with comma).”
Does not work for me.
All requests are sent to the first DNS, which returns NXDOMAIN when searching for internal names.
Thanks. Very helpful. But why “0.0.0.0” for the gateway?