This post covers a workaround for a common Linux Virtual Private Network (VPN) issue I see with cloud providers. You have a Linux Virtual Machine (VM) on Azure/GCP/AWS, you install a VPN client, configure it and connect to the VPN server, and all of a sudden you can no longer SSH to the VM.

This happens because the VPN tunnel is now the default route, as it should be, so the VM's replies to your SSH session are sent into the tunnel instead of back out the cloud interface. If your VPN provider offers port forwarding you can enable it for port 22 and you should be fine. If your VPN doesn't have port forwarding, or you do not want to pay the extra cost, then this workaround is for you: it uses a second routing table (policy routing) so that traffic to and from the VM's own subnet and the cloud metadata service keeps using the cloud interface while everything else goes through the VPN.

I am using information from an Ubuntu VM in GCP to write this post.

Prerequisite

Get the network information of the VM

ifconfig

ens4      Link encap:Ethernet  HWaddr 42:01:0a:8a:00:04  
          inet addr:10.138.0.4  Bcast:10.138.0.4  Mask:255.255.255.255
          inet6 addr: fe80::4001:aff:fe8a:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1460  Metric:1
          RX packets:1981508 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1035619 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:56603 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56603 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

Take note of the adapter name (ens4) and IP address (10.138.0.4). GCP assigns the address with a /32 mask (Mask:255.255.255.255 above), so the interface does not tell you the real subnet; you will need to get the subnet directly from the GCP console.

VPN

Once you have the IP/network information the work begins.

Back up the routing table list and add a vpnbypass table to it.
sudo su
cp /etc/iproute2/rt_tables /etc/iproute2/rt_tables_orig
echo "250   vpnbypass" >> /etc/iproute2/rt_tables
exit

Use cat /etc/iproute2/rt_tables to confirm the vpnbypass entry is in rt_tables.

Make sure the entry is in there before you proceed.

Add rules so that subnet traffic is looked up in the vpnbypass table, then populate that table.

Note that I am using the subnet (10.138.0.0/20), gateway (10.138.0.1) and interface name (ens4) from my VM; substitute your own values. The metadata service rule keeps the cloud agent and instance metadata reachable once the tunnel is up.

sudo ip rule add from 10.138.0.0/20 table vpnbypass #Allow communication from Subnet
sudo ip rule add to 10.138.0.0/20 table vpnbypass  #Allow communication to Subnet
sudo ip rule add to 169.254.169.254 table vpnbypass  #Allow communication to Metadata Service
sudo ip route add table vpnbypass to 10.138.0.0/20 dev ens4 #Selecting route for vpnbypass table
sudo ip route add table vpnbypass default via 10.138.0.1 dev ens4 #selecting gateway

Connect to your VPN; the SSH connection should not drop. You can use curl ipinfo.io to confirm your new public IP is the VPN's, and ip route get 10.138.0.1 to confirm that subnet traffic still resolves to ens4 via the vpnbypass table.


OPTIONAL

You can edit the rc.local file to make sure the configuration is re-applied on reboot.

sudo vi /etc/rc.local

Add the following lines to the file (rc.local already runs as root, so sudo is not needed; keep them above the closing exit 0 if your file has one)

ip rule add from 10.138.0.0/20 table vpnbypass #Allow communication from Subnet
ip rule add to 10.138.0.0/20 table vpnbypass  #Allow communication to Subnet
ip rule add to 169.254.169.254 table vpnbypass  #Allow communication to Metadata Service
ip route add table vpnbypass to 10.138.0.0/20 dev ens4 #Selecting route for vpnbypass table
ip route add table vpnbypass default via 10.138.0.1 dev ens4 #selecting gateway
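The manual steps above and the rc.local copy of them are the same five commands, so here is one script that covers both as an added example (this is not the post's own script). It assumes the post's subnet, gateway and interface as defaults (overridable through SUBNET, GATEWAY and IFACE), appends the rt_tables entry only if it is missing so that repeated runs do not duplicate it, tolerates "File exists" errors from ip on reboot, and ends with a verify function you can run after the VPN is up. The IP and RT_TABLES variables exist so the script can be dry-run without root.

```shell
#!/bin/sh
# Idempotent setup of the vpnbypass policy-routing table (added example).
# Defaults are the values from the post; override them for your own VM.
SUBNET="${SUBNET:-10.138.0.0/20}"        # VM subnet from the cloud console
GATEWAY="${GATEWAY:-10.138.0.1}"         # subnet gateway
IFACE="${IFACE:-ens4}"                   # cloud-facing interface
METADATA="169.254.169.254"               # cloud metadata service
TABLE_ID=250
TABLE_NAME="vpnbypass"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"   # path is overridable for testing
IP="${IP:-ip}"                                       # set IP=echo for a dry run

# Append "250 vpnbypass" to the rt_tables file exactly once; refuse if the
# table id is already taken by a different name.
ensure_rt_table() {
    file="$1"
    if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE_NAME}\$" "$file"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]" "$file"; then
        echo "table id ${TABLE_ID} already used by another name in $file" >&2
        return 1
    fi
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$file"
}

# The five ip(8) arguments from the post, generated from the variables above.
bypass_commands() {
    cat <<EOF
rule add from $SUBNET table $TABLE_NAME
rule add to $SUBNET table $TABLE_NAME
rule add to $METADATA table $TABLE_NAME
route add table $TABLE_NAME $SUBNET dev $IFACE
route add table $TABLE_NAME default via $GATEWAY dev $IFACE
EOF
}

# Apply every command; "|| true" keeps a rerun (e.g. from rc.local) from
# aborting on "RTNETLINK answers: File exists" when the rule already exists.
apply_bypass() {
    ensure_rt_table "$RT_TABLES" || return 1
    bypass_commands | while read -r line; do
        # shellcheck disable=SC2086
        $IP $line || true
    done
}

# After the VPN is up, an address in the subnet must still resolve via the
# cloud interface (ip route get honours the policy rules).
verify_bypass() {
    "$IP" route get "$1" 2>/dev/null | grep -q "dev $IFACE"
}

case "${1:-}" in
    apply)  apply_bypass ;;
    verify) verify_bypass "${2:-$GATEWAY}" ;;
esac
```

Run it as root with "apply" once by hand and again from rc.local; "verify" (or "verify 10.138.0.1") after connecting to the VPN should exit 0, and a non-zero exit means subnet traffic has been captured by the tunnel.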
