This post covers a workaround to a common Linux Virtual Private Network (VPN) issue I see with cloud providers. You have a Linux Virtual Machine (VM) on Azure/GCP/AWS, you install a VPN client, configure it and connect to the VPN server, and all of a sudden you can no longer SSH to the VM.
This happens because the VPN tunnel is now the default route, as it should be: the reply packets of your SSH session are sent into the tunnel instead of back out of the cloud NIC, so the session dies. If your VPN provider offers port forwarding you can enable it for port 22 and you should be fine. If your VPN doesn't have port forwarding, or you do not want to pay the extra cost, then this workaround is for you.
I am using information from an Ubuntu VM in GCP to write this post.
Get the network information of the VM (ifconfig here; ip addr show gives the same information on releases where ifconfig is no longer installed):
ifconfig
ens4 Link encap:Ethernet HWaddr 42:01:0a:8a:00:04
inet addr:10.138.0.4 Bcast:10.138.0.4 Mask:255.255.255.255
inet6 addr: fe80::4001:aff:fe8a:4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1460 Metric:1
RX packets:1981508 errors:0 dropped:0 overruns:0 frame:0
TX packets:1035619 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:56603 errors:0 dropped:0 overruns:0 frame:0
TX packets:56603 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Take note of the adapter name (ens4) and the IP address. GCP hands the interface a /32 (Mask:255.255.255.255, broadcast equal to the address), so the subnet cannot be read from ifconfig; get it from the VPC network's subnet page in the GCP console. For this VM it is 10.138.0.0/20 with gateway 10.138.0.1.
Once you have the IP and subnet information, the work begins.
Become root, back up rt_tables and register a new routing table named vpnbypass with ID 250 (any unused ID from 1 to 252 will do; 253, 254 and 255 are taken by default, main and local):
sudo su
cp /etc/iproute2/rt_tables /etc/iproute2/rt_tables_orig
echo "250 vpnbypass" >> /etc/iproute2/rt_tables
exit
Use cat /etc/iproute2/rt_tables to confirm the vpnbypass entry is in rt_tables. Make sure the entry is there before you proceed: the ip rule and ip route commands below refer to the table by name and are rejected if the name is not registered.
Note that I am using the subnet and interface name from above to add the rules and routes to the vpnbypass table. The rule that keeps SSH alive is the from rule: packets sourced from the VM's own address (the replies to your SSH session) match it and leave via ens4 instead of the tunnel. The metadata rule keeps the cloud metadata service reachable, which the guest agent needs to keep managing SSH keys. Connections the VM itself opens are looked up before a source address is chosen, so they do not match the from rule and still take the VPN default route from the main table.
sudo ip rule add from 10.138.0.0/20 table vpnbypass #Allow communication from Subnet
sudo ip rule add to 10.138.0.0/20 table vpnbypass #Allow communication to Subnet
sudo ip rule add to 169.254.169.254 table vpnbypass #Allow communication to Metadata Service
sudo ip route add table vpnbypass to 10.138.0.0/20 dev ens4 #Selecting route for vpnbypass table
sudo ip route add table vpnbypass default via 10.138.0.1 dev ens4 #selecting gateway
Check the result with ip rule show and ip route show table vpnbypass: the three rules should be listed before the main lookup, and the table should hold the subnet route plus the default via 10.138.0.1.
Connect to your VPN; the SSH connection should not drop. You can use curl ipinfo.io to confirm that your new public IP is the VPN's exit address.
You can edit the rc.local file to make sure the configuration is re-applied on reboot. The file must be executable and the lines go before its final exit 0; sudo is not needed there because rc.local runs as root. On Ubuntu releases that ship without /etc/rc.local, create it with #!/bin/sh as the first line and chmod +x it, and rc-local.service will run it at boot.
sudo vi /etc/rc.local
Add the following lines to the file:
ip rule add from 10.138.0.0/20 table vpnbypass #Allow communication from Subnet
ip rule add to 10.138.0.0/20 table vpnbypass #Allow communication to Subnet
ip rule add to 169.254.169.254 table vpnbypass #Allow communication to Metadata Service
ip route add table vpnbypass to 10.138.0.0/20 dev ens4 #Selecting route for vpnbypass table
ip route add table vpnbypass default via 10.138.0.1 dev ens4 #selecting gateway
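The whole procedure above, including the re-apply-on-reboot part, as an added shell script that is not from the original post. It assumes the post's GCP values (subnet 10.138.0.0/20, interface ens4, table 250 vpnbypass, metadata address 169.254.169.254) as overridable defaults, derives the gateway as the first host address of the subnet because that is GCP's convention (set GATEWAY explicitly on Azure or AWS), and is written to be safe to run more than once: the rt_tables entry is appended only if absent, each rule is added only if ip rule show does not already list it, and the routes use replace instead of add. Run it as root with apply (from rc.local or a systemd unit at boot) and with show to verify; IP=echo prints the commands instead of running them.

```shell
#!/bin/sh
# vpnbypass.sh: put the VM's own subnet and the metadata service in a
# policy-routing table so SSH survives a VPN client taking the default route.
# Added example, not the post's script. Defaults are the post's GCP values
# and are assumptions: override SUBNET/IFACE/GATEWAY for your own VM.
set -eu

TABLE_ID="${TABLE_ID:-250}"
TABLE_NAME="${TABLE_NAME:-vpnbypass}"
SUBNET="${SUBNET:-10.138.0.0/20}"      # VPC subnet from the cloud console, not ifconfig
IFACE="${IFACE:-ens4}"                 # primary NIC
GATEWAY="${GATEWAY:-}"                 # empty: use the subnet's first host (GCP convention)
METADATA="${METADATA:-169.254.169.254}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
IP="${IP:-ip}"                         # IP=echo prints the commands instead of running them

# First usable host address of a CIDR, e.g. 10.138.0.0/20 -> 10.138.0.1.
subnet_gateway() {
  addr="${1%/*}"; bits="${1#*/}"
  oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  net=$(( n & (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  gw=$(( net + 1 ))
  printf '%d.%d.%d.%d\n' $(( (gw >> 24) & 255 )) $(( (gw >> 16) & 255 )) \
                          $(( (gw >> 8) & 255 )) $(( gw & 255 ))
}

# Register the table name once; refuse to reuse an ID or a name already taken.
ensure_rt_table() {
  if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE_NAME}[[:space:]]*$" "$RT_TABLES"; then
    return 0
  fi
  if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]" "$RT_TABLES" \
     || grep -Eq "[[:space:]]${TABLE_NAME}[[:space:]]*$" "$RT_TABLES"; then
    echo "rt_tables: id $TABLE_ID or name $TABLE_NAME already belongs to another table" >&2
    return 1
  fi
  printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# ip rule add creates a duplicate on every run, so add a rule only if missing.
add_rule() {
  if ! "$IP" rule show 2>/dev/null | grep -Fq -- "$* lookup $TABLE_NAME"; then
    "$IP" rule add "$@" table "$TABLE_NAME"
  fi
}

apply_bypass() {
  gw="${GATEWAY:-$(subnet_gateway "$SUBNET")}"
  ensure_rt_table
  add_rule from "$SUBNET"     # replies from the VM's own address leave via the NIC, not the tunnel
  add_rule to "$SUBNET"       # traffic to other hosts in the VPC stays local
  add_rule to "$METADATA"     # guest agent / SSH key provisioning keeps reaching metadata
  # replace is idempotent where add fails with "File exists" on a re-run
  "$IP" route replace table "$TABLE_NAME" to "$SUBNET" dev "$IFACE"
  "$IP" route replace table "$TABLE_NAME" default via "$gw" dev "$IFACE"
}

show_bypass() {
  "$IP" rule show
  "$IP" route show table "$TABLE_NAME"
}

case "${1:-}" in
  apply) apply_bypass ;;
  show)  show_bypass ;;
  '')    ;;                               # no subcommand: only define the functions
  *)     echo "usage: $0 apply|show" >&2; exit 2 ;;
esac
```

Because the apply step only adds what is missing, the same script can sit in rc.local and also be re-run by hand after the VPN client has been reconfigured, without leaving stacked duplicate rules behind.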
Azure Series
http://hazelnest.com/blog/blog/tag/azure
GCP Series
http://hazelnest.com/blog/blog/tag/gcp