Sorry for the late reply, adding ":framed-ip-netmask=255.255.255.0:" doesn't
solve the problem. Tested on Win10.
On Mon, 22 Feb 2021 14:55:52 +0900 (JST)
YASUOKA Masahiko <yasu...@openbsd.org> wrote:
> Hi,
>
> On Sun, 21 Feb 2021 19:18:48 +0100
> Radek <r...@int.pl> wrote:
> >> The interface which terminate the tunnel has "192.168.4.254".
> >> Right?
> > Do you mean the other end of the tunnel? It is 10.109.4.254
> > interface pppx0 address 10.109.4.254 ipcp IPCP
>
> Sorry, "192.168.4.244" should have been "10.109.4.254".
>
> >> How about if you configure the npppd-users
> >>
> >> rdk:
> >> :password=passsssword:\
> >> :framed-ip-address=10.109.4.254:\
> >> :framed-ip-netmask=255.255.255.0:
> >>
> >> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> >> session authenticated by the above "rdk".
> > I have tried to configure npppd-users with netmask /24, but it doesnt make
> > any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel
> > to 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24
> > through the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through
> > default gw or sometimes some traffic to 10.0.0.0/8 through another tunnel
> > at the same time. Now if the PPP tunnel is established the VPN catches all
> > the 10.0.0.0/8 traffic.
> >
> > The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw.
> >
> > Example:
> > I have a public, static IP. There is configured route to 10.55.0.0/24 at
> > the ISP's side and I dont need any VPN tunnel to access 10.55......
> > Somewhere over the rainbow is a router with LAN 10.109.3.0/24 and npppd.
> > If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I
> > can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel.
>
> The route to the natural netmask of the tunnel address, 10.0.0.0/8 in
> this case, is configured by Windows automatically. I don't know a way
> to stop or override this. But by using another addresses for the
> tunnel, you can avoid the problem. Also we can use dhcpd(8) to push
> routes configuration.
>
> For example,
>
> 1. Use 192.168.255.0/24 for the tunnel to avoid the conflict on
> 10.0.0.0/8.
>
> ipcp IPCP {
> pool-address 192.168.255.1-192.168.255.32
> :
> interface pppx0 address 192.168.255.254 ipcp IPCP
> ---
> rdk:
> :password=passsssword:\
> :framed-ip-address=192.168.255.32:
>
> 2. Configure dhcpd
>
> /etc/dhcpd-l2tp.conf
> ----
> subnet 192.168.255.0 netmask 255.255.255.0 {
> option classless-ms-static-routes 10.109.3.0/24 192.168.255.254;
> option classless-static-routes 10.109.3.0/24 192.168.255.254;
> }
> ---
>
> $ doas /usr/sbin/dhcpd -u255.255.255.255 -c /etc/dhcpd-l2tp.conf
>
> > On Sun, 21 Feb 2021 23:18:19 +0900 (JST)
> > YASUOKA Masahiko <yasu...@openbsd.org> wrote:
> >
> >> Hello,
> >>
> >> On Sat, 20 Feb 2021 21:14:24 +0100
> >> Radek <r...@int.pl> wrote:
> >> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw
> >> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> >> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8
> >> > goes via 10.109.4.254
> >> >
> >> > client> route print
> >> > Network Destination Netmask Gateway Interface Metric
> >> > 0.0.0.0 0.0.0.0 192.168.1.1
> >> > 192.168.1.101 20
> >> > 10.0.0.0 255.0.0.0 10.109.4.254
> >> > 10.109.4.1 21
> >> > 10.109.4.1 255.255.255.255 On-link
> >> > 10.109.4.1 276
> >> > [...]
> >>
> >> The interface which terminate the tunnel has "192.168.4.254".
> >> Right?
> >>
> >> > $ cat /etc/npppd/npppd-users
> >> > rdk:\
> >> > :password=passsssword:\
> >> > :framed-ip-address=10.109.4.1:
> >> > #:framed-ip-netmask=255.255.255.0:
> >>
> >> How about if you configure the npppd-users
> >>
> >> rdk:
> >> :password=passsssword:\
> >> :framed-ip-address=10.109.4.254:\
> >> :framed-ip-netmask=255.255.255.0:
> >>
> >> ?
> >>
> >> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> >> session authenticated by the above "rdk".
> >>
> >>
> >> On Sat, 20 Feb 2021 21:14:24 +0100
> >> Radek <r...@int.pl> wrote:
> >> > Hi,
> >> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw
> >> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> >> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8
> >> > goes via 10.109.4.254
> >> >
> >> > client> route print
> >> > Network Destination Netmask Gateway Interface Metric
> >> > 0.0.0.0 0.0.0.0 192.168.1.1
> >> > 192.168.1.101 20
> >> > 10.0.0.0 255.0.0.0 10.109.4.254
> >> > 10.109.4.1 21
> >> > 10.109.4.1 255.255.255.255 On-link
> >> > 10.109.4.1 276
> >> > [...]
> >> >
> >> > I need to redirect the traffic to 10.109.4.254 only if it goes to the
> >> > remote LAN (10.109.3.0/24), the rest should go via def gw.
> >> > How can I configure it on the router/server side ?
> >> >
> >> > $ cat /etc/npppd/npppd.conf
> >> > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
> >> > # sample npppd configuration file. see npppd.conf(5)
> >> >
> >> > set max-session 200
> >> > set user-max-session 4
> >> >
> >> > authentication LOCAL type local {
> >> > users-file "/etc/npppd/npppd-users"
> >> > }
> >> > tunnel L2TP protocol l2tp {
> >> > listen on X.X.X.X
> >> > }
> >> >
> >> > ipcp IPCP {
> >> > pool-address 10.109.4.1-10.109.4.32
> >> > dns-servers 1.1.1.1
> >> > }
> >> >
> >> > # use pppx(4) interface. use an interface per a ppp session.
> >> > interface pppx0 address 10.109.4.254 ipcp IPCP
> >> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> >> >
> >> > $ cat /etc/npppd/npppd-users
> >> > rdk:\
> >> > :password=passsssword:\
> >> > :framed-ip-address=10.109.4.1:
> >> > #:framed-ip-netmask=255.255.255.0:
> >> >
> >> > $ dmesg | head
> >> > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
> >> >
> >> > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >> >
> >> > --
> >> > Radek
> >> >
> >>
> > --
> > Radek
> >
--
Radek
