TorGuard

LAN Connectivity Fails on VPN Connect

Question

kittonian

I have a multi-segmented network (10.0.0.x, 10.0.1.x, 10.0.2.x) using all /24 (255.255.255.0) subnets. On the LAN is a router with static routes allowing all devices on the LAN to talk to one another. When I connect to the VPN, I can only talk to my own segment (10.0.1.x) because the client is modifying the routing tables in order to send traffic through the VPN.

I reached out to support and their solution was to add a static route for the segment(s) I needed to talk to when connected. I did so via route -n add -net 10.0.0.0/24 10.0.0.252 (where the latter IP is the LAN gateway), and it worked for a few minutes until I lost all LAN/WAN connectivity. Even after disconnecting from the VPN I still could not access anything, LAN or WAN, until I ran netstat -r and let it hang for long enough that for whatever reason, it rebuilt the routing tables properly and I regained connectivity.

It seems that the Torguard client is modifying the routing tables and then periodically checking on them to ensure VPN connectivity stays in place. This is why adding a static route will most likely never work, and why I lost all network connectivity when I modified the routing table while connected.

There are certain services running on my desktop that clients from the 10.0.0.x segment need to access, no matter if I'm connected to the VPN or not. This is what I'm trying to solve and I would love a working solution to this issue. Thanks!


17 answers to this question

19807409

I assume you did it all with TorGuard's client, which involves a few more features; if not, ignore my post. Whichever protocol you use, try the original client (not the TorGuard client) to see which config would work; it would be easier to configure, and you could specify static routes properly.

kittonian

Thank you for responding, but I don't understand your post. Of course I am using the TG client software (latest version of Mac OS X). What do you mean original client? I've only ever used the TG client software to connect to the TG VPN.

19807409

You are welcome, sorry if I confused you. I mean if you use the OpenVPN protocol, try the OpenVPN client; if the OpenConnect protocol, then the OpenConnect/AnyConnect client; if the WireGuard protocol, then the WireGuard client.

kittonian

I honestly didn't realize that I could use a different client with a TG account. I thought I needed to use their software client.

Support
2 minutes ago, kittonian said:

I honestly didn't realize that I could use a different client with a TG account. I thought I needed to use their software client.

 

You can try using OpenConnect via the TG client tunnel type menu - we have a new build coming tomorrow that includes WireGuard; you can try both methods and see if those work in your environment.

 

Regards

19807409
2 hours ago, Support said:

You can try using OpenConnect via the TG client tunnel type menu - we have a new build coming tomorrow that includes WireGuard; you can try both methods and see if those work in your environment.

 

This is good if you enable more features. I still think it is very important that there is no requirement for a 3rd-party client (which the TorGuard client is). All protocols are available on all architectures, and there are plenty for which TorGuard does not offer a client, like ARM/ARM64. However, WireGuard, OpenVPN etc. are available for all those platforms, which are in the first line a requirement for the TorGuard client too, as the TorGuard client is simply a GUI.

 

2 hours ago, kittonian said:

I honestly didn't realize that I could use a different client with a TG account. I thought I needed to use their software client.

The TorGuard client does still use OpenVPN and other software which is actually developed and maintained by the original teams. If they made changes to the source code then you would probably be restricted, but at the same time less secure, as it is not open source and nobody could independently check and verify it; in fact, if TorGuard modified the sources in such a way, sooner or later they would not work anymore with the original sources. TorGuard does not develop those protocols, just a GUI for them, allowing you to easily use some other features which would or might require some fancy setup.

However, the more features, the higher the possibility that something goes wrong somewhere. I do think that the TG client is very good, and I do use it on desktop systems which I work on directly, but most of my devices need stability and the ability to configure them the way I want. The TG client does not allow you to do a lot of things, simply because if they allowed it all, the TG client would be as complicated as using and writing those fancy configs; they simply can't think of every possible scenario which can happen, and your issue with routing can be resolved in several different ways, but there is not much you can do for now to prevent the TG client from rewriting those rules, which by default ensure that some Joe user gets connected after reconnecting even if they messed up their routes. By that, it clearly is more important to offer a user-friendly client, as everything sophisticated can be set up without the TG client by any user who actually knows what he does, and it will use fewer resources, be slightly faster, the software slightly more up to date, and the only restriction of configuration is your own imagination.

kittonian

Thank you for the detailed response.

The bottom line is that I need to use a client (whether it's TG or something else) that will allow my machine on 10.0.1.1 to talk to the 10.0.0.x LAN segment while I am connected. That is the only thing I need to do. Everything else works just fine right now, including talking to my own LAN segment of 10.0.1.x. I just need to be able to have my desktop talk to all the local LAN segments.

19807409

I had several such setups and requests; most of them were resolved by doing the networking part on another device (a router, for example), where you can configure your setup easily in several different ways. I would suggest you use OpenWrt (or any capable wrt) on your router, then create a separate VLAN and assign one port to that VLAN; after that, create your VPN interface and add it to your WAN firewall policy. That's it: the whole subnet would be in the VPN and you would reach any interface within it if you wish. Additionally, you may want to have more than 1 VPN connection; you can easily assign more ports and create more VLANs, then install mwan (multi WAN) and configure there what should go to which WAN interface. That way you would spare yourself the requirement to install anything on any device in your network.

Your setup is kind of a customization, but the issue you have affects many. An alternative easy solution would be to be in the same segment, but that is not an option for many setups (especially in a company which can't simply change their topology).

kittonian

Here's our network config:

Servers and hardware devices = 10.0.0.x/24

Desktops & Mobile devices = 10.0.1.x/24

Private Wireguard VPN = 10.0.2.x/24

All network clients (servers, desktops, etc.) all connect to the same switch (no VLANs).

We have a Linux server at 10.0.0.4/24 that serves as a forwarding DNS server, DHCP server, etc., and all network clients have their DNS set to this machine. For any external DNS requests, it forwards to 8.8.8.8.

We have a Ubiquiti EdgeRouter 4 at 10.0.0.252/24 that serves as the gateway for all network clients.

On the router we have a static route configured to allow all local LAN segments to talk to one another.

Everything works perfectly.

 

We are not using the VPN for the entire network. Only one desktop uses the TG VPN service for about an hour or two per day. That machine's IP is 10.0.1.1/24.

When connected to the VPN, 10.0.1.1/24 can no longer talk to 10.0.0.x/24 (i.e. I cannot ping 10.0.0.242 for example).

When disconnected from the VPN, I can ping everywhere just fine.

 

If I connect to the VPN and manually add a static route via: route -n add -net 10.0.0.0/24 10.0.0.252 my desktop can ping 10.0.0.x/24 network clients.

However, after a few minutes, the routing table gets mangled and I lose both LAN and WAN connectivity until a reboot.

 

Torguard Support is claiming that they do not modify the routing tables, nor do they monitor or update the routing tables. I find this highly unlikely as the only time the routing tables on this machine change is when their software is engaged.

 

What I need to do is find a VPN client (perhaps the Wireguard client since it's more secure and faster than OpenVPN) that will allow me to still talk to all local LAN segments when connected to the VPN.

19807409

For OpenVPN you can define routes by yourself directly in the config. WireGuard is also easy, especially if you simply set it up as a gateway and define your desktop's IP as the only allowed IP in it, so that if other devices used that gateway by mistake, they would not be routed. Actually any protocol can do what you need; it is the client which gives you trouble by not having the feature to configure it the way you need, and I would fully agree with you: using another client would give you more configuration possibilities (also failure possibilities, like leaking DNS), but that is what I actually already suggested at first.

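As an added example (not from the thread, TorGuard, or either VPN project), this Python snippet writes out the two pieces of client configuration the post above describes, using the three LAN /24 segments from the thread: the OpenVPN `route ... net_gateway` directives that keep each LAN segment on the pre-VPN gateway, and the WireGuard AllowedIPs list, which has no exclude syntax and therefore has to enumerate 0.0.0.0/0 minus the LAN segments. Function names are my own; `net_gateway` is OpenVPN's real keyword for the pre-existing default gateway.

```python
import ipaddress

# Constructed from the thread: the three LAN /24 segments (servers,
# desktops, private WireGuard) that must stay reachable while on the VPN.
LAN_SEGMENTS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]


def openvpn_route_lines(lan_cidrs):
    """OpenVPN client-config directives that pin each LAN segment to the
    pre-VPN default gateway; 'net_gateway' is OpenVPN's keyword for that
    gateway, so these /24 routes win by longest match over the
    0.0.0.0/1 + 128.0.0.0/1 pair that redirect-gateway def1 installs."""
    lines = []
    for cidr in lan_cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f"route {net.network_address} {net.netmask} net_gateway")
    return lines


def wireguard_allowed_ips(lan_cidrs, everything="0.0.0.0/0"):
    """WireGuard has no 'exclude' keyword: AllowedIPs is a positive list, so
    'everything except the LAN' has to be spelled out as the set of prefixes
    covering 0.0.0.0/0 minus the LAN segments. LAN traffic then falls back
    to the ordinary routing table (i.e. the LAN gateway)."""
    allowed = [ipaddress.ip_network(everything)]
    for cidr in lan_cidrs:
        lan = ipaddress.ip_network(cidr)
        updated = []
        for net in allowed:
            if net.subnet_of(lan):
                continue                    # entirely inside the LAN: drop
            if lan.subnet_of(net):
                updated.extend(net.address_exclude(lan))  # carve LAN out
            else:
                updated.append(net)         # disjoint: keep as-is
        allowed = updated
    return [str(n) for n in ipaddress.collapse_addresses(allowed)]


def is_tunneled(addr, allowed_ips):
    """True if addr would be routed into the tunnel under this AllowedIPs list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in allowed_ips)


if __name__ == "__main__":
    print("\n".join(openvpn_route_lines(LAN_SEGMENTS)))
    allowed = wireguard_allowed_ips(LAN_SEGMENTS)
    print("AllowedIPs = " + ", ".join(allowed))
    print("10.0.0.242 tunneled?", is_tunneled("10.0.0.242", allowed))  # False
```

Paste the `route` lines into the OpenVPN client profile, or the AllowedIPs string into the `[Peer]` section of the WireGuard config; `is_tunneled` lets you check a given host (for example 10.0.0.242 from the thread) before reconnecting.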
snodrog742
On 8/8/2020 at 12:47 PM, kittonian said:

What I need to do is find a VPN client (perhaps the Wireguard client since it's more secure and faster than OpenVPN) that will allow me to still talk to all local LAN segments when connected to the VPN.

Having same exact issue.

19807409

Why not use ssh -D to create a dynamic tunnel, then use 127.0.0.1 as your SOCKS proxy, which is reachable, add FoxyProxy in Firefox and surf whenever you need all your segments? This is called a poor man's VPN and is the easiest and fastest solution, considering you run it as a service.
Again, this is just one of many easy ways to resolve your issue.

 

kittonian

Because it's not just for browsing the web, and users should not have to create sudo "poorman's VPN" solutions. Support is looking into this issue with their software devs and I'm waiting to hear back. It apparently has to do with split tunneling support in the TG client and how it transforms the routing tables to keep everything secure. There's a lot more to it than that, and as soon as I have a working resolution, I'll let you know.

19807409
6 minutes ago, kittonian said:

Because it's not just for browsing the web

SOCKS5 is not about browsing "just" web.

7 minutes ago, kittonian said:

and users should not have to create sudo "poorman's VPN"

Seems they do need it, mainly when you install the TG client for the first time on a Linux system with sudo installed. Or do you mean that creating an autossh service file is such a big step? Well, normally it takes me under 1 minute, and the poor man's VPN is so popular exactly because of its ease of use, especially in company networks: you won't be able to use 3rd-party VPN clients, you won't be able to use your own non-allowed servers, but in most companies you will have the ability to create a local tunnel to encrypt your data.

I take it that you dislike the fact that there is a solution for you, and not one but many, including some very sophisticated ones, but guess what, I am using it on a daily basis not connected to the TorGuard VPN, and in general Linux users are used to that and don't need guides for it either, unlike Windolls and Mac users requiring a guide for "how to use sudo"; sure, yeah, it is more complicated than Windoll's bluescreen or Apple's restricting its own users like they are retards, well, everybody chooses what they like more :) I guess. If you do not like any workaround and suggestions, then your only way to get what you want is to wait for TorGuard; complaining does not help much here, so I will simply spare trying to help here, as the only solution which would satisfy you seems to be a fully working product by TorGuard, and currently there is no solution in that regard, I would assume; devs are busy with WireGuard and the backend system.

kittonian

Please don't take offense. I appreciate your suggestions. You mentioned Firefox and proxying with the browser, so that's why I mentioned that this is more than browsing.

I have built many Linux servers over the course of my career and am very familiar with command line computing. In fact, I never liked installing X and instead chose to do all of my server admin on Linux via the command line.

That being said, my point was that this is core functionality of a VPN client and workarounds to maybe make certain things work when you need them are not always the greatest solutions.

The other thing to remember is that I am not always connected to the VPN. In fact, I'm rarely connected to it. Maybe only a few hours a day or less. Having to set up a workaround and then take it down each time I need to connect and disconnect is not something I have any interest in doing. Also, I'm on a Mac, not Linux, and my Mac desktop is the only machine that connects to the TG VPN on the LAN.

Seeing as how I created a static route on the router in order to allow the different segments to talk to each other, I thought about how that might be accomplished when the VPN is connected. However, after trying that out by creating static routes like 10.13.0.0/16, 10.13.150.0/24, 10.13.150.121/32, etc. none of them worked. The 10.13.x.x addresses are the local IPs the TG client gives out when connected to the VPN, and no matter what static route I configured, I wasn't able to talk to the 10.0.0.x LAN segment.

19807409

Don't worry, I did not take it as an offense; maybe my expression is not perfect due to English not being my first language. I am sorry if it came across that way; I actually tried to generalize it, did not mean you by that, but in general.

The most simple solution for you would be if there were an input field in the TG client where you can actually add subnets/networks which should not be tunneled; there you could then set it all. Back then, it was not possible to do it in the TG client due to reasons you already mentioned several times. There were several requests for this in past years. I don't mind TG implementing it at all, and it would for sure be useful.

My suggestion with a router or SSH or any other was intended simply to give you ideas (even if they are not new to you) to overcome your issues and be able to use it the way you want until TorGuard knows if they will add this feature or not; in both cases you would be ready. SSH is indeed useful to know, especially as it really does help people in restricted environments (like company notebooks without admin privilege), where even on restricted Windows systems one can easily run PuTTY and create a dynamic tunnel; no admin privilege (or sudo on Linux) is required for that, bearing in mind that you can use even 1024-bit keys for encryption if you need speed over security. You can also then connect over that tunnel to any VPN connection which the company would have restricted for you. I also did not see many companies who actually restricted that, only high-security places (banks, for example; in all that I had the ability to work in, it was not possible; governments are another example, where I actually never experienced this restriction).

One solution I did not mention is to have WireGuard installed on all those subnets; connecting them all would give you access to all of them, but it is tricky, much more than the router or SSH solution. Then you can do it with other protocols too: take OpenVPN and add your routes, that's it; you then don't need a dependency on the TG client, which has all those protocols as its own dependency.
