VPN and Local Routes

Recently I was working on a script and needed to access my local vCenter. I happened to be on a different network that needed to route to another network. This had been working fine but at some point a new VPN configuration got pushed to my machine. Normally I would just switch laptops but I only had one on me.

What happened? I tried to access vCenter via PowerCLI but got a timed out error. DNS was working and returning the correct address but I was unable to ping the address. A traceroute showed nothing but timeouts. Not even the default gateway as the first hop. So what is going on? I ran a route print and the output was crazy. Pages and pages of routes. Most VPNs will push routes to clients to get them to send traffic down the tunnel. Looked like that was going on. I needed to access the network via so I added a route to the network I was looking for:

route add

Now it was working. I could access the network. This is great if I didn’t plan on needing this again. I didn’t want to add a persistent route as it may not be valid at another location or network. DHCP option 121 to the rescue. For those of you who like to read RFCs: https://datatracker.ietf.org/doc/html/rfc3442. I read it. For those of you who don’t like reading RFCs, the gist of it is to encode the CIDR, network, and gateway into hex and give it out via a string option. For my instance the CIDR is a /24 which translates to 0x18 in hex. The network is -> 0xc0:a8:0a. Notice the lack of :00 at the end. This is because of the mask. You only specify the significant bits. The gateway translates to 0xc0:a8:00:01. Combined the string is 18:c0:a8:0a:c0:a8:00:01. I set this as the string value to option 121. After that I deleted my manually added route. Verified that I was unable to access the network again. Once done I renewed my IP with Wireshark running to verify the new option was pushed. It was, and I was once again able to access the network with vCenter. 15 minutes of the day wasted before I could make my customer happy.
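
The option 121 encoding described above, as an added Python example that is not code from the original post: it builds the hex string from a route list and parses it back, including prefixes that do not end on an octet boundary. The function names are assumptions, and the decoded network and gateway come only from the hex string quoted in the post.

```python
import ipaddress

def encode_routes(routes):
    """Encode [(cidr, gateway), ...] as RFC 3442 option 121 bytes."""
    out = bytearray()
    for cidr, gateway in routes:
        net = ipaddress.IPv4Network(cidr)          # rejects host bits set
        significant = (net.prefixlen + 7) // 8     # octets the mask touches
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)

def decode_routes(data):
    """Parse option 121 bytes into [(cidr, gateway), ...]."""
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        if prefixlen > 32:
            raise ValueError(f"prefix length {prefixlen} at offset {i}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(data):
            raise ValueError(f"truncated route at offset {i}")
        # Pad the omitted trailing octets back to a full IPv4 address.
        dest = ipaddress.IPv4Address(data[i + 1:i + 1 + significant] + bytes(4 - significant))
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}", strict=False)
        gateway = ipaddress.IPv4Address(data[end - 4:end])
        routes.append((str(net), str(gateway)))
        i = end
    return routes

def to_hex(data):
    """Format bytes as the colon-separated string used for the option value."""
    return ":".join(f"{b:02x}" for b in data)

def from_hex(text):
    """Parse a colon-separated hex string back into bytes."""
    return bytes.fromhex(text.replace(":", ""))

if __name__ == "__main__":
    page_value = "18:c0:a8:0a:c0:a8:00:01"         # the string from the post
    print(decode_routes(from_hex(page_value)))
    # Constructed sample: the same route plus a default route
    # (prefix 0, so no destination octets are written at all).
    sample = [("192.168.10.0/24", "192.168.0.1"), ("0.0.0.0/0", "192.168.0.1")]
    print(to_hex(encode_routes(sample)))
```

RFC 3442 tells clients to ignore the Router option (option 3) when option 121 is present, so a scope that relies on option 3 for the default gateway needs a 0.0.0.0/0 entry in the same string.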
