Creating A Split Tunnel VPN Connection in Linux
To give an example and to put this in context for Impact Radius, this technique will allow you to access internal Estalea / Impact Radius services
(JIRA, Confluence, Stash, Bamboo, etc.) over the VPN, while your normal Internet traffic flows through the home / office connection
as usual, without going through the VPN.
This is especially useful for employees not working in the U.S., because that is where the VPN server is based; without this technique
all of your traffic would need to transit to the U.S. and back to your country of origin, vastly slowing down your experience.
Note: This guide is written from Linux Mint 17, however it should work for Ubuntu and most other popular Linux distros that use the same Network
management interface.
Disclaimer: This guide is correct and accurate at time of writing, things such as IP addresses and domain names may change over time, hence
this guide may eventually become out of date if not kept up-to-date.
Outcome
After following this guide you should have a working split tunnel VPN connection to the Impact Radius VPN server. This will allow you to access
internal VPN-only services, without the disadvantages (mainly speed) associated with tunneling all of your internet traffic through the VPN.
It also assumes that you are connecting to the Impact Radius VPN concentrator at connect.impactradius.com.
Instructions
1. Open Network Settings
Either click on the Network Manager tray applet and select Network Settings, or click on Menu, type the word network, then press Enter or
select the Network menu item that comes up.
When you have opened this view you will see something similar to the following image.
2. Add a new PPTP VPN connection
Next click on the + button on the lower left of the window; this will start the process of adding a new connection.
At the first prompt you will be asked to select an interface. This should be set to VPN by default; make sure it is, set it if not, and then click Create.
At the next prompt you will be asked for the VPN type. It should be set to Point-to-Point Tunneling Protocol (PPTP) by default; ensure that it is, set it if not, and then click Create.
3. Configure the VPN Basics
A new window should now have appeared allowing you to configure your new VPN connection.
Your VPN configuration window should now look something like this:
Now you will need to configure the advanced options of the connection by clicking on the Advanced button to the lower right of the window.
Once the PPTP Advanced Options window has opened, do the following:
1. Deselect the PAP, CHAP and EAP options listed under Authentication. You should only have MSCHAP and MSCHAPv2 selected.
2. Select the Use Point-to-point encryption (MPPE) option.
3. Select 128-bit (most secure) for Security.
4. Select Allow stateful encryption.
5. Finally click OK.
Add the following DNS servers to the connection:
1. 10.2.3.29
2. 10.2.3.106
These are the primary domain name servers (DNS) for Estalea.
Add the following search domains:
1. estalea.net
2. impactradius.net
3. impactradius.com
Click on the Routes button to bring up the window that will allow you to configure custom routes for this VPN connection.
Click on the Add button and enter the first of the routes shown below, then repeat until you have added all of them.
You should end up with the following once you are complete.
Note: If there are other internal services that you need to access through the VPN you can add routes for them here as well. Just find the IP
address of the service, and add it as above.
8. Finishing up
Click the OK button on the Routes window, then click Save on the main VPN configuration window, as below.
Your new VPN connection is now set up, and your Networking window should now have an entry for your new VPN connection, IR Partial
VPN in this case.
Connect to the VPN by either:
1. Clicking on the Network Manager system tray applet, and then clicking on IR Partial under VPN Connections, or
2. Clicking on the on/off switch button for the IR Partial connection in the Networking window.
Once the VPN connection has been established successfully you will see a new, solid, connection icon containing a small lock displayed for your
Network Manager tray applet.
Also, verify that your normal internet traffic works properly and that it isn't routed over the VPN. You can do this with tools such as traceroute
and mtr, or you can use the online service at IP Chicken.
The result should be the public IP address of your home / office internet connection, and not the IP address of the VPN concentrator in the US.
If you see the following, it means that you have not configured your VPN connection correctly. Please follow this guide again carefully, or contact
someone on the TechOps team for assistance.
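The routing and DNS checks above, as an added script that is not part of the original guide: it audits a routing table for the split-tunnel shape this guide configures (10/8 over the VPN, default route left on the LAN) and a resolv.conf for the internal resolver and search domain. It assumes Linux with iproute2, that the PPTP interface is pppd's default ppp0, and that resolver state lives in /etc/resolv.conf; the sample tables are constructed.

```shell
#!/bin/sh
# Added example, not code from the original guide. Audits the split-tunnel shape
# this guide configures: internal 10/8 over the VPN, default route on the LAN.
# Assumes Linux/iproute2, PPTP interface ppp0, resolver state in /etc/resolv.conf.
VPN_IF="${VPN_IF:-ppp0}"
INTERNAL_DNS="10.2.3.29"   # primary Estalea resolver from the guide
# check_routes TABLE IFACE: 0 when no default route uses IFACE and at least one
# 10/8 route does. TABLE is the text of `ip route show`.
check_routes() {
  table="$1"; vpn_if="$2"
  if printf '%s\n' "$table" | grep -Eq "^default .*dev $vpn_if( |\$)"; then
    echo "FAIL: default route via $vpn_if, all traffic transits the VPN (NetworkManager: ipv4.never-default is not set)"
    return 1
  fi
  if ! printf '%s\n' "$table" | grep -Eq "^10\.[0-9./]+ .*dev $vpn_if( |\$)"; then
    echo "FAIL: no 10/8 route over $vpn_if, internal services are unreachable"
    return 1
  fi
  echo "OK: default route on LAN, 10/8 over $vpn_if"
}
# check_dns CONF: 0 when the internal resolver is a nameserver and the
# internal-only domain estalea.net is in the search list.
check_dns() {
  conf="$1"
  printf '%s\n' "$conf" | grep -Eq "^nameserver[[:space:]]+$INTERNAL_DNS\$" \
    || { echo "FAIL: $INTERNAL_DNS is not a nameserver"; return 1; }
  printf '%s\n' "$conf" | grep -Eq "^search( [^ ]+)* estalea\.net( |\$)" \
    || { echo "FAIL: estalea.net is not a search domain"; return 1; }
  echo "OK: internal resolver and search domain present"
}
# Constructed sample data (not captured from a real host) for offline runs.
GOOD_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev ppp0 proto static scope link metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42'
FULL_TUNNEL_ROUTES='default dev ppp0 proto static scope link metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 dev ppp0 proto static scope link metric 50'
GOOD_RESOLV='search estalea.net impactradius.net impactradius.com
nameserver 10.2.3.29
nameserver 10.2.3.106'
main() {
  if [ "$1" = "live" ]; then   # audit this host instead of the samples
    check_routes "$(ip route show)" "$VPN_IF" && check_dns "$(cat /etc/resolv.conf)"
  else
    check_routes "$GOOD_ROUTES" "$VPN_IF"
    check_routes "$FULL_TUNNEL_ROUTES" "$VPN_IF" || true   # expected to FAIL
    check_dns "$GOOD_RESOLV"
  fi
}
main "$@"
```

Run it with the argument live on the laptop after the VPN is up; with no argument it only exercises the constructed samples.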
OSX
The same kind of thing can be achieved on a Mac by using a couple of tricks. The first is the actual routing of VPN traffic. When you uncheck the
box for "send all traffic through VPN tunnel" you'll be left with whatever DNS resolution you used to have and only a specific route for the VPN.
Routing
OSX will run a script when the VPN tunnel is set up: /etc/ppp/ip-up. There's a corresponding hook, /etc/ppp/ip-down, for tear-down if you need it.
We'll use this script to set up routes for all traffic that needs to traverse the firewall. Become root and use your favorite editor to create the file
(and make it executable with chmod 755 /etc/ppp/ip-up):
/etc/ppp/ip-up
#!/bin/sh
# pppd calls this hook as: ip-up INTERFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# The original route lines of this script did not survive on this page; the single
# 10/8 route below is an assumption, based on the 10/8 addresses discussed under DNS.
/sbin/route add -net 10.0.0.0/8 -interface "$1"
DNS
As long as you are in the office the name resolution should work just fine. The DNS resolvers will know about
addresses like "splunk.estalea.net". However when you are at home or at a hotel the DNS resolvers will be blissfully
unaware. We can manually set DNS properties on the VPN tunnel in the "DNS" tab on the same screen where we
choose if all traffic goes through the tunnel. Make it look like this:
The overall DNS setup publishes everything under impactradius.com internet-wide, so we need not deal with those. However estalea.net and
impactradius.net are published only internally, so those are the ones we need to deal with specially for our VPN setup. The name servers are the
same as you will typically use in the office. Tellingly they have 10/8 addresses, which means we need the VPN routing to be able to talk to them.
Note that the resolvers are in effect here whether we have the VPN tunnel active or not, so there may be cases where this could cause weird
errors. In practice I haven't had any issue though.
Again, hardcoding name server addresses like this sets us up for failure the next time tech-ops decide to change the IP addresses of the
resolvers, but in the last 8 years that hasn't happened. If it happens I'm sure we will hear about it.
Troubleshooting
Over the years I have had various settings, of which the following is still active on my laptop. If you run into problems
with the split VPN setup you may want to try the following:
1: To see what OSX thinks about name resolution right now run scutil --dns. It may not all make sense, but the
output of that command is very useful to whoever will try to help you troubleshoot.
2: It may be that your VPN needs to be preferred over wifi. See https://support.apple.com/kb/PH14006.
3: OSX will consult files in /etc/resolver to augment the standard name resolution mechanism. Each file will
look like a typical resolv.conf with IP addresses for applicable DNS servers. The name of each file is the domain for
which those settings apply. In short:
/etc/resolver/estalea.net
nameserver 10.2.3.22
nameserver 10.2.3.29
nameserver 10.8.4.9
/etc/resolver/impactradius.net
nameserver 10.2.3.22
nameserver 10.2.3.29
nameserver 10.8.4.9