{"id":22,"date":"2018-07-02T15:59:56","date_gmt":"2018-07-02T20:59:56","guid":{"rendered":"http:\/\/www.diadian.com\/?p=22"},"modified":"2018-07-02T15:59:56","modified_gmt":"2018-07-02T20:59:56","slug":"what-to-do-when-your-local-subnet-matches-the-subnet-you-just-vpn-ed-into","status":"publish","type":"post","link":"https:\/\/www.diadian.com\/index.php\/2018\/07\/02\/what-to-do-when-your-local-subnet-matches-the-subnet-you-just-vpn-ed-into\/","title":{"rendered":"What to do when your local subnet matches the subnet you just vpn-ed into."},"content":{"rendered":"<p>Today I decided to get out of the office and work from the main Brooklyn library branch. \u00a0This place always inspires me and surprises me. \u00a0Plus I had two library books that were overdue and it would be great to stop the clock on those late fees.<\/p>\n<p>I VPN&#8217;ed back into the office and I found that my office network (10.0.1.X\/24) falls within the extremely wide network scope used by the BPL WiFi system (10.X.X.X\/8). \u00a0I was able to connect without issue since my public IP isn&#8217;t in the 10.X.X.X but I wasn&#8217;t able to ping anything on my office network and of course, I couldn&#8217;t reach the server I needed over SSH either.<\/p>\n<p>A quick read of the routing table (netstat -nr) shows that I should be able to ping one device (10.0.1.1) over the VPN and indeed I could. \u00a0I tried manually adding a route for my office LAN and directing it to the same Gateway IP that was working for the single host (sudo route add -host 10.0.1.36 10.0.1.231) and although I could add the route, the route did not help me ping anything on my LAN.<\/p>\n<p>I gave the routing table another look. \u00a0This time I wanted to know why I could ping one host and not the others&#8230; and there was the answer. 
\u00a0The route that allowed me to ping a single host had the VPN interface specified while all the other routes used en0.<\/p>\n<p>A quick read of the route command gave me the answer for a single host:<\/p>\n<p><strong>sudo route add -host 10.0.1.204 -interface ppp0<\/strong><\/p>\n<p>and for my entire office subnet:<\/p>\n<p><strong>sudo route add -net 10.0.1.0\/24 -interface ppp0<\/strong><\/p>\n<p>The -host command says: for any traffic going to host 10.0.1.204, send it over the VPN instead of the standard network interface, even though the network interface&#8217;s scope includes this host.<\/p>\n<p>I don&#8217;t expect the -net version of the command to work when the VPN and local WiFi scopes overlap perfectly (both using 192.168.0.1\/24 for example) but I am not really sure. \u00a0Next time I see a network using 10.0.1.1\/24, I&#8217;ll give it a try.<\/p>\n<p>This was done on a MacBook Pro running 10.13.5. \u00a0The VPN device on the other end is a SonicWall TZ300 running 6.2.9.0-21N. \u00a0The VPN protocol was L2TP over IPsec and the VPN client was the built-in OS X VPN client.<\/p>\n<p>Hope this helps someone.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I decided to get out of the office and work from the main Brooklyn library branch. \u00a0This place always inspires me and surprises me. \u00a0Plus I had two library books that were overdue and it would be great to stop the clock on those late fees. 
I VPN&#8217;ed back into the office and I [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/posts\/22"}],"collection":[{"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":4,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":26,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/posts\/22\/revisions\/26"}],"wp:attachment":[{"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.diadian.com\/index.php\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}