Connecting a Linux Computer to SU Network
29 Mar 2020Since I am working with Linux, which is considered to be “insecure” by Syracuse University’s ITS, there is no official approach to connect to SU’s network with VPN. Fortunately, if you have an OSX or Windows machine around, which are capable of using SU’s VPN, we can set up a NAT rule to allow Linux computers in the same LAN to access SU hosts.
Requierments
- You have a machine that can use official SU VPN (OSX or Windows)
- This machine and your Linux computer is in the same network
If the other machine is OSX
-
Enable Firewall in OSX
System Prerefences->Security & Privacy->Firewawll->Turn On Firewall -
Turn on IP forwarding
sudo systemctl -w net.inet.ip.forwarding=1 - Connect to SU’s VPN
-
Use
netstat -nrcommand to find out VPN’s tunnel interfaceFor example, running
netstat -nron my computer yields the following output. The highlighted line indicates that the tunnel interface isppp0, because all SU traffic is redirected there.Alans-MacBook-Pro:~ xiang$ netstat -nr Routing tables Internet: Destination Gateway Flags Netif Expire default 192.168.0.1 UGSc en0 default link#20 UCSI ppp0 127 127.0.0.1 UCS lo0 127.0.0.1 127.0.0.1 UH lo0 128.230 ppp0 USc ppp0 128.230.153.12 192.168.0.1 UGHS en0 128.230.153.38 128.230.153.155 UH ppp0 169.254 link#6 UCS en0 ! 192.168.0 link#6 UCS en0 ! 192.168.0.1/32 link#6 UCS en0 ! 192.168.0.1 d8:d:17:b3:8f:6d UHLWIir en0 1165 192.168.0.7 link#6 UHRLWI en0 ! 192.168.0.101 5c:ea:1d:56:6d:af UHLWI en0 496 192.168.0.104 9c:f4:8e:4f:ad:c4 UHLWIi en0 1115 192.168.0.105 54:62:e2:59:d6:9a UHLWIi en0 668 192.168.0.106 bc:54:36:37:93:fd UHLWI en0 890 192.168.0.111/32 link#6 UCS en0 ! 192.168.0.111 f0:18:98:32:cf:3a UHLWI lo0 224.0.0/4 link#6 UmCS en0 ! 224.0.0/4 link#20 UmCSI ppp0 224.0.0.251 1:0:5e:0:0:fb UHmLWI en0 239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en0 255.255.255.255/32 link#6 UCS en0 ! 255.255.255.255/32 link#20 UCSI ppp0 -
Add NAT rules to OSX’s firewall
Open
/etc/pf.confwith root privilege and add NAT rule belownat-anchor. Here,192.168.0.100is the IP address of my Linux machine (I want to allow this machine only since I don’t want to get into trouble by abusing my VPN account. You can use CIDR notation to allow more computers in the subnet.);ppp0is the VPN tunnel interface. Note: this line must be added to the correct position, otherwisepfctlwill complain syntax error!# # com.apple anchor point # scrub-anchor "com.apple/*" nat-anchor "com.apple/*" nat on ppp0 from 192.168.0.100 to 128.230.0.0/16 -> (ppp0) rdr-anchor "com.apple/*" dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"After updating the config file, run the following commands:
sudo pfctl -d #disables pfctl sudo pfctl -F all #flushes all pfctl rules sudo pfctl -f /etc/pf.conf -e #starts pfctl and loads the rulesWe can use
pfctl -s natto see if the rule is set up correctly.Alans-MacBook-Pro:~ xiang$ sudo pfctl -s nat Password: No ALTQ support in kernel ALTQ related functions disabled nat-anchor "com.apple/*" all nat on ppp0 inet from 192.168.0.100 to 128.230.0.0/16 -> (ppp0) round-robin rdr-anchor "com.apple/*" all
-
Add rules in Linux computer’s routing table
We need to route SU’s traffic towards the OSX computer. To do so, we use the following command:
(base) user@machine:~$ sudo ip route add 128.230.0.0/16 via 192.168.0.111
We can use
route -nto see if the routing table is updated correctly.(base) user@machine:~$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp0s31f6 128.230.0.0 192.168.0.111 255.255.0.0 UG 0 0 0 enp0s31f6 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 anbox0 192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s31f6 192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 anbox0
Now everything should be done! We can use ping utility to see if we can access SU’s internal hosts.
(base) user@machine:~$ ping 128.230.84.1 PING 128.230.84.1 (128.230.84.1) 56(84) bytes of data. 64 bytes from 128.230.84.1: icmp_seq=1 ttl=252 time=62.6 ms 64 bytes from 128.230.84.1: icmp_seq=2 ttl=252 time=83.6 ms 64 bytes from 128.230.84.1: icmp_seq=3 ttl=252 time=104 ms ^C --- 128.230.84.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 62.607/83.503/104.299/17.020 ms
The traceroute results shows that our packets will go through our OSX machine and eventually reach SU’s network.
(base) user@machine:~$ sudo traceroute 128.230.84.1 -I [sudo] password for user: traceroute to 128.230.84.1 (128.230.84.1), 30 hops max, 60 byte packets 1 192.168.0.111 (192.168.0.111) 128.133 ms 128.145 ms 128.151 ms 2 128.230.153.38 (128.230.153.38) 311.626 ms 311.632 ms 311.915 ms 3 128.230.153.1 (128.230.153.1) 311.043 ms 311.053 ms 311.329 ms 4 172.16.0.101 (172.16.0.101) 311.333 ms 311.333 ms 311.334 ms 5 172.16.0.22 (172.16.0.22) 311.315 ms 311.315 ms 311.314 ms 6 gway-s84.syr.edu (128.230.84.1) 313.140 ms 298.395 ms 298.412 ms
If the other machine is Windows…
The steps should be similar. I do not have a Windows computer at hand, so this part is temporarily empty.
Reference links
