A Fix to Unable to Host Service On Server with Multiple NICs Feb 25th 2022 Words: 373

Problem

My server has two NICs connected to two different network segments: 172.16.1.1/24 via enp4s0 and 192.168.1.1/24 via br0. Both network segments have a VPN server for remote access.

The problem is that VPN clients on the 192.168.1.0/24 side are unable to access the services hosted on the machine.

Analysis

A Wireshark packet capture shows that the ping from the VPN clients arrives from 10.0.1.0/24 on br0, but the reply leaves through 172.16.1.1 on enp4s0.

The ip r command prints:

default via 172.16.1.1 dev enp4s0 proto dhcp metric 100
172.16.1.0/24 dev enp4s0 proto kernel scope link src 172.16.1.100 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.100

Since the host has no route for the VPN segments, every packet destined for 10.0.1.0/24 is sent to the default gateway, i.e. out of enp4s0 rather than back through br0 where it came in.

Solution

The solution is to manually add static routes so that the host sends packets to each VPN segment via the gateway on the interface the traffic arrived on.

On Ubuntu Server, edit /etc/netplan/50-cloud-init.yaml:

Add static routes for the VPNs to each interface.

network:
  ethernets:
    enp4s0:
      dhcp4: true
      dhcp6: true
      optional: true
      routes:
        # VPN segment reachable through the 172.16.1.0/24 gateway
        - to: 10.0.0.0/24
          via: 172.16.1.1
    enp0s31f6:
      dhcp4: true
      dhcp6: true
      optional: true
      routes:
        # VPN segment reachable through the 192.168.1.0/24 gateway
        - to: 10.0.1.0/24
          via: 192.168.1.1
  version: 2

Test the settings with netplan try, which automatically reverts the change after 120 seconds unless confirmed. Press Enter to keep the configuration.

ip r now prints:

default via 172.16.1.1 dev enp4s0 proto dhcp metric 100
10.0.0.0/24 via 172.16.1.1 dev enp4s0
10.0.1.0/24 via 192.168.1.1 dev br0
172.16.1.0/24 dev enp4s0 proto kernel scope link src 172.16.1.100 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.100

VPN clients on both networks are now able to access the services hosted on the server.
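The following Python script is an added example, not part of the original post. It reproduces the reasoning of the Analysis section: it parses the two ip r tables shown above (embedded here as constructed sample input), performs the same longest-prefix-match lookup the kernel does for a reply destination, and flags any VPN client whose reply would leave on a different interface than the one its packet arrived on. The client address 10.0.1.7 and the ingress interfaces in the arrivals list are assumptions chosen to match the post's capture.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # 0.0.0.0/0 for the default route
    dev: str
    via: Optional[str]
    metric: int


def parse_ip_route(text: str) -> List[Route]:
    """Parse IPv4 `ip r` output into Route records.

    Handles the line shapes seen in the post:
      default via 172.16.1.1 dev enp4s0 proto dhcp metric 100
      10.0.1.0/24 via 192.168.1.1 dev br0
      172.16.1.0/24 dev enp4s0 proto kernel scope link src 172.16.1.100
    """
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.IPv4Network(dst, strict=False)
        via, dev, metric = None, None, 0
        # Remaining fields are key/value pairs; scan adjacent tokens.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                via = value
            elif key == "dev":
                dev = value
            elif key == "metric":
                metric = int(value)
        if dev is None:
            raise ValueError(f"route line without dev: {line!r}")
        routes.append(Route(prefix, dev, via, metric))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    ip = ipaddress.IPv4Address(addr)
    candidates = [r for r in routes if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def find_asymmetric(routes: List[Route],
                    arrivals: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """arrivals: (client_ip, ingress_dev) pairs, e.g. taken from a packet capture.

    Returns (client_ip, ingress_dev, egress_dev) for every client whose reply
    would leave on a different interface than its request arrived on.
    """
    problems = []
    for client_ip, ingress in arrivals:
        route = lookup(routes, client_ip)
        egress = route.dev if route else None
        if egress != ingress:
            problems.append((client_ip, ingress, egress))
    return problems


# Constructed sample input: the routing tables printed in the post.
BEFORE = """\
default via 172.16.1.1 dev enp4s0 proto dhcp metric 100
172.16.1.0/24 dev enp4s0 proto kernel scope link src 172.16.1.100 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.100
"""

AFTER = """\
default via 172.16.1.1 dev enp4s0 proto dhcp metric 100
10.0.0.0/24 via 172.16.1.1 dev enp4s0
10.0.1.0/24 via 192.168.1.1 dev br0
172.16.1.0/24 dev enp4s0 proto kernel scope link src 172.16.1.100 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.100
"""

# Assumed capture observations: one client per VPN segment, seen on the
# interface its segment is attached to.
ARRIVALS = [("10.0.1.7", "br0"), ("10.0.0.9", "enp4s0")]


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        bad = find_asymmetric(parse_ip_route(table), ARRIVALS)
        print(f"{label}: {'asymmetric replies: ' + str(bad) if bad else 'all replies symmetric'}")
```

Running it reports the 10.0.1.7 client as asymmetric (in on br0, out on enp4s0) for the table before the fix and nothing for the table after it. The same check, fed real ip r output and the ingress interfaces from a capture, is a quick way to confirm that a new static route actually changed the egress interface before relying on it.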
