Recently I found myself at a cafe that had a wifi connection that was using the whole 10.0.0.0/8 subnet, meaning all addresses from 10.0.0.1-10.255.255.254. This was set up by a professional networking company. In my opinion, someone needs to re-do their CCNA.

So what this means is that if your corporate network is, say, on 10.34.0.0, you will be unable to route traffic easily over the VPN.

I am told there are 2 ways of getting around this

1. Use network namespaces and NAT’ing to run your chosen applications in their own namespace that is NAT’ed through your real connection
2. Use iptables prerouting if you know which subnets you are trying to get to on the other side of the VPN.
3. Convince your coffee shop to use a sane network architecture

Let’s Get Started

ip netns add vpn_nat

ip netns list

Add virtual ethernet interfaces (peers)

ip link add name veth0 type veth peer name veth1

Move one of those peers into the vpn_nat namespace

ip link set veth1 netns vpn_nat

In the namespace context, set up the network

ip netns exec vpn_nat ifconfig lo up

ip netns exec vpn_nat ifconfig veth1 192.168.148.2/24 up

ip netns exec vpn_nat route add default gw 192.168.148.1

The eagle-eyed reader will notice that I am pointing to a gateway that doesn’t exist! We fix that like so:

ifconfig veth0 192.168.148.1/24 up

Test that the vpn_nat namespace can reach veth0