Piercing the firewall is not everything. You must also route the packets from this side of the firewall to the other. This section tackles the basic settings specific about routing accross a tunnel. For more detailed explanations of routing, see the relevant HOWTOs and man pages about networking, routing and masquerading.
The main point is that although your network administration would tell you to setup your local router as the default route, you might want to have it but a specific route to the networks within your side or the firewall, whereas the other end of your PPP link should be the router for the networks on the other side. Your default route should point to a router on whichever side gives you access to the Internet. Most importantly, all machines involved in routing packets to the other end of the tunnel should be routed through your usual network (i.e. ethernet), for your kernel will have problems if it tries to route through the tunnel the packets to the remote host that precisely serves as end-point for the tunnel.
So you'll have to setup proper routes in your network startup configuration
as well as your PPP startup configuration in
/etc/ppp/ip-up.d/ or wherever your distribution puts them.
To identify your distribution-specific file locations,
RTFM the docs of your distribution,
grep recursively on your
and if all else fails, trace the boot behaviour of your computer
Also, when piercing a tunnel from a roaming laptop on the Internet
into a protected network, I used to use from within my
(available from the
that gives me the current route for the host on the other end of the tunnel.
Once you can route packets to the other side of the tunnel, you might want to setup your machine as a router for all your pals on your site of the firewall, achieving a full-fledged shared VPN. This is not specific to Firewall-Piercing, so just you read the relevant HOWTOs about networking, routing and masquerading. Also, for security reasons, be sure to also setup a proper firewall on your machine, especially if you're going to be a router for other people.
Finally, be reminded that if you're using
on the other end of the tunnel (as opposed to user-mode
you will have to configure proper routes and firewall rules
on the other side of the tunnel, too.
Let's consider an example. In your case, of course, you'll have to adapt the IP numbers, and insert the commands in the right place, which depends on your distribution.
For instance, imagine your machine is on the ethernet eth0 with IP address is 18.104.22.168 on network 22.214.171.124/24, router 126.96.36.199. Your network administrator will have told you to use 188.8.131.52 as default router. But you shouldn't, as you should only use it to route on your side of the firewall. Imagine you have networks 184.108.40.206/16 and 220.127.116.11/16 and host 18.104.22.168 accessible through your router on your side of the firewall. Then you'll add these routes to your startup script:
route add -net 22.214.171.124 netmask 255.255.0.0 gw 126.96.36.199 route add -net 188.8.131.52 netmask 255.255.0.0 gw 184.108.40.206 route add -host 220.127.116.11 gw 18.104.22.168You must also keep the route to the local network, necessary for linux kernel 2.0 and earlier, but implicitly added by ifconfig on 2.2 and later:
route add -net 22.214.171.124 netmask 255.255.255.0 dev eth0On the other hand, you must remove any default route from your scripts:
route add default gw 126.96.36.199If the default route has already been set, you can remove it as is:
route del default gw 188.8.131.52Then you can have
pppdsetup a default route automatically when it starts by using its
defaultrouteoption. Or you can add it after the fact with:
route add default gw 10.0.2.2If you don't want
pppdas a default route, because the Internet is on your side of the firewall, and instead want network 184.108.40.206/20 to be routed through the tunnel, except from host 220.127.116.11 that serves as the other end of the tunnel, then have this executed from your
route add -host 18.104.22.168 gw 22.214.171.124 route add -net 126.96.36.199 netmask 255.255.240.0 gw 10.0.2.2If you're a laptop and your current LAN moves, and yet you want to keep your current route to 188.8.131.52, whatever it be, then use
getroute.plas follows to automatically find the right gateway in the
route add -hostcommand:
$(getroute.pl 184.108.40.206)Note that if you have them in your
/etc/hosts, you might use symbolic names instead of numerical IP addresses (and you might even use FQDN's, if you trust the DNS never to fail).