0

I don't know how to title my question, but here's the thing.

I'm on Ubuntu 22.04.3 LTS. I've got a GlobalProtect VPN configuration. I followed this article to be able to connect from Ubuntu's Network Manager: https://system-administrator.pages.cs.sun.ac.za/globalprotect-openconnect/ I installed the network-manager-openconnect-gnome package and configured the VPN in Ubuntu's Network Manager.


When I've done it, I was able to connect to the VPN and SSH to some servers inside the private network.

Then, after a few days it suddenly stopped working. I’m still able to connect to the VPN, but I cannot ssh to the server I used to, with the error saying:

ssh: connect to host 172.19.27.13 port 22: No route to host

I thought it was something with the VPN or the server itself, but then I tried to connect from my Mac (using the same WiFi) and it worked without any problems.

I started to think that maybe my Docker network overlaps with the IP range from the VPN, so I stopped the docker service and even restarted my PC, but that didn't help.

The only thing I've tested so far is listed below, but it didn't give me any clue:

$ traceroute 172.19.27.13
traceroute to 172.19.27.13 (172.19.27.13), 64 hops max
  1   *  172.19.16.1  65,092ms !H  0,001ms !H 


$ ping 172.19.27.13
PING 172.19.27.13 (172.19.27.13) 56(84) bytes of data.
From 172.19.16.1 icmp_seq=1 Destination Host Unreachable


$ nmcli con show --active | grep -i vpn
MyVPN            de48b3b6-3caf-422a-a75b-465985493b1f  vpn     wlo1            
vpn0             b3ba4a7b-5104-4809-86a2-ea308b56c36d  tun     vpn0            


$ ip route get 172.19.27.13
172.19.27.13 dev br-633a51729988 src 172.19.16.1 uid 1000 
    cache 

Result of ip route before connecting to VPN:

$ ip route
default via 192.168.50.1 dev wlo1 proto dhcp metric 600 
169.254.0.0/16 dev wlo1 scope link metric 1000 
172.16.16.0/20 dev br-1995468707f3 proto kernel scope link src 172.16.16.1 linkdown 
172.16.32.0/20 dev br-0778c863d099 proto kernel scope link src 172.16.32.1 linkdown 
172.16.48.0/20 dev br-df4298cf3f34 proto kernel scope link src 172.16.48.1 linkdown 
172.16.64.0/20 dev br-b21e9bd4408a proto kernel scope link src 172.16.64.1 linkdown 
172.16.80.0/20 dev br-ab26a099e4af proto kernel scope link src 172.16.80.1 linkdown 
172.16.160.0/20 dev br-0809242b5614 proto kernel scope link src 172.16.160.1 linkdown 
172.16.176.0/20 dev br-7745b1996e38 proto kernel scope link src 172.16.176.1 linkdown 
172.16.224.0/20 dev br-e824a824630d proto kernel scope link src 172.16.224.1 linkdown 
172.17.32.0/20 dev br-390ac1b17b4a proto kernel scope link src 172.17.32.1 linkdown 
172.17.48.0/20 dev br-aba3c6c7ea81 proto kernel scope link src 172.17.48.1 linkdown 
172.17.64.0/20 dev br-fc9f97b6c962 proto kernel scope link src 172.17.64.1 linkdown 
172.18.80.0/20 dev br-c7b1780d377a proto kernel scope link src 172.18.80.1 linkdown 
172.18.112.0/20 dev br-bad9690b4488 proto kernel scope link src 172.18.112.1 linkdown 
172.18.224.0/20 dev br-4739b8f6c565 proto kernel scope link src 172.18.224.1 linkdown 
172.18.240.0/20 dev br-57b8ed7e5f78 proto kernel scope link src 172.18.240.1 linkdown 
172.19.0.0/20 dev br-345e49d0a9de proto kernel scope link src 172.19.0.1 linkdown 
172.19.16.0/20 dev br-633a51729988 proto kernel scope link src 172.19.16.1 linkdown 
172.19.32.0/20 dev br-9402f4890bea proto kernel scope link src 172.19.32.1 linkdown 
172.19.48.0/20 dev br-f973a49c39f8 proto kernel scope link src 172.19.48.1 linkdown 
172.19.64.0/20 dev br-337fb81fa103 proto kernel scope link src 172.19.64.1 linkdown 
172.19.80.0/20 dev br-32304ed3e93e proto kernel scope link src 172.19.80.1 linkdown 
172.19.96.0/20 dev br-25a1c30e2370 proto kernel scope link src 172.19.96.1 linkdown 
172.19.112.0/20 dev br-d41e5b9aaa3f proto kernel scope link src 172.19.112.1 linkdown 
172.19.128.0/20 dev br-1591a2081e6c proto kernel scope link src 172.19.128.1 linkdown 
172.19.160.0/20 dev br-9224acb921b3 proto kernel scope link src 172.19.160.1 linkdown 
172.19.176.0/20 dev br-cde9717fb323 proto kernel scope link src 172.19.176.1 linkdown 
172.19.192.0/20 dev br-dfd218450cc9 proto kernel scope link src 172.19.192.1 linkdown 
172.19.224.0/20 dev br-1119ec704f95 proto kernel scope link src 172.19.224.1 linkdown 
172.19.240.0/20 dev br-3b1afe5dcd39 proto kernel scope link src 172.19.240.1 linkdown 
172.20.0.0/20 dev br-3ef61fec14e6 proto kernel scope link src 172.20.0.1 linkdown 
172.20.16.0/20 dev br-1ad840df8f05 proto kernel scope link src 172.20.16.1 linkdown 
172.20.32.0/20 dev br-ac262d677384 proto kernel scope link src 172.20.32.1 linkdown 
172.20.48.0/20 dev docker0 proto kernel scope link src 172.20.48.1 linkdown 
172.20.64.0/20 dev br-32b0736cab0b proto kernel scope link src 172.20.64.1 linkdown 
172.20.80.0/20 dev br-bdd46d8dd94d proto kernel scope link src 172.20.80.1 linkdown 
172.20.96.0/20 dev br-de771380d5d0 proto kernel scope link src 172.20.96.1 linkdown 
172.20.128.0/20 dev br-c89e819f4c75 proto kernel scope link src 172.20.128.1 linkdown 
172.20.144.0/20 dev br-a41b7066e799 proto kernel scope link src 172.20.144.1 linkdown 
172.20.160.0/20 dev br-2df191fb5c5c proto kernel scope link src 172.20.160.1 linkdown 
172.22.0.0/16 dev br-650e4ea3a3bf proto kernel scope link src 172.22.0.1 linkdown 
172.23.0.0/16 dev br-082e3b5a62c0 proto kernel scope link src 172.23.0.1 linkdown 
172.25.0.0/16 dev br-5c28ca91c585 proto kernel scope link src 172.25.0.1 linkdown 
172.26.0.0/16 dev br-4f2c13db6831 proto kernel scope link src 172.26.0.1 linkdown 
172.27.0.0/16 dev br-82b4239e4105 proto kernel scope link src 172.27.0.1 linkdown 
172.28.0.0/16 dev br-7cc44739f78c proto kernel scope link src 172.28.0.1 linkdown 
172.29.0.0/16 dev br-7e70216d3f8f proto kernel scope link src 172.29.0.1 linkdown 
172.31.0.0/16 dev br-e687be49ba8e proto kernel scope link src 172.31.0.1 linkdown 
192.168.0.0/20 dev br-a66dd5b6bf3b proto kernel scope link src 192.168.0.1 linkdown 
192.168.16.0/20 dev br-58856c396a34 proto kernel scope link src 192.168.16.1 linkdown 
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.91 metric 600 
192.168.64.0/20 dev br-b71cb646f966 proto kernel scope link src 192.168.64.1 linkdown 
192.168.80.0/20 dev br-84c7113cab9d proto kernel scope link src 192.168.80.1 linkdown 
192.168.96.0/20 dev br-8b729ef36abf proto kernel scope link src 192.168.96.1 linkdown 

Result of ip route after connecting to VPN:

$ ip route
default via 192.168.50.1 dev wlo1 proto dhcp metric 600 
10.0.0.0/16 dev vpn0 proto static scope link metric 50 
10.1.0.0/16 dev vpn0 proto static scope link metric 50 
10.2.0.0/16 dev vpn0 proto static scope link metric 50 
10.3.0.0/16 dev vpn0 proto static scope link metric 50 
10.4.0.0/16 dev vpn0 proto static scope link metric 50 
10.5.0.0/16 dev vpn0 proto static scope link metric 50 
10.6.0.0/16 dev vpn0 proto static scope link metric 50 
10.50.0.32/28 dev vpn0 proto static scope link metric 50 
10.50.0.48/28 dev vpn0 proto static scope link metric 50 
10.50.0.64/28 dev vpn0 proto static scope link metric 50 
10.50.0.104/29 dev vpn0 proto static scope link metric 50 
10.50.1.0/24 dev vpn0 proto static scope link metric 50 
10.50.3.0/29 dev vpn0 proto static scope link metric 50 
10.50.3.56/29 dev vpn0 proto static scope link metric 50 
10.50.3.80/29 dev vpn0 proto static scope link metric 50 
10.50.3.88/29 dev vpn0 proto static scope link metric 50 
10.50.3.112/29 dev vpn0 proto static scope link metric 50 
10.50.6.0/28 dev vpn0 proto static scope link metric 50 
10.50.6.64/26 dev vpn0 proto static scope link metric 50 
10.50.12.0/24 dev vpn0 proto static scope link metric 50 
10.50.13.0/24 dev vpn0 proto static scope link metric 50 
10.79.1.0/24 dev vpn0 proto static scope link metric 50 
10.122.0.0/16 dev vpn0 proto static scope link metric 50 
10.125.0.0/16 dev vpn0 proto static scope link metric 50 
10.126.0.0/16 dev vpn0 proto static scope link metric 50 
10.255.0.0/16 dev vpn0 proto static scope link metric 50 
169.254.0.0/16 dev wlo1 scope link metric 1000 
172.16.0.0/16 dev vpn0 proto static scope link metric 50 
172.16.10.12 dev vpn0 proto static scope link metric 50 
172.16.10.13 dev vpn0 proto static scope link metric 50 
172.16.16.0/20 dev br-1995468707f3 proto kernel scope link src 172.16.16.1 linkdown 
172.16.32.0/20 dev br-0778c863d099 proto kernel scope link src 172.16.32.1 linkdown 
172.16.48.0/20 dev br-df4298cf3f34 proto kernel scope link src 172.16.48.1 linkdown 
172.16.64.0/20 dev br-b21e9bd4408a proto kernel scope link src 172.16.64.1 linkdown 
172.16.80.0/20 dev br-ab26a099e4af proto kernel scope link src 172.16.80.1 linkdown 
172.16.160.0/20 dev br-0809242b5614 proto kernel scope link src 172.16.160.1 linkdown 
172.16.176.0/20 dev br-7745b1996e38 proto kernel scope link src 172.16.176.1 linkdown 
172.16.224.0/20 dev br-e824a824630d proto kernel scope link src 172.16.224.1 linkdown 
172.17.32.0/20 dev br-390ac1b17b4a proto kernel scope link src 172.17.32.1 linkdown 
172.17.48.0/20 dev br-aba3c6c7ea81 proto kernel scope link src 172.17.48.1 linkdown 
172.17.64.0/20 dev br-fc9f97b6c962 proto kernel scope link src 172.17.64.1 linkdown 
172.18.0.0/16 dev vpn0 proto static scope link metric 50 
172.18.80.0/20 dev br-c7b1780d377a proto kernel scope link src 172.18.80.1 linkdown 
172.18.112.0/20 dev br-bad9690b4488 proto kernel scope link src 172.18.112.1 linkdown 
172.18.224.0/20 dev br-4739b8f6c565 proto kernel scope link src 172.18.224.1 linkdown 
172.18.240.0/20 dev br-57b8ed7e5f78 proto kernel scope link src 172.18.240.1 linkdown 
172.19.0.0/20 dev br-345e49d0a9de proto kernel scope link src 172.19.0.1 linkdown 
172.19.0.0/16 dev vpn0 proto static scope link metric 50 
172.19.16.0/20 dev br-633a51729988 proto kernel scope link src 172.19.16.1 linkdown 
172.19.32.0/20 dev br-9402f4890bea proto kernel scope link src 172.19.32.1 linkdown 
172.19.48.0/20 dev br-f973a49c39f8 proto kernel scope link src 172.19.48.1 linkdown 
172.19.64.0/20 dev br-337fb81fa103 proto kernel scope link src 172.19.64.1 linkdown 
172.19.80.0/20 dev br-32304ed3e93e proto kernel scope link src 172.19.80.1 linkdown 
172.19.96.0/20 dev br-25a1c30e2370 proto kernel scope link src 172.19.96.1 linkdown 
172.19.112.0/20 dev br-d41e5b9aaa3f proto kernel scope link src 172.19.112.1 linkdown 
172.19.128.0/20 dev br-1591a2081e6c proto kernel scope link src 172.19.128.1 linkdown 
172.19.160.0/20 dev br-9224acb921b3 proto kernel scope link src 172.19.160.1 linkdown 
172.19.176.0/20 dev br-cde9717fb323 proto kernel scope link src 172.19.176.1 linkdown 
172.19.192.0/20 dev br-dfd218450cc9 proto kernel scope link src 172.19.192.1 linkdown 
172.19.224.0/20 dev br-1119ec704f95 proto kernel scope link src 172.19.224.1 linkdown 
172.19.240.0/20 dev br-3b1afe5dcd39 proto kernel scope link src 172.19.240.1 linkdown 
172.20.0.0/20 dev br-3ef61fec14e6 proto kernel scope link src 172.20.0.1 linkdown 
172.20.16.0/20 dev br-1ad840df8f05 proto kernel scope link src 172.20.16.1 linkdown 
172.20.32.0/20 dev br-ac262d677384 proto kernel scope link src 172.20.32.1 linkdown 
172.20.48.0/20 dev docker0 proto kernel scope link src 172.20.48.1 linkdown 
172.20.64.0/20 dev br-32b0736cab0b proto kernel scope link src 172.20.64.1 linkdown 
172.20.80.0/20 dev br-bdd46d8dd94d proto kernel scope link src 172.20.80.1 linkdown 
172.20.96.0/20 dev br-de771380d5d0 proto kernel scope link src 172.20.96.1 linkdown 
172.20.128.0/20 dev br-c89e819f4c75 proto kernel scope link src 172.20.128.1 linkdown 
172.20.144.0/20 dev br-a41b7066e799 proto kernel scope link src 172.20.144.1 linkdown 
172.20.160.0/20 dev br-2df191fb5c5c proto kernel scope link src 172.20.160.1 linkdown 
172.22.0.0/16 dev br-650e4ea3a3bf proto kernel scope link src 172.22.0.1 linkdown 
172.22.0.0/16 dev vpn0 proto static scope link metric 50 
172.23.0.0/16 dev br-082e3b5a62c0 proto kernel scope link src 172.23.0.1 linkdown 
172.25.0.0/16 dev br-5c28ca91c585 proto kernel scope link src 172.25.0.1 linkdown 
172.25.3.0/24 dev vpn0 proto static scope link metric 50 
172.26.0.0/16 dev br-4f2c13db6831 proto kernel scope link src 172.26.0.1 linkdown 
172.27.0.0/16 dev br-82b4239e4105 proto kernel scope link src 172.27.0.1 linkdown 
172.28.0.0/16 dev br-7cc44739f78c proto kernel scope link src 172.28.0.1 linkdown 
172.29.0.0/16 dev br-7e70216d3f8f proto kernel scope link src 172.29.0.1 linkdown 
172.31.0.0/16 dev br-e687be49ba8e proto kernel scope link src 172.31.0.1 linkdown 
192.168.0.0/20 dev br-a66dd5b6bf3b proto kernel scope link src 192.168.0.1 linkdown 
192.168.6.0/24 dev vpn0 proto static scope link metric 50 
192.168.13.0/24 dev vpn0 proto static scope link metric 50 
192.168.15.0/24 dev vpn0 proto static scope link metric 50 
192.168.16.0/24 dev vpn0 proto static scope link metric 50 
192.168.16.0/20 dev br-58856c396a34 proto kernel scope link src 192.168.16.1 linkdown 
192.168.17.0/24 dev vpn0 proto static scope link metric 50 
192.168.27.0/24 dev vpn0 proto static scope link metric 50 
192.168.31.0/24 dev vpn0 proto static scope link metric 50 
192.168.32.0/24 dev vpn0 proto static scope link metric 50 
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.91 metric 600 
192.168.50.1 dev wlo1 proto static scope link metric 50 
192.168.64.0/24 dev vpn0 proto static scope link metric 50 
192.168.64.0/20 dev br-b71cb646f966 proto kernel scope link src 192.168.64.1 linkdown 
192.168.65.0/24 dev vpn0 proto static scope link metric 50 
192.168.71.0/24 dev vpn0 proto static scope link metric 50 
192.168.80.0/20 dev br-84c7113cab9d proto kernel scope link src 192.168.80.1 linkdown 
192.168.96.0/20 dev br-8b729ef36abf proto kernel scope link src 192.168.96.1 linkdown 
193.104.155.113 via 192.168.50.1 dev wlo1 proto static metric 50 

What I've tried:

  1. stopping docker service
  2. restarting PC
  3. removing and recreating VPN configuration
  4. using different WiFi (mobile connection in this case)

None of that helped.

So I think the question is - does it really try to connect to the private network, or maybe it tries to find the IP somewhere locally? How can I debug that?

4
  • You say "I tried to connect from my Mac (using the same WiFi)": so that Mac has a working VPN, but your Linux machine doesn't, is that correct? What errors or confirmations do you get when you start the VPN? Please edit your post to provide some more detail.
    – zwets
    Commented Jan 23 at 21:24
  • @zwets thanks for your comment. I clarified that part in my post - I’m able to connect to VPN on both computers, but SSH connection to a server inside that network only works on Mac.
    – sowiq
    Commented Jan 23 at 22:31
  • Did you use the Network Manager method? Or did you install the app using the terminal? Add this information in your question.
    – user68186
    Commented Jan 23 at 22:40
  • 1
    Please add the output of ip route to your question, before and after connecting to the VPN.
    – zwets
    Commented Jan 23 at 22:42

2 Answers

1

I'm not sure if I fully understand your question, but if you want to know "how" the system connects to a given IP, you can use the command

ip route get x.x.x.x

It will show you over what interface (and what gateway, if any) the packets are routed towards the IP address x.x.x.x. Two examples from the computer I'm currently working on:

raj@ubu64:~$ ip route get 172.28.200.1
172.28.200.1 dev eth1  src 172.28.200.55 
    cache  mtu 1500 advmss 1460 hoplimit 64
raj@ubu64:~$ ip route get 10.0.0.1
10.0.0.1 via 192.168.137.1 dev eth0  src 192.168.137.44 
    cache  mtu 1500 advmss 1460 hoplimit 64

You can see that connection to IP address 172.28.200.1 goes through interface eth1 on my computer (which has IP address 172.28.200.55) and connection to 10.0.0.1 goes through interface eth0 (which has IP address 192.168.137.44) and via the gateway 192.168.137.1.

So if you know the name of your VPN interface (from the ip route output you posted it looks that it is vpn0) or the IP address of your local end of the VPN tunnel, you can identify the connections going over the VPN.

In your particular case, you want to connect to 172.19.27.13. Your ip route output both before and after connecting to VPN shows that IP range 172.19.16.0/20 (172.19.27.13 belongs to that range) is routed over interface br-633a51729988 (you must identify what this particular interface actually is). Note that after connecting to VPN, this does not change - the same range is still routed through the same interface.

The networks routed through your VPN are the ones that have dev vpn0 in your ip route output. These ranges do not include the address 172.19.27.13.

I guess that all these IP ranges routed through various br-* interfaces are ranges assigned to your Docker containers (sorry, I have no experience with Docker, so I don't know this for sure). This also applies to 172.19.27.13 - it is an address somewhere within your Docker subnets.

If you want 172.19.27.13 to be some address external to your Docker virtual network, you have to either change the addressing of your Docker subnets so that this address does not fall into that range (this is the optimal solution), or - as a workaround - you need to manually add route to that particular address over the VPN interface.

2
  • Thank you for your answer. Indeed that looks to be the case - the traffic seems to be directed to the br-633a51729988 interface. This at least gives me a clue of where to start looking into.
    – sowiq
    Commented Jan 24 at 11:56
  • I'm marking this answer as an accepted solution, as it allowed me to solve the problem. Appears that reconfiguring Docker networks and restarting the service, or even the whole system was not enough. I also had to run docker network prune to get rid of the old, orphaned interfaces.
    – sowiq
    Commented Jan 24 at 12:18
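
An added example (not part of the original answer or its comments): a Python sketch of the lookup the answer walks through, run over a few lines copied from the question's post-VPN `ip route` output. It picks the winning route by longest prefix and then lowest metric, and lists local routes that sit inside a range pushed by the VPN; the function names and the `vpn_dev` default are assumptions of this example.

```python
import ipaddress

# Sample input: lines excerpted from the "after connecting to VPN" output in the question.
SAMPLE_ROUTES = """\
default via 192.168.50.1 dev wlo1 proto dhcp metric 600
172.19.0.0/20 dev br-345e49d0a9de proto kernel scope link src 172.19.0.1 linkdown
172.19.0.0/16 dev vpn0 proto static scope link metric 50
172.19.16.0/20 dev br-633a51729988 proto kernel scope link src 172.19.16.1 linkdown
172.22.0.0/16 dev br-650e4ea3a3bf proto kernel scope link src 172.22.0.1 linkdown
172.22.0.0/16 dev vpn0 proto static scope link metric 50
192.168.27.0/24 dev vpn0 proto static scope link metric 50
"""

def parse_routes(text):
    """Parse `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # line does not start with a prefix (e.g. "cache")
        dev = fields[fields.index("dev") + 1]
        # A route printed without "metric" has metric 0.
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes

def lookup(routes, dest):
    """Return the route chosen for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def shadowed_vpn_ranges(routes, vpn_dev="vpn0"):
    """List (local_net, local_dev, vpn_net) for every non-VPN route that lies
    inside (or equals) a range routed over the VPN device."""
    vpn_nets = [net for net, dev, _ in routes if dev == vpn_dev]
    found = []
    for net, dev, _ in routes:
        if dev == vpn_dev:
            continue
        for vnet in vpn_nets:
            if net.subnet_of(vnet):
                found.append((str(net), dev, str(vnet)))
    return found

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print(lookup(table, "172.19.27.13"))
    for hit in shadowed_vpn_ranges(table):
        print("local route %s on %s overlaps VPN range %s" % hit)
```

To check a live system, feed it the real table, for example `parse_routes(subprocess.run(["ip", "route"], capture_output=True, text=True).stdout)`.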
0

In my case, but using a different VPN, I stopped using the Ubuntu GUI for VPN settings and now I use only command line actions. No more problems.

1
  • That’s a good point, actually. However it’s a GlobalProtect type of VPN and I’m pretty sure it connects, as there’s 2FA step involved, which sends notification to a MS Authenticator on my phone. So for me it looks like that part works.
    – sowiq
    Commented Jan 23 at 22:34
