Can an OpenVPN Route over TEST-NET-1 (RFC 5735)

Background

I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.

So, these are all off limits:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 169.254.0.0/16

In searching for a solution, I came across RFC 5735, which defines:

  • 192.0.2.0/24 TEST-NET-1
  • 198.51.100.0/24 TEST-NET-2
  • 203.0.113.0/24 TEST-NET-3

As:

For use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.

Which was a "Jackpot" moment for me and my use case.

Config

I configured an OpenVPN server as such:

local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...

With Client:

client
nobind
dev tun
proto tcp
...[Snip]...

And ufw rules:

:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT

However, upon running I get "/sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists" in the error logs, while the VPN completes the rest of its connection successfully.

No connection

Running the following commands:

Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1

Results in:

curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out

I have tried:

  • /sbin/ip route replace 203.0.113.0/24 dev tun 0 on client and server.
  • /sbin/ip route change 203.0.113.0/24 dev tun 0 on client and server.
  • Adding route 203.0.113.0 255.255.255.0 to the server.
  • Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to the server.

And none of it seems to work.

Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?

Solution 1:

This does actually work!

Just don't forget to allow connections within your firewall. I fixed my config with:

sudo ufw allow in on tun0

However, 198.18.0.0/15 and 100.64.0.0/10, defined as Benchmarking and Shared Address Space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.
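As an added example (not code from the question or the answer), a small Python check that classifies a proposed OpenVPN "server" subnet against the ranges discussed above, and that scans a routing table for the existing connected route that makes the pushed route fail with "File exists". The route lines and the block descriptions are constructed for the example.

```python
import ipaddress

# Special-purpose IPv4 blocks named on this page. "off-limits" are the ranges
# the question must keep reachable over the VPN, "documentation" is RFC 5737
# TEST-NET space, "candidate" are the alternatives suggested in the answer.
RESERVED = [
    ("10.0.0.0/8", "RFC 1918 private", "off-limits"),
    ("172.16.0.0/12", "RFC 1918 private", "off-limits"),
    ("192.168.0.0/16", "RFC 1918 private", "off-limits"),
    ("169.254.0.0/16", "link-local", "off-limits"),
    ("192.0.2.0/24", "TEST-NET-1", "documentation"),
    ("198.51.100.0/24", "TEST-NET-2", "documentation"),
    ("203.0.113.0/24", "TEST-NET-3", "documentation"),
    ("198.18.0.0/15", "benchmarking", "candidate"),
    ("100.64.0.0/10", "shared address space", "candidate"),
]
SEVERITY = ["off-limits", "documentation", "candidate"]  # strictest first

def classify(subnet):
    """Return (verdict, overlapping block names) for a proposed 'server' subnet;
    the strictest overlapping class wins, and no overlap at all is 'public'
    (such a subnet would shadow real Internet addresses for VPN clients)."""
    net = ipaddress.ip_network(subnet, strict=False)
    hits = [(cls, name) for cidr, name, cls in RESERVED
            if net.overlaps(ipaddress.ip_network(cidr))]
    if not hits:
        return "public", []
    return min((c for c, _ in hits), key=SEVERITY.index), [n for _, n in hits]

def conflicting_routes(subnet, ip_route_lines):
    """Return existing 'ip route' entries whose prefix overlaps `subnet`.
    With 'topology subnet' the kernel already holds a connected route for the
    tun prefix, so pushing the same 'route' makes RTNETLINK say 'File exists'."""
    net = ipaddress.ip_network(subnet, strict=False)
    out = []
    for line in ip_route_lines:
        try:  # 'default', 'unreachable' and blank lines raise ValueError
            if ipaddress.ip_network(line.split(" ", 1)[0], strict=False).overlaps(net):
                out.append(line)
        except ValueError:
            pass
    return out

# Constructed sample of client 'ip route' output once the tunnel is up.
SAMPLE_ROUTES = [
    "default via 192.168.1.1 dev eth0",
    "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50",
    "203.0.113.0/24 dev tun0 proto kernel scope link src 203.0.113.2",
]
```

Feed it the real output of `ip route` (one line per entry) to see which existing entry the pushed route collides with; the warning is harmless once the connected route is there, and the missing piece in this thread was the firewall rule, not the route.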

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 NictraSavios