2025. 2. 12. 10:24ㆍAWS
Verify whether a ping from Mint to 8.8.8.8 leaves for the outside through VyOS's eth1 (1), or whether Mint, which sits on vmnet8, exits directly to 211.183.3.2 through its own ens32 (2).
Two Paths
1. VyOS (10.20.30.250 on eth1)
2. The VMware-provided interface (ens32) that appears to sit on 211.183.3.2
The answer: which path it actually takes depends primarily on the Mint server's default route.
- If Mint's default gateway is set to 10.20.30.250, then traffic to 8.8.8.8 goes through VyOS (Path #1).
- If Mint's default gateway is something like 211.183.3.2 (on ens32), then traffic bypasses VyOS and goes directly out to 211.183.3.x (Path #2).
How to verify which path is in use
Check the default route on Mint
- ip route show
Trace the path
- traceroute 8.8.8.8
If you see the first hop as 10.20.30.250, that means it is going through VyOS.
If the first hop is 211.183.3.2 or some other 211.x address, you are going out via ens32 directly.
But I do not have an actual server, so I cannot test it.
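The two checks above can be combined into a small script that reads the output of `ip route show` and `traceroute 8.8.8.8` and reports which path is in use. This is an added example, not part of the original post; the command output it parses is constructed, and on a real Mint VM you would feed it the live output of those two commands.

```sh
#!/bin/sh
# Added example (not from the original post): classify Mint's Internet path
# from `ip route show` and `traceroute 8.8.8.8` output. Sample output below
# is constructed; on a real host pass "$(ip route show)" "$(traceroute 8.8.8.8)".
VYOS_GW=10.20.30.250   # VyOS eth1, Path #1

# Gateway of the default route, or empty if there is none.
default_gw() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# IPv4 address of traceroute hop 1 (hostname/parentheses stripped), or empty
# when the first hop did not answer ("* * *").
first_hop() {
  printf '%s\n' "$1" | awk '$1 == "1" {
    for (i = 2; i <= NF; i++) {
      gsub(/[()]/, "", $i)
      if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }
  }'
}

# Map an address to a path: "vyos", "direct" (211.183.3.x), or "unknown".
classify() {
  case "$1" in
    "$VYOS_GW")  echo vyos ;;
    211.183.3.*) echo direct ;;
    *)           echo unknown ;;
  esac
}

# Both checks must agree; a mismatch hints at policy routing or a stale route.
check_path() {
  route_path=$(classify "$(default_gw "$1")")
  hop_path=$(classify "$(first_hop "$2")")
  [ "$route_path" = "$hop_path" ] && echo "$route_path" || echo "mismatch:$route_path/$hop_path"
}

# Constructed sample output for Path #1 (default route via VyOS).
ROUTE_VYOS='default via 10.20.30.250 dev ens32 proto static
10.20.30.0/24 dev ens32 proto kernel scope link src 10.20.30.10'
TRACE_VYOS='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (10.20.30.250)  0.412 ms  0.380 ms  0.351 ms
 2  211.183.3.2 (211.183.3.2)  1.102 ms  1.080 ms  1.055 ms'
# Constructed sample output for Path #2 (ens32 exits directly).
ROUTE_DIRECT='default via 211.183.3.2 dev ens32 proto dhcp metric 100'
TRACE_DIRECT='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  211.183.3.2  0.298 ms  0.270 ms  0.255 ms'

check_path "$ROUTE_VYOS" "$TRACE_VYOS"       # vyos
check_path "$ROUTE_DIRECT" "$TRACE_DIRECT"   # direct
```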
What is ens32 and why can it talk to 211.183.3.x?
In VMware, it is common for a VM's primary interface to be named ens32. That interface might be bridged to a physical NIC or NATed by VMware so that the VM sees an IP in 211.183.3.x.
So if Mint's ens32 is NATed in such a way that it can directly reach 211.183.3.2 as its gateway, the VM does not need to go through VyOS for Internet access.
The primary interface is the interface through which the client and host communicate with each other.
Both paths are possible but in a typical “VyOS as my firewall/router/VPN endpoint” setup, the “most correct” or most common arrangement is:
Mint’s default route points to VyOS (10.20.30.250). So Mint sends all Internet‐bound traffic (e.g., pings to 8.8.8.8) through VyOS on eth1. That traffic then NATs or routes out VyOS’s public interface (eth0 at 211.183.3.250). ens32 in Mint is merely the VMware‐provided NIC. Depending on how VMware is configured (Bridged / NAT / Host‐only), it may look like Mint can directly reach 211.183.3.x, but for a firewall/VPN design you typically do not give the VM a direct default route to the outside. Instead, you want all traffic to pass through VyOS.
This way VyOS can apply firewall rules, DNAT/SNAT, and manage the VPN. Mint is protected/filtered by VyOS.
VPN traffic originates from (or terminates on) Mint’s 10.20.30.x interface and is routed through VyOS, so the VPN and firewall policies actually come into play.
In other words, if Mint’s default gateway were 211.183.3.2 on ens32, it would bypass VyOS (and thus bypass VyOS’s firewall and VPN). That usually defeats the point of having a dedicated router/firewall.
Hence the “most correct answer” in a VyOS‐centric environment is:
Mint pings 8.8.8.8 via 10.20.30.250 → VyOS eth1 → VyOS eth0 → Internet
rather than going directly out Mint’s ens32 with a public IP/gateway.