Are you ready to go down the rabbit hole? To visit a surreal world, where black is white and white is carrots?
A friend, Metacognician in Shanghai, describes the situation as follows: “Life is more absurd than movies. I've gone down the rabbit hole too, when it just becomes more and more strange and you wonder how that all is supposed to make sense.” I asked him if I should just embrace it. He answered, “Why should you ... change the universe?”
It started with a psychotic named Jim Kiraly who resides, we think, at 6329 Twinberry Circle, Avila Beach, California.
Jim Kiraly is a respected citizen. A churchgoer. A Vice President of Transamerica Corporation. And a violent abuser who tried to use an emergency anti-violence measure, one intended to protect battered women, to stop his victim in a wheelchair from writing a book.
Concise enough? :)
For attorneys: Jim Kiraly filed for CLETS against his son and victim, who lived 200 miles away, did not own a car, and was in a wheelchair. His son and victim was not asked to end communications. Jim had no (zero) specific and relevant allegations that were not perjury. But he turned down repeated offers of no-contact and a signed stipulation that gave him everything but CLETS. He insisted on CLETS if his victim ever once “discussed” him with third parties.
In the end, Jim Kiraly signed an agreement far weaker than the ones he'd been offered.
A review of Court paperwork and other materials will tend to confirm that Jim and other parties, including attorneys on all sides, committed multiple felonies, crimes, and faux pas. :P
The word “abuser” is stated here publicly and without equivocation. A formal offer is hereby made to reaffirm the word in writing and under oath. Attorneys will understand the significance of the point. In short, there is little terror of a threatened defamation suit on this side. Actually, we feel that such a suit will fit nicely up Jim Kiraly's abuser ass.
Jim has one son, Ken Kiraly, who invented the Amazon Kindle and is one of the leads at Amazon's secret Lab126. Another son, Tom Kiraly is one of the leads, a Vice President-CFO type, at medical insurance firms, including one of the largest, Humana Corporation.
These people and some of the biggest names in Silicon Valley legal circles have committed or are involved in multiple crimes.
For the next decade or two, we're going to explore the crimes that these people committed, the motivations and the denial involved, the background and histories that led each person to make the choices that they did, and ways to build upon what happened and move towards positive societal goals.
There's plenty to go over. These people committed or were involved in: Spousal abuse, child abuse, DDOS (a highly prosecutable violation of CFAA), extortion, perjury, conspiracy to commit perjury (a possible felony), false police reports, conspiracy to file false police reports (a possible felony), unlawful threats, barratry, defamation, malpractice, civil harassment, criminal harassment, abuse of process, and violations of SCCBA Professional Standards.
The point was to force Jim's oldest son and victim, me, to sign a gag order. I was in a wheelchair. I'd never made a single inappropriate threat against my abuser. I wasn't even asked not to call anybody. But Jim threatened to put me in a violence database unless I agreed never to write about him.
I won the right to write, but I lost my home of 25 years, most of my possessions, my chances for retirement, everything. Everything but a realization.
I can make a difference. I can conduct research for legitimate and reasonable purposes, document what happened, and analyze the choices of the people involved:
- Grace Kiraly, abuse victim and Christ Follower.
- Gail Cheda, slightly demented Realtor, spittle flying.
- Tom Stutzman of Thomas Chase Stutzman, a Family Law attorney whose hobbies include martial arts and alleged sexual harassment
- John Perrott of Thomas Chase Stutzman, a personable albeit lazy Family Law attorney who has a slight tendency towards fraud and malpractice
- Chris Burdick, head of the Santa Clara County Bar Association (SCCBA). Chris, you broke a written promise to speak with me because, you said, we had “Prior...” You didn't finish the sentence. Were you worried that I might take false statements to the State Bar? What's the deal with you and Hoge Fenton, anyway? What will we find if we dig?
- Tracie Zerr of Thomas Chase Stutzman, a woman of boundless intelligence and sensitivity.
Maggie told me that she didn't know what she could say to me about what happened. However, we have decades to work it out. It will be productive. I'd like to direct the attention of attorneys and other parties to the:
Questions or comments are welcome. For technical notes and disclaimers, click here.
The current free ebook is located at this link:
For details about the ebook, click here.
The Kiralys and their associates have tried to take down the sites before. Actually, they've committed multiple felonies in the process. It's no big deal, but to make a point, we're giving everything away for the low price of... well, free.
Here's a link to a ZIP file that contains a copy of the main Christ Follower site. It may be out of date but feel free to download the ZIP file and pass it around. The file is about 150MB in size.
Link for christfollower.zip:
The point? “The story is already out there, idiots. Keep it up and I'll demonstrate how something known as decentralized distribution works.”
A full Kiraly Cases tags system will be added in 2014.
131101. The Kiralys and/or their associates tried to portray me as a “hacker”. Without making a single specific accusation. Then they themselves set up a highly illegal Botnet. Irony enough.
As it turns out, I only know a bit about such matters. But perhaps they should have thought things through. Honest to God, with no disrespect to Him intended, how did Jim Kiraly of Transamerica Corporation and Tom Kiraly of Humana Corporation and Sheridan Health Care expect this to play out? What did they think would happen?
They are involved with a highly prosecutable felony now. And I happen to be neurodiverse and good at patterns. A fact they've known for half a century. Somebody who is able to learn lawful and appropriate ways to deal with Botnets. And to Gather Information for Legitimate Purposes.
As always, potential attorneys for any person or side are invited to review the Legitimate Purposes list at the following link:
On a separate and unrelated note, a recent conversation with a white hat follows.
The illustration below the post is distributed under the following license. For attribution purposes, the creator and rights holder is Bakushade:
I did not explain the redacted hacker place trick. Shall I?
It was accidental, sort of.
First, you are *not* Transhumanist?
In exchange for how your minor secret was
revealed, be open with me.
We talked a while back. How do you assess me now?
<OldCoder> Do not be too quick to judge me negatively. I assume that Transhumanist has, as he has not talked to me in a year. Why will you speak with me? And he will not? It is a rhetorical question.
<OldCoder> The answer is trivial. It does not involve Transhumanist though it is an odd coincidence that he turned up there. The following bit is a favor to you. Minor, but a favor regardless.
i think that makes sense
Will you say hello to Transhumanist for me?
A full Kiraly Cases tags system will be added in 2013.
131101. The conversations below are part of a sidebar to the Kiraly Cases.
The illustration below the post is distributed under the following license. For attribution purposes, the creator and rights holder is Blazbaros:
There's more humor here than usual for a Kiraly Case matter. Bedivere didn't want to talk, but he insisted on talking for an hour. I wanted to talk, but I told him for an hour to go away and sleep. It's like one of the more lightweight Monty Python sketches.
Humor or not, though, the issues involved are worth thinking about.
Bedivere is intelligent. He has integrity. We might have become friends. But that was ruled out by the Kiraly Cases. The conversations below took place on a recent night. At the start, he has just revealed that he has returned.
Bedivere was an employee of Amazon Corporation in mid-2012. In these conversations, he alludes briefly to Amazon's connection to the Kiraly Cases.
However, Bedivere was not one of Ken Kiraly's associates. Ken, for those who are new to this nonsense, was the inventor of the Amazon Kindle. And, in a regrettable move by God, Ken was my little Brother.
Bedivere also was not a member of the Amazon Corporation associated group that stalked and harassed me. Those were your people, Ken Kiraly, weren't they?
I don't think the Amazon Corporation connection is significant in this instance. But these conversations are about something that matters.
People are animals. Who reach for the stars. It is an interesting combination.
When the Kiralys came after me to stop the book, people I'd helped turned on me. They decided things based not on facts but on the Fur. The principle that facts don't matter. That people are to be judged based on group affiliations. On whether or not somebody has a “place” in the world.
A place that is defined not by what somebody does. But by who loves somebody. And by who hates them.
If those in power wish somebody gone, and resources are brought to bear, the target ceases to have an identity. No reason is needed. Others need only be aware that in some unspecified way, the target is “bad” and must be shunned.
Or must die.
This is not unusual. It is one of the forces that defines human society.
The text below has been edited for length, for clarity, and to address concerns that Bedivere expressed. In some cases, as IRC is asynchronous, questions and answers have been moved so that they are adjoining.
I often talk about you
i do recall that, yes
i feel fine, i still get odd pains
now and again
a wealth of things complicated
“room to honor what was said”
do you know why i changed my nicks
so many times?
<OldCoder> In exchange for what I felt when you wished my death... you will not try to explain your feelings? Or you cannot do so?
<OldCoder> What I felt... when somebody I'd spent even a few hours helping said that. Without a cause that I was able to perceive? I have learned since then how rare it is. Even for people to spend 5 minutes. Thinking of others. I am hunted. Yet I have done nothing. And people will not explain.
my suspicion is that this sort of thing
<OldCoder> I loved the way you talked. What does that mean? If it is OK to ask. I am still surprised at the thought that you are him. Such a difference and yet the same.
probably most like the fantasia cartoon
i have a compiler — it's not even a compiler
anymore :) — and i am attempting to hotfix a broken web
I will not press you.
But you are valuable to me.
<OldCoder> That is fine. Have I offended you by making the connection. To a cornerstone of my story? The person who I helped and who wished my death without cause? Speak further over Time to me. It is not much to request.
i did not wish that for you
<OldCoder> I need to understand people. I have paid a high enough price. For the privilege. Go now. Work on the scraper. See me if you need help.
there's no price
I am not able to follow. Greed on my part?
I did not absorb that you were Amazon.
<OldCoder> And problems with others under you or associates. Neither you nor I exhibited greed; the word does not apply. You were concerned about decisions. And about an IRC channel that we both viewed as significant. Foolish us. If Amazon was in the mix I did not really think about it. And you did not strike me as greedy.
<OldCoder> There was no exchange either. I gave of my time freely. I did that for everybody. But you were not the only person among those I sympathized with, and tried to help, who spoke of my death.
<OldCoder> I realized subsequently what people are. I sought to change the human condition in a small way. It will come to nothing in the end. But I wish to write of it.
<OldCoder> When you are able to speak to me further, I request this. I believe I know what people are and how decisions are made. I do need to write of this.
are you able to find peace out of it
<OldCoder> In time, if I can write about it. Until I can tell the story, there will be no peace. They hunt me still with the funds at their disposal.
You are here now but I suspect you yourself
have not thought about the answers
i too have a story unresolved
Very well. I am better and worse.
I am attempting to send you away that you may come again.
Go in peace and return to me.
<OldCoder> I did pay a price... without a purchase. Redeem part of the price. I will be waiting. Good night.
i don't know that you're exactly seeking
fairness in this
<OldCoder> What I seek is entirely fair. And I bend over backwards. You can't be compelled to speak with me. It must be your decision. Speak another time therefore. What conflict? What conflict is there in Truth?
Please, rest. I am older than you. But you need rest
as well. Come again when you are able.
<OldCoder> Do not use words such as greed again. Or seek, if you speak to me again, to dodge the core. People are what they are. The idea is to understand what that is.
we'll speak another time
<OldCoder> Do not reflect now. That was not the advice. Your Time has value. So does your life. To hear the questions is burden enough for one night. I wish you well too.
i understand, faithfully
<Bedivere> please allow me space from that matter. it was bad timing. i meant only to address the name under which i had gone, and i knew it would stir your arousal. i understand that it would have made cause for what it did, and that is fine.
<Bedivere> the timing was off, but it may not have been due to the set of circumstances between you or i. there were occurrences where action simply was required. this circumstance still remains.
<Bedivere> so i only told you the name i had gone under because integrity is important to me
<OldCoder> Bedivere, to quote a S.F. movie of the 1990s, “Sleep, Now.” You have no obligation to me. Only to what may help others. Or to what may be right.
<OldCoder> If I tell you that I am pleased to hear your marvelous phrasing again, and that I mean well, will you take things in stride? I am here to help you and others before I die. I do not judge you or others save for those who hunt me. I wish you for a friend.
Please rest and come again.
i would give up lavishes to live simply
this internet thing is strange
but i see the strange things it causes in a way that
does not yield happiness
See my History of the Internet
interrupting my night :)
What happened to me was unique. And it is no longer
a topic for this evening.
Side issue redacted
What is important, then?
<OldCoder> I am in a calm and reflective mood. Life matters to me though I may lose it. I will accomplish something before I go.
<OldCoder> Speak to me again and see me as human. Friendly and honest. I was not made for any of this. I sought to do good.
The price will be fierce. And it is not
it started somewhere
<OldCoder> Hm? pencils in the shirt pocket. What about them? Braces, too. Retainers. Fall to the ground. Clumsy kid.
Not sure I follow
you sure output a lot
Heh. It is getting better.
Look, you try learning to write again
under these conditions
Make your choice... you are the one pressing
at this time
Can you not take my advice; that you put this aside for now?
I wish you for a friend as I need friends.
To remain alive.
<Bedivere> you are a nice man, but in this matter you are far too complicated for taste
<OldCoder> If you dream, dream of an Old Coder who is what he is. It is not my concern that I be suitable to your taste or any other.
<OldCoder> This is a world that I never made. I sought nothing but to live and to do so simply. Even this was denied me. And to talk about it... That is a crime indeed.
sometimes i think inaction is the
best form of protest
do you see how needy this is though?
<OldCoder> You fumble about looking for an exit from the Truth. When I have made no demands of you. Save that you rest. And try to help people.
your words demanded my presence
<OldCoder> There is the boy who was killed 40 years ago. It happens. He was a ghost who looked out through my eyes. And wept.
you're an odd person
some people lose their way
No man crosses the river twice.
To be trite but true.
i leave you to it and i see not where it goes
<OldCoder> Help those who you can. And face the truth when you are able to. Not the same words at all. I wish to live. I help when I can. Who will even speak of the Truth? I understand the answer now. Better than in the past.
Task me not with *that* point.
Why was it you felt compelled to talk?
As I have said repeatedly, go to sleep
<OldCoder> I leave you now to your rest. Heh. Is that acceptable? I leave you now to be happy. To dream of the future. To return when you are able.
that was an odd conversation
<MaskedLua> hmmm... I don't get why however
<OldCoder> It has been an odd 2 years. And he is not the only person. Who wished somebody who tried to help to die. And who cannot articulate why.
<MaskedLua> lets save those thoughts for tomorrow, I have a reason I think is plausible but can't articulate it correctly tonight, and I need to be headed to bed
also, death in regards to those I care about is a subject that I
dislike to contemplate, it is hard to imagine anyone I care for
<OldCoder> Do not leave on that note. This is a good person. He is troubled by the issue. When you say good-night to me. Or to the world. Reflect on more than one thing. Seek balance.
A full Kiraly Cases tags system will be added in 2013.
131027. If the Kiralys come after you with a Botnet, it's good to know somebody like the Masked Lua.
Good evening, I am the Masked Lua.
Recently I had some server troubles (self caused). It revolved around one silly idea that we knew must work and that we must learn how to do it.
We accomplished the idea, though there was a good deal of trouble associated with it. We would like to thank our kind server host for being there physically (somewhat) to physically reboot our server every time we made a mistake that locked us out.
The issue is about OpenVPN.
OpenVPN is an open source project that does VPNs and is an extension in some senses upon traditional VPNs. It has pros and cons like any solution.
As a technical note, OpenVPN requires a VPN account with a VPN company in order to work.
There are other VPN protocols, such as a proprietary one from Cisco and IPsec, which secures communications between two sites so that you are in their network while connected.
You can see VPNs in use at educational environments, companies that have remote workers, by people who want to hide who they are, and for special purposes.
In my case, I needed a VPN to establish a static IP address. Due to my network setup, without a VPN, I could not have had a fully operational static IP. I could have had a static IP. But it would not have had a full set of ports and would have lacked UDP.
I chose OpenVPN because it was free, open source, worked on Linux, and would do what I needed.
The primary problem was this. We had got a new static IP and the static IP was provided to us thru the powers of OpenVPN. Now the thing is, after OpenVPN started, connections via the physical network interface, i.e. the original physical adapter, no longer worked.
Any existing connections or new attempted connections over the physical interface went to /dev/null in a manner of speaking.
We looked at many things, tried many things, and many things came up as a dead end.
Upon research, after OpenVPN was started, we noticed first of all that a new interface had appeared. The interface was named: tun0
We also observed that new routes had been set up by the OpenVPN server. It had changed the routing tables. Old entries were still there but some were different in unexpected ways.
For example, OpenVPN subverted the default route, or at least made things more confusing. Initially, the system had routed 0.0.0.0/0 to a physical interface named enp3s0. As 0.0.0.0/0 matches everything, this made enp3s0 the default gateway.
But OpenVPN pushed a new rule through to the client side, my system, that routed 0.0.0.0/1 to OpenVPN gateways. Specifically, 10.29.112.5 or 10.29.112.6. The new rule was inserted above the old default rule. As 0.0.0.0/1 matches a large number of IP addresses, this meant that OpenVPN had preempted the default.
We needed to understand this. So we set off to play with routes. We managed to lock ourselves out many times before we realized that we needed a routing table per device.
Hold on there, read that again, a routing table per device. We researched and looked thru the Internet and found documentation lacking desperately, but found one thing of hope that might help us:
Reading through that page, we started our journey.
The rest of this post shall discuss the state of our network before VPN, after VPN, and after VPN plus changes. The discussion is intended to benefit those who wish to learn. It is presented such that they can see how all the information was gleaned to create the change.
The OS used for experiments was Arch Linux. The utility used was primarily ip.
Note that due to me running a dual port Ethernet card and some virtual machines, I likely had more than what was necessary for some purposes. Some other important notes are that we were using a TUN VPN, not a TAP one.
OpenVPN, the type of VPN that I used, supported either a TUN or a TAP connection. TAP connections seem common in some places and TUN overall seems prevalent in others. TAP sends packets between the client and server totally encapsulating an Ethernet frame, resulting in TAP having a higher overhead.
This means that TAP and TUN work at different layers in the OSI scheme. My assumption is that TAP is working at a layer where multi-routing is inapplicable or different or difficult. I've heard of difficulties related to TAP and multi-routing previously.
TUN, by comparison, apparently works well at Layer 3, the routing layer. Additionally the VPN company that I used more or less chose TUN for me. This article is therefore oriented towards TUN.
Last but not least, read thru the routing tables provided closely, they reveal a lot. For instance, no one has any idea how a VPN company's internal network looks. But thru careful inference we can figure out enough to make our solution work. Basically, we route multiple uplinks and providers.
You will see the lines in ip route that say “via”. The part after “via” is the gateway.
The hardest part of my experiments was, and remains, writing code to get gateways associated to an interface and an IP address as well as getting the appropriate netmask for that interface.
When you look thru ip route output using the human brain to parse, things are fairly easy. It is natural for me. However, getting the appropriate steps done programmatically is more difficult. I continue to work on this part.
I tend to find that my mind can autosolve a problem in such a way that trying to go over the steps to solve that problem becomes harder than solving the problem.
The virbr* entries are not important because, 1) they existed before VPN startup, 2) they were virtual interfaces that were started by libvirtd for virtual machines, and 3) they had no effect on the actual topology of the two networks with direct connections to the Internet. However, entries of this type are included for completeness.
command: ip addr produced the output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

enp3s0 and enp5s0 are two halves of a normal dual port Ethernet NIC. enp3s0 is connected to a LAN. enp5s0 is not connected to anything and is therefore not relevant to the discussion.

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:21:5a:49:a9:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::221:5aff:fe49:a972/64 scope link
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:21:5a:49:a9:74 brd ff:ff:ff:ff:ff:ff

As mentioned previously, the virbr* entries are also not relevant to the discussion. They are, again, included for the sake of completeness.

4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 8e:f5:cb:18:9d:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global virbr1
       valid_lft forever preferred_lft forever
6: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN qlen 500
    link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff

vnet0 and vnet1 are related to the virbr* entries.

7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
    link/ether fe:54:00:be:8c:3a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:febe:8c3a/64 scope link
       valid_lft forever preferred_lft forever
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
    link/ether fe:54:00:2f:23:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe2f:23fc/64 scope link
       valid_lft forever preferred_lft forever
command: ip route produced the output:
default via 192.168.1.1 dev enp3s0
10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.22
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

command: route -n (or netstat -rn, both display the same) produced the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    enp3s0
10.0.3.0        0.0.0.0         255.255.255.0   U     virbr1
192.168.1.0     0.0.0.0         255.255.255.0   U     enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     virbr0

command: ip rule produced the output:

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
After OpenVPN was used to start a VPN, things changed as shown below. Two notes:
a. There were no problems with the entries displayed by ip addr. The real issue was an added rule that I mentioned previously. The ip addr entries did help me to figure things out, though.
b. ip route entries are somewhat better for this type of thing than ip addr entries are. They provide more complete information. However, both types are sufficient if effort is put into the matter.
command: ip addr produced the output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:21:5a:49:a9:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::221:5aff:fe49:a972/64 scope link
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:21:5a:49:a9:74 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 42:ad:be:c6:53:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global virbr1
       valid_lft forever preferred_lft forever
6: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr1 state DOWN qlen 500
    link/ether 52:54:00:67:c9:4f brd ff:ff:ff:ff:ff:ff
7: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
    link/ether fe:54:00:be:8c:3a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:febe:8c3a/64 scope link
       valid_lft forever preferred_lft forever
8: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr1 state UNKNOWN qlen 500
    link/ether fe:54:00:2f:23:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe2f:23fc/64 scope link
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.29.112.6 peer 10.29.112.5/32 scope global tun0
       valid_lft forever preferred_lft forever

command: ip route produced the output:

The first rule below is the one that caused most of the problems that I mentioned before.

0.0.0.0/1 via 10.29.112.5 dev tun0
default via 192.168.1.1 dev enp3s0
10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
10.29.112.1 via 10.29.112.5 dev tun0
10.29.112.5 dev tun0 proto kernel scope link src 10.29.112.6
<vpn-server-ip> via 192.168.1.1 dev enp3s0
128.0.0.0/1 via 10.29.112.5 dev tun0
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.22
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

command: route -n produced the output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Iface
0.0.0.0         10.29.112.5     128.0.0.0       UG    tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    enp3s0
10.0.3.0        0.0.0.0         255.255.255.0   U     virbr1
10.29.112.1     10.29.112.5     255.255.255.255 UGH   tun0
10.29.112.5     0.0.0.0         255.255.255.255 UH    tun0
<vpn-server-ip> 192.168.1.1     255.255.255.255 UGH   enp3s0
128.0.0.0       10.29.112.5     128.0.0.0       UG    tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     virbr0

command: ip rule produced the output:

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
The VPN didn't work as desired. Here is what happened. When I started the VPN, say that the physical interface was eth0 and the virtual interface created by the VPN was tun0.
After the VPN was started, all of a sudden, all connections on eth0 dropped, and new connections were impossible, receiving or sending. All traffic had to go thru the VPN and the VPN only.
Decisions were fed by looking at the differences between before and after starting VPN. When I saw more routes and looked at IPs things started to not make sense. So I asked myself questions. And learned and researched more. And tried some things that didn't work at all.
I locked myself out of the machine a lot. Then, as I researched, I stumbled across two posts on the Internet about multi-table routing. One was geared towards multi-uplink and the other one looked more general. But neither showed what to expect, other than for it to work without thinking.
Someone in IRC reminded me that 0.0.0.0/1 and 128.0.0.0/1 are the first and second halves of the Internet. I figured that since OpenVPN pushed rules containing those 2 netmasks, those rules should not be in the main routing table, where they would subvert other routing tables that might be created to fix the issue we were experiencing; therefore, we removed them promptly.
That was also something I tried before multi-table routing. What it did was make enp3s0 start working but tun0 stopped working.
The endeavor was fueled by wanting a solution that would allow both to be used as needed. And wanting a couple of ideas I had earlier to work that wouldn't be possible if both interfaces weren't functioning.
I set about researching it, going thru multiple ideas and failing, stumbling upon multi-table routing, piecing things together, changing things up slightly. Finally getting it to work.
After changes were in place:
command: ip addr produced the same results as before
command: ip route produced the output:
    default via 192.168.1.1 dev enp3s0
    10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
    10.29.112.0/24 dev tun0 scope link src 10.29.112.6
    10.29.112.1 via 10.29.112.5 dev tun0
    10.29.112.5 dev tun0 proto kernel scope link src 10.29.112.6
    220.127.116.11 via 192.168.1.1 dev enp3s0
    192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.22
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
command: route -n produced the output:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    enp3s0
    10.0.3.0        0.0.0.0         255.255.255.0   U     virbr1
    10.29.112.0     0.0.0.0         255.255.255.0   U     tun0
    10.29.112.1     10.29.112.5     255.255.255.255 UGH   tun0
    10.29.112.5     0.0.0.0         255.255.255.255 UH    tun0
    18.104.22.168   192.168.1.1     255.255.255.255 UGH   enp3s0
    192.168.1.0     0.0.0.0         255.255.255.0   U     enp3s0
    192.168.122.0   0.0.0.0         255.255.255.0   U     virbr0
command: ip rule produced the output:
    0:      from all lookup local
    32764:  from 10.29.112.6 lookup T2
    32765:  from 192.168.1.22 lookup T1
    32766:  from all lookup main
    32767:  from all lookup default
Now, looking thru all that, you can see the changes; given time and some painkillers, you could even deduce how to do most of this from the output alone. We won't make you do that, however.
Basically, to get an idea of what we are doing, let's turn those numbers into something easier to understand, i.e. names:
$IF1 shall be the name of interface 1 (the one that exists whether or not the tunnel exists; in our case enp3s0)
$IF2 shall be the name of the VPN interface (tun0)
$IP1 shall be the IPv4 address of interface $IF1 (192.168.1.22)
$IP2 shall be the IPv4 address of interface $IF2 (10.29.112.6)
$P1 shall be the gateway of $IF1 (192.168.1.1)
$P2 shall be the gateway of $IF2 (10.29.112.5)
$P1_NET shall be the subnet of $IF1 (192.168.1.0/24)
$P2_NET shall be the subnet of $IF2 (10.29.112.0/24)
All the information about the *2 variables (the VPN side) was gathered by inspecting the routing tables before and after, plus the IPv4 address info.
The key was to get anything coming in over enp3s0 to be routed back out the same way it came in (the same went for tun0).
So we needed per-device routing tables at this point. Let's call them T1 and T2, where T1 is for $IF1 (enp3s0) and T2 is for $IF2 (tun0). To register these tables we put some lines in /etc/iproute2/rt_tables.
The lines in question were:
    echo 1 T1 >> /etc/iproute2/rt_tables
    echo 2 T2 >> /etc/iproute2/rt_tables
Basically, we named two tables and gave them each an ID. (The ID 2 for T2 is assumed here; any number not already used in rt_tables works. IDs 1 through 252 are free by default, since 253 to 255 are reserved for the default, main and local tables.)
Next, we set those two tables up (T1 only knows the LAN; T2 knows the VPN subnet and defaults to the VPN gateway):
    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2
Next, we set up the main table with both connected networks:
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
Then, we made our default route, via the physical gateway:
    ip route add default via $P1
Next, we added routing rules (these choose which routing table a packet is routed with, based on its source address):
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2
Next, we removed the two routes the VPN had pushed to route the entire Internet thru its gateway:
    ip route del 0.0.0.0/1 via 10.29.112.5 dev tun0
    ip route del 128.0.0.0/1 via 10.29.112.5 dev tun0
Now for some words of advice:
If you try this kind of thing, have someone physically near your machine to power it off and on when you make mistakes.
Never, ever, enter commands of this type one by one. Put them in a script and run the script. If you do not heed this advice, you will get all the way to a certain rule and then be locked out.
Also, test your script, and modify it when network topologies change. There will be commands in your script that fail because a route already exists or does not exist. Remove them (or at least comment them out).
Now, if you are a tinkerer and thinker, you may be wondering why, in the "Fixed" portion of our examples, some of the rules we added aren't showing up.
ip route shows only the main table by default. Run:
    ip route show table all
and you'll get something like this:
    192.168.1.0/24 dev enp3s0 table T1 scope link src 192.168.1.22
    default via 10.29.112.5 dev tun0 table T2
    10.29.112.0/24 dev tun0 table T2 scope link src 10.29.112.6
    default via 192.168.1.1 dev enp3s0
    10.0.3.0/24 dev virbr1 proto kernel scope link src 10.0.3.1
    10.29.112.0/24 dev tun0 scope link src 10.29.112.6
    10.29.112.1 via 10.29.112.5 dev tun0
    10.29.112.5 dev tun0 proto kernel scope link src 10.29.112.6
    22.214.171.124 via 192.168.1.1 dev enp3s0
    192.168.1.0/24 dev enp3s0 scope link src 192.168.1.22
    192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
    broadcast 10.0.3.0 dev virbr1 table local proto kernel scope link src 10.0.3.1
    local 10.0.3.1 dev virbr1 table local proto kernel scope host src 10.0.3.1
    broadcast 10.0.3.255 dev virbr1 table local proto kernel scope link src 10.0.3.1
    local 10.29.112.6 dev tun0 table local proto kernel scope host src 10.29.112.6
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    broadcast 192.168.1.0 dev enp3s0 table local proto kernel scope link src 192.168.1.22
    local 192.168.1.22 dev enp3s0 table local proto kernel scope host src 192.168.1.22
    broadcast 192.168.1.255 dev enp3s0 table local proto kernel scope link src 192.168.1.22
    broadcast 192.168.122.0 dev virbr0 table local proto kernel scope link src 192.168.122.1
    local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1
    broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1
    local ::1 dev lo proto kernel metric 256
    fe80::/64 dev enp3s0 proto kernel metric 256
    fe80::/64 dev vnet0 proto kernel metric 256
    fe80::/64 dev vnet1 proto kernel metric 256
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
    local ::1 dev lo table local proto none metric 0
    local fe80::221:5aff:fe49:a972 dev lo table local proto none metric 0
    local fe80::fc54:ff:fe2f:23fc dev lo table local proto none metric 0
    local fe80::fc54:ff:febe:8c3a dev lo table local proto none metric 0
    ff00::/8 dev enp3s0 table local metric 256
    ff00::/8 dev vnet0 table local metric 256
    ff00::/8 dev vnet1 table local metric 256
    unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
Now for the final part, an OpenVPN script that I'm still refining. It works for me and, when finished, might work for others.
This version is specific to the network that I used. I hope to write a generic version that might work on all networks. Until that is done, this version suffices for me (tho I have made minor changes), and it may be useful as an example to educate others.
    #!/usr/bin/env bash
    # Per-interface routing for enp3s0 (physical) and tun0 (OpenVPN).
    # Run as root after the VPN is up; T1 and T2 must already be named in /etc/iproute2/rt_tables.
    IF1=enp3s0
    IF2=tun0
    IP1=192.168.1.22
    IP2=10.29.112.6
    P1=192.168.1.1
    P2=10.29.112.5
    P1_NET=192.168.1.0/24
    P2_NET=10.29.112.0/24

    # Clear any existing versions of the routes and rules we are about to add
    # (deleting an entry that does not exist only prints an error and continues).
    ip route del $P1_NET dev $IF1 src $IP1 table T1
    #ip route del default via $P1 table T1
    ip route del $P2_NET dev $IF2 src $IP2 table T2
    ip route del default via $P2 table T2
    ip route del $P1_NET dev $IF1 src $IP1
    ip route del $P2_NET dev $IF2 src $IP2
    ip route del default via $P1
    ip rule del from $IP1 table T1
    ip rule del from $IP2 table T2

    # Per-interface tables: T1 only knows the LAN, T2 knows the VPN subnet and defaults to the VPN gateway.
    ip route add $P1_NET dev $IF1 src $IP1 table T1
    ip route add $P2_NET dev $IF2 src $IP2 table T2
    ip route add default via $P2 table T2

    # Main table: both connected networks, with the physical gateway as the default.
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
    ip route add default via $P1

    # Policy rules: traffic sourced from each address is routed with that interface's table.
    ip rule add from $IP1 table T1
    ip rule add from $IP2 table T2

    # Remove the two half-Internet routes OpenVPN pushed (redirect-gateway def1).
    ip route del 0.0.0.0/1 via $P2 dev $IF2
    ip route del 128.0.0.0/1 via $P2 dev $IF2
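As an added example, not the author's script and not part of the original post, here is the kind of generic version the text above hopes for, covering the step sequence (register tables, fill T1/T2 and main, add rules, drop the two /1 routes) and the advice about commands that fail when a route already exists. It derives the eight values from `ip` output instead of hard-coding them, uses `ip route replace` so re-running never trips over "RTNETLINK answers: File exists", and deletes each rule before adding it so duplicates do not pile up. The table names T1/T2, their IDs 1/2 and the rule priorities 100/101 are assumptions; so is the split into a `plan_routes` function that only prints commands and an `apply_live` function that runs them. One thing to be clear about before using it: once the two /1 routes are gone, the host's default path is the physical interface again, and only traffic sourced from the VPN address (or sent into the VPN subnet) uses the tunnel. That is the opposite of a VPN kill switch, so this is the right design only when the VPN is meant as an additional path, not the only one.

```shell
#!/usr/bin/env bash
# Added example, not the author's script: a generic, idempotent version of the
# per-interface routing setup above. Parameters come from `ip` output (live, or
# captured text when you only want to see the plan), adds use `ip route replace`,
# and rules are deleted before being re-added, so re-running is safe.
# Assumptions: table names T1/T2 with IDs 1/2 and rule priorities 100/101.
set -u

# Gateway a device forwards to: the "default via" route or, for a VPN that pushed
# redirect-gateway, the first half-Internet route ("0.0.0.0/1 via ...").
# Reads `ip route` output on stdin.
gateway_for_dev() {
    awk -v d="$1" '($1 == "default" || $1 ~ /\/1$/) && $2 == "via" && $5 == d { print $3; exit }'
}

# On-link prefix the kernel installed for a device; for a point-to-point tun this
# is the peer's host address rather than a subnet. Reads `ip route` on stdin.
link_prefix_for_dev() {
    awk -v d="$1" '$2 == "dev" && $3 == d && /proto kernel/ { print $1; exit }'
}

# IPv4 address of a device, from `ip -o -4 addr show dev <dev>` on stdin.
addr_for_dev() {
    awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Half-Internet routes a VPN pushed, as "<prefix> <gateway> <dev>" lines. Run
# `ip -4 route | find_half_routes` afterwards as a check: it should print nothing.
find_half_routes() {
    awk '$1 ~ /\/1$/ && $2 == "via" { print $1, $3, $5 }'
}

# Print the ip(8) commands, one per line, without running them.
# Arguments: IF1 IP1 P1 P1_NET IF2 IP2 P2 P2_NET (same meaning as in the post).
plan_routes() {
    local IF1=$1 IP1=$2 P1=$3 P1_NET=$4 IF2=$5 IP2=$6 P2=$7 P2_NET=$8
    cat <<EOF
grep -qw T1 /etc/iproute2/rt_tables || echo '1 T1' >> /etc/iproute2/rt_tables
grep -qw T2 /etc/iproute2/rt_tables || echo '2 T2' >> /etc/iproute2/rt_tables
ip route replace $P1_NET dev $IF1 src $IP1 table T1
ip route replace default via $P1 dev $IF1 table T1
ip route replace $P2_NET dev $IF2 src $IP2 table T2
ip route replace default via $P2 dev $IF2 table T2
ip route replace $P1_NET dev $IF1 src $IP1
ip route replace $P2_NET dev $IF2 src $IP2
ip route replace default via $P1 dev $IF1
while ip rule del from $IP1 table T1 2>/dev/null; do :; done
while ip rule del from $IP2 table T2 2>/dev/null; do :; done
ip rule add from $IP1 table T1 pref 100
ip rule add from $IP2 table T2 pref 101
ip route del 0.0.0.0/1 via $P2 dev $IF2 2>/dev/null || true
ip route del 128.0.0.0/1 via $P2 dev $IF2 2>/dev/null || true
EOF
}

# Derive all eight values from the running system, then run the plan (needs root).
# Must run while the VPN's pushed routes are still present, e.g. from an OpenVPN
# --route-up hook; otherwise the VPN gateway cannot be detected and sh -e stops
# before any rule is touched.
apply_live() {
    local IF1=$1 IF2=$2 routes
    routes=$(ip -4 route show)
    plan_routes "$IF1" \
        "$(ip -o -4 addr show dev "$IF1" | addr_for_dev)" \
        "$(printf '%s\n' "$routes" | gateway_for_dev "$IF1")" \
        "$(printf '%s\n' "$routes" | link_prefix_for_dev "$IF1")" \
        "$IF2" \
        "$(ip -o -4 addr show dev "$IF2" | addr_for_dev)" \
        "$(printf '%s\n' "$routes" | gateway_for_dev "$IF2")" \
        "$(printf '%s\n' "$routes" | link_prefix_for_dev "$IF2")" | sh -e
}

# Usage: ./split-routing.sh apply enp3s0 tun0   (no arguments: only defines the functions)
case "${1:-}" in
    apply) apply_live "$2" "$3" ;;
esac
```

To see what would be run before trusting it, source the file and call `plan_routes` with the eight values by hand. After applying, `ip route get 1.1.1.1 from 10.29.112.6` should report dev tun0 while plain `ip route get 1.1.1.1` should report dev enp3s0, and `ip -4 route | find_half_routes` should print nothing. If the OpenVPN client config can be changed, `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4 and later) stops the two /1 routes from being installed in the first place, which makes the last two commands of the plan unnecessary.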