Re: push "redirect-gateway def1" no longer seems to work on OpenVPN plugin



On Tue, Sep 2, 2008 at 10:31 AM, Dan Williams <dcbw redhat com> wrote:
> On Sun, 2008-08-31 at 04:01 -0400, Darren Albers wrote:
>> On Sun, Aug 17, 2008 at 4:07 PM, Darren Albers <dalbers gmail com> wrote:
>> > On Sun, Aug 17, 2008 at 2:37 PM, Darren Albers <dalbers gmail com> wrote:
>> >> I am running SVN 3973 and the OpenVPN plugin works well and my
>> >> specific routes are all pushed to my client but the push
>> >> "redirect-gateway def1"
>> >>  seems to be failing.
>> >>
>>
>> Sorry to bug but am I the only one seeing this issue?
>
> Probably not, but any idea on how this gets pushed to the client scripts?
> We'd need to figure that out and handle that in either NM or the openvpn
> plugin helper when generating the IP4 config.  BTW, is your objective to
> not route all traffic over the VPN?  What's your desired routing
> configuration?
>
> There are some issues to be worked through with tun vs. tap devices and
> how NM figures out some of the IP configuration, because it seems that
> things like netmasks (--ifconfig-push for tun devices doesn't send a
> netmask at all, and static-key doesn't allow netmasks to be specified
> via the command line) always have to get handled out-of-band in various
> random connect scripts that people have to write all the time.
>
>
> Dan
>
>

What I am looking for is to route all traffic down the VPN tunnel
rather than just specific subnets.   According to the OpenVPN
documentation this is what happens:
--redirect-gateway [local] [def1]
    (Experimental) Automatically execute routing commands to cause all
outgoing IP traffic to be redirected over the VPN.

    This option performs three steps:

    (1) Create a static route for the --remote address which forwards
to the pre-existing default gateway. This is done so that (3) will not
create a routing loop.

    (2) Delete the default gateway route.

    (3) Set the new default gateway to be the VPN endpoint address
(derived either from --route-gateway or the second parameter to
--ifconfig when --dev tun is specified).

    When the tunnel is torn down, all of the above steps are reversed
so that the original default route is restored.

    Add the local flag if both OpenVPN servers are directly connected
via a common subnet, such as with wireless. The local flag will cause
step 1 above to be omitted.

    Add the def1 flag to override the default gateway by using
0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit
of overriding but not wiping out the original default gateway.

    Using the def1 flag is highly recommended, and is currently
planned to become the default by OpenVPN 2.1.

So we need to add a specific route to the VPN gateway that has the
next hop set to the local gateway, then add the default gateway that
goes to the VPN endpoint IP.   When I run openvpn from a command line
it seems to handle all this by itself and the old OpenVPN plugin used
to do this.

If you would like the specific commands to add these routes I can send
them to you.

Thanks!
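
Added example, not part of the original message and not NetworkManager or OpenVPN code: a small model of the routing table that shows what the quoted def1 steps produce and how to check that no destination bypasses the tunnel when the pushed option is or is not applied. The addresses and the device names eth0 and tun0 are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation/private ranges), not from the thread.
REMOTE, ORIG_GW, VPN_GW = "203.0.113.10", "192.168.1.1", "10.8.0.5"
BASE = [  # (destination, next hop, device) before the tunnel comes up
    (ipaddress.ip_network("0.0.0.0/0"), ORIG_GW, "eth0"),
    (ipaddress.ip_network("192.168.1.0/24"), None, "eth0"),
]

def def1_routes(remote, orig_gw, vpn_gw, local=False):
    """Routes added by redirect-gateway def1, following the quoted steps."""
    routes = []
    if not local:
        # Step 1: keep the encrypted transport itself on the original gateway.
        routes.append((ipaddress.ip_network(remote + "/32"), orig_gw, "eth0"))
    # def1: cover all of IPv4 with two /1 routes; 0.0.0.0/0 stays in the table.
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        routes.append((ipaddress.ip_network(half), vpn_gw, "tun0"))
    return routes

def lookup(table, dst):
    """Longest-prefix match, as the kernel does for a destination address."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def outside_tunnel(table, probes, tun_dev="tun0"):
    """Probe destinations whose selected route does not use the tunnel device."""
    return [p for p in probes
            if (lookup(table, p) or (None, None, None))[2] != tun_dev]

PROBES = ["1.2.3.4", "198.51.100.7"]  # one constructed address in each /1 half
full_tunnel = BASE + def1_routes(REMOTE, ORIG_GW, VPN_GW)

if __name__ == "__main__":
    print("before:", outside_tunnel(BASE, PROBES))         # both bypass the VPN
    print("after: ", outside_tunnel(full_tunnel, PROBES))  # none bypass it
    print("remote:", lookup(full_tunnel, REMOTE))          # still via ORIG_GW
```

Routes more specific than /1, such as the on-link 192.168.1.0/24 entry, still win the lookup, so local-subnet traffic stays outside the tunnel in this model.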

