Re: vpnc and determining correct routes



On Mon, 2006-10-23 at 16:07 +0200, Stefan Schmidt wrote:
> Hello.
> 
> On Mon, 2006-10-23 at 09:43, Dan Williams wrote:
> > On Mon, 2006-10-23 at 15:01 +0200, Stefan Schmidt wrote:
> > 
> > Right; there's a proliferation of options here.  We have a few
> > situations:
> > 
> > - Admins route all traffic through VPN, user wishes to override (vpnc
> > plugin already handles this case)
> 
> Perhaps a problem with network policy, but the user can override this
> at the command line anyway. Should be fine.
> 
> > - Admins push split networks, but user wishes to override one or more
> 
> Just so I don't get you wrong: the split-net routing is not working
> without manually setting routes yet, right? As this is what Thomas was
> talking about.

Right.  Split DNS doesn't work at all yet.

> > What's needed here is an extension of the current routing preferences.
> > We likely need two lists, one for "route only these netblocks over the
> > VPN explicitly" and a second for "never route these netblocks over the
> > VPN".
> > 
> > The next problem is split DNS; do people care about that?  Ideally we
> > only query the VPN nameservers for names in a certain domain (passed
> > vpnc as CISCO_DEF_DOMAIN).  Sometimes though, admins don't push the
> > default domain and you have to manually fill it in for a split network
> > setup.  But that requires using named as a local caching nameserver,
> > which people, for some inconceivable reason, are very vocally against.
> > So right now all DNS queries go over the VPN.
> > 
> > So basically, we have to modify the user interface to:
> > 
> > - Add a "Never route these over VPN" entry
> > - Add an "Override default domain name" entry
> > - Modify the vpnc service daemon to push split networks to NM
> 
> Same as above. vpnc-plugin doesn't know the pushed routes yet, right?

Correct, it doesn't care about the environment variables that vpnc
pushes out for split routing yet.

> Sorry to bother you about this again and again, but I'd like to make sure I
> understand it right.
> 
> > - Make NM do split DNS if requested
> > 
> > This stuff won't get into 0.6.4, but I'd certainly accept patches for
> > 0.7/HEAD.  If I could find time to work on it in between dbus-ifying
> > wpa_supplicant, the new config framework, and multiple active devices,
> > I'd take a look at it :)
> 
> That sounds like a lot of work.

Not a ton of work, you just need to know where to put the code.  I'd be
happy to point people in the right direction.

> Is the original author of the vpnc-plugin still working on it? Sorry,
> did not check the CVS for a long time.

I did the backend bits, and David Zeuthen (of HAL fame) did the GUI
bits.  So nobody's picked up and left, just concentrating on other
things that are important to NetworkManager too.

Dan

> regards
> Stefan Schmidt
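
Added example (not part of the original thread, and not NetworkManager or vpnc code): a sketch of how the pushed split networks, the two proposed route lists, and the split-DNS decision discussed above could be combined. The `CISCO_SPLIT_INC*` names are the variables vpnc exports to its connect script; the function names, the precedence rules, and the sample values are assumptions made for illustration.

```python
import ipaddress

def pushed_split_networks(env):
    """Netblocks the gateway pushed, as vpnc exports them to its script."""
    nets = []
    for i in range(int(env.get("CISCO_SPLIT_INC", "0"))):
        addr = env[f"CISCO_SPLIT_INC_{i}_ADDR"]
        masklen = env[f"CISCO_SPLIT_INC_{i}_MASKLEN"]
        nets.append(ipaddress.ip_network(f"{addr}/{masklen}", strict=False))
    return nets

def effective_vpn_routes(pushed, only_these=(), never_these=()):
    """Combine pushed routes with the two user lists from the thread.

    Assumed precedence (hypothetical, not NetworkManager's behaviour):
    'only these' replaces the pushed list, no list at all means route
    everything, and 'never these' is carved out of whatever remains.
    """
    routes = list(only_these) or list(pushed) or [ipaddress.ip_network("0.0.0.0/0")]
    for deny in never_these:
        carved = []
        for net in routes:
            if net.subnet_of(deny):
                continue                      # route lies wholly inside the exclusion
            if deny.subnet_of(net):
                carved.extend(net.address_exclude(deny))  # punch a hole in the route
            else:
                carved.append(net)            # disjoint, keep as is
        routes = carved
    return sorted(ipaddress.collapse_addresses(routes))

def query_goes_to_vpn_dns(name, env, override_domain=None):
    """Split DNS: only names under the VPN domain use the VPN nameservers."""
    domain = (override_domain or env.get("CISCO_DEF_DOMAIN") or "").lower().strip(".")
    if not domain:
        return True   # assumption: no domain known, so all DNS goes over the VPN
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)  # match on a label boundary

# Constructed sample environment, not captured from a real gateway.
SAMPLE_ENV = {
    "CISCO_SPLIT_INC": "2",
    "CISCO_SPLIT_INC_0_ADDR": "10.0.0.0", "CISCO_SPLIT_INC_0_MASKLEN": "8",
    "CISCO_SPLIT_INC_1_ADDR": "192.168.50.0", "CISCO_SPLIT_INC_1_MASKLEN": "24",
    "CISCO_DEF_DOMAIN": "corp.example.com",
}
NEVER = [ipaddress.ip_network("10.1.0.0/16")]   # constructed "never route" entry

if __name__ == "__main__":
    for net in effective_vpn_routes(pushed_split_networks(SAMPLE_ENV), never_these=NEVER):
        print(net)
```

Matching the domain on a label boundary keeps a lookalike such as `notcorp.example.com` away from the VPN nameservers, and carving the exclusion into covering prefixes keeps the excluded block off the tunnel without relying on route metrics.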



