Re: openvpn fixes against svn 3140

[Casey Harkins <caseyharkins gmail com>]

Jon Escombe wrote:
> ----- "Casey Harkins" <caseyharkins gmail com> wrote:
>
> > I don't think openvpn should be trying to setup routes unless specific
> > options are being passed (--route, --route-gateway), but I could be
> > wrong. Either way, there's no harm in passing that option.
>
> Could be, my gateway etc is pushed from the server options so that might be enough to prompt it. Here it sets up a specific route to the vpn server, and then sets up the default route via the gateway address I'm pushing (see below). I've added the --route-noexec option to nm-openvpn-service and that definitely stops all three 'ip route' commands. NM at this point correctly sets up the route to the vpn server, and changes the default route - just doesn't include the remote gateway..


So, lets do this symbolically rather than with IP addressed:

VPN_SERVER: public ip of vpn server
This appears to be called "gateway" in vpnc and "remote" in openvpn. NM 
needs to establish a route to this ip over the underlying network 
connection. For openvpn, this ip is also returned in the "trusted_ip" 
env var and getting passed back to NM as the IP_CONFIG_GATEWAY.

VPN_GATEWAY: gateway for vpn routed traffic
This is what the vpn server is returning for a gateway for the vpn'ed 
traffic. This is in the "route_vpn_gateway" for openvpn, but is not 
being handled currently. For vpnc, it looks like this is "VPNGATEWAY" 
and is getting passed back to NM as the IP4_CONFIG_GATEWAY. NM should be 
using this as the gateway for the default route (if all traffic is going 
to be routed over the vpn).

What I'm seeing is that NM is using IP4_CONFIG_GATEWAY to maintain a 
route to the vpn server, and not specifying a gateway for the default 
route. I presume this needs to be changed and we either need an 
additional IP4_CONFIG variable for specifying the VPN_SERVER or vpn 
plugins need to push a route to the VPN_SERVER to NM.

Does this make sense?

-casey