Re: openvpn fixes against svn 3140



Jon Escombe wrote:
----- "Casey Harkins" <caseyharkins gmail com> wrote:

I don't think openvpn should be trying to set up routes unless specific
options are being passed (--route, --route-gateway), but I could be
wrong. Either way, there's no harm in passing that option.


Could be, my gateway etc. is pushed from the server options so that might be enough to prompt it. Here it sets up a specific route to the vpn server, and then sets up the default route via the gateway address I'm pushing (see below). I've added the --route-noexec option to nm-openvpn-service and that definitely stops all three 'ip route' commands. NM at this point correctly sets up the route to the vpn server, and changes the default route - just doesn't include the remote gateway.



So, let's do this symbolically rather than with IP addresses:

VPN_SERVER: public ip of vpn server
This appears to be called "gateway" in vpnc and "remote" in openvpn. NM needs to establish a route to this ip over the underlying network connection. For openvpn, this ip is also returned in the "trusted_ip" env var and getting passed back to NM as the IP_CONFIG_GATEWAY.

VPN_GATEWAY: gateway for vpn routed traffic
This is what the vpn server is returning for a gateway for the vpn'ed traffic. This is in the "route_vpn_gateway" for openvpn, but is not being handled currently. For vpnc, it looks like this is "VPNGATEWAY" and is getting passed back to NM as the IP4_CONFIG_GATEWAY. NM should be using this as the gateway for the default route (if all traffic is going to be routed over the vpn).

What I'm seeing is that NM is using IP4_CONFIG_GATEWAY to maintain a route to the vpn server, and not specifying a gateway for the default route. I presume this needs to be changed and we either need an additional IP4_CONFIG variable for specifying the VPN_SERVER or vpn plugins need to push a route to the VPN_SERVER to NM.

Does this make sense?

-casey
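
The VPN_SERVER / VPN_GATEWAY split described in the message above, as an added shell example (not code from this thread, NetworkManager or openvpn). It prints the two routes rather than executing them, reading `trusted_ip` and `route_vpn_gateway` as named in the message; `route_net_gateway` and `dev` are further openvpn script variables assumed here, the function names are hypothetical, and the equality check is an added sanity test.

```shell
#!/bin/sh
# Added example: meant to be sourced from an openvpn --up script run with
# --route-noexec, so that nothing else installs routes behind its back.

is_ipv4() {
    # Dotted-quad only, so nothing else can reach a command line.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

plan_routes() {
    vpn_server=${trusted_ip:-}           # VPN_SERVER: public IP of the VPN server
    vpn_gateway=${route_vpn_gateway:-}   # VPN_GATEWAY: next hop for tunnelled traffic
    net_gateway=${route_net_gateway:-}   # assumed: pre-VPN gateway on the underlying network
    tun_dev=${dev:-}                     # assumed: tunnel device name

    for v in "$vpn_server" "$vpn_gateway" "$net_gateway"; do
        is_ipv4 "$v" || { echo "error: missing or invalid address '$v'" >&2; return 2; }
    done
    [ -n "$tun_dev" ] || { echo "error: dev not set" >&2; return 2; }

    # Added sanity check: the server's public IP must not double as the
    # gateway for tunnelled traffic, or the two roles have been conflated.
    if [ "$vpn_server" = "$vpn_gateway" ]; then
        echo "error: VPN_GATEWAY equals VPN_SERVER" >&2
        return 3
    fi

    # 1. Host route: the encrypted transport stays on the underlying network.
    echo "ip route add $vpn_server/32 via $net_gateway"
    # 2. Default route: everything else goes to the gateway inside the tunnel.
    echo "ip route replace default via $vpn_gateway dev $tun_dev"
}
```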

