Re: openvpn fixes against svn 3140
- From: Jon Escombe <lists dresco co uk>
- To: Casey Harkins <caseyharkins gmail com>
- Cc: networkmanager-list gnome org
- Subject: Re: openvpn fixes against svn 3140
- Date: Thu, 06 Dec 2007 19:37:38 +0000
Casey Harkins wrote:
Jon Escombe wrote:
----- "Casey Harkins" <caseyharkins gmail com> wrote:
I don't think openvpn should be trying to set up routes unless specific
options are being passed (--route, --route-gateway), but I could be
wrong. Either way, there's no harm in passing that option.
Could be, my gateway etc is pushed from the server options so that
might be enough to prompt it. Here it sets up a specific route to the
vpn server, and then sets up the default route via the gateway
address I'm pushing (see below). I've added the --route-noexec option
to nm-openvpn-service and that definitely stops all three 'ip route'
commands. NM at this point correctly sets up the route to the vpn
server, and changes the default route - just doesn't include the
remote gateway.
So, let's do this symbolically rather than with IP addresses:
VPN_SERVER: public ip of vpn server
This appears to be called "gateway" in vpnc and "remote" in openvpn.
NM needs to establish a route to this ip over the underlying network
connection. For openvpn, this ip is also returned in the "trusted_ip"
env var and getting passed back to NM as the IP_CONFIG_GATEWAY.
VPN_GATEWAY: gateway for vpn routed traffic
This is what the vpn server is returning for a gateway for the vpn'ed
traffic. This is in the "route_vpn_gateway" for openvpn, but is not
being handled currently. For vpnc, it looks like this is "VPNGATEWAY"
and is getting passed back to NM as the IP4_CONFIG_GATEWAY. NM should
be using this as the gateway for the default route (if all traffic is
going to be routed over the vpn).
What I'm seeing is that NM is using IP4_CONFIG_GATEWAY to maintain a
route to the vpn server, and not specifying a gateway for the default
route. I presume this needs to be changed and we either need an
additional IP4_CONFIG variable for specifying the VPN_SERVER or vpn
plugins need to push a route to the VPN_SERVER to NM.
Does this make sense?
-casey
Yes, that matches my understanding of how I think it should work. For
info - I've just tested a server config that doesn't push a gateway
down, and can confirm that the openvpn client doesn't set the
route_vpn_gateway environment variable or attempt any routing in this case.
Regards,
Jon