Re: Trouble setting VPN for specific IP via NetworkManager



On Mon, 2011-10-24 at 18:41 -0700, Michael Butash wrote:
> I've noticed similar behavior using vpnc-based VPNs that don't set up 
> routes quite right.  It adds the prefixes negotiated for routes by the 
> server, but it still insists on repointing a default route at the tun 
> interface as well, breaking split-tunneling.  I keep forgetting to spam 
> the list asking about this, thanks for the reminder.  :)
> 
> Can NM not explicitly repoint the default route to a tunnel please?  You 
> only want this when the vpn server sends an explicit default, but for 
> split tunneling, it needs to be versatile and only add the prefixes 
> wanted, leaving the default at the original gateway.

There's an NM option for this: check the "Only use this connection for
resources on its network" box in the IPv4 Routes dialog that does this.
If the VPN plugin has enough information about the routing to know that
it shouldn't have the default route, then it can indicate that fact to
NM as well.  The vpnc and openconnect plugins already do this when the
server sends any routes at all, since sending routes would be pointless
if the VPN were supposed to have the default route.

In my experience, almost nobody sends an explicit default route in the
routes list when they want the VPN to claim the default route.  So since
it's a VPN, the assumption is that you want to be more secure, and thus
push all traffic through the VPN, unless you (or the person setting the
VPN up for you, or the VPN plugin itself) knows that's not going to be
the case.  The other way around doesn't work as well in the default
case.

Dan

> You can remove and add routes manually every time, it's more or less 
> what I do to override nm's bad behavior, but vpnc doesn't use ppp 
> interfaces.  Not sure why that is complicating for you other than the 
> fact the ppp interface
> 
> Try "route add default dev ppp0" without a gw addy?  PPP doesn't use 
> gateways per se.
> 
> -mb
> 
> 
> On 10/23/2011 02:33 PM, Mohan Sfo wrote:
> > Hello all,
> >
> > I apologize for asking such an elementary question on this list. Thanks
> > for your help. Two questions below:
> >
> > 1) I am playing with setting up VPN via NetworkManager. I am able to
> > successfully set up VPN. Unfortunately, it is setting up *all* the routes
> > to go via the VPN. I want traffic for only a few addresses to go via VPN
> > and everything else to use the existing routes on wlan0. How do I do it?
> >
> > 2) Where are the log files for VPN or pppd stuff in NetworkManager? How
> > do I set it up so that there is logging so that I can debug why I am having
> > connectivity problems?
> >
> > After setting up VPN connection:
> > #route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 10.116.78.13    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> > 226.22.44.56    192.168.2.1     255.255.255.255 UGH   0      0        0 wlan0
> > 226.22.44.56    192.168.2.1     255.255.255.255 UGH   0      0        0 wlan0
> > 192.168.2.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
> > 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
> > #
> >
> >
> > I deleted the default route below, and then added wlan0 as the new
> > default route. Regular stuff like google.com is
> > working fine over wlan0. However, I run into trouble when I tell that
> > specific IP lists should go over ppp0.
> >
> > #route del default
> > #route add default gw 192.168.2.1 dev wlan0
> >
> >
> > Now, I run into trouble when I tell that specific IP 10.10.115.123
> > should go over ppp0.
> >
> >
> > #route add host 10.10.115.123 gw 0.0.0.0 dev ppp0
> > SIOCADDRT: Invalid argument
> >
> >
> > Please suggest how I can do it over command line via route or via
> > NetworkManager.
> >
> >
> >
> > Thanks,
> > Mohan
> >
> >
> > _______________________________________________
> > networkmanager-list mailing list
> > networkmanager-list gnome org
> > http://mail.gnome.org/mailman/listinfo/networkmanager-list
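The two pieces of the thread that a reader is likely to want to try are: checking whether the tunnel has taken over the default route (the symptom in Mohan's `route -n` output) and, for the split-tunnel case Michael describes, keeping the default on the LAN gateway while pinning only specific hosts to the tunnel. The script below is an added illustration, not code from the thread or from NetworkManager; it works on a constructed copy of the routing table from the original post and only prints the corrective commands, using the iproute2 `ip route` syntax rather than net-tools `route`. The interface names, the gateway 192.168.2.1 and the host 10.10.115.123 are taken from the thread; nothing here touches the live routing table.

```shell
#!/bin/sh
# Constructed sample of `route -n` output, copied from the original post
# (not a live capture). Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.116.78.13    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
226.22.44.56    192.168.2.1     255.255.255.255 UGH   0      0        0 wlan0
192.168.2.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0'

# Print the interface that carries the default route (Destination and
# Genmask both 0.0.0.0) from `route -n` text read on stdin.
default_iface() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $8; exit }'
}

# Exit 0 when the default route sits on the tunnel interface given as $1
# (i.e. NM has made this a full tunnel), 1 otherwise. Routing table on stdin.
vpn_owns_default() {
    [ "$(default_iface)" = "$1" ]
}

# Print the host routes (Genmask 255.255.255.255) currently pointed at the
# interface given as $1, one destination per line. Routing table on stdin.
host_routes_via() {
    awk -v ifc="$1" '$3 == "255.255.255.255" && $8 == ifc { print $1 }'
}

# Print (do not run) the iproute2 commands that restore split tunneling:
# default route back on the LAN gateway, then one /32 per host via the tunnel.
# A point-to-point ppp link needs no gateway address, so the host routes carry
# only "dev". Arguments: tunnel iface, LAN iface, LAN gateway, hosts...
split_tunnel_commands() {
    tun=$1; lan=$2; gw=$3; shift 3
    printf 'ip route replace default via %s dev %s\n' "$gw" "$lan"
    for h in "$@"; do
        printf 'ip route replace %s/32 dev %s\n' "$h" "$tun"
    done
}

# Usage: report on the constructed table and print the fix for one host.
if printf '%s\n' "$SAMPLE_ROUTES" | vpn_owns_default ppp0; then
    echo "default route is on ppp0: full tunnel"
    split_tunnel_commands ppp0 wlan0 192.168.2.1 10.10.115.123
fi
```

On a live system, feed the functions with `route -n | vpn_owns_default ppp0` (or the equivalent `ip route` listing) and run the printed commands as root once you have checked them. The `SIOCADDRT: Invalid argument` in the original post comes from net-tools `route`, whose host flag is spelled `-host` and which needs no `gw` on a ppp link; the iproute2 form above avoids both pitfalls. The lasting fix is still the one Dan names: the NetworkManager "only use this connection for resources on its network" setting, which on current NetworkManager corresponds to the `ipv4.never-default` connection property.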



