Re: Problem with vpn connection

From: Jetchko Jekov <jetchko jekov gmail com>
To: Thomas Haller <thaller redhat com>, "networkmanager-list gnome org" <networkmanager-list gnome org>
Subject: Re: Problem with vpn connection
Date: Wed, 17 Aug 2016 19:27:15 +0000

Hi Tomas,

Unfortunately this doesn't work either. Maybe because 1st VPN server pushes 10.0.0.0/8 route and some route optimizations NM is doing, the specific route to 2nd VPN server is not added to the routing table.

I even tried with ignoring pushed routes and adding static routes to 10.0.0.0/8 and 10.x.x.x/32 (route to 2nd VPN server), still this second route is ignored by NM

Just for the record: 1st VPN connection is managed by openconnect plugin.

Br,

Jeka

On Tue, Aug 16, 2016 at 11:48 PM Thomas Haller <thaller redhat com> wrote:

On Mon, 2016-08-15 at 21:51 +0000, Jetchko Jekov wrote:
> Hi,
>
> Thanks for clarification.
> Although I am little puzzled with NMs view of "best-device". That's
> definitely not the default gateway in many cases.
> Yes the case I described is not so widely (vpn over vpn) spread but
> in my lab I am using VPNs with similar routing all the time.
> Fortunately till now I havent tried to use NM for managing these VPN
> connections. And now I know why I shouldn't even try it.
>
> As for your suggestion:
> How can I specify a route in format:
> 10.87.2.207 dev vpn0 proto static scope link src 10.144.204.217
> ?

Hi,

in this case, your route is a "device-route", that is a route with a
gateway equal to 0.0.0.0 (or on-link, or whatever you call that).

You can create such manual routes in NM, so that should work. Choose
0.0.0.0 as gateway.

(what you cannot create in NM are manual routes that use as gateway the
gateway provided from DHCP/SLAAC/VPN, like openvpn supports with
special names "vpn_gateway/net_gateway/remote_host").

You can also not directly specify "proto", "scope" or "src" for the
route, but that shouldn't matter for your case.

Thomas

> To me it seems NM expects next-hop IP address in manual routes
> specification.
> And in my case I cant know this in advance (this is corporate VPN and
> I can land on any of dozens entry points).
>
> Jeka
>
> On Mon, Aug 15, 2016 at 7:46 PM Thomas Haller <thaller redhat com>
> wrote:
> > On Sun, 2016-08-14 at 17:44 +0000, Jetchko Jekov wrote:
> > > Hi guys,
> > >
> > > I have following problem:
> > > I am trying to setup openvpn connection to VPN server accessible
> > not
> > > via default gateway.
> > > Wnen NM configures vpn connection it sets the route to VPN
> > server's
> > > IP address wrongly via default gateway.
> > > Here is an example:
> > > - before activating VPN connection my routing table looks like
> > this:
> > >
> > > default via 192.168.13.1 dev br0 proto static metric 425
> > > 10.0.0.0/8 dev vpn0 proto kernel scope link src 10.144.204.250
> > > metric 50
> > > 10.39.49.28 dev vpn0 proto static scope link src
> > 10.144.204.250
> > > metric 425
> > > 172.21.0.0/24 dev virbr0 proto kernel scope link src
> > 172.21.0.1
> > > linkdown
> > > 192.168.13.0/24 dev br0 proto kernel scope link src
> > 192.168.13.11
> > > metric 425
> > > 194.251.119.216 via 192.168.13.1 dev br0 proto static metric
> > 425
> > >
> > > (yes, the vpn I am trying to connect to is accessible via another
> > vpn
> > > (split-vpn) connection established in advance, but I guess this
> > > doesn't matter)
> > >
> > > Now, when I activate openvpn connection to server with address
> > > 192.167.3.254 accessible via http proxy at 10.39.49.28,
> > > and after successful connection my routing table look like this:
> > >
> > > default via 192.168.13.1 dev br0 proto static metric 425
> > > 10.0.0.0/8 dev vpn0 proto kernel scope link src 10.144.204.250
> > > metric 50
> > > 10.39.49.28 via 192.168.13.1 dev br0 proto static metric 425
> > > 172.21.0.0/24 dev virbr0 proto kernel scope link src
> > 172.21.0.1
> > > linkdown
> > > 192.167.0.0/16 via 192.167.15.1 dev tun0 proto static metric 50
> >
> > > 192.167.15.0/24 dev tun0 proto kernel scope link src
> > 192.167.15.66
> > > metric 50
> > > 192.168.13.0/24 dev br0 proto kernel scope link src
> > 192.168.13.11
> > > metric 425
> > > 194.251.119.216 via 192.168.13.1 dev br0 proto static metric
> > 425
> > >
> > > The problem is 3rd line. I have no idea why NM sets route this
> > wrong
> > > way.
> > > If correct this route manually to
> > > 10.39.49.28 dev vpn0 proto static scope link src
> > 10.144.204.250
> > > metric 425
> > > everything works as expected
> > >
> > > The question is: Have I missconfigured something on my end or NM
> > (or
> > > openvpn plugin) is broken in this regard.
> > >
> >
> > hi,
> >
> >
> > NM always associates a VPN connection with the "best-device", that
> > is
> > the device which currently has the default-route. And then it adds
> > a
> > direct route to the external gateway via that device. That is a
> > current
> > short-coming of NM, as it breaks down in your case.
> >
> > (there is no concrete plan how to fix that yet).
> >
> > How about you add a manual route to 10.39.49.28 to vpn0 with a
> > metric
> > lower then 425?
> >
> >
> > Thomas

Follow-Ups:
- Re: Problem with vpn connection
  - From: Thomas Haller

References:
- Problem with vpn connection
  - From: Jetchko Jekov
- Re: Problem with vpn connection
  - From: Thomas Haller
- Re: Problem with vpn connection
  - From: Jetchko Jekov
- Re: Problem with vpn connection
  - From: Thomas Haller

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]