Re: Best practice for managing default routes over only VPN connections?



On Sun, 2016-11-06 at 19:30 -0500, Paul Swanson wrote:

Hi

I've recently been configuring my Ubuntu 16.10 laptop for default
routing via VPN only and have discovered some difficulties.


My goal is to only connect to the Internet via a VPN and ensure that
DNS requests are resolved by a trusted server only.

One thing I've noticed is that DNS resolution seems to be handled by
NM on a connection by connection basis, but I want to ensure that DNS
resolvers are fixed to my choice regardless of the underlying
connection, without giving up NM control and dnsmasq for caching.

From what I've seen so far, the configuration bias is towards VPN
connections providing tangential access to a private network and NOT
as the default route.


You ask here only about DNS. That is actually possible since 1.4.0 by
setting ipv4.dns-priority to a negative value. See 
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.ipv4.dns-priority

  nmcli connection modify $VPN_CONNECTION ipv4.dns-priority -1
  nmcli connection up $VPN_CONNECTION



Another thing is ensuring that all traffic is routed via the VPN (that
is, controlling the configured routes). That is not supported by NM
directly (besides that you can manually configure your underlying
connection to have no default-route and only give a default-route to
the VPN connection). See for example
https://bugzilla.gnome.org/show_bug.cgi?id=749376 .


Is anyone aware of any clear guidance for configuring NM's behaviour
when seeking to use VPN for default routing and DNS safe connections?

I've had further issues with NetworkManager SSH VPN configuration.

I would like to be able to link my VPN configuration to the
underlying network adapters on my machine, so that regardless of
which Wireless SSID or ethernet connection is activated the VPN
connection is automatically and subsequently brought up and down as
required. Right now, this is a manual process for me.

A VPN connection can be set as "secondary" of another connection.
See 
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.connection.secondaries
Another option might be to write a dispatcher script.
See https://developer.gnome.org/NetworkManager/stable/NetworkManager.html#id-1.2.10.6


best,
Thomas
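The dispatcher-script option mentioned above, as an added example that is not part of the thread or of the NetworkManager project: a script that brings a named VPN profile up whenever any real uplink activates and down again when it deactivates, while ignoring the VPN's own vpn-up/vpn-down events so it cannot loop. The profile name "Work VPN" is an assumption; the script relies on NetworkManager invoking dispatcher scripts as `<script> <interface> <action>` and exporting CONNECTION_ID (the profile name) in the environment, as the NetworkManager(8) dispatcher section documents.

```shell
#!/bin/sh
# Added example (not from the thread). Install as
# /etc/NetworkManager/dispatcher.d/50-vpn-follow, owned by root, mode 0755.
# NetworkManager runs it as "<script> <interface> <action>" with CONNECTION_ID set.

VPN_CONNECTION="Work VPN"   # assumption: the nmcli name of your VPN profile

# Decide what one dispatcher event means for the VPN. Prints: up, down or ignore.
# $1 = interface, $2 = action (up, down, vpn-up, vpn-down, ...), $3 = CONNECTION_ID
decide() {
    iface="$1"; action="$2"; conn="$3"
    # Only device-level up/down events are interesting; the VPN's own
    # vpn-up/vpn-down events (and hostname/dhcp events) must not re-trigger it.
    case "$action" in
        up|down) ;;
        *) echo ignore; return 0 ;;
    esac
    # Never react to the VPN profile itself or to loopback.
    if [ "$conn" = "$VPN_CONNECTION" ] || [ "$iface" = "lo" ]; then
        echo ignore; return 0
    fi
    echo "$action"
}

# Carry out a decision with nmcli. $1 = output of decide().
apply() {
    case "$1" in
        up)
            # Skip the activation if the VPN is already active on this uplink.
            if ! nmcli -t -f NAME connection show --active | grep -qx "$VPN_CONNECTION"; then
                nmcli connection up "$VPN_CONNECTION"
            fi ;;
        down)
            # NM normally tears the VPN down with its parent; make it explicit.
            nmcli connection down "$VPN_CONNECTION" 2>/dev/null || true ;;
    esac
}

# Entry point when NetworkManager invokes the script. Sourcing or running the
# file without arguments only defines the functions above.
if [ "$#" -ge 2 ]; then
    apply "$(decide "$1" "$2" "${CONNECTION_ID:-}")"
fi
```

The script does not enforce that traffic waits for the VPN; between the uplink coming up and the VPN activating, packets still follow whatever default route the uplink installed, which is the gap Thomas points to in the bugzilla link.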
