On Mon, 2017-01-23 at 23:34 +0900, Tomasz Chmielewski wrote:
I have a VPN server which uses "push route..." options to push specific routes to the clients:

# testing1
push "route 10.11.0.0 255.255.255.0"
# testing2
push "route 10.12.0.0 255.255.255.0"
# testing3
push "route 10.13.1.0 255.255.255.0"

The same config file works correctly with command line openvpn on Linux (openvpn --config some.conf), with OpenVPN client for Windows, with OpenVPN client for Mac (TunnelBlick), with OpenVPN clients for Android and iOS - the routes are pushed to the clients.

However, it does not work when the config is imported via NetworkManager (used version 1.2.6 on Ubuntu 16.10, but also tried several earlier Ubuntu versions, to no avail).

To reproduce:

case 1) in NM, import an openvpn config file where the server uses "push route..." option, but is *not* a default gateway (i.e. no "push redirect-gateway..." on the server).

Expected result: config file is imported, when we initiate the connection via NM, the routes pushed by the server are applied on the client

Real result: NM routes *all* traffic through the established connection. There is no connectivity anywhere anymore (device is "offlined").

case 2) in NM, import an openvpn config file where the server uses "push route..." option, but is *not* a default gateway (i.e. no "push redirect-gateway..." on the server). Additionally, in IPv4 settings -> Routes for this OpenVPN config, we select "Use this connection only for resources on its network".

Expected result: config file is imported, when we initiate the connection via NM, the routes pushed by the server are applied on the client

Real result: routes pushed by the server are not applied on the client.

Please advise how to use NetworkManager for OpenVPN servers which are not default gateways and which push their own routes.
Hi,

whether the VPN gets the default route depends on the (inverse) "ipv4.never-default" setting. See `nmcli connection show "$MY_VPN"`

Try to enable debug-logging of the VPN server:

    sudo nmcli logging general level TRACE domains ALL:VPN_PLUGIN

(you need to re-activate the VPN connection for the change to take effect).
(don't send the logfile with VPN_PLUGIN domain enabled, because it might contain private data)

The "import" step is entirely separate from the later activation handling. That is, during import, the ovpn file is transformed to a NetworkManager connection profile. Whether you import an ovpn or click it manually makes no difference for the activation.

Of course, it would be interesting *what* you actually import, and how NM's connection profile looks after the import step.

best,
Thomas
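The reply ties the default-route behaviour to "ipv4.never-default" on the profile that exists after import. The following is an added example, not code from the thread or from NetworkManager: it reads a profile in NetworkManager's keyfile format and reports whether the VPN will take the default route and whether automatically configured routes are kept. The sample profiles, the host name and the function name `routing_posture` are constructed, and treating server-pushed routes as covered by `ignore-auto-routes` is an assumption based on the nm-settings description of that property.

```python
import configparser

# Constructed sample profile in NetworkManager keyfile format (not from the thread).
FULL_TUNNEL = """\
[connection]
id=testing-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.test

[ipv4]
method=auto
"""
# [ipv4] is the last section, so appended keys land in it.
SPLIT_TUNNEL = FULL_TUNNEL + "never-default=true\n"
SPLIT_NO_AUTO = SPLIT_TUNNEL + "ignore-auto-routes=true\nroute1=10.11.0.0/24\n"


def routing_posture(keyfile_text):
    """Report how a stored VPN profile will treat IPv4 routes on activation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if cp.get("connection", "type", fallback="") != "vpn":
        raise ValueError("profile is not a VPN connection")
    ipv4 = cp["ipv4"] if cp.has_section("ipv4") else {}
    # Both properties are false when the keyfile does not list them.
    never_default = cp.getboolean("ipv4", "never-default", fallback=False)
    ignore_auto = cp.getboolean("ipv4", "ignore-auto-routes", fallback=False)
    # Manually configured routes are stored as route1=, route2=, ...
    static = [v for k, v in ipv4.items() if k.startswith("route") and k[5:].isdigit()]
    return {
        "default_route_via_vpn": not never_default,
        "auto_routes_kept": not ignore_auto,
        "static_routes": static,
    }


if __name__ == "__main__":
    for name, text in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                       ("split, auto routes ignored", SPLIT_NO_AUTO)]:
        print(name, routing_posture(text))
```

A profile that reports `default_route_via_vpn: True` sends all traffic into the tunnel regardless of what the server pushes, which matches the behaviour described in case 1.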