On Tue, 2017-01-24 at 09:55 +0900, Tomasz Chmielewski wrote:
> On 2017-01-24 03:05, Thomas Haller wrote:
> > > Please advise how to use NetworkManager for OpenVPN servers which
> > > are not default gateways and which push their own routes.
> >
> > whether the VPN gets the default route, depends on the (inverse)
> > "ipv4.never-default" setting. See `nmcli connection show "$MY_VPN"`
>
> Why does NM attempt to set a default route for an OpenVPN connection
> where the OpenVPN server does not advertise itself as a default route?
> It would almost never work, and sounds like a bug to me.

in many common setups, the VPN gateway will forward whatever packets you send it. I don't agree that "would almost never work" is accurate. Whether the default-route is routed along the VPN should be primarily configured client-side (NetworkManager). Optimally, ip4.never-default would support a 3rd value ~server-choice~, beside "yes" and "no". To allow the server to override it. This is a missing feature.

> Anyway, with "Use this connection only for resources on its network"
> set:
>
> # nmcli connection show $MY_VPN|grep never-default
> ipv4.never-default: yes
> ipv6.never-default: no
>
> It no longer sets the connection as a default route.
>
> > Try to enable debug-logging of the VPN server:
> >
> >   sudo nmcli logging general level TRACE domains ALL:VPN_PLUGIN
>
> # nmcli logging general level TRACE domains ALL:VPN_PLUGIN
> Error: Object 'logging' is unknown, try 'nmcli help'.

ah, right. Typo

> # nmcli general logging level TRACE domains ALL:VPN_PLUGIN
> Error: failed to set logging: Unknown log level 'VPN_PLUGIN'
>
> So in the end I came up with this one:
>
> # nmcli general logging level TRACE domains VPN

Another typo. Sorry. Should be:

  sudo nmcli general logging level TRACE domains ALL,VPN_PLUGIN

It should be "VPN_PLUGIN". This enables debug logging for the VPN service itself (openvpn). Contrary to the "VPN" logging domain, which is VPN-related logging inside NetworkManager.

If "VPN_PLUGIN" is unrecognized, your NM version is too old for it. In that case, you would need to follow https://wiki.gnome.org/Projects/NetworkManager/Debugging#Debugging_NetworkManager-openvpn to get debugging logs from the VPN service itself.

> And it helped me debug this - thanks!

cool

Best,
Thomas