Re: unable to use openvpn server which uses "push route..."

On Tue, 2017-01-24 at 09:55 +0900, Tomasz Chmielewski wrote:
On 2017-01-24 03:05, Thomas Haller wrote:

Please advise how to use NetworkManager for OpenVPN servers which
not default gateways and which push their own routes.

whether the VPN gets the default route, depends on the (inverse)
"ipv4.never-default" setting. See `nmcli connection show "$MY_VPN"`

Why does NM attempt to set a default route for a OpenVPN connection 
where the OpenVPN server does not advertise itself as a default
It would almost never work, and sounds like a bug to me.

in many common setups, the VPN gateway will forward whatever packets
you send it. I don't agree that "would almost never work" is accurate.

Whether the default-route is routed along the VPN should be primarily
configured client-side (NetworkManager).

Optimally, ip4.never-default would support a 3rd value ~server-choice~, 
beside "yes" and "no". To allow the server to override it. This is a
missing feature.

Anyway, with "Use this connection only for resources on its network" 

# nmcli connection show $MY_VPN|grep never-default
ipv4.never-default:                     yes
ipv6.never-default:                     no

It no longer sets the connection as a default route.

Try to enable debug-logging of the VPN server:

  sudo nmcli logging general level TRACE domains ALL:VPN_PLUGIN

# nmcli logging general level TRACE domains ALL:VPN_PLUGIN
Error: Object 'logging' is unknown, try 'nmcli help'.

ah, right. Typo

# nmcli general logging level TRACE domains ALL:VPN_PLUGIN
Error: failed to set logging: Unknown log level 'VPN_PLUGIN'

So in the end I came up with this one:

# nmcli general logging level TRACE domains VPN

Another typo. sorry.
Should be:

  sudo nmcli general logging level TRACE domains ALL,VPN_PLUGIN

It should be "VPN_PLUGIN". This enables debug logging for the VPN
service itself (openvpn).
Contrary to the "VPN" logging domain, which is VPN related logging
inside NetworkManager.

If "VPN_PLUGIN" is unrecognized, your NM version is too old for it.
In that case, you would need to follow
to get debugging logs from the VPN service itself.

And it helped me debug this - thanks!



Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]