Trouble converting full OpenVPN tunnel to split tunnel

Hello NM folks,

I'm running into a problem converting an OpenVPN "full" tunnel configuration to
a split tunnel configuration. I've received an .ovpn file from a client which,
by default, routes all my traffic through their VPN. I want to configure my VPN
connection such that only traffic to/from resources within their network is
routed through the VPN, and all other traffic is routed through whatever network
I'm currently on.

I'm running:
- openSUSE Tumbleweed with Gnome
- Network Manager 1.28.0
- NM OpenVPN Gnome plugin 1.8.12

I can modify the connection profile to route traffic to publicly accessible IP
addresses through the VPN by manually setting the ipv4.dns and ipv4.routes
options using nmcli. I'm able to modify the VPN connection profile as follows,
which allows me to access publicly resolvable resources.

# nmcli connection modify <split> ignore-auto-dns=true
# nmcli connection modify <split> dns=<local dns>    <- Current LAN DNS
# nmcli connection modify <split> +ipv4.routes <host-ip-A/32> <- public
# nmcli connection modify <split> +ipv4.routes <host-ip-B/32> <- private

By public/private here I mean I can access host-A with these options because my
LAN DNS can resolve the IP address, meanwhile host-B is unresolvable and I can't
figure out why.

Connected to the full tunnel shows the following nslookup output for an
"internal" host:

$ nslookup <the host>
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   <the host>
Address: 10.243.a.b
Name:   <the host>
Address: 10.243.c.d
Name:   <the host>
Address: 10.243.e.f

If I'm connected to the "full" tunnel, inspecting the connection profile returns
the following. I think the "IP4.ROUTE[1]" line means that all traffic is being
sent through their gateway.

$ nmcli connection show "Client VPN (Full)"
GENERAL.NAME:                           Client VPN (Full)
GENERAL.UUID:                           6a647d45-1740-4a49-81d1-6d49f5631a40
GENERAL.DEVICES:                        wlp0s20f3
GENERAL.IP-IFACE:                       wlp0s20f3
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        yes
GENERAL.DEFAULT6:                       no
GENERAL.SPEC-OBJECT:                   
/org/freedesktop/NetworkManager/ActiveConnection/2
GENERAL.VPN:                            yes
GENERAL.DBUS-PATH:                     
/org/freedesktop/NetworkManager/ActiveConnection/49
GENERAL.CON-PATH:                      
/org/freedesktop/NetworkManager/Settings/29
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                   
/org/freedesktop/NetworkManager/Devices/3
IP4.ADDRESS[1]:                         a.b.c.d/23
IP4.GATEWAY:                            a.b.c.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50
IP4.DNS[1]:                             a.b.c.d
IP4.DNS[2]:                             a.b.c.d
IP4.DOMAIN[1]:                          <company.com>
VPN.TYPE:                               openvpn
VPN.USERNAME:                           <my username>
VPN.GATEWAY:                            a.b.c.d:1194:udp, a.b.c.d:443:tcp
VPN.BANNER:                             --
VPN.VPN-STATE:                          5 - VPN connected
VPN.CFG[1]:                             ca = /home/chris/.cert/nm-
openvpn/client-ca.pem
VPN.CFG[2]:                             cert = /home/chris/.cert/nm-
openvpn/client-cert.pem
VPN.CFG[3]:                             cert-pass-flags = 0
VPN.CFG[4]:                             cipher = AES-256-CBC
VPN.CFG[5]:                             comp-lzo = no-by-default
VPN.CFG[6]:                             connect-timeout = 4
VPN.CFG[7]:                             connection-type = password-tls
VPN.CFG[8]:                             dev = tun
VPN.CFG[9]:                             dev-type = tun
VPN.CFG[10]:                            key = /home/chris/.cert/nm-
openvpn/client-key.pem
VPN.CFG[11]:                            ns-cert-type = server
VPN.CFG[12]:                            password-flags = 1
VPN.CFG[13]:                            remote = a.b.c.d:1194:udp,
a.b.c.d:443:tcp
VPN.CFG[14]:                            reneg-seconds = 604800
VPN.CFG[15]:                            ta = /home/chris/.cert/nm-
openvpn/client-tls-auth.pem
VPN.CFG[16]:                            ta-dir = 1
VPN.CFG[17]:                            username = <my-username>

Is there anything I can do to fix this configuration and route only
private/internal traffic through the VPN?

Thanks in advance,
Chris
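The full-tunnel check Chris describes (an IP4.ROUTE entry with dst = 0.0.0.0/0) and the split-tunnel settings that follow from it, as an added example that is not from the post or from NetworkManager: it parses nmcli's wrapped `connection show` output from a constructed sample, flags a pushed default route, and builds the nmcli commands for a split tunnel. It assumes 10.243.0.0/16 as the internal prefix and a split-DNS-capable resolver (systemd-resolved or dnsmasq), so the VPN's pushed DNS serves only its search domain once the connection is no longer the default route.

```python
import re

# Constructed sample modelled on the nmcli output quoted above (documentation-style
# addresses); GENERAL.SPEC-OBJECT shows a value nmcli wrapped onto the next line.
SAMPLE = """\
GENERAL.NAME:                           Client VPN (Full)
GENERAL.SPEC-OBJECT:
/org/freedesktop/NetworkManager/ActiveConnection/2
IP4.ADDRESS[1]:                         10.8.0.10/23
IP4.GATEWAY:                            10.8.0.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 10.8.0.1, mt = 50
IP4.ROUTE[2]:                           dst = 10.8.0.0/23, nh = 0.0.0.0, mt = 50
IP4.DNS[1]:                             10.8.0.2
IP4.DOMAIN[1]:                          example.internal
VPN.TYPE:                               openvpn
"""

FIELD = re.compile(r"^([A-Z0-9.\-]+(?:\[\d+\])?):\s*(.*)$")

def parse_nmcli_show(text):
    """Return {field: value}; a line that is not 'FIELD: value' continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is not None and line.strip():
            fields[last] += line.strip()
    return fields

def values(fields, prefix):
    """All values of an indexed field family such as IP4.ROUTE[n], in order."""
    return [v for k, v in fields.items() if k.startswith(prefix + "[")]

def is_full_tunnel(fields):
    """True when the VPN installs a default route (dst = 0.0.0.0/0): all traffic goes to it."""
    return any(re.search(r"\bdst = 0\.0\.0\.0/0\b", r) for r in values(fields, "IP4.ROUTE"))

def split_tunnel_commands(conn, fields, internal_prefixes):
    """nmcli commands: no default route via the VPN, explicit internal routes, pushed DNS
    kept so it serves only the VPN's search domain (needs systemd-resolved or dnsmasq)."""
    cmds = [f'nmcli connection modify "{conn}" ipv4.never-default yes',
            f'nmcli connection modify "{conn}" ipv4.ignore-auto-dns no']
    for prefix in internal_prefixes:
        cmds.append(f'nmcli connection modify "{conn}" +ipv4.routes {prefix}')
    for domain in values(fields, "IP4.DOMAIN"):
        cmds.append(f'nmcli connection modify "{conn}" +ipv4.dns-search {domain}')
    return cmds
```

Run `split_tunnel_commands("Client VPN (Full)", parse_nmcli_show(SAMPLE), ["10.243.0.0/16"])` to see the four commands; review them before applying, since ipv4.routes values here are your own assumption about which prefixes are internal.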