Re: Trouble converting full OpenVPN tunnel to split tunnel

On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager-
list wrote:
Hello NM folks,

I'm running into a problem converting an OpenVPN "full" tunnel
configuration to
a split tunnel configuration. I've received an .ovpn file from a
client which,
by default, routes all my traffic through their VPN. I want to
configure my VPN
connection such that only traffic to/from resources within their
network are
routed through the VPN, and all other traffic is routed through
whatever network
I'm currently on.

I'm running:
- openSUSE Tumbleweed with Gnome
- Network Manager 1.28.0
- NM OpenVPN Gnome plugin 1.8.12

I can modify the connection profile to route traffic to publicly
accessible IP
addresses through the VPN by manually setting the ipv4.dns and
options using nmcli. I'm able to modify the VPN connection profile as
which allows me to access publicly resolvable resources.

# nmcli connection modify <split> ignore-auto-dns=true
# nmcli connection modify <split> dns=<local dns>    <- Current LAN
# nmcli connection modify <split> +ipv4.routes <host-ip-A/32> <-
# nmcli connection modify <split> +ipv4.routes <host-ip-B/32> <-

By public/private here I mean I can access host-A with these options
because my
LAN DNS can resolve the IP address, meanwhie host-B is unresolvable
and I can't
figure out why.

Connected to the full tunnel shows the following nslookup output for
"internal" host:

$ nslookup <the host>

Non-authoritative answer:
Name:   <the host>
Address: 10.243.a.b
Name:   <the host>
Address: 10.243.c.d
Name:   <the host>
Address: 10.243.e.f

If I'm connected to the "full" tunnel, inspecting the connection
profile returns
the following. I think the "IP4.ROUTE[1]" line means that all traffic
is being
sent through their gateway.

$ nmcli connection show "Client VPN (Full)"
GENERAL.NAME:                           Client VPN (Full)
GENERAL.UUID:                           6a647d45-1740-4a49-81d1-
GENERAL.DEVICES:                        wlp0s20f3
GENERAL.IP-IFACE:                       wlp0s20f3
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        yes
GENERAL.DEFAULT6:                       no
GENERAL.VPN:                            yes
GENERAL.ZONE:                           --
IP4.ADDRESS[1]:                         a.b.c.d/23
IP4.GATEWAY:                            a.b.c.1
IP4.ROUTE[1]:                           dst =, nh =
a.b.c.1, mt = 50
IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh =, mt = 50
IP4.DNS[1]:                             a.b.c.d
IP4.DNS[2]:                             a.b.c.d
IP4.DOMAIN[1]:                          <>
VPN.TYPE:                               openvpn
VPN.USERNAME:                           <my username>
VPN.GATEWAY:                            a.b.c.d:1194:udp,
VPN.BANNER:                             --
VPN.VPN-STATE:                          5 - VPN connected
VPN.CFG[1]:                             ca = /home/chris/.cert/nm-
VPN.CFG[2]:                             cert = /home/chris/.cert/nm-
VPN.CFG[3]:                             cert-pass-flags = 0
VPN.CFG[4]:                             cipher = AES-256-CBC
VPN.CFG[5]:                             comp-lzo = no-by-default
VPN.CFG[6]:                             connect-timeout = 4
VPN.CFG[7]:                             connection-type = password-
VPN.CFG[8]:                             dev = tun
VPN.CFG[9]:                             dev-type = tun
VPN.CFG[10]:                            key = /home/chris/.cert/nm-
VPN.CFG[11]:                            ns-cert-type = server
VPN.CFG[12]:                            password-flags = 1
VPN.CFG[13]:                            remote = a.b.c.d:1194:udp,
VPN.CFG[14]:                            reneg-seconds = 604800
VPN.CFG[15]:                            ta = /home/chris/.cert/nm-
VPN.CFG[16]:                            ta-dir = 1
VPN.CFG[17]:                            username = <my-username>

Is there anything I can do to fix this configuration and route only
private/internal traffic through the VPN?


I think routing and DNS are mostly independent things.

Setting up routing so that only a certain subnet is reached via the VPN
is usually simple. Possibly also configure ipv4.never-default=yes.

Check the resulting routing table (after activating the VPN) with `ip
route` to confirm that it's right.

check that you can reach the right hosts with `ping $IP_ADDRESS` and
`traceroute -n $IP_ADDRESS`.

About DNS. If you don't enable split DNS (either dns=dnsmasq or
dns=systemd-resolved in `man NetworkManager.conf`), then all DNS
servers are equal. In that case, you probably would want that the DNS
server via the VPN is always consulted, because the public DNS server
cannot resolve internal names. You'd do that by setting ipv4.dns-
priority to a negative value.

If you have split DNS, the search domains act like "routes" for
lookups. In that case, you can have search domain via the
VPN and the default otherwise. Again, ipv4.dns-priority may also be
relevant in that setup...


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]