On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager- list wrote:
Hello NM folks, I'm running into a problem converting an OpenVPN "full" tunnel configuration to a split tunnel configuration. I've received an .ovpn file from a client which, by default, routes all my traffic through their VPN. I want to configure my VPN connection such that only traffic to/from resources within their network are routed through the VPN, and all other traffic is routed through whatever network I'm currently on. I'm running: - openSUSE Tumbleweed with Gnome - Network Manager 1.28.0 - NM OpenVPN Gnome plugin 1.8.12 I can modify the connection profile to route traffic to publicly accessible IP addresses through the VPN by manually setting the ipv4.dns and ipv4.routes options using nmcli. I'm able to modify the VPN connection profile as follows, which allows me to access publicly resolvable resources. # nmcli connection modify <split> ignore-auto-dns=true # nmcli connection modify <split> dns=<local dns> <- Current LAN DNS # nmcli connection modify <split> +ipv4.routes <host-ip-A/32> <- public # nmcli connection modify <split> +ipv4.routes <host-ip-B/32> <- private By public/private here I mean I can access host-A with these options because my LAN DNS can resolve the IP address, meanwhie host-B is unresolvable and I can't figure out why. Connected to the full tunnel shows the following nslookup output for an "internal" host: $ nslookup <the host> Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: Name: <the host> Address: 10.243.a.b Name: <the host> Address: 10.243.c.d Name: <the host> Address: 10.243.e.f If I'm connected to the "full" tunnel, inspecting the connection profile returns the following. I think the "IP4.ROUTE[1]" line means that all traffic is being sent through their gateway. $ nmcli connection show "Client VPN (Full)" GENERAL.NAME: Client VPN (Full) GENERAL.UUID: 6a647d45-1740-4a49-81d1- 6d49f5631a40 GENERAL.DEVICES: wlp0s20f3 GENERAL.IP-IFACE: wlp0s20f3 GENERAL.STATE: activated GENERAL.DEFAULT: yes GENERAL.DEFAULT6: no GENERAL.SPEC-OBJECT: /org/freedesktop/NetworkManager/ActiveConnection/2 GENERAL.VPN: yes GENERAL.DBUS-PATH: /org/freedesktop/NetworkManager/ActiveConnection/49 GENERAL.CON-PATH: /org/freedesktop/NetworkManager/Settings/29 GENERAL.ZONE: -- GENERAL.MASTER-PATH: /org/freedesktop/NetworkManager/Devices/3 IP4.ADDRESS[1]: a.b.c.d/23 IP4.GATEWAY: a.b.c.1 IP4.ROUTE[1]: dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50 IP4.ROUTE[2]: dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50 IP4.DNS[1]: a.b.c.d IP4.DNS[2]: a.b.c.d IP4.DOMAIN[1]: <company.com> VPN.TYPE: openvpn VPN.USERNAME: <my username> VPN.GATEWAY: a.b.c.d:1194:udp, a.b.c.d:443:tcp VPN.BANNER: -- VPN.VPN-STATE: 5 - VPN connected VPN.CFG[1]: ca = /home/chris/.cert/nm- openvpn/client-ca.pem VPN.CFG[2]: cert = /home/chris/.cert/nm- openvpn/client-cert.pem VPN.CFG[3]: cert-pass-flags = 0 VPN.CFG[4]: cipher = AES-256-CBC VPN.CFG[5]: comp-lzo = no-by-default VPN.CFG[6]: connect-timeout = 4 VPN.CFG[7]: connection-type = password- tls VPN.CFG[8]: dev = tun VPN.CFG[9]: dev-type = tun VPN.CFG[10]: key = /home/chris/.cert/nm- openvpn/client-key.pem VPN.CFG[11]: ns-cert-type = server VPN.CFG[12]: password-flags = 1 VPN.CFG[13]: remote = a.b.c.d:1194:udp, a.b.c.d:443:tcp VPN.CFG[14]: reneg-seconds = 604800 VPN.CFG[15]: ta = /home/chris/.cert/nm- openvpn/client-tls-auth.pem VPN.CFG[16]: ta-dir = 1 VPN.CFG[17]: username = <my-username> Is there anything I can do to fix this configuration and route only private/internal traffic through the VPN?
Hi, I think routing and DNS are mostly independent things. Setting up routing so that only a certain subnet is reached via the VPN is usually simple. Possibly also configure ipv4.never-default=yes. Check the resulting routing table (after activating the VPN) with `ip route` to confirm that it's right. check that you can reach the right hosts with `ping $IP_ADDRESS` and `traceroute -n $IP_ADDRESS`. About DNS. If you don't enable split DNS (either dns=dnsmasq or dns=systemd-resolved in `man NetworkManager.conf`), then all DNS servers are equal. In that case, you probably would want that the DNS server via the VPN is always consulted, because the public DNS server cannot resolve internal names. You'd do that by setting ipv4.dns- priority to a negative value. If you have split DNS, the search domains act like "routes" for lookups. In that case, you can have company.com search domain via the VPN and the default otherwise. Again, ipv4.dns-priority may also be relevant in that setup... best, Thomas
Attachment:
signature.asc
Description: This is a digitally signed message part