Re: Trouble converting full OpenVPN tunnel to split tunnel



On Wed, 2021-02-03 at 12:25 +0100, Thomas Haller wrote:
On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager-list wrote:
Hello NM folks,

I'm running into a problem converting an OpenVPN "full" tunnel configuration to a split tunnel configuration. I've received an .ovpn file from a client which, by default, routes all my traffic through their VPN. I want to configure my VPN connection such that only traffic to/from resources within their network are routed through the VPN, and all other traffic is routed through whatever network I'm currently on.

I'm running:
- openSUSE Tumbleweed with Gnome
- Network Manager 1.28.0
- NM OpenVPN Gnome plugin 1.8.12

I can modify the connection profile to route traffic to publicly accessible IP addresses through the VPN by manually setting the ipv4.dns and ipv4.routes options using nmcli. I'm able to modify the VPN connection profile as follows, which allows me to access publicly resolvable resources.

# nmcli connection modify <split> ignore-auto-dns=true
# nmcli connection modify <split> dns=<local dns>            <- Current LAN DNS
# nmcli connection modify <split> +ipv4.routes <host-ip-A/32> <- public
# nmcli connection modify <split> +ipv4.routes <host-ip-B/32> <- private

By public/private here I mean I can access host-A with these options because my LAN DNS can resolve the IP address, meanwhile host-B is unresolvable and I can't figure out why.

Connected to the full tunnel shows the following nslookup output for an "internal" host:

$ nslookup <the host>
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   <the host>
Address: 10.243.a.b
Name:   <the host>
Address: 10.243.c.d
Name:   <the host>
Address: 10.243.e.f

If I'm connected to the "full" tunnel, inspecting the connection profile returns the following. I think the "IP4.ROUTE[1]" line means that all traffic is being sent through their gateway.


$ nmcli connection show "Client VPN (Full)"
GENERAL.NAME:                           Client VPN (Full)
GENERAL.UUID:                           6a647d45-1740-4a49-81d1-6d49f5631a40
GENERAL.DEVICES:                        wlp0s20f3
GENERAL.IP-IFACE:                       wlp0s20f3
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        yes
GENERAL.DEFAULT6:                       no
GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/2
GENERAL.VPN:                            yes
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/49
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/29
GENERAL.ZONE:                           --
GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/3
IP4.ADDRESS[1]:                         a.b.c.d/23
IP4.GATEWAY:                            a.b.c.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50
IP4.DNS[1]:                             a.b.c.d
IP4.DNS[2]:                             a.b.c.d
IP4.DOMAIN[1]:                          <company.com>
VPN.TYPE:                               openvpn
VPN.USERNAME:                           <my username>
VPN.GATEWAY:                            a.b.c.d:1194:udp, a.b.c.d:443:tcp
VPN.BANNER:                             --
VPN.VPN-STATE:                          5 - VPN connected
VPN.CFG[1]:                             ca = /home/chris/.cert/nm-openvpn/client-ca.pem
VPN.CFG[2]:                             cert = /home/chris/.cert/nm-openvpn/client-cert.pem
VPN.CFG[3]:                             cert-pass-flags = 0
VPN.CFG[4]:                             cipher = AES-256-CBC
VPN.CFG[5]:                             comp-lzo = no-by-default
VPN.CFG[6]:                             connect-timeout = 4
VPN.CFG[7]:                             connection-type = password-tls
VPN.CFG[8]:                             dev = tun
VPN.CFG[9]:                             dev-type = tun
VPN.CFG[10]:                            key = /home/chris/.cert/nm-openvpn/client-key.pem
VPN.CFG[11]:                            ns-cert-type = server
VPN.CFG[12]:                            password-flags = 1
VPN.CFG[13]:                            remote = a.b.c.d:1194:udp, a.b.c.d:443:tcp
VPN.CFG[14]:                            reneg-seconds = 604800
VPN.CFG[15]:                            ta = /home/chris/.cert/nm-openvpn/client-tls-auth.pem
VPN.CFG[16]:                            ta-dir = 1
VPN.CFG[17]:                            username = <my-username>


Is there anything I can do to fix this configuration and route only private/internal traffic through the VPN?


Hi,

I think routing and DNS are mostly independent things.


Setting up routing so that only a certain subnet is reached via the VPN is usually simple. Possibly also configure ipv4.never-default=yes.

Check the resulting routing table (after activating the VPN) with `ip route` to confirm that it's right.

Check that you can reach the right hosts with `ping $IP_ADDRESS` and `traceroute -n $IP_ADDRESS`.


About DNS. If you don't enable split DNS (either dns=dnsmasq or dns=systemd-resolved in `man NetworkManager.conf`), then all DNS servers are equal. In that case, you probably would want that the DNS server via the VPN is always consulted, because the public DNS server cannot resolve internal names. You'd do that by setting ipv4.dns-priority to a negative value.

If you have split DNS, the search domains act like "routes" for lookups. In that case, you can have company.com search domain via the VPN and the default otherwise. Again, ipv4.dns-priority may also be relevant in that setup...




best,
Thomas

Hi Thomas,

I think in this case I would only like to route DNS queries through the VPN that aren't resolvable by my LAN, except for a few based on the dns search domain as you mention. I'm guessing that means I want split DNS along with a split VPN tunnel. I've installed and enabled systemd-resolved as the dns for NM, but it's not splitting the requests as I had intended.

Full VPN tunnel:

   $ resolvectl status
   Global
              Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       resolv.conf mode: foreign
   Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
             DNS Domain: company.com
   
   Link 2 (enp0s31f6)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   
   Link 3 (wlp0s20f3)
   Current Scopes: LLMNR/IPv4 LLMNR/IPv6
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   
   Link 4 (virbr0)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   
   Link 10 (tun0)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
            Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   Current DNS Server: 8.8.4.4
          DNS Servers: 8.8.8.8 8.8.4.4
           DNS Domain: company.com

Split (?) VPN doesn't appear to use the VPN at all anymore, and is just routing through my local network. Even the `dns-search` setting to the domains I need appear to be ignored.

This host is publicly available, but being routed through my local network. None of the private hosts are resolvable.

   $ traceroute <host-A.company.com>
   traceroute to <host-A.company.com> (<host-A-IP>), 30 hops max, 60 byte packets
    1  mijnmodem.kpn (192.168.2.254)  1.229 ms  2.590 ms  2.555 ms
    2  195-190-228-115.fixed.kpn.net (195.190.228.115)  589.236 ms  589.207 ms  589.179 m

   $ resolvectl status
   Global
              Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
       resolv.conf mode: foreign
   Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
             DNS Domain: company.com
   
   Link 2 (enp0s31f6)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   
   Link 3 (wlp0s20f3)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
            Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
   Current DNS Server: 192.168.2.201
          DNS Servers: 192.168.2.201
   
   Link 4 (virbr0)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   
   Link 11 (tun0)
   Current Scopes: LLMNR/IPv4 LLMNR/IPv6
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Differences in the nm connection profiles

   # diff -u /etc/NetworkManager/system-connections/company.nmconnection /etc/NetworkManager/system-connections/split.nmconnection
   --- "/etc/NetworkManager/system-connections/company.nmconnection"    2021-02-03 09:08:47.568470862 +0100
   +++ /etc/NetworkManager/system-connections/split.nmconnection        2021-02-03 17:26:59.901658365 +0100
   @@ -1,9 +1,9 @@
    [connection]
   -id=company
   -uuid=6a647d45-1740-4a49-81d1-6d49f5631a40
   +id=split
   +uuid=66a562fb-1fee-496c-9ab8-7e5b910435fb
    type=vpn
    permissions=
   -timestamp=1612339695
   +timestamp=1612369074
    
    [vpn]
    ca=/home/chris/.cert/nm-openvpn/split-ca.pem
   @@ -26,13 +26,17 @@
    service-type=org.freedesktop.NetworkManager.openvpn
    
    [ipv4]
   -dns-search=
   +dns-search=companyA.com;companyB.com;
   +ignore-auto-dns=true
    method=auto
   +never-default=true
    
    [ipv6]
    addr-gen-mode=stable-privacy
    dns-search=
   +ignore-auto-dns=true
    ip6-privacy=0
    method=auto
   +never-default=true
    
    [proxy]
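Review bot: the [ipv4] hunk adds never-default=true and ignore-auto-dns=true but no route1= and no dns= lines to go with them, which explains both symptoms reported above. With never-default=true and no explicit route, nothing is steered into tun0 unless the server pushes routes, so the traceroute leaves via the LAN; with ignore-auto-dns=true and no dns=, the pushed 8.8.8.8/8.8.4.4 servers are dropped and tun0 is left with no resolver at all, which is exactly the later resolvectl output where Link 11 (tun0) has only LLMNR scopes and no DNS scope, so the new dns-search=companyA.com;companyB.com; domains have no server to be routed to. Suggest adding to [ipv4] something like `dns=<internal resolver>;`, `route1=<internal subnet>` (the nmcli equivalents are ipv4.dns and +ipv4.routes), and, per Thomas's earlier advice, a negative ipv4.dns-priority so the VPN resolver wins for those domains; the [ipv6] hunk mirrors only never-default/ignore-auto-dns and needs the same treatment if the VPN carries IPv6.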
   
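The checks Thomas lists (never-default, an explicit route for the internal subnet, a DNS server on the VPN link, split-DNS search domains or a negative dns-priority) can be applied mechanically to a keyfile before activating the profile. The script below is an added example and is not code from the thread or from NetworkManager; it parses the keyfile format shown in the diff with configparser and reports which of those conditions a profile fails. SPLIT_PROFILE is a constructed sample reproducing the [ipv4] section from the diff; FIXED_PROFILE is a constructed corrected version whose resolver address 10.243.0.53 and subnet 10.243.0.0/16 are placeholders modelled on the 10.243.x.y addresses in the nslookup output, not values from the thread.

```python
"""Audit a NetworkManager VPN keyfile for split-tunnel / split-DNS consistency.

Added example (not from the mailing-list thread). Reads the [ipv4] section of
an .nmconnection keyfile and reports the conditions a split tunnel with
working internal DNS needs.
"""
import configparser
from typing import Dict, List

# Constructed sample: the [ipv4] section as added in split.nmconnection above
# (never-default and ignore-auto-dns set, but no dns= and no routeN= keys).
SPLIT_PROFILE = """\
[connection]
id=split
type=vpn

[ipv4]
dns-search=companyA.com;companyB.com;
ignore-auto-dns=true
method=auto
never-default=true
"""

# Constructed corrected profile. 10.243.0.53 (resolver) and 10.243.0.0/16
# (internal subnet) are placeholders, not values from the thread.
FIXED_PROFILE = """\
[connection]
id=split
type=vpn

[ipv4]
dns=10.243.0.53;
dns-search=companyA.com;companyB.com;
dns-priority=-10
ignore-auto-dns=true
method=auto
never-default=true
route1=10.243.0.0/16
"""


def parse_keyfile(text: str) -> configparser.ConfigParser:
    """Parse an NM keyfile; keys are case-sensitive and values have no interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def _nm_list(value: str) -> List[str]:
    """Split an NM ';'-separated list value, dropping the trailing empty item."""
    return [item for item in value.split(";") if item]


def audit_split_tunnel(text: str) -> List[str]:
    """Return a list of findings; an empty list means the profile is consistent."""
    cp = parse_keyfile(text)
    ipv4: Dict[str, str] = dict(cp["ipv4"]) if cp.has_section("ipv4") else {}
    findings: List[str] = []

    never_default = ipv4.get("never-default", "false").lower() == "true"
    ignore_auto_dns = ipv4.get("ignore-auto-dns", "false").lower() == "true"
    # Keyfile routes are stored as route1=, route2=, ... (route1_options= is skipped).
    routes = [v for k, v in ipv4.items() if k.startswith("route") and k[5:].isdigit()]
    dns = _nm_list(ipv4.get("dns", ""))
    search = _nm_list(ipv4.get("dns-search", ""))
    priority = int(ipv4.get("dns-priority", "0"))

    if not never_default:
        findings.append("full tunnel: the VPN installs the default route (dst 0.0.0.0/0)")
    elif not routes:
        findings.append("never-default=true but no routeN= entries: only server-pushed "
                        "routes (if any) will use the tunnel")
    if ignore_auto_dns and not dns:
        findings.append("ignore-auto-dns=true with no dns= servers: the VPN link gets no "
                        "resolver, so dns-search domains have nowhere to be sent")
    if dns and not search and priority >= 0:
        findings.append("no split-DNS search domains and dns-priority >= 0: the VPN "
                        "resolver is not preferred; set a negative dns-priority")
    return findings


if __name__ == "__main__":
    for name, profile in (("split (as in diff)", SPLIT_PROFILE), ("fixed", FIXED_PROFILE)):
        print(f"{name}:")
        for finding in audit_split_tunnel(profile) or ["ok"]:
            print(f"  - {finding}")
```

Run it against a copy of a profile from /etc/NetworkManager/system-connections/ (root-readable) before activating the connection; the findings map directly onto the `nmcli connection modify` options discussed in the thread (ipv4.never-default, ipv4.routes, ipv4.dns, ipv4.dns-search, ipv4.dns-priority).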