Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?



Hello again:)

I don't know why this would be needed, but I noticed this can be worked around by pushing the route towards the server-ipv6 subnet from the openvpn server, with the directive:

push "route-ipv6 2001:bc8:3d1d:1337::/64"

I can totally live with that, but is it the expected behaviour? If so, why does it differ from starting openvpn manually from the cli or even as a systemd openvpn-client@.service?

Thanks in advance!

samuel

On Tue, 2021-06-01 at 13:27 +0000, Samuel Le Thiec via networkmanager-list wrote:
Note: sorry for the potential duplicate email, I sent it before & after having registered to the list!

Hello all,

I have a working openvpn config (see below) which I can't get to fully work with Network
Manager: the private IPv6 network is not accessible when connecting to the VPN with NM(*).

Here is what I get for tun0 when connecting with NM:

--------
$ ip a l tun0
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
group default qlen 500
    link/none
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global
noprefixroute
       valid_lft forever preferred_lft forever
--------

When connecting with systemd or via the command line (sudo openvpn --config vpn.conf) :
--------
$ ip a l tun0                                                                           
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
group default qlen 500
    link/none                                                                           
    inet 10.66.6.4/24 scope global tun0                                                 
       valid_lft forever preferred_lft forever                                          
    inet6 2001:bc8:3d1d:1337::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
--------

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my trafic routed through the vpn, I did check "Use this
connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Here is additionnal informations:

--------
$ nmcli device show tun0
GENERAL.DEVICE:                         tun0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         (unknown)
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     tun0
GENERAL.CON-PATH:                     
/org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]:                         10.66.6.4/24
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]:                         2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:                           dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt =
50
IP6.ROUTE[3]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
--------

And the openvpn client config I imported from NM (minus the certs&keys):
   | client
   | dev tun
   | # try standard port first
   | remote hub.nsoc.fr
   | remote hub.nsoc.fr 53
   | ping 25
   | ping-restart 120
   | persist-key
   | persist-tun
   | tls-version-min 1.3
   | remote-cert-tls server
   | mute-replay-warnings
   |
   | askpass
   | verb 3
   |
   | <ca></ca>
   | <cert></cert>
   | <key></key>
   | <tls-crypt-v2></tls-crypt-v2>


Thank you in advance!

Samuel

_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]