Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?



On Tue, 2021-06-01 at 21:52 +0000, Samuel Le Thiec via networkmanager-list wrote:


On Tue, 2021-06-01 at 13:27 +0000, Samuel Le Thiec via networkmanager-list wrote:
Note: sorry for the potential duplicate email, I sent it before & after having
registered to the list!

Hello all,

I have a working openvpn config (see below) which I can't get to fully work with Network
Manager: the private IPv6 network is not accessible when connecting to the VPN with
NM(*).

Here is what I get for tun0 when connecting with NM:

--------
$ ip a l tun0
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
--------

When connecting with systemd or via the command line (sudo openvpn --config vpn.conf) :
--------
$ ip a l tun0
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
--------

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my traffic routed through the VPN, I did check "Use this
connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Hello again:)

I don't know why this would be needed, but I noticed this can be worked around by
pushing the route towards the server-ipv6 subnet from the openvpn server, with the
directive:

push "route-ipv6 2001:bc8:3d1d:1337::/64"



For a moment I thought that Network Manager may be assuming a point-to-point topology for
the VPN instead of the "topology subnet" as specified in the server.conf, so I did try to
'push "topology subnet"' to the clients, but it didn't help: without the 'push "route-ipv6
.."' above, the client is still missing the route to the subnet.


I can totally live with that, but is it the expected behaviour? If so, why does it
differ from starting openvpn manually from the cli or even as a systemd
openvpn-client@.service?

Thanks in advance!

samuel



Here is some additional information:

--------
$ nmcli device show tun0
GENERAL.DEVICE:                         tun0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         (unknown)
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     tun0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]:                         10.66.6.4/24
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]:                         2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:                           dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
--------

And the openvpn client config I imported from NM (minus the certs&keys):
   | client
   | dev tun
   | # try standard port first
   | remote hub.nsoc.fr
   | remote hub.nsoc.fr 53
   | ping 25
   | ping-restart 120
   | persist-key
   | persist-tun
   | tls-version-min 1.3
   | remote-cert-tls server
   | mute-replay-warnings
   |
   | askpass
   | verb 3
   |
   | <ca></ca>
   | <cert></cert>
   | <key></key>
   | <tls-crypt-v2></tls-crypt-v2>


Thank you in advance!

Samuel
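As an added diagnostic (not part of the original post or of NetworkManager/OpenVPN): a small parser for the two `ip a l tun0` listings quoted above that tells the point-to-point ("peer") form NM installs from the subnet form the CLI installs, and derives the prefix for the `route-ipv6` push workaround described in the thread. The sample inputs are constructed copies of those listings; `analyse_tun_ipv6` and `suggested_push` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed samples modelled on the thread's two `ip a l tun0` listings.
NM_OUTPUT = """\
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
"""
CLI_OUTPUT = """\
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
"""

# Matches "inet6 ADDR/PLEN scope X" as well as "inet6 ADDR peer PEER/PLEN scope X".
INET6_RE = re.compile(
    r"^\s*inet6\s+(?P<addr>[0-9a-f:]+)(?:/(?P<plen>\d+))?"
    r"(?:\s+peer\s+(?P<peer>[0-9a-f:]+)/(?P<peerlen>\d+))?\s+scope\s+(?P<scope>\w+)",
    re.I | re.M,
)


def analyse_tun_ipv6(ip_addr_output):
    """Return (topology, prefix) for the first scope-global inet6 address."""
    for m in INET6_RE.finditer(ip_addr_output):
        if m["scope"] != "global":
            continue  # ignore link-local fe80:: entries
        if m["peer"]:
            # Peer form: as the nmcli output in the thread shows, only /128 host
            # routes are present, so the /64 itself is not reachable on-link.
            net = ipaddress.ip_interface(f"{m['peer']}/{m['peerlen']}").network
            return "peer", str(net)
        net = ipaddress.ip_interface(f"{m['addr']}/{m['plen']}").network
        return "subnet", str(net)
    return None, None


def suggested_push(ip_addr_output):
    """Server-side directive from the thread that restores the missing /64 route."""
    topo, prefix = analyse_tun_ipv6(ip_addr_output)
    return f'push "route-ipv6 {prefix}"' if topo == "peer" else None
```

Feed it the output of `ip a l tun0` from a connected client: a "peer" result explains the missing subnet route, and the returned line is the push directive the thread used as a workaround.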

_______________________________________________
networkmanager-list mailing list
networkmanager-list gnome org
https://mail.gnome.org/mailman/listinfo/networkmanager-list

