Package: network-manager-openvpn
Version: 1.2.4-1
Severity: important

Dear Maintainer,

* What led up to the situation?

Connecting to VPN network using OpenVPN plugin with disabled default route over VPN setting.

* What was the outcome of this action?

Routing table before establishing VPN connection:

infestator@inftop ~ $ ip route
default via 192.168.1.1 dev wlan0 proto static metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.134 metric 600

Network Manager log for connection:

Sep 26 12:07:55 inftop nm-openvpn[8246]: TUN/TAP device tun0 opened
Sep 26 12:07:55 inftop nm-openvpn[8246]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 8241 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_11 --tun -- tun0 1500 1544 172.18.152.6 255.255.255.0 init
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8321] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/10)
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8380] devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8383] device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8437] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",0]: VPN connection: (IP Config Get) reply received.
Sep 26 12:07:55 inftop nm-openvpn[8246]: GID set to nogroup
Sep 26 12:07:55 inftop nm-openvpn[8246]: UID set to nobody
Sep 26 12:07:55 inftop nm-openvpn[8246]: Initialization Sequence Completed
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8446] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: VPN connection: (IP4 Config Get) reply received
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8460] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: VPN Gateway: 89.22.4.2
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8460] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Tunnel Device: "tun0"
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8460] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: IPv4 configuration:
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8460] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Internal Gateway: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8460] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Internal Address: 172.18.152.6
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Internal Prefix: 24
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Internal Point-to-Point Address: 172.18.152.6
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Maximum Segment Size (MSS): 0
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 10.64.255.0/24 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 11.0.0.0/8 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 64.151.85.176/28 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 69.59.168.184/32 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 69.59.168.185/32 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 69.59.168.186/32 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 69.59.168.187/32 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 69.59.174.65/32 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8461] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 172.16.0.0/12 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 173.1.54.208/28 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 173.1.205.0/25 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 173.204.123.128/25 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 204.51.129.144/28 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 204.51.236.0/25 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 208.113.72.160/28 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 208.113.76.160/27 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 216.121.3.128/25 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Static Route: 216.121.43.192/26 Next Hop: 172.18.152.1
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8462] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Forbid Default Route: yes
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8463] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: Internal DNS: 172.18.144.232
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8463] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: DNS Domain: '(none)'
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8463] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: Data: No IPv6 configuration
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8463] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: VPN plugin: state changed: started (4)
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8473] vpn-connection[0x2947700,42458014-f0aa-49df-8926-8c3ef358bc91,"lupus",11:(tun0)]: VPN connection: (IP Config Get) complete
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8475] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8845] keyfile: add connection in-memory (ee5fde1c-3906-44e9-97d4-312f74d8c708,"tun0")
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8855] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.8867] device (tun0): Activation: starting connection 'tun0' (ee5fde1c-3906-44e9-97d4-312f74d8c708)
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9004] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9013] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9019] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9021] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9026] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9028] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
Sep 26 12:07:55 inftop NetworkManager[2941]: <info> [1474880875.9267] device (tun0): Activation: successful, device activated.

Routing table after establishing connection:

infestator@inftop ~ $ ip route
default via 192.168.1.1 dev wlan0 proto static metric 600
89.22.4.2 via 192.168.1.1 dev wlan0 proto static metric 600
172.18.152.0/24 dev tun0 proto kernel scope link src 172.18.152.6 metric 50
173.1.205.0/25 via 172.18.152.1 dev tun0 proto static metric 50
173.204.123.128/25 via 172.18.152.1 dev tun0 proto static metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.134 metric 600
192.168.1.1 dev wlan0 proto static scope link metric 600
204.51.129.144/28 via 172.18.152.1 dev tun0 proto static metric 50
204.51.236.0/25 via 172.18.152.1 dev tun0 proto static metric 50
208.113.72.160/28 via 172.18.152.1 dev tun0 proto static metric 50
208.113.76.160/27 via 172.18.152.1 dev tun0 proto static metric 50
216.121.3.128/25 via 172.18.152.1 dev tun0 proto static metric 50
216.121.43.192/26 via 172.18.152.1 dev tun0 proto static metric 50

You may see that 172.16.0.0/12, 11.0.0.0/8, 64.151.85.176/28 and all /32 routes are missing. However, there is one route, 172.18.152.0/24, which does not come from VPN DHCP, and the 89.22.4.2 route, which is not necessary when setting the default route through VPN is turned off.

* What outcome did you expect instead?

I expect to see all routes which are pushed by the DHCP server in the routing table after the connection is established.

* What exactly did you do (or not do) that was effective (or ineffective)?

1. Testing (1.2.4) and unstable (1.4.0) versions of Network Manager do not change the behavior.
2. Trying to manually add the 172.16.0.0/12 route (using GNOME Network Setup UI) does not affect anything.
3. [Workaround] Adding separate routes to the 172.16.0.0/16, 172.17.0.0/16 and 172.18.0.0/18 networks solves the problem partially. It is not easy to add 256 routes to the 11.0.0.0/8 network using the UI, but it is possible. Also, /32 routes are not added in any way.
4. [Workaround] Setting the default route through 172.18.152.1 also makes VPN resources accessible (local resources become not accessible at all).

Thanks,
Alex

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages network-manager-openvpn depends on:
ii  adduser          3.115
ii  libc6            2.23-5
ii  libglib2.0-0     2.49.6-1
ii  libnm0           1.4.0-4
ii  network-manager  1.4.0-4
ii  openvpn          2.3.11-2

network-manager-openvpn recommends no packages.

network-manager-openvpn suggests no packages.

-- no debconf information
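
A check for the symptom reported above, as an added example (not part of the original report and not NetworkManager code): it compares the "Static Route" lines in the log with `ip route` output and lists pushed networks that no route on the tunnel device covers, which is the traffic that would follow the default route outside the VPN. The function names and the abridged sample data are assumptions of this example.

```python
import ipaddress
import re

# NetworkManager logs each pushed route as "Static Route: <net> Next Hop: <gw>".
PUSHED_RE = re.compile(r"Static Route:\s+(\S+)\s+Next Hop:\s+\S+")

def pushed_routes(log_text):
    """Networks the VPN plugin reported to NetworkManager, per the log."""
    return {ipaddress.ip_network(m.group(1), strict=False)
            for m in PUSHED_RE.finditer(log_text)}

def installed_routes(ip_route_text, dev):
    """Networks in `ip route` output whose egress device is `dev`."""
    nets = set()
    for line in ip_route_text.splitlines():
        f = line.split()
        if "dev" not in f[:-1] or f[f.index("dev") + 1] != dev:
            continue
        try:
            nets.add(ipaddress.ip_network(f[0], strict=False))
        except ValueError:  # "default", "unreachable", ...
            continue
    return nets

def missing_routes(log_text, ip_route_text, dev="tun0"):
    """Pushed networks that no route on `dev` covers, sorted, as strings."""
    installed = installed_routes(ip_route_text, dev)
    gone = [n for n in pushed_routes(log_text)
            if not any(n.version == i.version and n.subnet_of(i)
                       for i in installed)]
    return [str(n) for n in sorted(gone, key=lambda n: (n.version, n))]

# Constructed sample: abridged from the log and routing table in the report.
SAMPLE_LOG = """\
Data: Static Route: 11.0.0.0/8 Next Hop: 172.18.152.1
Data: Static Route: 69.59.168.184/32 Next Hop: 172.18.152.1
Data: Static Route: 172.16.0.0/12 Next Hop: 172.18.152.1
Data: Static Route: 173.1.205.0/25 Next Hop: 172.18.152.1
Data: Static Route: 204.51.236.0/25 Next Hop: 172.18.152.1
"""
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto static metric 600
89.22.4.2 via 192.168.1.1 dev wlan0 proto static metric 600
172.18.152.0/24 dev tun0 proto kernel scope link src 172.18.152.6 metric 50
173.1.205.0/25 via 172.18.152.1 dev tun0 proto static metric 50
204.51.236.0/25 via 172.18.152.1 dev tun0 proto static metric 50
"""
if __name__ == "__main__":
    print(missing_routes(SAMPLE_LOG, SAMPLE_IP_ROUTE))
```

On a live system, feed it the journal text for the VPN activation and the output of `ip route` captured right after the connection comes up.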