-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, 2021-02-03 at 12:25 +0100, Thomas Haller wrote:
> On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager-
> list wrote:
> > Hello NM folks,
> >
> > I'm running into a problem converting an OpenVPN "full" tunnel
> > configuration to
> > a split tunnel configuration. I've received an .ovpn file from a
> > client which,
> > by default, routes all my traffic through their VPN. I want to
> > configure my VPN
> > connection such that only traffic to/from resources within their
> > network are
> > routed through the VPN, and all other traffic is routed through
> > whatever network
> > I'm currently on.
> >
> > I'm running:
> > - openSUSE Tumbleweed with Gnome
> > - Network Manager 1.28.0
> > - NM OpenVPN Gnome plugin 1.8.12
> >
> > I can modify the connection profile to route traffic to publicly
> > accessible IP
> > addresses through the VPN by manually setting the ipv4.dns and
> > ipv4.routes
> > options using nmcli. I'm able to modify the VPN connection profile as
> > follows,
> > which allows me to access publicly resolvable resources.
> >
> > # nmcli connection modify <split> ignore-auto-dns=true
> > # nmcli connection modify <split> dns=<local dns> <- Current LAN
> > DNS
> > # nmcli connection modify <split> +ipv4.routes <host-ip-A/32> <-
> > public
> > # nmcli connection modify <split> +ipv4.routes <host-ip-B/32> <-
> > private
> >
> > By public/private here I mean I can access host-A with these options
> > because my
> > LAN DNS can resolve the IP address, meanwhie host-B is unresolvable
> > and I can't
> > figure out why.
> >
> > Connected to the full tunnel shows the following nslookup output for
> > an
> > "internal" host:
> >
> > $ nslookup <the host>
> > Server: 8.8.8.8
> > Address: 8.8.8.8#53
> >
> > Non-authoritative answer:
> > Name: <the host>
> > Address: 10.243.a.b
> > Name: <the host>
> > Address: 10.243.c.d
> > Name: <the host>
> > Address: 10.243.e.f
> >
> > If I'm connected to the "full" tunnel, inspecting the connection
> > profile returns
> > the following. I think the "IP4.ROUTE[1]" line means that all traffic
> > is being
> > sent through their gateway.
> >
> >
> > $ nmcli connection show "Client VPN (Full)"
> > GENERAL.NAME: Client VPN (Full)
> > GENERAL.UUID: 6a647d45-1740-4a49-81d1-
> > 6d49f5631a40
> > GENERAL.DEVICES: wlp0s20f3
> > GENERAL.IP-IFACE: wlp0s20f3
> > GENERAL.STATE: activated
> > GENERAL.DEFAULT: yes
> > GENERAL.DEFAULT6: no
> > GENERAL.SPEC-OBJECT:
> > /org/freedesktop/NetworkManager/ActiveConnection/2
> > GENERAL.VPN: yes
> > GENERAL.DBUS-PATH:
> > /org/freedesktop/NetworkManager/ActiveConnection/49
> > GENERAL.CON-PATH:
> > /org/freedesktop/NetworkManager/Settings/29
> > GENERAL.ZONE: --
> > GENERAL.MASTER-PATH:
> > /org/freedesktop/NetworkManager/Devices/3
> > IP4.ADDRESS[1]: a.b.c.d/23
> > IP4.GATEWAY: a.b.c.1
> > IP4.ROUTE[1]: dst = 0.0.0.0/0, nh =
> > a.b.c.1, mt = 50
> > IP4.ROUTE[2]: dst = a.b.c.d/23, nh =
> > 0.0.0.0, mt = 50
> > IP4.DNS[1]: a.b.c.d
> > IP4.DNS[2]: a.b.c.d
> > IP4.DOMAIN[1]: <company.com>
> > VPN.TYPE: openvpn
> > VPN.USERNAME: <my username>
> > VPN.GATEWAY: a.b.c.d:1194:udp,
> > a.b.c.d:443:tcp
> > VPN.BANNER: --
> > VPN.VPN-STATE: 5 - VPN connected
> > VPN.CFG[1]: ca = /home/chris/.cert/nm-
> > openvpn/client-ca.pem
> > VPN.CFG[2]: cert = /home/chris/.cert/nm-
> > openvpn/client-cert.pem
> > VPN.CFG[3]: cert-pass-flags = 0
> > VPN.CFG[4]: cipher = AES-256-CBC
> > VPN.CFG[5]: comp-lzo = no-by-default
> > VPN.CFG[6]: connect-timeout = 4
> > VPN.CFG[7]: connection-type = password-
> > tls
> > VPN.CFG[8]: dev = tun
> > VPN.CFG[9]: dev-type = tun
> > VPN.CFG[10]: key = /home/chris/.cert/nm-
> > openvpn/client-key.pem
> > VPN.CFG[11]: ns-cert-type = server
> > VPN.CFG[12]: password-flags = 1
> > VPN.CFG[13]: remote = a.b.c.d:1194:udp,
> > a.b.c.d:443:tcp
> > VPN.CFG[14]: reneg-seconds = 604800
> > VPN.CFG[15]: ta = /home/chris/.cert/nm-
> > openvpn/client-tls-auth.pem
> > VPN.CFG[16]: ta-dir = 1
> > VPN.CFG[17]: username = <my-username>
> >
> >
> > Is there anything I can do to fix this configuration and route only
> > private/internal traffic through the VPN?
>
>
> Hi,
>
> I think routing and DNS are mostly independent things.
>
>
> Setting up routing so that only a certain subnet is reached via the VPN
> is usually simple. Possibly also configure ipv4.never-default=yes.
>
> Check the resulting routing table (after activating the VPN) with `ip
> route` to confirm that it's right.
>
> check that you can reach the right hosts with `ping $IP_ADDRESS` and
> `traceroute -n $IP_ADDRESS`.
>
>
> About DNS. If you don't enable split DNS (either dns=dnsmasq or
> dns=systemd-resolved in `man NetworkManager.conf`), then all DNS
> servers are equal. In that case, you probably would want that the DNS
> server via the VPN is always consulted, because the public DNS server
> cannot resolve internal names. You'd do that by setting ipv4.dns-
> priority to a negative value.
>
> If you have split DNS, the search domains act like "routes" for
> lookups. In that case, you can have company.com search domain via the
> VPN and the default otherwise. Again, ipv4.dns-priority may also be
> relevant in that setup...
>
>
>
>
> best,
> Thomas
Hi,
I think I came up with a solution that solves my routing problem by using
dispatcher hooks. Some of the domains are only resolvable while connected to the
VPN, which means I can't know what they are until the connection is established
- - this rules out the pre-up hooks. Instead, I 'reset' the nm configuration
every
time the particular VPN is turned off.
#!/usr/bin/env bash
DEVICE="$1"
COMMAND="$2"
echo Device: "$DEVICE"
echo Command: "$COMMAND"
echo UUID: "$CONNECTION_UUID"
if [[ "$CONNECTION_UUID" == "my-uuid" ]]
then
echo 'Found carnext_split VPN'
declare -a domains=(
# publicly accessible domains owned by company.com
"subA.company.com"
"subB.company.com"
# Private domains only resolvable from within network
"subA.provider1.com"
"subB.provider1.com"
)
case "$2" in
"vpn-pre-down")
echo Resetting routes
nmcli connection modify "$CONNECTION_UUID" ipv4.routes
''
nmcli connection modify "$CONNECTION_UUID" ipv6.routes
''
for domain in "${domains[@]}"; do
resolvectl query "$domain" | grep -oP
'(\d{1,3}(\.\d{1,3}){3})' | xargs -i echo {}/32
done | sort -n | xargs -n1 nmcli connection modify
"$CONNECTION_UUID" +ipv4.routes
;;
esac
fi
Thanks,
Chris
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEss2dENO/PTuA9NTTOdNgxkl4+QMFAmAcrAUACgkQOdNgxkl4
+QNI0Q/9FTyjgo5FgIFDv7MjO6PdjMwhoYVsbW0y3hF1bcnZPKkLjkAYTTX5DFKS
2lxPmRPBZvnwCGFcPdm1SdQfiySu6UXFFfTkn/+ArKAIk8+PQYgn/btohCZHeIRU
qDyowtfrPx1f66GSLgEUpCaHNI4sixP8kEkqzhbCZRAmYmkDq6fjnlZ7pMjDJubO
fL+CunYzR5hMM4uqWZYPd7rgxs3uW0T207kYGMaFAMSWdsw/d4Rc/loWZg3ZRHev
W/+BOOeSNK8f3t50Vy1gerSmDOAh8eDIZkwNaElT+D9g6el2+RiOuDB/mHHCmXSn
JlzcJMorLvidNoBrzkDY6w/MZ09EDQQ6q9H7GYepvXdvWo8W0tgq+cd2b/1vACgq
LBURr/A0uo+I8l7/bVFC1LcLv0bjLj6EcDcJiR7zcVXQ0O81ehdB7yPtAnD9CjiR
bHgdwdFZxxaGI8UU0+aPpNsGQt1Puxmy+7k62gNR7nYF1B3FJRQji1FyO4vdwOkJ
Snfo3hc+rO1DF816rSh1usxEFdZayCXJaZUCv+cn0+RWzt68n2+QKFW94C057LuH
YiLc6Bd8eheoP0I55+vBUVBFSMRrfKUicO+MmwAatfcpTG0dlQhHTwJ7WhNgCrm9
/HvaUMajnembe3krOQNjVPGI+XAWtsYeamc3dCY1WIdQbLh3cv8=
=bsGC
-----END PGP SIGNATURE-----
_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
