Public bug reported:

I may be missing something, but I have done as much testing as I can
think of and have come up with the following:

OpenVPN Server v2.3.10-1ubuntu2 on Ubuntu Server 16.04.1 LTS 64bit
OpenVPN Client v2.3.10-1ubuntu2 on Ubuntu MATE 16.04 LTS 64bit
network-manager-openvpn-gnome version v1.1.93-1ubuntu1

When running OpenVPN from the CLI, and the server.conf instructs the
client to remove the default gateway and replace it with the tun0
adapter, it does as expected. However, using the same client.ovpn file
imported into the GUI does not remove the existing default gateway; it
simply moves it down the routing order. This can (and does) create a
routing leak on secure systems. Detailed info:

192.168.8.1 = local router (dirty router)
10.8.0.1    = vpn server tun adapter (gateway)
10.8.0.5    = laptop tun adapter address
12.34.56.78 = vpn server public internet address

# Connected to the dirty router, no VPN
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG    600    0        0 wlp2s0
192.168.8.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0

# Connected to the OpenVPN using command line version 2.3.10-1ubuntu2
# sudo openvpn --config /path/to/client.ovpn
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   0      0        0 wlp2s0

# Connected to the OpenVPN using network-manager-openvpn-gnome version 1.1.93-1ubuntu1
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.8.1     0.0.0.0         UG    600    0        0 wlp2s0 <== this entry is creating a routing leak
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   600    0        0 wlp2s0


Here is the relevant section of the server.conf:
push "redirect-gateway bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Note that the above does not include the 'def1' option in the push
redirect-gateway command, so the client is supposed to delete any
existing default gateways and install only the VPN default gateway. This
is the only way to be sure that 1) all traffic goes over the VPN, and 2)
when the client disconnects, the internet connection is severed and it's
much less likely that you accidentally lose your VPN and continue
transmitting unencrypted.

** Affects: network-manager-openvpn (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager-openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1643042

Title:
  GUI Not Honoring Default GW Removal

Status in network-manager-openvpn package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1643042/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

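A practical check for the leak described in the report, as an added example written for this page (it is not code from the bug report, from OpenVPN or from network-manager-openvpn): a POSIX shell function that reads a routing table in either `route -n` or `ip route show` format and flags any default route that does not go through the VPN interface. It goes one step beyond the report by also recognising the `def1` layout (two /1 half-routes on the VPN interface that deliberately shadow the original default rather than delete it), so that a def1 setup is reported as shadowed instead of leaking. The function name `check_default_route` and the `DEF1_TABLE` sample are assumptions; the other two sample tables are transcribed from the report above.

```shell
#!/bin/sh
# Added example (not from the bug report or network-manager-openvpn):
# report "leaked" default routes, i.e. default routes that bypass the
# VPN interface.  Reads `route -n` or `ip route show` output on stdin.
#
# Usage:  route -n | check_default_route tun0
#         ip route show | check_default_route tun0
# Exit 0 when every default route goes through the VPN interface or is
# shadowed by the two def1 half-routes; exit 1 when a leak is found.
check_default_route() {
    awk -v vpn="$1" '
        # route -n rows: Destination Gateway Genmask Flags Metric Ref Use Iface.
        # A real default has Genmask 0.0.0.0; def1 uses Genmask 128.0.0.0.
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { add($8, $2, $5); next }
        ($1 == "0.0.0.0" || $1 == "128.0.0.0") && $3 == "128.0.0.0" {
            if ($8 == vpn) half++; next
        }
        # ip route rows: "default via GW dev IF [proto X] metric N" and the
        # def1 pair "0.0.0.0/1 ..." / "128.0.0.0/1 ...".
        $1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            gw = "-"; dev = "-"; metric = "-"
            for (i = 2; i < NF; i++) {
                if ($i == "via")    gw     = $(i + 1)
                if ($i == "dev")    dev    = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            if ($1 == "default") add(dev, gw, metric)
            else if (dev == vpn) half++
            next
        }
        function add(d, g, m) {
            n++; D[n] = d; G[n] = g; M[n] = m
            if (d == vpn) vpn_default = 1
        }
        END {
            leaks = 0
            for (i = 1; i <= n; i++) {
                if (D[i] == vpn) continue
                if (half >= 2)
                    printf "OK: default via %s dev %s metric %s is shadowed by def1 half-routes on %s\n", G[i], D[i], M[i], vpn
                else {
                    printf "LEAK: default via %s dev %s metric %s\n", G[i], D[i], M[i]
                    leaks++
                }
            }
            if (!vpn_default && half < 2) {
                printf "LEAK: no default route through %s\n", vpn
                leaks++
            }
            exit (leaks > 0)
        }
    '
}

# Constructed sample inputs.  CLI_TABLE and GUI_TABLE are transcribed from
# the report (12.34.56.78 is the reporter's placeholder); DEF1_TABLE is an
# `ip route` style table made up here to show the def1 layout.
CLI_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   0      0        0 wlp2s0'

GUI_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.8.1     0.0.0.0         UG    600    0        0 wlp2s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   600    0        0 wlp2s0'

DEF1_TABLE='0.0.0.0/1 via 10.8.0.5 dev tun0 metric 50
default via 192.168.8.1 dev wlp2s0 proto static metric 600
12.34.56.78 via 192.168.8.1 dev wlp2s0 metric 600
128.0.0.0/1 via 10.8.0.5 dev tun0 metric 50'

# Stand-alone demo: only the GUI table should be reported as leaking.
for name in CLI_TABLE GUI_TABLE DEF1_TABLE; do
    eval "table=\$$name"
    echo "== $name"
    if printf '%s\n' "$table" | check_default_route tun0; then
        echo "   result: clean"
    else
        echo "   result: LEAK (exit status $?)"
    fi
done
```

The metric on the leaked route (600 versus 50 for tun0) is why the GUI setup looks fine while the tunnel is up: the kernel prefers the lower metric, and the wlp2s0 default only takes over once tun0 disappears, which is exactly the fail-open behaviour the reporter wants to avoid. Run the check from an OpenVPN `--up` script or after NetworkManager reports the connection active, and treat any `LEAK:` line as a reason to tear the connection down rather than continue.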