On Mon, 2020-09-28 at 16:40 -0500, Michael Catanzaro wrote:
> On Mon, Sep 28, 2020 at 5:18 pm, Chuck Anderson <c...@alum.wpi.edu> 
> wrote:
> > I think the VPN plugin and VPN server have some input, no?  All the
> > VPN servers I've used send routes to the VPN client to determine
> > which traffic the client should send via the VPN.  How does that
> > interact with "use this connection only for resources on its
> > network"?  Does the user preference take precedence over the VPN
> > server-provided routes?  What if the VPN server doesn't send any
> > route other than 0.0.0.0/0?
> 
> Good question! So good that I don't know the answer. Yes, the VPN
> plugin indeed gets to make decisions based on configuration pushed by
> the VPN server. The NetworkManager developers are experts in how
> these settings interact. I *think* the routes provided by the VPN take
> precedence over the checkbox (but only for routing, not for DNS)?
> But this would certainly be good to document and explore more fully.

If you check "Use this connection..." then NetworkManager will:

(a) never set the default route through the VPN
(b) enable split DNS using the VPN-provided (or manually configured)
DNS search domains

If you do not check that box, then the VPN will become the default
route and all your non-local traffic will be sent to it.

Unfortunately you cannot rely on VPNs to "do the right thing" and
always pass back 0.0.0.0 when they want all the traffic. Plus the user
may not want to pass all traffic to the VPN, regardless of what the VPN
wants. If you have a corporate laptop and the company wants all your
data to go through the VPN, then that laptop is presumably well-managed 
and the IT admin will enforce that "Use this connection..." is
unchecked.

Dan

> This is actually at issue in
> https://bugzilla.redhat.com/show_bug.cgi?id=1863041 where we
> currently wind up doing the wrong thing by default. See e.g. comment
> #81 where the VPN plugin is constructing routing information to pass
> to NetworkManager.
> 
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: 
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
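
An added example, not part of the thread or of NetworkManager's own code: a check an admin could run over VPN profiles to confirm the "Use this connection..." box is in the state policy requires. NetworkManager stores that checkbox as the `never-default` property of the profile's `ipv4` and `ipv6` settings; the sample keyfiles and the function names `never_default` and `audit` are constructed for illustration, and only `type=vpn` profiles are considered.

```python
import configparser

# Constructed sample profile in NetworkManager keyfile format (not from the thread).
SPLIT_TUNNEL = """\
[connection]
id=corp-vpn
type=vpn

[ipv4]
never-default=true
dns-search=corp.example;

[ipv6]
method=auto
"""
# Same profile with the box unchecked: the key is simply absent.
FULL_TUNNEL = SPLIT_TUNNEL.replace("never-default=true\n", "")


def never_default(keyfile_text):
    """Return {'ipv4': bool, 'ipv6': bool} for a VPN profile, None otherwise."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if cp.get("connection", "type", fallback="") != "vpn":
        return None
    # An absent key means false: the VPN is allowed to become the default route.
    return {
        fam: cp.get(fam, "never-default", fallback="false").strip().lower() in ("true", "1")
        for fam in ("ipv4", "ipv6")
    }


def audit(profiles, require_full_tunnel=True):
    """Return (profile name, address family) pairs that contradict the policy."""
    findings = []
    for name, text in profiles.items():
        flags = never_default(text)
        if flags is None:
            continue  # not a VPN profile
        for fam, split in flags.items():
            if split == require_full_tunnel:
                findings.append((name, fam))
    return findings
```

With `require_full_tunnel=True` the audit reports every address family where the VPN can never take the default route, which is the setting a managed laptop is expected to keep unchecked.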