Casey Harkins wrote:
> Jon Escombe wrote:
>> ----- "Casey Harkins" <[EMAIL PROTECTED]> wrote:
>>
>>> I don't think openvpn should be trying to set up routes unless specific
>>> options are being passed (--route, --route-gateway), but I could be
>>> wrong. Either way, there's no harm in passing that option.
>>>
>>
>> Could be, my gateway etc is pushed from the server options so that
>> might be enough to prompt it. Here it sets up a specific route to the
>> vpn server, and then sets up the default route via the gateway
>> address I'm pushing (see below). I've added the --route-noexec option
>> to nm-openvpn-service and that definitely stops all three 'ip route'
>> commands. NM at this point correctly sets up the route to the vpn
>> server, and changes the default route - just doesn't include the
>> remote gateway..
>>
>
>
> So, let's do this symbolically rather than with IP addresses:
>
> VPN_SERVER: public ip of vpn server
>   This appears to be called "gateway" in vpnc and "remote" in openvpn.
>   NM needs to establish a route to this ip over the underlying network
>   connection. For openvpn, this ip is also returned in the "trusted_ip"
>   env var and getting passed back to NM as the IP_CONFIG_GATEWAY.
>
> VPN_GATEWAY: gateway for vpn routed traffic
>   This is what the vpn server is returning for a gateway for the vpn'ed
>   traffic. This is in the "route_vpn_gateway" for openvpn, but is not
>   being handled currently. For vpnc, it looks like this is "VPNGATEWAY"
>   and is getting passed back to NM as the IP4_CONFIG_GATEWAY. NM should
>   be using this as the gateway for the default route (if all traffic is
>   going to be routed over the vpn).
>
> What I'm seeing is that NM is using IP4_CONFIG_GATEWAY to maintain a
> route to the vpn server, and not specifying a gateway for the default
> route. I presume this needs to be changed and we either need an
> additional IP4_CONFIG variable for specifying the VPN_SERVER or vpn
> plugins need to push a route to the VPN_SERVER to NM.
>
> Does this make sense?
>
> -casey

Yes, that matches my understanding of how I think it should work.

For info - I've just tested a server config that doesn't push a gateway
down, and can confirm that the openvpn client doesn't set the
route_vpn_gateway environment variable or attempt any routing in this case.

Regards,
Jon

_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
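The VPN_SERVER / VPN_GATEWAY split described in the thread, including the case where the server pushes no gateway, as an added example that is not part of the original messages or of NetworkManager's code. `trusted_ip` and `route_vpn_gateway` are the openvpn environment variables named above; `plan_vpn_routes`, `is_ipv4`, their arguments and the sample addresses are hypothetical, and the function only prints the `ip route` commands it would use.

```shell
#!/bin/sh
# Added example: build a route plan from the two addresses openvpn reports.
# Nothing here changes the routing table; the commands are only printed.

# Accept strict dotted-quad IPv4 only, so a value taken from the
# environment can never carry anything but an address into a command.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# $1 = gateway of the underlying (pre-VPN) connection, $2 = tunnel device.
plan_vpn_routes() {
    underlying_gw=$1
    dev=$2
    # Validate everything before emitting anything: a half-applied plan
    # is worse than none.
    is_ipv4 "${trusted_ip:-}" || { echo "bad trusted_ip" >&2; return 1; }
    is_ipv4 "$underlying_gw" || { echo "bad underlying gateway" >&2; return 1; }
    case "$dev" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad device name" >&2; return 1 ;;
    esac
    if [ -n "${route_vpn_gateway:-}" ]; then
        is_ipv4 "$route_vpn_gateway" || { echo "bad route_vpn_gateway" >&2; return 1; }
    fi
    # VPN_SERVER: host route over the underlying network, so the tunnel's
    # own packets are never routed into the tunnel.
    echo "ip route add ${trusted_ip}/32 via ${underlying_gw}"
    # VPN_GATEWAY: only present when the server pushed one. Without it the
    # default route is left alone rather than installed with no gateway.
    if [ -n "${route_vpn_gateway:-}" ]; then
        echo "ip route replace default via ${route_vpn_gateway} dev ${dev}"
    fi
}

# Constructed sample values (documentation address ranges).
trusted_ip=203.0.113.10
route_vpn_gateway=10.8.0.1
plan_vpn_routes 192.0.2.1 tun0
```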
