-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello NM folks,
I'm running into a problem converting an OpenVPN "full" tunnel configuration to a split tunnel configuration. I've received an .ovpn file from a client which, by default, routes all my traffic through their VPN. I want to configure my VPN connection such that only traffic to/from resources within their network is routed through the VPN, and all other traffic is routed through whatever network I'm currently on.

I'm running:

- openSUSE Tumbleweed with Gnome
- NetworkManager 1.28.0
- NM OpenVPN Gnome plugin 1.8.12

I can modify the connection profile to route traffic to publicly accessible IP addresses through the VPN by manually setting the ipv4.dns and ipv4.routes options using nmcli. I'm able to modify the VPN connection profile as follows, which allows me to access publicly resolvable resources.

  # nmcli connection modify <split> ignore-auto-dns=true
  # nmcli connection modify <split> dns=<local dns>             <- Current LAN DNS
  # nmcli connection modify <split> +ipv4.routes <host-ip-A/32>  <- public
  # nmcli connection modify <split> +ipv4.routes <host-ip-B/32>  <- private

By public/private here I mean I can access host-A with these options because my LAN DNS can resolve the IP address, meanwhile host-B is unresolvable and I can't figure out why.

Connected to the full tunnel, nslookup shows the following output for an "internal" host:

  $ nslookup <the host>
  Server:         8.8.8.8
  Address:        8.8.8.8#53

  Non-authoritative answer:
  Name:    <the host>
  Address: 10.243.a.b
  Name:    <the host>
  Address: 10.243.c.d
  Name:    <the host>
  Address: 10.243.e.f

If I'm connected to the "full" tunnel, inspecting the connection profile returns the following. I think the "IP4.ROUTE[1]" line means that all traffic is being sent through their gateway.
  $ nmcli connection show "Client VPN (Full)"
  GENERAL.NAME:                           Client VPN (Full)
  GENERAL.UUID:                           6a647d45-1740-4a49-81d1-6d49f5631a40
  GENERAL.DEVICES:                        wlp0s20f3
  GENERAL.IP-IFACE:                       wlp0s20f3
  GENERAL.STATE:                          activated
  GENERAL.DEFAULT:                        yes
  GENERAL.DEFAULT6:                       no
  GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/2
  GENERAL.VPN:                            yes
  GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/49
  GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/29
  GENERAL.ZONE:                           --
  GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/3
  IP4.ADDRESS[1]:                         a.b.c.d/23
  IP4.GATEWAY:                            a.b.c.1
  IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
  IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50
  IP4.DNS[1]:                             a.b.c.d
  IP4.DNS[2]:                             a.b.c.d
  IP4.DOMAIN[1]:                          <company.com>
  VPN.TYPE:                               openvpn
  VPN.USERNAME:                           <my username>
  VPN.GATEWAY:                            a.b.c.d:1194:udp, a.b.c.d:443:tcp
  VPN.BANNER:                             --
  VPN.VPN-STATE:                          5 - VPN connected
  VPN.CFG[1]:                             ca = /home/chris/.cert/nm-openvpn/client-ca.pem
  VPN.CFG[2]:                             cert = /home/chris/.cert/nm-openvpn/client-cert.pem
  VPN.CFG[3]:                             cert-pass-flags = 0
  VPN.CFG[4]:                             cipher = AES-256-CBC
  VPN.CFG[5]:                             comp-lzo = no-by-default
  VPN.CFG[6]:                             connect-timeout = 4
  VPN.CFG[7]:                             connection-type = password-tls
  VPN.CFG[8]:                             dev = tun
  VPN.CFG[9]:                             dev-type = tun
  VPN.CFG[10]:                            key = /home/chris/.cert/nm-openvpn/client-key.pem
  VPN.CFG[11]:                            ns-cert-type = server
  VPN.CFG[12]:                            password-flags = 1
  VPN.CFG[13]:                            remote = a.b.c.d:1194:udp, a.b.c.d:443:tcp
  VPN.CFG[14]:                            reneg-seconds = 604800
  VPN.CFG[15]:                            ta = /home/chris/.cert/nm-openvpn/client-tls-auth.pem
  VPN.CFG[16]:                            ta-dir = 1
  VPN.CFG[17]:                            username = <my-username>

Is there anything I can do to fix this configuration and route only private/internal traffic through the VPN?
Thanks in advance,
Chris

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEss2dENO/PTuA9NTTOdNgxkl4+QMFAmAahCoACgkQOdNgxkl4
+QPLVg//dWLtUH8GaRYom/+/A0e6iaqtQXxaDFVVxd7dZz4LiJ+t44dulXJewTuh
ahihGsh8kqRRcI2KXe/pn1wL7Srdiuutw5yzjEjnOV1eX+7P5u6L4alA6EGWvNl0
Bpn4tnXoFyeVsMLBuPtNBj5j37fR65watXQjxOUQsF7Yv+FHDbPmFP3s+vBOrBJ1
s72lTJB/zjd9vmENl7WiHVPSF6aTU1d149QLCaG+S1hwL95b10B1mcwN3An00YE3
GZOwtaPC4swP/AwqTOHu2XnSEt4lbb7tdrn1RygF1lK8Aa0091ybMjwBPDky0i9E
BiUg0Pe41OCB6XpMyHdiqnuAZvfexEEt2vqJ/+PDRj5KZRszPOfqGuhADLXgkoAA
RQkESuXBab14WeIuINliS+Zesw3w5I6Zhd9R9ea13vHY9cgoXWsUt8JBkoIxeWk5
POHdCtpN/yTDG53SZblgmVqhl9Y9iRbM+eqpAXY6/nmLJyJhAFmtKkUNrCZ4uNIr
zY7EGOQmM1YyKlI7NlFZXr0/JNPd7wmAquP0sOPuoiOGoBr7+WQJ9wZZ2j3Py6ku
FvZ3f02CVsiQAFmWOWaISQ2bypkgpoBxv6iqbEbZZG3b5zpWCFDms1qqA3olHV0J
cFD3VfMGnxdbNAJ3kroindqoJbg2Up6qd4nOoFImKcdDgkXf1mM=
=wWKH
-----END PGP SIGNATURE-----

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
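Editor's added example, not part of the message above and not code from NetworkManager or the nm-openvpn plugin: a small POSIX shell script that (a) checks a profile dump for the full-tunnel tell-tale the post points at, the IP4.ROUTE entry with dst = 0.0.0.0/0, and (b) prints, or with --apply runs, the nmcli commands that turn the profile into a split tunnel using ipv4.never-default, explicit ipv4.routes for the internal prefixes, and a routing-only ("~") DNS search domain so only internal names are sent to the VPN's resolver. The internal range 10.243.0.0/16 is an assumption generalised from the 10.243.x.x answers in the post; company.com is the pushed IP4.DOMAIN; a split-DNS backend (systemd-resolved or dnsmasq) is assumed for the DNS part.

```shell
#!/bin/sh
# Editor's added example; not code from the post or from NetworkManager.
# Prints (or with --apply runs) the nmcli commands that turn a full-tunnel
# OpenVPN profile into a split tunnel, and checks a profile dump for the
# full-tunnel tell-tale. Assumptions not stated in the post: the internal
# range behind the VPN is 10.243.0.0/16, the only internal domain is
# company.com, and the DNS backend is systemd-resolved or dnsmasq.

CON="Client VPN (Full)"   # profile name from the post
NETS="10.243.0.0/16"      # assumption: internal prefixes reachable via the VPN
DOMAIN="company.com"      # from IP4.DOMAIN[1] in the post

# Read "nmcli connection show <profile>" output on stdin and succeed if the
# VPN owns the default route, i.e. an IP4.ROUTE entry with dst = 0.0.0.0/0.
is_full_tunnel() {
    grep -q '^IP4\.ROUTE\[[0-9]*\]:.*dst = 0\.0\.0\.0/0'
}

# Emit the nmcli commands for a split tunnel.
# $1 profile name, $2 space-separated internal prefixes, $3 internal domain.
split_tunnel_cmds() {
    con=$1; nets=$2; domain=$3
    # Do not let the pushed redirect-gateway install 0.0.0.0/0 through the
    # tunnel. This is the "Use this connection only for resources on its
    # network" checkbox in the GNOME editor. Subnet routes the server pushes
    # are still accepted, so ignore-auto-routes is deliberately left alone.
    printf "nmcli connection modify '%s' ipv4.never-default yes\n" "$con"
    # Replace any hand-added /32 routes with the internal prefixes; routes
    # without a next hop use the VPN's own gateway.
    printf "nmcli connection modify '%s' ipv4.routes ''\n" "$con"
    for n in $nets; do
        printf "nmcli connection modify '%s' +ipv4.routes '%s'\n" "$con" "$n"
    done
    # Keep the DNS servers the VPN pushes, but mark the internal domain as a
    # routing-only search domain (leading '~') so, with a split-DNS backend,
    # only *.company.com queries go to the VPN resolver and everything else
    # stays on the local network's resolver.
    printf "nmcli connection modify '%s' ipv4.ignore-auto-dns no\n" "$con"
    printf "nmcli connection modify '%s' ipv4.dns-search '~%s'\n" "$con" "$domain"
}

# Run the emitted commands, then bounce the connection so they take effect.
apply() {
    split_tunnel_cmds "$@" | sh -e
    nmcli connection down "$1" 2>/dev/null
    nmcli connection up "$1"
}

# Constructed sample of the route lines from the post's profile dump.
SAMPLE='IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50'

case "${1-}" in
    --apply) apply "$CON" "$NETS" "$DOMAIN" ;;
    --check) nmcli connection show "$CON" | is_full_tunnel \
                 && echo "$CON: full tunnel (default route via VPN)" \
                 || echo "$CON: split tunnel" ;;
    *)  if printf '%s\n' "$SAMPLE" | is_full_tunnel; then
            echo "# sample profile is a full tunnel; commands to convert it:"
        fi
        split_tunnel_cmds "$CON" "$NETS" "$DOMAIN" ;;
esac
```

After `--apply` and a reconnect, `nmcli -g IP4.ROUTE connection show "Client VPN (Full)"` should no longer list dst = 0.0.0.0/0, and with systemd-resolved `resolvectl status` should show company.com as the tun interface's routing domain. Two caveats: with the plain /etc/resolv.conf backend (dns=default) there is no per-domain routing, so internal names still resolve but every query goes to whichever server resolv.conf lists first; and pointing ipv4.dns at a LAN resolver with ignore-auto-dns, as in the post, means names that only the VPN's resolver knows cannot be resolved at all, which is consistent with the host-B symptom described.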