On Wed, 2021-02-03 at 12:25 +0100, Thomas Haller wrote:
> On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager-list wrote:
> > Hello NM folks,
> >
> > I'm running into a problem converting an OpenVPN "full" tunnel
> > configuration to a split tunnel configuration. I've received an .ovpn
> > file from a client which, by default, routes all my traffic through
> > their VPN. I want to configure my VPN connection such that only
> > traffic to/from resources within their network is routed through the
> > VPN, and all other traffic is routed through whatever network I'm
> > currently on.
> >
> > I'm running:
> > - openSUSE Tumbleweed with Gnome
> > - Network Manager 1.28.0
> > - NM OpenVPN Gnome plugin 1.8.12
> >
> > I can modify the connection profile to route traffic to publicly
> > accessible IP addresses through the VPN by manually setting the
> > ipv4.dns and ipv4.routes options using nmcli. I'm able to modify the
> > VPN connection profile as follows, which allows me to access publicly
> > resolvable resources.
> >
> > # nmcli connection modify <split> ignore-auto-dns=true
> > # nmcli connection modify <split> dns=<local dns>              <- Current LAN DNS
> > # nmcli connection modify <split> +ipv4.routes <host-ip-A/32>  <- public
> > # nmcli connection modify <split> +ipv4.routes <host-ip-B/32>  <- private
> >
> > By public/private here I mean I can access host-A with these options
> > because my LAN DNS can resolve the IP address, meanwhile host-B is
> > unresolvable and I can't figure out why.
> >
> > Connected to the full tunnel shows the following nslookup output for
> > an "internal" host:
> >
> > $ nslookup <the host>
> > Server:         8.8.8.8
> > Address:        8.8.8.8#53
> >
> > Non-authoritative answer:
> > Name:    <the host>
> > Address: 10.243.a.b
> > Name:    <the host>
> > Address: 10.243.c.d
> > Name:    <the host>
> > Address: 10.243.e.f
> >
> > If I'm connected to the "full" tunnel, inspecting the connection
> > profile returns the following. I think the "IP4.ROUTE[1]" line means
> > that all traffic is being sent through their gateway.
> >
> > $ nmcli connection show "Client VPN (Full)"
> > GENERAL.NAME:                           Client VPN (Full)
> > GENERAL.UUID:                           6a647d45-1740-4a49-81d1-6d49f5631a40
> > GENERAL.DEVICES:                        wlp0s20f3
> > GENERAL.IP-IFACE:                       wlp0s20f3
> > GENERAL.STATE:                          activated
> > GENERAL.DEFAULT:                        yes
> > GENERAL.DEFAULT6:                       no
> > GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/2
> > GENERAL.VPN:                            yes
> > GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/49
> > GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/29
> > GENERAL.ZONE:                           --
> > GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/3
> > IP4.ADDRESS[1]:                         a.b.c.d/23
> > IP4.GATEWAY:                            a.b.c.1
> > IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
> > IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50
> > IP4.DNS[1]:                             a.b.c.d
> > IP4.DNS[2]:                             a.b.c.d
> > IP4.DOMAIN[1]:                          <company.com>
> > VPN.TYPE:                               openvpn
> > VPN.USERNAME:                           <my username>
> > VPN.GATEWAY:                            a.b.c.d:1194:udp, a.b.c.d:443:tcp
> > VPN.BANNER:                             --
> > VPN.VPN-STATE:                          5 - VPN connected
> > VPN.CFG[1]:                             ca = /home/chris/.cert/nm-openvpn/client-ca.pem
> > VPN.CFG[2]:                             cert = /home/chris/.cert/nm-openvpn/client-cert.pem
> > VPN.CFG[3]:                             cert-pass-flags = 0
> > VPN.CFG[4]:                             cipher = AES-256-CBC
> > VPN.CFG[5]:                             comp-lzo = no-by-default
> > VPN.CFG[6]:                             connect-timeout = 4
> > VPN.CFG[7]:                             connection-type = password-tls
> > VPN.CFG[8]:                             dev = tun
> > VPN.CFG[9]:                             dev-type = tun
> > VPN.CFG[10]:                            key = /home/chris/.cert/nm-openvpn/client-key.pem
> > VPN.CFG[11]:                            ns-cert-type = server
> > VPN.CFG[12]:                            password-flags = 1
> > VPN.CFG[13]:                            remote = a.b.c.d:1194:udp, a.b.c.d:443:tcp
> > VPN.CFG[14]:                            reneg-seconds = 604800
> > VPN.CFG[15]:                            ta = /home/chris/.cert/nm-openvpn/client-tls-auth.pem
> > VPN.CFG[16]:                            ta-dir = 1
> > VPN.CFG[17]:                            username = <my-username>
> >
> > Is there anything I can do to fix this configuration and route only
> > private/internal traffic through the VPN?
>
> Hi,
>
> I think routing and DNS are mostly independent things.
>
> Setting up routing so that only a certain subnet is reached via the VPN
> is usually simple. Possibly also configure ipv4.never-default=yes.
>
> Check the resulting routing table (after activating the VPN) with
> `ip route` to confirm that it's right.
>
> Check that you can reach the right hosts with `ping $IP_ADDRESS` and
> `traceroute -n $IP_ADDRESS`.
>
> About DNS. If you don't enable split DNS (either dns=dnsmasq or
> dns=systemd-resolved in `man NetworkManager.conf`), then all DNS
> servers are equal. In that case, you would probably want the DNS
> server via the VPN to always be consulted, because the public DNS
> server cannot resolve internal names. You'd do that by setting
> ipv4.dns-priority to a negative value.
>
> If you have split DNS, the search domains act like "routes" for
> lookups. In that case, you can have the company.com search domain via
> the VPN and the default otherwise. Again, ipv4.dns-priority may also be
> relevant in that setup...
>
> best,
> Thomas

Hi Thomas,

I think in this case I would only like to route DNS queries through the
VPN that aren't resolvable by my LAN, except for a few based on the dns
search domain as you mention. I'm guessing that means I want split DNS
along with a split VPN tunnel.

I've installed and enabled systemd-resolved as the dns for NM, but it's
not splitting the requests as I had intended.
Full VPN tunnel:

$ resolvectl status
Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
      DNS Domain: company.com

Link 2 (enp0s31f6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 3 (wlp0s20f3)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 4 (virbr0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 10 (tun0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 8.8.4.4
       DNS Servers: 8.8.8.8 8.8.4.4
        DNS Domain: company.com

The split (?) VPN doesn't appear to use the VPN at all anymore, and is
just routing through my local network. Even the `dns-search` setting to
the domains I need appears to be ignored. This host is publicly
available, but being routed through my local network. None of the
private hosts are resolvable.

$ traceroute <host-A.company.com>
traceroute to <host-A.company.com> (<host-A-IP>), 30 hops max, 60 byte packets
 1  mijnmodem.kpn (192.168.2.254)  1.229 ms  2.590 ms  2.555 ms
 2  195-190-228-115.fixed.kpn.net (195.190.228.115)  589.236 ms  589.207 ms  589.179 m

$ resolvectl status
Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
resolv.conf mode: foreign
Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
      DNS Domain: company.com

Link 2 (enp0s31f6)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 3 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
Current DNS Server: 192.168.2.201
       DNS Servers: 192.168.2.201

Link 4 (virbr0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 11 (tun0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Differences in the nm connection profiles:

# diff -u /etc/NetworkManager/system-connections/company.nmconnection /etc/NetworkManager/system-connections/split.nmconnection
--- "/etc/NetworkManager/system-connections/company.nmconnection"	2021-02-03 09:08:47.568470862 +0100
+++ /etc/NetworkManager/system-connections/split.nmconnection	2021-02-03 17:26:59.901658365 +0100
@@ -1,9 +1,9 @@
 [connection]
-id=company
-uuid=6a647d45-1740-4a49-81d1-6d49f5631a40
+id=split
+uuid=66a562fb-1fee-496c-9ab8-7e5b910435fb
 type=vpn
 permissions=
-timestamp=1612339695
+timestamp=1612369074
 
 [vpn]
 ca=/home/chris/.cert/nm-openvpn/split-ca.pem
@@ -26,13 +26,17 @@ service-type=org.freedesktop.NetworkManager.openvpn
 
 [ipv4]
-dns-search=
+dns-search=companyA.com;companyB.com;
+ignore-auto-dns=true
 method=auto
+never-default=true
 
 [ipv6]
 addr-gen-mode=stable-privacy
 dns-search=
+ignore-auto-dns=true
 ip6-privacy=0
 method=auto
+never-default=true
 
 [proxy]

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
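Review bot: the [ipv4] part of the second hunk sets `+ignore-auto-dns=true` and `+dns-search=companyA.com;companyB.com;` but adds no `dns=` entry, so the profile throws away the resolvers the VPN pushes without naming a replacement; that is exactly what the split `resolvectl status` shows (tun0 has no DNS scope and no DNS Servers), and search domains with no resolver behind them have nothing to be routed to. Add the VPN-side resolver explicitly (`dns=<vpn-dns-ip>;` under [ipv4]) and, as Thomas suggested, a negative `dns-priority=` so lookups under those domains prefer it, and check that the dns-search entries match the domain the full profile actually receives (IP4.DOMAIN[1] and `DNS Domain: company.com`). Separately, the [ipv4] section is shown in full and contains `never-default=true` but no `route*=` entries, so nothing beyond the tunnel's own subnet is routed through the VPN, which matches the traceroute leaving via the LAN; the routes added with `nmcli +ipv4.routes` earlier in the thread are not in this file. The [ipv6] section has the same ignore-auto-dns without dns= and needs the same treatment if the server pushes IPv6 resolvers.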
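The two `resolvectl status` captures in the thread differ in exactly one thing that matters for split DNS: which link holds the DNS default route and whether the VPN link has any resolvers at all. The following is an added example, not code from the thread or from NetworkManager, that reads `resolvectl status` text and classifies the VPN interface (assumed to be tun0); the sample outputs are constructed after the captures above, and the 10.243.0.53 resolver in the target case is made up.

```shell
#!/bin/sh
# Added example, not from the thread: classify the VPN link's DNS role from
# `resolvectl status` output. Reads the status text on stdin, $1 = VPN iface.
vpn_dns_verdict() {
  awk -v vpn="$1" '
    /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
    /^Global/         { link = ""; next }            # Global section is not a link
    link == vpn       { seen = 1 }
    link == vpn && /Protocols:/   { defroute = ($0 ~ /\+DefaultRoute/) }
    link == vpn && /DNS Servers:/ { sub(/.*DNS Servers: */, ""); servers = $0 }
    link == vpn && /DNS Domain:/  { sub(/.*DNS Domain: */, "");  domain = $0 }
    END {
      if (!seen)              print "vpn-link-absent"        # VPN not active
      else if (servers == "") print "no-vpn-dns"             # nothing for dns-search to route to
      else if (defroute)      print "full-tunnel-dns"        # every lookup goes via the VPN
      else if (domain != "")  print "split-dns"              # only its domain goes via the VPN
      else                    print "servers-without-domain" # ordering by priority only
    }'
}

# Constructed after the full-tunnel capture: tun0 holds +DefaultRoute.
FULL_STATUS='Global
Fallback DNS Servers: 1.1.1.1 8.8.8.8
Link 3 (wlp0s20f3)
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Link 10 (tun0)
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       DNS Servers: 8.8.8.8 8.8.4.4
        DNS Domain: company.com'
# Constructed after the split capture: ignore-auto-dns=true with no dns= leaves
# tun0 without any resolver, so the LAN resolver answers (or fails) everything.
SPLIT_STATUS='Link 3 (wlp0s20f3)
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
       DNS Servers: 192.168.2.201
Link 11 (tun0)
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported'
# Constructed target state (resolver 10.243.0.53 is made up): the LAN keeps the
# default route, tun0 answers only for company.com.
WANTED_STATUS='Link 3 (wlp0s20f3)
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
       DNS Servers: 192.168.2.201
Link 11 (tun0)
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       DNS Servers: 10.243.0.53
        DNS Domain: company.com'

for s in "$FULL_STATUS" "$SPLIT_STATUS" "$WANTED_STATUS"; do
  printf '%s\n' "$s" | vpn_dns_verdict tun0   # full-tunnel-dns / no-vpn-dns / split-dns
done
```

On a live system run `resolvectl status | vpn_dns_verdict tun0` after activating the profile; `no-vpn-dns` is the state the split profile in the diff produces, and `split-dns` is what the profile should yield once a `dns=` resolver is added beside the search domains.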