On Wed, 2021-02-03 at 12:25 +0100, Thomas Haller wrote:
> On Wed, 2021-02-03 at 12:08 +0100, Chris Coutinho via networkmanager-list wrote:
> > Hello NM folks,
> > 
> > I'm running into a problem converting an OpenVPN "full" tunnel
> > configuration to a split tunnel configuration. I've received an .ovpn
> > file from a client which, by default, routes all my traffic through
> > their VPN. I want to configure my VPN connection such that only traffic
> > to/from resources within their network is routed through the VPN, and
> > all other traffic is routed through whatever network I'm currently on.
> > 
> > I'm running:
> > - openSUSE Tumbleweed with Gnome
> > - Network Manager 1.28.0
> > - NM OpenVPN Gnome plugin 1.8.12
> > 
> > I can modify the connection profile to route traffic to publicly
> > accessible IP addresses through the VPN by manually setting the
> > ipv4.dns and ipv4.routes options using nmcli. I'm able to modify the
> > VPN connection profile as follows, which allows me to access publicly
> > resolvable resources.
> > 
> > # nmcli connection modify <split> ignore-auto-dns=true
> > # nmcli connection modify <split> dns=<local dns>              <- Current LAN DNS
> > # nmcli connection modify <split> +ipv4.routes <host-ip-A/32>  <- public
> > # nmcli connection modify <split> +ipv4.routes <host-ip-B/32>  <- private
> > 
> > By public/private here I mean I can access host-A with these options
> > because my LAN DNS can resolve the IP address, meanwhile host-B is
> > unresolvable and I can't figure out why.
> > 
> > Connected to the full tunnel shows the following nslookup output for an
> > "internal" host:
> > 
> > $ nslookup <the host>
> > Server:         8.8.8.8
> > Address:        8.8.8.8#53
> > 
> > Non-authoritative answer:
> > Name:   <the host>
> > Address: 10.243.a.b
> > Name:   <the host>
> > Address: 10.243.c.d
> > Name:   <the host>
> > Address: 10.243.e.f
> > 
> > If I'm connected to the "full" tunnel, inspecting the connection
> > profile returns the following. I think the "IP4.ROUTE[1]" line means
> > that all traffic is being sent through their gateway.
> > 
> > 
> > $ nmcli connection show "Client VPN (Full)"
> > GENERAL.NAME:                           Client VPN (Full)
> > GENERAL.UUID:                           6a647d45-1740-4a49-81d1-6d49f5631a40
> > GENERAL.DEVICES:                        wlp0s20f3
> > GENERAL.IP-IFACE:                       wlp0s20f3
> > GENERAL.STATE:                          activated
> > GENERAL.DEFAULT:                        yes
> > GENERAL.DEFAULT6:                       no
> > GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/2
> > GENERAL.VPN:                            yes
> > GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/49
> > GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/29
> > GENERAL.ZONE:                           --
> > GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/3
> > IP4.ADDRESS[1]:                         a.b.c.d/23
> > IP4.GATEWAY:                            a.b.c.1
> > IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = a.b.c.1, mt = 50
> > IP4.ROUTE[2]:                           dst = a.b.c.d/23, nh = 0.0.0.0, mt = 50
> > IP4.DNS[1]:                             a.b.c.d
> > IP4.DNS[2]:                             a.b.c.d
> > IP4.DOMAIN[1]:                          <company.com>
> > VPN.TYPE:                               openvpn
> > VPN.USERNAME:                           <my username>
> > VPN.GATEWAY:                            a.b.c.d:1194:udp, a.b.c.d:443:tcp
> > VPN.BANNER:                             --
> > VPN.VPN-STATE:                          5 - VPN connected
> > VPN.CFG[1]:                             ca = /home/chris/.cert/nm-openvpn/client-ca.pem
> > VPN.CFG[2]:                             cert = /home/chris/.cert/nm-openvpn/client-cert.pem
> > VPN.CFG[3]:                             cert-pass-flags = 0
> > VPN.CFG[4]:                             cipher = AES-256-CBC
> > VPN.CFG[5]:                             comp-lzo = no-by-default
> > VPN.CFG[6]:                             connect-timeout = 4
> > VPN.CFG[7]:                             connection-type = password-tls
> > VPN.CFG[8]:                             dev = tun
> > VPN.CFG[9]:                             dev-type = tun
> > VPN.CFG[10]:                            key = /home/chris/.cert/nm-openvpn/client-key.pem
> > VPN.CFG[11]:                            ns-cert-type = server
> > VPN.CFG[12]:                            password-flags = 1
> > VPN.CFG[13]:                            remote = a.b.c.d:1194:udp, a.b.c.d:443:tcp
> > VPN.CFG[14]:                            reneg-seconds = 604800
> > VPN.CFG[15]:                            ta = /home/chris/.cert/nm-openvpn/client-tls-auth.pem
> > VPN.CFG[16]:                            ta-dir = 1
> > VPN.CFG[17]:                            username = <my-username>
> > 
> > 
> > Is there anything I can do to fix this configuration and route only
> > private/internal traffic through the VPN?
> 
> 
> Hi,
> 
> I think routing and DNS are mostly independent things.
> 
> 
> Setting up routing so that only a certain subnet is reached via the VPN
> is usually simple. Possibly also configure ipv4.never-default=yes.
> 
> Check the resulting routing table (after activating the VPN) with
> `ip route` to confirm that it's right.
> 
> Check that you can reach the right hosts with `ping $IP_ADDRESS` and
> `traceroute -n $IP_ADDRESS`.
> 
> 
> About DNS. If you don't enable split DNS (either dns=dnsmasq or
> dns=systemd-resolved in `man NetworkManager.conf`), then all DNS
> servers are equal. In that case, you probably would want that the DNS
> server via the VPN is always consulted, because the public DNS server
> cannot resolve internal names. You'd do that by setting
> ipv4.dns-priority to a negative value.
> 
> If you have split DNS, the search domains act like "routes" for
> lookups. In that case, you can have company.com search domain via the
> VPN and the default otherwise. Again, ipv4.dns-priority may also be
> relevant in that setup...
> 
> 
> 
> 
> best,
> Thomas

Hi Thomas,

I think in this case I would only like to route DNS queries through the VPN
that aren't resolvable by my LAN, except for a few based on the dns search
domain as you mention. I'm guessing that means I want split DNS along with a
split VPN tunnel. I've installed and enabled systemd-resolved as the dns for
NM, but it's not splitting the requests as I had intended.

Full VPN tunnel:

   $ resolvectl status
   Global
              Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       resolv.conf mode: foreign
   Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
             DNS Domain: company.com

   Link 2 (enp0s31f6)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

   Link 3 (wlp0s20f3)
   Current Scopes: LLMNR/IPv4 LLMNR/IPv6
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

   Link 4 (virbr0)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

   Link 10 (tun0)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
            Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   Current DNS Server: 8.8.4.4
          DNS Servers: 8.8.8.8 8.8.4.4
           DNS Domain: company.com

Split (?) VPN doesn't appear to use the VPN at all anymore, and is just
routing through my local network. Even the `dns-search` setting to the
domains I need appears to be ignored.

This host is publicly available, but being routed through my local network.
None of the private hosts are resolvable.

   $ traceroute <host-A.company.com>
   traceroute to <host-A.company.com> (<host-A-IP>), 30 hops max, 60 byte packets
    1  mijnmodem.kpn (192.168.2.254)  1.229 ms  2.590 ms  2.555 ms
    2  195-190-228-115.fixed.kpn.net (195.190.228.115)  589.236 ms  589.207 ms  589.179 ms

   $ resolvectl status
   Global
              Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
       resolv.conf mode: foreign
   Fallback DNS Servers: 1.1.1.1 8.8.8.8 (other ips ...)
             DNS Domain: company.com

   Link 2 (enp0s31f6)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

   Link 3 (wlp0s20f3)
       Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
            Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
   Current DNS Server: 192.168.2.201
          DNS Servers: 192.168.2.201

   Link 4 (virbr0)
   Current Scopes: none
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

   Link 11 (tun0)
   Current Scopes: LLMNR/IPv4 LLMNR/IPv6
        Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Differences in the nm connection profiles

   # diff -u /etc/NetworkManager/system-connections/company.nmconnection /etc/NetworkManager/system-connections/split.nmconnection
   --- "/etc/NetworkManager/system-connections/company.nmconnection"    2021-02-03 09:08:47.568470862 +0100
   +++ /etc/NetworkManager/system-connections/split.nmconnection        2021-02-03 17:26:59.901658365 +0100
   @@ -1,9 +1,9 @@
    [connection]
   -id=company
   -uuid=6a647d45-1740-4a49-81d1-6d49f5631a40
   +id=split
   +uuid=66a562fb-1fee-496c-9ab8-7e5b910435fb
    type=vpn
    permissions=
   -timestamp=1612339695
   +timestamp=1612369074
    
    [vpn]
    ca=/home/chris/.cert/nm-openvpn/split-ca.pem
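Review bot: two things worth a look in the [connection] hunk, neither a blocker. `permissions=` is left empty on both sides, so the split profile, like the full one, is not restricted to a particular user. And the unchanged context line `ca=/home/chris/.cert/nm-openvpn/split-ca.pem` shows both files now point at split-ca.pem, whereas the earlier `nmcli connection show "Client VPN (Full)"` output listed `ca = /home/chris/.cert/nm-openvpn/client-ca.pem`; confirm that this is the CA the client actually issued, since a wrong CA would make the `ns-cert-type = server` check pass for the wrong peer. The id/uuid/timestamp changes themselves are just what a copied profile looks like.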
   @@ -26,13 +26,17 @@
    service-type=org.freedesktop.NetworkManager.openvpn
    
    [ipv4]
   -dns-search=
   +dns-search=companyA.com;companyB.com;
   +ignore-auto-dns=true
    method=auto
   +never-default=true
    
    [ipv6]
    addr-gen-mode=stable-privacy
    dns-search=
   +ignore-auto-dns=true
    ip6-privacy=0
    method=auto
   +never-default=true
    
    [proxy]
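Review bot: `ignore-auto-dns=true` is added under [ipv4] but no `dns=` line is added beside it, so the split profile hands systemd-resolved no nameserver for the VPN link at all, and a link without a DNS scope is never consulted; `dns-search=companyA.com;companyB.com;` therefore has nothing to route lookups to. That is exactly what the split `resolvectl status` above shows for `Link 11 (tun0)`: LLMNR scopes only, no DNS Servers, no DNS Domain. Either drop `ignore-auto-dns=true` for IPv4 so the resolvers the server pushes are used (in the full-tunnel status they were 8.8.8.8 and 8.8.4.4, and the nslookup against 8.8.8.8 did return the 10.243.x.x addresses), or add an explicit `dns=` entry, and consider writing the domains as `~companyA.com;~companyB.com;` if they are meant only to steer lookups rather than also to complete unqualified names. On the routing side `never-default=true` is the right change, but the [ipv4] section carries no `route1=` style entries, so no destination is directed at tun0 unless the server pushes one, which matches the traceroute above leaving through the LAN; the internal ranges (the 10.243.x.x addresses) need to be added as ipv4.routes. The same two keys added under [ipv6] with `method=auto` are consistent with that. ipv4.dns-priority is set in neither profile; it only becomes relevant if split DNS is not actually in effect, as the earlier reply notes.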
   
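The thread's diagnosis turns on systemd-resolved's per-link rule that the earlier reply summarises as "search domains act like routes": a lookup goes to the link whose search or routing domain is the longest suffix match for the name, otherwise to links flagged +DefaultRoute, and a link that has no DNS scope (no servers) is never a candidate. The following is an added example, not code from the thread, from NetworkManager or from systemd: a small Python checker that parses `resolvectl status` output, applies that rule, and runs the checks a split-tunnel VPN link has to pass. FULL_STATUS and SPLIT_STATUS are constructed condensations of the two listings above; WANTED_STATUS is a constructed target state in which the VPN resolver address 10.243.0.53 and the `~`-prefixed routing-only domains are assumptions, not values from the thread.

```python
"""Decide from `resolvectl status` which link systemd-resolved would query for a name.
Added example for this thread (not NetworkManager/systemd code). Rule modelled: longest
matching search/routing domain wins ("~." matches all), else links marked +DefaultRoute;
a link without a DNS scope (no servers) is never consulted."""
import re
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    scopes: list = field(default_factory=list)   # e.g. ["DNS", "LLMNR/IPv4"]
    default_route: bool = False                  # "+DefaultRoute" in Protocols
    servers: list = field(default_factory=list)  # "DNS Servers:" line
    domains: list = field(default_factory=list)  # "DNS Domain:" line, "~x" = routing-only

def parse_resolvectl(text):
    """Parse the per-link blocks of `resolvectl status`; the Global block is skipped."""
    links, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Link \d+ \((\S+)\)$", line)
        if m:
            cur = links[m.group(1)] = Link(m.group(1))
            continue
        if line == "Global":
            cur = None
        if cur is None or ":" not in line:
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Current Scopes":
            cur.scopes = [] if val == "none" else val.split()
        elif key == "Protocols":
            cur.default_route = "+DefaultRoute" in val.split()
        elif key == "DNS Servers":
            cur.servers = val.split()
        elif key == "DNS Domain":
            cur.domains = val.split()
    return links

def _norm(domain):
    return domain.lstrip("~").strip(".").lower()

def route_lookup(links, name):
    """Names of the links a query for `name` would be sent to."""
    name = name.strip(".").lower()
    best, best_len = [], -1
    for link in links.values():
        if "DNS" not in link.scopes:  # no DNS scope: never a candidate
            continue
        for dom in map(_norm, link.domains):
            if dom == "" or name == dom or name.endswith("." + dom):
                if len(dom) > best_len:
                    best, best_len = [link.name], len(dom)
                elif len(dom) == best_len:
                    best.append(link.name)
    return best or [l.name for l in links.values() if "DNS" in l.scopes and l.default_route]

def diagnose_split(links, vpn_link="tun0", internal_domains=("company.com",)):
    link = links.get(vpn_link)
    if link is None:
        return [f"{vpn_link}: link not present, VPN is not up"]
    problems = []
    if "DNS" not in link.scopes or not link.servers:
        problems.append(f"{vpn_link}: no DNS scope/servers, so it is never consulted")
    for dom in internal_domains:
        if _norm(dom) not in map(_norm, link.domains):
            problems.append(f"{vpn_link}: {dom} is not a search/routing domain here")
    if link.default_route:
        problems.append(f"{vpn_link}: +DefaultRoute, every non-matching lookup goes via the VPN")
    return problems

# Constructed samples, condensed from the two listings in the thread above.
FULL_STATUS = """\
Link 10 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   DNS Servers: 8.8.8.8 8.8.4.4
    DNS Domain: company.com
"""
SPLIT_STATUS = """\
Link 3 (wlp0s20f3)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
   DNS Servers: 192.168.2.201
Link 11 (tun0)
Current Scopes: LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
"""
# Constructed target state; the VPN resolver 10.243.0.53 and the "~" routing domains are assumptions.
WANTED_STATUS = """\
Link 3 (wlp0s20f3)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/unsupported
   DNS Servers: 192.168.2.201
Link 11 (tun0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   DNS Servers: 10.243.0.53
    DNS Domain: ~company.com ~companyA.com
"""
```

Feeding it the split state reproduces the complaint: `route_lookup(parse_resolvectl(SPLIT_STATUS), "host-b.company.com")` comes back as `["wlp0s20f3"]`, because tun0 has no DNS scope and so cannot be chosen no matter what dns-search says, and `diagnose_split` reports both the missing servers and the missing domain. With the full state every name, internal or not, goes to tun0's 8.8.8.8/8.8.4.4, which is Thomas's "all DNS servers are equal" case. The wanted state is what an explicit ipv4.dns (or ipv4.ignore-auto-dns left at no), ipv4.dns-search with `~`-prefixed routing domains and ipv4.never-default together produce; ipv4.routes for the internal ranges handles the packet side, and `resolvectl query <host>` plus `ip route get <ip>` after activation confirm both.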

_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
