On Tue, 2021-06-01 at 21:52 +0000, Samuel Le Thiec via networkmanager-list wrote:

> On Tue, 2021-06-01 at 13:27 +0000, Samuel Le Thiec via networkmanager-list wrote:
> > Note: sorry for the potential duplicate email, I sent it before & after
> > having registered to the list!
> > 
> > Hello all,
> > 
> > I have a working openvpn config (see below) which I can't get to fully work
> > with Network Manager: the private IPv6 network is not accessible when
> > connecting to the VPN with NM(*).
> > 
> > Here is what I get for tun0 when connecting with NM:
> > 
> > --------
> > $ ip a l tun0
> > 17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
> >        valid_lft forever preferred_lft forever
> > --------
> > 
> > When connecting with systemd or via the command line (sudo openvpn --config vpn.conf):
> > --------
> > $ ip a l tun0
> > 14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 scope global tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002/64 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
> >        valid_lft forever preferred_lft forever
> > --------
> > 
> > → Note the scope global inet6 differences above: peer vs subnet
> > 
> > (*) In order to avoid having all my traffic routed through the vpn, I did
> > check "Use this connection only for resources on its network" for IPv4 & IPv6.
> > 
> > Is there a way to make Network Manager behave like openvpn --config vpn.conf?
> > 
> Hello again:)
> 
> I don't know why this would be needed, but I noticed this can be worked
> around by pushing the route towards the server-ipv6 subnet from the openvpn
> server, with the directive:
> 
> push "route-ipv6 2001:bc8:3d1d:1337::/64"
> 
> 

For a moment I thought that Network Manager may be assuming a point-to-point
topology for the VPN instead of the "topology subnet" as specified in the
server.conf, so I did try to 'push "topology subnet"' to the clients, but it
didn't help: without the 'push "route-ipv6 .."' above, the client is still
missing the route to the subnet.


> I can totally live with that, but is it the expected behaviour? If so, why
> does it differ from starting openvpn manually from the cli or even as a
> systemd openvpn-client@.service?
> 
> Thanks in advance!
> 
> samuel
> 


> > Here is additional information:
> > 
> > --------
> > $ nmcli device show tun0 
> > GENERAL.DEVICE:                         tun0
> > GENERAL.TYPE:                           tun
> > GENERAL.HWADDR:                         (unknown)
> > GENERAL.MTU:                            1500
> > GENERAL.STATE:                          100 (connected (externally))
> > GENERAL.CONNECTION:                     tun0
> > GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/27
> > IP4.ADDRESS[1]:                         10.66.6.4/24
> > IP4.GATEWAY:                            --
> > IP4.ROUTE[1]:                           dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> > IP6.ADDRESS[1]:                         2001:bc8:3d1d:1337::1002/64
> > IP6.GATEWAY:                            --
> > IP6.ROUTE[1]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> > IP6.ROUTE[2]:                           dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> > IP6.ROUTE[3]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
> > --------
> > 
> > And the openvpn client config I imported from NM (minus the certs&keys):
> >    | client
> >    | dev tun
> >    | # try standard port first
> >    | remote hub.nsoc.fr
> >    | remote hub.nsoc.fr 53
> >    | ping 25
> >    | ping-restart 120
> >    | persist-key
> >    | persist-tun
> >    | tls-version-min 1.3
> >    | remote-cert-tls server
> >    | mute-replay-warnings
> >    |
> >    | askpass
> >    | verb 3
> >    |
> >    | <ca></ca>
> >    | <cert></cert>
> >    | <key></key>
> >    | <tls-crypt-v2></tls-crypt-v2>
> > 
> > 
> > Thank you in advance!
> > 
> > Samuel
> > 
> > _______________________________________________
> > networkmanager-list mailing list
> > networkmanager-list@gnome.org
> > https://mail.gnome.org/mailman/listinfo/networkmanager-list
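Added example, not part of the thread and not NetworkManager code: a small check that reads `nmcli device show` output and reports every configured address whose on-link prefix is not covered by any route on the device, which is the symptom described above. The sample input is constructed from the fields quoted in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the IP4/IP6 fields of `nmcli device show tun0` quoted in
# the thread, with the mail client's line wraps rejoined.
NMCLI_SAMPLE = """\
IP4.ADDRESS[1]:                         10.66.6.4/24
IP4.ROUTE[1]:                           dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]:                         2001:bc8:3d1d:1337::1002/64
IP6.ROUTE[1]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:                           dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:                           dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
"""

FIELD = re.compile(r"^IP[46]\.(ADDRESS|ROUTE)\[\d+\]:\s+(.*)$")


def parse_device(text):
    """Return (addresses, route destinations) parsed from nmcli device output."""
    addrs, routes = [], []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "ADDRESS":
            addrs.append(ipaddress.ip_interface(value))
        else:
            dst = re.search(r"dst = ([^,\s]+)", value)
            if dst:
                routes.append(ipaddress.ip_network(dst.group(1), strict=False))
    return addrs, routes


def missing_subnet_routes(text):
    """List on-link prefixes of configured addresses that no route covers."""
    addrs, routes = parse_device(text)
    nets = [a.network for a in addrs]
    # Any covering route counts, including a default route on this device.
    return [n for n in nets
            if not any(r.version == n.version and n.subnet_of(r) for r in routes)]


if __name__ == "__main__":
    for net in missing_subnet_routes(NMCLI_SAMPLE):
        print(f"no route covers {net}")
```

On the sample it reports only the IPv6 /64; the IPv4 /24 is covered by its own prefix route.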