Bonding using nmcli for OVS

2021-06-03 Thread Abu Rasheda via networkmanager-list
I have created an active-backup bond using nmcli under OVS.

nmcli conn add type ovs-bridge conn.interface Bridge0
nmcli conn add type ovs-port conn.interface Bond0 master Bridge0 ovs-port.bond-mode active-backup
nmcli conn add type ethernet conn.interface enp0s9 master Bond0
nmcli conn add type ethernet conn.interface enp0s10 master Bond0

0613ae9c-8647-416f-8044-409f5931f299
    Manager "unix:/var/run/vmware/nsx-agent/nsxagent_ovsdb.sock"
        is_connected: true
    Bridge Bridge0
        Port Bond0
            Interface enp0s10
                type: system
            Interface enp0s9
                type: system
    ovs_version: "2.14.1.rhel82.17993018"

[root@rhel82 system-connections]# ovs-appctl bond/show
 Bond0 
bond_mode: active-backup
bond may use recirculation: no, Recirc-ID : -1
bond-hash-basis: 0
lb_output action: disabled, bond-id: -1
updelay: 0 ms
downdelay: 0 ms
lacp_status: off
lacp_fallback_ab: false
active-backup primary: 
active slave mac: 08:00:27:d1:ec:a0(enp0s9)

slave enp0s10: enabled
  may_enable: true

slave enp0s9: enabled
  active slave
  may_enable: true

 - How can I change the active slave?
   Something like this does not work (saw this as for non-OVS bond)
   nmcli connection modify Bond0 ovs-port.bond-options primary=enp0s10

   I don't see "options"

   [root@rhel82 system-connections]# nmcli device modify Bond0 ovs-port.
   ovs-port.bond-downdelay  ovs-port.bond-updelay  ovs-port.tag
   ovs-port.bond-mode       ovs-port.lacp          ovs-port.vlan-mode


Also, I need to modify options, such as

  active
  passive
  timeout

How can I modify these values after the bond is already created?

Thanks

Abu Rasheda
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-03 Thread Beniamino Galvani via networkmanager-list
On Thu, Jun 03, 2021 at 07:17:31AM +, Samuel Le Thiec via networkmanager-list wrote:

Hi,

> For a moment I thought that Network Manager may be assuming a point-to-point topology for
> the VPN instead of the "topology subnet" as specified in the server.conf, so I did try to
> 'push "topology subnet"' to the clients, but it didn't help: without the 'push "route-ipv6
> .."' above, the client is still missing the route to the subnet.

Right, 'topology' has no effect for IPv6.

> > I can totally live with that, but is it the expected behaviour? If so, why does it
> > differ from starting openvpn manually from the cli or even as a systemd
> > openvpn-client@.service?

It's not expected. I think the NetworkManager OpenVPN plugin parses
the IPv6 configuration incorrectly. If the server pushes, for example:

  ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1

NetworkManager considers the first argument as the subnet and the
second as the peer, and so it does something equivalent to:

  ip addr add dev tun0 2001:db8:f00:bebe::1003/64 peer 2001:db8:f00:bebe::1

which appears in the "ip -6 addr" output as:

inet6 2001:db8:f00:bebe::1003 peer 2001:db8:f00:bebe::1/128 scope global
   valid_lft forever preferred_lft forever

Instead, according to 'man openvpn', NM should simply add address
"2001:db8:f00:bebe::1003/64" and use the second argument as a fallback
gateway for the routes specified by '--route-ipv6':

  --ifconfig-ipv6 ipv6addr/bits ipv6remote
         configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
         second parameter is used as route target for --route-ipv6 if no
         gateway is specified.

  --route-ipv6 ipv6addr/bits [gateway] [metric]
         setup IPv6 routing in the system to send the specified IPv6
         network into OpenVPN's ``tun''.  The gateway parameter is only
         used for IPv6 routes across ``tap'' devices, and if missing, the
         ``ipv6remote'' field from --ifconfig-ipv6 is used.

I have opened an issue for this [1] and I will prepare a patch for it.

[1] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/71

Beniamino
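
The two readings of the pushed `ifconfig-ipv6` option described in the reply above, as an added example that is not part of the original message and not the NetworkManager-openvpn plugin's code. It is a simplified route model: the function names, the sample host `2001:db8:f00:bebe::2000` and the `route-ipv6` line are assumptions, constructed from the documentation prefix used in the reply.

```python
import ipaddress as ip

# Constructed sample: the pushed option quoted in the reply.
PUSHED = ["ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1"]

def parse(options):
    """Parse pushed ifconfig-ipv6 / route-ipv6 option strings."""
    addr = remote = None
    routes = []
    for opt in options:
        kw, *args = opt.split()
        if kw == "ifconfig-ipv6":
            addr, remote = ip.ip_interface(args[0]), ip.ip_address(args[1])
        elif kw == "route-ipv6":
            gw = ip.ip_address(args[1]) if len(args) > 1 else None
            routes.append((ip.ip_network(args[0]), gw))
    return addr, remote, routes

def routes_peer_reading(options):
    """Second argument read as a point-to-point peer: only the peer /128 is
    on-link (gateway None), matching the /128 routes shown in the thread."""
    addr, remote, routes = parse(options)
    return [(ip.ip_network(f"{remote}/128"), None)] + routes

def routes_manpage_reading(options):
    """Per 'man openvpn': addr/bits puts the whole prefix on-link, and the
    second argument is only the fallback gateway for route-ipv6 entries."""
    addr, remote, routes = parse(options)
    table = [(addr.network, None)]
    return table + [(net, gw or remote) for net, gw in routes]

def reachable(dest, table):
    """True if any route in the table covers dest."""
    return any(ip.ip_address(dest) in net for net, _ in table)

if __name__ == "__main__":
    host = "2001:db8:f00:bebe::2000"  # hypothetical host inside the VPN /64
    print("peer reading:   ", reachable(host, routes_peer_reading(PUSHED)))
    print("man page reading:", reachable(host, routes_manpage_reading(PUSHED)))
    # Server-side workaround from the thread: push the subnet route explicitly.
    pushed2 = PUSHED + ["route-ipv6 2001:db8:f00:bebe::/64"]
    print("peer + pushed route:", reachable(host, routes_peer_reading(pushed2)))
```

With "Use this connection only for resources on its network" enabled, the on-link prefix is the only path to the VPN subnet, which is why the peer reading loses it unless the server pushes the route.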




Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-03 Thread Samuel Le Thiec via networkmanager-list
On Tue, 2021-06-01 at 21:52 +, Samuel Le Thiec via networkmanager-list wrote:

> 
> On Tue, 2021-06-01 at 13:27 +, Samuel Le Thiec via networkmanager-list wrote:
> > Note: sorry for the potential duplicate email, I sent it before & after having
> > registered to the list!
> > 
> > Hello all,
> > 
> > I have a working openvpn config (see below) which I can't get to fully work with Network
> > Manager: the private IPv6 network is not accessible when connecting to the VPN with
> > NM(*).
> > 
> > Here is what I get for tun0 when connecting with NM:
> > 
> > 
> > $ ip a l tun0
> > 17: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
> >        valid_lft forever preferred_lft forever
> > 
> > 
> > When connecting with systemd or via the command line (sudo openvpn --config vpn.conf) :
> > 
> > $ ip a l tun0
> > 14: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 scope global tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002/64 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
> >        valid_lft forever preferred_lft forever
> > 
> > 
> > → Note the scope global inet6 differences above: peer vs subnet
> > 
> > (*) In order to avoid having all my traffic routed through the vpn, I did check "Use this
> > connection only for resources on its network" for IPv4 & IPv6.
> > 
> > Is there a way to make Network Manager behave like openvpn --config vpn.conf?
> > 
> Hello again:)
> 
> I don't know why this would be needed, but I noticed this can be worked around by
> pushing the route towards the server-ipv6 subnet from the openvpn server, with the
> directive:
> 
> push "route-ipv6 2001:bc8:3d1d:1337::/64"
> 
> 

For a moment I thought that Network Manager may be assuming a point-to-point topology for
the VPN instead of the "topology subnet" as specified in the server.conf, so I did try to
'push "topology subnet"' to the clients, but it didn't help: without the 'push "route-ipv6
.."' above, the client is still missing the route to the subnet.


> I can totally live with that, but is it the expected behaviour? If so, why does it
> differ from starting openvpn manually from the cli or even as a systemd
> openvpn-client@.service?
> 
> Thanks in advance!
> 
> samuel
> 


> > Here is some additional information:
> > 
> > 
> > $ nmcli device show tun0
> > GENERAL.DEVICE:      tun0
> > GENERAL.TYPE:        tun
> > GENERAL.HWADDR:      (unknown)
> > GENERAL.MTU:         1500
> > GENERAL.STATE:       100 (connected (externally))
> > GENERAL.CONNECTION:  tun0
> > GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveConnection/27
> > IP4.ADDRESS[1]:      10.66.6.4/24
> > IP4.GATEWAY:         --
> > IP4.ROUTE[1]:        dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> > IP6.ADDRESS[1]:      2001:bc8:3d1d:1337::1002/64
> > IP6.GATEWAY:         --
> > IP6.ROUTE[1]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> > IP6.ROUTE[2]:        dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> > IP6.ROUTE[3]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
> > 
> > 
> > And the openvpn client config I imported from NM (minus the certs):
> >    | client
> >    | dev tun
> >    | # try standard port first
> >    | remote hub.nsoc.fr
> >    | remote hub.nsoc.fr 53
> >    | ping 25
> >    | ping-restart 120
> >    | persist-key
> >    | persist-tun
> >    | tls-version-min 1.3
> >    | remote-cert-tls server
> >    | mute-replay-warnings
> >    |
> >    | askpass
> >    | verb 3
> >    |
> >    | 
> >    | 
> >    | 
> >    | 
> > 
> > 
> > Thank you in advance!
> > 
> > Samuel
> > 