Re: NM ignores knobs regarding ipv6
On Tue, 2016-02-09 at 19:21 +0100, Olaf Hering wrote:
> On Fri, Feb 05, Dan Williams wrote:
>
> > Can you grab some NM log output? the NetworkManager openvpn plugin
> > does have support for IPv6, but we need to figure out if:
> >
> > 1) NM or NM-openvpn is somehow ignoring your request to have them
> > ignore IPv6 configuration
>
> In nm-connection-editor I had set IPv6 to "Ignore", which I interpreted
> as "whenever the peer offers ipv6, just ignore that offering". So this
> interpretation of "ignore" was wrong. Not sure which part of the system
> does actually apply the offered addresses and routes. Are you saying
> there might be some sort of autoconfiguration going on, like it could be
> done for wired connections?

It could be better documented, it really means "don't do anything IPv6
related in NetworkManager, but don't prevent anything else either". So
NM isn't touching IPv6, but the kernel also has IPv6 autoconfiguration
capability and that's what is likely running on the interface outside
of NetworkManager.

> Once I changed it to "Automatic (VPN)" the "Routes ..." knob appeared.

Now you've allowed NM to handle the IPv6 configuration on the
interface.

> Here the default for "Use the connection only for resources for this
> network" is disabled. Once I checked that box, the default route is not
> applied. I did the same already for ipv4 to avoid that all traffic goes
> through tun0.

Sounds right.

> For short: now that I have the checkbox for "Use the connection only for
> resources for this network" enabled my connection works as expected.
>
> If something can be done about the misleading "Ignore", that would be
> great.

Yeah, we should add a 'disabled' too.

Dan
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
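The profile settings this thread turns on (`ipv6.method`, `ipv4.never-default`, `ipv6.never-default`, and the live `IP6.*` entries) can be checked mechanically from `nmcli connection show` output. The following is an added example, not code from the thread or from NetworkManager; the sample profile, its documentation-range addresses and the finding codes are constructed for illustration.

```python
import re

# Constructed sample of `nmcli connection show <id>` output; the profile name
# and documentation-range addresses are made up, the keys are those in the thread.
SAMPLE = """\
connection.id:                          example-vpn
connection.type:                        vpn
ipv4.never-default:                     yes
ipv6.method:                            ignore
ipv6.never-default:                     no
IP4.ADDRESS[1]:                         192.0.2.87/32
IP6.ADDRESS[1]:                         2001:db8:8100::87/64
IP6.GATEWAY:
IP6.ROUTE[1]:                           dst = 2001:db8:8000::/50, nh = 2001:db8:8100::2, mt = 50
"""

def parse_nmcli(text):
    """Parse 'key: value' lines; indexed keys like IP6.ROUTE[1] collect into lists."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split once: values may contain ':'
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        indexed = re.fullmatch(r"(.+)\[\d+\]", key)
        if indexed:
            props.setdefault(indexed.group(1), []).append(value)
        else:
            props[key] = value
    return props

def audit_vpn_ipv6(props):
    """Return finding codes for a VPN profile (the codes are this example's own)."""
    if props.get("connection.type") != "vpn":
        return []
    findings = []
    live_v6 = props.get("IP6.ADDRESS", []) + props.get("IP6.ROUTE", [])
    if props.get("ipv6.method") == "ignore":
        # "Ignore" is not "disabled": NM stays out, the interface can still get IPv6.
        findings.append("IPV6_IGNORE_IS_NOT_DISABLED")
        if live_v6:
            findings.append("IPV6_ACTIVE_DESPITE_IGNORE")
    # Split tunnel requested for IPv4 but not for IPv6.
    if (props.get("ipv4.never-default") == "yes"
            and props.get("ipv6.never-default") == "no"):
        findings.append("IPV6_DEFAULT_ROUTE_NOT_RESTRICTED")
    return findings

if __name__ == "__main__":
    for code in audit_vpn_ipv6(parse_nmcli(SAMPLE)):
        print(code)
```
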
Re: NM ignores knobs regarding ipv6
On Fri, Feb 05, Dan Williams wrote:

> Can you grab some NM log output? the NetworkManager openvpn plugin
> does have support for IPv6, but we need to figure out if:
>
> 1) NM or NM-openvpn is somehow ignoring your request to have them
> ignore IPv6 configuration

In nm-connection-editor I had set IPv6 to "Ignore", which I interpreted
as "whenever the peer offers ipv6, just ignore that offering". So this
interpretation of "ignore" was wrong. Not sure which part of the system
does actually apply the offered addresses and routes. Are you saying
there might be some sort of autoconfiguration going on, like it could be
done for wired connections?

Once I changed it to "Automatic (VPN)" the "Routes ..." knob appeared.
Here the default for "Use the connection only for resources for this
network" is disabled. Once I checked that box, the default route is not
applied. I did the same already for ipv4 to avoid that all traffic goes
through tun0.

For short: now that I have the checkbox for "Use the connection only for
resources for this network" enabled my connection works as expected.

If something can be done about the misleading "Ignore", that would be
great.

Olaf
Re: NM ignores knobs regarding ipv6
On Fri, 2016-02-05 at 16:49 +0100, Olaf Hering wrote:
> On Fri, Feb 05, Thomas Haller wrote:
>
> > On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> > > The openvpn connection I have been using for months just gained
> > > support for ipv6. A few months ago I already set ipv6 to "Disabled"
> > > in the IPv6 tab of nm-connection-editor 1.0.8. But when the tunnel
> > > is established NM applies the settings received from the peer
> > > anyway.
> > There exists no ipv6 method "Disabled" until now. What exists is
> > "Ignore" which means, NM leaves it all to the kernel.
>
> What does it leave to the kernel? I think there is nothing the kernel
> can do on tun0, should there be some autonegotiation for link-local?
> It's unlikely, and tun0 gets just the provided ipv4+ipv6 address. And
> in addition also the ipv6 default route is set to tun0.
> Every knob in the ipv6 tab is ignored.

Can you grab some NM log output? the NetworkManager openvpn plugin
does have support for IPv6, but we need to figure out if:

1) NM or NM-openvpn is somehow ignoring your request to have them
ignore IPv6 configuration

OR

2) NM is honoring your ipv6.method=ignore, and leaving everything to
the kernel, which sends Router Solicitations over tun0 and gets a reply
back from an IPv6 router on the other side of the VPN.

The NM logs should make that pretty clear, and they'll look something
like this:

    VPN connection 'My VPN' (IP4 Config Get) reply received.
    VPN Gateway: 1.2.3.4
    Tunnel Device: asdadf
    IPv4 configuration:
    Internal Address: 2.3.4.5
    Internal Prefix: 32
    Internal Point-to-Point Address: 2.3.4.6
    Maximum Segment Size (MSS): 0
    Forbid Default Route: yes
    Internal DNS: 5.6.7.8
    Internal DNS: 5.6.7.9
    DNS Domain: 'myvpn.com'
    No IPv6 configuration

If in your logs you see "No IPv6 configuration", then it's the kernel
doing its IPv6 stuff on the interface. If you see "IPv6 configuration: "
then it's NM not honoring ipv6.method=ignore.

Dan

> > Can you show
> > nmcli connection show $CONNECTION_ID
>
> connection.id:                          $VPN
> connection.uuid:                        b210995e-b03d-4f35-882c-523fcf3fe264
> connection.interface-name:              --
> connection.type:                        vpn
> connection.autoconnect:                 no
> connection.autoconnect-priority:        0
> connection.timestamp:                   1454686875
> connection.read-only:                   no
> connection.permissions:                 user:olaf
> connection.zone:                        --
> connection.master:                      --
> connection.slave-type:                  --
> connection.autoconnect-slaves:          -1 (default)
> connection.secondaries:
> connection.gateway-ping-timeout:        0
> connection.metered:                     unknown
> ipv4.method:                            auto
> ipv4.dns:
> ipv4.dns-search:
> ipv4.addresses:
> ipv4.gateway:                           --
> ipv4.routes:
> ipv4.route-metric:                      -1
> ipv4.ignore-auto-routes:                no
> ipv4.ignore-auto-dns:                   no
> ipv4.dhcp-client-id:                    --
> ipv4.dhcp-send-hostname:                yes
> ipv4.dhcp-hostname:                     --
> ipv4.never-default:                     yes
> ipv4.may-fail:                          yes
> ipv6.method:                            ignore
> ipv6.dns:
> ipv6.dns-search:
> ipv6.addresses:
> ipv6.gateway:                           --
> ipv6.routes:
> ipv6.route-metric:                      -1
> ipv6.ignore-auto-routes:                no
> ipv6.ignore-auto-dns:                   no
> ipv6.never-default:                     no
> ipv6.may-fail:                          yes
> ipv6.ip6-privacy:                       0 (disabled)
> ipv6.dhcp-send-hostname:                yes
> ipv6.dhcp-hostname:                     --
> vpn.service-type:                       org.freedesktop.NetworkManager.openvpn
> vpn.user-name:                          --
> vpn.data:                               $cmdline
> vpn.secrets:
> vpn.persistent:                         no
> GENERAL.NAME:                           $VPN
> GENERAL.UUID:                           b210995e-b03d-4f35-882c-523fcf3fe264
> GENERAL.DEVICES:                        br0
> GENERAL.STATE:                          activated
> GENERAL.DEFAULT:                        no
> GENERAL.DEFAULT6:                       no
> GENERAL.VPN:                            yes
> GENERAL.ZONE:                           --
> GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/12
> GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/4
> GENERAL.SPEC-OBJ
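The log check described in the message above has a pitfall: the string "IPv6 configuration" also occurs inside "No IPv6 configuration", so a plain substring search matches both cases. The following added example (not code from the thread or from NetworkManager) classifies each VPN activation in a log; the syslog prefix, connection names and addresses in the sample are constructed, and the verdict strings are this example's own.

```python
import re

# Constructed log excerpt modelled on the sample in the message above.
LOG = """\
Feb 05 16:40:01 host NetworkManager[812]: <info>  VPN connection 'vpn-a' (IP4 Config Get) reply received.
Feb 05 16:40:01 host NetworkManager[812]: <info>  IPv4 configuration:
Feb 05 16:40:01 host NetworkManager[812]: <info>  Internal Address: 192.0.2.5
Feb 05 16:40:01 host NetworkManager[812]: <info>  No IPv6 configuration
Feb 05 16:52:10 host NetworkManager[812]: <info>  VPN connection 'vpn-b' (IP4 Config Get) reply received.
Feb 05 16:52:10 host NetworkManager[812]: <info>  IPv4 configuration:
Feb 05 16:52:10 host NetworkManager[812]: <info>  Internal Address: 192.0.2.9
Feb 05 16:52:10 host NetworkManager[812]: <info>  IPv6 configuration:
Feb 05 16:52:10 host NetworkManager[812]: <info>  Internal Address: 2001:db8::9
"""

HEADER = re.compile(r"VPN connection '([^']+)' \(IP[46] Config Get\) reply received")

def ipv6_pushed_by_vpn(log_text):
    """Map connection name -> True / False / None (None: neither marker seen)."""
    result, current = {}, None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            current = header.group(1)
            result.setdefault(current, None)
        elif current is None:
            continue
        elif "No IPv6 configuration" in line:   # must be tested before the next branch
            result[current] = False
        elif "IPv6 configuration:" in line:
            result[current] = True
    return result

def diagnose(ipv6_method, pushed):
    """Apply the two cases from the message to a profile with ipv6.method=ignore."""
    if ipv6_method != "ignore" or pushed is None:
        return "inconclusive"
    if pushed:
        return "NM received IPv6 config: ignore not honored"
    return "no IPv6 config from VPN: kernel autoconfiguration"

if __name__ == "__main__":
    for name, pushed in ipv6_pushed_by_vpn(LOG).items():
        print(name, "->", diagnose("ignore", pushed))
```
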
Re: NM ignores knobs regarding ipv6
On Fri, Feb 05, Thomas Haller wrote:

> On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> > The openvpn connection I have been using for months just gained
> > support for ipv6. A few months ago I already set ipv6 to "Disabled"
> > in the IPv6 tab of nm-connection-editor 1.0.8. But when the tunnel
> > is established NM applies the settings received from the peer
> > anyway.
> There exists no ipv6 method "Disabled" until now. What exists is
> "Ignore" which means, NM leaves it all to the kernel.

What does it leave to the kernel? I think there is nothing the kernel
can do on tun0, should there be some autonegotiation for link-local?
It's unlikely, and tun0 gets just the provided ipv4+ipv6 address. And
in addition also the ipv6 default route is set to tun0.
Every knob in the ipv6 tab is ignored.

> Can you show
> nmcli connection show $CONNECTION_ID

    connection.id:                          $VPN
    connection.uuid:                        b210995e-b03d-4f35-882c-523fcf3fe264
    connection.interface-name:              --
    connection.type:                        vpn
    connection.autoconnect:                 no
    connection.autoconnect-priority:        0
    connection.timestamp:                   1454686875
    connection.read-only:                   no
    connection.permissions:                 user:olaf
    connection.zone:                        --
    connection.master:                      --
    connection.slave-type:                  --
    connection.autoconnect-slaves:          -1 (default)
    connection.secondaries:
    connection.gateway-ping-timeout:        0
    connection.metered:                     unknown
    ipv4.method:                            auto
    ipv4.dns:
    ipv4.dns-search:
    ipv4.addresses:
    ipv4.gateway:                           --
    ipv4.routes:
    ipv4.route-metric:                      -1
    ipv4.ignore-auto-routes:                no
    ipv4.ignore-auto-dns:                   no
    ipv4.dhcp-client-id:                    --
    ipv4.dhcp-send-hostname:                yes
    ipv4.dhcp-hostname:                     --
    ipv4.never-default:                     yes
    ipv4.may-fail:                          yes
    ipv6.method:                            ignore
    ipv6.dns:
    ipv6.dns-search:
    ipv6.addresses:
    ipv6.gateway:                           --
    ipv6.routes:
    ipv6.route-metric:                      -1
    ipv6.ignore-auto-routes:                no
    ipv6.ignore-auto-dns:                   no
    ipv6.never-default:                     no
    ipv6.may-fail:                          yes
    ipv6.ip6-privacy:                       0 (disabled)
    ipv6.dhcp-send-hostname:                yes
    ipv6.dhcp-hostname:                     --
    vpn.service-type:                       org.freedesktop.NetworkManager.openvpn
    vpn.user-name:                          --
    vpn.data:                               $cmdline
    vpn.secrets:
    vpn.persistent:                         no
    GENERAL.NAME:                           $VPN
    GENERAL.UUID:                           b210995e-b03d-4f35-882c-523fcf3fe264
    GENERAL.DEVICES:                        br0
    GENERAL.STATE:                          activated
    GENERAL.DEFAULT:                        no
    GENERAL.DEFAULT6:                       no
    GENERAL.VPN:                            yes
    GENERAL.ZONE:                           --
    GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/12
    GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/4
    GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/0
    GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/1
    IP4.ADDRESS[1]:                         10.163.0.87/32
    IP4.GATEWAY:                            10.163.0.1
    IP4.ROUTE[1]:                           dst = 10.163.0.0/21, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[2]:                           dst = 10.0.0.0/8, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[3]:                           dst = 149.44.0.0/16, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[4]:                           dst = 147.2.0.0/16, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[5]:                           dst = 164.99.0.0/16, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[6]:                           dst = 137.65.0.0/16, nh = 10.163.0.1, mt = 50
    IP4.ROUTE[7]:                           dst = 151.155.128.0/17, nh = 10.163.0.1, mt = 50
    IP4.DNS[1]:                             10.160.0.1
    IP4.DNS[2]:                             10.160.2.88
    IP4.DOMAIN[1]:                          $domain
    IP6.ADDRESS[1]:                         2620:113:80c0:8100:10:163:0:87/64
    IP6.GATEWAY:
    IP6.ROUTE[1]:                           dst = 2620:113:80c0:8000::/50, nh = 2620:113:80c0:8100:10:163:0:2, mt = 50
    VPN.TYPE:                               openvpn
    VPN.USERNAME:
Re: NM ignores knobs regarding ipv6
On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> The openvpn connection I have been using for months just gained support
> for ipv6. A few months ago I already set ipv6 to "Disabled" in the IPv6
> tab of nm-connection-editor 1.0.8. But when the tunnel is established NM
> applies the settings received from the peer anyway.

There exists no ipv6 method "Disabled" until now. What exists is
"Ignore" which means, NM leaves it all to the kernel.

> I also tried to apply just the addresses, ignore the received routes.
> Whatever happens, all ipv6 traffic goes through the tunnel as a result.
>
> Why does NM ignore the knobs? It calls openvpn like that:
>
> /usr/sbin/openvpn
> --remote $host 443 tcp
> --comp-lzo
> --nobind
> --dev tun
> --dev-type tun
> --cipher AES-256-CBC
> --auth SHA512
> --auth-nocache
> --tls-auth $key 1
> --reneg-sec 0
> --syslog nm-openvpn
> --script-security 2
> --up /usr/lib/nm-openvpn-service-openvpn-helper
> --tun
> --
> --up-restart
> --persist-key
> --persist-tun
> --management /var/run/NetworkManager/nm-openvpn-05c972e7-1f61-4bca-a5a0-c6b0ed7b44a6 unix
> --management-client-user root
> --management-client-group root
> --management-query-passwords
> --auth-retry interact
> --route-noexec
> --ifconfig-noexec
> --client
> --ca $crt
> --cert $crt
> --key $key
> --auth-user-pass
> --user nm-openvpn
> --group nm-openvpn
>
> Does openvpn do all the address assignment by itself?

The vpn service reports the addresses/routes back to NetworkManager,
and NetworkManager does configuration according to the connection's
configuration + the stuff reported from the VPN service.

Can you show

    nmcli connection show $CONNECTION_ID
    ip addr
    ip route

Thanks,
Thomas
NM ignores knobs regarding ipv6
The openvpn connection I have been using for months just gained support
for ipv6. A few months ago I already set ipv6 to "Disabled" in the IPv6
tab of nm-connection-editor 1.0.8. But when the tunnel is established NM
applies the settings received from the peer anyway.

I also tried to apply just the addresses, ignore the received routes.
Whatever happens, all ipv6 traffic goes through the tunnel as a result.

Why does NM ignore the knobs? It calls openvpn like that:

    /usr/sbin/openvpn
    --remote $host 443 tcp
    --comp-lzo
    --nobind
    --dev tun
    --dev-type tun
    --cipher AES-256-CBC
    --auth SHA512
    --auth-nocache
    --tls-auth $key 1
    --reneg-sec 0
    --syslog nm-openvpn
    --script-security 2
    --up /usr/lib/nm-openvpn-service-openvpn-helper
    --tun
    --
    --up-restart
    --persist-key
    --persist-tun
    --management /var/run/NetworkManager/nm-openvpn-05c972e7-1f61-4bca-a5a0-c6b0ed7b44a6 unix
    --management-client-user root
    --management-client-group root
    --management-query-passwords
    --auth-retry interact
    --route-noexec
    --ifconfig-noexec
    --client
    --ca $crt
    --cert $crt
    --key $key
    --auth-user-pass
    --user nm-openvpn
    --group nm-openvpn

Does openvpn do all the address assignment by itself?

Olaf