Re: NM ignores knobs regarding ipv6

2016-02-10 Thread Dan Williams
On Tue, 2016-02-09 at 19:21 +0100, Olaf Hering wrote:
> On Fri, Feb 05, Dan Williams wrote:
> 
> > Can you grab some NM log output?  the NetworkManager openvpn plugin
> > does have support for IPv6, but we need to figure out if:
> > 
> > 1) NM or NM-openvpn is somehow ignoring your request to have them
> > ignore IPv6 configuration
> 
> In nm-connection-editor I had set IPv6 to "Ignore", which I interpreted
> as "whenever the peer offers ipv6, just ignore that offering". So this
> interpretation of "ignore" was wrong. Not sure which part of the system
> does actually apply the offered addresses and routes. Are you saying
> there might be some sort of autoconfiguration going on, like it could be
> done for wired connections?

It could be better documented, it really means "don't do anything IPv6
related in NetworkManager, but don't prevent anything else either".  So
NM isn't touching IPv6, but the kernel also has IPv6 autoconfiguration
capability and that's what is likely running on the interface outside
of NetworkManager.

> Once I changed it to "Automatic (VPN)" the "Routes ..." knob appeared.

Now you've allowed NM to handle the IPv6 configuration on the
interface.

> Here the default is for "Use the connection only for resources for this
> network" is disabled. Once I checked that box, the default route is not
> applied. I did the same already for ipv4 to avoid that all traffic goes
> through tun0.

Sounds right.

> For short: now that I have the checkbox for "Use the connection only for
> resources for this network" enabled my connection works as expected.
> 
> If something can be done about the misleading "Ignore", that would be
> great.

Yeah, we should add a 'disabled' too.

Dan

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: NM ignores knobs regarding ipv6

2016-02-09 Thread Olaf Hering
On Fri, Feb 05, Dan Williams wrote:

> Can you grab some NM log output?  the NetworkManager openvpn plugin
> does have support for IPv6, but we need to figure out if:
> 
> 1) NM or NM-openvpn is somehow ignoring your request to have them
> ignore IPv6 configuration

In nm-connection-editor I had set IPv6 to "Ignore", which I interpreted
as "whenever the peer offers ipv6, just ignore that offering". So this
interpretation of "ignore" was wrong. Not sure which part of the system
does actually apply the offered addresses and routes. Are you saying
there might be some sort of autoconfiguration going on, like it could be
done for wired connections?

Once I changed it to "Automatic (VPN)" the "Routes ..." knob appeared.
Here the default is for "Use the connection only for resources for this
network" is disabled. Once I checked that box, the default route is not
applied. I did the same already for ipv4 to avoid that all traffic goes
through tun0.

For short: now that I have the checkbox for "Use the connection only for
resources for this network" enabled my connection works as expected.

If something can be done about the misleading "Ignore", that would be
great.

Olaf


Re: NM ignores knobs regarding ipv6

2016-02-05 Thread Dan Williams
On Fri, 2016-02-05 at 16:49 +0100, Olaf Hering wrote:
> On Fri, Feb 05, Thomas Haller wrote:
> 
> > On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> > > The openvpn connection I have been using for months just gained
> > > support for ipv6. A few months ago I already set ipv6 to "Disabled"
> > > in the IPv6 tab of nm-connection-editor 1.0.8. But when the tunnel
> > > is established NM applies the settings received from the peer
> > > anyway.
> > There exists no ipv6 method "Disabled" until now. What exists is
> > "Ignore" which means, NM leaves it all to the kernel.
> 
> What does it leave to the kernel? I think there is nothing the kernel
> can do on tun0, should there be some autonegotiation for link-local?
> It's unlikely, and tun0 gets just the provided ipv4+ipv6 address. And in
> addition also the ipv6 default route is set to tun0.
> Every knob in the ipv6 tab is ignored.

Can you grab some NM log output?  the NetworkManager openvpn plugin
does have support for IPv6, but we need to figure out if:

1) NM or NM-openvpn is somehow ignoring your request to have them
ignore IPv6 configuration

OR

2) NM is honoring your ipv6.method=ignore, and leaving everything to
the kernel, which sends Router Solicitations over tun0 and gets a reply
back from an IPv6 router on the other side of the VPN.

The NM logs should make that pretty clear, and they'll look something
like this:

  VPN connection 'My VPN' (IP4 Config Get) reply received.
  VPN Gateway: 1.2.3.4
  Tunnel Device: asdadf
  IPv4 configuration:
    Internal Address: 2.3.4.5
    Internal Prefix: 32
    Internal Point-to-Point Address: 2.3.4.6
    Maximum Segment Size (MSS): 0
    Forbid Default Route: yes
    Internal DNS: 5.6.7.8
    Internal DNS: 5.6.7.9
    DNS Domain: 'myvpn.com'
  No IPv6 configuration

If in your logs you see "No IPv6 configuration", then it's the kernel
doing its IPv6 stuff on the interface.  If you see "IPv6
configuration: " then it's NM not honoring ipv6.method=ignore.

Dan

> > Can you show
> >   nmcli connection show $CONNECTION_ID
> 
> 
> connection.id:                          $VPN
> connection.uuid:                        b210995e-b03d-4f35-882c-523fcf3fe264
> connection.interface-name:              --
> connection.type:                        vpn
> connection.autoconnect:                 no
> connection.autoconnect-priority:        0
> connection.timestamp:                   1454686875
> connection.read-only:                   no
> connection.permissions:                 user:olaf
> connection.zone:                        --
> connection.master:                      --
> connection.slave-type:                  --
> connection.autoconnect-slaves:          -1 (default)
> connection.secondaries:
> connection.gateway-ping-timeout:        0
> connection.metered:                     unknown
> ipv4.method:                            auto
> ipv4.dns:
> ipv4.dns-search:
> ipv4.addresses:
> ipv4.gateway:                           --
> ipv4.routes:
> ipv4.route-metric:                      -1
> ipv4.ignore-auto-routes:                no
> ipv4.ignore-auto-dns:                   no
> ipv4.dhcp-client-id:                    --
> ipv4.dhcp-send-hostname:                yes
> ipv4.dhcp-hostname:                     --
> ipv4.never-default:                     yes
> ipv4.may-fail:                          yes
> ipv6.method:                            ignore
> ipv6.dns:
> ipv6.dns-search:
> ipv6.addresses:
> ipv6.gateway:                           --
> ipv6.routes:
> ipv6.route-metric:                      -1
> ipv6.ignore-auto-routes:                no
> ipv6.ignore-auto-dns:                   no
> ipv6.never-default:                     no
> ipv6.may-fail:                          yes
> ipv6.ip6-privacy:                       0 (disabled)
> ipv6.dhcp-send-hostname:                yes
> ipv6.dhcp-hostname:                     --
> vpn.service-type:                       org.freedesktop.NetworkManager.openvpn
> vpn.user-name:                          --
> vpn.data:                               $cmdline
> vpn.secrets:
> vpn.persistent:                         no
> GENERAL.NAME:                           $VPN
> GENERAL.UUID:                           b210995e-b03d-4f35-882c-523fcf3fe264
> GENERAL.DEVICES:                        br0
> GENERAL.STATE:                          activated
> GENERAL.DEFAULT:                        no
> GENERAL.DEFAULT6:                       no
> GENERAL.VPN:                            yes
> GENERAL.ZONE:                           --
> GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/12
> GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/4
> GENERAL.SPEC-OBJ
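
The log check Dan describes above, together with a look at the two profile properties visible in the quoted nmcli output, as an added example that is not part of the original thread. The function names are hypothetical and the sample log and profile text are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample inputs below are constructed.

# Classify NetworkManager VPN log text (stdin) by the two markers in the thread.
classify_vpn_ipv6() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'No IPv6 configuration'; then
        echo kernel     # NM applied no IPv6 config; kernel autoconf is the source
    elif printf '%s\n' "$log" | grep -q 'IPv6 configuration:'; then
        echo nm         # NM applied IPv6 config reported by the VPN plugin
    else
        echo unknown    # excerpt holds no VPN IP config reply
    fi
}

# Print the value of one property from `nmcli connection show` output (stdin).
# Tolerates missing padding after the colon, as in pasted mail archives.
nm_prop() {
    awk -v k="$1:" 'index($0, k) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Report the IPv6 settings that let traffic reach the tunnel unintentionally.
audit_profile() {
    profile=$(cat)
    method=$(printf '%s\n' "$profile" | nm_prop ipv6.method)
    nodefault=$(printf '%s\n' "$profile" | nm_prop ipv6.never-default)
    if [ "$method" = ignore ]; then
        echo "ipv6.method=ignore: NM leaves IPv6 to the kernel, it is not disabled"
    fi
    if [ "$nodefault" = no ]; then
        echo "ipv6.never-default=no: NM may install an IPv6 default route via the VPN"
    fi
}

SAMPLE_LOG_KERNEL="VPN connection 'My VPN' (IP4 Config Get) reply received.
  IPv4 configuration:
    Internal Address: 2.3.4.5
  No IPv6 configuration"
SAMPLE_LOG_NM="  IPv6 configuration:
    Internal Address: 2001:db8::5"
SAMPLE_PROFILE="ipv4.never-default:yes
ipv6.method:ignore
ipv6.never-default:                     no"

printf '%s\n' "$SAMPLE_LOG_KERNEL" | classify_vpn_ipv6
printf '%s\n' "$SAMPLE_LOG_NM" | classify_vpn_ipv6
printf '%s\n' "$SAMPLE_PROFILE" | audit_profile
```

On a live system the same functions can be fed from `journalctl -u NetworkManager` and `nmcli connection show $CONNECTION_ID`.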

Re: NM ignores knobs regarding ipv6

2016-02-05 Thread Olaf Hering
On Fri, Feb 05, Thomas Haller wrote:

> On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> > The openvpn connection I have been using for months just gained
> > support for ipv6. A few months ago I already set ipv6 to "Disabled"
> > in the IPv6 tab of nm-connection-editor 1.0.8. But when the tunnel
> > is established NM applies the settings received from the peer
> > anyway.
> There exists no ipv6 method "Disabled" until now. What exists is
> "Ignore" which means, NM leaves it all to the kernel.

What does it leave to the kernel? I think there is nothing the kernel
can do on tun0, should there be some autonegotiation for link-local? It's
unlikely, and tun0 gets just the provided ipv4+ipv6 address. And in
addition also the ipv6 default route is set to tun0.
Every knob in the ipv6 tab is ignored.

> Can you show
>   nmcli connection show $CONNECTION_ID


connection.id:                          $VPN
connection.uuid:                        b210995e-b03d-4f35-882c-523fcf3fe264
connection.interface-name:              --
connection.type:                        vpn
connection.autoconnect:                 no
connection.autoconnect-priority:        0
connection.timestamp:                   1454686875
connection.read-only:                   no
connection.permissions:                 user:olaf
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
ipv4.method:                            auto
ipv4.dns:
ipv4.dns-search:
ipv4.addresses:
ipv4.gateway:                           --
ipv4.routes:
ipv4.route-metric:                      -1
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.never-default:                     yes
ipv4.may-fail:                          yes
ipv6.method:                            ignore
ipv6.dns:
ipv6.dns-search:
ipv6.addresses:
ipv6.gateway:                           --
ipv6.routes:
ipv6.route-metric:                      -1
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       0 (disabled)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
vpn.service-type:                       org.freedesktop.NetworkManager.openvpn
vpn.user-name:                          --
vpn.data:                               $cmdline
vpn.secrets:
vpn.persistent:                         no
GENERAL.NAME:                           $VPN
GENERAL.UUID:                           b210995e-b03d-4f35-882c-523fcf3fe264
GENERAL.DEVICES:                        br0
GENERAL.STATE:                          activated
GENERAL.DEFAULT:                        no
GENERAL.DEFAULT6:                       no
GENERAL.VPN:                            yes
GENERAL.ZONE:                           --
GENERAL.DBUS-PATH:                      /org/freedesktop/NetworkManager/ActiveConnection/12
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/Settings/4
GENERAL.SPEC-OBJECT:                    /org/freedesktop/NetworkManager/ActiveConnection/0
GENERAL.MASTER-PATH:                    /org/freedesktop/NetworkManager/Devices/1
IP4.ADDRESS[1]:                         10.163.0.87/32
IP4.GATEWAY:                            10.163.0.1
IP4.ROUTE[1]:                           dst = 10.163.0.0/21, nh = 10.163.0.1, mt = 50
IP4.ROUTE[2]:                           dst = 10.0.0.0/8, nh = 10.163.0.1, mt = 50
IP4.ROUTE[3]:                           dst = 149.44.0.0/16, nh = 10.163.0.1, mt = 50
IP4.ROUTE[4]:                           dst = 147.2.0.0/16, nh = 10.163.0.1, mt = 50
IP4.ROUTE[5]:                           dst = 164.99.0.0/16, nh = 10.163.0.1, mt = 50
IP4.ROUTE[6]:                           dst = 137.65.0.0/16, nh = 10.163.0.1, mt = 50
IP4.ROUTE[7]:                           dst = 151.155.128.0/17, nh = 10.163.0.1, mt = 50
IP4.DNS[1]:                             10.160.0.1
IP4.DNS[2]:                             10.160.2.88
IP4.DOMAIN[1]:                          $domain
IP6.ADDRESS[1]:                         2620:113:80c0:8100:10:163:0:87/64
IP6.GATEWAY:
IP6.ROUTE[1]:                           dst = 2620:113:80c0:8000::/50, nh = 2620:113:80c0:8100:10:163:0:2, mt = 50
VPN.TYPE:                               openvpn
VPN.USERNAME: 

Re: NM ignores knobs regarding ipv6

2016-02-05 Thread Thomas Haller
On Fri, 2016-02-05 at 09:01 +0100, Olaf Hering wrote:
> The openvpn connection I have been using for months just gained support
> for ipv6. A few months ago I already set ipv6 to "Disabled" in the IPv6
> tab of nm-connection-editor 1.0.8. But when the tunnel is established NM
> applies the settings received from the peer anyway.

There exists no ipv6 method "Disabled" until now. What exists is
"Ignore" which means, NM leaves it all to the kernel.




> I also tried to apply just the addresses, ignore the received routes.
> Whatever happens, all ipv6 traffic goes through the tunnel as a result.
> 
> Why does NM ignore the knobs? It calls openvpn like that:
> 
> /usr/sbin/openvpn
> --remote $host 443 tcp
> --comp-lzo
> --nobind
> --dev tun
> --dev-type tun
> --cipher AES-256-CBC
> --auth SHA512
> --auth-nocache
> --tls-auth $key 1
> --reneg-sec 0
> --syslog nm-openvpn
> --script-security 2
> --up /usr/lib/nm-openvpn-service-openvpn-helper
> --tun
> --
> --up-restart
> --persist-key
> --persist-tun
> --management /var/run/NetworkManager/nm-openvpn-05c972e7-1f61-4bca-a5a0-c6b0ed7b44a6 unix
> --management-client-user root
> --management-client-group root
> --management-query-passwords
> --auth-retry interact
> --route-noexec
> --ifconfig-noexec
> --client
> --ca $crt
> --cert $crt
> --key $key
> --auth-user-pass
> --user nm-openvpn
> --group nm-openvpn
> 
> Does openvpn do all the address assignment by itself?

The vpn service reports the addresses/routes back to NetworkManager,
and NetworkManager does configuration according to the connection's
configuration + the stuff reported from the VPN service.



Can you show
  nmcli connection show $CONNECTION_ID
  ip addr
  ip route


Thanks,
Thomas



NM ignores knobs regarding ipv6

2016-02-05 Thread Olaf Hering
The openvpn connection I have been using for months just gained support
for ipv6. A few months ago I already set ipv6 to "Disabled" in the IPv6
tab of nm-connection-editor 1.0.8. But when the tunnel is established NM
applies the settings received from the peer anyway.

I also tried to apply just the addresses, ignore the received routes.
Whatever happens, all ipv6 traffic goes through the tunnel as a result.

Why does NM ignore the knobs? It calls openvpn like that:

/usr/sbin/openvpn
--remote $host 443 tcp
--comp-lzo
--nobind
--dev tun
--dev-type tun
--cipher AES-256-CBC
--auth SHA512
--auth-nocache
--tls-auth $key 1
--reneg-sec 0
--syslog nm-openvpn
--script-security 2
--up /usr/lib/nm-openvpn-service-openvpn-helper
--tun
--
--up-restart
--persist-key
--persist-tun
--management /var/run/NetworkManager/nm-openvpn-05c972e7-1f61-4bca-a5a0-c6b0ed7b44a6 unix
--management-client-user root
--management-client-group root
--management-query-passwords
--auth-retry interact
--route-noexec
--ifconfig-noexec
--client
--ca $crt
--cert $crt
--key $key
--auth-user-pass
--user nm-openvpn
--group nm-openvpn

Does openvpn do all the address assignment by itself?

Olaf