Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
On Thu, 2021-06-03 at 17:44 +0200, Beniamino Galvani wrote:
> On Thu, Jun 03, 2021 at 07:17:31AM +, Samuel Le Thiec via networkmanager-list wrote:
>
> Hi,
>
> > For a moment I thought that Network Manager may be assuming a point-to-point topology
> > for the VPN instead of the "topology subnet" as specified in the server.conf, so I did
> > try to 'push "topology subnet"' to the clients, but it didn't help: without the
> > 'push "route-ipv6 .."' above, the client is still missing the route to the subnet.
>
> Right, 'topology' has no effect for IPv6.
>
> > > I can totally live with that, but is it the expected behaviour? If so, why does it
> > > differ from starting openvpn manually from the cli or even as a systemd
> > > openvpn-client@.service?
>
> It's not expected. I think the NetworkManager OpenVPN plugin parses
> the IPv6 configuration incorrectly. If the server pushes, for example:
>
>   ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1
>
> NetworkManager considers the first argument as the subnet and the
> second as the peer, and so it does something equivalent to:
>
>   ip addr add dev tun0 2001:db8:f00:bebe::1003/64 peer 2001:db8:f00:bebe::1
>
> which appears in the "ip -6 addr" output as:
>
>   inet6 2001:db8:f00:bebe::1003 peer 2001:db8:f00:bebe::1/128 scope global
>      valid_lft forever preferred_lft forever
>
> Instead, according to 'man openvpn', NM should simply add address
> "2001:db8:f00:bebe::1003/64" and use the second argument as a fallback
> gateway for the routes specified by '--route-ipv6':
>
>   --ifconfig-ipv6 ipv6addr/bits ipv6remote
>       configure IPv6 address ipv6addr/bits on the ``tun'' device. The
>       second parameter is used as route target for --route-ipv6 if no
>       gateway is specified.
>
>   --route-ipv6 ipv6addr/bits [gateway] [metric]
>       setup IPv6 routing in the system to send the specified IPv6
>       network into OpenVPN's ``tun''. The gateway parameter is only used
>       for IPv6 routes across ``tap'' devices, and if missing, the
>       ``ipv6remote'' field from --ifconfig-ipv6 is used.
>
> I have opened an issue for this [1] and I will prepare a patch for it.
>
> [1] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/71
>
> Beniamino

Hello Beniamino,

This seems great, thank you!

On an unrelated subject, may I ask here why NM tries to reroute everything through the vpn by default instead of letting the vpn server decide the default behaviour? I find it somewhat counterintuitive but there's certainly a good reason!

Thanks again,
samuel

___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
On Thu, Jun 03, 2021 at 07:17:31AM +, Samuel Le Thiec via networkmanager-list wrote:

Hi,

> For a moment I thought that Network Manager may be assuming a point-to-point topology
> for the VPN instead of the "topology subnet" as specified in the server.conf, so I did
> try to 'push "topology subnet"' to the clients, but it didn't help: without the
> 'push "route-ipv6 .."' above, the client is still missing the route to the subnet.

Right, 'topology' has no effect for IPv6.

> > I can totally live with that, but is it the expected behaviour? If so, why does it
> > differ from starting openvpn manually from the cli or even as a systemd
> > openvpn-client@.service?

It's not expected. I think the NetworkManager OpenVPN plugin parses
the IPv6 configuration incorrectly. If the server pushes, for example:

  ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1

NetworkManager considers the first argument as the subnet and the
second as the peer, and so it does something equivalent to:

  ip addr add dev tun0 2001:db8:f00:bebe::1003/64 peer 2001:db8:f00:bebe::1

which appears in the "ip -6 addr" output as:

  inet6 2001:db8:f00:bebe::1003 peer 2001:db8:f00:bebe::1/128 scope global
     valid_lft forever preferred_lft forever

Instead, according to 'man openvpn', NM should simply add address
"2001:db8:f00:bebe::1003/64" and use the second argument as a fallback
gateway for the routes specified by '--route-ipv6':

  --ifconfig-ipv6 ipv6addr/bits ipv6remote
      configure IPv6 address ipv6addr/bits on the ``tun'' device. The
      second parameter is used as route target for --route-ipv6 if no
      gateway is specified.

  --route-ipv6 ipv6addr/bits [gateway] [metric]
      setup IPv6 routing in the system to send the specified IPv6
      network into OpenVPN's ``tun''. The gateway parameter is only used
      for IPv6 routes across ``tap'' devices, and if missing, the
      ``ipv6remote'' field from --ifconfig-ipv6 is used.

I have opened an issue for this [1] and I will prepare a patch for it.

[1] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/71

Beniamino
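The two readings of ifconfig-ipv6 described in the message above, modelled as an added example (not code from NetworkManager, OpenVPN or anyone in this thread). The function names, the other host 2001:db8:f00:bebe::2000 and the pushed route are constructed; the peer reading is an assumed model that mirrors the /128 IP6.ROUTE entries in the nmcli output posted in the thread.

```python
import ipaddress

def parse_ifconfig_ipv6(directive):
    """Split 'ifconfig-ipv6 ipv6addr/bits ipv6remote' as 'man openvpn' documents it."""
    fields = directive.split()
    if len(fields) != 3 or fields[0] != "ifconfig-ipv6":
        raise ValueError(f"not an ifconfig-ipv6 directive: {directive!r}")
    return ipaddress.IPv6Interface(fields[1]), ipaddress.IPv6Address(fields[2])

def parse_route_ipv6(directive, ifconfig_remote):
    """Return (network, gateway) for 'route-ipv6 ipv6addr/bits [gateway] [metric]'.
    A missing gateway falls back to the ipv6remote of ifconfig-ipv6."""
    fields = directive.split()
    if len(fields) < 2 or fields[0] != "route-ipv6":
        raise ValueError(f"not a route-ipv6 directive: {directive!r}")
    gateway = ipaddress.IPv6Address(fields[2]) if len(fields) > 2 else ifconfig_remote
    return ipaddress.IPv6Network(fields[1]), gateway

def routes_as_subnet(iface, remote):
    """Documented reading: ipv6addr/bits on tun yields one on-link prefix route."""
    return [iface.network]

def routes_as_peer(iface, remote):
    """Peer reading (assumed model, matching the /128 IP6.ROUTE entries in the
    thread's nmcli output): host routes for the local and peer address only."""
    return [ipaddress.ip_network(f"{iface.ip}/128"),
            ipaddress.ip_network(f"{remote}/128")]

def reachable(dest, routes):
    """True if some route in the list covers dest."""
    return any(ipaddress.IPv6Address(dest) in net for net in routes)

def compare(ifconfig, other_host, pushed_route=None):
    """Reachability of other_host under both readings, plus the pushed-route workaround."""
    iface, remote = parse_ifconfig_ipv6(ifconfig)
    peer_routes = routes_as_peer(iface, remote)
    result = {
        "subnet": reachable(other_host, routes_as_subnet(iface, remote)),
        "peer": reachable(other_host, peer_routes),
    }
    if pushed_route:
        network, gateway = parse_route_ipv6(pushed_route, remote)
        result["peer+pushed"] = reachable(other_host, peer_routes + [network])
        result["gateway"] = str(gateway)
    return result

if __name__ == "__main__":
    # Directive from the thread; the other host and pushed route are constructed.
    print(compare("ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1",
                  "2001:db8:f00:bebe::2000",
                  "route-ipv6 2001:db8:f00:bebe::/64"))
```

Under the peer reading only the two /128 destinations are covered, which is why the rest of the /64 stays unreachable until the server pushes an explicit route-ipv6 for it.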
Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
On Tue, 2021-06-01 at 21:52 +, Samuel Le Thiec via networkmanager-list wrote:
>
> On Tue, 2021-06-01 at 13:27 +, Samuel Le Thiec via networkmanager-list wrote:
> > Note: sorry for the potential duplicate email, I sent it before & after having
> > registered to the list!
> >
> > Hello all,
> >
> > I have a working openvpn config (see below) which I can't get to fully work with
> > Network Manager: the private IPv6 network is not accessible when connecting to the
> > VPN with NM(*).
> >
> > Here is what I get for tun0 when connecting with NM:
> >
> > $ ip a l tun0
> > 17: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
> >        valid_lft forever preferred_lft forever
> >
> > When connecting with systemd or via the command line (sudo openvpn --config vpn.conf):
> >
> > $ ip a l tun0
> > 14: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none
> >     inet 10.66.6.4/24 scope global tun0
> >        valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002/64 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
> >        valid_lft forever preferred_lft forever
> >
> > → Note the scope global inet6 differences above: peer vs subnet
> >
> > (*) In order to avoid having all my traffic routed through the vpn, I did check "Use
> > this connection only for resources on its network" for IPv4 & IPv6.
> >
> > Is there a way to make Network Manager behave like openvpn --config vpn.conf?
>
> Hello again:)
>
> I don't know why this would be needed, but I noticed this can be worked around by
> pushing the route towards the server-ipv6 subnet from the openvpn server, with the
> directive:
>
> push "route-ipv6 2001:bc8:3d1d:1337::/64"

For a moment I thought that Network Manager may be assuming a point-to-point topology for the VPN instead of the "topology subnet" as specified in the server.conf, so I did try to 'push "topology subnet"' to the clients, but it didn't help: without the 'push "route-ipv6 .."' above, the client is still missing the route to the subnet.

> I can totally live with that, but is it the expected behaviour? If so, why does it
> differ from starting openvpn manually from the cli or even as a systemd
> openvpn-client@.service?
>
> Thanks in advance!
>
> samuel
>
> > Here is additional information:
> >
> > $ nmcli device show tun0
> > GENERAL.DEVICE:      tun0
> > GENERAL.TYPE:        tun
> > GENERAL.HWADDR:      (unknown)
> > GENERAL.MTU:         1500
> > GENERAL.STATE:       100 (connected (externally))
> > GENERAL.CONNECTION:  tun0
> > GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveConnection/27
> > IP4.ADDRESS[1]:      10.66.6.4/24
> > IP4.GATEWAY:         --
> > IP4.ROUTE[1]:        dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> > IP6.ADDRESS[1]:      2001:bc8:3d1d:1337::1002/64
> > IP6.GATEWAY:         --
> > IP6.ROUTE[1]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> > IP6.ROUTE[2]:        dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> > IP6.ROUTE[3]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
> >
> > And the openvpn client config I imported from NM (minus the certs):
> >
> > | client
> > | dev tun
> > | # try standard port first
> > | remote hub.nsoc.fr
> > | remote hub.nsoc.fr 53
> > | ping 25
> > | ping-restart 120
> > | persist-key
> > | persist-tun
> > | tls-version-min 1.3
> > | remote-cert-tls server
> > | mute-replay-warnings
> > |
> > | askpass
> > | verb 3
> > |
> > |
> > |
> > |
> > |
> >
> > Thank you in advance!
> >
> > Samuel
Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
Hello again:)

I don't know why this would be needed, but I noticed this can be worked around by pushing the route towards the server-ipv6 subnet from the openvpn server, with the directive:

push "route-ipv6 2001:bc8:3d1d:1337::/64"

I can totally live with that, but is it the expected behaviour? If so, why does it differ from starting openvpn manually from the cli or even as a systemd openvpn-client@.service?

Thanks in advance!

samuel

On Tue, 2021-06-01 at 13:27 +, Samuel Le Thiec via networkmanager-list wrote:
> Note: sorry for the potential duplicate email, I sent it before & after having
> registered to the list!
>
> Hello all,
>
> I have a working openvpn config (see below) which I can't get to fully work with
> Network Manager: the private IPv6 network is not accessible when connecting to the
> VPN with NM(*).
>
> Here is what I get for tun0 when connecting with NM:
>
> $ ip a l tun0
> 17: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
>     link/none
>     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
>        valid_lft forever preferred_lft forever
>     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
>        valid_lft forever preferred_lft forever
>
> When connecting with systemd or via the command line (sudo openvpn --config vpn.conf):
>
> $ ip a l tun0
> 14: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
>     link/none
>     inet 10.66.6.4/24 scope global tun0
>        valid_lft forever preferred_lft forever
>     inet6 2001:bc8:3d1d:1337::1002/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
>        valid_lft forever preferred_lft forever
>
> → Note the scope global inet6 differences above: peer vs subnet
>
> (*) In order to avoid having all my traffic routed through the vpn, I did check "Use
> this connection only for resources on its network" for IPv4 & IPv6.
>
> Is there a way to make Network Manager behave like openvpn --config vpn.conf?
>
> Here is additional information:
>
> $ nmcli device show tun0
> GENERAL.DEVICE:      tun0
> GENERAL.TYPE:        tun
> GENERAL.HWADDR:      (unknown)
> GENERAL.MTU:         1500
> GENERAL.STATE:       100 (connected (externally))
> GENERAL.CONNECTION:  tun0
> GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveConnection/27
> IP4.ADDRESS[1]:      10.66.6.4/24
> IP4.GATEWAY:         --
> IP4.ROUTE[1]:        dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> IP6.ADDRESS[1]:      2001:bc8:3d1d:1337::1002/64
> IP6.GATEWAY:         --
> IP6.ROUTE[1]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> IP6.ROUTE[2]:        dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> IP6.ROUTE[3]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
>
> And the openvpn client config I imported from NM (minus the certs):
>
> | client
> | dev tun
> | # try standard port first
> | remote hub.nsoc.fr
> | remote hub.nsoc.fr 53
> | ping 25
> | ping-restart 120
> | persist-key
> | persist-tun
> | tls-version-min 1.3
> | remote-cert-tls server
> | mute-replay-warnings
> |
> | askpass
> | verb 3
> |
> |
> |
> |
> |
>
> Thank you in advance!
>
> Samuel
openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
Note: sorry for the potential duplicate email, I sent it before & after having registered to the list!

Hello all,

I have a working openvpn config (see below) which I can't get to fully work with Network Manager: the private IPv6 network is not accessible when connecting to the VPN with NM(*).

Here is what I get for tun0 when connecting with NM:

$ ip a l tun0
17: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever

When connecting with systemd or via the command line (sudo openvpn --config vpn.conf):

$ ip a l tun0
14: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my traffic routed through the vpn, I did check "Use this connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Here is additional information:

$ nmcli device show tun0
GENERAL.DEVICE:      tun0
GENERAL.TYPE:        tun
GENERAL.HWADDR:      (unknown)
GENERAL.MTU:         1500
GENERAL.STATE:       100 (connected (externally))
GENERAL.CONNECTION:  tun0
GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]:      10.66.6.4/24
IP4.GATEWAY:         --
IP4.ROUTE[1]:        dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]:      2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:         --
IP6.ROUTE[1]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:        dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50

And the openvpn client config I imported from NM (minus the certs):

| client
| dev tun
| # try standard port first
| remote hub.nsoc.fr
| remote hub.nsoc.fr 53
| ping 25
| ping-restart 120
| persist-key
| persist-tun
| tls-version-min 1.3
| remote-cert-tls server
| mute-replay-warnings
|
| askpass
| verb 3
|
|
|
|
|

Thank you in advance!

Samuel
openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?
Hello all,

Please, make sure to CC me in your replies so I'm sure to get them!

I have a working openvpn config (see below) which I can't get to fully work with Network Manager: the private IPv6 network is not accessible when connecting to the VPN with NM(*).

Here is what I get for tun0 when connecting with NM:

$ ip a l tun0
17: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever

When connecting with systemd or via the command line (sudo openvpn --config vpn.conf):

$ ip a l tun0
14: tun0: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.66.6.4/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my traffic routed through the vpn, I did check "Use this connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Here is additional information:

$ nmcli device show tun0
GENERAL.DEVICE:      tun0
GENERAL.TYPE:        tun
GENERAL.HWADDR:      (unknown)
GENERAL.MTU:         1500
GENERAL.STATE:       100 (connected (externally))
GENERAL.CONNECTION:  tun0
GENERAL.CON-PATH:    /org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]:      10.66.6.4/24
IP4.GATEWAY:         --
IP4.ROUTE[1]:        dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]:      2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:         --
IP6.ROUTE[1]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:        dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:        dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50

And the openvpn client config I imported from NM (minus the certs):

| client
| dev tun
| # try standard port first
| remote hub.nsoc.fr
| remote hub.nsoc.fr 53
| ping 25
| ping-restart 120
| persist-key
| persist-tun
| tls-version-min 1.3
| remote-cert-tls server
| mute-replay-warnings
|
| askpass
| verb 3
|
|
|
|
|

Thank you in advance!

Samuel