I am trying to get some Ubuntu 20.04 clients at work to connect to a new OpenVPN server provided by our new server provider.
The goal is to route only certain traffic into the tunnel (the corresponding routes are pushed by the OpenVPN server) and make the clients use the DNS server pushed by the OpenVPN server as well.
This works with Windows 10 clients and OpenVPN GUI 2.5 out of the box. It also works using openvpn (2.4.7) from the terminal like this:

sudo openvpn --config config.ovpn

with the following client config file config.ovpn:

dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote <ipadressOfProvider> <port> udp4
verify-x509-name "<name>" name
auth-user-pass
remote-cert-tls server
compress
# The following is added only in the config for Ubuntu 20.04
dhcp-option DOMAIN <domainToResolveWithRemoteSiteDNS>
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre

The problems start when using network-manager-openvpn (1.8.12) and the above config file. The connection is established and the pushed DNS server is correctly updated in systemd-resolved (even without the additional up and down scripts in the openvpn config).
However, all traffic is routed into the tun0 interface, even public traffic. The result is that I can access resources at the remote site even using internal domain names, but cannot access the internet because the OpenVPN subnet does not have direct internet access.
Changing the option "Use this connection only for resources on its network" in the network manager OpenVPN config (which corresponds to the option ipv4.never-default displayed via nmcli c show config) solves the routing problem: now only traffic concerning the pushed routes is directed into the tunnel. However, it also prevents the pushed DNS server from being applied to /run/systemd/resolve/resolv.conf.
Until now I haven't found an option in network manager to accept the pushed DNS and, at the same time, route only traffic which concerns the pushed routes.
Some possibly interesting observations so far:

1. Routes

Network Manager with ipv4.never-default=no creates a second default gateway with lower metric in addition to the pushed routes:

$ ip route
default via 10.*.*.* dev tun0 proto static metric 50
default via 192.168.***.** dev wlp3s0 proto dhcp metric 600
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.* metric 50
158.***.**.** via 192.168.***.** dev wlp3s0 proto static metric 600
169.254.0.0/16 dev wlp3s0 scope link metric 1000
172.**.***.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600
192.168.***.** dev wlp3s0 proto static scope link metric 600

Network Manager with ipv4.never-default=yes creates no second default gateway in addition to the pushed routes (same as above, without the first line).
openvpn in the terminal creates no secondary default gateway in addition to the pushed routes:

default via 192.168.***.** dev wlp3s0 proto dhcp metric 600
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.*
169.254.0.0/16 dev wlp3s0 scope link metric 1000
172.**.***.*/24 via 10.*.*.* dev tun0
192.168.*.*/24 via 10.*.*.* dev tun0
192.168.*.*/24 via 10.*.*.* dev tun0
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600

2. DNS server

Network Manager with ipv4.never-default=no overwrites /run/systemd/resolve/resolv.conf:

nameserver 172.**.***.**

Network Manager with ipv4.never-default=yes does not:

nameserver 192.168.***.**
nameserver ****:***:****:****::**

openvpn in the terminal adds the DNS server to the existing ones and adds the domain name served by the remote DNS server as defined in config.ovpn:

nameserver 192.168.***.**
nameserver ****:***:****:****::**
nameserver 172.**.***.***
search <domainToResolveWithRemoteSiteDNS>

If you have any idea which options could be changed in network manager to process config.ovpn the way the openvpn terminal client does, I will be happy to hear your thoughts.
Thanks, Valentin

After some additional "research" (mainly trial and error) I was able to successfully connect to the remote site via network manager while only routing traffic of the pushed routes and using the pushed DNS server.

1. Setting the VPN connection in network manager to never-default (as already discussed in the OP):

nmcli c modify <connectionname> ipv4.never-default yes

2. Setting the connection's dns-search to the internal domains of the remote site:

nmcli c modify <connectionname> ipv4.dns-search <domainname>

This option somehow makes network manager add the DNS server in /run/systemd/resolve/resolv.conf again (adds, not overwrites), despite ipv4.never-default being active. Alternatively, <domainname> can be replaced with ~. which will lead to an overwrite of /run/systemd/resolve/resolv.conf and thus makes the pushed DNS server the only one answering all DNS requests.

Thank you @Valentin!
Your solution is spot on!
In my case, using an Ubuntu 20.04 client connecting to a 20.04 server, also using the gnome-network-manager OpenVPN options, it was not necessary to set dns-search; only the never-default option.
To allow for folder/network (samba) connectivity I also had to edit the "interfaces" option under the "Networking" directive of the smb.conf file on my server as follows
Where the last line was added with X.X.X.X/XX being the CIDR notation of the IP address range that will be assigned by the same openvpn server.
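An added example (not code from either answer above) that scripts the two nmcli settings from Valentin's answer and automates the two checks the question used by hand: whether a default route via the VPN interface appeared, and whether the pushed DNS server reached resolv.conf. The connection name, domain and all addresses in the samples are placeholders or constructed values.

```shell
#!/bin/sh
# Added example: apply the never-default / dns-search settings and verify the
# result. Not part of the original question or answers.

# Print the nmcli commands from the answer; execute them only when RUN=1,
# because they need NetworkManager and root.
apply_nm_settings() {
    conn="$1"; domain="$2"
    for cmd in \
        "nmcli c modify $conn ipv4.never-default yes" \
        "nmcli c modify $conn ipv4.dns-search $domain"; do
        echo "$cmd"
        if [ "${RUN:-0}" = 1 ]; then sh -c "$cmd"; fi
    done
    return 0
}

# Return 0 if the routing table on stdin has a default route through the VPN
# interface ($1): the symptom seen with ipv4.never-default=no.
vpn_owns_default() {
    awk -v dev="$1" '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) found = 1 }
        END { exit !found }'
}

# Return 0 if the resolv.conf on stdin lists the pushed DNS server ($1).
has_pushed_dns() {
    grep -qxF "nameserver $1"
}

# Desired end state: VPN does not own the default route AND the pushed DNS
# server is present. Args: routing table text, resolv.conf text, pushed DNS.
# Live use: vpn_state_ok "$(ip route)" "$(cat /run/systemd/resolve/resolv.conf)" 172.16.10.53
vpn_state_ok() {
    ! printf '%s\n' "$1" | vpn_owns_default tun0 || return 1
    printf '%s\n' "$2" | has_pushed_dns "$3"
}

# Constructed samples mirroring the question's observations (placeholder addresses).
ROUTES_BAD='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
172.16.10.0/24 via 10.8.0.1 dev tun0 proto static metric 50'
ROUTES_GOOD='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
172.16.10.0/24 via 10.8.0.1 dev tun0 proto static metric 50'
RESOLV_OK='nameserver 192.168.1.1
nameserver 172.16.10.53
search corp.example'
```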