I am trying to get some Ubuntu 20.04 clients at work to connect to a new OpenVPN server provided by our new server provider.
The goal is to route only certain traffic into the tunnel (the corresponding routes are pushed by the OpenVPN server) and make the clients use the DNS server pushed by the OpenVPN server as well.
This works with Windows 10 clients and OpenVPN GUI 2.5 out of the box. It works as well using openvpn (2.4.7) from the terminal like this: sudo openvpn --config config.ovpn
with the following client config file config.ovpn:
dev tun
tun-ipv6
persist-tun
persist-key
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote <ipadressOfProvider> <port> udp4
verify-x509-name "<name>" name
auth-user-pass
remote-cert-tls server
compress
# The following is added only in the config for Ubuntu 20.04
dhcp-option DOMAIN <domainToResolveWithRemoteSiteDNS>
script-security 2
up /etc/openvpn/update-systemd-resolved
up-restart
down /etc/openvpn/update-systemd-resolved
down-pre
The problems start when using network-manager-openvpn (1.8.12) and the above config file. The connection is established and the pushed DNS server is correctly updated in systemd-resolved (even without the additional up and down scripts in the openvpn config).
However, all traffic is routed into the tun0 interface, even public traffic. The result is that I can access resources at the remote site even using internal domain names, but cannot access the internet because the OpenVPN subnet does not have direct internet access.
Changing the option "Use this connection only for resources on its network" in the network manager openvpn config (which corresponds to the option ipv4.neverdefault displayed via nmcli c show config) solves the routing problem: now, only traffic concerning the pushed routes is directed into the tunnel. However, it also prevents the pushed DNS server from being applied to /run/systemd/resolve/resolv.conf.
Until now I haven't found an option to accept the pushed DNS and route only traffic which concerns the pushed routes simultaneously with network manager.
Some possibly interesting observations so far:
1. Routes
Network Manager with ipv4.neverdefault=no creates a second default gateway with lower metric in addition to the pushed routes:
$ ip route
default via 10.*.*.* dev tun0 proto static metric 50
default via 192.168.***.** dev wlp3s0 proto dhcp metric 600
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.* metric 50
158.***.**.** via 192.168.***.** dev wlp3s0 proto static metric 600
169.254.0.0/16 dev wlp3s0 scope link metric 1000
172.**.***.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.*.*/24 via 10.*.*.* dev tun0 proto static metric 50
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600
192.168.***.** dev wlp3s0 proto static scope link metric 600
Network Manager with ipv4.neverdefault=yes creates no second default gateway in addition to the pushed routes (same as above, without the first line).
openvpn in the terminal creates no secondary default gateway in addition to the pushed routes:
default via 192.168.***.** dev wlp3s0 proto dhcp metric 600
10.*.*.*/24 dev tun0 proto kernel scope link src 10.*.*.*
169.254.0.0/16 dev wlp3s0 scope link metric 1000
172.**.***.*/24 via 10.*.*.* dev tun0
192.168.*.*/24 via 10.*.*.* dev tun0
192.168.*.*/24 via 10.*.*.* dev tun0
192.168.***.*/24 dev wlp3s0 proto kernel scope link src 192.168.***.*** metric 600
2. DNS server
Network Manager with ipv4.neverdefault=no does overwrite /run/systemd/resolve/resolv.conf:
nameserver 172.**.***.**
Network Manager with ipv4.neverdefault=yes does not:
nameserver 192.168.***.**
nameserver ****:***:****:****::**
openvpn in the terminal adds the DNS server to the existing ones and adds the domain name served by the remote DNS server as defined in config.ovpn:
nameserver 192.168.***.**
nameserver ****:***:****:****::**
nameserver 172.**.***.***
search <domainToResolveWithRemoteSiteDNS>
If you have any idea which options could be changed in network manager to process config.ovpn as the openvpn terminal client does, I will be happy to hear your thoughts.
Thanks, Valentin
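A small diagnostic, added here as an example and not part of the original question, that checks the two symptoms the post compares from `ip route` and resolv.conf text: whether a default route sits on the tunnel interface (full tunnel) and whether a given nameserver reached resolv.conf. The function names and all addresses in the sample data are constructed placeholders, not the poster's values.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a route table and a
# resolv.conf the way the post compares them. Sample data is constructed;
# 10.8.0.1 / 172.16.10.53 / 192.168.1.1 are placeholders, not real addresses.

# Read `ip route` lines on stdin; print full-tunnel if a default route uses $1.
classify_routes() {
    if awk -v dev="$1" '
        $1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) hit = 1 }
        END { exit !hit }'; then
        echo full-tunnel
    else
        echo split-tunnel
    fi
}

# Read resolv.conf lines on stdin; print dns-applied if $1 is listed as a nameserver.
dns_status() {
    if awk -v ns="$1" '$1 == "nameserver" && $2 == ns { hit = 1 } END { exit !hit }'; then
        echo dns-applied
    else
        echo dns-missing
    fi
}

# vpn_report IFACE NAMESERVER ROUTES_TEXT RESOLV_TEXT -> "<routing> <dns>"
vpn_report() {
    r=$(printf '%s\n' "$3" | classify_routes "$1")
    d=$(printf '%s\n' "$4" | dns_status "$2")
    echo "$r $d"
}

# Constructed samples mirroring the three cases described in the post.
NM_NO_ROUTES='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
172.16.10.0/24 via 10.8.0.1 dev tun0 proto static metric 50'
NM_NO_RESOLV='nameserver 172.16.10.53'
NM_YES_ROUTES='default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
172.16.10.0/24 via 10.8.0.1 dev tun0 proto static metric 50'
NM_YES_RESOLV='nameserver 192.168.1.1'
CLI_RESOLV='nameserver 192.168.1.1
nameserver 172.16.10.53
search corp.example'

echo "nm neverdefault=no:  $(vpn_report tun0 172.16.10.53 "$NM_NO_ROUTES" "$NM_NO_RESOLV")"
echo "nm neverdefault=yes: $(vpn_report tun0 172.16.10.53 "$NM_YES_ROUTES" "$NM_YES_RESOLV")"
echo "openvpn cli:         $(vpn_report tun0 172.16.10.53 "$NM_YES_ROUTES" "$CLI_RESOLV")"
```

On a live machine the same functions can be fed with `ip route | classify_routes tun0` and `dns_status <server> < /run/systemd/resolve/resolv.conf`.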