F28, openvpn, NetworkManager - users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

1995

1994

1993

1992

1991

1990

1989

1988

1987

1986

1985

1984

1983

1982

1981

1980

F28, openvpn, NetworkManager

is grubby a dumb software?

DHCP fails on wired Ethernet after...

Jack Craig

Sunday, 26 May 2019 Sun, 26 May '19

8:34 p.m.

hi all, anyone got openvpn doing proper route management with vpn start/stop? my take appears to suggest NM to be the problem, but short on proof. anyone? tia, jackc...

Attachments:

attachment.html (text/html — 280 bytes)

Reply

Show replies by thread

Ed Greshko

Sunday, 26 May Sun, 26 May

8:58 p.m.

On 5/27/19 9:34 AM, Jack Craig wrote:

anyone got openvpn doing proper route management with vpn start/stop? my take appears to suggest NM to be the problem, but short on proof.

I had no problems on F28. Now on F30 with no issues. You'll need to describe what problem you having. -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme

Reply

Jack Craig

9:23 p.m.

so, i have enp420 & tun0. when tun0 comes up, route are not properly update for tun0 routing. i think... default via 10.0.0.1 dev enp4s0 proto dhcp metric 100 10.0.0.0/24 via 10.0.0.1 dev enp4s0 proto static metric 2 10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.101 metric 100 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1 10.8.1.0/24 via 10.8.0.2 dev tun0 10.8.2.0/24 via 10.8.0.2 dev tun0 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown looks like maybe some NM policy is broke? does NM create proper route for your vpn on NM restart? On Sun, May 26, 2019 at 6:59 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:

On 5/27/19 9:34 AM, Jack Craig wrote: > anyone got openvpn doing proper route management with vpn start/stop? > > my take appears to suggest NM to be the problem, but short on proof. I had no problems on F28. Now on F30 with no issues. You'll need to describe what problem you having. -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

Reply

Ed Greshko

10:18 p.m.

On 5/27/19 10:23 AM, Jack Craig wrote:

so, i have enp420 & tun0. when tun0 comes up, route are not properly update for tun0 routing. i think... default via 10.0.0.1 dev enp4s0 proto dhcp metric 100 10.0.0.0/24 <http://10.0.0.0/24> via 10.0.0.1 dev enp4s0 proto static metric 2 10.0.0.0/24 <http://10.0.0.0/24> dev enp4s0 proto kernel scope link src 10.0.0.101 metric 100 10.8.0.0/24 <http://10.8.0.0/24> dev tun0 proto kernel scope link src 10.8.0.1 10.8.1.0/24 <http://10.8.1.0/24> via 10.8.0.2 dev tun0 10.8.2.0/24 <http://10.8.2.0/24> via 10.8.0.2 dev tun0 192.168.122.0/24 <http://192.168.122.0/24> dev virbr0 proto kernel scope link src 192.168.122.1 linkdown looks like maybe some NM policy is broke? does NM create proper route for your vpn on NM restart?

Before the vpn is started... [egreshko@meimei ~]$ ip -4 route show default via 192.168.1.1 dev enp2s0 proto static metric 100 192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100 [root@meimei ~]# tcptraceroute 151.101.129.67 Running: traceroute -T -O info 151.101.129.67 traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets 1 wifi.greshko.com (192.168.1.1) 0.607 ms 0.546 ms 2.658 ms 2 211-75-128-254.HINET-IP.hinet.net (211.75.128.254) 6.886 ms 6.919 ms 6.897 ms 3 tpdt-3308.hinet.net (168.95.211.46) 7.212 ms 6.867 ms 7.150 ms 4 tpdt-3022.hinet.net (220.128.27.94) 7.819 ms 220-128-1-102.HINET-IP.hinet.net (220.128.1.102) 7.338 ms 7.760 ms 5 r4103-s2.tp.hinet.net (220.128.2.109) 7.224 ms r4103-s2.tp.hinet.net (220.128.2.13) 7.022 ms 7.020 ms 6 r4003-s2.tp.hinet.net (220.128.3.249) 7.036 ms 6.781 ms r4003-s2.tp.hinet.net (220.128.3.145) 19.583 ms 7 211-22-33-77.HINET-IP.hinet.net (211.22.33.77) 39.508 ms 39.141 ms 39.083 ms 8 HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197) 30.705 ms 31.085 ms 31.056 ms 9 HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197) 30.298 ms 30.503 ms 30.797 ms 10 fastly.bundle24.br02.hkg12.pccwbtn.net (63.217.237.106) 30.157 ms 30.205 ms 30.114 ms 11 151.101.129.67 (151.101.129.67) <syn,ack> 38.761 ms 36.893 ms 36.795 ms After the vpn is started... [egreshko@meimei ~]$ ip -4 route show default via 25.0.9.1 dev tun0 proto static metric 50 default via 192.168.1.1 dev enp2s0 proto static metric 100 25.0.9.0/24 dev tun0 proto kernel scope link src 25.0.9.5 metric 50 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100 192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100 192.168.1.1 dev enp2s0 proto static scope link metric 100 [root@meimei ~]# tcptraceroute 151.101.129.67 Running: traceroute -T -O info 151.101.129.67 traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets 1 _gateway (25.0.9.1) 208.511 ms 208.499 ms 208.497 ms 2 * * * 3 66.55.141.1 (66.55.141.1) 209.053 ms 209.060 ms 209.058 ms 4 * * * 5 * vl42-er1-q8.pnj1.choopa.net (108.61.2.90) 416.846 ms * 6 * * fastly-1.nyiix.net (198.32.160.22) 209.044 ms 7 151.101.129.67 (151.101.129.67) <syn,ack> 208.678 ms 208.799 ms fastly-1.nyiix.net (198.32.160.22) 209.042 ms I've not looked at the openVPN protocol in quite some time. However, if your configuration has the IPv4 configuration for the connection set to "Automatic" then isn't the server side responsible for sending routing information to the client? -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme

Reply

Jack Craig

11:17 p.m.

i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, its torn down first on shutdown. i'm thinking along this line, ... https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... On Sun, May 26, 2019 at 8:19 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:

On 5/27/19 10:23 AM, Jack Craig wrote: > so, i have enp420 & tun0. when tun0 comes up, route are not properly update for tun0 > routing. i think... > > default via 10.0.0.1 dev enp4s0 proto dhcp metric 100 > 10.0.0.0/24 <http://10.0.0.0/24> via 10.0.0.1 dev enp4s0 proto static metric 2 > 10.0.0.0/24 <http://10.0.0.0/24> dev enp4s0 proto kernel scope link src 10.0.0.101 > metric 100 > 10.8.0.0/24 <http://10.8.0.0/24> dev tun0 proto kernel scope link src 10.8.0.1 > 10.8.1.0/24 <http://10.8.1.0/24> via 10.8.0.2 dev tun0 > 10.8.2.0/24 <http://10.8.2.0/24> via 10.8.0.2 dev tun0 > 192.168.122.0/24 <http://192.168.122.0/24> dev virbr0 proto kernel scope link src > 192.168.122.1 linkdown > > looks like maybe some NM policy is broke? > > does NM create proper route for your vpn on NM restart? > > Before the vpn is started... [egreshko@meimei ~]$ ip -4 route show default via 192.168.1.1 dev enp2s0 proto static metric 100 192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100 [root@meimei ~]# tcptraceroute 151.101.129.67 Running: traceroute -T -O info 151.101.129.67 traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets 1 wifi.greshko.com (192.168.1.1) 0.607 ms 0.546 ms 2.658 ms 2 211-75-128-254.HINET-IP.hinet.net (211.75.128.254) 6.886 ms 6.919 ms 6.897 ms 3 tpdt-3308.hinet.net (168.95.211.46) 7.212 ms 6.867 ms 7.150 ms 4 tpdt-3022.hinet.net (220.128.27.94) 7.819 ms 220-128-1-102.HINET-IP.hinet.net (220.128.1.102) 7.338 ms 7.760 ms 5 r4103-s2.tp.hinet.net (220.128.2.109) 7.224 ms r4103-s2.tp.hinet.net (220.128.2.13) 7.022 ms 7.020 ms 6 r4003-s2.tp.hinet.net (220.128.3.249) 7.036 ms 6.781 ms r4003-s2.tp.hinet.net (220.128.3.145) 19.583 ms 7 211-22-33-77.HINET-IP.hinet.net (211.22.33.77) 39.508 ms 39.141 ms 39.083 ms 8 HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197) 30.705 ms 31.085 ms 31.056 ms 9 HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197) 30.298 ms 30.503 ms 30.797 ms 10 fastly.bundle24.br02.hkg12.pccwbtn.net (63.217.237.106) 30.157 ms 30.205 ms 30.114 ms 11 151.101.129.67 (151.101.129.67) <syn,ack> 38.761 ms 36.893 ms 36.795 ms After the vpn is started... [egreshko@meimei ~]$ ip -4 route show default via 25.0.9.1 dev tun0 proto static metric 50 default via 192.168.1.1 dev enp2s0 proto static metric 100 25.0.9.0/24 dev tun0 proto kernel scope link src 25.0.9.5 metric 50 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100 192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100 192.168.1.1 dev enp2s0 proto static scope link metric 100 [root@meimei ~]# tcptraceroute 151.101.129.67 Running: traceroute -T -O info 151.101.129.67 traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets 1 _gateway (25.0.9.1) 208.511 ms 208.499 ms 208.497 ms 2 * * * 3 66.55.141.1 (66.55.141.1) 209.053 ms 209.060 ms 209.058 ms 4 * * * 5 * vl42-er1-q8.pnj1.choopa.net (108.61.2.90) 416.846 ms * 6 * * fastly-1.nyiix.net (198.32.160.22) 209.044 ms 7 151.101.129.67 (151.101.129.67) <syn,ack> 208.678 ms 208.799 ms fastly-1.nyiix.net (198.32.160.22) 209.042 ms I've not looked at the openVPN protocol in quite some time. However, if your configuration has the IPv4 configuration for the connection set to "Automatic" then isn't the server side responsible for sending routing information to the client? -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

Reply

Ed Greshko

Monday, 27 May Mon, 27 May

12:16 a.m.

On 5/27/19 12:17 PM, Jack Craig wrote:

i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, its torn down first on shutdown. i'm thinking along this line, ... https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default...

I've never used that configuration setting. Could you show your routes before vpn and after vpn activation? I find it odd that you don't show routes similar to a default route such as... default via 25.0.8.1 dev tun0 proto static metric 50 and a specific route to the VPN server like 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100 Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server? -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme

Reply

Jack Craig

12:38 a.m.

On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:

On 5/27/19 12:17 PM, Jack Craig wrote: > i thought what i read was after nm brings up the vpn, only then is the default route to > vpn created. more, its torn down first on shutdown. > > i'm thinking along this line, ... > > https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... > I've never used that configuration setting. Could you show your routes before vpn and after vpn activation?

the table didnt change. dorking with it did blow my default route out, so i will resume in the am after rest

I find it odd that you don't show routes similar to a default route such as...

me too!

default via 25.0.8.1 dev tun0 proto static metric 50 and a specific route to the VPN server like 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100

i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24, then vpn comes and default route is now pointed at the vpn. and this process in reverse on shutdown...

Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server?

afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous functioning server. the consumer version found here, ... https://openvpn.net/

-- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

Reply

Ed Greshko

12:51 a.m.

On 5/27/19 1:38 PM, Jack Craig wrote:

On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko(a)greshko.com <mailto:ed.greshko@greshko.com>> wrote: On 5/27/19 12:17 PM, Jack Craig wrote: > i thought what i read was after nm brings up the vpn, only then is the default route to > vpn created. more, its torn down first on shutdown. > > i'm thinking along this line, ... > > https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... > I've never used that configuration setting. Could you show your routes before vpn and after vpn activation? the table didnt change. dorking with it did blow my default route out, so i will resume in the am after rest I find it odd that you don't show routes similar to a default route such as... me too! default via 25.0.8.1 dev tun0 proto static metric 50 and a specific route to the VPN server like 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100 i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24 <http://10.0.0./24>;, then vpn comes and default route is now pointed at the vpn. and this process in reverse on shutdown...

Yes, but all the routing information needed by the client should be provided by the server, in most cases.

Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server? afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous functioning server. the consumer version found here, ... https://openvpn.net/

I didn't phrase my question very well. I was asking if you have created your own OpenVPN server and you're trying to use it, or you're connection to a VPN service like NordVPN or Ironsocket or another service provider. I'm connecting to Ironsocket. I get the feeling, based on what you've said, your configuring your own OpenVPN server, yes? If that is the case, you may want to show folks your configuration. It seems something may be missing. -- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme

Reply

Jack Craig

12:52 a.m.

starting here in the am, see policy based routing,... https://docs.fedoraproject.org/en-US/Fedora/24/html/Networking_Guide/inde... i think i will find what i crave there... On Sun, May 26, 2019 at 10:38 PM Jack Craig <jack.craig.aptos(a)gmail.com> wrote:

On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko(a)greshko.com> wrote: > On 5/27/19 12:17 PM, Jack Craig wrote: > > i thought what i read was after nm brings up the vpn, only then is the > default route to > > vpn created. more, its torn down first on shutdown. > > > > i'm thinking along this line, ... > > > > > https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... > > > > I've never used that configuration setting. > > Could you show your routes before vpn and after vpn activation? > the table didnt change. dorking with it did blow my default route out, so i will resume in the am after rest > > I find it odd that you don't show routes similar to a default route such > as... > me too! > default via 25.0.8.1 dev tun0 proto static metric 50 > > and a specific route to the VPN server like > > 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100 > i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24, then vpn comes and default route is now pointed at the vpn. and this process in reverse on shutdown... > Are you connecting to a commercial openvpn service? Or, are you setting > up your own > openvpn server? > afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous functioning server. the consumer version found here, ... https://openvpn.net/ > > -- > Right: I dislike the default color scheme Wrong: What idiot picked the > default color scheme > _______________________________________________ > users mailing list -- users(a)lists.fedoraproject.org > To unsubscribe send an email to users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org >

Reply

Jack Craig

12:59 a.m.

On Sun, May 26, 2019 at 10:52 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:

On 5/27/19 1:38 PM, Jack Craig wrote: > > > On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko(a)greshko.com > <mailto:ed.greshko@greshko.com>> wrote: > > On 5/27/19 12:17 PM, Jack Craig wrote: > > i thought what i read was after nm brings up the vpn, only then is the default > route to > > vpn created. more, its torn down first on shutdown. > > > > i'm thinking along this line, ... > > > > https: <https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... what should happen is that after each interface comes up via NM a default route > is set to it > so eth0 up, default route to , say, 10.0.0./24 <http://10.0.0./24>;, then vpn comes and > default route is now pointed at the vpn. > > and this process in reverse on shutdown... Yes, but all the routing information needed by the client should be provided by the server, in most cases. > > > Are you connecting to a commercial openvpn service? Or, are you setting up your own > openvpn server? > > > afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous > functioning server. > > the consumer version found here, ... > > https://openvpn.net/ > I didn't phrase my question very well. I was asking if you have created your own OpenVPN server and you're trying to use it, or you're connection to a VPN service like NordVPN or Ironsocket or another service provider. I'm connecting to Ironsocket.

i see, well, i want to learn this more advanced networking for the coming cyber war! :) (kidding) seriously, i am a retired sw engineer want to build it from src up so i learn it by experience.

I get the feeling, based on what you've said, your configuring your own OpenVPN server, yes?

yes. openssl is already done, i got a start on opendns, httpd, ffmpeg video transcoding,etc... i have made some progress since beginning this journey.

If that is the case, you may want to show folks your configuration. It seems something may be missing.

i may have to, but gotta due my due diligence first! a lazy mind is a dull mind,... Not kidding. much...

-- Right: I dislike the default color scheme Wrong: What idiot picked the default color scheme _______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

Reply

Mike Wright

8:41 a.m.

On 5/26/19 10:59 PM, Jack Craig wrote:

On Sun, May 26, 2019 at 10:52 PM Ed Greshko <ed.greshko(a)greshko.com <mailto:ed.greshko@greshko.com>> wrote: On 5/27/19 1:38 PM, Jack Craig wrote: > > > On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko(a)greshko.com <mailto:ed.greshko@greshko.com> > <mailto:ed.greshko@greshko.com <mailto:ed.greshko@greshko.com>>> wrote: > > On 5/27/19 12:17 PM, Jack Craig wrote: > > i thought what i read was after nm brings up the vpn, only then is the default > route to > > vpn created. more, its torn down first on shutdown. > > > > i'm thinking along this line, ... > > > > https: <https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default... what should happen is that after each interface comes up via NM a default route > is set to it > so eth0 up, default route to , say, 10.0.0./24 <http://10.0.0./24> <http://10.0.0./24>;, then vpn comes and > default route is now pointed at the vpn. > > and this process in reverse on shutdown...

What I've seen is two additional, more specific, default routes added: 0.0.0.0/1 and 128.0.0.0/1, which cover the entire ipv4 address space. By doing it this way the new routes can be deleted and the original default route remains. This works because a more specific route trumps the less specific route (0.0.0.0). Unfortunately, I can't remember who adds/removes those routes but I suspect it is NM. Good travels on your adventure, :m

Reply

Jack Craig

2:07 p.m.

On Mon, May 27, 2019 at 6:42 AM Mike Wright <nobody(a)nospam.hostisimo.com> wrote:

On 5/26/19 10:59 PM, Jack Craig wrote: > <http://10.0.0./24> <http://10.0.0./24>;, then vpn comes and > > default route is now pointed at the vpn. > > > > and this process in reverse on shutdown... What I've seen is two additional, more specific, default routes added: 0.0.0.0/1 and 128.0.0.0/1, which cover the entire ipv4 address space. By doing it this way the new routes can be deleted and the original default route remains. This works because a more specific route trumps the less specific route (0.0.0.0). Unfortunately, I can't remember who adds/removes those routes but I suspect it is NM.

i think you are right, ... [ws:root:/etc/sysconfig/network-scripts]# grep "ip route add" *

Good travels on your adventure,

Thx! :m

_______________________________________________ users mailing list -- users(a)lists.fedoraproject.org To unsubscribe send an email to users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org

Reply

1794

days inactive

1794

days old

users@lists.fedoraproject.org

Manage subscription

11 comments

3 participants

tags (0)

participants (3)

Ed Greshko
Jack Craig
Mike Wright