hi all,
anyone got openvpn doing proper route management with vpn start/stop?
my take appears to suggest NM to be the problem, but short on proof.
anyone? tia, jackc...
On 5/27/19 9:34 AM, Jack Craig wrote:
> anyone got openvpn doing proper route management with vpn start/stop?
> my take appears to suggest NM to be the problem, but short on proof.
I had no problems on F28. Now on F30 with no issues.
You'll need to describe what problem you're having.
so, i have enp420 & tun0. when tun0 comes up, routes are not properly updated for tun0 routing. i think...
default via 10.0.0.1 dev enp4s0 proto dhcp metric 100
10.0.0.0/24 via 10.0.0.1 dev enp4s0 proto static metric 2
10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.101 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.1.0/24 via 10.8.0.2 dev tun0
10.8.2.0/24 via 10.8.0.2 dev tun0
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
looks like maybe some NM policy is broke?
does NM create proper route for your vpn on NM restart?
On Sun, May 26, 2019 at 6:59 PM Ed Greshko ed.greshko@greshko.com wrote:
> On 5/27/19 9:34 AM, Jack Craig wrote:
> > anyone got openvpn doing proper route management with vpn start/stop?
> > my take appears to suggest NM to be the problem, but short on proof.
> I had no problems on F28. Now on F30 with no issues.
> You'll need to describe what problem you're having.
> --
> Right: I dislike the default color scheme
> Wrong: What idiot picked the default color scheme
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
On 5/27/19 10:23 AM, Jack Craig wrote:
> so, i have enp420 & tun0. when tun0 comes up, routes are not properly updated for tun0 routing. i think...
> default via 10.0.0.1 dev enp4s0 proto dhcp metric 100
> 10.0.0.0/24 via 10.0.0.1 dev enp4s0 proto static metric 2
> 10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.101 metric 100
> 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
> 10.8.1.0/24 via 10.8.0.2 dev tun0
> 10.8.2.0/24 via 10.8.0.2 dev tun0
> 192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
> looks like maybe some NM policy is broke?
> does NM create proper route for your vpn on NM restart?
Before the vpn is started...
[egreshko@meimei ~]$ ip -4 route show
default via 192.168.1.1 dev enp2s0 proto static metric 100
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
[root@meimei ~]# tcptraceroute 151.101.129.67
Running: traceroute -T -O info 151.101.129.67
traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets
 1  wifi.greshko.com (192.168.1.1)  0.607 ms  0.546 ms  2.658 ms
 2  211-75-128-254.HINET-IP.hinet.net (211.75.128.254)  6.886 ms  6.919 ms  6.897 ms
 3  tpdt-3308.hinet.net (168.95.211.46)  7.212 ms  6.867 ms  7.150 ms
 4  tpdt-3022.hinet.net (220.128.27.94)  7.819 ms 220-128-1-102.HINET-IP.hinet.net (220.128.1.102)  7.338 ms  7.760 ms
 5  r4103-s2.tp.hinet.net (220.128.2.109)  7.224 ms r4103-s2.tp.hinet.net (220.128.2.13)  7.022 ms  7.020 ms
 6  r4003-s2.tp.hinet.net (220.128.3.249)  7.036 ms  6.781 ms r4003-s2.tp.hinet.net (220.128.3.145)  19.583 ms
 7  211-22-33-77.HINET-IP.hinet.net (211.22.33.77)  39.508 ms  39.141 ms  39.083 ms
 8  HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197)  30.705 ms  31.085 ms  31.056 ms
 9  HundredGE0-5-0-0.br02.hkg12.pccwbtn.net (63.218.174.197)  30.298 ms  30.503 ms  30.797 ms
10  fastly.bundle24.br02.hkg12.pccwbtn.net (63.217.237.106)  30.157 ms  30.205 ms  30.114 ms
11  151.101.129.67 (151.101.129.67) <syn,ack>  38.761 ms  36.893 ms  36.795 ms
After the vpn is started...
[egreshko@meimei ~]$ ip -4 route show
default via 25.0.9.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp2s0 proto static metric 100
25.0.9.0/24 dev tun0 proto kernel scope link src 25.0.9.5 metric 50
173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
192.168.1.1 dev enp2s0 proto static scope link metric 100
[root@meimei ~]# tcptraceroute 151.101.129.67
Running: traceroute -T -O info 151.101.129.67
traceroute to 151.101.129.67 (151.101.129.67), 30 hops max, 60 byte packets
 1  _gateway (25.0.9.1)  208.511 ms  208.499 ms  208.497 ms
 2  * * *
 3  66.55.141.1 (66.55.141.1)  209.053 ms  209.060 ms  209.058 ms
 4  * * *
 5  * vl42-er1-q8.pnj1.choopa.net (108.61.2.90)  416.846 ms *
 6  * * fastly-1.nyiix.net (198.32.160.22)  209.044 ms
 7  151.101.129.67 (151.101.129.67) <syn,ack>  208.678 ms  208.799 ms fastly-1.nyiix.net (198.32.160.22)  209.042 ms
I've not looked at the openVPN protocol in quite some time. However, if your configuration has the IPv4 configuration for the connection set to "Automatic" then isn't the server side responsible for sending routing information to the client?
i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, it's torn down first on shutdown.
i'm thinking along this line, ...
https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default-ro...
On 5/27/19 12:17 PM, Jack Craig wrote:
> i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, it's torn down first on shutdown.
> i'm thinking along this line, ...
> https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default-ro...
I've never used that configuration setting.
Could you show your routes before vpn and after vpn activation?
I find it odd that you don't show routes similar to a default route such as...
default via 25.0.8.1 dev tun0 proto static metric 50
and a specific route to the VPN server like
173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100
Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server?
On Sun, May 26, 2019 at 10:17 PM Ed Greshko ed.greshko@greshko.com wrote:
> On 5/27/19 12:17 PM, Jack Craig wrote:
> > i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, it's torn down first on shutdown.
> > i'm thinking along this line, ...
> > https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default-ro...
> I've never used that configuration setting.
> Could you show your routes before vpn and after vpn activation?
the table didn't change. dorking with it did blow my default route out, so i will resume in the am after rest
> I find it odd that you don't show routes similar to a default route such as...
me too!
> default via 25.0.8.1 dev tun0 proto static metric 50
> and a specific route to the VPN server like
> 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100
i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24, then vpn comes and default route is now pointed at the vpn.
and this process in reverse on shutdown...
> Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server?
afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous functioning server.
the consumer version found here, ...
On 5/27/19 1:38 PM, Jack Craig wrote:
> On Sun, May 26, 2019 at 10:17 PM Ed Greshko <ed.greshko@greshko.com> wrote:
> > On 5/27/19 12:17 PM, Jack Craig wrote:
> > > i thought what i read was after nm brings up the vpn, only then is the default route to vpn created. more, it's torn down first on shutdown.
> > > i'm thinking along this line, ...
> > > https://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default-route/
> > I've never used that configuration setting.
> > Could you show your routes before vpn and after vpn activation?
> the table didn't change. dorking with it did blow my default route out, so i will resume in the am after rest
> > I find it odd that you don't show routes similar to a default route such as...
> me too!
> > default via 25.0.8.1 dev tun0 proto static metric 50
> > and a specific route to the VPN server like
> > 173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100
> i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24, then vpn comes and default route is now pointed at the vpn.
> and this process in reverse on shutdown...
Yes, but all the routing information needed by the client should be provided by the server, in most cases.
> > Are you connecting to a commercial openvpn service? Or, are you setting up your own openvpn server?
> afaik, openvpn is an open source pkg that i built from src code to my goal of anonymous functioning server.
> the consumer version found here, ...
I didn't phrase my question very well.
I was asking if you have created your own OpenVPN server and you're trying to use it, or you're connecting to a VPN service like NordVPN or Ironsocket or another service provider. I'm connecting to Ironsocket.
I get the feeling, based on what you've said, you're configuring your own OpenVPN server, yes?
If that is the case, you may want to show folks your configuration. It seems something may be missing.
starting here in the am, see policy based routing,...
https://docs.fedoraproject.org/en-US/Fedora/24/html/Networking_Guide/index.h...
i think i will find what i crave there...
On Sun, May 26, 2019 at 10:52 PM Ed Greshko ed.greshko@greshko.com wrote:
> I didn't phrase my question very well.
> I was asking if you have created your own OpenVPN server and you're trying to use it, or you're connecting to a VPN service like NordVPN or Ironsocket or another service provider. I'm connecting to Ironsocket.
i see, well, i want to learn this more advanced networking for the coming cyber war! :) (kidding)
seriously, i am a retired sw engineer want to build it from src up so i learn it by experience.
> I get the feeling, based on what you've said, you're configuring your own OpenVPN server, yes?
yes. openssl is already done, i got a start on opendns, httpd, ffmpeg video transcoding, etc... i have made some progress since beginning this journey.
> If that is the case, you may want to show folks your configuration. It seems something may be missing.
i may have to, but gotta do my due diligence first! a lazy mind is a dull mind,... Not kidding. much...
On 5/26/19 10:59 PM, Jack Craig wrote:
> On Sun, May 26, 2019 at 10:52 PM Ed Greshko <ed.greshko@greshko.com> wrote:
> > On 5/27/19 1:38 PM, Jack Craig wrote:
> > > i expect what should happen is that after each interface comes up via NM a default route is set to it so eth0 up, default route to , say, 10.0.0./24, then vpn comes and default route is now pointed at the vpn.
> > > and this process in reverse on shutdown...
What I've seen is two additional, more specific, default routes added: 0.0.0.0/1 and 128.0.0.0/1, which cover the entire ipv4 address space. By doing it this way the new routes can be deleted and the original default route remains. This works because a more specific route trumps the less specific route (0.0.0.0).
Unfortunately, I can't remember who adds/removes those routes but I suspect it is NM.
Good travels on your adventure, :m
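Added example, not part of any message in this thread: a small Python model of the route selection discussed above (longest prefix first, then lowest metric), used to list destinations that would leave the host outside the tunnel. The first two tables are the ones posted in the thread; the HALVES table is constructed to show the 0.0.0.0/1 + 128.0.0.0/1 layout, the function names are illustrative, and only the main routing table is modelled (no policy-routing rules).

```python
import ipaddress

# From the thread: NM-managed client with the VPN up.
ED_VPN_UP = """\
default via 25.0.9.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp2s0 proto static metric 100
25.0.9.0/24 dev tun0 proto kernel scope link src 25.0.9.5 metric 50
173.199.122.227 via 192.168.1.1 dev enp2s0 proto static metric 100
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
192.168.1.1 dev enp2s0 proto static scope link metric 100
"""
# From the thread: the original question's table (tun0 up, no default via it).
JACK = """\
default via 10.0.0.1 dev enp4s0 proto dhcp metric 100
10.0.0.0/24 via 10.0.0.1 dev enp4s0 proto static metric 2
10.0.0.0/24 dev enp4s0 proto kernel scope link src 10.0.0.101 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.1.0/24 via 10.8.0.2 dev tun0
10.8.2.0/24 via 10.8.0.2 dev tun0
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
"""
# Constructed sample: the 0.0.0.0/1 + 128.0.0.0/1 layout on the same client.
HALVES = """\
0.0.0.0/1 via 25.0.9.1 dev tun0
128.0.0.0/1 via 25.0.9.1 dev tun0
default via 192.168.1.1 dev enp2s0 proto static metric 100
25.0.9.0/24 dev tun0 proto kernel scope link src 25.0.9.5
173.199.122.227 via 192.168.1.1 dev enp2s0
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.18 metric 100
"""

def parse_routes(text):
    """Turn `ip -4 route show` lines into (network, dev, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1]
        # A route printed without a metric has metric 0.
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((ipaddress.ip_network(dest), dev, metric))
    return routes

def egress_dev(routes, dst):
    """Longest matching prefix wins; equal prefixes fall back to lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def drop_dev(routes, dev):
    """Simulate the tunnel going down: its routes disappear with the device."""
    return [r for r in routes if r[1] != dev]

def untunneled(routes, dests, tun="tun0"):
    """Destinations that would leave by something other than the tunnel."""
    return [d for d in dests if egress_dev(routes, d) != tun]

if __name__ == "__main__":
    dests = ["151.101.129.67", "66.55.141.1"]  # addresses from the traceroutes
    for name, table in (("VPN up", ED_VPN_UP), ("question", JACK), ("halves", HALVES)):
        print(name, "bypassing tun0:", untunneled(parse_routes(table), dests))
```

Run against the table from the original question, both destinations are reported as bypassing tun0, which matches the missing tunnel default route noted earlier in the thread.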
On Mon, May 27, 2019 at 6:42 AM Mike Wright nobody@nospam.hostisimo.com wrote:
> On 5/26/19 10:59 PM, Jack Craig wrote:
> > then vpn comes and default route is now pointed at the vpn.
> > and this process in reverse on shutdown...
> What I've seen is two additional, more specific, default routes added: 0.0.0.0/1 and 128.0.0.0/1, which cover the entire ipv4 address space. By doing it this way the new routes can be deleted and the original default route remains. This works because a more specific route trumps the less specific route (0.0.0.0).
> Unfortunately, I can't remember who adds/removes those routes but I suspect it is NM.
i think you are right, ...
[ws:root:/etc/sysconfig/network-scripts]# grep "ip route add" *
> Good travels on your adventure,
Thx!
> :m