On 06/18/2018 04:30 AM, Mick wrote:
Hi Grant,

Hi Mick,

I am not overly familiar with networkmanager and the OP has not shared any screenshots or tab-by-tab NM settings, but had a look on a Gnome desktop and when hovering over the "Use only for resources on this connection" setting in the IPv4 Routes tab, it offers this tip:

"If enabled, this connection will never be used as the default network connection."

This tip alone hints that enabling it ought to create a split tunnel, for any subnets defined within this tab to be routed via the VPN, but everything else to be routed via the default route.

Agreed.

When Hilco enabled it he obtained this route table:

…

The above does not offer him a route into the company's LAN and he cannot connect to the servers *.i.company.com.

Small nuance that routes don't deal with names and that names must be translated to IPs. But that does require making sure there are routes to the proper name server to do said translation.

When the above setting is left disabled, then Hilco can access the company domain, but not the Internet - a full tunnel. His route table now shows tun0 as being the default NIC:

It seems like you're using "full tunnel" to mean that everything is routed through the tunnel. Save for the VPN tunnel traffic itself.

I figured that's what you meant, but I wanted to ask and be sure.

My understanding of a "split tunnel" or "split horizon" as you call it involves two routes:

1. Route for connections via the VPN tunnel:

One route is used to direct datagrams from a local subnet or a virtual VPN IP allocated by the remote VPN gateway, e.g. $SOME_COMPANY_IP_1, via the VPN tunnel (tun0) to the remote company's LAN.

2. Route for all other connections, outside the VPN tunnel:

A second route is typically the default route of the PC for all other connections and it is used to route datagrams outside the VPN tunnel.

Agreed. Though there may be more routes for additional subnets routed through the VPN. This is what I think Hilco is wanting to do.

Some VPN clients add a new routing policy rule table (e.g. strongswan), but others (e.g. racoon) add routes for the VPN tunnel in the main routing policy rule table.

I was not aware that any VPNs used alternate routing tables and rules to use them. But that does make sense. Programmatically, that may be simpler to maintain and clean up after the VPN is shut down too. I.e. assume that anything in the routing table is for the VPN and safe to remove, along with the single predictable rule referencing said table.

In contrast, a "full tunnel" directs all outgoing datagrams from any local subnet via the VPN.

I agree at a high level. The nuanced nitpicks don't matter at this point.

I appreciate what I describe above is inverse to what the setting "Use only for resources on this connection" is meant to do, but I merely go by the route tables Hilco has provided.

My not-yet-awake brain doesn't see the inverse issue that you're referring to. But I'm used to dealing with VPNs, so maybe something is instinctive for me.

Hmm ... prompted by your question in this post I had to give it a second thought, and I've come up with this hypothesis:

IF no specific subnet routes are defined on the NM routes tab AND the "Use only for resources on this connection" is selected, then it may be that networkmanager translates no subnet entry to mean 0.0.0.0/0 - ALL routes will be tunneled via the VPN, leaving nothing for the default route.

Using a (translated or not) route of "0.0.0.0/0" seems antithetical to "Use only for resources on this connection".

Without more information on NM's specific settings I'm not sure why routing is screwed up like this. :-)

I don't think it is screwed up. Enabling "Use only for resources on this connection" doesn't change the default route. Disabling "Use only for resources on this connection" does change the default route.

It does look like NetworkManager has the concept of additional routes that should be routed through the VPN. However, when hovering over the box that I think you enter them in, "Editing IPv4 routes for VPN connection $NAME", I get a tool tip balloon that says "IP addresses identify your computer on the network. Click the Add button to add an IP address.", which makes one think the dialog box is for entering IP addresses. However, I suspect that's an artifact of how the dialog box is constructed and re-using the same code as for entering IPs. The Address, Netmask, Gateway, and Metric fields do sound like routes. Though I question the wisdom of a static gateway in this case versus the tunnel device.

Nevertheless, adding a route manually for the remote LAN subnet as per my previous post should deliver a 'split tunnel/horizon', assuming the DNS nameservers are also somehow sorted out.

I suspect that the client needs to be directed to use the DNS servers on the corporate LAN and ensure that their IPs / networks are also routed through the LAN.

Or do something creative like run a local DNS server that knows to send queries for company.com to a DNS server through the VPN.



--
Grant. . . .
unix || die
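The thread above compares three routing layouts: a full tunnel (default route moved onto tun0, with only the VPN endpoint itself excepted), a split tunnel (one extra route for the company subnet via tun0, default route unchanged) and the strongSwan-style variant where the VPN routes live in a separate policy routing table. The following Python model, added here as an illustration and not taken from the thread or from NetworkManager, performs the same longest-prefix-match lookup the kernel does and walks policy rules in priority order, falling through to the next rule when a table has no matching route. All addresses are constructed for the example: 192.168.1.0/24 with gateway 192.168.1.1 as the local LAN, 203.0.113.10 as the VPN endpoint, 10.0.0.0/8 as the company LAN and 10.0.0.53 as the company DNS server. Table number 220 is the default strongSwan routing table; the other values are assumptions.

```python
"""Route selection for full tunnel, split tunnel and policy-table VPN layouts (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next-hop gateway; None for a point-to-point tunnel device
    metric: int = 0


def R(prefix, dev, via=None, metric=0):
    """Shorthand for building a Route from a prefix string."""
    return Route(ipaddress.ip_network(prefix), dev, via, metric)


def lookup_table(table, dst):
    """Longest-prefix match within one table; lower metric wins on equal prefix length."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def lookup(rules, tables, dst):
    """Walk (priority, table) rules in priority order, like `ip rule`; a table with no
    matching route falls through to the next rule (this model ignores selectors)."""
    for _prio, table_name in sorted(rules):
        route = lookup_table(tables[table_name], dst)
        if route is not None:
            return route
    return None


def egress_dev(rules, tables, dst):
    """Name of the interface a datagram to `dst` would leave through, or None."""
    route = lookup(rules, tables, dst)
    return route.dev if route else None


# --- constructed addresses (assumptions, not from the thread) ---
VPN_GATEWAY = "203.0.113.10"   # public endpoint the tunnel itself talks to
COMPANY_LAN = "10.0.0.0/8"     # subnet reachable only over the VPN
COMPANY_DNS = "10.0.0.53"      # resolver for *.i.company.com, inside that subnet

# Physical network: LAN subnet plus a default route via the home/office gateway.
LAN_ROUTES = [
    R("192.168.1.0/24", "eth0"),
    R("0.0.0.0/0", "eth0", via="192.168.1.1", metric=100),
]
# Host route so the encrypted tunnel traffic never tries to go through tun0 itself.
ENDPOINT_ROUTE = R(VPN_GATEWAY + "/32", "eth0", via="192.168.1.1")

# Full tunnel: a better-metric default route on tun0 captures everything else.
FULL_TUNNEL = {"main": LAN_ROUTES + [ENDPOINT_ROUTE, R(COMPANY_LAN, "tun0"),
                                     R("0.0.0.0/0", "tun0", metric=50)]}
# Split tunnel: only the company subnet goes via tun0, the default route is untouched
# (equivalent to `ip route add 10.0.0.0/8 dev tun0` after the tunnel comes up).
SPLIT_TUNNEL = {"main": LAN_ROUTES + [ENDPOINT_ROUTE, R(COMPANY_LAN, "tun0")]}
MAIN_ONLY = [(32766, "main")]   # the kernel's default rule for the main table

# Policy-table variant: VPN routes sit in table 220, looked up before main
# (equivalent to `ip route add 10.0.0.0/8 dev tun0 table 220` and
#  `ip rule add lookup 220 priority 220`); tearing the VPN down just flushes table 220.
POLICY_TABLES = {"220": [R(COMPANY_LAN, "tun0")], "main": LAN_ROUTES + [ENDPOINT_ROUTE]}
POLICY_RULES = [(220, "220"), (32766, "main")]


def split_tunnel_check(rules, tables, dns_ip=COMPANY_DNS, internet_ip="8.8.8.8"):
    """Summarise whether the layout behaves as a split tunnel: company DNS must be
    reachable via tun0 (or names will not resolve) while Internet traffic must not be."""
    return {
        "dns_via_vpn": egress_dev(rules, tables, dns_ip) == "tun0",
        "internet_via_vpn": egress_dev(rules, tables, internet_ip) == "tun0",
    }


if __name__ == "__main__":
    for name, rules, tables in [("full", MAIN_ONLY, FULL_TUNNEL),
                                ("split", MAIN_ONLY, SPLIT_TUNNEL),
                                ("policy", POLICY_RULES, POLICY_TABLES)]:
        for dst in ("8.8.8.8", VPN_GATEWAY, COMPANY_DNS):
            print(f"{name:6} {dst:>14} -> {egress_dev(rules, tables, dst)}")
        print(f"{name:6} {split_tunnel_check(rules, tables)}")
```

With the full-tunnel table, 8.8.8.8 leaves via tun0 and only 203.0.113.10 escapes via eth0, which is the "everything except the tunnel traffic itself" behaviour described above; with either split layout, 8.8.8.8 stays on eth0 and 10.0.0.53 goes via tun0, so the company resolver is reachable. Emptying table 220 makes 10.0.0.53 fall through to the main table's default route, which is the fall-through semantics that make the policy-table approach easy to clean up.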
