[Bug 391849] Re: helper adds route to my inner gateway too late

Dennis van Dok dvandok at gmail.com
Wed Sep 16 01:11:07 UTC 2009


I have a similar or identical problem and did some digging around in the
code. What openvpn does if used stand-alone is add routes according to
what the vpn server tells it. As a safety measure (this is key!) it adds
an explicit routing rule to the openvpn endpoint through the original
gateway (192.168.1.1 in your case) and the original interface (eth1 in
your case) to prevent the big Fail of trying to connect to the vpn
server through its own tunnel. This explicit rule is needed if a general
route, like 213.180.0.0/16 in your case is added for the tunnel.

The way openvpn is used by networkmanager is that a command script
(/usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper) is
used to take care of the routes; openvpn passes the routes it would have
set up through environment variables. The helper packages these and
sends them to networkmanager, which implements them.

Here is a script that could be used as a wrapper in place of the helper
to see the environment variables that are being pushed:

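cd /usr/lib/network-manager-openvpn/
mv nm-openvpn-service-openvpn-helper nm-openvpn-service-openvpn-helper.real
# Quote the heredoc delimiter so $$, $0 and $@ are written literally
# into the wrapper instead of being expanded while it is created.
cat > nm-openvpn-service-openvpn-helper <<'EOF'
#!/bin/sh
# Dump the environment openvpn passes in, then run the real helper.
env > /tmp/vpn.$$.env
exec "$0.real" "$@"
EOF
chmod +x nm-openvpn-service-openvpn-helper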

Start the connection and observe the output in /tmp/vpn.xxx.env.

What is clear is that openvpn suggests to add a route for the original
gateway, like it would have done itself. But the interface to use for
this route is not retained.

When the networkmanager starts to implement the routes, it dutifully
creates a route for the endpoint, but through the tun0 interface,
oblivious of this problem. Some more goes wrong in that instant, and I
don't know what the following lines mean, but another route gets added
for the original gateway, to also go through the tunnel. This
effectively silences the internet.

NetworkManagerSystem.c:134-- (function nm_system_device_set_ip4_route)
	/* Add the route */
	err = rtnl_route_add (nlh, route, 0);
	if (err == -ESRCH && ip4_gateway) {
		/* Gateway might be over a bridge; try adding a route to gateway first */
		struct rtnl_route *route2;

		route2 = create_route (iface_idx, mss);
		if (route2) {
			/* Add route to gateway over bridge */
			rtnl_route_set_dst (route2, gw_addr);
			err = rtnl_route_add (nlh, route2, 0);
			if (!err) {
				/* Try adding the route again */
				err = rtnl_route_add (nlh, route, 0);
				if (err)
					rtnl_route_del (nlh, route2, 0);
			}
			rtnl_route_put (route2);
		}
	}

	if (gw_addr)
		nl_addr_put (gw_addr);


** Attachment added: "sample output of helper environment"
   http://launchpadlibrarian.net/31871488/vpn.8816.env

-- 
helper adds route to my inner gateway too late
https://bugs.launchpad.net/bugs/391849
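
An added example, not part of the original post or of NetworkManager: a POSIX sh check over a dump written by the wrapper above, listing which pushed routes point at the pre-VPN gateway and whether a host route for the VPN endpoint is among them. The variable names are OpenVPN's documented script environment; sample_env and its values are constructed (the endpoint address and 10.8.0.1 are invented), and it is an assumption that the dump carries the endpoint route as a route_network_N entry.

```shell
#!/bin/sh
# Added example: audit a helper environment dump for the endpoint route.
# sample_env is a constructed dump; gateway, prefix and dev follow the post.
sample_env() {
cat <<'EOF'
dev=tun0
trusted_ip=213.180.0.10
route_net_gateway=192.168.1.1
route_vpn_gateway=10.8.0.1
route_network_1=213.180.0.10
route_netmask_1=255.255.255.255
route_gateway_1=192.168.1.1
route_network_2=213.180.0.0
route_netmask_2=255.255.0.0
route_gateway_2=10.8.0.1
EOF
}

# get_var FILE NAME: print the value of NAME from an env dump (empty if unset)
get_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# audit_routes FILE: classify each pushed route; exit status is 0 only if a
# host route to the VPN endpoint via the pre-VPN gateway is present.
audit_routes() {
    endpoint=$(get_var "$1" trusted_ip)
    orig_gw=$(get_var "$1" route_net_gateway)
    tun=$(get_var "$1" dev)
    protected=1; n=1
    while net=$(get_var "$1" "route_network_$n") && [ -n "$net" ]; do
        mask=$(get_var "$1" "route_netmask_$n")
        gw=$(get_var "$1" "route_gateway_$n")
        if [ "$gw" = "$orig_gw" ]; then
            # As the post observes, the dump names the gateway, not the interface.
            echo "$n $net/$mask via $gw: original interface, not $tun"
            if [ "$net" = "$endpoint" ] && [ "$mask" = 255.255.255.255 ]; then
                protected=0
            fi
        else
            echo "$n $net/$mask via $gw: $tun"
        fi
        n=$((n + 1))
    done
    return "$protected"
}

if [ $# -gt 0 ]; then audit_routes "$1"; fi
```

Run it with the path of a dump, for example the /tmp/vpn.xxx.env file the wrapper produced.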