Bug 1417169
| Field | Value |
|---|---|
| Summary | NetworkManager OpenVPN pushed routes are ignored |
| Product | [Fedora] Fedora |
| Component | NetworkManager-openvpn |
| Version | 25 |
| Status | CLOSED EOL |
| Severity | unspecified |
| Priority | unspecified |
| Keywords | Reopened |
| Hardware | Unspecified |
| OS | Linux |
| Type | Bug |
| Reporter | Giovanni Tirloni <giovanni.tirloni> |
| Assignee | Lubomir Rintel <lkundrak> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | airey.andy, bgalvani, chewi, choeger, dcbw, dptec, ekanter, giovanni.tirloni, huzaifas, lkundrak, rs, steve, thaller, wpoely86 |
| Last Closed | 2017-12-12 10:39:30 UTC |

Description
Giovanni Tirloni
2017-01-27 12:06:43 UTC
I can't reproduce the problem with

openvpn-2.3.14-1.fc25.x86_64
NetworkManager-openvpn-1.2.6-1.fc25.x86_64
NetworkManager-1.4.4-3.fc25.x86_64

Can you please run 'nmcli general logging trace' as root, activate the VPN and attach logs from 'journalctl -u NetworkManager -e -b'? Thanks!

I cannot reproduce it anymore. Before opening this BZ, I rebooted the machine a couple of times and did the whole "wifi off; wifi on; vpn on; vpn off;" process a couple of times, and it always ignored the pushed routes. I looked at the DNF logs and I don't see anything particularly relevant to NetworkManager or OpenVPN.

Thanks for trying to reproduce this issue. I believe this BZ can be closed.

(In reply to Giovanni Tirloni from comment #2)
> Thanks for trying to reproduce this issue. I believe this BZ can be closed.

Ok, thanks.

I was able to rebuild the environment and reproduce the issue.

The issue happens when the OpenVPN server is configured to advertise a certain network as being local (10.10.10.10/24) and the pushed routes are for IPs within that range (10.10.10.{59,60,61,61}).

It seems these errors are relevant:

Feb 11 20:32:47 main NetworkManager[1101]: <debug> [1486852367.9674] platform: route: adding or updating IPv4 route: 10.10.10.59/32 via 192.168.0.1 dev 14 metric 50 mss 0 src vpn
Feb 11 20:32:47 main NetworkManager[1101]: <debug> [1486852367.9674] platform-linux: netlink: recvmsg: error message from kernel: Network is unreachable (101) for request 263
Feb 11 20:32:47 main NetworkManager[1101]: <error> [1486852367.9674] platform-linux: do-add-ip4-route[14: 10.10.10.59/32 50]: failure 101 (Network is unreachable)

Please see the attached files for more details.

Created attachment 1249407 [details]
openvpn manual - pushed routes work
Created attachment 1249408 [details]
nm openvpn - pushed routes error
Created attachment 1249409 [details]
nm openvpn - pushed routes error - tracing enabled
Created attachment 1249410 [details]
pfsense openvpn server configuration
Created attachment 1249423 [details]
openvpn manual - verbose output
The reasoning behind these pushed routes is that, for certain IPs, we don't want their traffic to go through the VPN but continue to go through the public Internet (because they are VoIP/SIP servers). There is one pushed route for the VPN server itself to avoid a loop once the VPN is established.

It seems running OpenVPN manually, the correct `ip route add` commands are executed.

I see the problem now:

push "route 10.10.10.10 255.255.255.255 net_gateway"

NM-openvpn at the moment does not support special route keywords such as 'vpn_gateway', 'net_gateway' or 'remote_host'.

Not sure if related or relevant, before opening a new one wanted to ask about https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1603600

Upstream bug for this feature (https://bugzilla.gnome.org/show_bug.cgi?id=758702).

> Feb 11 20:27:57 main NetworkManager[1101]: <info> [1486852077.4032] vpn-connection[0x561d9082f740,2c6bd6fb-0ebd-44eb-a26e-4a42bda705f6,"EXAMPLE",13:(tun0)]: Data: Static Route: 10.10.10.62/32 Next Hop: 192.168.0.1

It seems that openvpn calls the helper script with the special "net_gateway" already resolved. Instead, the helper would need to know that this is "net_gateway".

This problem is also present on my version:

Version-Release number of selected component (if applicable):
openvpn-2.4.3-1.fc25.x86_64
NetworkManager-openvpn-1.2.8-2.fc25.x86_64
NetworkManager-openvpn-gnome-1.2.8-2.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure an OpenVPN connection in NetworkManager (to a server that pushes routes)
2. Verify that the routing table does not have the routes

Actual results:
Pushed routes are not added

Expected results:
Pushed routes are added

Running openvpn manually all is correct.

This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

This is still an issue in Fedora 33:

Apr 28 18:41:04 host nm-openvpn[2069577]: [myvpn] Peer Connection Initiated with [AF_INET6]2001:XXX
Apr 28 18:41:05 host nm-openvpn[2069577]: OpenVPN ROUTE: remote_host undefined
Apr 28 18:41:05 host nm-openvpn[2069577]: OpenVPN ROUTE: failed to parse/resolve route for host/network: remote_host

# rpm -qa|grep openvpn
NetworkManager-openvpn-1.8.12-1.fc33.1.x86_64
plasma-nm-openvpn-5.20.5-1.fc33.x86_64
openvpn-2.4.10-1.fc33.x86_64
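
The symptom in this report is silent unless trace logging is on: the VPN comes up, but the split-tunnel exceptions never reach the routing table. The following is an added example, not part of the bug thread or of NetworkManager: it correlates the two NetworkManager trace lines quoted above to list VPN-sourced routes the kernel rejected. The function name and the first sample line are assumptions made for illustration.

```python
import re

# Patterns follow the NetworkManager trace-level lines quoted in this report.
ADD_RE = re.compile(
    r"platform: route: adding or updating IPv4 route: (?P<dest>\S+) "
    r"via (?P<gw>\S+) dev (?P<dev>\d+) metric (?P<metric>\d+).* src (?P<src>\S+)"
)
FAIL_RE = re.compile(
    r"do-add-ip4-route\[(?P<dev>\d+): (?P<dest>\S+) (?P<metric>\d+)\]: "
    r"failure (?P<errno>\d+) \((?P<reason>[^)]*)\)"
)

def failed_vpn_routes(lines):
    """Return VPN-sourced IPv4 routes whose kernel add request failed."""
    pending = {}  # (ifindex, dest, metric) -> gateway, only for 'src vpn' routes
    failed = []
    for line in lines:
        add = ADD_RE.search(line)
        if add:
            if add["src"] == "vpn":
                pending[(add["dev"], add["dest"], add["metric"])] = add["gw"]
            continue
        fail = FAIL_RE.search(line)
        if fail:
            key = (fail["dev"], fail["dest"], fail["metric"])
            if key in pending:  # ignore failures for routes not pushed by the VPN
                failed.append({
                    "dest": fail["dest"],
                    "gateway": pending.pop(key),
                    "ifindex": int(fail["dev"]),
                    "errno": int(fail["errno"]),
                    "reason": fail["reason"],
                })
    return failed

SAMPLE_LOG = [
    # Constructed line: a VPN route with no later failure, so it is not reported.
    "Feb 11 20:32:47 main NetworkManager[1101]: <debug> [1486852367.9670] platform: route: adding or updating IPv4 route: 10.8.0.0/24 via 10.8.0.1 dev 14 metric 50 mss 0 src vpn",
    # The three lines below are the ones quoted in the report.
    "Feb 11 20:32:47 main NetworkManager[1101]: <debug> [1486852367.9674] platform: route: adding or updating IPv4 route: 10.10.10.59/32 via 192.168.0.1 dev 14 metric 50 mss 0 src vpn",
    "Feb 11 20:32:47 main NetworkManager[1101]: <debug> [1486852367.9674] platform-linux: netlink: recvmsg: error message from kernel: Network is unreachable (101) for request 263",
    "Feb 11 20:32:47 main NetworkManager[1101]: <error> [1486852367.9674] platform-linux: do-add-ip4-route[14: 10.10.10.59/32 50]: failure 101 (Network is unreachable)",
]

if __name__ == "__main__":
    for r in failed_vpn_routes(SAMPLE_LOG):
        print(f"{r['dest']} via {r['gateway']} (ifindex {r['ifindex']}): {r['reason']}")
```

On a live system the input would be the output of 'journalctl -u NetworkManager -b' after 'nmcli general logging trace', as requested earlier in the thread.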