Network Manager OpenVPN nested connections fail to setup routes correctly

Bug #1917887 reported by Riccardo Battistini
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenVPN | Fix Released | Unknown | |
network-manager (Ubuntu) | Triaged | Undecided | Unassigned |
openvpn (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Setup:
Host lan: 192.168.0.238/24
Host Default gw: 192.168.0.1

ip route:
default via 192.168.0.1 dev eno1 proto dhcp metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100

Primary OpenVPN (check "Use this connection only for resources on its network"):
server ip: public a.b.c.d
OpenVPN Tunnel: 192.168.1.0/24
routes pushed: 192.168.100.0/24

First VPN works OK:
default via 192.168.0.1 dev eno1 proto dhcp metric 100
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100
192.168.0.1 dev eno1 proto static scope link metric 100
192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50
a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100

Secondary OpenVPN (check "Use this connection only for resources on its network"):
server ip: private 192.168.100.10
OpenVPN Tunnel: 192.168.20.0/24
routes pushed: 192.168.200.0/24

Second VPN Connect OK, routing table is wrong:
default via 192.168.0.1 dev eno1 proto dhcp metric 100
192.168.200.0/24 via 192.168.20.1 dev tun1
192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100
192.168.0.1 dev eno1 proto static scope link metric 100
192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50
a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100
192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100 <- this is wrong, the openVPN#2 Gateway is not on the local lan

Correct routing table using "sudo /usr/sbin/openvpn /path/to/config.openvpn" (same as Network Manager):

default via 192.168.0.1 dev eno1 proto dhcp metric 100
192.168.200.0/24 via 192.168.20.1 dev tun1
192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100
192.168.0.1 dev eno1 proto static scope link metric 100
192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50
a.b.c.d via 192.168.0.1 dev eno1 proto static metric 100

It seems that Network Manager adds a wrong additional route that is not added by the openvpn binary:

192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: openvpn 2.4.7-1ubuntu2
ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-44-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Fri Mar 5 12:44:39 2021
InstallationDate: Installed on 2021-02-19 (13 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=it_IT.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)
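
A check for the symptom described in this report, as an added example that is not part of the original report or of NetworkManager: it parses `ip route` output and flags host routes through a gateway that override a more specific route on a different device. The function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the elided server address a.b.c.d.

```python
import ipaddress

# Faulty table from the report. 203.0.113.10 is a constructed stand-in for the
# elided public server address a.b.c.d.
FAULTY = """\
default via 192.168.0.1 dev eno1 proto dhcp metric 100
192.168.200.0/24 via 192.168.20.1 dev tun1
192.168.20.0/24 dev tun1 proto kernel scope link src 192.168.20.59
169.254.0.0/16 dev eno1 scope link metric 1000
192.168.0.0/24 dev eno1 proto kernel scope link src 192.168.0.238 metric 100
192.168.0.1 dev eno1 proto static scope link metric 100
192.168.100.0/24 via 192.168.10.1 dev tun0 proto static metric 50
203.0.113.10 via 192.168.0.1 dev eno1 proto static metric 100
192.168.100.10 via 192.168.0.1 dev eno1 proto static metric 100
"""
# Table produced by the plain openvpn binary: identical, minus the last route.
CORRECT = FAULTY.rsplit("\n", 2)[0] + "\n"

def _field(tok, key):
    # Token following a keyword such as "via" or "dev", or None if absent.
    return tok[tok.index(key) + 1] if key in tok[:-1] else None

def parse_routes(text):
    """Parse IPv4 `ip route` lines into dicts; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        except (ValueError, IndexError):
            continue  # blank line, or a route type such as "unreachable ..."
        routes.append({"net": net, "via": _field(tok, "via"),
                       "dev": _field(tok, "dev"), "line": line})
    return routes

def shadowing_host_routes(text):
    """Host routes via a gateway that override a non-default route on another device."""
    routes = parse_routes(text)
    hits = []
    for r in routes:
        if r["net"].prefixlen != 32 or r["via"] is None:
            continue
        covering = [o for o in routes if o is not r and r["net"].subnet_of(o["net"])]
        best = max(covering, key=lambda o: o["net"].prefixlen, default=None)
        if best and best["net"].prefixlen > 0 and best["dev"] != r["dev"]:
            hits.append((str(r["net"].network_address), r["dev"], best["dev"]))
    return hits

if __name__ == "__main__":
    print(shadowing_host_routes(FAULTY))
```

The host route to the public server is not flagged, because only the default route covers it; the route to 192.168.100.10 is flagged, because 192.168.100.0/24 already sends that address through tun0.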

Riccardo Battistini (rickb) wrote :
summary: - Network Manager OpenVPN nested connection fail to setup routes correctly
+ Network Manager OpenVPN nested connections fail to setup routes
+ correctly
Lucas Kanashiro (lucaskanashiro) wrote :

Thank you for taking the time to file a bug report.

From what you described it seems that Network Manager is the one responsible for adding the unexpected routing rule, so this might not affect OpenVPN itself. I quickly tried to reproduce your setup but did not notice the bug there. Could you please share your config files to see if I missed something?

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community

Changed in network-manager (Ubuntu):
status: New → Incomplete
Changed in openvpn (Ubuntu):
status: New → Incomplete
Riccardo Battistini (rickb) wrote :

I agree that this is a problem with Network Manager; maybe it also affects VPNs other than OpenVPN. The same problem is present in CentOS 7 and 8.

Which config do you need?

I tried to draw the network scheme to help in understanding my setup.

Regards
Riccardo

Sergio Durigan Junior (sergiodj) wrote :

Thank you for your reply, Riccardo.

I found the following upstream bug report that looks similar to yours:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/204

Can you confirm that this is the same issue?

Your setup seems a bit complex to configure locally, and given that you said you were able to reproduce this problem on more than one version of CentOS, I am inclined to believe that, if this is indeed an issue, it came from upstream.

Riccardo Battistini (rickb) wrote :

Hi, it seems to be the same problem. I removed the extra routing with the same workaround ip command and the traffic flows correctly.

The upstream bug seems to be ignored; is there a chance it will be fixed?

Regards
Riccardo

Sergio Durigan Junior (sergiodj) wrote :

Unfortunately I don't know. I would recommend commenting on the bug in order to let upstream know that more people are affected by this problem. You can try posting your reproduction instructions there, and provide more information if upstream needs it.

I am marking this bug as Triaged, although I have not reproduced it myself.

Changed in network-manager (Ubuntu):
status: Incomplete → Triaged
Changed in openvpn (Ubuntu):
status: Incomplete → Invalid
Changed in openvpn:
status: Unknown → New
Changed in openvpn:
status: New → Fix Released
Changed in openvpn:
status: Fix Released → New
Changed in openvpn:
status: New → Fix Released
Lucas Kanashiro (lucaskanashiro) wrote :

The following changes were applied upstream to fix this issue in network-manager:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1491/diffs
