
vpn routes with "use this connection only..."

asked 2018-03-06 19:36:25 -0500 by jidar, updated 2018-03-09 15:18:19 -0500

By default, the VPN connection works and all traffic is routed through the tunnel. This sucks for my work because they get tons of traffic that isn't required.

So when I manually set routes with the option "use this connection only for resources on its network", it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

ip route add dev tun0

ip route add dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing: by default, routes are assigned to the VPN's IP. This comes from DHCP, so I can't force the gateway to a DHCP address.


When attempting to follow some instructions from this post, I'll note that my gateway does not change when connecting to the VPN:

route after connecting

route prior to connecting

So I am not able to determine my route from the connection at all.

I also tried a few things, like using or expecting that maybe the network on the other end is a /24.

I also tried looking at a tracepath from another server at work, tracing back to the VPN IP to see if it hit a specific route; at that point even trying to start the VPN fails.

tracepath to the VPN IP from elsewhere on the network

When I use that IP and try to route only to it, the VPN connection fails to establish.

I've also captured the logs when connecting; we can see the VPN connection is providing me a "next-hop" of the DHCP address I'm being handed.

I attempt to set a static route to and the connection fails:

keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany")
keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany") after persisting connection
audit: op="connection-update" uuid="<uuid>" name="mycompany" args="ipv4.routes" pid=4372 uid=1000 result="success"
audit: op="connection-activate" uuid="<uuid>" name="mycompany" pid=4372 uid=1000 result="success"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Started the VPN service, PID 5524
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Saw the service appear; activating connection
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN plugin: state changed: starting (3)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (ConnectInteractive) reply received
manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/22)
link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (IP4 Config Get) reply received from old-style plug
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: VPN Gateway: <public-ip>
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: Tunnel Device: "tun0"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: IPv4 configuration:
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Address:
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Prefix: 32
vpn-connection[0x5590ddc342b0 ...

2 Answers


answered 2018-03-09 05:41:28 -0500 by reclusivegeek

You should never use a tun device in your routing configs. If you bring up more than one device, you can't be sure that the kernel will always give you the same tun device for a VPN link. You have to use IP addresses.

Almost all IPsec/OpenVPN etc. servers use DHCP to allocate both random and fixed client IP addresses. Also, most network admins will set the config option to push a default route. Without some detective work you're not going to know what the VPN server is sending or how its networks are configured.

You need to treat this problem not as a VPN issue but as an IP routing issue, and the command netstat -nr is your friend.

Here is an example:

First thing is to do a netstat -nr so you can see the kernel IP routing table before you activate the VPN.

Next I configure the VPN GUI like this:

Now I am going to activate the VPN from the GUI and do another netstat -nr.

So now from netstat we can learn the following about the server and the DHCP settings:

On the second line we see destination, gateway, genmask, device tun0, and we know that the subnet for the DHCP network is and the IP range is to

Next we need to know what the default gateway for this network is, and line five tells us: as I know the network is a remote network, the gateway for this network is

Now we know that the VPN network has the following properties: Network, Broadcast, Default GW

Now, regardless of tun device (tun0, tun1, tun2 etc.), it will always have this IP network, so we can now configure the VPN.

So now the GUI will look like this:

Bring it up and test it.

All should work regardless of the number of VPNs in use or the tun device.

Hope this helps




I absolutely understand what and why you are suggesting I do not use the device. Please see my recent edit for an explanation as to why I see no other options.

jidar (2018-03-09 11:52:27 -0500)

Do you know what VPN server your company is using, and also, do you have a config file, or is all the config pushed by the server when you log in?

reclusivegeek (2018-03-09 14:34:38 -0500)

Also make sure that you have Routes Automatic OFF, as this should stop the destination/gateway/genmask tun0 line from getting added to the kernel table.

reclusivegeek (2018-03-09 14:42:57 -0500)
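The automation asked for in the question, and the "read the VPN's network off its address" detective work from the answer above, as an added example (not code from either poster). It is a NetworkManager dispatcher script of the kind documented in NetworkManager-dispatcher(8): scripts in /etc/NetworkManager/dispatcher.d/ are run as "script <interface> <action>", and on vpn-up NetworkManager exports the tunnel device name in VPN_IP_IFACE and the tunnel address in VPN_IP4_ADDRESS_0 as "address/prefix gateway". The routes are added with "dev <tun>" rather than "via <gateway>", because with the /32 tunnel address shown in the log the gateway is not on-link and "via" is exactly what produces "Nexthop has invalid gateway". The interface name is taken from NetworkManager at activation time, so no tunN and no DHCP-assigned address is hard-coded. The file name and the subnet list are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical file: /etc/NetworkManager/dispatcher.d/50-vpn-split-routes
# Added example, not from the original thread. Installs routes for chosen
# subnets when a VPN comes up, using the tunnel interface NetworkManager
# reports (VPN_IP_IFACE) instead of a hard-coded tun0.

# Office networks to reach through the tunnel. Constructed example values;
# replace with the subnets learned from netstat -nr or from the VPN admins.
VPN_SUBNETS="${VPN_SUBNETS:-10.20.0.0/16 192.168.100.0/24}"

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "network/prefix broadcast" for an address in CIDR notation, i.e. the
# answer's "detective work" (network, broadcast) done from the tunnel address.
cidr_info() {
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "cidr_info: bad prefix in '$1'" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "cidr_info: bad prefix in '$1'" >&2; return 1; }
    n=$(ip2int "$addr")
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( n & mask ))
    bcast=$(( net | (4294967295 - mask) ))
    echo "$(int2ip "$net")/$prefix $(int2ip "$bcast")"
}

# Emit one "ip route replace" line per subnet. Only "dev <iface>" is used as
# the next hop: with a /32 tunnel address the VPN gateway is not on-link, so
# "via <gateway>" fails with "Nexthop has invalid gateway", while "dev" works.
# "replace" keeps the script idempotent if NetworkManager fires twice.
vpn_route_cmds() {
    iface=$1
    for net in $VPN_SUBNETS; do
        echo "ip route replace $net dev $iface"
    done
}

# Run the commands for a vpn-up event. $1 = tunnel interface,
# $2 = VPN_IP4_ADDRESS_0 ("address/prefix gateway"), used only for logging.
apply_vpn_routes() {
    iface=$1
    addr_spec=$2
    if [ -z "$iface" ]; then
        echo "vpn-split-routes: no tunnel interface in environment" >&2
        return 1
    fi
    if [ -n "$addr_spec" ]; then
        tun_addr=${addr_spec%% *}
        echo "vpn-split-routes: $iface has $tun_addr, network/broadcast $(cidr_info "$tun_addr")" >&2
    fi
    vpn_route_cmds "$iface" | while read -r cmd; do
        # Intentional word splitting: each line is a complete command.
        $cmd || echo "vpn-split-routes: failed: $cmd" >&2
    done
}

# Entry point when NetworkManager runs the script: $1 interface, $2 action.
# Nothing happens when run by hand without arguments.
case "${2:-}" in
    vpn-up)   apply_vpn_routes "${VPN_IP_IFACE:-$1}" "${VPN_IP4_ADDRESS_0:-}" ;;
    vpn-down) ;;   # routes bound to the tun device disappear with it
esac
```

Because the routes are tied to the tunnel device, they vanish when the VPN drops; nothing needs to be undone on vpn-down. Keep "use this connection only for resources on its network" ticked (Routes Automatic OFF) so NetworkManager does not also install the pushed default route; this script only adds the subnets listed in VPN_SUBNETS.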

answered 2018-03-08 06:13:04 -0500 by reclusivegeek

Just replace tun0 with the IP address of the server. So if tun0 has an IP address of, say, and a subnet of, it's probable that the gateway address is or

If that does not work, remove the address and untick the "connection only" option and let the VPN connect. Then on a command line type netstat -nr and find the gateway in the kernel IP routing table.

Hope that helps




This just isn't how it (appears to) work. When I uncheck the "connection only" box, the routes that get created are "default dev tun0 proto static scope link metric 50" and " dev tun0 proto kernel scope link src metric 50", but when I try to add a route for the network that tun0 is on, I get an error: "Error: Nexthop has invalid gateway." When I add a route for that specific IP that I get from DHCP, I can route traffic fine. So either I need to use the DHCP IP, or the device.

jidar (2018-03-08 10:49:42 -0500)
