Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

vpn routes with "use this connection only..."

By default, the VPN connection works and all traffic is routed through the tunnel; this sucks for my work because they get tons of traffic that isn't required.

So when I manually set routes with the option "use this connection only for resources on its network", it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

    ip route add 172.16.0.0/16 dev tun0
    ip route add 10.0.0.0/8 dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing: by default, routes are assigned to the VPN's IP; this is from DHCP, so I can't force the gateway to a DHCP address.

(screenshot: GUI)

vpn routes with "use this connection only..."

By default, the VPN connection works and all traffic is routed through the tunnel; this sucks for my work because they get tons of traffic that isn't required.

So when I manually set routes with the option "use this connection only for resources on its network", it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

    ip route add 172.16.0.0/16 dev tun0
    ip route add 10.0.0.0/8 dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing: by default, routes are assigned to the VPN's IP; this is from DHCP, so I can't force the gateway to a DHCP address.

(screenshot: GUI)

When attempting to follow some instructions from this post, I'll note that my gateway does not change when connecting to the VPN:

(screenshot: route after connecting)

(screenshot: route prior to connecting)

So I am not able to determine my route from the connection at all.

I also tried a few things, like using 172.16.16.1 or 172.16.16.254, expecting maybe that the network on the other end is a /24.

I also tried looking at a tracepath from another server at work and trying to trace back to the VPN IP, to see if _it_ hit a specific route; at that point, trying to even start the VPN fails.

(screenshot: tracepath to the VPN IP from elsewhere on the network)

When I use that IP (10.1.1.254) and try to route only 172.16.0.0/16, the VPN connection fails to establish.

Also, I understand the explanation being provided about not using the device, and while it makes sense I don't see a way around using it in this scenario.

vpn routes with "use this connection only..."

By default, the VPN connection works and all traffic is routed through the tunnel; this sucks for my work because they get tons of traffic that isn't required.

So when I manually set routes with the option "use this connection only for resources on its network", it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

    ip route add 172.16.0.0/16 dev tun0
    ip route add 10.0.0.0/8 dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing: by default, routes are assigned to the VPN's IP; this is from DHCP, so I can't force the gateway to a DHCP address.

(screenshot: GUI)

When attempting to follow some instructions from this post, I'll note that my gateway does not change when connecting to the VPN:

(screenshot: route after connecting)

(screenshot: route prior to connecting)

So I am not able to determine my route from the connection at all.

I also tried a few things, like using 172.16.16.1 or 172.16.16.254, expecting maybe that the network on the other end is a /24.

I also tried looking at a tracepath from another server at work and trying to trace back to the VPN IP, to see if _it_ hit a specific route; at that point, trying to even start the VPN fails.

(screenshot: tracepath to the VPN IP from elsewhere on the network)

When I use that IP (10.1.1.254) and try to route only 172.16.0.0/16, the VPN connection fails to establish.

I've also captured the logs when connecting; we can see the VPN connection is providing me a "next-hop" of the DHCP address I'm being handed.

I attempt to set a static route to 10.0.0.0/8 and the connection fails:

keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany")
keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany") after persisting connection
audit: op="connection-update" uuid="<uuid>" name="mycompany" args="ipv4.routes" pid=4372 uid=1000 result="success"
audit: op="connection-activate" uuid="<uuid>" name="mycompany" pid=4372 uid=1000 result="success"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Started the VPN service, PID 5524
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Saw the service appear; activating connection
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN plugin: state changed: starting (3)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (ConnectInteractive) reply received
manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/22)
link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (IP4 Config Get) reply received from old-style plug
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: VPN Gateway: 50.225.201.113
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: Tunnel Device: "tun0"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: IPv4 configuration:
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Address: 172.16.16.199
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Prefix: 32
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Point-to-Point Address: 172.16.16.199
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Maximum Segment Size (MSS): 0
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Static Route: 10.0.0.0/8   Next Hop: 172.16.16.1
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Forbid Default Route: yes
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal DNS: 172.16.1.20
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   DNS Domain: 'mycompany.com mycompany.lan'
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: No IPv6 configuration
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: VPN plugin: state changed: started (4)

platform-linux: do-add-ip4-route[22: 10.0.0.0/8 50]: failure 101 (Network is unreachable)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: VPN connection: did not receive valid IP config information
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN service disappeared

This only happens when I attempt to set any sort of static route against an IP that I expect could be the next hop _after_ my DHCP address on the VPN.

Also, I understand the explanation being provided about not using the device, and while it makes sense I don't see a way around using it in this scenario.

vpn routes with "use this connection only..."

By default, the VPN connection works and all traffic is routed through the tunnel; this sucks for my work because they get tons of traffic that isn't required.

So when I manually set routes with the option "use this connection only for resources on its network", it's fine.

When attempting to set a route based on a device/interface, the GUI doesn't let me. However, if I add the routes manually from the command line, it's fine:

    ip route add 172.16.0.0/16 dev tun0
    ip route add 10.0.0.0/8 dev tun0

I want to script/automate the routes being added without forcing all traffic over the default route.

One last thing: by default, routes are assigned to the VPN's IP; this is from DHCP, so I can't force the gateway to a DHCP address.

(screenshot: GUI)

When attempting to follow some instructions from this post, I'll note that my gateway does not change when connecting to the VPN:

(screenshot: route after connecting)

(screenshot: route prior to connecting)

So I am not able to determine my route from the connection at all.

I also tried a few things, like using 172.16.16.1 or 172.16.16.254, expecting maybe that the network on the other end is a /24.

I also tried looking at a tracepath from another server at work and trying to trace back to the VPN IP, to see if _it_ hit a specific route; at that point, trying to even start the VPN fails.

(screenshot: tracepath to the VPN IP from elsewhere on the network)

When I use that IP (10.1.1.254) and try to route only 172.16.0.0/16, the VPN connection fails to establish.

I've also captured the logs when connecting; we can see the VPN connection is providing me a "next-hop" of the DHCP address I'm being handed.

I attempt to set a static route to 10.0.0.0/8 and the connection fails:

keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany")
keyfile: update /etc/NetworkManager/system-connections/mycompany (<uuid>,"mycompany") after persisting connection
audit: op="connection-update" uuid="<uuid>" name="mycompany" args="ipv4.routes" pid=4372 uid=1000 result="success"
audit: op="connection-activate" uuid="<uuid>" name="mycompany" pid=4372 uid=1000 result="success"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Started the VPN service, PID 5524
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: Saw the service appear; activating connection
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN plugin: state changed: starting (3)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (ConnectInteractive) reply received
manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/22)
link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN connection: (IP4 Config Get) reply received from old-style plug
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: VPN Gateway: 50.225.201.113
<public-ip>
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: Tunnel Device: "tun0"
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: IPv4 configuration:
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Address: 172.16.16.199
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Prefix: 32
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal Point-to-Point Address: 172.16.16.199
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Maximum Segment Size (MSS): 0
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Static Route: 10.0.0.0/8   Next Hop: 172.16.16.1
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Forbid Default Route: yes
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   Internal DNS: 172.16.1.20
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data:   DNS Domain: 'mycompany.com mycompany.lan'
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: Data: No IPv6 configuration
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: VPN plugin: state changed: started (4)

platform-linux: do-add-ip4-route[22: 10.0.0.0/8 50]: failure 101 (Network is unreachable)
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",22:(tun0)]: VPN connection: did not receive valid IP config information
vpn-connection[0x5590ddc342b0,<uuid>,"mycompany",0]: VPN service disappeared

This only happens when I attempt to set any sort of static route against an IP that I expect could be the next hop _after_ my DHCP address on the VPN.

Also, I understand the explanation being provided about not using the device, and while it makes sense I don't see a way around using it in this scenario.
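As an added example (not code from the original post), here is a NetworkManager dispatcher script that adds the two interface-scoped routes from the question whenever the "mycompany" VPN comes up, so the connection can keep "use this connection only for resources on its network" (the `ipv4.never-default` property) and no default route ever goes over the tunnel. The connection name, install path and route list are assumptions taken from the post; `CONNECTION_ID`, `VPN_IP_IFACE` and the `vpn-up` action are what NetworkManager passes to dispatcher scripts.

```shell
#!/bin/sh
# Dispatcher script (runs as root): install as
# /etc/NetworkManager/dispatcher.d/90-vpn-routes, mode 0755.
# One-time setup matching the GUI checkbox from the question:
#   nmcli connection modify mycompany ipv4.never-default yes
# Values below are assumptions from the post; adjust for your connection.

VPN_NAME="mycompany"
ROUTES="172.16.0.0/16 10.0.0.0/8"

# Print the 'ip route' commands for a tunnel device, one per line, without
# running them, so the route list can be reviewed (and tested) before
# anything touches the kernel table. 'replace' is idempotent, unlike 'add'.
route_cmds() {
    dev="$1"
    for net in $ROUTES; do
        # Interface-scoped routes need no gateway, so the DHCP-assigned
        # tunnel address (172.16.16.x in the logs) is never hard-coded.
        printf 'ip route replace %s dev %s\n' "$net" "$dev"
    done
}

# Act only when the named VPN comes up: NetworkManager passes the action
# as $2 and the tunnel device in VPN_IP_IFACE. Restricting to one
# connection id keeps this root-level hook from touching other tunnels.
if [ "${2:-}" = "vpn-up" ] && [ "${CONNECTION_ID:-}" = "$VPN_NAME" ]; then
    route_cmds "${VPN_IP_IFACE:-tun0}" | while IFS= read -r cmd; do
        # Arguments contain no spaces, so plain word-splitting is safe here.
        $cmd || logger -t vpn-routes "failed: $cmd"
    done
fi
```

Run `route_cmds tun0` by hand first to see exactly what the hook will execute; NetworkManager will log any route that fails under the `vpn-routes` tag.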