1 |
Hi Grant, |
2 |
|
3 |
On Monday, 18 June 2018 03:59:32 BST Grant Taylor wrote: |
4 |
> On 06/17/2018 03:05 PM, Mick wrote: |
5 |
> > TBH I wouldn't select "Use only for resources on this connection", |
6 |
> |
7 |
> I thought "Use only for resources on this connection" would enable (what |
8 |
> I know as) "split horizon", which is what I thought the OP wanted to do. |
9 |
> In other words route company traffic through the VPN and route |
10 |
> everything not to the company via the ISP. |
11 |
|
12 |
I am not overly familiar with networkmanager and the OP has not shared any |
13 |
screenshots or tab-by-tab NM settings, but had a look on a Gnome desktop and |
14 |
when hovering over the "Use only for resources on this connection" setting in |
15 |
the IPv4 Routes tab, it offers this tip: |
16 |
|
17 |
"If enabled, this connection will never be used as the default network |
18 |
connection." |
19 |
|
20 |
This tip alone hints that enabling it ought to create a split tunnel, for any |
21 |
subnets defined within this tab to be routed via the VPN, but everything else |
22 |
to be routed via the default route. |
23 |
|
24 |
When Hilco enabled it he obtained this route table: |
25 |
|
26 |
$ ip route |
27 |
default via 192.168.151.1 dev eth0 proto static metric 100 |
28 |
$SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src |
29 |
$SOME_COMPANY_IP_1 metric 50 |
30 |
127.0.0.0/8 via 127.0.0.1 dev lo |
31 |
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric |
32 |
100 |
33 |
192.168.151.1 dev eth0 proto static scope link metric 100 |
34 |
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100 |
35 |
|
36 |
The above does not offer him a route into the company's LAN and he cannot |
37 |
connect to the servers *.i.company.com. |
38 |
|
39 |
When the above setting is left disabled, then Hilco can access the company |
40 |
domain, but not the Internet - a full tunnel. His route table now shows tun0 |
41 |
as being the default NIC: |
42 |
|
43 |
$ ip route |
44 |
default dev tun0 proto static scope link metric 50 |
45 |
default via 192.168.151.1 dev eth0 proto static metric 100 |
46 |
$SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src |
47 |
$SOME_COMPANY_IP_2 metric 50 |
48 |
127.0.0.0/8 via 127.0.0.1 dev lo |
49 |
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric |
50 |
100 |
51 |
192.168.151.1 dev eth0 proto static scope link metric 100 |
52 |
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100 |
53 |
|
54 |
> > because this creates a full tunnel. |
55 |
> |
56 |
> What does "full tunnel" mean to you? |
57 |
> |
58 |
> I would think that it's the same tunnel, just different traffic routed |
59 |
> through it. |
60 |
|
61 |
My understanding of a "split tunnel" or "split horizon" as you call it |
62 |
involves two routes: |
63 |
|
64 |
1. Route for connections via the VPN tunnel: |
65 |
|
66 |
One route is used to direct datagrams from a local subnet or a virtual VPN IP |
67 |
allocated by the remote VPN gateway, e.g. $SOME_COMPANY_IP_1, via the VPN |
68 |
tunnel (tun0) to the remote company's LAN. |
69 |
|
70 |
2. Route for all other connections, outside the VPN tunnel: |
71 |
|
72 |
A second route is typically the default route of the PC for all other |
73 |
connections and it is used to route datagrams outside the VPN tunnel. |
74 |
|
75 |
Some VPN clients add a new routing policy rule table (e.g. strongswan), but |
76 |
others (e.g. racoon) add routes for the VPN tunnel in the main routing policy |
77 |
rule table. |
78 |
|
79 |
|
80 |
In contrast, a "full tunnel" directs all outgoing datagrams from any local |
81 |
subnet via the VPN. |
82 |
|
83 |
I appreciate what I describe above is inverse to what the setting "Use only |
84 |
for resources on this connection" is meant to do, but I merely go by the route |
85 |
tables Hilco has provided. |
86 |
|
87 |
Hmm ... prompted by your question in this post I had to give it a second |
88 |
thought, and I've come up with this hypothesis: |
89 |
|
90 |
IF no specific subnet routes are defined on the NM routes tab AND the "Use |
91 |
only for resources on this connection" is selected, then it may be that |
92 |
networkmanager translates no subnet entry to mean 0.0.0.0/0 - ALL routes will |
93 |
be tunneled via the VPN, leaving nothing for the default route. |
94 |
|
95 |
Without more information on NM's specific settings I'm not sure why routing is |
96 |
screwed up like this. :-) |
97 |
|
98 |
Nevertheless, adding a route manually for the remote LAN subnet as per my |
99 |
previous post should deliver a 'split tunnel/horizon', assuming the DNS |
100 |
nameservers are also somehow sorted out. |
101 |
|
102 |
-- |
103 |
Regards, |
104 |
Mick |