| 1 |
Hi Grant, |
| 2 |
|
| 3 |
On Monday, 18 June 2018 03:59:32 BST Grant Taylor wrote: |
| 4 |
> On 06/17/2018 03:05 PM, Mick wrote: |
| 5 |
> > TBH I wouldn't select "Use only for resources on this connection", |
| 6 |
> |
| 7 |
> I thought "Use only for resources on this connection" would enable (what |
| 8 |
> I know as) "split horizon", which is what I thought the OP wanted to do. |
| 9 |
> In other words route company traffic through the VPN and route |
| 10 |
> everything not to the company via the ISP. |
| 11 |
|
| 12 |
I am not overly familiar with networkmanager and the OP has not shared any |
| 13 |
screenshots or tab-by-tab NM settings, but had a look on a Gnome desktop and |
| 14 |
when hovering over the "Use only for resources on this connection" setting in |
| 15 |
the IPv4 Routes tab, it offers this tip: |
| 16 |
|
| 17 |
"If enabled, this connection will never be used as the default network |
| 18 |
connection." |
| 19 |
|
| 20 |
This tip alone hints that enabling it ought to create a split tunnel, for any |
| 21 |
subnets defined within this tab to be routed via the VPN, but everything else |
| 22 |
to be routed via the default route. |
| 23 |
|
| 24 |
When Hilco enabled it he obtained this route table: |
| 25 |
|
| 26 |
$ ip route |
| 27 |
default via 192.168.151.1 dev eth0 proto static metric 100 |
| 28 |
$SOME_COMPANY_IP_1 dev tun0 proto kernel scope link src |
| 29 |
$SOME_COMPANY_IP_1 metric 50 |
| 30 |
127.0.0.0/8 via 127.0.0.1 dev lo |
| 31 |
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric |
| 32 |
100 |
| 33 |
192.168.151.1 dev eth0 proto static scope link metric 100 |
| 34 |
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100 |
| 35 |
|
| 36 |
The above does not offer him a route into the company's LAN and he cannot |
| 37 |
connect to the servers *.i.company.com. |
| 38 |
|
| 39 |
When the above setting is left disabled, then Hilco can access the company |
| 40 |
domain, but not the Internet - a full tunnel. His route table now shows tun0 |
| 41 |
as being the default NIC: |
| 42 |
|
| 43 |
$ ip route |
| 44 |
default dev tun0 proto static scope link metric 50 |
| 45 |
default via 192.168.151.1 dev eth0 proto static metric 100 |
| 46 |
$SOME_COMPANY_IP_2 dev tun0 proto kernel scope link src |
| 47 |
$SOME_COMPANY_IP_2 metric 50 |
| 48 |
127.0.0.0/8 via 127.0.0.1 dev lo |
| 49 |
192.168.151.0/24 dev eth0 proto kernel scope link src 192.168.151.103 metric |
| 50 |
100 |
| 51 |
192.168.151.1 dev eth0 proto static scope link metric 100 |
| 52 |
$VPN_GATEWAY via 192.168.151.1 dev eth0 proto static metric 100 |
| 53 |
|
| 54 |
> > because this creates a full tunnel. |
| 55 |
> |
| 56 |
> What does "full tunnel" mean to you? |
| 57 |
> |
| 58 |
> I would think that it's the same tunnel, just different traffic routed |
| 59 |
> through it. |
| 60 |
|
| 61 |
My understanding of a "split tunnel" or "split horizon" as you call it |
| 62 |
involves two routes: |
| 63 |
|
| 64 |
1. Route for connections via the VPN tunnel: |
| 65 |
|
| 66 |
One route is used to direct datagrams from a local subnet or a virtual VPN IP |
| 67 |
allocated by the remote VPN gateway, e.g. $SOME_COMPANY_IP_1, via the VPN |
| 68 |
tunnel (tun0) to the remote company's LAN. |
| 69 |
|
| 70 |
2. Route for all other connections, outside the VPN tunnel: |
| 71 |
|
| 72 |
A second route is typically the default route of the PC for all other |
| 73 |
connections and it is used to route datagrams outside the VPN tunnel. |
| 74 |
|
| 75 |
Some VPN clients add a new routing policy rule table (e.g. strongswan), but |
| 76 |
others (e.g. racoon) add routes for the VPN tunnel in the main routing policy |
| 77 |
rule table. |
| 78 |
|
| 79 |
|
| 80 |
In contrast, a "full tunnel" directs all outgoing datagrams from any local |
| 81 |
subnet via the VPN. |
| 82 |
|
| 83 |
I appreciate what I describe above is inverse to what the setting "Use only |
| 84 |
for resources on this connection" is meant to do, but I merely go by the route |
| 85 |
tables Hilco has provided. |
| 86 |
|
| 87 |
Hmm ... prompted by your question in this post I had to give it a second |
| 88 |
thought, and I've come up with this hypothesis: |
| 89 |
|
| 90 |
IF no specific subnet routes are defined on the NM routes tab AND the "Use |
| 91 |
only for resources on this connection" is selected, then it may be that |
| 92 |
networkmanager translates no subnet entry to mean 0.0.0.0/0 - ALL routes will |
| 93 |
be tunneled via the VPN, leaving nothing for the default route. |
| 94 |
|
| 95 |
Without more information on NM's specific settings I'm not sure why routing is |
| 96 |
screwed up like this. :-) |
| 97 |
|
| 98 |
Nevertheless, adding a route manually for the remote LAN subnet as per my |
| 99 |
previous post should deliver a 'split tunnel/horizon', assuming the DNS |
| 100 |
nameservers are also somehow sorted out. |
| 101 |
|
| 102 |
-- |
| 103 |
Regards, |
| 104 |
Mick |
Archives