GUI Not Honoring Default GW Removal

Bug #1643042 reported by Ben
Affects: network-manager-openvpn (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: -

Bug Description

I may be missing something, but I have done as much testing as I can think of and have come up with the following:

OpenVPN Server v2.3.10-1ubuntu2 on Ubuntu Server 16.04.1 LTS 64bit
OpenVPN Client v2.3.10-1ubuntu2 on Ubuntu MATE 16.04 LTS 64bit
network-manager-openvpn-gnome version v1.1.93-1ubuntu1

When running OpenVPN from the CLI, and the server.conf instructs the client to remove the default gateway and replace it with the tun0 adapter, it does as expected. However, using the same client.ovpn file imported into the GUI does not remove the existing default gateway; it simply moves it down the routing order. This can (and does) create a routing leak on secure systems. Detailed info:

192.168.8.1 = local router (dirty router)
10.8.0.1 = vpn server tun adapter (gateway)
10.8.0.5 = laptop tun adapter address
12.34.56.78 = vpn server public internet address

# Connected to the dirty router, no VPN
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.1     0.0.0.0         UG    600    0        0 wlp2s0
192.168.8.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp2s0

# Connected to the OpenVPN using command line version 2.3.10-1ubuntu2
# sudo openvpn --config /path/to/client.ovpn
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   0      0        0 wlp2s0

# Connected to the OpenVPN using network-manager-openvpn-gnome version 1.1.93-1ubuntu1
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.8.1     0.0.0.0         UG    600    0        0 wlp2s0   <== this entry is creating a routing leak
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
12.34.56.78     192.168.8.1     255.255.255.255 UGH   600    0        0 wlp2s0

Here is the relevant section of the server.conf:
push "redirect-gateway bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

Note that the above does not include the 'def1' option in the push redirect-gateway command, so the client is supposed to delete any existing default gateways and install only the VPN default gateway. This is the only way to be sure that 1) all traffic goes over the VPN, and 2) when the client disconnects, the internet connection is severed and it's much less likely that you accidentally lose your VPN and continue transmitting unencrypted.
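As an added illustration (not part of the report, nor of OpenVPN or NetworkManager), the check below parses `route -n` style output and flags exactly the condition described: a second 0.0.0.0/0 route on a non-VPN interface while the VPN's default route is up. It goes slightly beyond the report by also recognising the 'def1' layout (0.0.0.0/1 and 128.0.0.0/1 via the tunnel), where a leftover default route is shadowed rather than leaking; the two sample tables are constructed from the report's own output, and the interface name tun0 is assumed.

```python
from typing import Dict, List

# Constructed samples copied from the report's `route -n` output: the CLI client
# (single default route via tun0) and the GUI client (old default via wlp2s0 kept).
ROUTE_TABLE_CLI = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
12.34.56.78 192.168.8.1 255.255.255.255 UGH 0 0 0 wlp2s0
"""
ROUTE_TABLE_GUI = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.5 0.0.0.0 UG 50 0 0 tun0
0.0.0.0 192.168.8.1 0.0.0.0 UG 600 0 0 wlp2s0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 50 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
12.34.56.78 192.168.8.1 255.255.255.255 UGH 600 0 0 wlp2s0
"""

Route = Dict[str, str]

def parse_routes(text: str) -> List[Route]:
    """Parse `route -n` style output into one dict per route, keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    while lines and not lines[0].startswith("Destination"):
        lines.pop(0)  # drop the "Kernel IP routing table" banner, if present
    header = lines[0].split()
    # Cut each row to the header width so trailing notes ("<== leak") are ignored.
    return [dict(zip(header, ln.split()[:len(header)])) for ln in lines[1:]]

def covered_by_def1(routes: List[Route], vpn_iface: str) -> bool:
    """True when the def1 pair (0.0.0.0/1 and 128.0.0.0/1 via the VPN) is present;
    those two more-specific routes shadow any remaining 0.0.0.0/0 entry."""
    halves = {r["Destination"] for r in routes
              if r["Genmask"] == "128.0.0.0" and r["Iface"] == vpn_iface}
    return {"0.0.0.0", "128.0.0.0"} <= halves

def leaking_default_routes(routes: List[Route], vpn_iface: str = "tun0") -> List[Route]:
    """Return 0.0.0.0/0 routes that bypass the VPN while the VPN's own default
    route is installed. With plain 'redirect-gateway' the client should have
    deleted the original default, so anything returned here is a routing leak."""
    defaults = [r for r in routes
                if r["Destination"] == "0.0.0.0" and r["Genmask"] == "0.0.0.0"]
    if covered_by_def1(routes, vpn_iface):
        return []  # def1 style: the leftover default is shadowed, not leaking
    if not any(r["Iface"] == vpn_iface for r in defaults):
        return []  # no VPN default route at all: nothing was redirected
    return [r for r in defaults if r["Iface"] != vpn_iface]
```

Feeding it the live output of `route -n` after connecting through the GUI reproduces the report: the wlp2s0 default route is returned as a leak, while the CLI table yields nothing.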
