NetworkManager ignores pushed openvpn routes

Bug #1603600 reported by Allen McIntosh
This bug affects 35 people
Affects: network-manager-openvpn (Ubuntu)
Status: Confirmed
Importance: High
Assigned to: Unassigned

Bug Description

Relevant information that may or may not have been included by ubuntu-bug:

Ubuntu release 16.04
Package network-manager 1.2.0-0ubuntu0.16.04.2
Package network-manager-openvpn 1.1.93-1ubuntu1

NetworkManager ignores pushed openvpn routes when "Use this connection only for resources on its network" is checked. This is a behavior change since 14.04.

To repeat:

1) Use an OpenVpn server that pushes routes. I suggest using a server that pushes several routes since this makes their absence obvious. Set up a NetworkManager VPN of type OpenVpn to this server. Select "Use this connection only for resources on its network" in the "Routes" section of the IPV4 options.

2) Set up a raw OpenVpn connection to the same server.

3) Connect to the server using the raw OpenVpn connection. The pushed routes are all there.

4) Connect to the server using NetworkManager. The only route added is an interface-level route to the tunnel device network.

Using the same setup on 14.04, all pushed routes are added.

The missing routes are also "Resources on the VPN network", and should be added in the absence of further direction. Ignoring pushed routes should be controlled by the "Ignore automatically obtained routes" checkbox.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: network-manager-openvpn 1.1.93-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-31.50-generic 4.4.13
Uname: Linux 4.4.0-31-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: GNOME-Flashback:Unity
Date: Fri Jul 15 23:12:55 2016
InstallationDate: Installed on 2016-05-04 (72 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: network-manager-openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

Allen McIntosh (aamcintosh) wrote :

I'm going to have to tag my own bug report as "cannot duplicate". The problem went away just now after a couple of reboots. I have no idea why - I don't think I changed anything.

It doesn't look like I can easily mark this appropriately. Can someone else do it if I don't succeed?

Thanks, and sorry to bother.

Changed in network-manager-openvpn (Ubuntu):
status: New → Invalid
Maximilian Federle (ppd) wrote :

I can confirm this bug.

network-manager 1.2.2-0ubuntu0.16.04.3
network-manager-openvpn 1.1.93-1ubuntu1

The pushed routes are totally lacking, as are the DNS servers if one doesn't use the VPN as the default gateway for all traffic (i.e. by activating "Use this connection only for resources on its network").

Sadly, this means it's quite unusable except for the most trivial applications.

Changed in network-manager-openvpn (Ubuntu):
status: Invalid → Confirmed
Maximilian Federle (ppd) wrote :

After some digging around I found that installing the new upstream releases of both network-manager (1.4.2) and network-manager-openvpn (1.2.6) fixed this problem.

Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → High
Dan Mick (dmick-m) wrote :

Any chance of getting a backport to xenial? This is a severe issue for those with OpenVPNs.

Michal Hlavac (hlavki) wrote :

I tested this behaviour and discovered this:

Routes are pushed correctly with the "Use this connection only for resources on its network" setting when there is only one client from the same network connected to the openvpn server. If there is more than one client connected from the same network (router), it doesn't work.

Dan Mick (dmick-m) wrote :

hlavki, I can't imagine that the misbehaving client is even aware of other clients on the same network segment. Surely this is coincidental.

Ben (lip-reader-2) wrote :

Hi,
I am also affected by this bug. Any chance to ask maintainers to upgrade both packages?

https://wiki.gnome.org/Projects/NetworkManager
https://git.gnome.org/browse/network-manager-openvpn

Parasit (parasit-go2) wrote :

Hello,
I am also affected.
Ubuntu 16.04
network-manager-openvpn-gnome 1.1.93-1ubuntu1.1

The same config file used from bash works fine; in the GUI it ignores most of the pushed routes.
There are lots of logs like:
Apr 26 20:54:21 dell NetworkManager[1170]: <info> [1493232861.9544] vpn-connection[blabla,"vpn",20:(tun0)]: Data: Static Route: 10.42.0.0/16 Next Hop: 10.8.0.4
9
But in the end the routing table is not changed.

Adam Donnison (ajdonnison) wrote :

I am also affected, although this was working when using OpenVPN over the default port 1194 on UDP. I had to regenerate keys and in the process decided to move to port 443 TCP to better handle firewalls, and after this could see the "Data: Static Route:" information in the log, but no route was added.

Adam Donnison (ajdonnison) wrote :

Update on the above - after a reboot the routes were correctly added. So it seems that changing the config can upset the ability to create routes until a reboot.

Parasit (parasit-go2) wrote :

Same problem with newest stable version:

network-manager-openvpn/now 1.2.6-2ubuntu1 amd64
network-manager-openvpn-gnome/now 1.2.6-2ubuntu1 amd64

In the logs I see many routes, but only one or two (??!!) of them are really added to the routing table.

P.S. Guys... this very annoying bug will have its birthday in the next few days...

Matthew Darwin (bugs-mdarwin) wrote :

Issue is reproducible for me on Ubuntu (Kubuntu) 17.04:

network-manager-openvpn 1.2.6-2ubuntu1
openvpn 2.4.0-4ubuntu1.3

Miika Vesti (mve1) wrote :

Temporary workaround that can be used instead of reboot:
 $ sudo systemctl restart NetworkManager

This works for me. After restarting NetworkManager all pushed routes are correctly set.

Marco Witte (uiuntcone) wrote :

As parasit-go2 said:
Within the CLI, it works:
$ sudo openvpn --config file.ovpn
verify connection and check "ps" of openvpn
now disconnect.

Now start via gui.
Verify connection and check "ps" of openvpn
See the differences?

Dan Mick (dmick-m) wrote :

This is *still* happening in Artful, nm 1.8.4-1ubuntu3, nm-openvpn 1.2.10-0ubuntu2. Seriously, this needs to be fixed. How do I get someone's attention? I have tried and cannot follow the path of the code through the dbus amazingness.

Andrey Arapov (andrey-arapov) wrote :

The same issue :-/

Ubuntu 16.04.4 LTS

network-manager-openvpn 1.1.93-1ubuntu1.1
network-manager-openvpn-gnome 1.1.93-1ubuntu1.1

I am usually setting:
VPN connection settings -> IPv4 Settings -> Routes... -> [x] Use this connection only for resources on its network.

So that my default GW is not changed as I need only the VPN routes.
Except that with this bug, the VPN routes are not really applied on my system.

When running openvpn on its own, everything is working.

WalterNicholls (walter-nic) wrote :

Confirmed, just setting up new Xubuntu virtual machine 17.10 - after all updates.
Architecture: amd64
network-manager-openvpn and network-manager-openvpn-gnome both Version: 1.2.10-0ubuntu2

I originally started with a config downloaded from pfSense. As usual, openvpn from command line is flawless.
After reboot was able to connect with NM getting

Seriously, while nearly 2 years old is nothing for an open-source bug, this is one of a whole set of bugs in the Gnome openVPN plugin. I've never had these troubles with KDE. The plugin could do with some love.

Roman (zhukov.roman) wrote :

$ sudo systemctl restart NetworkManager
also fixed pushed routes from server. Thanks author of comment #14

Torsten Bronger (bronger) wrote :

[Re-posted because I accidentally clicked on “Post Comment”. Sorry for that.]

Confirmed with Ubuntu 19.04. An

   push "route 134.94.0.0 255.255.0.0 net_gateway"

is ignored. The pushed route is mentioned in the NetworkManager log:

    NetworkManager[893]: <info> […] Data: Static Route: 134.94.0.0/16 Next Hop: 134.94.16.1

(The gateway is even correct.) However, no route is actually added. Interestingly enough, a

    push "route 134.94.0.0 255.255.0.0 vpn_gateway"

*is* added to the routes. I suspect the device is wrong, because a manual

    # route add -net 134.94.0.0/16 gw 134.94.16.1 dev tun0
    SIOCADDRT: Network is unreachable

fails obviously. Instead of “tun0”, it must be the normal net device for which the gateway is valid. Possibly, NetworkManager tries to add the route to “tun0” always, which would be wrong.

Is there an upstream bug report?
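
An added example (not from the thread or from NetworkManager) of the check the comments above do by hand: it parses the `Data: Static Route:` log lines, compares them with `ip route show` output, and reports which device can actually reach each next hop. The sample log lines and routing table are constructed, and `eth0` and the host addresses are assumptions.

```python
import ipaddress
import re

# Constructed log lines in the format quoted in the thread.
SAMPLE_LOG = """\
NetworkManager[893]: <info> [...] Data: Static Route: 134.94.0.0/16 Next Hop: 134.94.16.1
NetworkManager[893]: <info> [...] Data: Static Route: 10.42.0.0/16 Next Hop: 10.8.0.4
"""
# Constructed `ip route show` output; eth0 and all host addresses are assumptions.
SAMPLE_ROUTES = """\
default via 134.94.16.1 dev eth0 proto dhcp metric 100
134.94.16.0/20 dev eth0 proto kernel scope link src 134.94.17.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.42.0.0/16 via 10.8.0.4 dev tun0 proto static metric 50
"""
ROUTE_RE = re.compile(r"Static Route:\s*(\S+)\s+Next Hop:\s*(\S+)")

def pushed_routes(log_text):
    """Return (network, next_hop) pairs that NetworkManager logged as pushed."""
    return [(ipaddress.ip_network(net, strict=False), ipaddress.ip_address(hop))
            for net, hop in ROUTE_RE.findall(log_text)]

def _opt(tokens, key):
    """Value following `key` in an `ip route` line, or None if absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else None

def parse_ip_route(text):
    """Return ({network: dev} for all routes, [(network, dev)] for on-link ones)."""
    installed, on_link = {}, []
    for line in text.splitlines():
        tokens = line.split()
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except (IndexError, ValueError):
            continue  # blank line, "default", "unreachable ..." and similar
        installed[net] = _opt(tokens, "dev")
        if "via" not in tokens:
            on_link.append((net, _opt(tokens, "dev")))
    return installed, on_link

def audit(log_text, route_text):
    """List (prefix, next_hop, status, device that can reach the next hop)."""
    installed, on_link = parse_ip_route(route_text)
    report = []
    for net, hop in pushed_routes(log_text):
        hop_dev = next((dev for link, dev in on_link if hop in link), None)
        status = "installed" if net in installed else "missing"
        report.append((str(net), str(hop), status, hop_dev))
    return report
```

On a live system, pass the text of `journalctl -u NetworkManager` and `ip route show` to `audit()`; a `missing` row whose next hop is reachable on a non-tunnel device matches the `net_gateway` case described above.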
