Not working routes with TAP device
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
network-manager-openvpn (Ubuntu) |
Confirmed
|
Low
|
Unassigned |
Bug Description
Binary package hint: network-
I am using gutsy, up to date with updates.
I have been playing with openvpn, and i realized i would like more TAP interface instead of TUN. I want it because it work more like normal device and i can have ipv4 configuration with openvpn config and also ipv6 using external radvd listening on device tap_vpn on server.
There is checkbox for TAP type device, that is good. Problem is, it is not supported enough to work with other options. It cannot pull routes, which is unfortunate, but can be changed manually in dialog. I wanted to route only my private ranges, so i can work at full speed of internet connection and still have connection to home. So i added 192.168.70.0/24 and some more routes to manually specify networks. This option does work pretty well for tun device.
Problem is, tap device acts like ethernet device, not like point-to-point. So you need arp there to locate remote end. And there is problem, because all routes added to route table have not specified gateway ip. For tap device, you cannot simply route it to tap device, you have to specify also gateway ip. And using NM gui, i cannot set that. So i tried to remove specific routes and route all traffic to vpn. Interesting is, it does not work also, because same problem there. Default route has gateway ip 0.0.0.0 with route 0.0.0.0/0 on device tap0. That cannot work and really does not work. So, for tap device, it needs more changes than one checkox for overriding dev tun command. So in fact, TAP device can work only as connection to IP of vpn server, it cannot route to next hops. I think this is what most users want.
It does work well in windows and linux using command line openvpn, because i can fix this on server push configuration. I need add gateway ip to push route commands. But using nm it does not allow any changes even it if does not work at all.
Please dont fix it using switch to tun device. It might be possible, but still it is not the same. Someone may need tap for whatever reason, and it is offered, but not fully functional.
I can confirm this behaviour; I'm a Debian user but have used the Ubuntu source to build network- manager- openvpn.
I'm using OpenVPN with a tap interface to create a bridged configuration; everything works fine when stopping and restarting OpenVPN by hand, but the network-manager plugin treats the TAP device like a point-to-point interface, and ignores options pushed by the server that are designed to set up the appropriate routes.
My server config for this client includes the options
ifconfig-push rose 255.255.255.0
push "redirect-gateway def1"
('rose' resolves to the intended IP, 192.168.113.224)
Here's the routing table I get:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
203.122.249.19 192.168.0.1 255.255.255.255 UGH 0 0 0 wlan1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tap1
But this is what it should be:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
203.122.249.19 192.168.0.1 255.255.255.255 UGH 0 0 0 wlan1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
192.168.254.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
192.168.113.0 0.0.0.0 255.255.255.0 U 0 0 0 tap1
0.0.0.0 192.168.113.106 128.0.0.0 UG 0 0 0 tap1
128.0.0.0 192.168.113.106 128.0.0.0 UG 0 0 0 tap1
In my syslog, I see network- manager- openvpn/ nm-openvpn- service- openvpn- helper tap1 1500 1576 192.168.113.224 255.255.255.0 init
Jul 11 14:03:43 rose nm-openvpn[14790]: TUN/TAP device tap1 opened
Jul 11 14:03:43 rose nm-openvpn[14790]: ifconfig tap1 192.168.113.224 netmask 255.255.255.0 mtu 1500 broadcast 192.168.113.255
Jul 11 14:03:43 rose avahi-daemon[9140]: New relevant interface tap1.IPv4 for mDNS.
Jul 11 14:03:43 rose avahi-daemon[9140]: Joining mDNS multicast group on interface tap1.IPv4 with address 192.168.113.224.
Jul 11 14:03:43 rose avahi-daemon[9140]: Registering new address record for 192.168.113.224 on tap1.
Jul 11 14:03:43 rose nm-openvpn[14790]: /usr/lib/
Jul 11 14:03:43 rose NetworkManager: <information>^IVPN Activation (Huiac) Stage 4 of 4 (IP Config Get) reply received.
Jul 11 14:03:43 rose nm-openvpn[14790]: ERROR: Linux route add command failed: shell command exited with error status: 7
Note that I only see one error, although the directives specified by the server should result in 3 routes being added (rather than the 1 bogus Point-to-pint style default route which I end up with).
This appears to be an upstream bug and there appear to be several duplicates in launchpad, but there doesn't appear to have been any movement on it; I'd be very interested to see it addressed, because it's one of the principal roadblocks which currently prevent us from recommending or offering Ubuntu to our corporate clients for deployment on laptops - they currently use Windows XP with "direct" OpenVPN su...