Comment 17 for bug 1608646

Rocus van Oosten (rocus) wrote :

I would like to revive this bug report.

I will describe the problem in detail.

I run an ovpn script from the command line and everything goes well.

The ovpn file:

client
dev tun
remote nl.vpn.******.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
mute-replay-warnings
route 10.0.1.0 255.255.255.0 10.0.2.136
route 10.0.0.0 255.255.255.0 10.0.2.136
route-delay 5
verb 3
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1

I left out certificates because they are irrelevant here.

The route table before the execution of openvpn is:

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.136 0.0.0.0 UG 100 0 0 enp3s0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0

10.0.2.136 is my home router.

After the execution of sudo openvpn <ovpn file> the route table is:

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.17.76.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.2.136 0.0.0.0 UG 100 0 0 enp3s0
10.0.0.0 10.0.2.136 255.255.255.0 UG 0 0 0 enp3s0
10.0.1.0 10.0.2.136 255.255.255.0 UG 0 0 0 enp3s0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0
10.17.76.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.17.76.1 128.0.0.0 UG 0 0 0 tun0
213.152.162.73 10.0.2.136 255.255.255.255 UGH 0 0 0 enp3s0

This looks a bit complicated to me but it is working. Note the two lines for the networks 10.0.1.0/24 and 10.0.0.0/24.
They are needed to divert traffic for those networks to my home router 10.0.2.136.
Traffic for my home network 10.0.2.0/24 stays in the home network.
All other traffic goes to the tun0 device (the vpn provider).

In the Network Manager I imported the ovpn file, and the resulting network manager file /etc/NetworkManager/system-connections/vpnnl is:

id=provider_UDP-443
uuid=88baf716****
type=vpn
autoconnect=false
permissions=

[vpn]
cert-pass-flags=0
cipher=AES-256-CBC
comp-lzo=no-by-default
connection-type=tls
dev=tun
key=***.pem
remote=nl.vpn.provider.org:443
remote-cert-tls=server
ta-dir=1
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto
route1=10.0.1.0/24,10.0.2.136
route2=10.0.0.0/24,10.0.2.136

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

I left out some statements concerning security and privacy. Note the two route statements.
When I make the vpn connection with this connections file I get the error message:
connection failed because VPN service returned invalid configuration.

When I remove the two route statements in the network-manager / edit connections section, the connection is properly made, but of course without the two route statements in the route table:

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.136 0.0.0.0 UG 100 0 0 enp3s0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0
10.0.2.136 0.0.0.0 255.255.255.255 UH 100 0 0 enp3s0
10.27.44.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
213.152.162.148 10.0.2.136 255.255.255.255 UGH 100 0 0 enp3s0

There are more differences that I don't fully understand. I can, of course, add these route statements by hand, but that is not the point. (I can also live for a short moment with an unreachable network.)

When I change the 2 extra route statements (10.0.2.136 changed to 0.0.0.0) in the vpnnl file, the error message disappears, but the two route statements (in the route table) then divert the traffic to tun0 (it should be enp3s0).

If you want to know more please ask.
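An added example (not the reporter's code and not part of NetworkManager or OpenVPN) that turns the comparison done by hand above into a check: it reads the `route` directives out of an OpenVPN client config, renders them as the `routeN=prefix,gateway` lines a NetworkManager keyfile expects, parses `route -n` style output, and verifies that each split route is installed via the expected gateway on the expected interface. `OVPN_CONF` and `ROUTE_TABLE_OK` are constructed from the config and table quoted in the comment; `ROUTE_TABLE_BROKEN` is a constructed approximation of the situation described after the gateway is changed to 0.0.0.0 (routes present, but pointing at tun0). All function names are my own.

```python
"""Added example: verify that OpenVPN split routes landed in the kernel routing
table via the home router on the LAN interface, not through the tunnel.
Sample inputs are constructed from the bug comment; see the comments below."""
import ipaddress
import re

# Constructed: the route directives from the reporter's .ovpn file.
OVPN_CONF = """\
client
dev tun
route 10.0.1.0 255.255.255.0 10.0.2.136
route 10.0.0.0 255.255.255.0 10.0.2.136
route-delay 5
"""

# Constructed from the comment: route table after 'sudo openvpn' from the shell.
# The two /1 routes via tun0 are how OpenVPN overrides the default route
# without deleting the original 0.0.0.0/0 entry.
ROUTE_TABLE_OK = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.17.76.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.2.136 0.0.0.0 UG 100 0 0 enp3s0
10.0.0.0 10.0.2.136 255.255.255.0 UG 0 0 0 enp3s0
10.0.1.0 10.0.2.136 255.255.255.0 UG 0 0 0 enp3s0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0
10.17.76.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
128.0.0.0 10.17.76.1 128.0.0.0 UG 0 0 0 tun0
"""

# Constructed approximation of what the comment describes once the gateway is
# set to 0.0.0.0 in the keyfile: the two routes exist but point at tun0.
ROUTE_TABLE_BROKEN = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.2.136 0.0.0.0 UG 100 0 0 enp3s0
10.0.0.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
10.0.1.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
10.0.2.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0
10.27.44.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ovpn_routes(text):
    """Return [(network, gateway)] for each 'route <net> <mask> <gw>' directive."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "route":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append((net, parts[3]))
    return routes


def to_nm_keyfile_routes(routes):
    """Render routes as NetworkManager keyfile [ipv4] 'routeN=prefix,gateway' lines."""
    return [f"route{i}={net.with_prefixlen},{gw}"
            for i, (net, gw) in enumerate(routes, start=1)]


def parse_route_table(text):
    """Parse 'route -n' style output into a list of route dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not IPV4.match(parts[0]):
            continue  # header or blank line
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        entries.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gw, "flags": flags, "metric": int(metric), "iface": iface,
        })
    return entries


def check_routes(expected, table, iface):
    """Report every expected (network, gateway) that is missing from the table
    or that is installed via a different gateway or interface."""
    problems = []
    for net, gw in expected:
        matches = [e for e in table if e["net"] == net]
        if not matches:
            problems.append(f"{net}: no route installed")
        elif not any(e["gateway"] == gw and e["iface"] == iface for e in matches):
            seen = ", ".join(f"via {e['gateway']} dev {e['iface']}" for e in matches)
            problems.append(f"{net}: expected via {gw} dev {iface}, found {seen}")
    return problems


if __name__ == "__main__":
    routes = parse_ovpn_routes(OVPN_CONF)
    print("\n".join(to_nm_keyfile_routes(routes)))
    for name, table in (("openvpn cli", ROUTE_TABLE_OK),
                        ("keyfile gateway 0.0.0.0", ROUTE_TABLE_BROKEN)):
        problems = check_routes(routes, parse_route_table(table), "enp3s0")
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

On a real machine, feed the output of `route -n` (or the reporter's tables) into `parse_route_table` and the live .ovpn file into `parse_ovpn_routes`; an empty list from `check_routes` means the split routes go where the config says, while a non-empty list shows exactly which prefix is being pulled into the tunnel.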