Gentoo Forums
[S] OpenVPN + NetworkManager: no internet after wifi reset
McLink
Apprentice
Joined: 02 Feb 2008
Posts: 171
Location: /dev/chair

PostPosted: Thu Jul 14, 2016 10:21 am    Post subject: [S] OpenVPN + NetworkManager: no internet after wifi reset

I'm using OpenVPN and NetworkManager on my new laptop, and I want to route my traffic through OpenVPN if possible, so I'm using the redirect-gateway def1 option. However, if the network connection drops for any reason (that's not uncommon on wireless connections), I'm left with broken routes, leaving me with no internet until I manually restart OpenVPN. I would use networkmanager-openvpn, but AFAICT it doesn't support redirect-gateway def1.

OpenVPN client configuration:
Code:
client
dev tap
proto tcp
remote my.vpn.url 1194
resolv-retry infinite
nobind

auth-user-pass

user nobody
group nobody
persist-key
persist-tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

ns-cert-type server

tls-auth /etc/openvpn/ta.key 1

comp-lzo

verb 4

redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4


Correct routing tables with OpenVPN (192.168.3.1 is my local router, 192.168.42.1 is my OpenVPN gateway, xxx.xxx.xxx.xxx is the OpenVPN server's external IP, which I prefer not to post on a public forum ;) ):
Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.42.1    128.0.0.0       UG    0      0        0 tap0
0.0.0.0         192.168.3.1     0.0.0.0         UG    600    0        0 wlan0
xxx.xxx.xxx.xxx  192.168.3.1     255.255.255.255 UGH   0      0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
128.0.0.0       192.168.42.1    128.0.0.0       UG    0      0        0 tap0
192.168.3.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 tap0


Broken routing tables after disconnecting and reconnecting the wifi:
Code:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.42.1    128.0.0.0       UG    0      0        0 tap0
0.0.0.0         192.168.3.1     0.0.0.0         UG    600    0        0 wlan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
128.0.0.0       192.168.42.1    128.0.0.0       UG    0      0        0 tap0
192.168.3.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 tap0


Does anyone have any ideas on how to fix this?
_________________
Mc'abit wrote:
Islam isn't the problem, religion is.


Last edited by McLink on Sat Jul 16, 2016 8:06 pm; edited 1 time in total
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

PostPosted: Thu Jul 14, 2016 7:35 pm

Maybe add that line to your routing table after reconnecting?
Code:
xxx.xxx.xxx.xxx  192.168.3.1     255.255.255.255 UGH   0      0        0 wlan

At the first glance it seems to be the only difference, and it's hardly a surprising one.

You can also use a bridge to separate your routing rules from physical connection.
Have a bridge enslave your wlan0 and configure all routing on the bridge instead. This way the physical connection going down won't remove associated rules (because the bridge is up even if there are no physical interfaces attached to it).

Hint:
Code:
# equery b $(which brctl )
 * Searching for /sbin/brctl ...
net-misc/bridge-utils-1.5 (/sbin/brctl)
# brctl --help
Usage: brctl [commands]
commands:
   addbr        <bridge>      add bridge
   delbr        <bridge>      delete bridge
   addif        <bridge> <device>   add interface to bridge
   delif        <bridge> <device>   delete interface from bridge
   hairpin      <bridge> <port> {on|off}   turn hairpin on/off
   setageing    <bridge> <time>      set ageing time
   setbridgeprio   <bridge> <prio>      set bridge priority
   setfd        <bridge> <time>      set bridge forward delay
   sethello     <bridge> <time>      set hello time
   setmaxage    <bridge> <time>      set max message age
   setpathcost   <bridge> <port> <cost>   set path cost
   setportprio   <bridge> <port> <prio>   set port priority
   show         [ <bridge> ]      show a list of bridges
   showmacs     <bridge>      show a list of mac addrs
   showstp      <bridge>      show bridge stp info
   stp          <bridge> {on|off}   turn stp on/off

McLink
Apprentice
Joined: 02 Feb 2008
Posts: 171
Location: /dev/chair

PostPosted: Thu Jul 14, 2016 11:05 pm

szatox wrote:
Maybe add that line to your routing table after reconnecting?
Code:
xxx.xxx.xxx.xxx  192.168.3.1     255.255.255.255 UGH   0      0        0 wlan

At the first glance it seems to be the only difference, and it's hardly a surprising one.
I've thought about that, but then I'd need to (1) store the IP address somewhere (it's a dynamic IP, hence the need to connect by host name) when OpenVPN connects and (2) execute a script when NetworkManager reconnects to re-add the route. (1) should be easy, albeit kludgy, but I don't know how to do (2).

However, I hadn't considered the possibility of using a bridge. That seems like quite an elegant solution. I'll play around with that a bit. Thanks!

EDIT: meh, looks like bridging a client wireless connection isn't actually possible. :/
McLink
Apprentice
Joined: 02 Feb 2008
Posts: 171
Location: /dev/chair

PostPosted: Fri Jul 15, 2016 12:36 am

Turns out I'm an idiot. I figured it out by comparing my OpenVPN configuration with the one I use on my phone. The problem is the persist-tun line. Removing this (along with the user and group lines because of permission errors) allows the tunnel to reset itself properly.

I'd still like to know if there's a way to execute a script when NM establishes a connection, though: OpenVPN does not reconnect until it figures out that stuff is timing out, so I want to send it a SIGUSR1 whenever NM connects.
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717

PostPosted: Fri Jul 15, 2016 5:27 pm

Quote:
EDIT: meh, looks bridging a client wireless connection isn't actually possible. :/

I dare disagree.
Code:
# brctl show
bridge name   bridge id      STP enabled   interfaces
br0      8000.000000000000   no      
lan0      8000.00e04ceb8d77   no      eth0
                     eth1
                     wlan0
It's handled differently though, in my case it's hostapd that talks to the wifi driver and attaches it. Actually I completely forgot about this little detail.
Either way, I'm glad to see you found a solution to your problem.

Now, I don't use NM myself, but THIS looks like the right question to ask. The top answers I got are:
1) Start shell script on Network Manager successful connection | TechyTalk
2) dbus - Add a hook to run when NetworkManager connects - Super User
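An added example (not from the thread or from either poster) of the hook McLink asked for: a NetworkManager dispatcher script that sends SIGUSR1 to the OpenVPN client when the wireless uplink comes back up. The dispatcher directory and the interface/action arguments are NetworkManager's own convention; the uplink name wlan0, the pid file path (written with OpenVPN's writepid option) and the script file name are assumptions.

```shell
#!/bin/sh
# NetworkManager dispatcher hook (added example): when the wireless uplink comes
# back up, send SIGUSR1 to the OpenVPN client so it rebuilds the tunnel at once
# instead of waiting for its own timeouts.
# Install as /etc/NetworkManager/dispatcher.d/50-openvpn-reconnect, root-owned, mode 0755.
# NetworkManager runs each script there as: <script> <interface> <action>
# Assumptions: uplink is wlan0; OpenVPN is started with "writepid /run/openvpn/client.pid".
UPLINK="${UPLINK:-wlan0}"
PIDFILE="${PIDFILE:-/run/openvpn/client.pid}"
log() {
    # Log to syslog when logger is available; never let logging fail the hook.
    if command -v logger >/dev/null 2>&1; then
        logger -t openvpn-hook "$*" || true
    fi
}
# True only for an "up" of the physical uplink. Events for tap0 itself (and the
# "vpn-up"/"vpn-down" actions) are ignored, otherwise the hook would restart
# OpenVPN in response to its own tunnel coming up.
should_signal() {
    if [ "$1" = "$UPLINK" ] && [ "$2" = "up" ]; then
        return 0
    fi
    return 1
}
# Read the pid from the pid file and send SIGUSR1 (OpenVPN's soft restart;
# persist-tun/persist-key keep the device and keys across it).
# Returns 1 when there is no usable pid file, i.e. no client to signal.
signal_openvpn() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        log "no readable pid file at $pidfile, nothing to signal"
        return 1
    fi
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -USR1 "$pid" || return 1
    log "sent SIGUSR1 to openvpn pid $pid after $UPLINK came up"
}
# Entry point: returns 0 when the event is not ours so NM does not log a failure.
main() {
    if should_signal "$1" "$2"; then
        signal_openvpn "$PIDFILE"
    fi
}
# Only dispatch when invoked by NetworkManager with its two arguments.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```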
McLink
Apprentice
Joined: 02 Feb 2008
Posts: 171
Location: /dev/chair

PostPosted: Sat Jul 16, 2016 8:05 pm

szatox wrote:
Now, I don't use NM myself, but THIS looks like the right question to ask. The top answers I got are:
1) Start shell script on Network Manager successful connection | TechyTalk
2) dbus - Add a hook to run when NetworkManager connects - Super User
Ah, sweet! That appears to do the job. Thanks!