OpenVPN / openvpn3-linux

OpenVPN 3 Linux client
GNU Affero General Public License v3.0

How to make openvpn3-linux client work with network manager? #46

Open adityaguru149 opened 3 years ago

adityaguru149 commented 3 years ago

When I connect the VPN using openvpn3 session-start --config client.ovpn I am able to connect to the internet along with the VPN local IPs, but when I connect using network-manager, I am able to connect to the VPN local IPs but not able to connect to the internet. I have the update-systemd-resolve setup and I am able to resolve DNS while connected to VPN to get that out of the way.

network-manager

aguru@pc:~$ resolvectl query github.com
github.com: 192.30.255.113                     -- link: tun0

-- Information acquired via protocol DNS in 1.1ms.
-- Data is authenticated: no

openvpn3 uses my wifi for all internet and tun0 only for certain IPs?

aguru@pc:~$ resolvectl query github.com
github.com: 13.234.210.38                      -- link: wlp0s20f3

-- Information acquired via protocol DNS in 97.6ms.
-- Data is authenticated: no

The only difference that I could note was the link.

System:

aguru@pc:~$ uname -a
Linux pc 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
aguru@pc:~$ 
aguru@pc:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:    20.04
Codename:   focal
aguru@pc:~$ 
aguru@pc:~$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
aguru@pc:~$ 
aguru@pc:~$ openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
aguru@pc:~$ 
aguru@pc:~$ nmcli --version
nmcli tool, version 1.22.10

I have 2 openvpn versions (as mentioned in the output above) - any probable conflicts?

From what I can understand nmcli is not able to correctly set up routes that are pushed by VPN server? Is there some way to correctly set up network-manager?

dsommers commented 3 years ago

A few details need to be clarified here.

OpenVPN 3 Linux does currently not have a direct integration with NetworkManager. We have just barely started discussing how that would be accomplished. The only interfaces we currently provide for OpenVPN 3 Linux are through the openvpn3, openvpn3-autoload and openvpn2 commands.

OpenVPN 3 Linux DOES integrate with systemd-resolved, but it currently needs to be activated manually. As of the next v14_beta release, it will be activated by default on recent enough Linux distributions which are known to ship with systemd-resolved enabled out-of-the-box. OpenVPN 3 Linux also provides a complete VPN config and session management which also accounts for proper privilege separation, so unprivileged users can start their own VPN sessions.

The openvpn command is from the classic OpenVPN 2.x version, which does have NetworkManager integration through the networkmanager-openvpn plug-in and NetworkManager must be used if unprivileged users should start and manage their VPN sessions. With OpenVPN 2.x unprivileged end-users must use NetworkManager for config and session management. Individual configuration files can be handled outside of NetworkManager if the user can start the openvpn with root privileges and via the openvpn-client@.service and openvpn-server@.service systemd unit files, and in these cases the configuration file must be updated to allow updating the DNS resolver settings.

The openvpn package can operate independently of the openvpn3 package and vice versa.

adityaguru149 commented 3 years ago

Thanks @dsommers

I guessed my issue was around the tunnel trying to siphon all network traffic instead of just local IPs. Is that not the case here?

Any ticket tracking openvpn3 and network-manager integration? That would be awesome

dsommers commented 3 years ago

It's really not that clear to me. You need to compare the routing tables and the DNS resolver settings after the VPN connection is established.

The VPN configuration and the routing rules the OpenVPN server pushes are the first two places where "route all traffic via the VPN tunnel" is determined. Then the network-manager integration also has its own flag ("Use this connection only for resources on its network") which also changes the routing slightly. And whether this gives a functional Internet experience depends on whether the DNS resolver settings point at a reachable DNS server.

So, first identify where your Internet traffic is routed and if that is as expected, then check if the DNS resolver settings are as expected (typically checking /etc/resolv.conf and the output of resolvectl).
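The routing-table comparison suggested in the comment above, as an added example that is not part of the original thread or the OpenVPN project's code: a small function that reads `ip -4 route show` output and reports whether the tunnel carries all IPv4 traffic or only specific networks. The function name, the interface names and the sample addresses are assumptions, and the sample routing table is constructed.

```shell
#!/bin/sh
# Added example. Classify how a tunnel device takes part in IPv4 routing.
# stdin: output of `ip -4 route show`; $1: tunnel device name (e.g. tun0).
# Prints one of: full-tunnel, split-tunnel, no-vpn-routes.
vpn_route_mode() {
    awk -v tun="$1" '
    {
        dev = ""; metric = 0
        for (i = 1; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        # Track the best (lowest-metric) default route on and off the tunnel.
        if ($1 == "default" || $1 == "0.0.0.0/0") {
            if (dev == tun) { if (!tun_def || metric < tun_m) tun_m = metric; tun_def = 1 }
            else            { if (!oth_def || metric < oth_m) oth_m = metric; oth_def = 1 }
        }
        if (dev != tun) next
        tun_routes++
        # The two /1 routes together cover all of IPv4 and override any
        # default route (this is what "redirect-gateway def1" installs).
        if ($1 == "0.0.0.0/1")   low = 1
        if ($1 == "128.0.0.0/1") high = 1
    }
    END {
        if (low && high)                                 print "full-tunnel"
        else if (tun_def && (!oth_def || tun_m < oth_m)) print "full-tunnel"
        else if (tun_routes)                             print "split-tunnel"
        else                                             print "no-vpn-routes"
    }'
}

# Constructed sample: the tunnel default route has a lower metric than the
# Wi-Fi default route, so the tunnel is preferred for all traffic.
SAMPLE_FULL='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp0s20f3 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 metric 50
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.20 metric 600'

printf '%s\n' "$SAMPLE_FULL" | vpn_route_mode tun0
# On a live system: ip -4 route show | vpn_route_mode tun0
```

Run it once per connection method and compare the two results; if the routing is as expected, continue with the DNS resolver check (`resolvectl` and /etc/resolv.conf) described above.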

praetore commented 1 year ago

Is there an update on this issue?

jfly commented 1 year ago

In case anyone finds this useful, this issue tracks adding support for openvpn3 to the network manager openvpn plugin: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/69