openvpn split tunnel

Question

5

openvpn split tunnel

asked 2019-01-22 20:36:02 +0200

jsm
166 ●4 ●7 ●9

updated 2019-01-23 09:44:31 +0200

jiit

2678 ●32 ●58 ●59

admin

It seems that use of remote gateway is hardcoded into the internet openvpn connection GUI. Why? If i execute openvpn on the cli on the Jolla C sailfish 3 without using /usr/lib/connman/scripts/openvpn-script and --route-noexec I get the wanted result, which is a split tunnel to the internet and to my home network via vpn0. I always get a 0.0.0.0 default gw with dev vpn0 with the gui.

How can I remain using my lte connection directly for non related vpn networks using the VPN GUI?

Thanks.

edit retag flag offensive close delete

Comments

1

Thats why I use openvpn only on the cli. Maybe they had fix this "bug" .

FYI: I use up/down scripts (mentioned by openvpn), but this does not work with the gui vpn (see here)

utkiek ( 2019-01-23 12:27:14 +0200 )edit

1

The behaviour that you described is probably the desired one - i.e., route _all_ traffic through VPN, which is extremely useful when you want to protect yourself on an insecure WLAN. The use case that you are describing is for when you want to use services that are not public on the internet, but are available on your own network. I don't think this is a bug - perhaps a feature request to support this option? I am assuming that your ovpn server config doesn't push a route and yet SFOS decides to set it as a default gateway? if this is the case, why do you need to use --route-noexec in the init script?

gabriel ( 2019-01-23 14:35:30 +0200 )edit

Yeah I'm aware of the common use case. It should have said without using /usr/lib/connman/scripts/openvpn-script and without using --route-noexec. Yes it is a feature request, but i think that the ones using the vpn as def remote gateway should just configure their vpn to send def route. I cannot see why this should be (hard?)coded this way..

jsm ( 2019-01-23 17:56:31 +0200 )edit

Thats why I use openvpn only on the cli. Maybe they had fix this "bug" .
FYI: I use up/down scripts (mentioned by openvpn), but this does not work with the gui vpn (see here)
utkiek ( 2019-01-23 12:27:14 +0200 )edit
The behaviour that you described is probably the desired one - i.e., route _all_ traffic through VPN, which is extremely useful when you want to protect yourself on an insecure WLAN. The use case that you are describing is for when you want to use services that are not public on the internet, but are available on your own network. I don't think this is a bug - perhaps a feature request to support this option? I am assuming that your ovpn server config doesn't push a route and yet SFOS decides to set it as a default gateway? if this is the case, why do you need to use --route-noexec in the init script?
gabriel ( 2019-01-23 14:35:30 +0200 )edit
Yeah I'm aware of the common use case. It should have said without using /usr/lib/connman/scripts/openvpn-script and without using --route-noexec. Yes it is a feature request, but i think that the ones using the vpn as def remote gateway should just configure their vpn to send def route. I cannot see why this should be (hard?)coded this way..
jsm ( 2019-01-23 17:56:31 +0200 )edit

Answer 1

2

answered 2019-01-25 07:31:50 +0200

melg01
6069 ●57 ●75 ●68

updated 2019-01-25 07:40:22 +0200

It's a perfectly valid requesr. Split VPN - or individually targeted routing, can be desirable in some situations, even from a business perspective. Let me point you to three typical use cases, that may arise when working remotely, e.g. at home office or as a consulter or technician at the site of your client, connected simultaneously to two networks:

privacy: you don't want your private internet traffic going through your employers network, while you're accessing the business ressources. This is valid from the employers point of view as well: he has no log files of what else you do, it's nothing of his business.
access of local ressources: you need to use ip-ressources which are on another network, e.g. your network printer at home or some storage.
You set up a VPN tunnel between two partners and want to specify the different routing possibilities.

Of course, there are serious security issues to this kind of setup with split-vpn, and I'd probably not allow it in my business. But as a request and sometimes even need, it can make sense.

edit flag offensive delete publish link

Answer 2

1

answered 2019-07-30 23:15:37 +0200

JulienBlanc
563 ●12 ●15 ●19

Replying to myself, i found how to do this properly.

Edit your vpn provider configuration :

/home/.system/var/lib/connman-vpn/provider_xxx_sailfishos/settings

add the following :

DefaultRoute=false

(just after Host=xxx, for example).

Reboot your phone, and voilà !

Now ask jolla why this settings is not available in the default interface :(

edit flag offensive delete publish link

Comments

Shouldn't you accept your answer, too? :)

Direc ( 2019-08-04 13:41:11 +0200 )edit

Answer 3

0

answered 2019-01-24 21:43:40 +0200

dominican
256 ●13 ●19 ●21

That's not a bug, when sailfish route all the traffic through the VPN, it's protecting you from an insecure WLAN connection, and that's something that personally i love from sailfish OS X, maybe as @gabriel says, you must request a new feature to Jolla.

edit flag offensive delete publish link

Comments

I never marked it as a bug, but as a feature request :-)

jsm ( 2019-01-24 21:53:37 +0200 )edit

certainly :)

dominican ( 2019-01-24 22:05:33 +0200 )edit

hm hint for all surveillance guys: use ipv6 in WIFI spots! Happy side routing! (yes, there is another ip protocol and it is ignored by tunnel builders - even Jolla)

cy8aer ( 2019-01-25 10:38:55 +0200 )edit

You only have to block the ipv6 protocol using the iptables :)

dominican ( 2019-01-25 17:42:49 +0200 )edit

Nope you have to implement v6 - on both sides

cy8aer ( 2019-01-26 17:28:59 +0200 )edit

Answer 4

0

answered 2019-07-30 20:46:28 +0200

JulienBlanc
563 ●12 ●15 ●19

I have the same request, and i’ll add i consider this a bug.

Routes should be set by the VPN server : adding a default route just render them unusable. Other openvpn clients do not do this, they honor the routes set by the server. Since the problem does not reside at openvpn level, there is simply no way from the server to prevent this (basically, connecting to a non routing server vpn just break all internet connection on the device).

Whether this is a “safe” setup is up to debate (it depends on what you use your vpn for). But the fact is that it is a fully supported openvpn setup.

As a side note, this behaviour also prevents from connecting to multiple VPNs at once (which, again, is a perfectly valid openvpn supported scheme, working without issues from any linux box).

edit flag offensive delete publish link

openvpn split tunnel

Comments

4 Answers

Comments

Comments

Question tools

Stats

Related questions

openvpn split tunnel

Comments

4 Answers

Comments

Comments

Question tools

Public thread

Stats

Related questions