nm-openconnect-service-openconnect-helper disregards split routes
Description of problem:
nm-openconnect-service-openconnect-helper disregards split-route specifications for the VPN.
Version-Release number of selected component (if applicable):
NetworkManager-openconnect-1.2.8-3.fc37.x86_64, but really all versions up to now.
How reproducible:
Always.
Steps to Reproduce:
- Connect to a corporate VPN which specifies split routes for networks to be excluded from the VPN tunnel and routed directly.
- Look at routing table.
- Observe lack of routing exceptions.
Actual results:
Default route into VPN tunnel. Only exception is (pre-existing) local network route.
E.g. going from this (pre-VPN):
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
To this (post-VPN):
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 vpn1
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth1
xxx.xxx.64.0    0.0.0.0         255.255.240.0   U     50     0        0 vpn1
xxx.xxx.137.24  192.168.1.1     255.255.255.255 UGH   50     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
192.168.1.1     0.0.0.0         255.255.255.255 UH    50     0        0 eth1
Expected results:
E.g. going from this (pre-VPN):
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
To this (post-VPN):
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 vpn0
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    20100  0        0 eth1
xxx.xxx.64.0    0.0.0.0         255.255.240.0   U     0      0        0 vpn0
13.107.6.152    192.168.1.1     255.255.255.254 UG    100    0        0 eth1
13.107.6.152    192.168.1.1     255.255.255.254 UG    20100  0        0 eth1
13.107.18.10    192.168.1.1     255.255.255.254 UG    100    0        0 eth1
13.107.18.10    192.168.1.1     255.255.255.254 UG    20100  0        0 eth1
13.107.64.0     192.168.1.1     255.255.192.0   UG    100    0        0 eth1
13.107.64.0     192.168.1.1     255.255.192.0   UG    20100  0        0 eth1
13.107.128.0    192.168.1.1     255.255.252.0   UG    100    0        0 eth1
13.107.128.0    192.168.1.1     255.255.252.0   UG    20100  0        0 eth1
13.107.136.0    192.168.1.1     255.255.252.0   UG    100    0        0 eth1
13.107.136.0    192.168.1.1     255.255.252.0   UG    20100  0        0 eth1
23.103.160.0    192.168.1.1     255.255.240.0   UG    100    0        0 eth1
23.103.160.0    192.168.1.1     255.255.240.0   UG    20100  0        0 eth1
40.96.0.0       192.168.1.1     255.248.0.0     UG    100    0        0 eth1
40.96.0.0       192.168.1.1     255.248.0.0     UG    20100  0        0 eth1
40.104.0.0      192.168.1.1     255.254.0.0     UG    100    0        0 eth1
40.104.0.0      192.168.1.1     255.254.0.0     UG    20100  0        0 eth1
40.108.128.0    192.168.1.1     255.255.128.0   UG    100    0        0 eth1
40.108.128.0    192.168.1.1     255.255.128.0   UG    20100  0        0 eth1
52.96.0.0       192.168.1.1     255.252.0.0     UG    100    0        0 eth1
52.96.0.0       192.168.1.1     255.252.0.0     UG    20100  0        0 eth1
52.104.0.0      192.168.1.1     255.252.0.0     UG    100    0        0 eth1
52.104.0.0      192.168.1.1     255.252.0.0     UG    20100  0        0 eth1
52.112.0.0      192.168.1.1     255.252.0.0     UG    100    0        0 eth1
52.112.0.0      192.168.1.1     255.252.0.0     UG    20100  0        0 eth1
52.120.0.0      192.168.1.1     255.252.0.0     UG    100    0        0 eth1
52.120.0.0      192.168.1.1     255.252.0.0     UG    20100  0        0 eth1
104.146.128.0   192.168.1.1     255.255.128.0   UG    100    0        0 eth1
104.146.128.0   192.168.1.1     255.255.128.0   UG    20100  0        0 eth1
131.253.33.215  192.168.1.1     255.255.255.255 UGH   100    0        0 eth1
131.253.33.215  192.168.1.1     255.255.255.255 UGH   20100  0        0 eth1
132.245.0.0     192.168.1.1     255.255.0.0     UG    100    0        0 eth1
132.245.0.0     192.168.1.1     255.255.0.0     UG    20100  0        0 eth1
xxx.xxx.137.24  192.168.1.1     255.255.255.255 UGH   100    0        0 eth1
xxx.xxx.137.24  192.168.1.1     255.255.255.255 UGH   20100  0        0 eth1
150.171.32.0    192.168.1.1     255.255.252.0   UG    100    0        0 eth1
150.171.32.0    192.168.1.1     255.255.252.0   UG    20100  0        0 eth1
150.171.40.0    192.168.1.1     255.255.252.0   UG    100    0        0 eth1
150.171.40.0    192.168.1.1     255.255.252.0   UG    20100  0        0 eth1
191.234.140.0   192.168.1.1     255.255.252.0   UG    100    0        0 eth1
191.234.140.0   192.168.1.1     255.255.252.0   UG    20100  0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
204.79.197.215  192.168.1.1     255.255.255.255 UGH   100    0        0 eth1
204.79.197.215  192.168.1.1     255.255.255.255 UGH   20100  0        0 eth1
Additional info:
The correct behavior can be observed when invoking openconnect manually on the command line and specifying the vpnc-script, e.g.:
sudo openconnect ..... -s /etc/vpnc/vpnc-script ....
That script honors the split networks passed to it through the environment:
#* CISCO_SPLIT_INC -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR -- network address
#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24)
#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0); unused
#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0); unused
#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0); unused
#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list
#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
and demonstrates the desired behavior.
The helper used when the VPN tunnel is triggered through the GNOME applet (/usr/libexec/nm-openconnect-service-openconnect-helper) either disregards or does not act on those configurations passed into it.
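An added check for this kind of regression (example code, not from the report or from NetworkManager-openconnect): it reads the split networks in the CISCO_SPLIT_INC_* form vpnc-script documents above, plus CISCO_SPLIT_EXC_* for excluded networks (assumed here to follow the same naming scheme), and compares them against `route -n` output, listing every split network that has no route via the interface it should use. The environment and routing table are constructed samples modelled on the post-VPN table in the report, with the anonymised prefix replaced by 10.20.

```python
"""Verify that split networks handed to vpnc-script actually reached the kernel routing table."""
import ipaddress


def split_networks(env, prefix="CISCO_SPLIT_INC"):
    """Return the IPv4 networks described by <prefix>, <prefix>_%d_ADDR and _MASK/_MASKLEN."""
    nets = []
    for i in range(int(env.get(prefix, 0))):
        addr = env[f"{prefix}_{i}_ADDR"]
        mask = env.get(f"{prefix}_{i}_MASK")
        masklen = env.get(f"{prefix}_{i}_MASKLEN")
        if mask is None and masklen is None:
            raise ValueError(f"{prefix}_{i}: neither _MASK nor _MASKLEN set")
        net = ipaddress.ip_network(f"{addr}/{mask or masklen}", strict=False)
        # vpnc-script exports both forms; a disagreement means a broken environment.
        if mask and masklen and net.prefixlen != int(masklen):
            raise ValueError(f"{prefix}_{i}: MASK {mask} disagrees with MASKLEN {masklen}")
        nets.append(net)
    return nets


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue
        dest, gw, genmask, _flags, _metric, _ref, _use, iface = f
        routes.append((ipaddress.ip_network(f"{dest}/{genmask}", strict=False), gw, iface))
    return routes


def missing_split_routes(env, route_text, prefix, iface):
    """Split networks under <prefix> that have no route via <iface>, as prefix strings."""
    present = {net for net, _gw, dev in parse_route_n(route_text) if dev == iface}
    return [str(n) for n in split_networks(env, prefix) if n not in present]


# Constructed sample: the report's post-VPN table with the anonymised xxx.xxx prefix replaced by 10.20.
ACTUAL_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     50     0        0 vpn1
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth1
10.20.64.0      0.0.0.0         255.255.240.0   U     50     0        0 vpn1
10.20.137.24    192.168.1.1     255.255.255.255 UGH   50     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth1
"""
# Constructed environment in the form vpnc-script documents (values are not the reporter's).
SAMPLE_ENV = {
    "CISCO_SPLIT_INC": "1", "CISCO_SPLIT_INC_0_ADDR": "10.20.64.0",
    "CISCO_SPLIT_INC_0_MASK": "255.255.240.0", "CISCO_SPLIT_INC_0_MASKLEN": "20",
    "CISCO_SPLIT_EXC": "2", "CISCO_SPLIT_EXC_0_ADDR": "13.107.6.152", "CISCO_SPLIT_EXC_0_MASKLEN": "31",
    "CISCO_SPLIT_EXC_1_ADDR": "13.107.64.0", "CISCO_SPLIT_EXC_1_MASK": "255.255.192.0",
}

if __name__ == "__main__":
    print("included nets without a vpn1 route:", missing_split_routes(SAMPLE_ENV, ACTUAL_ROUTE_N, "CISCO_SPLIT_INC", "vpn1"))
    print("excluded nets without an eth1 route:", missing_split_routes(SAMPLE_ENV, ACTUAL_ROUTE_N, "CISCO_SPLIT_EXC", "eth1"))
```

On a live system, feed it `dict(os.environ)` from inside the connect script and the output of `route -n`; an empty list for both calls means the helper installed what the gateway sent.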