`route` via pushed gateway is added as an on-link route (TAP)
Consider this OpenVPN configuration (unrelated directives elided):

```
<...>
client
dev tap
route-nopull
route 172.18.130.0 255.255.255.0
<...>
```

Together with the following push configuration:

```
2024-01-15 18:32:33 PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,redirect-gateway def1 bypass-dhcp,route-gateway 192.168.95.1,ping 10,ping-restart 120,socket-flags TCP_NODELAY,ifconfig 192.168.95.128 255.255.255.0,peer-id 0,cipher AES-256-GCM'
```

In this case, the expected behavior is to ignore the `redirect-gateway` due to `route-nopull`, but add the locally defined route `172.18.130.0 255.255.255.0` via the pushed gateway `192.168.95.1`:

```
$ ip -4 addr show dev tap0
17: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 192.168.95.128/24 scope global tap0
       valid_lft forever preferred_lft forever
$ ip -4 route show dev tap0
172.18.130.0/24 via 192.168.95.1
192.168.95.0/24 proto kernel scope link src 192.168.95.128
```
However, when imported into NetworkManager, this configuration is mishandled in two ways:

- `route-nopull` is not taken into account, resulting in the default gateway being silently added unless `ipv4.never-default` and `ipv6.never-default` are set manually (this is arguably worse, but it is not the focus of the present report);
- The locally defined route is added as an on-link route without honoring the `--route` directive semantics for the case where the gateway is not specified: "gateway default taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified" (see openvpn(8) for details).
This results in the following (broken) iproute configuration:

```
$ ip -4 addr show dev tap0
18: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 192.168.95.128/24 brd 192.168.95.255 scope global noprefixroute tap0
       valid_lft forever preferred_lft forever
$ ip -4 route show dev tap0
default via 192.168.95.1 proto static metric 50
172.18.130.0/24 proto static scope link metric 50
192.168.95.0/24 proto kernel scope link src 192.168.95.128 metric 50
```
What needs to happen here:

- `route-nopull` should result in `ipv4.ignore-auto-routes` and `ipv6.ignore-auto-routes` being set (again, off-topic for the present report; mentioned for completeness);
- `route` directives with the gateway (3rd parameter) omitted should default their gateway to the value of the `route-gateway` directive (either local or pushed).