WIP: Support redirect-gateway & don't redirect gateway by default

Old title: "Config import: don't redirect all traffic over the VPN connection unless asked to"

Ref issue: #48 (closed)

By default, OpenVPN does not adjust the default gateway on a client unless the route 0.0.0.0 0.0.0.0 or redirect-gateway ... config options are present. The opposite is being upheld currently, as the default value of NM_SETTING_IP_CONFIG_NEVER_DEFAULT (false) is being used.

This change makes the NEVER_DEFAULT value default to TRUE (i.e. the connection will never override the default gateway). It will be set to FALSE (and redirect all traffic) if: a) redirect-gateway with any options is present, or b) route with '0.0.0.0 0.0.0.0' is present (already checked for previously).

This also adds tests for all of the above conditions.

It should be noted that redirect-gateway has a number of options that are ignored by this code; it may be desirable to support some or all of them in the future. From the manual:

Option flags:

local — Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above to be omitted.

autolocal — Try to automatically determine whether to enable local flag above.

def1 — Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

bypass-dhcp — Add a direct route to the DHCP server (if it is non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

bypass-dns — Add a direct route to the DNS server(s) (if they are non-local) which bypasses the tunnel (Available on Windows clients, may not be available on non-Windows clients).

block-local — Block access to local LAN when the tunnel is active, except for the LAN gateway itself. This is accomplished by routing the local LAN (except for the LAN gateway address) into the tunnel.

ipv6 — Redirect IPv6 routing into the tunnel. This works similar to the def1 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4), covering the whole IPv6 unicast space.

!ipv4 — Do not redirect IPv4 traffic – typically used in the flag pair ipv6 !ipv4 to redirect IPv6-only.
Edited by Antonio Cardace
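
The import rule described in this merge request, shown as an added example (not code from the merge request or from NetworkManager-openvpn). The function name `import_never_default`, its `flags` output and the sample configs are assumptions made for illustration; comment handling is simplified to cutting each line at `#` or `;`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns the never-default value for one OpenVPN config.
 * true unless redirect-gateway (any flags) or "route 0.0.0.0 0.0.0.0" appears.
 * Flags given to redirect-gateway are copied to `flags` (may be NULL) so a
 * reviewer can see which ones the import rule does not act on. */
bool import_never_default(const char *config, char *flags, size_t flags_len)
{
    bool never_default = true;

    if (flags && flags_len)
        flags[0] = '\0';
    while (*config) {
        char line[256], kw[32] = "", a[64] = "", b[64] = "";
        size_t len = strcspn(config, "\n");           /* length of this line */
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;

        memcpy(line, config, n);
        line[n] = '\0';
        line[strcspn(line, "#;\r")] = '\0';           /* drop comment and CR */
        config += len + (config[len] == '\n');        /* advance to next line */

        if (sscanf(line, "%31s %63s %63s", kw, a, b) < 1)
            continue;                                 /* blank or comment-only */
        if (strcmp(kw, "redirect-gateway") == 0) {
            never_default = false;                    /* all traffic via VPN */
            if (flags && flags_len) {
                const char *rest = strstr(line, kw) + strlen(kw);
                snprintf(flags, flags_len, "%s", rest + strspn(rest, " \t"));
            }
        } else if (strcmp(kw, "route") == 0 &&
                   strcmp(a, "0.0.0.0") == 0 && strcmp(b, "0.0.0.0") == 0) {
            never_default = false;                    /* explicit default route */
        }
    }
    return never_default;
}

int main(void)
{
    /* Constructed sample configs, not taken from the merge request. */
    const char *split = "client\nroute 10.8.0.0 255.255.255.0\n";
    const char *full = "client\nredirect-gateway def1 bypass-dhcp\n";
    char flags[64];

    printf("split: never-default=%d\n", import_never_default(split, NULL, 0));
    printf("full:  never-default=%d\n", import_never_default(full, flags, sizeof flags));
    printf("flags not acted on: %s\n", flags);
    return 0;
}
```

A profile that returns `true` here leaves the client's existing default route in place, so only the explicitly routed subnets go through the tunnel.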