NetworkManager, dhclient and software controlled tunnel problem

Hello everyone,

I have the following problem.
I use Softether VPN server and clients to connect my home and work PCs, laptops, etc.

Softether VPN client creates the tun type interface with the name vpn_0 when it starts and then connects automatically to the remote endpoint. The IP address is received through dhcp.

Using **ifup** I can easily configure everything by creating the interface configuration file in /etc/sysconfig/network, specifying this interface as hotplug and dhcp. ifup receives an IP address automatically when the interface vpn_0 appears.

However I would like to do the same using NetworkManager. I tried various ways and nothing works.

  1. NetworkManager considers the vpn_0 interface as unmanaged. I tried to configure the interface as managed but then I don’t understand what to do next. Ethernet connection type doesn’t work with the tun interface. Creating any type of vpn or tunnel connection in NetworkManager requires additional parameters which I don’t have and which are not needed.
  2. I tried to configure the interface adding [connection-vpn_0] section to the /etc/NetworkManager/NetworkManager.conf file, but it doesn’t seem to have any effect.
  3. Dispatcher scripts don’t get any events about the vpn_0 interface

The second problem is when I run dhclient for the vpn_0 interface, it adds the default route with higher priority:

```
ar-hp:/ # ip route
default via 192.168.77.1 dev wlan0 proto dhcp metric 600
192.168.77.0/24 dev wlan0 proto kernel scope link src 192.168.77.7 metric 600
ar-hp:/ # dhclient vpn_0
ar-hp:/ # ip route
default dev vpn_0 scope link
default via 192.168.77.1 dev wlan0 proto dhcp metric 600
192.168.77.0/24 dev wlan0 proto kernel scope link src 192.168.77.7 metric 600
192.168.110.0/24 dev vpn_0 proto kernel scope link src 192.168.110.28
```

My dhcp server doesn’t send any gateways/routers in the responses. I tested that using the command

```
sudo nmap --script broadcast-dhcp-discover -e vpn_0
```

It displays the following:

```
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-12 14:41 EEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.110.29
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.110.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|_    Domain Name: xxxxxxxxxxx
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.44 seconds
```

Any suggestions or solutions please.

You need to create a connection of type tun using nmcli:

```
10:/home/bor # nmcli con
NAME                UUID                                  TYPE      DEVICE
Wired connection 2  76c288c0-6767-3005-a644-557a1fb76735  ethernet  my_net
test-tun            0c3fd27e-afa4-4467-9bab-adadae9dfc2a  tun       test_tun
Wired connection 1  8a618910-31de-3d8d-94dd-5c1ea03c58d2  ethernet  --
10:/home/bor # nmcli dev
DEVICE    TYPE      STATE         CONNECTION
my_net    ethernet  connected     Wired connection 2
test_tun  tun       connected     test-tun
eth1      ethernet  disconnected  --
lo        loopback  unmanaged     --
10:/home/bor # nmcli con show test-tun  | grep -E 'connection.type|ipv4.method|ipv4.address|interface-name'
connection.type:                        tun
connection.interface-name:              test_tun
ipv4.method:                            manual
ipv4.addresses:                         1.2.3.4/24

10:/home/bor # ip a show dev test_tun
4: test_tun: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 500
    link/none
    inet 1.2.3.4/24 brd 1.2.3.255 scope global noprefixroute test_tun
       valid_lft forever preferred_lft forever
    inet6 fe80::9b2a:29fb:bf1e:d770/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
10:/home/bor #
```

  1. I tried to configure the interface adding [connection-vpn_0] section to the /etc/NetworkManager/NetworkManager.conf file, but it doesn’t seem to have any effect.

What did you expect exactly? Connection definitions are not stored in NetworkManager.conf.

  1. Dispatcher scripts don’t get any events about the vpn_0 interface

I did not check this but I expect that NM should invoke dispatcher as long as it accepts and brings up interface.

The second problem is when I run dhclient for the vpn_0 interface, it adds the default route with higher priority:

```
ar-hp:/ # ip route
default via 192.168.77.1 dev wlan0 proto dhcp metric 600
192.168.77.0/24 dev wlan0 proto kernel scope link src 192.168.77.7 metric 600
ar-hp:/ # dhclient vpn_0
ar-hp:/ # ip route
default dev vpn_0 scope link
default via 192.168.77.1 dev wlan0 proto dhcp metric 600
192.168.77.0/24 dev wlan0 proto kernel scope link src 192.168.77.7 metric 600
192.168.110.0/24 dev vpn_0 proto kernel scope link src 192.168.110.28
```

Add code to dhclient-script to dump all environment, then we can see what it gets from dhclient.

You may create a VPN connection with NM without the use of SoftEther.

IMO
You first have to understand what you already have setup (SoftEther).
It’s a specific set of tools that supports specific types of VPN protocols used in a SoftEther VPN network.
There are signs that a SoftEther VPN network is not a generic VPN network.

https://www.softether.org/

So,
Now if you want to use Network Manager instead,
You need to first consider that <maybe> you can’t use the same VPN server network because SoftEther has its own tools and protocols which might be set up to work only with each other. I briefly skimmed the SoftEther setup and can’t determine one way or another how proprietary it might be.
I didn’t inspect the contents of the SoftEther archive that when unpacked contains everything that’s necessary to connect to a SoftEther network, there probably is important info there.

The TUN network device is just one way to set up a VPN, not necessarily important.

Some basic things you need to collect to set up a VPN connection using Network Manager…
VPN server list
Supported VPN protocols (possibly related to servers in the server list)
A password or certificate used for the initial connection

There may be more that could be required, but the above is a starter list to fill in the input fields in Network Manager.

BTW -
It’s a bit worrisome that a quick Internet search didn’t turn up any results of people who have tried this before.

HTH,
TSU

Thank you, this solved the issue. I created the connection from the command line and tweaked the connection file manually.
One of the important parameters is tun mode 2 (ethernet-like layer).


```
[connection]
id=vpn_0
uuid=d29e1ddc-f21c-4dc8-8f51-3d09b06feefc
type=tun
autoconnect=true
interface-name=vpn_0
permissions=

[tun]
mode=2

[ipv4]
method=auto
ignore-auto-dns=true
ignore-auto-routes=true
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-priority=100
dns-search=
method=link-local
```

NM now receives an IP address through DHCP when the vpn_0 interface appears.

NM uses another script for dhclient, and the issues with the standard dhclient call are related to that.
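
The `ignore-auto-routes`, `never-default` and `ignore-auto-dns` keys in the keyfile above are what stop the tunnel's DHCP server from redirecting the host's default route or DNS. As an added example that is not part of the original posts, the following shell check audits those keys in a keyfile and looks for a default route on the tunnel device in `ip route` output; the function names and the weak sample keyfile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a NetworkManager keyfile and a
# routing table for a DHCP-configured tunnel taking over the default route.

# keyfile_get FILE SECTION KEY: print the value of KEY in [SECTION], if present.
keyfile_get() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); cur = $0; next }
        cur == sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# audit_tunnel_keyfile FILE: one finding per line; returns 1 if any finding.
audit_tunnel_keyfile() {
    rc=0
    for key in never-default ignore-auto-routes ignore-auto-dns; do
        val=$(keyfile_get "$1" ipv4 "$key")
        if [ "$val" != "true" ]; then   # strict: "true" is what NM writes
            echo "ipv4.$key is '${val:-unset}', expected 'true'"
            rc=1
        fi
    done
    return "$rc"
}

# default_routes_on DEV: read `ip route` output on stdin, print default routes on DEV.
default_routes_on() {
    awk -v dev="$1" '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) { print; next }
    }'
}

# Constructed sample: a tun keyfile that still accepts DHCP routes and DNS.
weak_keyfile() {
    printf '%s\n' '[connection]' 'id=vpn_0' 'type=tun' 'interface-name=vpn_0' \
        '' '[tun]' 'mode=2' '' '[ipv4]' 'method=auto' 'never-default=false'
}

# Routing table lines as posted in the thread after running dhclient by hand.
thread_routes() {
    printf '%s\n' 'default dev vpn_0 scope link' \
        'default via 192.168.77.1 dev wlan0 proto dhcp metric 600' \
        '192.168.110.0/24 dev vpn_0 proto kernel scope link src 192.168.110.28'
}

tmp=$(mktemp) && weak_keyfile > "$tmp"
audit_tunnel_keyfile "$tmp" || echo "keyfile needs fixing"
thread_routes | default_routes_on vpn_0
rm -f "$tmp"
```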