#1 2020-03-18 08:30:06

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 697

[SOLVED] NetworkManager-wireguard: No internet when connected

On my notebook I use NetworkManager to dynamically connect to networks.
I use the plugin networkmanager-wireguard-git from the AUR to configure Wireguard networks.
Everything works so far, except that internet access breaks as soon as I connect to a WireGuard VPN.
Manually assigning IP addresses and routes, as well as checking the "Use connection for this network only" (translated) box do not seem to have an effect.

$ cat /etc/NetworkManager/system-connections/VPN\ 1.nmconnection 
[connection]
id=Intranet
uuid=911da7f1-1363-4b32-873e-6e0989c1c70b
type=vpn
autoconnect=false
permissions=user:rne:;
timestamp=1584519731

[vpn]
local-ip4=10.200.200.4/32
local-private-key=REDACTED
peer-endpoint=REDACTED
peer-persistent-keep-alive=25
peer-preshared-key=REDACTED
peer-public-key=iDL6YJGyFBMIsOT7U0vCbGC98l1YpIpzTJ1knihEZjo=
service-type=org.freedesktop.NetworkManager.wireguard

[ipv4]
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

$ ip route
default via 172.23.56.254 dev wlo1 proto dhcp metric 600 
172.23.56.0/24 dev wlo1 proto kernel scope link src 172.23.56.21 metric 600 

I can ping my FritzBox

$ ping 172.23.56.254
PING 172.23.56.254 (172.23.56.254) 56(84) bytes of data.
64 bytes from 172.23.56.254: icmp_seq=1 ttl=64 time=1.79 ms
64 bytes from 172.23.56.254: icmp_seq=2 ttl=64 time=1.79 ms
64 bytes from 172.23.56.254: icmp_seq=3 ttl=64 time=1.84 ms
^C
--- 172.23.56.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.791/1.808/1.842/0.023 ms

And the VPN server

$ ping 10.200.200.254
PING 10.200.200.254 (10.200.200.254) 56(84) bytes of data.
64 bytes from 10.200.200.254: icmp_seq=1 ttl=64 time=20.9 ms
64 bytes from 10.200.200.254: icmp_seq=2 ttl=64 time=115 ms
64 bytes from 10.200.200.254: icmp_seq=3 ttl=64 time=35.6 ms
^C
--- 10.200.200.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 20.869/57.082/114.772/41.233 ms

But nothing on the internet

$ ping bbs.archlinux.de
PING bbs.archlinux.de (176.9.50.155) 56(84) bytes of data.
^C
--- bbs.archlinux.de ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3049ms

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4050ms

I also noticed that NetworkManager seems to create some nftables rules:

table ip6 wg-quick-Intranet {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
table ip wg-quick-Intranet {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "Intranet" ip daddr 10.200.200.4 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}

In the office I use the same network, but statically configured via systemd-network.
With that setup I can simultaneously use the VPN and the internet.
However I'd like to keep using NetworkManager on my notebook.
How can I get the internet access to work while connected to the VPN?

Update
I think that I found the culprit:

$ journalctl -au NetworkManager --since=now --follow
-- Logs begin at Sun 2019-05-26 13:12:59 CEST. --
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.1475] audit: op="connection-activate" uuid="911da7f1-1363-4b32-873e-6e0989c1c70b" name="Intranet" pid=10560 uid=1000 result="success"
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.1537] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",0]: Started the VPN service, PID 14610
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.1626] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",0]: Saw the service appear; activating connection
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip link add Intranet type wireguard
Mär 18 09:40:10 envy NetworkManager[14613]: [#] wg setconf Intranet /dev/fd/63
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.1906] manager: (Intranet): new WireGuard device (/org/freedesktop/NetworkManager/Devices/13)
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -4 address add 10.200.200.4/32 dev Intranet
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip link set mtu 1420 up dev Intranet
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2487] device (Intranet): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2526] device (Intranet): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2536] device (Intranet): Activation: starting connection 'Intranet' (1ecd136a-3bf6-488a-a39a-418260177bbd)
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2539] device (Intranet): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2543] device (Intranet): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2549] device (Intranet): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2552] device (Intranet): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[14613]: [#] wg set Intranet fwmark 51820
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -6 route add ::/0 dev Intranet table 51820
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -6 rule add not fwmark 51820 table 51820
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -6 rule add table main suppress_prefixlength 0
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2701] device (Intranet): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2706] device (Intranet): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.2726] device (Intranet): Activation: successful, device activated.
Mär 18 09:40:10 envy NetworkManager[14613]: [#] nft -f /dev/fd/63
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -4 route add 0.0.0.0/0 dev Intranet table 51820
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -4 rule add not fwmark 51820 table 51820
Mär 18 09:40:10 envy NetworkManager[14613]: [#] ip -4 rule add table main suppress_prefixlength 0
Mär 18 09:40:10 envy NetworkManager[14613]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
Mär 18 09:40:10 envy NetworkManager[14613]: [#] nft -f /dev/fd/63
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3005] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",0]: VPN plugin: state changed: starting (3)
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3006] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",0]: VPN connection: (ConnectInteractive) reply received
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3007] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",0]: VPN connection: (IP Config Get) reply received.
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3009] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: VPN connection: (IP4 Config Get) reply received
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3013] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data: Tunnel Device: "Intranet"
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3014] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data: IPv4 configuration:
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3014] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   Internal Address: 10.200.200.4
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3014] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   Internal Prefix: 32
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3014] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   Internal Point-to-Point Address: 10.200.200.4
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3014] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   Static Route: 10.200.200.0/24   Next Hop: 10.200.200.254
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3015] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   Internal DNS: 10.200.200.254
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3015] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data:   DNS Domain: '(none)'
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3015] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: Data: No IPv6 configuration
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3015] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: VPN plugin: state changed: started (4)
Mär 18 09:40:10 envy NetworkManager[12818]: <info>  [1584520810.3040] vpn-connection[0x5580be4104e0,911da7f1-1363-4b32-873e-6e0989c1c70b,"Intranet",34:(Intranet)]: VPN connection: (IP Config Get) complete
^C

NetworkManager is adding a route 0.0.0.0/0 dev Intranet in table 51820.
How can I prevent it from doing this?

Solution
Adding

/usr/bin/ip route flush table 51820

to PostUp in the WireGuard configuration solved the issue for me.

Last edited by schard (2020-03-18 09:36:29)
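An added check, not part of schard's post, for the policy-routing state the journal above shows: wg-quick puts a catch-all route into table 51820 and adds an `ip rule` that sends every packet without fwmark 51820 (0xca6c) to that table, which is what swallows the non-VPN traffic. The function below inspects `ip -4 route show table 51820` and `ip -4 rule` output (constructed samples embedded here, modelled on the logged commands) and reports whether that full-tunnel condition is present, before and after the `ip route flush table 51820` from the solution.

```shell
#!/bin/sh
# Added example, not from the original post. Decides from routing-state text
# whether wg-quick's policy routing captures all traffic ("full") or leaves
# the main table in charge ("split"). Output strings are passed in as
# arguments so the check runs offline; on a live host you would feed it
#   "$(ip -4 route show table 51820)" and "$(ip -4 rule)".

# wg_full_tunnel TABLE ROUTES RULES
# Returns 0 when TABLE holds a catch-all route AND an "ip rule" entry
# diverts unmarked traffic into TABLE; returns 1 otherwise.
wg_full_tunnel() {
    table="$1"; routes="$2"; rules="$3"
    # `ip -4 route add 0.0.0.0/0 dev X table T` shows up as "default dev X ..."
    printf '%s\n' "$routes" | grep -Eq '^(default|0\.0\.0\.0/0)( |$)' || return 1
    # `ip -4 rule add not fwmark 51820 table 51820` shows up as
    # "NNN:  not from all fwmark 0xca6c lookup 51820"
    printf '%s\n' "$rules" | grep -Eq "not from all fwmark 0x[0-9a-f]+ lookup $table\$" || return 1
    return 0
}

# tunnel_mode TABLE ROUTES RULES  -> prints "full" or "split"
tunnel_mode() {
    if wg_full_tunnel "$@"; then echo full; else echo split; fi
}

# Constructed sample state right after wg-quick's setup (from the logged commands).
ROUTES_BEFORE='default dev Intranet scope link'
# Constructed sample state after `ip route flush table 51820`: table is empty.
ROUTES_AFTER=''
# Constructed `ip -4 rule` output; the rules survive the flush, only the table empties.
RULES='0:	from all lookup local
32764:	from all lookup main suppress_prefixlength 0
32765:	not from all fwmark 0xca6c lookup 51820
32766:	from all lookup main
32767:	from all lookup default'

if [ "${1:-}" = "--demo" ]; then
    echo "before flush: $(tunnel_mode 51820 "$ROUTES_BEFORE" "$RULES")"   # full
    echo "after flush:  $(tunnel_mode 51820 "$ROUTES_AFTER" "$RULES")"    # split
fi
```

Note that the flush leaves the `not fwmark` rule and the `suppress_prefixlength 0` rule in place; an empty table simply falls through to main, so the check reports "split" even though the rules still exist.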
