
First I tried systemd-networkd + wpa_supplicant for wifi, which worked fine, until I needed VPN.
And since I haven't been able to configure openvpn client config to be used just with certificate + user and password I just used Network Manager + networkmanager-openvpn to just import the profile.
The problem is that when I enable VPN while connected to ethernet (gateway: 192.168.1.1) the VPN (gateway: 10.40.204.1) "takes over" the ethernet and I am only able to access 10.40.x.x intranet.
When I enable WiFi (gateway: 10.0.0.138) I am able to access public internet again, but just trying to ping google.com one time does not work since it goes through vpn, then it goes through wifi somehow and works, it's just a mess.
Asking on IRC, alyptik pointed out that it might be with multiple defaults, so ip route looks like this:
[pulec@archlinux ~]$ ip r && echo "----------" && ip -6 r
default via 10.40.204.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp0s31f6 proto static metric 100
default via 10.0.0.138 dev wlp58s0 proto static metric 600
10.0.0.0/24 dev wlp58s0 proto kernel scope link src 10.0.0.7 metric 600
10.0.0.0/8 via 10.40.204.1 dev tun0 proto static metric 50
10.40.204.0/22 dev tun0 proto kernel scope link src 10.40.205.10 metric 50
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.243 metric 100
192.168.1.1 dev enp0s31f6 proto static scope link metric 100
213.175.37.11 via 192.168.1.1 dev enp0s31f6 proto static metric 100
----------
2a00:1028:83a2:5e22::/64 dev wlp58s0 proto ra metric 600 pref medium
fdf4:3c4f:eddf::980 dev enp0s31f6 proto kernel metric 256 pref medium
fdf4:3c4f:eddf::/64 dev enp0s31f6 proto ra metric 100 pref medium
fdf4:3c4f:eddf::/48 via fe80::21a:92ff:fe62:3061 dev enp0s31f6 proto ra metric 100 pref medium
fe80::1 dev wlp58s0 proto static metric 600 pref medium
fe80::/64 dev enp0s31f6 proto kernel metric 256 pref medium
fe80::/64 dev wlp58s0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev wlp58s0 proto static metric 600 pref medium
By running
# ip route add default via 192.168.1.1 dev enp0s31f6
Things seem to work as expected, but it does not seem right at all, there should be just one default, right?
I am sure I disabled systemd-networkd, systemd-resolved and wpa_supplicant, so there should not be any conflict.
Do I need to change something in Network Manager so I have only one default route or I have to use this "hack" by adding another default route?
Last edited by Pulec (2017-10-18 15:19:09)
IRC: pulec
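The IPv4 table from the post above, run through a simplified model of the kernel's route selection (longest matching prefix first, then lowest metric). This is an added example, not part of the original thread; the helper names and the destination 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# IPv4 table copied from the `ip r` output in the first post.
ROUTES = """\
default via 10.40.204.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev enp0s31f6 proto static metric 100
default via 10.0.0.138 dev wlp58s0 proto static metric 600
10.0.0.0/24 dev wlp58s0 proto kernel scope link src 10.0.0.7 metric 600
10.0.0.0/8 via 10.40.204.1 dev tun0 proto static metric 50
10.40.204.0/22 dev tun0 proto kernel scope link src 10.40.205.10 metric 50
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.243 metric 100
192.168.1.1 dev enp0s31f6 proto static scope link metric 100
213.175.37.11 via 192.168.1.1 dev enp0s31f6 proto static metric 100
"""
# The manually added route from the post; no metric given, so it gets metric 0.
MANUAL = "default via 192.168.1.1 dev enp0s31f6\n"


def parse_routes(text):
    """Turn `ip route` lines into dicts (hypothetical helper, IPv4 only)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        fields = dict(zip(tok[1::2], tok[2::2]))  # "dev tun0 metric 50" -> pairs
        routes.append({
            "net": ipaddress.ip_network(prefix),  # bare address becomes a /32
            "dev": fields["dev"],
            "metric": int(fields.get("metric", 0)),
        })
    return routes


def egress(routes, dst):
    """Interface chosen for dst: longest matching prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))
    return best["dev"]


if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for a public internet host.
    for label, table in (("before", ROUTES), ("after", ROUTES + MANUAL)):
        routes = parse_routes(table)
        for dst in ("203.0.113.10", "10.1.2.3", "10.0.0.138", "213.175.37.11"):
            print(label, dst, "->", egress(routes, dst))
```

With the original table everything except the two local /24 networks and the 213.175.37.11 host route leaves through tun0; with the metric-0 default added, only 10.0.0.0/8 still does.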

Is the value "metric" like some sort of administrative distance (or routing preference if you like)? Personally I don't use any VPN, but you could just change that value to set your public route as the most reliable default gateway, but still I'm not sure if one wants to keep his VPN as somewhat "default but not preferred"...

Is the value "metric" like some sort of administrative distance (or routing preference if you like)? Personally I don't use any VPN, but you could just change that value to set your public route as the most reliable default gateway, but still I'm not sure if one wants to keep his VPN as somewhat "default but not preferred"...
I haven't touched those metrics, and they seem to matter.
I have been able to add new default route via the 192.168.1.1 with lower metric and delete the old one and that worked best, still hacky tho...
I haven't been able to add higher metric for the tun0, that is just somehow unmovable.
Weird enough, if I just connect to VPN via wifi all is fine, when I connect ethernet, all gets borked again.
No idea where I can change default metric in Network Manager.
For now I will just use this "ip add/del solution".
Does the routing somehow just try to reach some IP with the connection with the lowest metric and, if that does not work, then try another?
IRC: pulec

Does the routing somehow just try to reach some IP with the connection with the lowest metric and, if that does not work, then try another?
AFAIK that's how it should work, but I never had the need to set up a VPN, so... couldn't you just delete everything which isn't 192.168.x.x and add your VPN's by passing a --metric value, according to what you need?
Last edited by lo1 (2017-10-18 09:06:48)

I tried googling but I am unable to use "ip route change", only del and add works for me.
Deleting everything would probably be just "ip route flush" and then re-adding stuff; I am not sure how that is better than just changing the broken ethernet connection. Maybe I will try that tomorrow.
But maybe I will just check in with other arch users in the company or set up openvpn without network manager which is for another topic.
Thanks so far.
BTW to the lowest metric - https://serverfault.com/questions/64827 … -vs-metric
Last edited by Pulec (2017-10-17 21:03:10)
IRC: pulec

That's probably better, let us know.
You're welcome. It's the least I could do, I know you for the python class
The reading was useful so thank you too!
Edit: now that I think about it, you'll probably need two static routes, one for your wifi interface and one for your ethernet. But this is getting tricky enough 'til now...
Last edited by lo1 (2017-10-17 21:52:05)

Found those openvpn client configs and when I launch it directly through openvpn all is working fine, no defaults, no extra low metrics so SOLVED I guess.
Weird enough that Network Manager is doing such "conflict" tho.
I did run systemd-networkd and Network Manager at same time for a while, I am wondering if that broke something permanently (e.g. some configs edited).
Hopefully that routing part will be useful to someone in future.
IRC: pulec

One more thing, I gave up on the systemd-networkd solution, since it's advised to just leave the tun0 connection unmanaged by systemd, and I wanted to set the metric so it would be considered as "primary" and I could do kinit in vpn properly. Also activating a wifi network with password and variable token is somehow easier via nmcli c "wifi" --ask than using wpa_supplicant. Too bad passwords are unencrypted, not a fan of gnome-keyring or kde wallet.
Instead of changing the routes manually as root I just modified metrics on the ethernet, which is saved to some profile not available in nm-applet and that gets applied after reactivating the connection, so that would probably be the ideal fix for this case.
Example for metric 500 on ipv4; use ipv6.route-metric for ipv6.
You can provide uuid instead of connection name.
$ nmcli connection modify "CONNECTION NAME" ipv4.route-metric 500
See http://blog.felipe.lessa.nom.br/?p=129 and other examples.
IRC: pulec