VPN-in-VPN messes up routing
I need to access a network at work which is not directly available using the Corporate VPN (a Cisco AnyConnect one, set up by central IT services). Instead, I need to route data over a second network (an OpenVPN one, set up by myself), to be able to reach the hosts that I need to.
I have configured the OpenConnect NetworkManager plugin for the first VPN, and that works well; I can reach everything on the Internet, as well as everything through the first VPN. Also, when I configure the OpenVPN VPN using the OpenVPN systemd unit (i.e., `sudo systemctl start openvpn-client@client`), then all works well, and I can reach the necessary hosts without issue.
However, when I use the OpenVPN NetworkManager plugin to configure the OpenVPN network (by using the "import configuration file" option from the configuration file used for the systemd unit), it fails in two interesting and slightly related ways:
- The default setting of the OpenVPN plugin is to reroute all traffic through the VPN, as though the "redirect-gateway" setting was set in the OpenVPN configuration file. This means that all network traffic, including the one for the first VPN which is required to be able to reach the OpenVPN server, will be redirected through the OpenVPN network. Since that means the OpenVPN tunnel now tries to tunnel the tunnel that tunnels it, obviously nothing works anymore (including traffic that isn't meant to go through any VPN). This can be disabled by switching on the "only use for traffic to these networks" option (or whatever it's called in English -- using it in Dutch here, sorry), so it's only a minor issue; but I would think that if the config file import did not see the "redirect-gateway" option in the configuration file, this setting should not be set in the first place...
- Even after disabling the option described in the previous bullet, the OpenVPN plugin still adds a static route for the OpenVPN server which goes through my default gateway (i.e., outside the AnyConnect VPN). This is obviously wrong, and it means the connection won't work until I run `sudo ip route del <OpenVPN server> via <default gateway>`, which rather defeats the point of using a GUI to set up the VPN in the first place.
I note that there is also a Debian bug about the gateway issue (at least), which has been open for quite a while, although it seems a bit outdated.
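As an added example (not part of the original post, and not code from NetworkManager or OpenVPN), the following POSIX shell script checks a routing table for the two symptoms described above: a host route for the OpenVPN server that bypasses the corporate tunnel interface, and a redirect-gateway style default route sitting on the OpenVPN interface. The routing tables are constructed samples in the format of `ip route show`; the addresses, the interface names (`tun0` for the AnyConnect tunnel, `tun1` for OpenVPN, `eth0` for the physical link) and the metrics are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: detect the two routing problems described in the post.
# Everything below is constructed; replace SAMPLE_ROUTES with "$(ip route show)"
# to check a live system.

# Constructed table for the second bullet: the corporate tunnel (tun0) carries
# the default route, the AnyConnect concentrator (203.0.113.5) is correctly
# reached via the physical gateway, but the OpenVPN server (198.51.100.7)
# has also been given a host route via the physical gateway, bypassing tun0.
SAMPLE_ROUTES='default via 192.0.2.1 dev tun0
default via 10.0.0.1 dev eth0 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
203.0.113.5 via 10.0.0.1 dev eth0
198.51.100.7 via 10.0.0.1 dev eth0
192.0.2.0/24 dev tun0 proto kernel scope link src 192.0.2.10'

# Constructed table for the first bullet: the OpenVPN plugin has installed a
# default route on tun1 with a lower metric than the corporate tunnel, so the
# outer tunnel's own traffic would be pushed into the inner one.
SAMPLE_ROUTES_REDIRECT='default via 10.8.0.1 dev tun1 metric 50
default via 192.0.2.1 dev tun0 metric 60
default via 10.0.0.1 dev eth0 metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev tun0 proto kernel scope link src 192.0.2.10'

# check_vpn_server_route ROUTES SERVER_IP TUNNEL_DEV
# Prints "ok" if SERVER_IP has no host route leaving via a device other than
# TUNNEL_DEV; otherwise prints "bypass: <route line>" and returns 1. The
# printed route line can be passed verbatim to `ip route del`.
check_vpn_server_route() {
    routes="$1"; server="$2"; tun="$3"
    bad=$(printf '%s\n' "$routes" | awk -v s="$server" -v t="$tun" '
        $1 == s || $1 == (s "/32") {
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i+1)
            if (dev != "" && dev != t) { print; exit }
        }')
    if [ -n "$bad" ]; then
        printf 'bypass: %s\n' "$bad"
        return 1
    fi
    printf 'ok\n'
}

# lowest_metric_default_dev ROUTES
# Prints the device of the default route the kernel actually uses: the one
# with the lowest metric (a route without a metric counts as metric 0).
lowest_metric_default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            m = 0; dev = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "metric") m = $(i+1) + 0
                if ($i == "dev") dev = $(i+1)
            }
            if (!seen || m < best) { best = m; bestdev = dev; seen = 1 }
        }
        END { print bestdev }'
}

# check_redirect_gateway ROUTES OPENVPN_DEV
# Flags the "tunnel the tunnel" situation: either the winning default route is
# on OPENVPN_DEV, or the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's
# redirect-gateway def1 installs points at OPENVPN_DEV.
check_redirect_gateway() {
    routes="$1"; vpn="$2"
    best=$(lowest_metric_default_dev "$routes")
    half=$(printf '%s\n' "$routes" | awk -v t="$vpn" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == t) { print $1; exit }
        }')
    if [ "$best" = "$vpn" ] || [ -n "$half" ]; then
        printf 'redirect-gateway: %s carries the default route\n' "$vpn"
        return 1
    fi
    printf 'ok\n'
}

# Demo on the constructed tables (exit status ignored so the script continues).
check_vpn_server_route "$SAMPLE_ROUTES" 198.51.100.7 tun0 || :
check_redirect_gateway "$SAMPLE_ROUTES_REDIRECT" tun1 || :
```

On a live system, running the first check with the real OpenVPN server address and the AnyConnect interface name before connecting the OpenVPN profile shows whether the plugin's extra host route will send the inner tunnel's packets around the outer one; the line it prints is exactly what the `ip route del` in the post removes.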