On Tue, Jun 19, 2018 at 1:02 PM, Grant Taylor <gtay...@gentoo.tnetconsulting.net> wrote:
> On 06/19/2018 05:57 AM, Mick wrote:
>>
>> Actually, I don't know if there is a way to set up multiple nameservers
>> for corresponding name resolution in/out of the tunnel, without using a
>> domain-specific override as you would with dnsmasq and without leaking DNS
>> queries to the ISP if you are meant to be querying the tunnel's nameservers.
>
> My go to solution would be a local DNS server that decides where different
> queries go.

That's what NM does. It uses dnsmasq. (Maybe not by default but that's how I've got it running.)

>> Yes, those VPN implementations that set up separate routing policy tables
>> help to keep main and 'VPN' rules separate, which is neat and easy to
>> maintain. only contains the route from the local VPN subnet to the remote
>> LAN subnet.
>
> Yep.
>
>> Quite. The user (or his VPN client via some NM plugin) is meant to add in
>> this networkmanager IPv4/Route tab the remote LAN subnet(s) and enable "Use
>> only for resources on this connection" in order to set up a split tunnel.
>> Then tun0 will only be used to tunnel connections to these subnets. All
>> other connections to the Internet or local LAN will go outside the tunnel,
>> using the default local gateway.
>
> *nod*
>
>> Given Hilco's results I'm surmising an empty table in the NM translates as
>> 0.0.0.0/0 and all connections end up being routed via the VPN stack, but I
>> could be wrong because I don't know what he may have entered in this table.
>
> Agreed.

Originally, I had nothing in there. Adding the one route (see my email on June 7th) makes it work ... mostly.

>> Yes, but leaving the routes table empty ... it seems to tunnel everything
>> through it ... I don't know without trying it out myself or getting more
>> info on the settings.
>
> Ya. This is unexpected behavior to me. I also don't have a convenient way
> to reproduce it.
>
>> I expect you can set up a subnet here and from this the NM will configure
>> the route accordingly to make it go through the VPN stack.
>
> That is the expected behavior.
>
> IMHO the lack of additional routes means that nothing other than the VPN link
> itself should be routed through the VPN.
>
>> Is this something I can manipulate via resolv.conf on the local PC
>> (without a local resolver) to make sure DNS searches meant for the VPN stack
>> are tunneled to the remote nameservers not leaked outside it?
>
> I don't know of a good way to do this without a local DNS server.
>
>> PS. Thanks for your write up on network namespaces. I'll look into this
>> in more depth when I get a minute, because I would like to contain/isolate
>> desktop applications I inherently mistrust - e.g. Skype.
>
> You're welcome. I'm glad to hear people benefiting from it. Feel free to
> reach out if you have any questions.

Thanks for discussing this. At minimum it's quite interesting. :-)
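As an added illustration (not code from the thread, nor from NetworkManager or dnsmasq), the Python below models the two "split" decisions the thread circles around: a local forwarder in the style of dnsmasq's `server=/domain/nameserver` directives choosing which upstream resolver a query goes to (and a check for names that would still be sent to the ISP resolver), and a longest-prefix route lookup showing why an empty NM routes table plus a tunnel default route pulls all traffic into the VPN, while "Use only for resources on this connection" keeps it split. The domain names, addresses and interface names are constructed sample values, not taken from the thread.

```python
"""Model of split DNS and split-tunnel routing (added example, constructed data)."""
import ipaddress

# Constructed sample dnsmasq fragment: VPN names go to the tunnel resolver,
# everything else to the local gateway / ISP forwarder.
SAMPLE_DNSMASQ_CONF = [
    "# constructed sample config",
    "server=/corp.example/10.8.0.1",
    "server=192.168.1.1   # default upstream for all other names",
]


def parse_dnsmasq_servers(lines):
    """Parse 'server=/domain/ip' (domain-specific) and 'server=ip' (default) lines.

    Returns (overrides: {domain: ip}, default_ip_or_None)."""
    overrides, default = {}, None
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, ip = value.split("/", 2)  # "/corp.example/10.8.0.1"
            overrides[domain.lower().strip(".")] = ip
        else:
            default = value
    return overrides, default


def upstream_for(name, overrides, default):
    """Longest matching domain suffix wins; otherwise the default upstream."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in overrides:
            return overrides[suffix]
    return default


def dns_leaks(names, vpn_domains, overrides, default):
    """Names under a VPN domain that would still go to the default (non-tunnel)
    upstream, i.e. be leaked outside the tunnel because no override covers them."""
    leaked = []
    for name in names:
        n = name.lower().strip(".")
        in_vpn = any(n == d or n.endswith("." + d) for d in vpn_domains)
        if in_vpn and upstream_for(name, overrides, default) == default:
            leaked.append(name)
    return leaked


def build_routes(vpn_routes, never_default, local_if="eth0"):
    """Model the NM IPv4/Routes tab for a VPN connection.

    vpn_routes: CIDR strings entered for the connection (go via tun0).
    never_default=True models "Use only for resources on this connection";
    with it off, NM also installs a 0.0.0.0/0 route via the tunnel, which is
    listed before the local default so it wins the tie (like a lower metric)."""
    table = [(ipaddress.ip_network(r), "tun0") for r in vpn_routes]
    if not never_default:
        table.append((ipaddress.ip_network("0.0.0.0/0"), "tun0"))
    table.append((ipaddress.ip_network("0.0.0.0/0"), local_if))  # local gateway
    return table


def egress_interface(dst, table):
    """Longest-prefix match, first entry wins ties (FIB-style lookup)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifname in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


if __name__ == "__main__":
    ov, dflt = parse_dnsmasq_servers(SAMPLE_DNSMASQ_CONF)
    for q in ("intranet.corp.example", "www.example.org"):
        print(q, "->", upstream_for(q, ov, dflt))
    print("leaked:", dns_leaks(["git.lab.example"], ["corp.example", "lab.example"], ov, dflt))
    split = build_routes(["10.10.0.0/16"], never_default=True)
    full = build_routes([], never_default=False)
    print("split 8.8.8.8 ->", egress_interface("8.8.8.8", split))
    print("full  8.8.8.8 ->", egress_interface("8.8.8.8", full))
```

The `dns_leaks` check is the part worth keeping around: every VPN-side domain needs its own `server=/domain/ip` line, and any name outside those suffixes is forwarded to the default upstream even though it may belong to the other side of the tunnel.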