On Sun, 2016-11-06 at 19:30 -0500, Paul Swanson wrote:

Hi

> I've recently been configuring my Ubuntu 16.10 laptop for default
> routing via VPN only and have discovered some difficulties.
> 
> 
> My goal is to only connect to the Internet via a VPN and ensure that
> DNS requests are resolved by a trusted server only.
> 
> One thing I've noticed is that DNS resolution seems to be handled by
> NM on a connection by connection basis, but I want to ensure that DNS
> resolvers are fixed to my choice regardless of the underlying
> connection, without giving up NM control and dnsmasq for caching.
> 
> From what I've seen so far, the configuration bias is towards VPN
> connections providing tangential access to a private network and NOT
> as the default route.


You ask here only about DNS. That is actually possible since 1.4.0 by
setting ipv4.dns-priority to a negative value. See 
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.ipv4.dns-priority

  nmcli connection modify $VPN_CONNECTION ipv4.dns-priority -1
  nmcli connection up $VPN_CONNECTION



Another thing is ensuring that all traffic is routed via the VPN (that
is, controlling the configured routes). That is not supported by NM
directly (besides that you can manually configure your underlying
connection to have no default-route and only give a default-route to
the VPN connection). See for example
https://bugzilla.gnome.org/show_bug.cgi?id=749376 .


> Is anyone aware of any clear guidance for configuring NM's behaviour
> when seeking to use VPN for default routing and DNS safe connections?
> 
> I've had further issues with NetworkManager SSH VPN configuration.
> 
> I would like to be able to link my VPN configuration to the
> underlying network adapters on my machine, so that regardless of
> which Wireless SSID or ethernet connection is activated the VPN
> connection is automatically and subsequently brought up and down as
> required. Right now, this is a manual process for me.

A VPN connection can be set as "secondary" of another connection.
See 
https://developer.gnome.org/NetworkManager/stable/nm-settings.html#nm-settings.property.connection.secondaries
Another option might be to write a dispatcher script.
See 
https://developer.gnome.org/NetworkManager/stable/NetworkManager.html#id-1.2.10.6


best,
Thomas
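One way to automate the bring-up Thomas mentions, as an added example that is not from the thread or from NetworkManager itself: a dispatcher script, assumed to live at /etc/NetworkManager/dispatcher.d/50-vpn-follow, that activates a VPN profile (placeholder name "work-vpn") whenever a non-VPN connection comes up and deactivates it when that connection goes down. It relies on the dispatcher convention from the NetworkManager man page (two arguments: interface and action; CONNECTION_ID in the environment) and keeps the policy in a function that can be tested without nmcli.

```shell
#!/bin/sh
# Assumed path: /etc/NetworkManager/dispatcher.d/50-vpn-follow (example, not NM's own code).
# NetworkManager runs it as: <script> <interface> <action>, with CONNECTION_ID set
# to the name of the profile that triggered the event.
# Pair it with: nmcli connection modify "$VPN_CONNECTION" ipv4.dns-priority -1
# so the VPN's resolvers take precedence over those of the underlying link.

VPN_CONNECTION="${VPN_CONNECTION:-work-vpn}"   # placeholder profile name

# decide_vpn_action ACTION CONNECTION_ID
# Prints "up", "down" or "none": what to do with the VPN for this event.
decide_vpn_action() {
    action="$1"
    conn="$2"
    # Ignore events caused by the VPN itself, otherwise we would loop.
    if [ "$conn" = "$VPN_CONNECTION" ]; then
        echo none
        return 0
    fi
    case "$action" in
        up)   echo up ;;     # underlying link ready: start the tunnel
        down) echo down ;;   # underlying link gone: tear the tunnel down
        *)    echo none ;;   # vpn-up, vpn-down, dhcp4-change, hostname, ... need no action
    esac
}

# vpn_is_active: "yes" if the VPN profile is currently activated, else "no".
vpn_is_active() {
    if nmcli -t -f NAME connection show --active | grep -qx -- "$VPN_CONNECTION"; then
        echo yes
    else
        echo no
    fi
}

# Only act when invoked by the dispatcher (exactly two positional arguments).
if [ "$#" -eq 2 ]; then
    case "$(decide_vpn_action "$2" "${CONNECTION_ID:-}")" in
        up)
            if [ "$(vpn_is_active)" != yes ]; then
                nmcli connection up id "$VPN_CONNECTION"
            fi
            ;;
        down)
            if [ "$(vpn_is_active)" = yes ]; then
                nmcli connection down id "$VPN_CONNECTION"
            fi
            ;;
    esac
fi
```

The file must be owned by root, executable, and not writable by group or others, or NetworkManager refuses to run it.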


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list