~eduvpn/server#135: use NetworkManager or networkd

Status
REPORTED
Submitter
~fkooman
Assigned to
No-one
Submitted
1 year, 8 months ago
Updated
1 year, 2 days ago
Labels
v4.x

~fkooman 1 year, 8 months ago

"Modern" approach to handling just WireGuard using NetworkManager, I am sure this is also possible with OpenVPN, just didn't investigate yet.

This should work "out of the box" on Fedora/EL.

We first stop using wg-quick to manage the WireGuard interface, and instead switch to using NetworkManager:

$ sudo systemctl disable --now wg-quick@wg0
$ nmcli con import type wireguard file /etc/wireguard/wg0.conf

We assume that the VPN server's link to the Internet is already established, e.g. eth0 is configured and working. We'll define and configure eth1 and call the interface nat-gw:

$ sudo nmcli connection add type ethernet con-name nat-gw ifname eth1 ipv4.method manual ipv4.addresses 192.168.1.100/24 ipv4.routes "0.0.0.0/0 192.168.1.1 table=5000"

Now we'll route WireGuard traffic over this interface:

$ sudo nmcli connection modify wg0 ifname wg0 ipv4.routes "10.10.10.0/24 table=5000" ipv4.routing-rules "priority 5 from 10.10.10.0/24 table 5000"

TODO: investigate integrating with firewalld

TODO: update tooling, i.e. vpn-maint-apply-changes and /usr/libexec/vpn-server-node-server-config to also support NetworkManager...

~fkooman 1 year, 8 months ago*

with IPv6:

$ sudo nmcli connection \
    add \
    type ethernet \
    con-name nat-gw \
    ifname eth1 \
    ipv4.method manual \
    ipv4.addresses 192.168.1.100/24 \
    ipv6.addresses fd00:1010:1010:1010::100/64 \
    ipv4.routes "0.0.0.0/0 192.168.1.1 table=5000" \
    ipv6.routes "::/0 fd00:1010:1010:1010::1 table=5000"

$ sudo nmcli connection \
    modify wg0 \
    ifname wg0 \
    ipv4.routes "10.10.10.0/24 table=5000" \
    ipv6.routes "fd00:4242:4242:4242::/64 table=5000" \
    ipv4.routing-rules "priority 5 from 10.10.10.0/24 table 5000" \
    ipv6.routing-rules "priority 5 from fd00:4242:4242:4242::/64 table 5000"
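An added verification helper for the setup above (my own example, not eduVPN tooling or the poster's code): it parses the output of "ip -4 rule show" and "ip -4 route show table 5000" and confirms that the rule for the VPN subnet really points at table 5000 with a priority that beats the main-table rule (32766), and that table 5000 carries the nat-gw default route. Subnet, table, gateway and device are the values used in this thread; the sample output at the bottom is constructed.

```shell
#!/bin/sh
# Policy-routing sanity check for the NetworkManager/WireGuard setup in this thread.
# Functions take the ip(8) output as text so they work on live output or a saved copy.

# rule_routes_via_table RULES NET TABLE
# 0 if RULES (from `ip -4 rule show`) has "from NET lookup TABLE" with a priority
# below 32766; a higher priority would be shadowed by the main table and never used.
rule_routes_via_table() {
    printf '%s\n' "$1" | awk -v net="$2" -v tbl="$3" '
        $2 == "from" && $3 == net && $4 == "lookup" && $5 == tbl {
            prio = $1; sub(/:$/, "", prio)
            if (prio + 0 < 32766) found = 1
        }
        END { exit !found }'
}

# table_has_default_via ROUTES GW DEV
# 0 if ROUTES (from `ip -4 route show table TABLE`) has "default via GW dev DEV".
table_has_default_via() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        $1 == "default" && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
        END { exit !found }'
}

# check_policy_routing RULES ROUTES NET TABLE GW DEV
# Reports each failed check; returns 0 only when both pass.
check_policy_routing() {
    ok=0
    rule_routes_via_table "$1" "$3" "$4" \
        || { echo "missing or shadowed rule: from $3 lookup $4"; ok=1; }
    table_has_default_via "$2" "$5" "$6" \
        || { echo "table $4 has no default route via $5 dev $6"; ok=1; }
    return $ok
}

# Constructed sample output matching the thread's nmcli configuration.
SAMPLE_RULES=$(printf '0:\tfrom all lookup local\n5:\tfrom 10.10.10.0/24 lookup 5000\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n')
SAMPLE_ROUTES='default via 192.168.1.1 dev eth1 proto static metric 101'
check_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" 10.10.10.0/24 5000 192.168.1.1 eth1 \
    && echo "policy routing for 10.10.10.0/24 via table 5000 is in place"

# Live use on the VPN server:
# check_policy_routing "$(ip -4 rule show)" "$(ip -4 route show table 5000)" \
#     10.10.10.0/24 5000 192.168.1.1 eth1
```

The same check applies to the IPv6 variant by feeding it "ip -6 rule show" and "ip -6 route show table 5000" with the fd00: prefixes from the second comment.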

~fkooman 1 year, 8 months ago

OpenVPN server configurations are not supported by NetworkManager, so we can't use that for OpenVPN.

I don't know how to configure policy routing persistently on EL9 for OpenVPN in a supported way.

~gvde 1 year, 2 days ago

I don't know if that matches 100% what you are looking for, but I have put my additional internal interface completely into a separate routing table and configured it like this, e.g. in /etc/NetworkManager/system-connections/enX1.nmconnection for enX1:

...
[ipv4]
address1=192.168.100.1/24
gateway=192.168.100.254
may-fail=false
method=manual
route-table=100
routing-rule1=priority 100 from 192.168.100.0/24 table 100
routing-rule2=priority 101 from 10.123.212.0/24 table 100

[ipv6]
...

This way the main routing table does not contain any routes about the internal interface and networks, but only the specific table 100. rule1 routes the traffic of the server using the interface IP 192.168.100.1 correctly through table 100 (to prevent it from going out the external interface). rule2 routes the traffic sourced from the vpn subnet.