openconnect does not work from network manager

I am trying to set up a VPN connection to use RDP to connect to my work desktop.
Using:

sudo openconnect --protocol=gp gp.myserver.com

I am successfully connected to the VPN and using remmina I can connect to my machine in the network.

But when I set up the VPN connection through the KDE GUI network manager it looks like I am successfully connected to the VPN, but remmina can not connect to my remote desktop.

I have checked after connecting via the GUI app:

journalctl -u NetworkManager.service
mar 09 17:58:00 lpc openconnect[22196]: ESP session established with server
mar 09 17:58:00 lpc openconnect[22196]: ESP tunnel connected; exiting HTTPS mainloop.

checking:

sudo lsof -i -P -n

openconne 2914 nm-openconnect    7u  IPv4  70048      0t0  UDP 192.168.1.11:35092->ip_addr:4501 

It looks like the connection is established but the user is nm-openconnect and remmina doesn't see that. When setting up the connection from the console as sudo, the only difference I see is the user (root).

Is it possible to set up the connection via the GUI manager as sudo, or make remmina work with user nm-openconnect?

That appears to be two separate issues.

Firstly, verify that the VPN is active and you can access the remote network.

Then look at remmina.

It looks like I can not access the remote network when it is set up through the GUI manager.
I have also noticed that when using network manager:

ip address
4: vpn0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1422 qdisc fq_codel state UP group default qlen 500
    link/none 
    inet 172.29.31.83/32 scope global noprefixroute vpn0
       valid_lft forever preferred_lft forever
    inet6 fe80::d364:1f05:9fed:40f4/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

using sudo openconnect:

ip address
4: vpn0: <POINTOPOINT,MULTICAST,NOARP> mtu 1422 qdisc fq_codel state DOWN group default qlen 500
    link/none 
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1422 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 172.29.31.86/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b5e1:6544:2044:2cd2/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

In Wireshark I can see that with the second method all traffic goes through the tun0 interface.
With the first one, only some DNS requests are visible on the vpn0 interface.


What's the output of ip route in each situation?

network manager:

default via 192.168.1.1 dev enp2s0 proto dhcp metric 100 
90.230.17.90 via 192.168.1.1 dev enp2s0 proto static metric 100 
172.29.0.15 dev vpn0 proto static scope link metric 50 
172.29.6.131 dev vpn0 proto static scope link metric 50 
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.11 metric 100 
192.168.1.1 dev enp2s0 proto static scope link metric 100 

sudo:

default dev tun0 scope link 
default via 192.168.1.1 dev enp2s0 proto dhcp metric 100 
91.230.17.190 via 192.168.1.1 dev enp2s0 src 192.168.1.11 
172.29.0.15 dev tun0 scope link 
172.29.6.131 dev tun0 scope link 
172.29.31.96 dev tun0 scope link 
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.11 metric 100 

OK, so Network Manager isn't setting up the default route to go via the VPN.

You should be able to control routes using the NM settings:

[image: NetworkManager VPN route settings]

The example above shows how to use the VPN only for that IP range rather than pass all traffic over the VPN.

Try switching those settings, reconnecting, and check the output of ip route.

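To see why the same RDP target is reachable in one case and not the other, it helps to run the kernel's route selection by hand over the two `ip route` listings above. The following is an added example, not code from the thread or from openconnect/NetworkManager: it parses `ip route` output (longest prefix wins, lower metric breaks ties; policy routing and reverse-path filtering are ignored, which is an assumption) and reports which interface would carry a packet to a given destination. The route tables are copied from this thread; the RDP target 10.3.102.12 is the one that appears in the remmina lsof line later in the thread.

```python
"""Longest-prefix-match lookup over `ip route` output (added example)."""
import ipaddress

# Route tables copied from the thread: the NetworkManager case and the sudo openconnect case.
NM_ROUTES = """\
default via 192.168.1.1 dev enp2s0 proto dhcp metric 100
90.230.17.90 via 192.168.1.1 dev enp2s0 proto static metric 100
172.29.0.15 dev vpn0 proto static scope link metric 50
172.29.6.131 dev vpn0 proto static scope link metric 50
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.11 metric 100
192.168.1.1 dev enp2s0 proto static scope link metric 100
"""

SUDO_ROUTES = """\
default dev tun0 scope link
default via 192.168.1.1 dev enp2s0 proto dhcp metric 100
91.230.17.190 via 192.168.1.1 dev enp2s0 src 192.168.1.11
172.29.0.15 dev tun0 scope link
172.29.6.131 dev tun0 scope link
172.29.31.96 dev tun0 scope link
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.11 metric 100
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, device, metric) tuples.

    A bare host address (no /len) is a /32; 'default' is 0.0.0.0/0; a route
    without an explicit metric gets metric 0, as the kernel treats it.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev, metric = None, 0
        for i, tok in enumerate(fields):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "metric":
                metric = int(fields[i + 1])
        routes.append((net, dev, metric))
    return routes


def lookup(routes, addr):
    """Return the device that would carry a packet to addr, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best_key, best_dev = None, None
    for net, dev, metric in routes:
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_dev = key, dev
    return best_dev


def not_via(routes, vpn_dev, targets):
    """List the targets that would NOT leave through vpn_dev under this table."""
    return [t for t in targets if lookup(routes, t) != vpn_dev]


if __name__ == "__main__":
    targets = ["10.3.102.12", "172.29.0.15", "172.29.6.131"]
    print("NetworkManager: bypassing vpn0 ->", not_via(parse_routes(NM_ROUTES), "vpn0", targets))
    print("sudo openconnect: bypassing tun0 ->", not_via(parse_routes(SUDO_ROUTES), "tun0", targets))
```

Under the sudo table the `default dev tun0` entry (metric 0) beats the DHCP default (metric 100), so everything not covered by a more specific route, the RDP host included, goes into the tunnel; under the NetworkManager table only the two /32 host routes point at vpn0 and the RDP host falls through to enp2s0. That is the difference the reply above points at, made visible without a packet capture.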

I think I know where the problem is:
when using sudo I have 3 addresses assigned:

172.29.0.15 dev tun0 scope link 
172.29.6.131 dev tun0 scope link 
172.29.31.96 dev tun0 scope link 

with NM only 2:

172.29.0.15 dev vpn0 proto static scope link metric 50 
172.29.6.131 dev vpn0 proto static scope link metric 50 

And it looks like the remote desktop uses the third one:

remmina    9871 lukasz   42u  IPv4 205411      0t0  TCP 172.29.31.108:52738->10.3.102.12:3389 (ESTABLISHED)

Pinging the other two addresses works.
The problem is: why is this address not assigned automatically?

More logs from journalctl -u NetworkManager.service:

Data:   Internal Address: 172.29.31.114
ESP session established with server
Data:   Internal Prefix: 32
ESP tunnel connected; exiting HTTPS mainloop.
Data:   Internal Point-to-Point Address: 172.29.31.114
Data:   Static Route: 172.29.6.131/32   Next Hop: 0.0.0.0
Data:   Static Route: 172.29.0.15/32   Next Hop: 0.0.0.0
Data:   Internal DNS: 172.29.0.15
Data:   Internal DNS: 172.29.6.131
Data:   DNS Domain: 'xxx_devnet.pl'
Data: No IPv6 configuration
VPN plugin: state changed: started (4)
VPN connection: (IP Config Get) complete

You can add that route manually via the settings menu I posted above.


Thank you very much for the help, I have added this rule to the table and it works now :grinning:
