
Network manager and split DNS for a VPN?

Network manager and split DNS for a VPN?

Karl Auer
Has anyone got split DNS working with a vpnc VPN connection under
16.04-2?

All my googling suggests that this is still a basic bug in
NM/Ubuntu16.04, but maybe someone has figured it out.

I could probably get it working the hard way by installing the real
dnsmasq and hardcoding a suitable split in dnsmasq.conf, but that is a
sad and inflexible method. It would be so much nicer if NM would do it.

It looks as if it wants to. The log is full of optimistic statements
about what it will do - but it just doesn't do it!

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: Network manager and split DNS for a VPN?

Peter Silva
FWIW, every time I start up a VPN connection, DNS breaks: it won't answer any queries, so I kill dnsmasq. Something starts it back up, and it's OK (it resolves the internal addresses as per the VPN connection). It started a month or two ago...


On Tue, Apr 11, 2017 at 2:39 PM, Karl Auer <[hidden email]> wrote:
> Has anyone got split DNS working with a vpnc VPN connection under
> 16.04-2?
>
> All my googling suggests that this is still a basic bug in
> NM/Ubuntu16.04, but maybe someone has figured it out.
>
> I could probably get it working the hard way by installing the real
> dnsmasq and hardcoding a suitable split in dnsmasq.conf, but that is a
> sad and inflexible method. It would be so much nicer if NM would do it.
>
> It looks as if it wants to. The log is full of optimistic statements
> about what it will do - but it just doesn't do it!
>
> Regards, K.


Re: Network manager and split DNS for a VPN?

Karl Auer
On Tue, 2017-04-11 at 18:46 -0400, Peter Silva wrote:
> fwiw, every time I startup a vpn connection, dns breaks, it won't
> answer any queries, so I kill dnsmasq.  Something starts it back up,
> and it's OK (resolves the internal addresses as per the vpn
> connection.)   It started a month or two ago...

Thanks.

I can resolve stuff over the VPN if I disable dnsmasq and restart NM. I
can resolve local addresses as long as either dnsmasq is running OR the
VPN is not up. As soon as the VPN comes up without dnsmasq, the
nameservers acquired over the VPN are first in /etc/resolv.conf, and my
local nameservers are never queried.

What I want is *split* DNS, so that queries for the domain at the other
end of the VPN are answered by the nameservers picked up over the VPN,
while local queries are answered by the nameservers picked up from the
local environment.

It *should* work, and dnsmasq even *looks* as if it is doing it, but
it isn't actually working. Here is a sample bit of dnsmasq log file
after the VPN comes up:

Apr 12 04:40:36 kt dnsmasq[14038]: setting upstream servers from DBus
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain example.com.au
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain 255.52.168.192.in-addr.arpa
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain 168.192.in-addr.arpa
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain 16.172.in-addr.arpa
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain 17.172.in-addr.arpa
[...]

Regards, K.



Re: Network manager and split DNS for a VPN?

Paul Smith-2
On Wed, 2017-04-12 at 09:03 +1000, Karl Auer wrote:

> On Tue, 2017-04-11 at 18:46 -0400, Peter Silva wrote:
> > fwiw, every time I startup a vpn connection, dns breaks, it won't
> > answer any queries, so I kill dnsmasq.  Something starts it back up,
> > and it's OK (resolves the internal addresses as per the vpn
> > connection.)   It started a month or two ago...
>
> Thanks.
>
> I can resolve stuff over the VPN if I disable dnsmasq and restart NM. I
> can resolve local addresses as long as either dnsmasq is running OR the
> VPN is not up. As soon as the VPN comes up without dnsmasq, the
> nameservers acquired over the VPN are first in /etc/resolv.conf, and my
> local nameservers are never queried.

I'm fairly sure you're all experiencing this bug:

https://bugs.launchpad.net/bugs/1639776

There is a fix (to dnsmasq-base) already in -proposed for both Xenial
and Yakkety.  I'm waiting and hoping for this fix to get promoted to
-updates soon; it's been verified for almost 2 weeks now (but, it's a
busy time).

You can run "sudo killall -HUP NetworkManager" to fix it; you can add a
script to force that to happen every time you bring up a VPN interface,
or you can get this package from -proposed.

Cheers!


Re: Network manager and split DNS for a VPN?

Xen
In reply to this post by Karl Auer
Karl Auer wrote on 12-04-2017 1:03:

> It *should* work, and dnsmasq it even *looks* as if it is doing it, but
> it isn't actually working. Here is a sample bit of dnsmasq log file
> after the VPN comes up:

Question: can you query the dnsmasq contents while it is running?

I never really liked the fact that dnsmasq (as a local nameserver) is
used by default by NetworkManager,

although I guess it moves the inflexibility (?) of /etc/resolv.conf to
something more developed.

For a user seeing /etc/resolv.conf output something like:

127.0.1.1 localhost

and then not being able to verify the contents of that nameserver is a
bit disheartening.

Particularly as I think the commands are updated over dbus and the user
has no control over that at all.

Regards.


Re: Network manager and split DNS for a VPN?

Karl Auer
In reply to this post by Paul Smith-2
On Tue, 2017-04-11 at 19:53 -0400, Paul Smith wrote:
> You can run "sudo killall -HUP NetworkManager" to fix it

Well spin my nipple-nuts and send me to Alaska; that does work a treat.
Well done. It doesn't fix the failure to add the additional domain to
the search list, but it's a heap better than no split at all. I look
forward to the next LTS release.

> you can add a script to force that to happen every time you bring up
> a VPN interface

Can you suggest where that script should be located or hooked in? No
option within NetworkManager that I can see. udev beckons, but is
brittle and tricky. ifupdown?

Regards, K.


Re: Network manager and split DNS for a VPN?

Chris Green
In reply to this post by Xen
On Wed, Apr 12, 2017 at 09:13:49AM +0200, Xen wrote:

> Karl Auer wrote on 12-04-2017 1:03:
>
> > It *should* work, and dnsmasq it even *looks* as if it is doing it, but
> > it isn't actually working. Here is a sample bit of dnsmasq log file
> > after the VPN comes up:
>
> Question: can you query the dnsmasq contents while it is running?
>
> I never really liked the fact that dnsmasq (as a local nameserver) is used
> by default by NetworkManager,
>
> although I guess it moves the inflexibility (?) of /etc/resolv.conf to
> something more developed.
>
> For a user seeing /etc/resolv.conf output something like:
>
> 127.0.1.1 localhost
>
> and then not being able to verify the contents of that nameserver is a bit
> disheartening.
>
> Particularly as I think the commands are updated over dbus and the user has
> no control over that at all.
>
I absolutely agree, it's a pain not being able to easily see where
one's DNS is *actually* being resolved.  

The way that dnsmasq is used 'automatically' by Network Manager is
very inflexible.

There should be:-

    A well documented way to configure the dnsmasq used by Network
    Manager as a full/proper dnsmasq, or a way to unhook it from
    Network Manager.

    Somewhere easy to find the actual upstream DNS servers (i.e.  the
    ones recommended by your ISP or whatever) that are being used.

--
Chris Green


Re: Network manager and split DNS for a VPN?

Tom H-4
In reply to this post by Xen
On Wed, Apr 12, 2017 at 3:13 AM, Xen <[hidden email]> wrote:

> Karl Auer wrote on 12-04-2017 1:03:
>
>> It *should* work, and dnsmasq it even *looks* as if it is doing it, but
>> it isn't actually working. Here is a sample bit of dnsmasq log file
>> after the VPN comes up:
>
> Question: can you query the dnsmasq contents while it is running?
>
> I never really liked the fact that dnsmasq (as a local nameserver) is used
> by default by NetworkManager,
>
> although I guess it moves the inflexibility (?) of /etc/resolv.conf to
> something more developed.
>
> For a user seeing /etc/resolv.conf output something like:
>
> 127.0.1.1 localhost
>
> and then not being able to verify the contents of that nameserver is a bit
> disheartening.
>
> Particularly as I think the commands are updated over dbus and the user has
> no control over that at all.

root@localhost ~ # cat nm.sh
#!/bin/sh
echo "#### using uuid ####"
nmcli -f IP4 c sh uuid $(nmcli -t -f UUID c sh --active)
echo
echo "#### using id ####"
nmcli -f IP4 c sh id "$(nmcli -t -f NAME c sh --active)"

root@localhost ~ # ./nm.sh
#### using uuid ####
IP4.ADDRESS[1]:                         192.168.0.108/24
IP4.GATEWAY:                            192.168.0.1
IP4.DNS[1]:                             8.8.8.8
IP4.DNS[2]:                             8.8.4.4

#### using id ####
IP4.ADDRESS[1]:                         192.168.0.108/24
IP4.GATEWAY:                            192.168.0.1
IP4.DNS[1]:                             8.8.8.8
IP4.DNS[2]:                             8.8.4.4

[previous versions of NM had "nm-tool"]


Re: Network manager and split DNS for a VPN?

Tom H-4
In reply to this post by Chris Green
On Wed, Apr 12, 2017 at 5:45 AM, Chris Green <[hidden email]> wrote:

> On Wed, Apr 12, 2017 at 09:13:49AM +0200, Xen wrote:
>>
>> For a user seeing /etc/resolv.conf output something like:
>>
>> 127.0.1.1 localhost
>>
>> and then not being able to verify the contents of that nameserver is a bit
>> disheartening.
>>
>> Particularly as I think the commands are updated over dbus and the user has
>> no control over that at all.
>>
> I absolutely agree, it's a pain not being able to easily see where
> one's DNS is *actually* being resolved.
>
> The way that dnsmasq is used 'automatically' by Network Manager is
> very inflexible.
>
> There should be:-
>
> A well documented way to configure the dnsmasq used by Network
> Manager as a full/proper dnsmasq, or a way to unhook it from
> Network Manager.

When you're using dhcp, by default:

- set "dns=none" in "/etc/NetworkManager/NetworkManager.conf" and NM
won't populate "/etc/resolv.conf"

- set "dns=default" in "/etc/NetworkManager/NetworkManager.conf" and
NM'll populate "/run/NetworkManager/resolv.conf" with the dhcp
client's nameserver(s)

- set "dns=dnsmasq" in "/etc/NetworkManager/NetworkManager.conf" and
NM'll populate "/run/NetworkManager/resolv.conf" with "127.0.1.1" and
dnsmasq'll use the dhcp client's nameserver(s)


> Somewhere easy to find the actual upstream DNS servers (i.e. the
> ones recommended by your ISP or whatever) that are being used.

See my previous email about issuing nmcli.


Re: Network manager and split DNS for a VPN?

Xen
In reply to this post by Tom H-4
Tom H wrote on 12-04-2017 17:27:

> root@localhost ~ # cat nm.sh
> #!/bin/sh
> echo "#### using uuid ####"
> nmcli -f IP4 c sh uuid $(nmcli -t -f UUID c sh --active)
> echo
> echo "#### using id ####"
> nmcli -f IP4 c sh id "$(nmcli -t -f NAME c sh --active)"
>
> root@localhost ~ # ./nm.sh
> #### using uuid ####
> IP4.ADDRESS[1]:                         192.168.0.108/24
> IP4.GATEWAY:                            192.168.0.1
> IP4.DNS[1]:                             8.8.8.8
> IP4.DNS[2]:                             8.8.4.4
>
> #### using id ####
> IP4.ADDRESS[1]:                         192.168.0.108/24
> IP4.GATEWAY:                            192.168.0.1
> IP4.DNS[1]:                             8.8.8.8
> IP4.DNS[2]:                             8.8.4.4

Yah, maybe it's just me, but I still don't consider NetworkManager to be
the "trusted party" to go to for information.

There is probably a shorter command than the above that does the same, I
once used it. And I had forgotten since how to do it. NM is to me just
not a "central" thing to remember and base yourself on.

That's probably just me (right? ;-)) but the above is pretty convoluted
as a form of "standard" way to find some information.

I understand that NM manages DNSmasq and therefore knows this
information and is the frontend that dnsmasq itself lacks.

nmcli itself has a syntax I find impossible to remember.

I once suggested they turn nmcli into a graphical tool and then perfect
the interface of the graphical tool and then use that to inform any
changes to nmcli, in the sense of having a secondary thing to work on
that doesn't have to "be" anything yet.

Turns out they already had one. Or were thinking of one. The
NetworkManager people are really quite responsive and helpful and they
are one of the few teams I have ever seen that conduct surveys as to
their popularity and user-friendliness in that sense.

I just think that whatever was introduced should have stayed closer to
the old paradigm and built on that instead of replacing it as it does
now. One of the biggest examples is that if you give an IP to a managed
connection using standard command line tools, within a few seconds NM
will reset the interface again and take the IP off of it.

Which is just hugely frustrating but just goes to show what the
relationship is between the two systems.

I will always keep seeing NetworkManager as an invader and I really turn
it off if I don't need the roaming support or the VPN desktop icon lock
ability support, and stuff like that. I only use it for the widget in
your desktop environment of choice.

You can import VPN configuration or make it the same but then it becomes
impossible for instance to have a non-encrypted connection because NM
didn't support it (yet) which leaves you fiddling with some wrapper
around a binary to change the actual parameters given to openvpn etc.

The wealth of configuration available in standard openvpn.conf files ...
I just don't think a good "inbetween" was found but that's just me,
right ;-).

Well, sorry for complaining here I guess.

I don't like these old pleasant systems being replaced by something new
and more powerful but lacking in so many ways that it isn't even funny.
And then whereas before you could script around stuff or change things
easily, now it becomes a matter of waiting until the next pre-compiled
binary arrives that maybe will have fixed something.

It becomes just the same as any commercial system over which you have no
control from my point of view.

Forever dependent on upstream fixes...

And the system just doesn't respect your choices. Well anyway.


Re: Network manager and split DNS for a VPN?

Tony Arnold-3
In reply to this post by Karl Auer
Karl,

On Wed, 2017-04-12 at 19:30 +1000, Karl Auer wrote:
>
> Well spin my nipple-nuts and send me to Alaska; that does work a
> treat.
>

What a great turn of phrase! I really must work that into a
conversation sometime; maybe at an important meeting at work!

Regards,
Tony.
--
Tony Arnold MBCS, CITP | Senior IT Security Analyst | Directorate of IT Services | G64, Kilburn Building | The University of Manchester | Manchester M13 9PL | T: +44 161 275 6093 | M: +44 773 330 0039

Re: Network manager and split DNS for a VPN?

Paul Smith-2
In reply to this post by Karl Auer
On Wed, 2017-04-12 at 19:30 +1000, Karl Auer wrote:
> On Tue, 2017-04-11 at 19:53 -0400, Paul Smith wrote:
> > You can run "sudo killall -HUP NetworkManager" to fix it
>
> Well spin my nipple-nuts and send me to Alaska; that does work a treat.
> Well done. It doesn't fix the failure to add the additional domain to
> the search list, but its a heap better than no split at all. I look
> forward to the next LTS release.

I got a notice that the new dnsmasq-base was released via SRU to xenial-
updates today.  So if you're running 16.04 LTS you should be able to run
"sudo apt update && sudo apt upgrade" and get a fix for this problem.

I'm not sure what the story is with fixes for Yakkety or Zesty.  For
Yakkety you can fix it now, by enabling the -proposed repository.

> > you can add a script to force that to happen every time you bring up
> > a VPN interface
>
> Can you suggest where that script should be located or hooked in? No
> option within NetworkManager that I can see. udev beckons, but is
> brittle and tricky. ifupdown?

Sure, easy: just create a script in /etc/NetworkManager/dispatcher.d:

  $ sudo -s

  # (echo '#!/bin/sh'; \
      echo '[ "$1 $2" != "tun0 up" ] || killall -HUP NetworkManager') \
      > /etc/NetworkManager/dispatcher.d/99resetnm

  # chmod 755 /etc/NetworkManager/dispatcher.d/99resetnm

Note that this assumes that your VPN device is using tun, not tap, and
always uses tun0.  You can check the VPN config and/or run "ifconfig -a"
when the VPN is running, to see what devices are being used.

The next time you start an interface this script will be run.  Delete
that file when you no longer need it (when you have the new dnsmasq
package).
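
A variant of the dispatcher hook above that does not depend on the device being exactly tun0, together with a check for the file conditions NetworkManager requires before it runs a dispatcher script (regular executable file, owned by root, not writable by group or other, not setuid). This is an added example, not part of the original post; the function names is_tunnel_up and hook_file_is_safe are made up here.

```sh
#!/bin/sh
# Added example, not from the original post. NetworkManager runs each
# dispatcher script as root with: $1 = interface name, $2 = action.

# True when the event is "up" on any tunN or tapN device, so the hook keeps
# working if the VPN gets tun1, or uses tap instead of tun.
is_tunnel_up() {
    [ "$2" = "up" ] || return 1
    case "$1" in
        tun*) idx=${1#tun} ;;
        tap*) idx=${1#tap} ;;
        *) return 1 ;;
    esac
    # Only digits may follow the prefix (rejects "tun", "tunnel0", "tap0:1").
    case "$idx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# True when the file at $1 is a regular executable file owned by uid $2
# (default 0, root), not writable by group or other, and not setuid.
# A hook that fails these conditions is skipped by NetworkManager, and a
# hook writable by another user would be a root command injection point.
hook_file_is_safe() {
    [ -x "$1" ] || return 1
    ls -ldn -- "$1" 2>/dev/null | awk -v uid="${2:-0}" '
        { m = $1
          ok = substr(m, 1, 1) == "-" &&
               substr(m, 6, 1) != "w" && substr(m, 9, 1) != "w" &&
               tolower(substr(m, 4, 1)) != "s" && $3 == uid }
        END { exit ok ? 0 : 1 }'
}

# Dispatcher entry point: does nothing unless called with <iface> <action>.
if [ "$#" -ge 2 ] && is_tunnel_up "$1" "$2"; then
    killall -HUP NetworkManager
fi
```
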


Re: Network manager and split DNS for a VPN?

Paul Smith-2
In reply to this post by Xen
On Wed, 2017-04-12 at 09:13 +0200, Xen wrote:
> Karl Auer wrote on 12-04-2017 1:03:
>
> > It *should* work, and dnsmasq it even *looks* as if it is doing it, but
> > it isn't actually working. Here is a sample bit of dnsmasq log file
> > after the VPN comes up:
>
> Question: can you query the dnsmasq contents while it is running?

I don't know of a way to query it.  But you can turn on logging; do
this:

  $ sudo -s

  # echo log-queries > /etc/NetworkManager/dnsmasq.d/log-queries

  # killall -HUP NetworkManager

Now every DNS lookup you make will have lots of information about
exactly how the lookup was done logged; to see it, use for example:

  $ journalctl -t dnsmasq

Delete the log-queries file if you no longer need the debugging.

> I never really liked the fact that dnsmasq (as a local nameserver) is 
> used by default by NetworkManager, although I guess it moves the
> inflexibility (?) of /etc/resolv.conf to something more developed.

It is annoying that what used to be easily available is now hidden away,
I agree.  On the other hand the functionality it provides is important
if you need more advanced networking than wired systems with a single
static-ish interface, such as split tunneling, VPN, virtual networking
(for VMs etc.) and probably other reasons.
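
One way to act on the query log described above is to compare each "forwarded" line against the "using nameserver ... for domain ..." rules dnsmasq logged, and flag any query that went to the wrong side of the split (an internal name sent to the local resolver, or a public name sent into the VPN). This is an added example, not part of the original post; the function names, the script name, the local resolver 192.168.0.1 and the queried host names are made up, and the log lines are constructed in the shape dnsmasq writes with log-queries enabled.

```sh
#!/bin/sh
# Added example, not from the thread: audit dnsmasq "log-queries" output and
# flag queries forwarded to a server that the split-DNS rules do not allow.

# Constructed sample log. Host, PID, VPN domain and VPN resolver follow the
# excerpt quoted earlier in the thread; the local resolver 192.168.0.1 and
# every queried name are invented for this example.
sample_log() {
    cat <<'EOF'
Apr 12 04:40:36 kt dnsmasq[14038]: setting upstream servers from DBus
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.0.1#53
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain example.com.au
Apr 12 04:40:36 kt dnsmasq[14038]: using nameserver 192.168.100.54#53 for domain 168.192.in-addr.arpa
Apr 12 04:41:02 kt dnsmasq[14038]: query[A] intranet.example.com.au from 127.0.0.1
Apr 12 04:41:02 kt dnsmasq[14038]: forwarded intranet.example.com.au to 192.168.100.54
Apr 12 04:41:05 kt dnsmasq[14038]: query[A] www.ubuntu.com from 127.0.0.1
Apr 12 04:41:05 kt dnsmasq[14038]: forwarded www.ubuntu.com to 192.168.0.1
Apr 12 04:41:09 kt dnsmasq[14038]: query[PTR] 10.100.168.192.in-addr.arpa from 127.0.0.1
Apr 12 04:41:09 kt dnsmasq[14038]: forwarded 10.100.168.192.in-addr.arpa to 192.168.100.54
Apr 12 04:41:12 kt dnsmasq[14038]: query[A] wiki.example.com.au from 127.0.0.1
Apr 12 04:41:12 kt dnsmasq[14038]: forwarded wiki.example.com.au to 192.168.0.1
Apr 12 04:41:15 kt dnsmasq[14038]: query[A] www.debian.org from 127.0.0.1
Apr 12 04:41:15 kt dnsmasq[14038]: forwarded www.debian.org to 192.168.100.54
EOF
}

# Reads a dnsmasq log on stdin. Prints one MISROUTED line per query that was
# forwarded to a server not listed for its most specific matching domain
# rule (or not listed as a default server when no rule matches).
# Returns 1 if anything was misrouted, 0 otherwise.
audit_split_dns() {
    awk '
    # Longest-suffix match of a query name against the per-domain rules.
    function rule_for(name,    d, dot) {
        d = name
        while (d != "") {
            if (d in domains) return d
            dot = index(d, ".")
            if (dot == 0) break
            d = substr(d, dot + 1)
        }
        return ""                      # no rule: default upstream applies
    }
    {
        msg = $0
        if (!sub(/^.*dnsmasq\[[0-9]+\]: /, "", msg)) next
        split(msg, f, " ")
    }
    # NetworkManager pushed a new server list: forget the old rules.
    msg == "setting upstream servers from DBus" {
        split("", domains); split("", servers); next
    }
    f[1] == "using" && f[2] == "nameserver" {
        ip = f[3]; sub(/#.*$/, "", ip)
        dom = (f[4] == "for" && f[5] == "domain") ? tolower(f[6]) : ""
        if (dom != "") domains[dom] = 1
        servers[dom, ip] = 1
        next
    }
    f[1] == "forwarded" && f[3] == "to" {
        name = tolower(f[2]); sub(/\.$/, "", name)
        rule = rule_for(name)
        if (!((rule, f[4]) in servers)) {
            printf "MISROUTED %s via %s (rule: %s)\n", name, f[4], (rule == "" ? "default" : rule)
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }
    '
}

# Typical use:  journalctl -t dnsmasq | sh audit-split-dns.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_split_dns
fi
```
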


Re: Network manager and split DNS for a VPN?

Tom H-4
In reply to this post by Xen
On Wed, Apr 12, 2017 at 1:27 PM, Xen <[hidden email]> wrote:
> Tom H wrote on 12-04-2017 17:27:


>> root@localhost ~ # cat nm.sh
>> #!/bin/sh
>> echo "#### using uuid ####"
>> nmcli -f IP4 c sh uuid $(nmcli -t -f UUID c sh --active)
>> echo
>> echo "#### using id ####"
>> nmcli -f IP4 c sh id "$(nmcli -t -f NAME c sh --active)"
>>
>> root@localhost ~ # ./nm.sh
>> #### using uuid ####
>> IP4.ADDRESS[1]:                         192.168.0.108/24
>> IP4.GATEWAY:                            192.168.0.1
>> IP4.DNS[1]:                             8.8.8.8
>> IP4.DNS[2]:                             8.8.4.4
>>
>> #### using id ####
>> IP4.ADDRESS[1]:                         192.168.0.108/24
>> IP4.GATEWAY:                            192.168.0.1
>> IP4.DNS[1]:                             8.8.8.8
>> IP4.DNS[2]:                             8.8.4.4
>
> Yah, maybe it's just me, but I still don't consider NetworkManager to
> be the "trusted party" to go to for information.

If you're trusting NM to set up your network, including the
nameservers, you should trust it to return accurate information about
your network setup, including the nameservers.


> There is probably a shorter command than the above that does the same,
> I once used it. And I had forgotten since how to do it. NM is to me
> just not a "central" thing to remember and based yourself on.

I thought that I'd said in my original email that previous versions of
NM had "nm-tool". It's too bad that it was removed, although I'd have
preferred it to be "nmtool"...


> That's probably just me (right? ;-)) but the above is pretty
> convoluted as a form of "standard" way to find some information.
>
> I understand that NM manages DNSmasq and therefore knows this
> information and is the frontend that dnsmasq itself lacks.

The reason that dnsmasq lacks a frontend is that it's not the "full"
package, dnsmasq, that's used by NM; it's dnsmasq-base.

dnsmasq-base installs "/usr/sbin/dnsmasq" and
"/etc/dbus-1/system.d/dnsmasq.conf".

dnsmasq installs "/etc/dnsmasq.conf", "/etc/init.d/dnsmasq", and
"/lib/systemd/system/dnsmasq.service".

If you use dnsmasq and resolvconf, IIRC, you can run "cat
/run/resolvconf/resolv.conf" (or possibly "cat
/run/dnsmasq/resolv.conf"; I don't have them installed to check,
sorry).


> nmcli itself has a syntax I find impossible to remember.

The above is the only nmcli command that I know and use.

I remember them because

"c sh" is short for "connection show" and is similar to ip's "a
sh"/"address show".

"-f" stands for "field(s)". I sometimes type "ipv4" rather than "IP4"
for the first one and then realize that I've screwed up...

I prefer the "uuid ... UUID" version because they correspond, whereas
in the "id ... NAME" I have to remember that the output of "NAME" is
the input of "id".


> I once suggested they turn nmcli into a graphical tool and then
> perfect the interface of the graphical tool and then use that to
> inform any changes to nmcli, in the sense of having a secondary thing
> to work on that doesn't have to "be" anything yet.
>
> Turns out they already had one. Or were thinking of one.

I don't understand.

There's also "nmtui" but it's not the same thing as "nmcli". The GUI
tools are "nm-applet" and "nm-connection-editor".

I've never actually checked but I suspect that the different panes of
one of the GUI applications correspond to the nmcli verbs.


> The NetworkManager people are really quite responsive and helpful and
> they are one of the few teams I have ever seen that conduct surveys as
> to their popularity and user-friendliness in that sense.

I only "know" the lead developer, Dan Williams. I've never dealt with
him directly but I've noticed in various posts that he's helpful and
open to suggestions and requests in spite of all of the NM bashing.


Re: Network manager and split DNS for a VPN?

Xen
Tom H wrote on 13-04-2017 7:36:

> If you're trusting NM to set up your network, including the
> nameservers. You should trust it to return accurate information about
> your network setup, including the nameservers.

Aye. Trust is a big word. Anyway, sorry for complaining.

> I thought that I'd said in my original email that previous versions of
> NM had "nm-tool". It's too bad that it was removed, although I'd have
> preferred it to be "nmtool"...

aye but your nmcli command probably also works with less parameters.

I just can't test because I don't have any NetworkManager system I think
:p.

> The reason that dnsmasq lacks a frontend is that it's not the "full"
> package, dnsmasq, that's used by NM; it's dnsmasq-base.
>
> dnsmasq-base installs "/usr/sbin/dnsmasq" and
> "/etc/dbus-1/system.d/dnsmasq.conf".
>
> dnsmasq installs "/etc/dnsmasq.conf", "/etc/init.d/dnsmasq", and
> "/lib/systemd/system/dnsmasq.service".
>
> If you use dnsmasq and resolvconf, IIRC, you can run "cat
> /run/resolvconf/resolv.conf" (or possibly "cat
> /run/dnsmasq/resolv.conf"; I don't have them installed to check,
> sorry).

Oh. Well that would be nice. So they're basically using dnsmasq as a
plugin almost.

>> nmcli itself has a syntax I find impossible to remember.
>
> The above is the only nmcli command that I know and use.
>
> I remember them because
>
> "c sh" is short for "connection show" and is similar to ip's "a
> sh"/address show".

Okay so they modelled it on that. For some reason "ip" is not as hard to
remember, although I sometimes get lost in the confusion of "ip table
show second" or "ip show table second" and stuff like that ;-).

> "-f" stands for "field(s)". I sometimes type "ipv4" rather than "IP4"
> for the first one and then realize that I've screwed up...
>
> I prefer the "uuid ... UUID" version because they correspond, whereas
> in the "id ... NAME" I have to remember that the output of "NAME" is
> the input of "id".

Well all of that just goes to show how unusable it is.

Not saying, for instance, that's easy in MS Windows. You have some netsh
command that is equally impossible to remember.

In Windows it would be

netsh interface ipv4 show dnsservers

But I would much rather have it show with "ipconfig", same as
"ifconfig". Ifconfig in Linux is just a nice informative tool, even if
it is "deprecated".

Well, enough.

>> I once suggested they turn nmcli into a graphical tool and then
>> perfect the interface of the graphical tool and then use that to
>> inform any changes to nmcli, in the sense of having a secondary thing
>> to work on that doesn't have to "be" anything yet.
>>
>> Turns out they already had one. Or were thinking of one.
>
> I don't understand.
>
> There's also "nmtui" but it's not the same thing as "nmcli". The GUI
> tools are "nm-applet" and "nm-connection-editor".

I think I meant nmtui.

I think the nmcli hierarchy is just so complex that I thought they
should use something else (as a secondary) to evolve the command
structure in a GUI (ncurses) and then when they are content with that
and it is very usable, use that to inform changes to nmcli.

Then you don't have to change anything until you are completely
comfortable with that.

nmcli will never be changed incrementally.

Well.

>> The NetworkManager people are really quite responsive and helpful and
>> they are one of the few teams I have ever seen that conduct surveys as
>> to their popularity and user-friendliness in that sense.
>
> I only "know" the lead developer, Dan Williams. I've never dealt with
> him directly but I've noticed in various posts that he's helpful and
> open to suggestions and requests in spite of all of the NM bashing.

Yes, this is the IRC channel headline:

"Stop by and bitch, moan, rave, flame, suggest, request, patch, anything
you like."

So they are really just quite chill about it.


Re: Network manager and split DNS for a VPN?

Chris Green
On Thu, Apr 13, 2017 at 09:32:30AM +0200, Xen wrote:

> aye but your nmcli command probably also works with less parameters.
>
> I just can't test because I don't have any NetworkManager system I think :p.
>
> > The reason that dnsmasq lacks a frontend is that it's not the "full"
> > package, dnsmasq, that's used by NM; it's dnsmasq-base.
> >
> > dnsmasq-base installs "/usr/sbin/dnsmasq" and
> > "/etc/dbus-1/system.d/dnsmasq.conf".
> >
> > dnsmasq installs "/etc/dnsmasq.conf", "/etc/init.d/dnsmasq", and
> > "/lib/systemd/system/dnsmasq.service".
> >
> > If you use dnsmasq and resolvconf, IIRC, you can run "cat
> > /run/resolvconf/resolv.conf" (or possibly "cat
> > /run/dnsmasq/resolv.conf"; I don't have them installed to check,
> > sorry).
>
> Oh. Well that would be nice. So they're basically using dnsmasq as a plugin
> almost.
>
It *would* be nice, however....

On my systems running the 'dnsmasq plugin' from NM I see:-

    chris$ cat /run/resolvconf/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1
    search zbmc.eu


... and on the system where I'm running a 'real' dnsmasq I see:-

    chris@raspberrypi:~$ cat /run/resolvconf/resolv.conf
    cat: /run/resolvconf/resolv.conf: No such file or directory
    chris@raspberrypi:~$

--
Chris Green

Re: Network manager and split DNS for a VPN?

Xen
Chris Green wrote on 13-04-2017 10:19:

> It *would* be nice, however....
>
> On my systems running the 'dnsmasq plugin' from NM I see:-
>
>     chris$ cat /run/resolvconf/resolv.conf
>     # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>     #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>     nameserver 127.0.1.1
>     search zbmc.eu
>
>
> ... and on the system where I'm running a 'real' dnsmasq I see:-
>
>     chris@raspberrypi:~$ cat /run/resolvconf/resolv.conf
>     cat: /run/resolvconf/resolv.conf: No such file or directory
>     chris@raspberrypi:~$

dnsmasq just lacks a proper querying method for all I'm concerned. At
least the versions I am familiar with are capable of e.g. writing a file
with DHCP lease contents, but actually having a user frontend, no.

Apparently that channel exists in the form of dbus. But it shouldn't be
so hard to have a form of "dnsmasq -q" command that would just query the
contents of its database.

Well anyway, there is never a lack of stuff to change ;-).


Re: Network manager and split DNS for a VPN?

Karl Auer
In reply to this post by Paul Smith-2
On Wed, 2017-04-12 at 17:39 -0400, Paul Smith wrote:
> I got a notice that the new dnsmasq-base was released via SRU to
> xenial-updates today.  So if you're running 16.04 LTS you should be
> able to run "sudo apt update && sudo apt upgrade" and get a fix for
> this problem.

I am, I did and I did. Excellent! Thanks for the pointers.

Regards, K.


Re: Network manager and split DNS for a VPN?

Karl Auer
In reply to this post by Tony Arnold-3
On Wed, 2017-04-12 at 20:42 +0000, Tony Arnold wrote:
> On Wed, 2017-04-12 at 19:30 +1000, Karl Auer wrote:
> > Well spin my nipple-nuts and send me to Alaska; that does work a
> > treat.
> >
> What a great turn of phrase! I really must work that into a
> conversation sometime; maybe at an important meeting at work!

I wish I could claim it was mine, but it's a (slightly modified) line
from Red Dwarf. It's spoken by a robot called Kryten. You can get it on
a t-shirt!

https://store.ministryofbritishcomedy.com/products/spin-my-nipple-nuts-and-send-me-to-alaska

Regards, K.


Re: Network manager and split DNS for a VPN?

Tom H-4
In reply to this post by Xen
On Thu, Apr 13, 2017 at 3:32 AM, Xen <[hidden email]> wrote:
> Tom H wrote on 13-04-2017 7:36:


>> I thought that I'd said in my original email that previous versions of
>> NM had "nm-tool". It's too bad that it was removed, although I'd have
>> preferred it to be "nmtool"...
>
> aye but your nmcli command probably also works with less parameters.

If you know the UUID or ID of the active connection, you can use one "nmcli"

nmcli -f IP4 c sh uuid <UUID>
or
nmcli -f IP4 c sh id <ID>

The command that I'd posted pulled out the active connection with the
"$(nmcli ... --active)" part.


>>> nmcli itself has a syntax I find impossible to remember.
>>
>> The above is the only nmcli command that I know and use.
>>
>> I remember them because
>>
>> "c sh" is short for "connection show" and is similar to ip's "a
>> sh"/"address show".
>
> Okay so they modelled it on that. For some reason "ip" is not as hard to
> remember, although I sometimes get lost in the confusion of "ip table show
> second" or "ip show table second" and stuff like that ;-).

It's a question of how often you use them. If I don't use "mdadm" for
three months or so, I have to skim through its man page to refresh my
memory.


>> "-f" stands for "field(s)". I sometimes type "ipv4" rather than "IP4"
>> for the first one and then realize that I've screwed up...
>>
>> I prefer the "uuid ... UUID" version because they correspond, whereas
>> in the "id ... NAME" I have to remember that the output of "NAME" is
>> the input of "id".
>
> Well all of that just goes to show how unusable it is.

Unusable, no. Quirky, yes.


> Not saying, for instance, that's easy in MS Windows. You have some netsh
> command that is equally impossible to remember.
>
> In Windows it would be
>
> netsh interface ipv4 show dnsservers
>
> But I would much rather have it show with "ipconfig", same as "ifconfig".
> Ifconfig in Linux is just a nice informative tool, even if it is
> "deprecated".

The problem, AIUI, is that the CLI commands more or less mimic the GUI tool.

For example, "networksetup" is the macOS CLI command (on my Mac, I've
renamed "Wi-Fi", the default name, "wifi" because it's faster to
type...).

root@localhost ~ # networksetup -listallnetworkservices
An asterisk (*) denotes that a network service is disabled.
*LPSS Serial Adapter
wifi
*Bluetooth PAN

root@localhost ~ # networksetup -getinfo wifi
Manual Configuration
IP address: 192.168.0.54
Subnet mask: 255.255.255.0
Router: 192.168.0.1
IPv6: Off
Wi-Fi ID: a8:66:7f:3a:64:b2

root@localhost ~ # networksetup -getdnsservers wifi
8.8.8.8

Apple has chosen to use very long but clear and verbose options.
There's no way to remember them all but you don't have to remember how
to combine various subcommands and options. If you don't know the
exact option, you can run "networksetup -help | sort" and find the
invocation that you need.

Solaris has split up its previous, standard-Unix "ifconfig" into
"dladm" for layer 2 and "ipadm" for layer 3 but they're unrelated to
any GUI tool and they have add-* create-* down-* enable-* set-* show-*
delete-* disable-* remove-* subcommands.

Solaris also has something similar to NM called NWAM (Network
Auto-Magic) with "netcfg" and "netadm" commands. I've never used
"netcfg" and I've only used "netadm enable -p ncp DefaultFixed" in
order to disable NWAM and set up a static connection manually, then

root@localhost ~ # ipadm show-if
IFNAME     CLASS    STATE    ACTIVE OVER
lo0        loopback ok       yes    --
net0       ip       ok       yes    --

root@localhost ~ # ipadm show-addr
ADDROBJ        TYPE     STATE    ADDR
lo0/v4         static   ok       127.0.0.1/8
net0/v4static  static   ok       192.168.0.192/24
lo0/v6         static   ok       ::1/128

root@localhost ~ # svccfg -s network/dns/client listprop config/nameserver
config/nameserver net_address 8.8.8.8

It's a trend...

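Added example, not part of any post in this thread: with NM's dnsmasq plugin, resolv.conf shows only the local forwarder (127.0.1.1 in Chris Green's output), so checking which servers a VPN's split DNS really uses means reading the per-connection list that "nmcli -f IP4 c sh" prints. The sketch below makes that decision over constructed sample text; the function names, the sample addresses and the nmcli field layout shown are assumptions.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host).
SAMPLE_RESOLV='# Dynamic resolv.conf(5) file generated by resolvconf(8)
nameserver 127.0.1.1
search example.test'

# Constructed output in the "KEY:   value" layout of "nmcli -f IP4 c sh uuid <UUID>".
SAMPLE_NMCLI='IP4.ADDRESS[1]:                         192.0.2.10/24
IP4.GATEWAY:                            192.0.2.1
IP4.DNS[1]:                             192.0.2.53
IP4.DNS[2]:                             198.51.100.53
IP4.DOMAIN[1]:                          example.test'

# Print every nameserver address in resolv.conf text read from stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Exit 0 only if stdin names at least one nameserver and all are loopback,
# i.e. the file points at a local forwarder and hides the real upstreams.
stub_only() {
    awk '$1 == "nameserver" && NF >= 2 {
             n++
             if ($2 !~ /^127\./ && $2 != "::1") other++
         }
         END { exit !(n > 0 && other == 0) }'
}

# Print the DNS servers listed in nmcli IP4 output read from stdin.
nmcli_dns() {
    sed -n 's/^IP4\.DNS\[[0-9][0-9]*\]:[[:space:]]*//p'
}

# Join stdin lines with single spaces.
join_lines() {
    tr '\n' ' ' | sed 's/ *$//'
}

# $1 = resolv.conf text, $2 = nmcli output. Report which source is meaningful.
dns_report() {
    if printf '%s\n' "$1" | stub_only; then
        echo "stub: $(printf '%s\n' "$2" | nmcli_dns | join_lines)"
    else
        echo "direct: $(printf '%s\n' "$1" | resolv_nameservers | join_lines)"
    fi
}

dns_report "$SAMPLE_RESOLV" "$SAMPLE_NMCLI"
```

On a live system the two arguments would be the contents of /etc/resolv.conf and the output of the nmcli command quoted in Tom H's post.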