Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: NetworkManager / openvpn not working correctly (routes are not set up etc) | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.0 | Reporter: | Forgotten User ZhJd0F0L3x <forgotten_ZhJd0F0L3x> |
| Component: | Network | Assignee: | Tambet Ingo <tambet> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | aj, funtasyspace, hdunkel, rombert, security-team, uli.2001, wolfgang.engel |
| Version: | Beta 3plus | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | Development | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Comment 7
Bin Li
2008-05-30 09:50:20 UTC
*** Bug 350884 has been marked as a duplicate of this bug. ***

*** Bug 413573 has been marked as a duplicate of this bug. ***

Since the default route (pushed by the OpenVPN server) is _silently_ ignored, there are major security concerns against Suse11. This bug blocks us from deploying it on our road-warrior laptops.

Harald, please do not change severity and priority of a bug. Please read: http://en.opensuse.org/Bugs/Definitions This is not critical, I think the right severity is major (I could even argue normal). The bug had no priority so far (P5) and I ask Tambet to adjust it, I cannot judge whether P2 is the right one - but it's Tambet's task to set it.

Sorry, but I disagree about the severity. If the OpenVPN client (the road-warrior laptop) ignores the routing information sent by the company server, then the old routing information is still active, which is a serious security problem. Unfortunately your Definitions page ignores security issues. IMHO this security problem should have the same severity as a crash: You cannot use the OpenVPN support in Network Manager without putting the system at risk.

Harald, mentioning that you disagree is fine but you should not *change* the severity yourself!

Sure. Please add some guidelines about security issues to the Definitions page.

So is this an openvpn or network manager problem?

It's a NetworkManager bug and will be fixed in 11.1 alpha2.

"If the OpenVPN client (the road-warrior laptop) ignores the routing information sent by the company server, then the old routing information is still active, which is a serious security problem." Could you please explain why it's a security problem? By that definition, the laptop always has a security problem until VPN is activated?

Yes, the laptop _does_ have a security problem if it is plugged into an unknown network, e.g. in an Internet Cafe or a hotel lobby. The evil gateway can be used to support a man-in-the-middle attack, for example. Even if it is just snooping around looking at which other hosts the laptop user tries to reach, this is information I do not want anybody else to see.

Fixed in factory. I'm not sure what to do with all the other distributions. None of them has ever supported server-provided VPN routes, there's even no infrastructure to support it in the older releases. It can't be fixed without breaking the public API (and thus possibly breaking random applications).

By other distributions, do you mean older Suse releases, or other Linux distros (Debian, Fedora, etc.)? Surely OpenVPN is a very special case, since it is rarely used. But DHCP is in much wider use. What about all the dhcp-options(5) affecting routing? Were they ignored by NM, too?

"By other distributions, do you mean older Suse releases, or other Linux distros (Debian, Fedora, etc.)?" I meant suse releases, but it applies to all Linux distributions. "Surely OpenVPN is a very special case, since it is rarely used. But DHCP is in much wider use. What about all the dhcp-options(5) affecting routing? Were they ignored by NM, too?" No, only VPN (openvpn, vpnc, novellvpn, pptp) routes sent from server have always been ignored.

I tried 11.1beta5 (Gnome): Very much better now. I can connect, and the default route is set up. Minor problem: My OpenVPN server pushes "redirect-gateway def1". The "def1" seems to be ignored on the client, but this is surely not security relevant.

Closing this bug. It's fixed in the latest openSUSE release (11.1) and also in SLE11 betas/rc-s.
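
As an added example (not part of the bug report or of NetworkManager), the shell functions below classify `ip -4 route show` output to check whether the routes pushed by the OpenVPN server, including the `redirect-gateway def1` form mentioned above, actually took effect on the client. The device names `tun0`/`eth0`, the addresses and the function names are assumptions, and the sample routing tables are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `ip -4 route show` text on
# stdin and reports how IPv4 traffic is steered into the tunnel device $1:
#   def1    - 0.0.0.0/1 and 128.0.0.0/1 both point at the tunnel
#   default - the only default route points at the tunnel
#   none    - pushed routes were not applied; traffic leaves via the LAN gateway
full_tunnel_state() {
    awk -v dev="$1" '
        # Device named after the "dev" keyword on the current route line.
        function route_dev(   i) {
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $1 == "default"     { if (route_dev() == dev) via_tun = 1; else via_other = 1 }
        $1 == "0.0.0.0/1"   { if (route_dev() == dev) low = 1 }
        $1 == "128.0.0.0/1" { if (route_dev() == dev) high = 1 }
        END {
            if (low && high)                print "def1"
            else if (via_tun && !via_other) print "default"
            else                            print "none"
        }'
}

# Exit status 0 only when every IPv4 destination is routed into the tunnel.
is_full_tunnel() {
    [ "$(full_tunnel_state "$1")" != "none" ]
}

# Constructed routing tables (addresses and the tun0/eth0 names are made up).
ROUTES_IGNORED='default via 192.168.1.1 dev eth0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'

ROUTES_DEF1='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0'

ROUTES_REPLACED='default via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.10 via 192.168.1.1 dev eth0'

for name in IGNORED DEF1 REPLACED; do
    eval "table=\$ROUTES_$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$table" | full_tunnel_state tun0)"
done
```

On a live client the same check would be fed with `ip -4 route show | is_full_tunnel tun0` after the VPN connection comes up; a table with a second default route on another device is conservatively reported as `none`.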