[eduVPN-deploy] eduVPN client routing table behaviour on MacOS
Louis Twomey
louis.twomey at heanet.ie
Fri Jul 10 12:59:13 CEST 2020
Hi Rogier,
Thanks a lot for the clarification, the symptoms certainly do fit with the NCSI issue.
For info, here is a portion of the routing table from an affected Windows laptop (x.y.5.128/25 is the eduVPN pool range):
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.165 25
0.0.0.0 128.0.0.0 x.y.5.129 x.y.5.135 259
x.y.5.128 255.255.255.192 On-link x.y.5.135 259
x.y.5.135 255.255.255.255 On-link x.y.5.135 259
x.y.5.191 255.255.255.255 On-link x.y.5.135 259
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 x.y.5.129 x.y.5.135 259
I don’t have any other info from an affected Windows machine yet (e.g. whether it shows the “No internet” message), but I’m hoping to receive such info soon.
I have also attached a screenshot of the error that appears on an affected MacOS laptop.
[cid:543E9EC2-92A6-4D9F-B811-171F4D4DD065]
Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey at heanet.ie<mailto:louis.twomey at heanet.ie> www.heanet.ie<http://www.heanet.ie>
Registered in Ireland, No. 275301. CRA No. 20036270
On 8 Jul 2020, at 20:09, Rogier Spoor <Rogier.Spoor at SURF.nl<mailto:Rogier.Spoor at SURF.nl>> wrote:
CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.
Hi Louis,
The O365 issue some of our users are experiencing is different to the one described on Github. Our users can successfully access O365 and open documents in the browser, but attempts to open the same documents in local MS apps fail. And this is happening on both a Windows laptop and a MacOS laptop.
You describe exactly the same issue. In browser it works but not in
Outlook app. I notice the ticket is writing about O365, but am sure this
is only related to app-usage and not browser.
Background is how NCSI – Network Connection Status Indicator is checking
'the internet'.
(https://support.microsoft.com/en-us/help/4494446/an-internet-explorer-or-edge-window-opens-when-your-computer-connects)
In future we might change the NCSI behaviour via the windows-app, maybe
by changing the NCSI server to 127.0.0.1 (as suggested here:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Windows-NCSI). But am
not yet sure, needs some further investigation. We'd prefer to fix it in
a future OpenVPN release instead of fixing it in the eduVPN app.
Regarding macOS I'd guess the root cause is something else. Do you have
a screenshot what type of app is being used and what the error is all
about?
regards,
Rogier
One user believed they fixed the problem by flushing their routing table
- I suspect that flushing the table was not actually relevant at all but
while looking into this I discovered the difference in behaviour between
the two versions of MacOS eduVPN client.
Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey at heanet.ie<mailto:louis.twomey at heanet.ie> www.heanet.ie<http://www.heanet.ie>
Registered in Ireland, No. 275301. CRA No. 20036270
On 8 Jul 2020, at 16:51, Rogier Spoor <Rogier.Spoor at SURF.nl<mailto:Rogier.Spoor at SURF.nl>> wrote:
CAUTION[External]: This email originated from outside of the organisation. Do not click on links or open the attachments unless you recognise the sender and know the content is safe.
hi Louis,
The v1.2.1. macOS app (DMG installer) is an old app version. We strongly
advice user with macOS 10.14 and higher to deinstall this app and
install the Appstore version:
https://www.eduvpn.org/blog/new-macos-app.html
The Appstore app integrates more nicely with macOS because it uses a
NetworkExtensions API. This should be the most solid way to integrate in
the OS.
To be honest I don't really understand the logic of the
"networkextensions" routing table. I notice /32-like routing entries for
the nameservers and other destinations, but I really have no clue why.
Tried to find sometime ago documentation about this new routing table
approach but so far didn't find any explanation.
I did noticed WireGuard, which also is using NetworkExtensions API, has
same kind of strange routing table entries.
Regarding the O365 issue. For windows this is a known issue. Can be
'fixed' by adding a 0.0.0.0 route on the eduVPN server. All details and
background about this issue:
https://github.com/Amebis/eduVPN/issues/136
Hope this helps.
cheers,
Rogier
On 07/07/2020 18:35, Louis Twomey via eduVPN-deploy wrote:
Hi,
I am troubleshooting a problem where some of our staff occasionally experience problems when accessing O365 services via our eduVPN servers. They can access Sharepoint, and they can open Sharepoint documents in the browser, but they can’t open the same documents in their local apps - the nature of the error suggests a possible networking issue.
The problem affected two staff members today, at least one of them is using a MacOS 10.15.5 laptop and a recent version of the eduVPN client, v2.1.7 (837). I have not experienced this problem, I have a MacOS 10.15.5 laptop too, but my eduVPN client is v1.2.1.
When looking at the routing table on my laptop, and the affected laptop, they are very different and I wonder whether this is because the newer eduVPN client behaves differently?
My laptop routing table is very short and very “clean", my older eduVPN client adds only 6 routes via the virtual/tunnel interface (for: 0/1,128.0/1, 192.168.0.0/25, 192.168.0.128/25, host route for gateway IP of eduVPN server, eduVPN pool range). By complete contrast, the laptop with the newer eduVPN client has over 30 additional routes and most of them are host routes, here is a snippet of the IPv4 table:
Internet:
Destination Gateway Flags Netif Expire
default link#18 UCS utun2
default 192.168.0.1 UGScI en0
1.1.1.1 link#18 UHW3I utun2 2
1.2.3.4 link#18 UHW3I utun2 1
8.8.8.8 link#18 UHW3I utun2 3
13.88.28.53 link#18 UHWIi utun2
40.126.1.143 link#18 UHWIi utun2
Is it standard behaviour of the newer MacOS eduVPN client to add a “default” route as above, and to add multiple host routes?
Thanks,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey at heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270
_______________________________________________
eduVPN-deploy mailing list
eduVPN-deploy at list.surfnet.nl
https://list.surfnet.nl/mailman/listinfo/eduvpn-deploy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.surfnet.nl/pipermail/eduvpn-deploy/attachments/20200710/b4390032/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot 2020-07-07 at 15.42.21.png
Type: image/png
Size: 88195 bytes
Desc: Screenshot 2020-07-07 at 15.42.21.png
URL: <https://list.surfnet.nl/pipermail/eduvpn-deploy/attachments/20200710/b4390032/attachment-0001.png>
More information about the eduVPN-deploy
mailing list