tun0 configuration via script using nmcli

John the Ripper

8/18/24, 11:56 AM

Background

For work I have to use Appgate SDP which is a VPN client. It creates a tun0 device, adds a bunch (300+) routes and is supposed to setup the DNS servers with domain search for tun0. At some point in the last week the DNS configuration stopped working and I could no longer resolve server names to IP addresses. I suspect some update, either NetworkManager or resolved, could have caused this but I don't really know.

Technically this is an issue that Appgate should solve, however in the meantime if I can script a solution that would be best for me at this point.

Partial solution

Using a small script with nmcli I was able to configure the DNS and search domain on tun0 and my DNS resolution was working again.

nmcli con mod tun0 ipv4.dns "10.x.x.x"
ncmli con mod tun0 ip4.dns-search "~example.com"

The only issue with this approach is that all of the routes added by Appgate are gone after running my script. I checked the Appgate logs and this application uses the ip route add way to add those routes which is not persisted after running nmcli.

Question

Is there some way I could parse and re-add those routes with nmcli?

# Setup DNS for tun0
nmcli con mod tun0 ipv4.dns "10.x.x.x"
ncmli con mod tun0 ip4.dns-search "~example.com"
# Code to parse the current tun0 routes into memory

. . . 

# Add routes for tun0
for route in "${routes[@]}"
do
    nmcli con mod tun0 +ipv4.routes "route"
done

Bonus

At this point every time I use Appgate I only really need tun0. Can I simply just route all traffic through tun0 when connected to Appgate and then reset all routing to eth0 when I exit Appgate?

1 + 3

static-routes

nmcli

Esa Jokinen

8/18/24, 4:37 PM

Wouldn't you first have to read the current routes and then setup the DNS which removes the routes?

John the Ripper

8/18/24, 5:36 PM

@EsaJokinen. You are absolutely correct and I have actually created and tested a working script. I just haven't had time to update my answer yet :)

Esa Jokinen

8/18/24, 5:43 PM

That's not a question anymore, but an answer. Please post it as an answer instead of an edit. :)

Score:0

Server

John the Ripper

8/18/24, 5:47 PM

Google fu and some trial and error and I was able to get a working script

As Esa pointed out in their comment my script should grab the routes before adding the DNS because if I add the DNS it will delete all of the routes.

So after some testing I came up with this:

# Code to parse the current tun0 routes into memory
rts=($(route | grep tun0 | awk '{print $1}'))

# Setup DNS for tun0
nmcli con mod tun0 ipv4.dns "10.x.x.x"
ncmli con mod tun0 ip4.dns-search "~example.com"

# Add routes for tun0
for i in "${rts[@]}"
do
    nmcli con mod tun0 +ipv4.routes "$i/32"
done

# Reapply rules
nmcli device reapply tun0

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: tun0 configuration via script using nmcli

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.