Hello, I'm also affected by this bug. Inspection of the upstream code shows that the NetworkManager OpenVPN plugin has no notion of the --data-ciphers flag of OpenVPN. The previously used --cipher flag, which NM does know about, used to imply appending the cipher to the --data-ciphers list, but that is no longer the case as of OpenVPN 2.6 [1].
I've attached a very rudimentary patch that adds support for --data-ciphers to network-manager-openvpn and passes the corresponding string on as an OpenVPN argument. The patch is a bit crude, and treats --data-ciphers _exactly_ like --cipher was already treated. That might not be appropriate, as the former has the structure of a colon-separated list, and any GUI/TUI interface might want to reflect that visually/functionally. My patch treats it as an opaque string. With the patch, one can in a network-manager-openvpn VPN connection add an entry of the form data-ciphers = WHATEVER to the .data field of the VPN connection, and WHATEVER will be passed on to OpenVPN's --data-ciphers argument. I'll try to have this patch upstreamed, but in the meantime it might be appropriate for inclusion into Debian so as not to break people's NM-managed VPN connections upon upgrading OpenVPN. PS: Simon, you indicate that you are having trouble due to being unfamiliar with Debian packaging. Do let me know if you'd like me to provide a precompiled package with the patch included. [1] https://github.com/OpenVPN/openvpn/blob/0dbcaba4f301c21e68a5cd032a4b56eb75c17c37/Changes.rst Best, Gard
From: Gard Spreemann <[email protected]>
Date: Tue, 21 Jun 2022 11:20:25 +0200
Subject: Add support for OpenVPN's --data-ciphers

---
 properties/import-export.c | 11 +++++++++++
 properties/tests/test-import-export.c | 12 ++++++++++++
 shared/nm-service-defines.h | 1 +
 shared/utils.h | 1 +
 src/nm-openvpn-service.c | 3 +++
 5 files changed, 28 insertions(+)

diff --git a/properties/import-export.c b/properties/import-export.c
index 51049de..2ab3bf3 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1344,6 +1344,15 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
 continue;
 }
 
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_DATA_CIPHERS)) {
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, params[1]);
+ continue;
+ }
+
 if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CIPHER)) {
 if (!args_params_check_nargs_n (params, 1, &line_error))
 goto handle_line_error;
@@ -2103,6 +2112,8 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
 
 args_write_line_setting_value (f, NMV_OVPN_TAG_CIPHER, s_vpn, NM_OPENVPN_KEY_CIPHER);
 
+ args_write_line_setting_value (f, NMV_OVPN_TAG_DATA_CIPHERS, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS);
+
 args_write_line_setting_value (f, NMV_OVPN_TAG_TLS_CIPHER, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER);
 
 args_write_line_setting_value_int (f, NMV_OVPN_TAG_KEYSIZE, s_vpn, NM_OPENVPN_KEY_KEYSIZE);
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index cefb2b1..369b61e 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
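Review bot: The new branch in do_import matches only the literal `data-ciphers` tag, while OpenVPN still accepts the older spelling `ncp-ciphers` as an alias of the same option (as far as I recall, since the rename in 2.5), so a profile using that spelling would be imported without its cipher list and fail in exactly the way this patch is meant to prevent. A one-line extension, `if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_DATA_CIPHERS, NMV_OVPN_TAG_NCP_CIPHERS)) {`, plus a matching `#define NMV_OVPN_TAG_NCP_CIPHERS "ncp-ciphers"` in shared/utils.h, would cover both. The value is stored verbatim after the UTF-8 check, mirroring the existing `cipher` and `tls-cipher` handling, and is later handed to openvpn by args_add_vpn_data, presumably as its own argv element, so there is no injection concern here; a cheap check that the colon-separated list contains no empty items would however turn a typo into an import error instead of a connection that only fails at start-up. The body of do_import starts and ends outside this hunk.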
@@ -226,6 +226,7 @@ test_password_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -319,6 +320,7 @@ test_tls_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -366,6 +368,7 @@ test_tls_import_2 (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -410,6 +413,7 @@ test_tls_import_3 (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
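Review bot: Every assertion added in these hunks only checks that NM_OPENVPN_KEY_DATA_CIPHERS is absent after importing a profile that never mentions it, so the new import branch and export line in properties/import-export.c are not exercised by any test. test_password_import already imports a fixture carrying `cipher AES-256-CBC`; adding a `data-ciphers AES-256-GCM:AES-128-GCM` line to that fixture and asserting `_check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "AES-256-GCM:AES-128-GCM");` here would give the feature a positive test, and if the file has export round-trip tests further down they should compare that line as well. The test functions on this line all begin and end outside the hunks.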
@@ -458,6 +462,7 @@ test_tls_import_4 (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -529,6 +534,7 @@ test_tls_inline_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -581,6 +587,7 @@ test_pkcs12_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -622,6 +629,7 @@ test_pkcs12_with_ca_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -690,6 +698,7 @@ test_static_key_import (gconstpointer test_data)
 _check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, "10.8.0.2");
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, "10.8.0.1");
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -801,6 +810,7 @@ test_proxy_http_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -865,6 +875,7 @@ test_proxy_http_with_auth_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -903,6 +914,7 @@ test_proxy_socks_import (void)
 _check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
 _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 44a83f6..37abdea 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -40,6 +40,7 @@
 #define NM_OPENVPN_KEY_CONNECT_TIMEOUT "connect-timeout"
 #define NM_OPENVPN_KEY_CRL_VERIFY_FILE "crl-verify-file"
 #define NM_OPENVPN_KEY_CRL_VERIFY_DIR "crl-verify-dir"
+#define NM_OPENVPN_KEY_DATA_CIPHERS "data-ciphers"
 #define NM_OPENVPN_KEY_DEV "dev"
 #define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
 #define NM_OPENVPN_KEY_EXTRA_CERTS "extra-certs"
diff --git a/shared/utils.h b/shared/utils.h
index 69c4957..550a9d5 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -36,6 +36,7 @@
 #define NMV_OVPN_TAG_COMPRESS "compress"
 #define NMV_OVPN_TAG_CONNECT_TIMEOUT "connect-timeout"
 #define NMV_OVPN_TAG_CRL_VERIFY "crl-verify"
+#define NMV_OVPN_TAG_DATA_CIPHERS "data-ciphers"
 #define NMV_OVPN_TAG_DEV "dev"
 #define NMV_OVPN_TAG_DEV_TYPE "dev-type"
 #define NMV_OVPN_TAG_EXTRA_CERTS "extra-certs"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index af57227..029bb3c 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -150,6 +150,7 @@ static const ValidProperty valid_properties[] = {
 { NM_OPENVPN_KEY_CONNECTION_TYPE, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_CRL_VERIFY_FILE, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_CRL_VERIFY_DIR, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_DATA_CIPHERS, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_EXTRA_CERTS, G_TYPE_STRING, 0, 0, FALSE },
 { NM_OPENVPN_KEY_FLOAT, G_TYPE_BOOLEAN, 0, 0, FALSE },
 { NM_OPENVPN_KEY_NCP_DISABLE, G_TYPE_BOOLEAN, 0, 0, FALSE },
@@ -1683,6 +1684,8 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 
 args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_CIPHER, "--cipher");
 
+ args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "--data-ciphers");
+
 args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER, "--tls-cipher");
 
 tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE);
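Review bot: The new valid_properties entry accepts any string for `data-ciphers`, and the cover mail says the patch adds no GUI field for it, so a list such as `none` or a legacy cipher placed in a connection's data (for instance by an imported profile) would quietly weaken the data channel with nothing visible to the user. OpenVPN honours `none` when it is listed explicitly in this option, as far as I recall, so it may be worth rejecting that token at validation time or at least logging the effective list when the binary is started. The valid_properties table and the code that consumes it extend beyond this hunk.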
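Review bot: Emitting `--data-ciphers` only when the key is set leaves a connection that has just `cipher` configured, which is the case this bug report describes, without any data-cipher list on OpenVPN 2.6, because the `--cipher` passed on the line above is no longer folded into that list according to the Changes.rst linked in the cover mail. To keep such connections working without a manual edit, when NM_OPENVPN_KEY_DATA_CIPHERS is unset but NM_OPENVPN_KEY_CIPHER is set the plugin could additionally emit `--data-ciphers-fallback <cipher>` (or seed `--data-ciphers` with that value), guarded by the plugin's openvpn version detection if it has one, since that option does not exist before 2.5 and an unknown option makes openvpn exit. nm_openvpn_start_openvpn_binary continues on both sides of this hunk.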

