Re: openvpn with networkmanager
Hello,

Adam Massmann writes:

> Hi Ben,
>
> Benjamin Slade writes:
>
>> What is a recommended/working way of using OpenVPN on GuixSD?
>
> I do not know what the recommended way of working with
> openvpn is, but I do have a working way. Attached is a bash
> script that takes a wireless interface as an argument and
> starts up a vpn, adjusting dns to avoid dns leaks (you will
> need to modify to add the dns for your setup). So if I have
> a wifi connection called "interface" I just run
> ```vpn-launcher-example.sh interface``` to start my vpn
> session, and then ```vpn-killer-example.sh interface```
> to cleanup the connection after I have finished
> openvpn. Also depending on your setup you might need to
> either run as root, or sprinkle sudos before the nmcli
> calls.
>
> This works well for me, but I strongly doubt it is the
> recommended way using openvpn. If anyone has a better way
> I'd also love to hear it.
>
> Best,
> Adam

Thanks Adam, it seems a good workaround that I hadn't thought about.

Avenues I have explored so far are:

1. Purely config based. Example:

--8<---cut here---start->8---
client
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo #t
persist-key #t
persist-tun #t
verb 3
remote-cert-tls server
nobind
resolv-retry infinite
remote someserver.net
auth-user-pass
script-security 2 # calling of built-in executables and user-defined scripts.

# Accept DNS changes from the server
# TODO: Need to package "resolvconf"
# The following script comes from
# https://github.com/masterkorp/openvpn-update-resolv-conf/blob/master/update-resolv-conf.sh
#up /etc/openvpn/update-resolv-conf.sh
#down /etc/openvpn/update-resolv-conf.sh
--8<---cut here---end--->8---

As one can see, the solution here would be to have some external
script called whose task would be to update /etc/resolv.conf so that
DNS works.

Another problem is that the /etc/resolv.conf file is managed by
NetworkManager, so any changes could be lost or reset by it at times.

2. Define an openvpn service as part of your GuixSD config, such as:

--8<---cut here---end--->8---
(openvpn-client-service
 #:config (openvpn-client-configuration
           (remote (list (openvpn-remote-configuration
                          (name "someserver.net")
                          (port ))))))
--8<---cut here---end--->8---

Some problems with this second option:

a. It's on by default (I'd prefer it off -- must be easy but I'm not
   very knowledgeable about services yet)
b. It doesn't address the DNS question.

3. I've tried using the tools provided by network-manager, and
apparently only 'nmcli' proposes creating a VPN connection. It seems
the parameters it accepts are insufficient to define completely the
setup (I didn't see a parameter to store the remote server for
example), so I'm not sure how it's supposed to work.

Anyway, after creating the connection, I tried activating it, only to
get the error:

  Error: Failed to activate 'vpn-wlp0s20f0u1' (718af83f-9553-4805-9140-4dfd28e46a07) connection: The VPN service 'org.freedesktop.NetworkManager.openvpn' was not installed.

I'll try your solution next.

Thank you!

Maxim
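
The kind of external up/down script that avenue 1 in the message above calls for, as an added example that is not part of the original message and is not the linked update-resolv-conf.sh. It builds the resolver file from the options the server pushes and validates them first, since they are server-supplied input written to a root-owned file. Assumptions: RESOLV_CONF is a hypothetical override variable, and NetworkManager can still rewrite /etc/resolv.conf afterwards, as the message notes.

```shell
#!/bin/sh
# Added example, not from the thread. OpenVPN hands each pushed "dhcp-option"
# to up/down scripts as foreign_option_1, foreign_option_2, ... (needs
# "script-security 2"). The values come from the server: validate before use.

# Print resolv.conf lines for the pushed DNS options; fail if none is valid.
render_resolv_conf() {
    i=1 servers="" search=""
    set -f                              # no globbing while word-splitting
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        set -- $opt                     # e.g. "dhcp-option DNS 10.8.0.1"
        if [ "$1" = "dhcp-option" ] && [ $# -eq 3 ]; then
            case "$2:$3" in
                DNS:*[!0-9A-Fa-f:.]*|DOMAIN:*[!A-Za-z0-9.-]*) ;;  # reject
                DNS:*)    servers="$servers $3" ;;
                DOMAIN:*) search="$search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    set +f
    [ -n "$servers" ] || return 1
    [ -z "$search" ] || echo "search$search"
    for s in $servers; do echo "nameserver $s"; done
}

# up: keep one backup of TARGET, then replace it atomically.
apply_dns() {
    target=$1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if render_resolv_conf > "$tmp"; then
        chmod 644 "$tmp"                # mktemp creates the file mode 600
        [ -e "$target.pre-vpn" ] || cp -p "$target" "$target.pre-vpn"
        mv "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# down: put the saved resolver configuration back.
restore_dns() {
    [ -e "$1.pre-vpn" ] && mv "$1.pre-vpn" "$1"
}

# OpenVPN sets script_type; RESOLV_CONF is a hypothetical override for testing.
case "${script_type:-}" in
    up)   apply_dns "${RESOLV_CONF:-/etc/resolv.conf}" ;;
    down) restore_dns "${RESOLV_CONF:-/etc/resolv.conf}" ;;
esac
```

If no valid DNS option was pushed, apply_dns leaves the existing file untouched, so a misconfigured server cannot leave the machine without a resolver.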
Re: openvpn with networkmanager
Hi

On 2018-09-18 05:55, Benjamin Slade wrote:

> On 2018-09-13T02:54:52-0600, Ludovic Courtès wrote:
>
> > I think it would be nice to add a commented example to this section of
> > the manual, like we have for many other services.
>
> I think this would be very useful. With an example it should be much
> more straightforward to figure out how to use this in practice.
>
> Does anyone have a working config they could share?

A month has almost passed. It seems nobody used this yet.

It seems you will have to experiment yourself. :-)

Cheers
Swedebugia
Re: openvpn with networkmanager
On 2018-09-13T02:54:52-0600, Ludovic Courtès wrote:

> I think it would be nice to add a commented example to this section of
> the manual, like we have for many other services.

I think this would be very useful. With an example it should be much
more straightforward to figure out how to use this in practice.

Does anyone have a working config they could share?

—Ben

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )
Re: openvpn with networkmanager
Hi,

Benjamin Slade wrote:

> > On GuixSD, we have an openvpn service, see
> > https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
> > configured, you can always start and stop it with "herd start
> > openvpn-client" and "herd stop openvpn-client".
>
> Thanks, Julien. Unfortunately, I don't find that manual page overly
> illuminating in terms of how to actually set this up.

I think it would be nice to add a commented example to this section of
the manual, like we have for many other services.

Thanks,
Ludo’.
Re: openvpn with networkmanager
> On GuixSD, we have an openvpn service, see
> https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
> configured, you can always start and stop it with "herd start
> openvpn-client" and "herd stop openvpn-client".

Thanks, Julien. Unfortunately, I don't find that manual page overly
illuminating in terms of how to actually set this up.

Does anyone have an example configuration available anywhere,
particularly one that shows how to set up multiple VPNs? I.e. one which
allows for different VPNs to be configured (and switched to, whether
via herd or otherwise)?

thanks,
—Ben

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )
Re: openvpn with networkmanager
Hi Julien,

Julien Lepiller writes:

> On GuixSD, we have an openvpn service, see
> https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
> configured, you can always start and stop it with "herd start
> openvpn-client" and "herd stop openvpn-client".

Thanks for the link, I look forward to trying out the "Guix-y" way
(it's so nice to have my whole OS setup defined in guix!) when I get
some time to configure.
Re: openvpn with networkmanager
On 2018-09-10 18:05, Adam Massmann wrote:

> Hi Ben,
>
> Benjamin Slade writes:
>
>> What is a recommended/working way of using OpenVPN on GuixSD?
>
> I do not know what the recommended way of working with
> openvpn is, but I do have a working way. Attached is a bash
> script that takes a wireless interface as an argument and
> starts up a vpn, adjusting dns to avoid dns leaks (you will
> need to modify to add the dns for your setup). So if I have
> a wifi connection called "interface" I just run
> ```vpn-launcher-example.sh interface``` to start my vpn
> session, and then ```vpn-killer-example.sh interface```
> to cleanup the connection after I have finished
> openvpn. Also depending on your setup you might need to
> either run as root, or sprinkle sudos before the nmcli
> calls.
>
> This works well for me, but I strongly doubt it is the
> recommended way using openvpn. If anyone has a better way
> I'd also love to hear it.
>
> Best,
> Adam

On GuixSD, we have an openvpn service, see
https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
configured, you can always start and stop it with "herd start
openvpn-client" and "herd stop openvpn-client".
Re: openvpn with networkmanager
Thanks, Adam, I'll have to try this.

It's hard to know how much of the issues with NetworkManager+VPNs is a
GuixSD-specific issue and how much is just NetworkManager (on my Arch
machine, I have to connect to openvpn 'by hand', it won't connect
through NetworkManager; but on my
Bedrock/pieces-from-a-bunch-of-different-distros machine, OpenVPN
'just works' directly in NetworkManager).

—Ben

On 2018-09-10T10:05:56-0600, Adam Massmann wrote:

> Hi Ben,
>
> Benjamin Slade writes:
>
> > What is a recommended/working way of using OpenVPN on GuixSD?
>
> I do not know what the recommended way of working with
> openvpn is, but I do have a working way. Attached is a bash
> script that takes a wireless interface as an argument and
> starts up a vpn, adjusting dns to avoid dns leaks (you will
> need to modify to add the dns for your setup). So if I have
> a wifi connection called "interface" I just run
> ```vpn-launcher-example.sh interface``` to start my vpn
> session, and then ```vpn-killer-example.sh interface```
> to cleanup the connection after I have finished
> openvpn. Also depending on your setup you might need to
> either run as root, or sprinkle sudos before the nmcli
> calls.
>
> This works well for me, but I strongly doubt it is the
> recommended way using openvpn. If anyone has a better way
> I'd also love to hear it.
>
> Best,
> Adam

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )
Re: openvpn with networkmanager
Hi Ben,

Benjamin Slade writes:

> What is a recommended/working way of using OpenVPN on GuixSD?

I do not know what the recommended way of working with
openvpn is, but I do have a working way. Attached is a bash
script that takes a wireless interface as an argument and
starts up a vpn, adjusting dns to avoid dns leaks (you will
need to modify to add the dns for your setup). So if I have
a wifi connection called "interface" I just run
```vpn-launcher-example.sh interface``` to start my vpn
session, and then ```vpn-killer-example.sh interface```
to cleanup the connection after I have finished
openvpn. Also depending on your setup you might need to
either run as root, or sprinkle sudos before the nmcli
calls.

This works well for me, but I strongly doubt it is the
recommended way using openvpn. If anyone has a better way
I'd also love to hear it.

Best,
Adam

vpn-launcher-example.sh
Description: Bourne shell script

vpn-killer-example.sh
Description: Bourne shell script
Re: openvpn with networkmanager
Hi Ludo',

> IIRC, NM has a tool to import OpenVPN config files, though it only
> understands a subset of the syntax; you have to run it as root:
>
>   sudo nmcli connection import type openvpn file /path/to/whatever.ovpn
>
> Then I think something was broken with VPN support in NM, though I
> forgot the details…

I was able to add an .ovpn openvpn file (the gui nm-connection-editor
also seems to work), and it shows up in the nm-applet, but when I try
to connect to it as a regular user nothing happens. (Though I've used
NM with VPN successfully on another distro.)

What is a recommended/working way of using OpenVPN on GuixSD?

cheers,
—Ben

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )
Re: openvpn with networkmanager
Hi Benjamin,

Benjamin Slade wrote:

> I have the following definition in my config.scm, which I call in
> defining the operating system:
>
> (define %slade-desktop-services
>   (modify-services %desktop-services
>     (network-manager-service-type config =>
>       (network-manager-configuration
>         (inherit config)
>         (vpn-plugins (list
>                       network-manager-openvpn))))))
>
> This does indeed enable the OpenVPN module of NetworkManager, but
> NetworkManager doesn't automatically read in the *.ovpn files in
> /etc/openvpn (which is probably expected), but moreover as an ordinary
> user I'm not allowed to create them. Is the best thing to login as root
> and add these to NetworkManager?

IIRC, NM has a tool to import OpenVPN config files, though it only
understands a subset of the syntax; you have to run it as root:

  sudo nmcli connection import type openvpn file /path/to/whatever.ovpn

Then I think something was broken with VPN support in NM, though I
forgot the details…

HTH,
Ludo’.
openvpn with networkmanager
I have the following definition in my config.scm, which I call in
defining the operating system:

(define %slade-desktop-services
  (modify-services %desktop-services
    (network-manager-service-type config =>
      (network-manager-configuration
        (inherit config)
        (vpn-plugins (list
                      network-manager-openvpn))))))

This does indeed enable the OpenVPN module of NetworkManager, but
NetworkManager doesn't automatically read in the *.ovpn files in
/etc/openvpn (which is probably expected), but moreover as an ordinary
user I'm not allowed to create them. Is the best thing to login as root
and add these to NetworkManager?

--
Benjamin Slade - https://babbagefiles.xyz
`(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
'(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
`(Choose Linux ,(Choose Freedom) . https://linux.com )