Re: IPv6 in network-manager-openvpn

2013-12-23 Thread Nicolas Iooss
Hello,

I've been quite busy last week so it took me some time to update my Network
Manager setup to the latest git revision, reproduce the bug, investigate,
and change the patches. Tonight I've added 3 comments to
https://bugzilla.gnome.org/show_bug.cgi?id=682620: the coredump backtrace
of the assertion failure I get, an analysis of what's going wrong in NM and
a patch which updates
0001-service-pass-IPv6-related-information-to-NM.patch. I've tested this
new patch with my OpenVPN server and it is working fine: IPv6 "Internal
Point-to-Point Address" (NM_VPN_PLUGIN_IP6_CONFIG_PTP) seems to be useless
here.

By the way, OpenConnect VPN plugin may have the same bug because
https://git.gnome.org/browse/network-manager-openconnect/tree/src/nm-openconnect-service-openconnect-helper.c?id=80493c029d21712f68c4c1372f2a98cb8450a045#n599
also uses NM_VPN_PLUGIN_IP6_CONFIG_PTP, but I don't know what's better between
removing code in every VPN plugin (like I did) or patching NetworkManager
to ignore this option which is not supported by libnl.

Regards,

Nicolas

PS: my patches are also available on GitHub,
https://github.com/fishilico/network-manager-openvpn/commits/master


2013/12/18 Tore Anderson :
> * Tore Anderson
>
>> I'm working on setting up a test VPN server where I can reproduce it and
>> generate a backtrace to share (I don't dare to do that towards my
>> employer's VPN server).
>
> Ok, so now I have a dual-stacked OpenVPN test server running and I've
> reproduced the problem there. It's all F20 RPMs, except that Nicolas
> Iooss' patches were applied on top of NetworkManager-openvpn[-gnome].
>
> I've attached the backtrace that ABRT grabbed after the crash happened.
>
> In case you or anyone else want to reproduce it, the test server is
> greed.fud.no (87.238.35.145, 2a02:c0:1001:100::145), port 1194/tcp, LZO
> compression enabled. It pushes two routes: 10.20.30.0/24 and
> 2001:db8:1::/64. 10.20.30.40 and 2001:db8:1::1 should respond to pings
> via the tunnel. Use the sample certificates included with OpenVPN - also
> available at http://fud.no/nm-openvpn-ipv6/ along with the server's
> config file. Prebuilt F20 RPMs of NetworkManager-openvpn[-gnome] with
> the IPv6 patches applied are also found there.
>
> Tore
>
> ___
> networkmanager-list mailing list
> networkmanager-list@gnome.org
> https://mail.gnome.org/mailman/listinfo/networkmanager-list
>


IPv6 in network-manager-openvpn

2013-08-26 Thread Nicolas Iooss
Hello,

A few weeks ago I ran into a bug in NetworkManager: even though OpenVPN now
supports IPv6 in tunnels, the OpenVPN plugin of NetworkManager doesn't
support it. I found bug 682620 (
https://bugzilla.gnome.org/show_bug.cgi?id=682620) and I've implemented
some of the missing features with the help of network-manager-openconnect
commits. My patches are attached to this email, can someone kindly review
them and tell me what may be wrong with them? As I'm new to
NetworkManager, I think there must be some mistakes in my code.

The patches are working well in my testing environment with NetworkManager
0.9.8 but with the development revision, NetworkManager complains about
"invalid IP6 config received!" in src/vpn-manager/nm-vpn-connection.c on
line 1034. As I understand things, a "!" is missing on line 1031 (
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/vpn-manager/nm-vpn-connection.c?id=320a9d16a3067df32f5ad8a2bb3770104ec359b1#n1031),
but this is strange as this means no IPv6 VPN should work with current
development revision... Does anyone know how OpenConnect plugin can work
with such code?

Thanks,

Nicolas
(IooNag on irc.freenode.net)


0001-service-pass-IPv6-related-information-to-NM.patch
Description: Binary data


0002-properties-expose-IPv6-capability-to-the-UI.patch
Description: Binary data


Re: IPv6 in network-manager-openvpn

2013-08-22 Thread Nicolas Iooss
Thanks for testing my patches!


> I noticed that the default route also gets redirected to the tunnel
> device even though the server does not push this route. So internet
> connectivity is broken unless I explicitly enable the "use this
> connection for resources on its network" setting. However I believe this
> bug occurs with IPv4 as well, so I don't think it is something wrong
> with your patches per se in this regard.

As I understand things after reading
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage:
(a) With IPv4, OpenVPN server issues a push "redirect-gateway def1"
command which tells the client to configure a default route via what is in
the route-gateway option. This option is retrieved by OpenVPN plugin using
environment variable "route_vpn_gateway" but the first push command is lost
and that's why NetworkManager provides a checkbox to allow the user to
choose whether this VPN connection may be used as default route or not.
(b) With IPv6, push "redirect-gateway def1" command doesn't do anything and
there is nothing like "route_vpn_gateway". A simple workaround consists in
pushing a route to 2000::/3 but there should be another way for an OpenVPN
server to push IPv6 default routes to its clients.

Right now, NetworkManager is acting in IPv6 like in IPv4: it creates a
default route unless "use this connection only for resources on its
network" is checked. For OpenVPN I think NM should never create a default
route as the server pushes what is needed, but for other VPNs the situation is
certainly different. To be compatible with every VPN plugin, I've written a
patch in bug 706332 which would allow the IPv6 internal gateway associated
with a connection to be NULL, which is different from "::" (this latter
value meaning "configure a default route without any gateway").

Best,

Nicolas


Re: IPv6 in network-manager-openvpn

2013-08-22 Thread Nicolas Iooss
2013/8/21 Dan Winship

> On 08/19/2013 12:47 PM, Nicolas Iooss wrote:
> > The patches are working well in my testing environment with
> > NetworkManager 0.9.8 but with the development revision I've got a few
> > issues such as https://bugzilla.gnome.org/show_bug.cgi?id=706286. Now NM
> > crashes on a segmentation fault
> > at
> > http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/nm-policy.c#n788
> > as nm_vpn_connection_get_ip6_internal_gateway returns NULL for my VPN
>
> Right. Does the attached patch fix it?
>

Your patch fixed the segmentation fault but now NetworkManager sets up a
default route via the VPN even if the OpenVPN server has not pushed any.
More precisely, with NetworkManager OpenVPN plugin, "ip -6 route" shows
"default dev tun0  proto static  metric 1024" whereas executing openvpn in
command line doesn't add this default route. Moreover this route doesn't
work as the next hop needs to be defined to be able to route packets in an
OpenVPN tunnel. To fix this behavior, I opened a bug a few days ago which
makes get_best_ip6_config no longer return VPN connections which don't
have any internal gateway:
https://bugzilla.gnome.org/show_bug.cgi?id=706332.

In fact I don't know how to make an OpenVPN server route the IPv6 internet
but by pushing to clients a route to 2000::/3 as described on
http://tomsalmon.eu/2013/04/openvpn-ipv6-with-tun-device/ (last line of the
config file), as there is no IPv6 equivalent of OpenVPN setting
"route_vpn_gateway" (which is what NM uses as IPv4 internal gateway). This
is why I think that a VPN plugin which doesn't set the "IPv6 internal
gateway" connection parameter shouldn't be considered as a connection
providing a default route to the Internet (and this is what I implemented
in the patch for bug #706332).

Nicolas
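
A check for the routing state discussed in the two messages above, as an added example that is not part of the thread or of NetworkManager's code: it parses `ip -6 route` output and reports whether the VPN device holds a default route with no next hop or a 2000::/3 route. The sample route tables, device names and function names are constructed for illustration.

```python
import ipaddress

# Constructed `ip -6 route` output (not from the thread's logs). NM_CASE has the
# gateway-less default route quoted above; PUSHED_CASE has a pushed 2000::/3.
NM_CASE = """\
fd10:0:55:62::/64 dev tun0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default dev tun0  proto static  metric 1024
"""
PUSHED_CASE = """\
fd10:0:55:62::/64 dev tun0  proto kernel  metric 256
2000::/3 dev tun0  metric 1024
default via fe80::1 dev eth0  proto ra  metric 1024
"""

def parse_routes(text):
    """Turn `ip -6 route` lines into dicts: dst network, dev, via, metric."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            dst = ipaddress.ip_network("::/0" if tok[0] == "default" else tok[0], strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." entries: no destination in column 1
        route = {"dst": dst, "dev": None, "via": None, "metric": 0}
        for key, val in zip(tok[1:], tok[2:]):
            if key in ("dev", "via"):
                route[key] = val
            elif key == "metric":
                route[key] = int(val)
        routes.append(route)
    return routes

def vpn_findings(routes, vpn_dev):
    """Label the routes on vpn_dev that decide where Internet-bound IPv6 goes."""
    found = set()
    for r in (r for r in routes if r["dev"] == vpn_dev):
        if r["dst"].prefixlen == 0:
            found.add("default-via-gateway" if r["via"] else "default-without-next-hop")
        elif r["dst"] == ipaddress.ip_network("2000::/3"):
            found.add("global-unicast-2000::/3")
    return found

def egress_dev(routes, addr):
    """Device chosen for addr: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(addr)
    hits = [r for r in routes if addr in r["dst"]]
    best = max(hits, key=lambda r: (r["dst"].prefixlen, -r["metric"]), default=None)
    return best["dev"] if best else None
```

Feeding it the real output of `ip -6 route` before and after the VPN comes up shows whether Internet-bound IPv6 traffic moved onto the tunnel device and by which route.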


IPv6 in network-manager-openvpn

2013-08-19 Thread Nicolas Iooss
Hello,

A few weeks ago I ran into a bug in NetworkManager: even though OpenVPN now
supports IPv6 in tunnels, the OpenVPN plugin of NetworkManager doesn't
support it. I found bug 682620 (
https://bugzilla.gnome.org/show_bug.cgi?id=682620) and I've implemented
some of the missing features with the help of network-manager-openconnect
commits (basically the IPv6 payload part, not the IPv6 endpoint one). My
patches are attached to this email. Can someone review them and tell me
what may be wrong with them? As I'm new to NetworkManager, I think there
must be some mistakes in my code.

The patches are working well in my testing environment with NetworkManager
0.9.8 but with the development revision I've got a few issues such as
https://bugzilla.gnome.org/show_bug.cgi?id=706286. Now NM crashes on a
segmentation fault at
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/nm-policy.c#n788
as nm_vpn_connection_get_ip6_internal_gateway returns NULL for my VPN (there
are IPv6 unique local addresses on my OpenVPN server, without routing) so
there is still work to be done before further testing. I'll certainly file
a bug report tomorrow but right now I can provide some logs and a coredump
backtrace, after this message.

Thanks,

Nicolas


/var/log/daemon.log:

NetworkManager[30420]:  (tun0): carrier is OFF
nm-openvpn[30512]: /usr/lib/networkmanager/nm-openvpn-service-openvpn-helper tun0 1500 1544 10.55.62.6 10.55.62.5 init
NetworkManager[30420]:  (tun0): new Tun device (driver: 'unknown' ifindex: 5)
NetworkManager[30420]:  (tun0): exported as /org/freedesktop/NetworkManager/Devices/3
NetworkManager[30420]:  VPN connection 'Iosenag' (IP Config Get) reply received.
NetworkManager[30420]:  VPN connection 'Iosenag' (IP4 Config Get) reply received.
NetworkManager[30420]:  VPN connection 'Iosenag' (IP6 Config Get) reply received.
NetworkManager[30420]:  VPN Gateway: 31.7.184.34
NetworkManager[30420]:  Tunnel Device: tun0
NetworkManager[30420]:  IPv4 configuration:
NetworkManager[30420]:Internal Gateway: 10.55.62.5
NetworkManager[30420]:Internal Address: 10.55.62.6
NetworkManager[30420]:Internal Prefix: 32
NetworkManager[30420]:Internal Point-to-Point Address: 10.55.62.5
nm-openvpn[30512]: Initialization Sequence Completed
NetworkManager[30420]:Maximum Segment Size (MSS): 0
NetworkManager[30420]:Static Route: 10.55.62.1/32   Next Hop: 10.55.62.1
NetworkManager[30420]:Forbid Default Route: no
NetworkManager[30420]:Internal DNS: 10.55.62.1
NetworkManager[30420]:Internal DNS: 208.67.222.222
NetworkManager[30420]:DNS Domain: '(none)'
NetworkManager[30420]:  IPv6 configuration:
NetworkManager[30420]:Internal Address: fd10:0:55:62::1000
NetworkManager[30420]:Internal Prefix: 64
NetworkManager[30420]:Internal Point-to-Point Address: fd10:0:55:62::1
NetworkManager[30420]:Maximum Segment Size (MSS): 0
NetworkManager[30420]:Forbid Default Route: no
NetworkManager[30420]:DNS Domain: '(none)'
NetworkManager[30420]:  (tun0): link connected
NetworkManager[30420]:  [1376927563.222516] [platform/nm-linux-platform.c:1018] add_object(): Netlink error: Unspecific failure
NetworkManager[30420]:  VPN connection 'Iosenag' (IP Config Get) complete.
NetworkManager[30420]:  [1376927563.225071] [platform/nm-linux-platform.c:1018] add_object(): Netlink error: Unspecific failure
NetworkManager[30420]:  [1376927563.225281] [platform/nm-linux-platform.c:1018] add_object(): Netlink error: Unspecific failure
NetworkManager[30420]:  [1376927563.225294] [nm-policy.c:617] update_ip4_routing(): Failed to set default route.
NetworkManager[30420]:  Policy set 'Iosenag' (tun0) as default for IPv4 routing and DNS.
systemd[1]: NetworkManager.service: main process exited, code=dumped, status=11/SEGV
systemd[1]: Unit NetworkManager.service entered failed state.


Coredump backtrace (using "systemd-coredumpctl gdb 30420"):
TIME PID   UID   GID SIG EXE
lun. 2013-08-19 17:52:43 CEST  30420 0 0  11
/usr/bin/NetworkManager
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /usr/bin/NetworkManager...done.
[New LWP 30420]
[New LWP 30421]
[New LWP 30510]
[New LWP 30422]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x6fb5d0c9
Core was generated by `