Re: Setting openVPN options

2012-02-20 Thread Bin Li
On Mon, Feb 20, 2012 at 3:36 AM, Volker Kuhlmann wrote:
> Hi,
>
> Network manager dies trying to establish an openVPN connection because
> it uses the wrong openVPN options. How can I change the openVPN options
> used by NM? I need to add some and remove some.
Which option? Some options could be set in nm-connection-editor.

> And is it possible to get the output from openVPN properly? What it
> writes to syslog is nowhere near sufficient and basically not useful
> for debugging this sort of problem.
http://live.gnome.org/NetworkManager/Debugging
Hope it's helpful.

> Thanks,
>
> Volker
>
> --
> Volker Kuhlmann
> http://volker.dnsalias.net/     Please do not CC list postings to me.
___
networkmanager-list mailing list
networkmanager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list


Setting openVPN options

2012-02-19 Thread Volker Kuhlmann
Hi,

Network manager dies trying to establish an openVPN connection because
it uses the wrong openVPN options. How can I change the openVPN options
used by NM? I need to add some and remove some.

And is it possible to get the output from openVPN properly? What it
writes to syslog is nowhere near sufficient and basically not useful
for debugging this sort of problem.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.


multiple remotes and remote-random in openvpn

2011-12-15 Thread Nikulin Maksim
Hello!
I've made a patch to support subj. in NM. Multiple hosts are just separated by
commas and/or spaces in gateway_entry. I think it's still suitable for
inclusion in the project, though maybe the "NM way" is to use GtkTree and
other forms for each new host.
wbr.

rr.patch
Description: Unix manual page


OpenVPN connection through GSM device

2011-11-16 Thread Francesco Andrisani
Hi,
I'm able to start an OpenVPN connection using Network Manager.
It works fine if I start it through an ethernet connection (previously
activated)... but it works badly if I start the VPN through a GSM/GPRS device
connection (previously activated).

I'm able to start it, but after a bit of time (some minutes) it goes down.

Below is a fragment of the Network Manager (DEBUG mode) logs:

Nov 16 15:35:13 myWorkstation NetworkManager[2033]:  Starting VPN
service 'openvpn'...
Nov 16 15:35:13 myWorkstation NetworkManager[2033]:  VPN service
'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 2125
Nov 16 15:35:13 myWorkstation kernel: tun: Universal TUN/TAP device driver,
1.6
Nov 16 15:35:13 myWorkstation kernel: tun: (C) 1999-2004 Max Krasnyansky <
m...@qualcomm.com>
Nov 16 15:35:13 myWorkstation NetworkManager[2033]:  VPN service
'openvpn' appeared; activating connections
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.828958] [nm-vpn-connection.c:902] get_secrets():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPN) requesting VPN secrets pass #1
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.831977] [nm-agent-manager.c:1100]
nm_agent_manager_get_secrets(): Secrets requested for connection
/org/freedesktop/NetworkManager/Set)
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.832486] [nm-settings-connection.c:850]
nm_settings_connection_get_secrets():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) secrets requ'
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.841727] [nm-agent-manager.c:1015] get_start(): (0xf81f8/vpn)
system settings secrets sufficient
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.842228] [nm-settings-connection.c:706] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) existing secrets returned
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.842587] [nm-settings-connection.c:712] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) secrets request completed
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.847864] [nm-settings-connection.c:751] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) new agent secrets processd
Nov 16 15:35:13 myWorkstation NetworkManager[2033]: 
[1321457713.848273] [nm-vpn-connection.c:870] get_secrets_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPN) asking service if additional
secrets ard
Nov 16 15:35:13 myWorkstation NetworkManager[2033]:  VPN plugin state
changed: 1
Nov 16 15:35:14 myWorkstation NetworkManager[2033]: 
[1321457714.22935] [nm-vpn-connection.c:840] plugin_need_secrets_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPN) service indicated no additional d
Nov 16 15:35:14 myWorkstation NetworkManager[2033]:  VPN plugin state
changed: 3
Nov 16 15:35:14 myWorkstation NetworkManager[2033]:  VPN connection
'VPN' (Connect) reply received.
Nov 16 15:35:14 myWorkstation nm-openvpn[2127]: OpenVPN 2.1.3
arm-unknown-linux-gnueabi [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
[eurephia] built on Oct 22 2010
Nov 16 15:35:14 myWorkstation nm-openvpn[2127]: WARNING: No server
certificate verification method has been enabled.  See
http://openvpn.net/howto.html#mitm for more info.
Nov 16 15:35:14 myWorkstation nm-openvpn[2127]: NOTE: the current
--script-security setting may allow this configuration to call user-defined
scripts
Nov 16 15:35:14 myWorkstation nm-openvpn[2127]: WARNING: file
'/etc/openvpn/certs/x-key.pem' is group or others accessible
Nov 16 15:35:14 myWorkstation nm-openvpn[2127]: /usr/bin/openssl-vulnkey -q
-b 2048 -m 
Nov 16 15:35:16 myWorkstation nm-openvpn[2127]: LZO compression initialized
Nov 16 15:35:16 myWorkstation nm-openvpn[2127]: UDPv4 link local: [undef]
Nov 16 15:35:16 myWorkstation nm-openvpn[2127]: UDPv4 link remote:
[AF_INET]xx.xx.xxx.xxx:1194
Nov 16 15:35:44 myWorkstation nm-openvpn[2127]: [serverVpnPrdItaly] Peer
Connection Initiated with [AF_INET]91.213.153.15:1194
Nov 16 15:35:49 myWorkstation NetworkManager[2033]: 
[1321457749.191751] [nm-netlink-monitor.c:117] link_msg_handler(): netlink
link message: iface idx 7 flags 0x1090
Nov 16 15:35:49 myWorkstation nm-openvpn[2127]: TUN/TAP device tun0 opened
Nov 16 15:35:49 myWorkstation nm-openvpn[2127]:
/usr/libexec/nm-openvpn-service-openvpn-helper tun0 1500 1542 10.9.0.101
10.9.0.1 init
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  VPN connection
'VPN' (IP Config Get) reply received.
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  VPN Gateway:
xx.xx.xxx.xxx
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  Internal
Gateway: 10.9.0.1
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  Tunnel Device:
tun0
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  Internal IP4
Address: 10.9.0.101
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  Internal IP4
Prefix: 32
Nov 16 15:35:49 myWorkstation NetworkManager[2033]:  Internal IP4
P

Re: OpenVpn plugin NeedSecret

2011-11-04 Thread Francesco Andrisani
[SOLVED]

I've solved the problem. Thanks a lot to Dan for his support.

I've added all secrets into
/etc/NetworkManager/system-connection/VPNconn... below is the correct structure:

[connection]
id=VPNconn
uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
type=vpn
autoconnect=FALSE

[ipv4]
method=auto

[vpn]
name=openvpn
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=xx..xx.it
proto-tcp=no
reneg-seconds=0
port=1194
ca=/etc/openvpn/certs/cacert.crt
cert=/etc/openvpn/certs/x.pem
key=/etc/openvpn/certs/xx-key.pem
comp-lzo=yes


[ipv6]
method=ignore

Regards

On Thu, Nov 3, 2011 at 4:43 PM, Dan Williams  wrote:

> On Thu, 2011-11-03 at 16:03 +0100, Francesco Andrisani wrote:
> > Thanks a lot. But I'm not able to know all the parameters to insert into
> > my /etc/NetworkManager/system-connections/VPNconnection.
> >
> > For example keyfile, certificate, etc.
> >
> > Please can you tell me how to find this information (all
> > parameters)?
>
> At the moment the best way to do this is to edit the connection with
> nm-connection-editor; otherwise it's a bit byzantine but the list of
> acceptable parameters is here:
>
>
> http://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.h
>
> and the values that these keys can contain are in the code, but it's
> probably non-trivial to pull them out.  I can see where documenting  the
> acceptable values in the header there would be a nice thing to do.
> Otherwise, if you have a config file you're importing from that would
> work, or I can help you figure out what to use if you can describe your
> VPN setup more.  Or nm-connection-editor.
>
> Dan
>
>
> > Thanks and regards
> >
> > On Thu, Nov 3, 2011 at 3:51 PM, Dan Williams  wrote:
> > On Thu, 2011-11-03 at 10:26 +0100, Francesco Andrisani wrote:
> > > Another DEBUG info:
> > >
> > > debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service
> > --debug
> > > ** Message: nm-openvpn-service (version 0.9.0) starting...
> > > ** Message: real_need_secrets: connection
> > > -
> > > connection
> > > name : "connection"
> > > id : "VPNconnection" (s)
> > > uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
> > > type : "vpn" (s)
> > > permissions : [] (sd)
> > > autoconnect : FALSE (s)
> > > timestamp : 0 (sd)
> > > read-only : FALSE (sd)
> > >
> > >
> > > ipv4
> > > name : "ipv4"
> > > method : "auto" (s)
> > > dns : [] (s)
> > > dns-search : [] (sd)
> > > addresses : [] (s)
> > > routes : [] (s)
> > > ignore-auto-routes : FALSE (sd)
> > > ignore-auto-dns : FALSE (sd)
> > > dhcp-client-id : NULL (sd)
> > > dhcp-send-hostname : TRUE (sd)
> > > dhcp-hostname : NULL (sd)
> > > never-default : FALSE (sd)
> > > may-fail : FALSE (sd)
> > >
> > >
> > > ipv6
> > > name : "ipv6"
> > > method : "ignore" (s)
> > > dns : [] (s)
> > > dns-search : [] (sd)
> > > addresses : [] (s)
> > > routes : [] (s)
> > > ignore-auto-routes : FALSE (sd)
> > > ignore-auto-dns : FALSE (sd)
> > > never-default : FALSE (sd)
> > > may-fail : TRUE (sd)
> > >
> > >
> > > vpn
> > > name : "vpn"
> > > service-type :
> > "org.freedesktop.NetworkManager.openvpn" (s)
> > > user-name : NULL (sd)
> > > data : [ { 'name': openvpn }, ] (s)
> > > secrets : [ ] (s)
> >
> >
> > So here's the problem; the [vpn] setting isn't completely
> > specified.
> > Did you import this connection from an openvpn config file?
> >  Unless this
> > was changed at some point (or there's a bug in the editor)
> > this
> > connection was never valid sinc

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Dan Williams
On Thu, 2011-11-03 at 16:03 +0100, Francesco Andrisani wrote:
> Thanks a lot. But I'm not able to know all the parameters to insert into
> my /etc/NetworkManager/system-connections/VPNconnection.
>
> For example keyfile, certificate, etc.
>
> Please can you tell me how to find this information (all
> parameters)?

At the moment the best way to do this is to edit the connection with
nm-connection-editor; otherwise it's a bit byzantine but the list of
acceptable parameters is here:

http://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.h

and the values that these keys can contain are in the code, but it's
probably non-trivial to pull them out.  I can see where documenting  the
acceptable values in the header there would be a nice thing to do.
Otherwise, if you have a config file you're importing from that would
work, or I can help you figure out what to use if you can describe your
VPN setup more.  Or nm-connection-editor.

Dan


> Thanks and regards
> 
> On Thu, Nov 3, 2011 at 3:51 PM, Dan Williams  wrote:
> On Thu, 2011-11-03 at 10:26 +0100, Francesco Andrisani wrote:
> > Another DEBUG info:
> >
> > debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service
> --debug
> > ** Message: nm-openvpn-service (version 0.9.0) starting...
> > ** Message: real_need_secrets: connection
> > -
> > connection
> > name : "connection"
> > id : "VPNconnection" (s)
> > uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
> > type : "vpn" (s)
> > permissions : [] (sd)
> > autoconnect : FALSE (s)
> > timestamp : 0 (sd)
> > read-only : FALSE (sd)
> >
> >
> > ipv4
> > name : "ipv4"
> > method : "auto" (s)
> > dns : [] (s)
> > dns-search : [] (sd)
> > addresses : [] (s)
> > routes : [] (s)
> > ignore-auto-routes : FALSE (sd)
> > ignore-auto-dns : FALSE (sd)
> > dhcp-client-id : NULL (sd)
> > dhcp-send-hostname : TRUE (sd)
> > dhcp-hostname : NULL (sd)
> > never-default : FALSE (sd)
> > may-fail : FALSE (sd)
> >
> >
> > ipv6
> > name : "ipv6"
> > method : "ignore" (s)
> > dns : [] (s)
> > dns-search : [] (sd)
> > addresses : [] (s)
> > routes : [] (s)
> > ignore-auto-routes : FALSE (sd)
> > ignore-auto-dns : FALSE (sd)
> > never-default : FALSE (sd)
> > may-fail : TRUE (sd)
> >
> >
> > vpn
> > name : "vpn"
> > service-type :
> "org.freedesktop.NetworkManager.openvpn" (s)
> > user-name : NULL (sd)
> > data : [ { 'name': openvpn }, ] (s)
> > secrets : [ ] (s)
> 
> 
> So here's the problem; the [vpn] setting isn't completely
> specified.
> Did you import this connection from an openvpn config file?
>  Unless this
> was changed at some point (or there's a bug in the editor)
> this
> connection was never valid since it doesn't have the required
> connection
> type field and a few other things.  Here's what it *should*
> look like:
> 
> [vpn]
> service-type=org.freedesktop.NetworkManager.openvpn
> connection-type=password
> password-flags=3
> remote=ovpn.mycompany.com
> cipher=AES-256-CBC
> proto-tcp=yes
> reneg-seconds=0
> port=443
> username=dcbw
> ca=/home/dcbw/MyCA.pem
> 
> or something along those lines.  If you imported it from a
> config file,
> can you try doing that again?  If it still looks like this,
> can you send
> me the config file so I can see what's going wrong?
> 
> Dan
> 
> > Regards
> >
> >
> > On Thu, Nov 3, 2011 at 10:12 AM, Francesco Andrisani
> >  wrote:
> > OK.
> >
> > So i've installed ope

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Francesco Andrisani
Hi,
Then... below are my new (NetworkManager-openvpn) config file and client.conf
(openvpn) config file:

debian# cat /etc/NetworkManager/system-connections/VPNconnection
[connection]
id=VPNconnection
uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
type=vpn
autoconnect=FALSE

[ipv4]
method=auto

[vpn]
name=openvpn
service-type=org.freedesktop.NetworkManager.openvpn
remote=openvpn.xxx.x.it
proto-udp=yes
reneg-seconds=0
port=1194
ca=/etc/openvpn/certs/cacert.crt
cert=/etc/openvpn/certs/-vpn.pem
key=/etc/openvpn/certs/x-vpn-key.pem

[ipv6]
method=ignore

debian# cat /etc/openvpn/client.conf
client
dev tun
proto udp
# This is the remote ip address and port of the VPN Server
remote openvpn.xxx.xx.it
resolv-retry infinite
ping 10
ping-restart 60
nobind
persist-key
persist-tun
ca certs/cacert.crt
cert certs/-vpn.pem
key certs/xx-vpn-key.pem
verb 3
comp-lzo
explicit-exit-notify 2
log-append /var/log/openvpn.log

Now... after your changes, if I try to start the VPN from NetworkManager I can
see these logs:

Nov  3 16:26:54 debian NetworkManager[2899]:  Starting VPN service
'openvpn'...
Nov  3 16:26:54 debian NetworkManager[2899]:  VPN service 'openvpn'
started (org.freedesktop.NetworkManager.openvpn), PID 3296
Nov  3 16:26:54 debian NetworkManager[2899]:  VPN service 'openvpn'
appeared; activating connections
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.716383]
[nm-vpn-connection.c:902] get_secrets():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) requesting VPN secrets
pass #1
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.716961]
[nm-agent-manager.c:1100] nm_agent_manager_get_secrets(): Secrets requested
for connection /org/freedesktop/NetworkManager/Settings/5 (vpn)
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.717110]
[nm-settings-connection.c:850] nm_settings_connection_get_secrets():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:3) secrets requested flags
0x8000 hint '(null)'
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.720913]
[nm-agent-manager.c:1015] get_start(): (0xfcba0/vpn) system settings
secrets sufficient
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.721055]
[nm-settings-connection.c:706] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:3) existing secrets returned
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.721154]
[nm-settings-connection.c:712] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:3) secrets request completed
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.733265]
[nm-settings-connection.c:751] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:3) new agent secrets processed
Nov  3 16:26:54 debian NetworkManager[2899]:  [1320337614.733906]
[nm-vpn-connection.c:870] get_secrets_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) asking service if
additional secrets are required
Nov  3 16:26:54 debian NetworkManager[2899]:  VPN plugin state
changed: 1
Nov  3 16:26:54 debian NetworkManager[2899]:  Policy set
'MyConnection' (eth0) as default for IPv4 routing and DNS.
Nov  3 16:27:00 debian NetworkManager[2899]:  VPN service 'openvpn'
disappeared
Nov  3 16:27:02 debian NetworkManager[2899]:  [1320337622.2972]
[nm-vpn-service.c:267] ensure_killed(): waiting for VPN service pid 3296 to
exit
Nov  3 16:27:02 debian NetworkManager[2899]:  [1320337622.3592]
[nm-vpn-service.c:269] ensure_killed(): VPN service pid 3296 cleaned up

Thanks and Regards

On Thu, Nov 3, 2011 at 4:03 PM, Francesco Andrisani <
francesco.andris...@acotel.com> wrote:

> Thanks a lot. But I'm not able to know all the parameters to insert into my
> /etc/NetworkManager/system-connections/VPNconnection.
>
> For example keyfile, certificate, etc.
>
> Please can you tell me how to find this information (all parameters)?
>
> Thanks and regards
>
>
> On Thu, Nov 3, 2011 at 3:51 PM, Dan Williams  wrote:
>
>> On Thu, 2011-11-03 at 10:26 +0100, Francesco Andrisani wrote:
>> > Another DEBUG info:
>> >
>> > debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service --debug
>> > ** Message: nm-openvpn-service (version 0.9.0) starting...
>> > ** Message: real_need_secrets: connection
>> > -
>> > connection
>> > name : "connection"
>> > id : "VPNconnection" (s)
>> > uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
>> > type : "vpn" (s)
>> > permissions : [] (sd)
>> > autoconnect : FALSE (s)
>> > timestamp : 0 (sd)
>> > read-only : FALSE (sd)
>> >
>> >
>> > ipv4
>> > name : "ipv4"
>> > method : "auto" (s)
>> > dns : [] (s)
>> >

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Francesco Andrisani
Thanks a lot. But I'm not able to know all the parameters to insert into my
/etc/NetworkManager/system-connections/VPNconnection.

For example keyfile, certificate, etc.

Please can you tell me how to find this information (all parameters)?

Thanks and regards

On Thu, Nov 3, 2011 at 3:51 PM, Dan Williams  wrote:

> On Thu, 2011-11-03 at 10:26 +0100, Francesco Andrisani wrote:
> > Another DEBUG info:
> >
> > debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service --debug
> > ** Message: nm-openvpn-service (version 0.9.0) starting...
> > ** Message: real_need_secrets: connection
> > -
> > connection
> > name : "connection"
> > id : "VPNconnection" (s)
> > uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
> > type : "vpn" (s)
> > permissions : [] (sd)
> > autoconnect : FALSE (s)
> > timestamp : 0 (sd)
> > read-only : FALSE (sd)
> >
> >
> > ipv4
> > name : "ipv4"
> > method : "auto" (s)
> > dns : [] (s)
> > dns-search : [] (sd)
> > addresses : [] (s)
> > routes : [] (s)
> > ignore-auto-routes : FALSE (sd)
> > ignore-auto-dns : FALSE (sd)
> > dhcp-client-id : NULL (sd)
> > dhcp-send-hostname : TRUE (sd)
> > dhcp-hostname : NULL (sd)
> > never-default : FALSE (sd)
> > may-fail : FALSE (sd)
> >
> >
> > ipv6
> > name : "ipv6"
> > method : "ignore" (s)
> > dns : [] (s)
> > dns-search : [] (sd)
> > addresses : [] (s)
> > routes : [] (s)
> > ignore-auto-routes : FALSE (sd)
> > ignore-auto-dns : FALSE (sd)
> > never-default : FALSE (sd)
> > may-fail : TRUE (sd)
> >
> >
> > vpn
> > name : "vpn"
> > service-type : "org.freedesktop.NetworkManager.openvpn" (s)
> > user-name : NULL (sd)
> > data : [ { 'name': openvpn }, ] (s)
> > secrets : [ ] (s)
>
> So here's the problem; the [vpn] setting isn't completely specified.
> Did you import this connection from an openvpn config file?  Unless this
> was changed at some point (or there's a bug in the editor) this
> connection was never valid since it doesn't have the required connection
> type field and a few other things.  Here's what it *should* look like:
>
> [vpn]
> service-type=org.freedesktop.NetworkManager.openvpn
> connection-type=password
> password-flags=3
> remote=ovpn.mycompany.com
> cipher=AES-256-CBC
> proto-tcp=yes
> reneg-seconds=0
> port=443
> username=dcbw
> ca=/home/dcbw/MyCA.pem
>
> or something along those lines.  If you imported it from a config file,
> can you try doing that again?  If it still looks like this, can you send
> me the config file so I can see what's going wrong?
>
> Dan
>
> > Regards
> >
> >
> > On Thu, Nov 3, 2011 at 10:12 AM, Francesco Andrisani
> >  wrote:
> > OK.
> >
> > So I've installed the openvpn client on my workstation with
> > certificate authentication and... it works fine.
> > About NetworkManager-openvpn, I've installed (from sources) the
> > 0.9.0 version, the same as NetworkManager (it was also installed
> > from sources).
> >
> > A clarification... I use the system without an X server (no gnome,
> > no kde).
> > Below are my NetworkManager and NetworkManager-openvpn
> > configuration files.
> >
> > debian:/etc/NetworkManager# cat
> > system-connections/VPNconnection
> > [connection]
> > id=VPNconnection
> > uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
> > type=vpn
> > autoconnect=FALSE
> >
> > [ipv4]
> > method=auto
> >
> > [vpn]
> > name=openvpn
> > service-type=org.freedesktop.NetworkManager.openvpn
> >
> > [ipv6]
> > method=ignore
> >
> > I've no secrets specified here. Is it correct? I've no
> > password for starting the openvpn client manually. Only certificate
> > authentication.
> >
> > debian:/etc/NetworkManager# cat VPN/nm-openvpn-service.name
> > [VPN Connection]
> > name=openvpn
> > service=org.freedesktop.NetworkManager.openvpn
> > program=/usr/libexec/nm-openvpn-service
> >
> > Regards
>

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Dan Williams
On Thu, 2011-11-03 at 10:26 +0100, Francesco Andrisani wrote:
> Another DEBUG info:
> 
> debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service --debug
> ** Message: nm-openvpn-service (version 0.9.0) starting...
> ** Message: real_need_secrets: connection
> -
> connection
> name : "connection"
> id : "VPNconnection" (s)
> uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
> type : "vpn" (s)
> permissions : [] (sd)
> autoconnect : FALSE (s)
> timestamp : 0 (sd)
> read-only : FALSE (sd)
> 
> 
> ipv4
> name : "ipv4"
> method : "auto" (s)
> dns : [] (s)
> dns-search : [] (sd)
> addresses : [] (s)
> routes : [] (s)
> ignore-auto-routes : FALSE (sd)
> ignore-auto-dns : FALSE (sd)
> dhcp-client-id : NULL (sd)
> dhcp-send-hostname : TRUE (sd)
> dhcp-hostname : NULL (sd)
> never-default : FALSE (sd)
> may-fail : FALSE (sd)
> 
> 
> ipv6
> name : "ipv6"
> method : "ignore" (s)
> dns : [] (s)
> dns-search : [] (sd)
> addresses : [] (s)
> routes : [] (s)
> ignore-auto-routes : FALSE (sd)
> ignore-auto-dns : FALSE (sd)
> never-default : FALSE (sd)
> may-fail : TRUE (sd)
> 
> 
> vpn
> name : "vpn"
> service-type : "org.freedesktop.NetworkManager.openvpn" (s)
> user-name : NULL (sd)
> data : [ { 'name': openvpn }, ] (s)
> secrets : [ ] (s)

So here's the problem; the [vpn] setting isn't completely specified.
Did you import this connection from an openvpn config file?  Unless this
was changed at some point (or there's a bug in the editor) this
connection was never valid since it doesn't have the required connection
type field and a few other things.  Here's what it *should* look like:

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password
password-flags=3
remote=ovpn.mycompany.com
cipher=AES-256-CBC
proto-tcp=yes
reneg-seconds=0
port=443
username=dcbw
ca=/home/dcbw/MyCA.pem

or something along those lines.  If you imported it from a config file,
can you try doing that again?  If it still looks like this, can you send
me the config file so I can see what's going wrong?

Dan

> Regards
> 
> 
> On Thu, Nov 3, 2011 at 10:12 AM, Francesco Andrisani
>  wrote:
> OK.
> 
> So I've installed the openvpn client on my workstation with
> certificate authentication and... it works fine.
> About NetworkManager-openvpn, I've installed (from sources) the
> 0.9.0 version, the same as NetworkManager (it was also installed
> from sources).
>
> A clarification... I use the system without an X server (no gnome,
> no kde).
> Below are my NetworkManager and NetworkManager-openvpn
> configuration files.
> 
> debian:/etc/NetworkManager# cat
> system-connections/VPNconnection 
> [connection]
> id=VPNconnection
> uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
> type=vpn
> autoconnect=FALSE
> 
> [ipv4]
> method=auto
>
> [vpn]
> name=openvpn
> service-type=org.freedesktop.NetworkManager.openvpn
>
> [ipv6]
> method=ignore
> 
> I've no secrets specified here. Is it correct? I've no
> password for starting the openvpn client manually. Only certificate
> authentication.
> 
> debian:/etc/NetworkManager# cat VPN/nm-openvpn-service.name 
> [VPN Connection]
> name=openvpn
> service=org.freedesktop.NetworkManager.openvpn
> program=/usr/libexec/nm-openvpn-service
> 
> Regards
> 
> 
> 
> On Thu, Nov 3, 2011 at 2:25 AM, Dan Williams 
> wrote:
> On Wed, 2011-11-02 at 10:21 +0100, Francesco Andrisani
> wrote:
> > (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection)
> plugin
> > NeedSecrets
> > request #1 failed: dbus-glib-error-quark Invalid
> connection type.
> 
> 
> This part is the problem.  Any chance you could paste
> in your vpn
> connection file
> from /etc/NetworkManager/system-connections for us to
> look at?  Remove any passwords and  out any
> sensit
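
Added example (not part of the thread and not NetworkManager-openvpn code): a pre-flight check for the keyfile problem diagnosed above, a [vpn] section with no connection-type, plus the private-key permission condition behind the "group or others accessible" warning in the GSM log on this page. The required-key sets are an assumption inferred from the two working configurations quoted in the thread; host and file names in the samples are constructed.

```python
import configparser
import os
import stat

OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"

# Assumption: minimum [vpn] keys per connection-type, inferred from the two
# working configurations quoted in this thread, not from nm-openvpn-service.h.
REQUIRED_BY_TYPE = {
    "tls": ("remote", "ca", "cert", "key"),
    "password": ("remote", "username", "ca"),
}

# Constructed samples modelled on the thread (host and file names are made up).
FIRST_ATTEMPT = """\
[connection]
id=VPNconnection
type=vpn

[vpn]
name=openvpn
service-type=org.freedesktop.NetworkManager.openvpn
"""

# Second attempt: paths added, but still no connection-type.
SECOND_ATTEMPT = FIRST_ATTEMPT + """\
remote=vpn.example.invalid
proto-udp=yes
port=1194
ca=/etc/openvpn/certs/cacert.crt
cert=/etc/openvpn/certs/client.pem
key=/etc/openvpn/certs/client-key.pem
"""

# Working form: connection-type=tls and proto-tcp=no, as in the [SOLVED] post.
WORKING = SECOND_ATTEMPT.replace("proto-udp=yes", "connection-type=tls\nproto-tcp=no")


def parse_keyfile(text):
    """Parse NetworkManager keyfile text, keeping key names case-sensitive."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_vpn_section(text):
    """Return a list of problems in the [vpn] section; an empty list means OK."""
    cfg = parse_keyfile(text)
    if not cfg.has_section("vpn"):
        return ["no [vpn] section"]
    vpn = dict(cfg.items("vpn"))
    problems = []
    if vpn.get("service-type") != OPENVPN_SERVICE:
        problems.append("service-type is not the openvpn plugin")
    ctype = vpn.get("connection-type")
    if ctype is None:
        # This is the case that produced 'Invalid connection type' in the thread.
        problems.append("connection-type missing from [vpn]")
        return problems
    required = REQUIRED_BY_TYPE.get(ctype)
    if required is None:
        problems.append(f"connection-type {ctype!r} is not covered by this check")
        return problems
    for key in required:
        if not vpn.get(key):
            problems.append(f"{key} missing for connection-type={ctype}")
    return problems


def key_file_too_open(path):
    """True if group or others have any permission bit on the private key file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    samples = (("first attempt", FIRST_ATTEMPT),
               ("second attempt", SECOND_ATTEMPT),
               ("working", WORKING))
    for label, text in samples:
        print(label, "->", check_vpn_section(text) or "OK")
```

Run `key_file_too_open()` against the path in the `key=` entry; tightening that file to mode 0600 clears the condition.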

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Francesco Andrisani
Another DEBUG info:

debian:/etc/NetworkManager# /usr/libexec/nm-openvpn-service --debug
** Message: nm-openvpn-service (version 0.9.0) starting...
** Message: real_need_secrets: connection
-
connection
name : "connection"
id : "VPNconnection" (s)
uuid : "355653c0-34d3-4777-ad25-f9a498b7ef8e" (s)
type : "vpn" (s)
permissions : [] (sd)
autoconnect : FALSE (s)
timestamp : 0 (sd)
read-only : FALSE (sd)


ipv4
name : "ipv4"
method : "auto" (s)
dns : [] (s)
dns-search : [] (sd)
addresses : [] (s)
routes : [] (s)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-client-id : NULL (sd)
dhcp-send-hostname : TRUE (sd)
dhcp-hostname : NULL (sd)
never-default : FALSE (sd)
may-fail : FALSE (sd)


ipv6
name : "ipv6"
method : "ignore" (s)
dns : [] (s)
dns-search : [] (sd)
addresses : [] (s)
routes : [] (s)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)


vpn
name : "vpn"
service-type : "org.freedesktop.NetworkManager.openvpn" (s)
user-name : NULL (sd)
data : [ { 'name': openvpn }, ] (s)
secrets : [ ] (s)

Regards


On Thu, Nov 3, 2011 at 10:12 AM, Francesco Andrisani <
francesco.andris...@acotel.com> wrote:

> OK.
>
> So I've installed the openvpn client on my workstation with certificate
> authentication and... it works fine.
> About NetworkManager-openvpn, I've installed (from sources) the 0.9.0 version,
> the same as NetworkManager (it was also installed from sources).
>
> A clarification... I use the system without an X server (no gnome, no kde).
> Below are my NetworkManager and NetworkManager-openvpn configuration files.
>
> debian:/etc/NetworkManager# cat system-connections/VPNconnection
> [connection]
> id=VPNconnection
> uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
> type=vpn
> autoconnect=FALSE
>
> [ipv4]
> method=auto
>
> [vpn]
> name=openvpn
> service-type=org.freedesktop.NetworkManager.openvpn
>
> [ipv6]
> method=ignore
>
> I've no secrets specified here. Is it correct? I've no password for starting
> the openvpn client manually. Only certificate authentication.
>
> debian:/etc/NetworkManager# cat VPN/nm-openvpn-service.name
> [VPN Connection]
> name=openvpn
> service=org.freedesktop.NetworkManager.openvpn
> program=/usr/libexec/nm-openvpn-service
>
> Regards
>
>
>
> On Thu, Nov 3, 2011 at 2:25 AM, Dan Williams  wrote:
>
>> On Wed, 2011-11-02 at 10:21 +0100, Francesco Andrisani wrote:
>> > (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin
>> > NeedSecrets
>> > request #1 failed: dbus-glib-error-quark Invalid connection type.
>>
>> This part is the problem.  Any chance you could paste in your vpn
>> connection file from /etc/NetworkManager/system-connections for us to
>> look at?  Remove any passwords and  out any sensitive information
>> before doing so.
>>
>> Any idea what version of NetworkManager-openvpn you've got installed?
>>
>> Dan
>>
>>
>>
>
>
> --
> 
> *Francesco Andrisani*
> mailto:francesco.andris...@acotel.com
> *Acotel Spa*
> http://www.acotel.com
> Via della Valle dei Fontanili, 29
> 00168 Roma
> Tel +390661141200
> Fax +39066149936
> 
>


-- 

*Francesco Andrisani*
mailto:francesco.andris...@acotel.com
*Acotel Spa*
http://www.acotel.c

Re: OpenVpn plugin NeedSecret

2011-11-03 Thread Francesco Andrisani
OK.

So I've installed the openvpn client on my workstation with certificate
authentication and... it works fine.
About NetworkManager-openvpn, I've installed (from sources) the 0.9.0 version,
the same as NetworkManager (it was also installed from sources).

A clarification... I use the system without an X server (no gnome, no kde).
Below are my NetworkManager and NetworkManager-openvpn configuration files.

debian:/etc/NetworkManager# cat system-connections/VPNconnection
[connection]
id=VPNconnection
uuid=355653c0-34d3-4777-ad25-f9a498b7ef8e
type=vpn
autoconnect=FALSE

[ipv4]
method=auto

[vpn]
name=openvpn
service-type=org.freedesktop.NetworkManager.openvpn

[ipv6]
method=ignore

I've no secrets specified here. Is it correct? I've no password for starting
the openvpn client manually. Only certificate authentication.

debian:/etc/NetworkManager# cat VPN/nm-openvpn-service.name
[VPN Connection]
name=openvpn
service=org.freedesktop.NetworkManager.openvpn
program=/usr/libexec/nm-openvpn-service

Regards


On Thu, Nov 3, 2011 at 2:25 AM, Dan Williams  wrote:

> On Wed, 2011-11-02 at 10:21 +0100, Francesco Andrisani wrote:
> > (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin
> > NeedSecrets
> > request #1 failed: dbus-glib-error-quark Invalid connection type.
>
> This part is the problem.  Any chance you could paste in your vpn
> connection file from /etc/NetworkManager/system-connections for us to
> look at?  Remove any passwords and  out any sensitive information
> before doing so.
>
> Any idea what version of NetworkManager-openvpn you've got installed?
>
> Dan
>
>
>


-- 

*Francesco Andrisani*
mailto:francesco.andris...@acotel.com
*Acotel Spa*
http://www.acotel.com
Via della Valle dei Fontanili, 29
00168 Roma
Tel +390661141200
Fax +39066149936




Re: OpenVpn plugin NeedSecret

2011-11-02 Thread Dan Williams
On Wed, 2011-11-02 at 10:21 +0100, Francesco Andrisani wrote:
> (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin
> NeedSecrets
> request #1 failed: dbus-glib-error-quark Invalid connection type. 

This part is the problem.  Any chance you could paste in your vpn
connection file from /etc/NetworkManager/system-connections for us to
look at?  Remove any passwords and  out any sensitive information
before doing so.

Any idea what version of NetworkManager-openvpn you've got installed?

Dan




Re: OpenVpn plugin NeedSecret

2011-11-02 Thread Francesco Andrisani
Hi,
sorry for the delay.
Below is the piece of log with log-level DEBUG:

NetworkManager[3054]:  Starting VPN service 'openvpn'...
NetworkManager[3054]:  VPN service 'openvpn' started
(org.freedesktop.NetworkManager.openvpn), PID 3089
NetworkManager[3054]:  VPN service 'openvpn' appeared; activating
connections
NetworkManager[3054]:  [1320230029.479049] [nm-vpn-connection.c:902]
get_secrets(): (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection)
requesting VPN secrets pass #1
NetworkManager[3054]:  [1320230029.481972] [nm-agent-manager.c:1100]
nm_agent_manager_get_secrets(): Secrets requested for connection
/org/freedesktop/NetworkManager/Settings/0 (vpn)
NetworkManager[3054]:  [1320230029.485727]
[nm-settings-connection.c:850] nm_settings_connection_get_secrets():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) secrets requested flags
0x8000 hint '(null)'
NetworkManager[3054]:  VPN plugin state changed: 1
NetworkManager[3054]:  [1320230029.491319] [nm-agent-manager.c:1015]
get_start(): (0xe1c10/vpn) system settings secrets sufficient
NetworkManager[3054]:  [1320230029.492466]
[nm-settings-connection.c:706] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) existing secrets returned
NetworkManager[3054]:  [1320230029.492907]
[nm-settings-connection.c:712] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) secrets request completed
NetworkManager[3054]:  [1320230029.497663]
[nm-settings-connection.c:751] agent_secrets_done_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/vpn:2) new agent secrets processed
NetworkManager[3054]:  [1320230029.498118] [nm-vpn-connection.c:870]
get_secrets_cb(): (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection)
asking service if additional secrets are required
NetworkManager[3054]:  [1320230029.511927] [nm-vpn-connection.c:823]
plugin_need_secrets_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin NeedSecrets
request #1 failed: dbus-glib-error-quark Invalid connection type.
NetworkManager[3054]:  Policy set 'MyConnection' (eth0) as default
for IPv4 routing and DNS.
NetworkManager[3054]:  VPN service 'openvpn' disappeared
NetworkManager[3054]:  [1320230037.2325] [nm-vpn-service.c:267]
ensure_killed(): waiting for VPN service pid 3089 to exit
NetworkManager[3054]:  [1320230037.2932] [nm-vpn-service.c:269]
ensure_killed(): VPN service pid 3089 cleaned up

Thank you

On Mon, Oct 31, 2011 at 11:28 PM, Dan Williams  wrote:

> On Fri, 2011-10-28 at 18:34 +0200, Francesco Andrisani wrote:
> > Hi,
> > I'm a newbie to NetworkManager, so sorry for any errors.
> >
> > I'm a Debian user. I've downloaded and compiled NetworkManager-0.9.0
> > with ModemManager 0.5 and the NetworkManager-openvpn-0.9.0 plugin.
> > NetworkManager works fine. I'm able with my custom python script to
> > use ethernet and gsm at modem.
> >
> > My problem is when I try to start OpenVPN (using NM) through the ethernet
> > device.
> > I continuously see in the NM logs:
> >
> > Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]: 
> > Starting VPN service 'openvpn'...
> > Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]:  VPN
> > service 'openvpn' started (org.freedesktop.NetworkManager.openvpn),
> > PID 2416
> > tun: Universal TUN/TAP device driver, 1.6
> > tun: (C) 1999-2004 Max Krasnyansky 
> > Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN
> > service 'openvpn' appeared; activating connections
> > Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN
> > plugin state changed: 1
> > Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]: 
> > [1319822207.127668] [nm-vpn-connection.c:823]
> > plugin_need_secrets_cb():
> > (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin
> > NeedSecret.
> > Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  Policy
> > set 'MyConnection' (eth0) as default for IPv4 routing and DNS.
> > Oct 28 17:16:52 sheevaplug-debian NetworkManager[2327]:  VPN
> > service 'openvpn' disappeared
>
> The error message appears to be somewhat cut off; can you grab the full
> message from [nm-vpn-connection.c:823] plugin_need_secrets_cb() for us?
> That will have more information about where the problem may lie.
>
> It should be something like:
>
> (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin NeedSecrets
> request 1 failed:  
>
> Dan
>
>


-- 

*Francesco Andrisani*
mailto:francesco.andris...@acotel.com
*Acotel Spa*
http://www.acotel.com
Via della Valle dei Fontanili, 29
00168 Roma
Tel +390661141200
Fax +39066149936
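
An added example, not part of the thread or of NetworkManager: a Python helper that rejoins wrapped log lines like the ones above and pulls out the NeedSecrets failure Dan asks for, flagging records whose message was cut off. The sample log is constructed (placeholder UUID and host name) and the function names are hypothetical.

```python
import re

# Constructed sample: a truncated syslog record followed by the full
# debug-level record, wrapped the way a mail client wraps them.
SAMPLE_LOG = """\
Oct 28 17:16:47 host NetworkManager[2327]: <debug> [1319822207.127668]
[nm-vpn-connection.c:823] plugin_need_secrets_cb():
(11111111-2222-3333-4444-555555555555/VPNconnection) plugin
NeedSecret.
Oct 28 17:16:52 host NetworkManager[2327]: <info> VPN service 'openvpn' disappeared
NetworkManager[3054]: <debug> [1320230029.511927] [nm-vpn-connection.c:823]
plugin_need_secrets_cb():
(11111111-2222-3333-4444-555555555555/VPNconnection) plugin NeedSecrets
request #1 failed: dbus-glib-error-quark Invalid connection type.
NetworkManager[3054]: <info> VPN service 'openvpn' disappeared
"""

# A record starts with an optional syslog prefix and "NetworkManager[pid]:".
RECORD_START = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s\S+\s)?NetworkManager\[\d+\]:")

# "(uuid/name) plugin NeedSecrets request #N failed: <domain> <message>";
# the "request ... failed" tail is optional so cut-off records still match.
NEED_SECRETS = re.compile(
    r"\((?P<uuid>[0-9a-f-]{36})/(?P<name>[^)]+)\) plugin NeedSecrets?"
    r"(?: request #?(?P<request>\d+) failed: (?P<error>.+))?")


def unwrap(text):
    """Join continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    # Collapse runs of whitespace left over from wrapping.
    return [" ".join(r.split()) for r in records]


def need_secrets_failures(text):
    """Return one dict per NeedSecrets failure found in the log text."""
    records = unwrap(text)
    failures = []
    for i, rec in enumerate(records):
        m = NEED_SECRETS.search(rec)
        if not m:
            continue
        error = m.group("error")
        # The first token of the error is the GError domain, the rest the text.
        domain, _, message = (error or "").partition(" ")
        failures.append({
            "uuid": m.group("uuid"),
            "connection": m.group("name"),
            "request": int(m.group("request")) if m.group("request") else None,
            "domain": domain or None,
            "message": message or None,
            "truncated": error is None,  # ask for debug-level logs if True
            "service_exited": any("VPN service" in r and "disappeared" in r
                                  for r in records[i + 1:]),
        })
    return failures


if __name__ == "__main__":
    for failure in need_secrets_failures(SAMPLE_LOG):
        print(failure)
```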



Re: OpenVpn plugin NeedSecret

2011-10-31 Thread Dan Williams
On Fri, 2011-10-28 at 18:34 +0200, Francesco Andrisani wrote:
> Hi,
> I'm a newbie to NetworkManager, so sorry for any errors.
> 
> I'm a Debian user. I've downloaded and compiled NetworkManager-0.9.0
> with ModemManager 0.5 and the NetworkManager-openvpn-0.9.0 plugin.
> NetworkManager works fine. I'm able with my custom python script to
> use ethernet and gsm at modem.
> 
> My problem is when I try to start OpenVPN (using NM) through the ethernet
> device.
> I continuously see in the NM logs:
> 
> Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]: 
> Starting VPN service 'openvpn'...
> Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]:  VPN
> service 'openvpn' started (org.freedesktop.NetworkManager.openvpn),
> PID 2416
> tun: Universal TUN/TAP device driver, 1.6
> tun: (C) 1999-2004 Max Krasnyansky 
> Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN
> service 'openvpn' appeared; activating connections
> Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN
> plugin state changed: 1
> Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]: 
> [1319822207.127668] [nm-vpn-connection.c:823]
> plugin_need_secrets_cb():
> (355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin
> NeedSecret.
> Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  Policy
> set 'MyConnection' (eth0) as default for IPv4 routing and DNS.
> Oct 28 17:16:52 sheevaplug-debian NetworkManager[2327]:  VPN
> service 'openvpn' disappeared

The error message appears to be somewhat cut off; can you grab the full
message from [nm-vpn-connection.c:823] plugin_need_secrets_cb() for us?
That will have more information about where the problem may lie.

It should be something like:

(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin NeedSecrets
request 1 failed:  

Dan



OpenVpn plugin NeedSecret

2011-10-28 Thread Francesco Andrisani
Hi,
I'm a newbie to NetworkManager, so sorry for any errors.

I'm a Debian user. I've downloaded and compiled NetworkManager-0.9.0 with
ModemManager 0.5 and the NetworkManager-openvpn-0.9.0 plugin.
NetworkManager works fine. I'm able with my custom python script to use
ethernet and gsm at modem.

My problem is when I try to start OpenVPN (using NM) through the ethernet
device.
I continuously see in the NM logs:

Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]:  Starting VPN
service 'openvpn'...
Oct 28 17:16:46 sheevaplug-debian NetworkManager[2327]:  VPN service
'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 2416
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky 
Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN service
'openvpn' appeared; activating connections
Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  VPN plugin
state changed: 1
*Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]: 
[1319822207.127668] [nm-vpn-connection.c:823] plugin_need_secrets_cb():
(355653c0-34d3-4777-ad25-f9a498b7ef8e/VPNconnection) plugin NeedSecret.*
Oct 28 17:16:47 sheevaplug-debian NetworkManager[2327]:  Policy set
'MyConnection' (eth0) as default for IPv4 routing and DNS.
Oct 28 17:16:52 sheevaplug-debian NetworkManager[2327]:  VPN service
'openvpn' disappeared

I've added at_console user permission into the config file of d-bus... but I'm
not able to solve it.

Can someone help me, please?

Regards
-- 

*Francesco Andrisani*
mailto:francesco.andris...@acotel.com
*Acotel Spa*
http://www.acotel.com
Via della Valle dei Fontanili, 29
00168 Roma
Tel +390661141200
Fax +39066149936




usb stick and openvpn

2011-08-24 Thread Luca Orlandi
Hello,
I've finally determined that networkmanager cannot connect through my
usb stick (Onda MT833UP) while the network-manager-openvpn-gnome package is
installed.

I'm using ubuntu 11.04 (2.6.38-8-generic).
Any suggestion?
Thank you

-Luca <http://about.me/lrkwz>


Re: Howto debug OpenVPN connection?

2011-06-30 Thread Dan Williams
On Tue, 2011-06-21 at 10:08 -0400, Eric B. wrote:
> On 06/21/2011 01:10 AM, Dan Williams wrote:
> >> Thanks for the quick response.  Am running Fedora 14 and have
> >> NetworkManager-openvpn-0.8.1-1.fc14.i686 installed.
> >>
> >> When I try your suggestions, I get the following messages (non-root
> >> account):
> >>
> >> [eric@eric-laptop ~]$ killall -TERM nm-openvpn-service
> >> nm-openvpn-service: no process found
> >
> > That's fine, seems the service isn't running which is normal if the VPN is 
> > disconnected.
> 
> Exactly.  As expected as well.
> 
> >
> >> [eric@eric-laptop ~]$ /usr/libexec/nm-openvpn-service --debug --persist
> >> ** (process:8434): WARNING **:   constructor(): Connection
> >> ":1.134" is not allowed to own the service
> >> "org.freedesktop.NetworkManager.openvpn" due to security policies in the
> >> configuration file
> >
> > Oops; you need to run it as root via something like:
> >
> > sudo /usr/libexec/nm-openvpn-service --debug --persist
> 
> I had tried that as well.  But got nothing new in terms of debug info, 
> so I thought that running as root was not the solution and there 
> was another way to generate more debug info
> 
> [eric@eric-laptop ~]$ sudo /usr/libexec/nm-openvpn-service --debug --persist
> [sudo] password for eric:
> 
> ** (process:2901): CRITICAL **: crypto_get_private_key_data: assertion 
> `password != NULL' failed
> 
> ** (process:2901): CRITICAL **: crypto_get_private_key_data: assertion 
> `password != NULL' failed
> ** Message:   openvpn started with pid 2909
> 
> 
> 
> Is there something else I can do?

Yeah, one more thing (as root):

NM_OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service --persist

Dan



Need help configuring an OpenVPN connection

2011-06-21 Thread Eric B.

Hi,

I am new to creating client IPSec tunnels in Linux.  I am running Fedora 
14 with openvpn-2.1.1-2.fc13.i686 and 
NetworkManager-openvpn-0.8.1-1.fc14.i686 installed.


I am looking to configure my FC14 box as an IPSEC client to connect to 
my office VPN.  I do not know what server the office VPN is using.  All 
I know are the specs that they have given me.  I also have a working 
example of it running in Windows using TheGreenBow client.


I have been given the following files:
ericb.p12
ericb.pem
ericb.key
(and password for the key/p12 files)

I know the following settings (from looking at the functional TGB client 
and someone who has gotten it to work with ipsecuritas in Mac):


Gateway IP
Network Addr/CIDR: 10.9.40.0/22
Phase 1:
 - Lifetime 1800
 - DH Group: 1024(2)
 - Encryption: AES 128
 - Authen: SHA-1
 - Exchange: Main

Phase 2:
 - PFS Group: 1024(2)
 - Encryption: AES 128
 - Authen: HMAC SHA-1

NAT-T: force



Can anyone please help me with getting this configuration to work?  I 
have attempted to set up the tunnel using the NetworkManager plugin, but 
it just seems to hang.  I have tried both with UDP and forced TCP and I 
just get timeouts:
Jun 21 10:07:56 eric-laptop NetworkManager[1267]:  VPN connection 
'VpnMtl' (IP Config Get) timeout exceeded.



Ideally, I'd like to get this working via the NM, but if it has to be 
done at command line level, I would be happy with that as well.


Thanks for any help that you can provide!

Eric



Re: Howto debug OpenVPN connection?

2011-06-21 Thread Eric B.

On 06/21/2011 01:10 AM, Dan Williams wrote:
>> Thanks for the quick response.  Am running Fedora 14 and have
>> NetworkManager-openvpn-0.8.1-1.fc14.i686 installed.
>>
>> When I try your suggestions, I get the following messages (non-root
>> account):
>>
>> [eric@eric-laptop ~]$ killall -TERM nm-openvpn-service
>> nm-openvpn-service: no process found
>
> That's fine, seems the service isn't running which is normal if the VPN is
> disconnected.

Exactly.  As expected as well.

>> [eric@eric-laptop ~]$ /usr/libexec/nm-openvpn-service --debug --persist
>> ** (process:8434): WARNING **:   constructor(): Connection
>> ":1.134" is not allowed to own the service
>> "org.freedesktop.NetworkManager.openvpn" due to security policies in the
>> configuration file
>
> Oops; you need to run it as root via something like:
>
> sudo /usr/libexec/nm-openvpn-service --debug --persist

I had tried that as well.  But got nothing new in terms of debug info,
so I thought that running as root was not the solution and there
was another way to generate more debug info

[eric@eric-laptop ~]$ sudo /usr/libexec/nm-openvpn-service --debug --persist
[sudo] password for eric:

** (process:2901): CRITICAL **: crypto_get_private_key_data: assertion
`password != NULL' failed

** (process:2901): CRITICAL **: crypto_get_private_key_data: assertion
`password != NULL' failed
** Message:   openvpn started with pid 2909

Is there something else I can do?

Thanks,

Eric





Re: Howto debug OpenVPN connection?

2011-06-20 Thread Dan Williams
On Tue, 2011-06-21 at 00:58 -0400, Eric B. wrote:
> On 06/21/2011 12:53 AM, Dan Williams wrote:
> > On Mon, 2011-06-20 at 23:35 -0400, Eric B. wrote:
> >> Hi,
> >>
> >> I am fairly new to the NetworkManager, and am trying to understand how
> >> to enable additional debug information for a failing OpenVPN connection.
> >>
> >> I've installed the OpenVPN plugin, but I am not getting enough
> >> information in /var/log/messages and would like to see if there is a way
> >> to enable additional information.  Is there some configuration flag
> >> somewhere that I can enable for this?
> >
> > killall -TERM nm-openvpn-service
> > /path/to/nm-openvpn-service --debug --persist
> >
> > that works for newer versions of nm-openvpn (like 0.8.1 and later); for
> > earlier versions you may need to:
> >
> > killall -TERM nm-openvpn-service
> > OPENVPN_DEBUG=1 /path/to/nm-openvpn-service --persist
> >
> > where of course /path/to/ gets replaced with where that binary lives;
> > for non-Debian systems it's usually /usr/libexec otherwise I'm not sure
> > where it lives.
> >
> > Dan
> 
> 
> Thanks for the quick response.  Am running Fedora 14 and have 
> NetworkManager-openvpn-0.8.1-1.fc14.i686 installed.
> 
> When I try your suggestions, I get the following messages (non-root 
> account):
> 
> [eric@eric-laptop ~]$ killall -TERM nm-openvpn-service
> nm-openvpn-service: no process found

That's fine, seems the service isn't running which is normal if the VPN is 
disconnected.

> [eric@eric-laptop ~]$ /usr/libexec/nm-openvpn-service --debug --persist
> ** (process:8434): WARNING **:   constructor(): Connection 
> ":1.134" is not allowed to own the service 
> "org.freedesktop.NetworkManager.openvpn" due to security policies in the 
> configuration file

Oops; you need to run it as root via something like:

sudo /usr/libexec/nm-openvpn-service --debug --persist

Dan



Re: Howto debug OpenVPN connection?

2011-06-20 Thread Eric B.

On 06/21/2011 12:53 AM, Dan Williams wrote:
> On Mon, 2011-06-20 at 23:35 -0400, Eric B. wrote:
>> Hi,
>>
>> I am fairly new to the NetworkManager, and am trying to understand how
>> to enable additional debug information for a failing OpenVPN connection.
>>
>> I've installed the OpenVPN plugin, but I am not getting enough
>> information in /var/log/messages and would like to see if there is a way
>> to enable additional information.  Is there some configuration flag
>> somewhere that I can enable for this?
>
> killall -TERM nm-openvpn-service
> /path/to/nm-openvpn-service --debug --persist
>
> that works for newer versions of nm-openvpn (like 0.8.1 and later); for
> earlier versions you may need to:
>
> killall -TERM nm-openvpn-service
> OPENVPN_DEBUG=1 /path/to/nm-openvpn-service --persist
>
> where of course /path/to/ gets replaced with where that binary lives;
> for non-Debian systems it's usually /usr/libexec otherwise I'm not sure
> where it lives.
>
> Dan

Thanks for the quick response.  Am running Fedora 14 and have
NetworkManager-openvpn-0.8.1-1.fc14.i686 installed.

When I try your suggestions, I get the following messages (non-root
account):

[eric@eric-laptop ~]$ killall -TERM nm-openvpn-service
nm-openvpn-service: no process found

[eric@eric-laptop ~]$ /usr/libexec/nm-openvpn-service --debug --persist
** (process:8434): WARNING **:   constructor(): Connection
":1.134" is not allowed to own the service
"org.freedesktop.NetworkManager.openvpn" due to security policies in the
configuration file



Any suggestions / ideas?

Thanks,

Eric



Re: Howto debug OpenVPN connection?

2011-06-20 Thread Dan Williams
On Mon, 2011-06-20 at 23:35 -0400, Eric B. wrote:
> Hi,
> 
> I am fairly new to the NetworkManager, and am trying to understand how 
> to enable additional debug information for a failing OpenVPN connection.
> 
> I've installed the OpenVPN plugin, but I am not getting enough 
> information in /var/log/messages and would like to see if there is a way 
> to enable additional information.  Is there some configuration flag 
> somewhere that I can enable for this?

killall -TERM nm-openvpn-service
/path/to/nm-openvpn-service --debug --persist

that works for newer versions of nm-openvpn (like 0.8.1 and later); for
earlier versions you may need to:

killall -TERM nm-openvpn-service
OPENVPN_DEBUG=1 /path/to/nm-openvpn-service --persist

where of course /path/to/ gets replaced with where that binary lives;
for non-Debian systems it's usually /usr/libexec otherwise I'm not sure
where it lives.

Dan



Howto debug OpenVPN connection?

2011-06-20 Thread Eric B.

Hi,

I am fairly new to the NetworkManager, and am trying to understand how 
to enable additional debug information for a failing OpenVPN connection.


I've installed the OpenVPN plugin, but I am not getting enough 
information in /var/log/messages and would like to see if there is a way 
to enable additional information.  Is there some configuration flag 
somewhere that I can enable for this?


Thanks!

Eric



Re: [PATCH] adding RSA-MD4 for HMAC encryption in nm-openvpn

2011-06-02 Thread Dan Williams
On Fri, 2011-05-20 at 12:22 +0200, Olivier Lambert wrote:
> Hi everyone,
> 
> (sorry, repost, but I forgot previously the syntax [PATCH] in subject)

Thanks, applied to 0.8 and git master.

Dan

> I need to connect to a corporate OpenVPN server. This VPN uses RSA-MD4
> on HMAC. But this option doesn't exist in the nm GUI!
> 
> So, here is a fix (it was tested by me, and it works like a charm).
> 
> diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
> index 357a5dd..322688e 100644
> --- a/properties/auth-helpers.c
> +++ b/properties/auth-helpers.c
> @@ -1077,6 +1077,7 @@ populate_hmacauth_combo (GtkComboBox *box, const char 
> *hm
>const char **item;
>static const char *items[] = {
>NM_OPENVPN_AUTH_NONE,
> +   NM_OPENVPN_AUTH_MD4,
>NM_OPENVPN_AUTH_MD5,
>NM_OPENVPN_AUTH_SHA1,
>NM_OPENVPN_AUTH_SHA224,
> @@ -1102,6 +1103,8 @@ populate_hmacauth_combo (GtkComboBox *box, const char 
> *hm
> 
>if (!strcmp (*item, NM_OPENVPN_AUTH_NONE))
>name = _("None");
> +   else if (!strcmp (*item, NM_OPENVPN_AUTH_MD4))
> +   name = _("RSA-MD4");
>else if (!strcmp (*item, NM_OPENVPN_AUTH_MD5))
>        name = _("MD-5");
>else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA1))
> diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
> index f3c25ce..0762e89 100644
> --- a/src/nm-openvpn-service.c
> +++ b/src/nm-openvpn-service.c
> @@ -605,6 +605,7 @@ validate_auth (const char *auth)
>  {
>if (auth) {
>if (   !strcmp (auth, NM_OPENVPN_AUTH_NONE)
> +   || !strcmp (auth, NM_OPENVPN_AUTH_MD4)
>|| !strcmp (auth, NM_OPENVPN_AUTH_MD5)
>        || !strcmp (auth, NM_OPENVPN_AUTH_SHA1)
>    || !strcmp (auth, NM_OPENVPN_AUTH_SHA224)
> diff --git a/src/nm-openvpn-service.h b/src/nm-openvpn-service.h
> index d503f4e..bc245b0 100644
> --- a/src/nm-openvpn-service.h
> +++ b/src/nm-openvpn-service.h
> @@ -77,6 +77,7 @@
>  #define NM_OPENVPN_KEY_RENEG_SECONDS "reneg-seconds"
> 
>  #define NM_OPENVPN_AUTH_NONE "none"
> +#define NM_OPENVPN_AUTH_MD4  "RSA-MD4"
>  #define NM_OPENVPN_AUTH_MD5  "MD5"
>  #define NM_OPENVPN_AUTH_SHA1 "SHA1"
>  #define NM_OPENVPN_AUTH_SHA224 "SHA224"




System wide openvpn connection with password-tls

2011-06-02 Thread Gabriel Gomiz
Hi to all

I'm using Network Manager 0.8.4 (Fedora 14) and I'm trying to set up an openvpn
system-wide connection. The connection needs to be TLS with password because
our OpenVPN server is configured that way.

The problem is that I need the username and password pair to be asked of the
user via a GUI dialog at the moment of connection. Is that possible with
Network Manager 0.8.4?

(Please cc me as I'm not subscribed to the list)

My keyfile:

[connection]
id=VPN
uuid=21d0f17c-5bd0-4e5a-8f52-5244240e83bf
type=vpn
autoconnect=false
timestamp=1306710584

[ipv4]
method=auto
dns=***.***.***.**;***.***.***.***.*;
ignore-auto-dns=true
never-default=true

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password-tls
ca=/etc/pki/tls/certs/ca.crt
ta=/etc/pki/tls/private/ta.key
remote=**
username=**
ta-dir=1
cert=/etc/pki/tls/certs/***.crt
comp-lzo=yes
key=/etc/pki/tls/private/*.key

[vpn-secrets]
cert-pass=**
password=*

Many thanks in advance...!

-- 
  .^.Lic. Gabriel Gomiz - Red Hat Certified Engineer (RHCE)
  /V\Jefe de Sistemas - Administrador Red y Servidores
 // \\   Gerencia de Sistemas - Cooperativa Obrera Ltda.
/(   )\  Tel (0291) 456-0084
 ^^-^^   s/Window[$s]/LINUX!!/g or die;
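
An added example, not code from NetworkManager or from this post: a small lint for system-connection keyfiles such as the one above and the certificate-only one in the earlier "OpenVpn plugin NeedSecret" thread, whose [vpn] section has no connection-type. The set of accepted connection-type values, the keys required for the TLS types, and every sample value are assumptions constructed for illustration.

```python
import configparser
import stat

OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"
# Assumption: the connection-type values the openvpn plugin accepts.
CONNECTION_TYPES = {"tls", "static-key", "password", "password-tls"}
# Assumption: keys a certificate-based type needs in [vpn].
TLS_KEYS = ("ca", "cert", "key")

# Constructed keyfile shaped like the certificate-only one posted earlier.
CERT_ONLY = """\
[connection]
id=VPNconnection
uuid=00000000-0000-0000-0000-000000000001
type=vpn
autoconnect=FALSE

[ipv4]
method=auto

[vpn]
name=openvpn
service-type=org.freedesktop.NetworkManager.openvpn
"""

# Constructed keyfile shaped like the password-tls one above.
PASSWORD_TLS = """\
[connection]
id=VPN
uuid=00000000-0000-0000-0000-000000000002
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password-tls
ca=/etc/pki/tls/certs/ca.crt
cert=/etc/pki/tls/certs/client.crt
key=/etc/pki/tls/private/client.key
remote=vpn.example.invalid
username=exampleuser

[vpn-secrets]
cert-pass=constructed-placeholder
password=constructed-placeholder
"""


def lint_vpn_keyfile(text, mode=None):
    """Return a list of findings for one keyfile.

    text is the file content; mode is its st_mode (from os.stat), or None
    to skip the permission check.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("vpn"):
        return ["no [vpn] section"]

    findings = []
    vpn = cp["vpn"]
    if vpn.get("service-type") != OPENVPN_SERVICE:
        findings.append("[vpn] service-type is not the openvpn plugin")

    ctype = vpn.get("connection-type")
    if ctype is None:
        findings.append("[vpn] has no connection-type")
    elif ctype not in CONNECTION_TYPES:
        findings.append("unknown connection-type %r" % ctype)
    elif ctype in ("tls", "password-tls"):
        for key in TLS_KEYS:
            if not vpn.get(key):
                findings.append("connection-type %s needs %s" % (ctype, key))

    # Secrets written into a system-wide file are readable by anyone who
    # can read the file, so report them together with the file mode.
    if cp.has_section("vpn-secrets"):
        stored = sorted(cp["vpn-secrets"].keys())
        if stored:
            findings.append("secrets stored in the file: " + ", ".join(stored))
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        findings.append("file mode %o lets group or others read it"
                        % stat.S_IMODE(mode))
    return findings


if __name__ == "__main__":
    print(lint_vpn_keyfile(CERT_ONLY))
    print(lint_vpn_keyfile(PASSWORD_TLS, mode=0o100644))
```

On a real system, pass `os.stat(path).st_mode` as `mode` and read the file as root.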




[PATCH] adding RSA-MD4 for HMAC encryption in nm-openvpn

2011-05-20 Thread Olivier Lambert
Hi everyone,

(sorry, repost, but I forgot previously the syntax [PATCH] in subject)

I need to connect to a corporate OpenVPN server. This VPN uses RSA-MD4
on HMAC. But this option doesn't exist in the nm GUI!

So, here is a fix (it was tested by me, and it works like a charm).

diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index 357a5dd..322688e 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -1077,6 +1077,7 @@ populate_hmacauth_combo (GtkComboBox *box, const char *hm
   const char **item;
   static const char *items[] = {
   NM_OPENVPN_AUTH_NONE,
+   NM_OPENVPN_AUTH_MD4,
   NM_OPENVPN_AUTH_MD5,
   NM_OPENVPN_AUTH_SHA1,
   NM_OPENVPN_AUTH_SHA224,
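Review bot: `NM_OPENVPN_AUTH_MD4` is inserted directly after `NM_OPENVPN_AUTH_NONE` in `items[]`, so the weakest digest in the list becomes the first real choice in the HMAC combo box. MD4 is a broken hash that is only worth offering for compatibility with legacy servers; consider moving it to the end of the array, or adding a comment that it is there for interoperability, so it does not read as a suggested default.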
@@ -1102,6 +1103,8 @@ populate_hmacauth_combo (GtkComboBox *box, const char *hm

   if (!strcmp (*item, NM_OPENVPN_AUTH_NONE))
   name = _("None");
+   else if (!strcmp (*item, NM_OPENVPN_AUTH_MD4))
+   name = _("RSA-MD4");
   else if (!strcmp (*item, NM_OPENVPN_AUTH_MD5))
   name = _("MD-5");
   else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA1))
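Review bot: the label added in the `else if` for `NM_OPENVPN_AUTH_MD4` is `RSA-MD4`, while the entry right below it is shown as `MD-5`, so the combo box mixes two naming styles for the same family of digests. Either show it as `MD-4` to match its neighbour, or keep `RSA-MD4` and add a one-line comment that the label deliberately mirrors the value string defined in src/nm-openvpn-service.h.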
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index f3c25ce..0762e89 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -605,6 +605,7 @@ validate_auth (const char *auth)
 {
   if (auth) {
   if (   !strcmp (auth, NM_OPENVPN_AUTH_NONE)
+   || !strcmp (auth, NM_OPENVPN_AUTH_MD4)
   || !strcmp (auth, NM_OPENVPN_AUTH_MD5)
   || !strcmp (auth, NM_OPENVPN_AUTH_SHA1)
   || !strcmp (auth, NM_OPENVPN_AUTH_SHA224)
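Review bot: `validate_auth()` needs the same one-line addition as the `items[]` array and the label chain in properties/auth-helpers.c, which means three hand-maintained lists have to agree for every digest. This patch updates all three, but a follow-up that drives the combo box and the validator from one shared table would stop a digest from being offered in the UI and then rejected by the service, or accepted by the service without ever being selectable.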
diff --git a/src/nm-openvpn-service.h b/src/nm-openvpn-service.h
index d503f4e..bc245b0 100644
--- a/src/nm-openvpn-service.h
+++ b/src/nm-openvpn-service.h
@@ -77,6 +77,7 @@
 #define NM_OPENVPN_KEY_RENEG_SECONDS "reneg-seconds"

 #define NM_OPENVPN_AUTH_NONE "none"
+#define NM_OPENVPN_AUTH_MD4  "RSA-MD4"
 #define NM_OPENVPN_AUTH_MD5  "MD5"
 #define NM_OPENVPN_AUTH_SHA1 "SHA1"
 #define NM_OPENVPN_AUTH_SHA224 "SHA224"
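Review bot: `NM_OPENVPN_AUTH_MD4` maps to `"RSA-MD4"`, whereas the macros beside it map to bare digest names (`"MD5"`, `"SHA1"`, `"SHA224"`), and nothing in the header says why this one carries the `RSA-` prefix. Please add a comment stating that the string has to match a digest name the installed openvpn reports under `openvpn --show-digests`, and say in the commit message that MD4 is accepted only for interoperability with servers that cannot be reconfigured.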


patch for adding RSA-MD4 on HMAC auth, for OpenVPN

2011-05-17 Thread Olivier Lambert
Hi everyone,

I need to connect to a corporate OpenVPN server. This VPN uses RSA-MD4
on HMAC. But this option doesn't exist in the nm GUI!

So, here is a fix (it was tested by me, and it works like a charm).

diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index 357a5dd..322688e 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -1077,6 +1077,7 @@ populate_hmacauth_combo (GtkComboBox *box, const char *hm
const char **item;
static const char *items[] = {
NM_OPENVPN_AUTH_NONE,
+   NM_OPENVPN_AUTH_MD4,
NM_OPENVPN_AUTH_MD5,
NM_OPENVPN_AUTH_SHA1,
NM_OPENVPN_AUTH_SHA224,
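Review bot: the context lines in this copy of the hunk (`const char **item;`, `static const char *items[] = {`) start in column 0, without the leading space a unified diff uses for unchanged lines, and the tab indentation is gone, so the patch as posted will not apply cleanly. Resend it with `git send-email`, or attach the output of `git format-patch`, so the whitespace survives the mail client.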
@@ -1102,6 +1103,8 @@ populate_hmacauth_combo (GtkComboBox *box, const char *hm

if (!strcmp (*item, NM_OPENVPN_AUTH_NONE))
name = _("None");
+   else if (!strcmp (*item, NM_OPENVPN_AUTH_MD4))
+   name = _("RSA-MD4");
else if (!strcmp (*item, NM_OPENVPN_AUTH_MD5))
name = _("MD-5");
else if (!strcmp (*item, NM_OPENVPN_AUTH_SHA1))
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index f3c25ce..0762e89 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -605,6 +605,7 @@ validate_auth (const char *auth)
 {
if (auth) {
if (   !strcmp (auth, NM_OPENVPN_AUTH_NONE)
+   || !strcmp (auth, NM_OPENVPN_AUTH_MD4)
|| !strcmp (auth, NM_OPENVPN_AUTH_MD5)
|| !strcmp (auth, NM_OPENVPN_AUTH_SHA1)
|| !strcmp (auth, NM_OPENVPN_AUTH_SHA224)
diff --git a/src/nm-openvpn-service.h b/src/nm-openvpn-service.h
index d503f4e..bc245b0 100644
--- a/src/nm-openvpn-service.h
+++ b/src/nm-openvpn-service.h
@@ -77,6 +77,7 @@
 #define NM_OPENVPN_KEY_RENEG_SECONDS "reneg-seconds"

 #define NM_OPENVPN_AUTH_NONE "none"
+#define NM_OPENVPN_AUTH_MD4  "RSA-MD4"
 #define NM_OPENVPN_AUTH_MD5  "MD5"
 #define NM_OPENVPN_AUTH_SHA1 "SHA1"
 #define NM_OPENVPN_AUTH_SHA224 "SHA224"


Automatically restart OpenVPN Service

2011-03-22 Thread Kaushal Shriyan
Hi,

Is there a way to automatically restart the openvpn session when I switch
to and fro between wireless and wired networks on Ubuntu Desktop 10.10?

Thanks

Kaushal


Help with OpenVPN Connection

2011-02-19 Thread José Queiroz
Hi,

I'm trying to setup an OpenVPN connection, but I think I'm missing some
point, because I'm stuck.

The server side is setup (afaik) and ready, and I already managed to get a
manual connection working.

Now, I want to setup NM-OpenVPN also, but all I'm getting are "Failed to
update VPN secrets: 3 Secret no-secret was empty" errors.

I'm using Kubuntu 10.04, package versions:

network-manager: 0.8.1+git.20101009t040337.01fa170-0ubuntu1~nmt1~lucid1
network-manager-openvpn: 0.8-0ubuntu3
network-manager-openvpn-kde: 0.9~svn1137272-0ubuntu2~lucid1~ppa1

The connection uses only PEM Certificates (by the way, may I use a PKCS12
certificate on it?), no connection passwords, except the key file password.
I'm using the same certificate files used in the manual connection, so
they're OK.

I need some directions to get this working.

Thanks.


Re: Network Monitor and http-proxy for OpenVPN

2011-02-17 Thread Dan Williams
On Tue, 2011-02-15 at 19:53 +0100, Matej Kovacic wrote:
> Hi,
> 
> I am using 3G mobile connection, and have limited traffic. Traffic over
> some threshold (for instance 1 Gb a month) is very very expensive.
> 
> Which means it would be great to have some network traffic monitor
> for a specific connection. Something like:
> http://netramon.sourceforge.net/eng/help.html
> 
> Idea is to have per-connection traffic monitor, which could be enabled
> or disabled. When enabled, it would measure amount of traffic for a
> specific time interval. When limit will be approaching, it would start
> notifying user about the limit. When limit is reached, it would
> disconnect connection.
> 
> And there is another thing. I am using OpenVPN connection in a proxied
> network. To come out of a network, I have to use http-proxy setting in
> OpenVPN client.
> 
> Unfortunately NetworkManager does not support http-proxy yet:
> https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/117991

Incorrect, NM-openvpn has supported http-proxy *and* SOCKS proxy
features since August 19 2010.  These features are in
NetworkManager-openvpn 0.8.2 and later.  So the version of NM-openvpn
you're using in Ubuntu may not yet support it, but Ubuntu does not
always use the latest versions.

Dan

commit fe98554f02a198437d4cad87d0bf31bcf8d3b44b
Author: Dan Williams 
Date:   Thu Aug 19 00:13:30 2010 -0500

core/ui: add SOCKS proxy support (bgo #440031)

commit 2eee51aedace28af0f39349baee130f4121428e7
Author: Dan Williams 
Date:   Wed Aug 18 22:16:45 2010 -0500

core/ui: add HTTP Proxy support (bgo #440031)

Based off patches by:
Tomas Kovacik 
Florian Klink 




Network Monitor and http-proxy for OpenVPN

2011-02-15 Thread Matej Kovacic
Hi,

I am using 3G mobile connection, and have limited traffic. Traffic over
some threshold (for instance 1 Gb a month) is very very expensive.

Which means it would be great to have some network traffic monitor
for a specific connection. Something like:
http://netramon.sourceforge.net/eng/help.html

Idea is to have per-connection traffic monitor, which could be enabled
or disabled. When enabled, it would measure amount of traffic for a
specific time interval. When limit will be approaching, it would start
notifying user about the limit. When limit is reached, it would
disconnect connection.

And there is another thing. I am using OpenVPN connection in a proxied
network. To come out of a network, I have to use http-proxy setting in
OpenVPN client.

Unfortunately NetworkManager does not support http-proxy yet:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/117991

However, there has been patch written which does the job, but for
unknown reason, it is not implemented in official NM version:
https://launchpad.net/~nail-nodomain/+archive/ppa

Could developers comment on this please?

Regards,

Matej


Re: Correctly write resolv.conf when using OpenVPN plugin

2011-01-11 Thread Dan Williams
On Sat, 2010-12-25 at 00:27 +0300, Pentarh Udi wrote:
> I decided to use OpenVPN plugin of NetworkManager instead of the openvpn
> CLI binary and I begin to expect name resolving problems.
> 
> Original bug was posted
> in https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/651007
> 
> People there suggested to write to this mailing list, so...
> 
> Problem is  in very slow name resolution when connecting to OpenVPN
> peer and obtaining DNS servers from there by directive
> 
> push "dhcp-option DNS x.x.x.x"
> 
> While investigating this issue I found that NM append obtained DNS
> servers to existing resolv.conf. So libc uses not only DNS servers
> from OpenVPN peer, but original DNS servers too. 
> 
> It should be noticed that original DNS servers WILL LIKELY be
> unreachable after establishing VPN connection.
> 
> In my case resolv.conf BEFORE openvpn connection is:
> 
> -
> nameserver 212.48.193.37
> nameserver 192.168.100.1
> -
> 
> And after is:
> -
> # Generated by NetworkManager
> nameserver 88.85.66.222
> nameserver 78.140.128.205
> nameserver 213.158.7.2
> # NOTE: the libc resolver may not support more than 3 nameservers.
> # The nameservers listed below may not be recognized.
> nameserver 212.48.193.37
> nameserver 192.168.100.1
> 
> 
> In this case last three servers are invalid as they are not reachable
> after VPN connection, so name resolve becomes totally slow after
> openvpn connection because libc tries to get DNS answer from all
> servers:
> 
> --
> 
> r...@pentarh-netbook:/var/log# tcpdump -i tun0 -n port 53
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
> 22:33:46.803557 IP 10.20.10.6.55426 > 213.158.7.2.53: 32890+ A?
> mail.google.com. (33)
> 22:33:51.807076 IP 10.20.10.6.58861 > 212.48.193.37.53: 32890+ A?
> mail.google.com. (33)
> 22:33:55.521957 IP 10.20.10.6.60601 > 213.158.7.2.53: 49670+ A?
> www.google.com. (32)
> 22:34:00.527135 IP 10.20.10.6.57982 > 212.48.193.37.53: 49670+ A?
> www.google.com. (32)
> 22:34:09.760264 IP 10.20.10.6.39286 > 88.85.66.222.53: 27804+ A?
> pagead2.googleadservices.com. (46)
> 22:34:09.946468 IP 88.85.66.222.53 > 10.20.10.6.39286: 27804 5/4/4
> CNAME pagead.l.google.com., A 209.85.149.167, A 209.85.149.164, A
> 209.85.149.165, A 209.85.149.166 (276)
> 22:34:11.505444 IP 10.20.10.6.45653 > 213.158.7.2.53: 41142+ A?
> chatenabled.mail.google.com. (45)
> --
> 
> As you can see, libc tries to resolve mail.google.com from old
> unreachable servers and gets the answer from correct DNS after 20
> seconds (!!!) of first query.
> 
> This should be fixed, it makes OpenVPN plugin for NM unusable.
> 
> The workaround of this issue may be providing static routes to
> original DNS IP, but I can't do that in NM openvpn plugin
> configuration, this option is inactive.

As you pointed out, it depends on routing whether the original servers
are available or not.  And if you check the "Only use this connection
for resources on its network" then any non-VPN traffic will still go
over the wifi or ethernet or 3G device, not over the VPN, and likely the
original DNS servers will be used.

However, libc queries the DNS servers *in order listed*, so it's odd
that anything would be trying to query the older servers at all.  Note
that libc does *not* refresh DNS information when resolv.conf changes,
so if an application does not call res_init() before it makes DNS
lookups, it may be using old information.  This is a well-known glibc
design choice that upstream glibc has declined to change.  The solution
is to run a local caching nameserver that supports split DNS, thus any
queries for VPN-specific nameservers can go to the VPN, and everything
else can go to your normal nameservers.

So in the end, there are some things NM could do here.  If the original
nameservers are on subnets that are now owned by the VPN, NM probably
shouldn't put those in resolv.conf.  But on the other hand, it's a bug
in applications to be using old DNS information, which is only fixed in
the application by using res_init(), or by using a local caching
nameserver.

NM 0.8.2 and later has native support for dnsmasq as a local caching
nameserver.

Dan


___
networkmanager-list mailing list
networkmanager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
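
An added example, not part of either mail and not NetworkManager code: it pairs the DNS queries and answers in the capture posted in this thread and compares the servers queried with the three nameservers glibc would take from the posted resolv.conf. The function names are hypothetical; the resolv.conf and tcpdump lines are the ones from the thread, with the wrapped lines rejoined.

```python
import re

MAXNS = 3  # glibc honours at most the first three "nameserver" lines

# resolv.conf after the VPN came up, as posted in the thread.
RESOLV_CONF_AFTER = """\
# Generated by NetworkManager
nameserver 88.85.66.222
nameserver 78.140.128.205
nameserver 213.158.7.2
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 212.48.193.37
nameserver 192.168.100.1
"""

# tcpdump lines from the thread; the mail client's line wrapping is undone.
CAPTURE = """\
22:33:46.803557 IP 10.20.10.6.55426 > 213.158.7.2.53: 32890+ A? mail.google.com. (33)
22:33:51.807076 IP 10.20.10.6.58861 > 212.48.193.37.53: 32890+ A? mail.google.com. (33)
22:33:55.521957 IP 10.20.10.6.60601 > 213.158.7.2.53: 49670+ A? www.google.com. (32)
22:34:00.527135 IP 10.20.10.6.57982 > 212.48.193.37.53: 49670+ A? www.google.com. (32)
22:34:09.760264 IP 10.20.10.6.39286 > 88.85.66.222.53: 27804+ A? pagead2.googleadservices.com. (46)
22:34:09.946468 IP 88.85.66.222.53 > 10.20.10.6.39286: 27804 5/4/4 CNAME pagead.l.google.com., A 209.85.149.167, A 209.85.149.164, A 209.85.149.165, A 209.85.149.166 (276)
22:34:11.505444 IP 10.20.10.6.45653 > 213.158.7.2.53: 41142+ A? chatenabled.mail.google.com. (45)
"""

LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(\d+)\S* (.*)$")


def nameservers(resolv_text):
    """Return (servers glibc uses, servers it ignores) for a resolv.conf."""
    found = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found[:MAXNS], found[MAXNS:]


def parse_capture(text):
    """Parse `tcpdump -n port 53` lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, txid, rest = m.groups()
        when = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if dport == "53":                      # client -> server: a query
            q = re.match(r"\S+\? (\S+)", rest)
            events.append({"kind": "query", "time": when, "txid": txid,
                           "client": (src, sport), "server": dst,
                           "name": q.group(1) if q else None})
        elif sport == "53":                    # server -> client: an answer
            events.append({"kind": "answer", "time": when, "txid": txid,
                           "client": (dst, dport), "server": src})
    return events


def server_report(events):
    """Per server: queries sent, and how many were answered in the capture."""
    answered = {(e["client"], e["server"], e["txid"])
                for e in events if e["kind"] == "answer"}
    report = {}
    for e in events:
        if e["kind"] != "query":
            continue
        row = report.setdefault(e["server"], {"queries": 0, "answered": 0})
        row["queries"] += 1
        if (e["client"], e["server"], e["txid"]) in answered:
            row["answered"] += 1
    return report


def retry_gaps(events):
    """Seconds the resolver waited before re-sending one transaction ID."""
    last, gaps = {}, []
    for e in events:
        if e["kind"] != "query":
            continue
        key = (e["txid"], e["name"])
        if key in last:
            gaps.append((e["name"], last[key]["server"], e["server"],
                         round(e["time"] - last[key]["time"], 3)))
        last[key] = e
    return gaps


def queried_outside_resolv_conf(events, resolv_text):
    """Servers queried that a fresh read of resolv.conf would not yield."""
    used, _ = nameservers(resolv_text)
    seen = []
    for e in events:
        if e["kind"] == "query" and e["server"] not in used \
                and e["server"] not in seen:
            seen.append(e["server"])
    return seen


if __name__ == "__main__":
    events = parse_capture(CAPTURE)
    print("glibc uses:", nameservers(RESOLV_CONF_AFTER)[0])
    for server, row in server_report(events).items():
        print(server, row)
    for gap in retry_gaps(events):
        print("retry after %.3f s: %s, %s -> %s" % (gap[3], gap[0], gap[1], gap[2]))
    print("queried but not in the first %d entries:" % MAXNS,
          queried_outside_resolv_conf(events, RESOLV_CONF_AFTER))
```

Each unanswered server costs roughly five seconds before the next one is tried, which is glibc's default per-server timeout, and a server that is queried although it lies outside the first three entries of the current file is a sign that the process is still working from an older resolver configuration.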


Correctly write resolv.conf when using OpenVPN plugin

2010-12-24 Thread Pentarh Udi
I decided to use OpenVPN plugin of NetworkManager instead of the openvpn CLI
binary and I begin to expect name resolving problems.

Original bug was posted in
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/651007

People there suggested to write to this mailing list, so...

Problem is  in very slow name resolution when connecting to OpenVPN peer and
obtaining DNS servers from there by directive

push "dhcp-option DNS x.x.x.x"

While investigating this issue I found that NM append obtained DNS servers
to existing resolv.conf. So libc uses not only DNS servers from OpenVPN
peer, but original DNS servers too.

It should be noticed that original DNS servers WILL LIKELY be unreachable
after establishing VPN connection.

In my case resolv.conf BEFORE openvpn connection is:

-
nameserver 212.48.193.37
nameserver 192.168.100.1
-

And after is:
-
# Generated by NetworkManager
nameserver 88.85.66.222
nameserver 78.140.128.205
nameserver 213.158.7.2
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 212.48.193.37
nameserver 192.168.100.1


In this case last three servers are invalid as they are not reachable after
VPN connection, so name resolve becomes totally slow after openvpn
connection because libc tries to get DNS answer from all servers:

--

r...@pentarh-netbook:/var/log# tcpdump -i tun0 -n port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
22:33:46.803557 IP 10.20.10.6.55426 > 213.158.7.2.53: 32890+ A?
mail.google.com. (33)
22:33:51.807076 IP 10.20.10.6.58861 > 212.48.193.37.53: 32890+ A?
mail.google.com. (33)
22:33:55.521957 IP 10.20.10.6.60601 > 213.158.7.2.53: 49670+ A?
www.google.com. (32)
22:34:00.527135 IP 10.20.10.6.57982 > 212.48.193.37.53: 49670+ A?
www.google.com. (32)
22:34:09.760264 IP 10.20.10.6.39286 > 88.85.66.222.53: 27804+ A?
pagead2.googleadservices.com. (46)
22:34:09.946468 IP 88.85.66.222.53 > 10.20.10.6.39286: 27804 5/4/4 CNAME
pagead.l.google.com., A 209.85.149.167, A 209.85.149.164, A 209.85.149.165,
A 209.85.149.166 (276)
22:34:11.505444 IP 10.20.10.6.45653 > 213.158.7.2.53: 41142+ A?
chatenabled.mail.google.com. (45)
--

As you can see, libc tries to resolve mail.google.com from old unreachable
servers and gets the answer from correct DNS after 20 seconds (!!!) of first
query.

This should be fixed, it makes OpenVPN plugin for NM unusable.

The workaround of this issue may be providing static routes to original DNS
IP, but I can't do that in NM openvpn plugin configuration, this option is
inactive.
-- 
Regards, Pentarh Udi


Re: [PATCH] Add checkbox to pass the --float option in OpenVPN

2010-12-15 Thread Carlos Alberto Lopez Perez
On 11/02/2010 06:32 PM, Carlos Alberto Lopez Perez wrote:
> Hello,
> 
> I am missing an option to pass the "--float" parameter to OpenVPN from
> network-manager-openvpn so I cooked a small patch that adds a checkbox
> under advanced options.
> 
> "--float" when specified with "--remote" allows an OpenVPN session to
> initially connect to a peer at a known address, however if packets arrive
> from a new address and pass all authentication tests, the new address will
> take control of the session.  This is useful when you are connecting to a
> peer which holds a dynamic address such as a dial-in user or DHCP client.
> 
> Could you merge it upstream?
> 
> Thanks in advance!
> 
> Regards.
> 
> 
> 


Hello,

Any chance of merging this upstream? Thanks!





[PATCH] Add checkbox to pass the --float option in OpenVPN

2010-11-02 Thread Carlos Alberto Lopez Perez
Hello,

I am missing an option to pass the "--float" parameter to OpenVPN from
network-manager-openvpn so I cooked a small patch that adds a checkbox
under advanced options.

"--float" when specified with "--remote" allows an OpenVPN session to
initially connect to a peer at a known address, however if packets arrive
from a new address and pass all authentication tests, the new address will
take control of the session.  This is useful when you are connecting to a
peer which holds a dynamic address such as a dial-in user or DHCP client.

Could you merge it upstream?

Thanks in advance!

Regards.
From bf1d3f07b35e83ac4a54ce06bf8bd580c972f483 Mon Sep 17 00:00:00 2001
From: Carlos Alberto Lopez Perez 
Date: Tue, 2 Nov 2010 18:04:59 +0100
Subject: [PATCH] Add checkbox to pass the --float option in OpenVPN

 *  Essentially, --float tells OpenVPN to accept authenticated packets from
any address, not only the address which was specified in the --remote
option. This allows remote peer to change its IP address and/or port
number. This is useful when you are connecting to a peer which holds
a dynamic address such as a dial-in user or DHCP client.
---
 properties/auth-helpers.c  |   11 +++
 properties/nm-openvpn-dialog.glade |   14 ++
 src/nm-openvpn-service.c       |5 +
 src/nm-openvpn-service.h   |1 +
 4 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index 631be2b..09b7a0e 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -841,6 +841,7 @@ static const char *advanced_keys[] = {
 	NM_OPENVPN_KEY_PORT,
 	NM_OPENVPN_KEY_COMP_LZO,
 	NM_OPENVPN_KEY_MSSFIX,
+	NM_OPENVPN_KEY_FLOAT,
 	NM_OPENVPN_KEY_TUNNEL_MTU,
 	NM_OPENVPN_KEY_FRAGMENT_SIZE,
 	NM_OPENVPN_KEY_TAP_DEV,
@@ -1389,6 +1390,12 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
 		gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), TRUE);
 	}
 
+	value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_FLOAT);
+		if (value && !strcmp (value, "yes")) {
+			widget = glade_xml_get_widget (xml, "float_checkbutton");
+			gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON (widget), TRUE);
+	}
+
 	value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_PROTO_TCP);
 	if (value && !strcmp (value, "yes")) {
 		widget = glade_xml_get_widget (xml, "tcp_checkbutton");
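Review bot: the added `if (value && !strcmp (value, "yes"))` for NM_OPENVPN_KEY_FLOAT is indented one tab deeper than the g_hash_table_lookup() line above it, its body a further tab, and its closing brace sits back at the outer level. Indent the block the same way as the tcp_checkbutton block that follows, so the brace lines up with its `if`.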
@@ -1581,6 +1588,10 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog, GError **error)
 	if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget)))
 		g_hash_table_insert (hash, g_strdup (NM_OPENVPN_KEY_MSSFIX), g_strdup ("yes"));
 
+	widget = glade_xml_get_widget (xml, "float_checkbutton");
+	if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget)))
+		g_hash_table_insert (hash, g_strdup (NM_OPENVPN_KEY_FLOAT), g_strdup ("yes"));
+
 	widget = glade_xml_get_widget (xml, "tcp_checkbutton");
 	if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget)))
 		g_hash_table_insert (hash, g_strdup (NM_OPENVPN_KEY_PROTO_TCP), g_strdup ("yes"));
diff --git a/properties/nm-openvpn-dialog.glade b/properties/nm-openvpn-dialog.glade
index 78cc383..1f9e5d9 100644
--- a/properties/nm-openvpn-dialog.glade
+++ b/properties/nm-openvpn-dialog.glade
@@ -1107,6 +1107,20 @@
 7
   
 
+
+  
+Accept authenticated packets from any address (_Float)
+True
+True
+False
+True
+True
+  
+  
+    False
+    8
+  
+
   
     
 
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 8ac0d26..bb3326f 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -99,6 +99,7 @@ static ValidProperty valid_properties[] = {
 	{ NM_OPENVPN_KEY_CIPHER,   G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_COMP_LZO, G_TYPE_BOOLEAN, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_CONNECTION_TYPE,  G_TYPE_STRING, 0, 0, FALSE },
+	{ NM_OPENVPN_KEY_FLOAT,G_TYPE_BOOLEAN, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_FRAGMENT_SIZE,G_TYPE_INT, 0, G_MAXINT, FALSE },
 	{ NM_OPENVPN_KEY_KEY,  G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_LOCAL_IP, G_TYPE_STRING, 0, 0, TRUE },
@@ -802,6 +803,10 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 	if (tmp && !strcmp (tmp, "yes"))
 		add_openvpn_arg (args, "--comp-lzo");
 
+	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_FLOAT);
+	if (tmp && !strcmp (tmp, "yes"))
+		add_openvpn_arg (args, "--float");
+
 	add_openvpn_arg (a
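
Review bot: the new `--float` branch in nm_openvpn_start_openvpn_binary() is the only place where NM_OPENVPN_KEY_FLOAT reaches openvpn, and the diffstat lists just four files, so nothing in this patch maps a float line in an imported OpenVPN configuration onto the key or writes it back on export. If the plugin's import and export are meant to round-trip the advanced options, add the mapping there as well; otherwise state in the commit message that the option can only be set from the dialog.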

Re: Patch for nm-openvpn: fix incompatible change of NMVpnPluginUiInterface

2010-10-21 Thread Dan Williams
On Wed, 2010-10-20 at 13:32 +0800, cee1 wrote:
> Hi Dan,
> 
> 
> I found these changes have already in repo, but:
>   nm-openvpn: applied and then
> reverted: 
> http://git.gnome.org/browse/network-manager-openvpn/commit/?id=fd508820f42448e43b921d9e1e3353ba11ba3a17
>   nm-pptp: in master branch but hasn't synchronized to NM_0_8

Yeah, I need to revert the revert before 0.8.2 on all the VPN plugins.

Dan

> 2010/10/13 cee1 
> Found the same problem for nm-pptp, attachment is the patch.
> 
> 2010/10/12 cee1 
> 
> 
> Hi Dan,
> 
> 
> From NM0.8.1 to 0.8.2, two members of
> "NMVpnPluginUiInterface" renamed.
> File properties/nm-openvpn.c of nm-openvpn should
> upgrade for this.
> 
> 
> -- 
> Regards,
> 
> - cee1
> 
> 




Re: Patch for nm-openvpn: fix incompatible change of NMVpnPluginUiInterface

2010-10-19 Thread cee1
Hi Dan,

I found these changes have already in repo, but:
  nm-openvpn: applied and then reverted:
http://git.gnome.org/browse/network-manager-openvpn/commit/?id=fd508820f42448e43b921d9e1e3353ba11ba3a17
  nm-pptp: in master branch
<http://git.gnome.org/browse/network-manager-pptp/commit/?id=738426ebc4b3bf0bd40e02a093df814ff570a920>
but hasn't synchronized to NM_0_8

2010/10/13 cee1 

> Found the same problem for nm-pptp, attachment is the patch.
>
> 2010/10/12 cee1 
>
> Hi Dan,
>>
>> From NM0.8.1 to 0.8.2, two members of "NMVpnPluginUiInterface" renamed.
>> File properties/nm-openvpn.c
>> <http://git.gnome.org/browse/network-manager-openvpn/tree/properties/nm-openvpn.c#n778>
>> of nm-openvpn should upgrade for this.
>>
>

-- 
Regards,

- cee1


Re: Patch for nm-openvpn: fix incompatible change of NMVpnPluginUiInterface

2010-10-13 Thread cee1
Found the same problem for nm-pptp, attachment is the patch.

2010/10/12 cee1 

> Hi Dan,
>
> From NM0.8.1 to 0.8.2, two members of "NMVpnPluginUiInterface" renamed.
> File properties/nm-openvpn.c
> <http://git.gnome.org/browse/network-manager-openvpn/tree/properties/nm-openvpn.c#n778>
> of nm-openvpn should upgrade for this.
>


-- 
Regards,

- cee1


0001-nm-pptp.c-fix-for-new-NMVpnPluginUiInterface.patch
Description: Binary data


Patch for nm-openvpn: fix incompatible change of NMVpnPluginUiInterface

2010-10-12 Thread cee1
Hi Dan,

From NM0.8.1 to 0.8.2, two members of "NMVpnPluginUiInterface" renamed.
File properties/nm-openvpn.c
<http://git.gnome.org/browse/network-manager-openvpn/tree/properties/nm-openvpn.c#n778>
of nm-openvpn should upgrade for this.


-- 
Regards,

- cee1


0001-nm-openvpn.c-fix-for-new-NMVpnPluginUiInterface.patch
Description: Binary data


Re: OpenVPN is stopped when wireless goes down

2010-09-30 Thread Ma Begaj
2010/9/29 Dan Williams :
> On Sat, 2010-09-04 at 21:24 +0200, Gregory Auzanneau wrote:
>> Hello all,
>>
>> Since some days, I experience a lot of renegotiation on my WIFI network
>> card.
>> Each time, a renegotiation occurred, OpenVPN is disconnected and needs to
>> be reactivated manually.
>>
>> Is there a way to keep OpenVPN started and reconnect when connection
>> came back ?
>
> Not yet, it's an often-requested enhancement and we need to make this
> happen.
>

I solved it with a dispatcher script which starts openvpn connection
with "nmcli" if eth0 is up.


Re: OpenVPN is stopped when wireless goes down

2010-09-28 Thread Dan Williams
On Sat, 2010-09-04 at 21:24 +0200, Gregory Auzanneau wrote:
> Hello all,
> 
> Since some days, I experience a lot of renegotiation on my WIFI network
> card.
> Each time, a renegotiation occurred, OpenVPN is disconnected and needs to
> be reactivated manually.
> 
> Is there a way to keep OpenVPN started and reconnect when connection 
> came back ?

Not yet, it's an often-requested enhancement and we need to make this
happen.

Dan




Support for inline certs and keys for openvpn

2010-09-14 Thread Jonathan Petersson
Hi all,

In newer versions of OpenVPN there's support added for including the
certificates and keys inline in the configuration-file.

Is there any logical support in network-manager-openvpn today to
support this or any plans of adding it?

Thanks


OpenVPN is stopped when wireless goes down

2010-09-09 Thread Gregory Auzanneau

Hello all,

Since some days, I experience a lot of renegotiation on my WIFI network
card.
Each time, a renegotiation occurred, OpenVPN is disconnected and needs to
be reactivated manually.


Is there a way to keep OpenVPN started and reconnect when connection 
came back ?



Thank you all for the good work with network-manager, keep up with it !  :)



Re: 0.8 / OpenVPN certificate selection broken

2010-08-04 Thread scar
Dan Williams @ 08/04/2010 12:05 AM:
>> In what format is your private key?  Can you share the top few lines of
>> it?  I'm not sure what version of NM-openvpn 10.04 shipped, but there
>> have been a number of fixes in the past 6 months in this area.  It looks
>> like 10.04 contains code from Feb 2010, which does not have these fixes.
> 

the private key is saved in PEM format, here are the top lines:

- -BEGIN RSA PRIVATE KEY-
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CFF55EC1C0093EDD

the version of network-manager-openvpn installed is 0.8-0ubuntu3



Re: 0.8 / OpenVPN certificate selection broken

2010-08-04 Thread Dan Williams
On Fri, 2010-07-30 at 23:05 -0700, scar wrote:
> hello all,
> 
> i have v0.8 installed in ubuntu 10.04 (0.8-0ubuntu3) and i am trying to
> create an OpenVPN connection but something very weird is going on with
> the certificate selection boxes.
> 
> i originally setup the VPN connection on debian lenny, which uses NM
> 0.6.6, and it works great.  i created the CA and all of the server and
> client certificates and private keys there too, using tinyca 0.7.5-2.
> 
> now i have copied over the CA and my user cert and private key to this
> box with NM 0.8 and attempting to setup the same VPN connection.  after
> filling in all of the required info, and selecting the certificates, i
> clicked Apply button.  i also restarted network-manager.  the VPN
> connection did not show up in the list of available connections
> (left-click on NM icon).  the computer needed to be restarted because of
> some updates and, after it rebooted, the VPN connection did show up in
> the list of available connections.  however, it did not work "because
> there are no valid VPN secrets"
> 
> when i go back to check the VPN's setting, the certificates have been
> changed. for example, the User Certificate is now set to my ~/sbin
> directory.  when i click on that to try and change it to the correct
> certificate file, i am unable to select the file (clicking on the file
> does nothing).  when i click the Open button, it seems to open a random
> folder.  if i go back to try to pick the certificate, i can.  after
> getting the right files selected again, i click apply and then
> immediately go back to edit the VPN connection, and the certificates
> have been changed again to different directories or files.  very weird.

In what format is your private key?  Can you share the top few lines of
it?  I'm not sure what version of NM-openvpn 10.04 shipped, but there
have been a number of fixes in the past 6 months in this area.  It looks
like 10.04 contains code from Feb 2010, which does not have these fixes.

Dan

> i also tried to delete the VPN connection and recreate it, no luck.
> 
> i also tried to export the VPN connection from the debian computer and
> import it on the ubuntu computer.  when i try that, NM on the ubuntu
> computer says:
> 
> The file 'VPN.pcf' could not be read or does not contain recognized VPN
> connection information
> 
> Error: unknown OpenVPN file extension.
> 




0.8 / OpenVPN certificate selection broken

2010-07-30 Thread scar
hello all,

i have v0.8 installed in ubuntu 10.04 (0.8-0ubuntu3) and i am trying to
create an OpenVPN connection but something very weird is going on with
the certificate selection boxes.

i originally setup the VPN connection on debian lenny, which uses NM
0.6.6, and it works great.  i created the CA and all of the server and
client certificates and private keys there too, using tinyca 0.7.5-2.

now i have copied over the CA and my user cert and private key to this
box with NM 0.8 and attempting to setup the same VPN connection.  after
filling in all of the required info, and selecting the certificates, i
clicked Apply button.  i also restarted network-manager.  the VPN
connection did not show up in the list of available connections
(left-click on NM icon).  the computer needed to be restarted because of
some updates and, after it rebooted, the VPN connection did show up in
the list of available connections.  however, it did not work "because
there are no valid VPN secrets"

when i go back to check the VPN's setting, the certificates have been
changed. for example, the User Certificate is now set to my ~/sbin
directory.  when i click on that to try and change it to the correct
certificate file, i am unable to select the file (clicking on the file
does nothing).  when i click the Open button, it seems to open a random
folder.  if i go back to try to pick the certificate, i can.  after
getting the right files selected again, i click apply and then
immediately go back to edit the VPN connection, and the certificates
have been changed again to different directories or files.  very weird.

i also tried to delete the VPN connection and recreate it, no luck.

i also tried to export the VPN connection from the debian computer and
import it on the ubuntu computer.  when i try that, NM on the ubuntu
computer says:

The file 'VPN.pcf' could not be read or does not contain recognized VPN
connection information

Error: unknown OpenVPN file extension.



Re: complex openvpn - can nm just launch?

2010-04-15 Thread Dan Williams
On Thu, 2010-04-15 at 11:13 +0200, Robert Vogelgesang wrote:
> On Wed, Apr 14, 2010 at 02:15:31PM -0700, Dan Williams wrote:
> > On Fri, 2010-04-09 at 09:43 +0200, Robert Vogelgesang wrote:
> > > Dan,
> > > 
> > > On Thu, Apr 08, 2010 at 05:15:54PM -0700, Dan Williams wrote:
> > > > On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> > > > > On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> > > > > 
> > > > > > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> > > > > >> I have an openvpn config file that works fine with openvpn.  
> > > > > >> (ubuntu
> > > > > >> lucid beta)  As far as I can tell there is no way to create a like
> > > > > >> config in the nm openvpn editor.  I can make one somewhat similar 
> > > > > >> and
> > > > > >> export, but it doesn't look enough like mine to work.
> > > > > > 
> > > > > > Which options?
> > > > > 
> > > > > Hi Dan
> > > > > 
> > > > > this is my (short) list of missing options/features 
> > > > > 
> > > > > - support for external dhcp on the server side, normally I configure 
> > > > > openvpn server to push only data that I can't provide via dhcp 
> > > > > server. So 
> > > > > ip/mask/dns is taken from dhcp and additional route from openvpn
> > > > > This configuration works perfectly for windows machine, on certain 
> > > > > customer I have a dedicated openvpn only for me because I can't use 
> > > > > "normal" openvpn configuration :-(
> > > > 
> > > > Yeah, we need support for this internally.  Right now we pretty much
> > > > assume a tunnel approach, not TAP.  It's not that hard to fix that I
> > > > guess; but in general the real fix for this would be helped by some of
> > > > the activation changes that I'd like to do to fix the PPPoE issues that
> > > > people currently have.
> > > 
> > > I'd like to see this feature, too.  Could you please elaborate on what
> > > has to be done to support this?
> 
> Sorry, I forgot to mention that I'd like to use this in a Fedora 12
> environment.  Therefore I'd prefer to start with the source RPMs
> for the current Fedora 12 update packages; or is there anything
> that requires an update to the current GIT branches?

I actually have f12-updates-testing based on current git, since F12's
versions were so old (2009/09).  So you might as well start with
those :)  F12 periodically gets updated to very recent snapshots anyway.

> In case I should use the GIT versions:  The relevant GIT branches
> for Fedora 12 would be the master branches of NetworkManager and
> network-manager-openvpn, correct?

This is the very recent build for updates-testing:

https://admin.fedoraproject.org/updates/NetworkManager-0.8.0-6.git20100408.fc12,ModemManager-0.3-9.git20100409.fc12

So if you like you could base your work off that, or use git master.

> 
> > 
> > 1) add an "method" item to NetworkManagerVPN.h:
> > 
> > /* string: IP4 configuration method */
> > #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD "method"
> > 
> > /* Values for NM_VPN_PLUGIN_IP4_CONFIG_METHOD */
> > #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_DHCP "dhcp"
> > #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_STATIC "static"
> 
> Hmm, should "static" mean "parameters provided by static configuration
> on the client side", or "parameters provided by the peer via VPN
> protocol data", or both?

Since these key/value pairs only come from the VPN plugin, they always
mean "parameters provided by the peer via VPN protocol data".  The user
overrides are figured in later (the "merge_ip4_config" function in
nm_vpn_connection_ip4_config_get() handles this).

> > 
> > if the plugin doesn't send 'method' in the config dict, or the item is a
> > zero-length string, 'static' is assumed.
> > 
> > 2) In the openvpn plugin, if we're supposed to use DHCP (is tap always
> > used with DHCP, or are there cases where it's not?) then we add the
> > NM_VPN_PLUGIN_IP4_CONFIG_METHOD item to the returned IP4 config struct
> > with the value "dhcp".
> 
> Openvpn has the "server-bridge" directive, which defines a pool of
> IP addresses that the openvpn server assigns to its clients on tap
> devices; so tap does not

Re: complex openvpn - can nm just launch?

2010-04-15 Thread Robert Vogelgesang
On Wed, Apr 14, 2010 at 02:15:31PM -0700, Dan Williams wrote:
> On Fri, 2010-04-09 at 09:43 +0200, Robert Vogelgesang wrote:
> > Dan,
> > 
> > On Thu, Apr 08, 2010 at 05:15:54PM -0700, Dan Williams wrote:
> > > On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> > > > On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> > > > 
> > > > > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> > > > >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> > > > >> lucid beta)  As far as I can tell there is no way to create a like
> > > > >> config in the nm openvpn editor.  I can make one somewhat similar and
> > > > >> export, but it doesn't look enough like mine to work.
> > > > > 
> > > > > Which options?
> > > > 
> > > > Hi Dan
> > > > 
> > > > this is my (short) list of missing options/features 
> > > > 
> > > > - support for external dhcp on the server side, normally I configure 
> > > > openvpn server to push only data that I can't provide via dhcp server. 
> > > > So 
> > > > ip/mask/dns is taken from dhcp and additional route from openvpn
> > > > This configuration works perfectly for windows machine, on certain 
> > > > customer I have a dedicated openvpn only for me because I can't use 
> > > > "normal" openvpn configuration :-(
> > > 
> > > Yeah, we need support for this internally.  Right now we pretty much
> > > assume a tunnel approach, not TAP.  It's not that hard to fix that I
> > > guess; but in general the real fix for this would be helped by some of
> > > the activation changes that I'd like to do to fix the PPPoE issues that
> > > people currently have.
> > 
> > I'd like to see this feature, too.  Could you please elaborate on what
> > has to be done to support this?

Sorry, I forgot to mention that I'd like to use this in a Fedora 12
environment.  Therefore I'd prefer to start with the source RPMs
for the current Fedora 12 update packages; or is there anything
that requires an update to the current GIT branches?

In case I should use the GIT versions:  The relevant GIT branches
for Fedora 12 would be the master branches of NetworkManager and
network-manager-openvpn, correct?


> 
> 1) add an "method" item to NetworkManagerVPN.h:
> 
> /* string: IP4 configuration method */
> #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD "method"
> 
> /* Values for NM_VPN_PLUGIN_IP4_CONFIG_METHOD */
> #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_DHCP "dhcp"
> #define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_STATIC "static"

Hmm, should "static" mean "parameters provided by static configuration
on the client side", or "parameters provided by the peer via VPN
protocol data", or both?

> 
> if the plugin doesn't send 'method' in the config dict, or the item is a
> zero-length string, 'static' is assumed.
> 
> 2) In the openvpn plugin, if we're supposed to use DHCP (is tap always
> used with DHCP, or are there cases where it's not?) then we add the
> NM_VPN_PLUGIN_IP4_CONFIG_METHOD item to the returned IP4 config struct
> with the value "dhcp".

Openvpn has the "server-bridge" directive, which defines a pool of
IP addresses that the openvpn server assigns to its clients on tap
devices; so tap does not always mean DHCP.  I'll look and see how we
could / should handle this.

Robert

> 
> 3) Then we need to modify nm_vpn_connection_ip4_config_get() and split
> it into two functions, one for DHCP and one for static.  Take the stuff
> at the bottom of that function (everything below print_vpn_config()) and
> put that into a separate function that gets called by both the static
> and dhcp processing bits.  So you'll have something like:
> 
> nm_vpn_connection_ip4_config_get()
> {
>const char *method = "static";
> 
>/* remove the timeout since the plugin replied */
>g_source_remove (priv->ipconfig_timeout);
>priv->ipconfig_timeout = 0;
> 
>val = g_hash_table_lookup (config_hash, NM_VPN_PLUGIN_IP4_CONFIG_METHOD);
>if (val && G_VALUE_HOLDS_STRING (val))
>method = g_value_get_string (val);
> 
>if (!method || !strcmp (method, NM_VPN_PLUGIN_IP4_CONFIG_METHOD_STATIC)) {
>   if (handle_static_ip4_config (connection, config_hash))
>   return;
>} else if (method && !strcmp (method, 
> NM_VPN_PLUGIN_IP4_CONFIG_METHOD_DHCP)) {
>   if 

Re: complex openvpn - can nm just launch?

2010-04-14 Thread Dan Williams
On Fri, 2010-04-09 at 09:43 +0200, Robert Vogelgesang wrote:
> Dan,
> 
> On Thu, Apr 08, 2010 at 05:15:54PM -0700, Dan Williams wrote:
> > On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> > > On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> > > 
> > > > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> > > >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> > > >> lucid beta)  As far as I can tell there is no way to create a like
> > > >> config in the nm openvpn editor.  I can make one somewhat similar and
> > > >> export, but it doesn't look enough like mine to work.
> > > > 
> > > > Which options?
> > > 
> > > Hi Dan
> > > 
> > > this is my (short) list of missing options/features 
> > > 
> > > - support for external dhcp on the server side, normally I configure 
> > > openvpn server to push only data that I can't provide via dhcp server. So 
> > > ip/mask/dns is taken from dhcp and additional route from openvpn
> > > This configuration works perfectly for windows machine, on certain 
> > > customer I have a dedicated openvpn only for me because I can't use 
> > > "normal" openvpn configuration :-(
> > 
> > Yeah, we need support for this internally.  Right now we pretty much
> > assume a tunnel approach, not TAP.  It's not that hard to fix that I
> > guess; but in general the real fix for this would be helped by some of
> > the activation changes that I'd like to do to fix the PPPoE issues that
> > people currently have.
> 
> I'd like to see this feature, too.  Could you please elaborate on what
> has to be done to support this?

1) add a "method" item to NetworkManagerVPN.h:

/* string: IP4 configuration method */
#define NM_VPN_PLUGIN_IP4_CONFIG_METHOD "method"

/* Values for NM_VPN_PLUGIN_IP4_CONFIG_METHOD */
#define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_DHCP "dhcp"
#define NM_VPN_PLUGIN_IP4_CONFIG_METHOD_STATIC "static"

if the plugin doesn't send 'method' in the config dict, or the item is a
zero-length string, 'static' is assumed.

2) In the openvpn plugin, if we're supposed to use DHCP (is tap always
used with DHCP, or are there cases where it's not?) then we add the
NM_VPN_PLUGIN_IP4_CONFIG_METHOD item to the returned IP4 config struct
with the value "dhcp".

3) Then we need to modify nm_vpn_connection_ip4_config_get() and split
it into two functions, one for DHCP and one for static.  Take the stuff
at the bottom of that function (everything below print_vpn_config()) and
put that into a separate function that gets called by both the static
and dhcp processing bits.  So you'll have something like:

nm_vpn_connection_ip4_config_get()
{
   const char *method = "static";

   /* remove the timeout since the plugin replied */
   g_source_remove (priv->ipconfig_timeout);
   priv->ipconfig_timeout = 0;

   val = g_hash_table_lookup (config_hash, NM_VPN_PLUGIN_IP4_CONFIG_METHOD);
   if (val && G_VALUE_HOLDS_STRING (val))
      method = g_value_get_string (val);

   /* a missing or zero-length method means "static" */
   if (!method || !*method || !strcmp (method, NM_VPN_PLUGIN_IP4_CONFIG_METHOD_STATIC)) {
      if (handle_static_ip4_config (connection, config_hash))
         return;
   } else if (method && !strcmp (method, NM_VPN_PLUGIN_IP4_CONFIG_METHOD_DHCP)) {
      if (handle_dhcp_ip4_config (connection, config_hash))
         return;
   } else
      nm_log_err (LOGD_VPN, "unknown vpn IP4 method '%s'", method);

   /* same error stuff as at the bottom of the function now */
}

For the DHCP4 bits, we'll want to build up the NMIP4Config object as
much as possible and cache that in priv->ip4_config while DHCP is
completing.  We'll need to add a few things to the NMVPNConnection
object's private data, like:

NMDHCPManager * dhcp_manager;
NMDHCPClient *  dhcp4_client;
gulong  dhcp4_state_sigid;
gulong  dhcp4_timeout_sigid;

(see nm-device.c for DHCP stuff).

When the NMVPNConnection is initialized, let's grab a reference to the
DHCP manager in nm_vpn_connection_init():

priv->dhcp_manager = nm_dhcp_manager_get ();

and then in handle_dhcp_ip4_config() we'll do something like:

static gboolean
handle_dhcp_ip4_config (NMVPNConnection *vpn, GHashTable *config)
{
NMVPNConnectionPrivate *priv = NM_VPN_CONNECTION_GET_PRIVATE (vpn);
NMSettingConnection *s_con;
NMSettingIP4Config *s_ip4;
const char *uuid;

ip4_config, see nm_vpn_connection_ip4_config_get() for
 how to do this>

s_con = NM_SETT

Re: complex openvpn - can nm just launch?

2010-04-09 Thread Robert Vogelgesang
Dan,

On Thu, Apr 08, 2010 at 05:15:54PM -0700, Dan Williams wrote:
> On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> > On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> > 
> > > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> > >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> > >> lucid beta)  As far as I can tell there is no way to create a like
> > >> config in the nm openvpn editor.  I can make one somewhat similar and
> > >> export, but it doesn't look enough like mine to work.
> > > 
> > > Which options?
> > 
> > Hi Dan
> > 
> > this is my (short) list of missing options/features 
> > 
> > - support for external dhcp on the server side, normally I configure 
> > openvpn server to push only data that I can't provide via dhcp server. So 
> > ip/mask/dns is taken from dhcp and additional route from openvpn
> > This configuration works perfectly for windows machine, on certain 
> > customer I have a dedicated openvpn only for me because I can't use 
> > "normal" openvpn configuration :-(
> 
> Yeah, we need support for this internally.  Right now we pretty much
> assume a tunnel approach, not TAP.  It's not that hard to fix that I
> guess; but in general the real fix for this would be helped by some of
> the activation changes that I'd like to do to fix the PPPoE issues that
> people currently have.

I'd like to see this feature, too.  Could you please elaborate on what
has to be done to support this?

If it's not too much work, I'd give it a try over the next few
weekends (I'd like to use this feature mid-May ;-)).

Robert

> 
> > - support for multiple remote server 
> 
> Yeah; the trick there is going to be pulling out the IP of the current
> server and using that to update the routing table, since we have to add
> a host route to the VPN server over the underlying hardware interface.
> Maybe that already works just fine for multi-server case, not sure.
> 
> Dan
> 
> > 
> > > 
> > > Dan
> > > 
> > >> I've tried importing/exporting a tweaking, but the wizard thing just
> > >> isn't flexible enough.  (the xml-ization aka 'registry-ization' of just
> > >> standard config files seems to bite me in various aspects of computing)
> > >> 
> > >> I'd like to launch openvpn with my config file from nm.  Is there a
> > >> way? Short of that is there a way to make dbus or whatever think of I
> > >> have network without launching from nm?
> > >> 
> > >> Thanks!
> > >> -Scott
> > >> 


Re: complex openvpn - can nm just launch?

2010-04-09 Thread Alessandro Bono
On Thu, 2010-04-08 at 17:15 -0700, Dan Williams wrote:
> On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> > On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> > 
> > > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> > >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> > >> lucid beta)  As far as I can tell there is no way to create a like
> > >> config in the nm openvpn editor.  I can make one somewhat similar and
> > >> export, but it doesn't look enough like mine to work.
> > > 
> > > Which options?
> > 
> > Hi Dan
> > 
> > this is my (short) list of missing options/features 
> > 
> > - support for external dhcp on the server side, normally I configure 
> > openvpn server to push only data that I can't provide via dhcp server. So 
> > ip/mask/dns is taken from dhcp and additional route from openvpn
> > This configuration works perfectly for windows machine, on certain 
> > customer I have a dedicated openvpn only for me because I can't use 
> > "normal" openvpn configuration :-(
> 
> Yeah, we need support for this internally.  Right now we pretty much
> assume a tunnel approach, not TAP.  It's not that hard to fix that I
> guess; but in general the real fix for this would be helped by some of
> the activation changes that I'd like to do to fix the PPPoE issues that
> people currently have.
> 
> > - support for multiple remote server 
> 
> Yeah; the trick there is going to be pulling out the IP of the current
> server and using that to update the routing table, since we have to add
> a host route to the VPN server over the underlying hardware interface.
> Maybe that already works just fine for multi-server case, not sure.

I was talking about one openvpn server with multiple ip, with openvpn
you can use "remote" several times or even better support for
, but also multiple vpn concurrently is an interesting case

> 
> Dan
> 
> > 
> > > 
> > > Dan
> > > 
> > >> I've tried importing/exporting a tweaking, but the wizard thing just
> > >> isn't flexible enough.  (the xml-ization aka 'registry-ization' of just
> > >> standard config files seems to bite me in various aspects of computing)
> > >> 
> > >> I'd like to launch openvpn with my config file from nm.  Is there a
> > >> way? Short of that is there a way to make dbus or whatever think of I
> > >> have network without launching from nm?
> > >> 
> > >> Thanks!
> > >> -Scott
> > >> 


-- 
Kind regards
Alessandro Bono



Re: complex openvpn - can nm just launch?

2010-04-08 Thread Dan Williams
On Tue, 2010-04-06 at 22:01 +, Alessandro Bono wrote:
> On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:
> 
> > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> >> lucid beta)  As far as I can tell there is no way to create a like
> >> config in the nm openvpn editor.  I can make one somewhat similar and
> >> export, but it doesn't look enough like mine to work.
> > 
> > Which options?
> 
> Hi Dan
> 
> this is my (short) list of missing options/features 
> 
> - support for external dhcp on the server side, normally I configure 
> openvpn server to push only data that I can't provide via dhcp server. So 
> ip/mask/dns is taken from dhcp and additional route from openvpn
> This configuration works perfectly for windows machine, on certain 
> customer I have a dedicated openvpn only for me because I can't use 
> "normal" openvpn configuration :-(

Yeah, we need support for this internally.  Right now we pretty much
assume a tunnel approach, not TAP.  It's not that hard to fix that I
guess; but in general the real fix for this would be helped by some of
the activation changes that I'd like to do to fix the PPPoE issues that
people currently have.

> - support for multiple remote server 

Yeah; the trick there is going to be pulling out the IP of the current
server and using that to update the routing table, since we have to add
a host route to the VPN server over the underlying hardware interface.
Maybe that already works just fine for multi-server case, not sure.

Dan

> 
> > 
> > Dan
> > 
> >> I've tried importing/exporting a tweaking, but the wizard thing just
> >> isn't flexible enough.  (the xml-ization aka 'registry-ization' of just
> >> standard config files seems to bite me in various aspects of computing)
> >> 
> >> I'd like to launch openvpn with my config file from nm.  Is there a
> >> way? Short of that is there a way to make dbus or whatever think of I
> >> have network without launching from nm?
> >> 
> >> Thanks!
> >> -Scott
> >> 


Re: complex openvpn - can nm just launch?

2010-04-06 Thread Alessandro Bono
On Tue, 06 Apr 2010 09:25:44 -0700, Dan Williams wrote:

> On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
>> I have an openvpn config file that works fine with openvpn.  (ubuntu
>> lucid beta)  As far as I can tell there is no way to create a like
>> config in the nm openvpn editor.  I can make one somewhat similar and
>> export, but it doesn't look enough like mine to work.
> 
> Which options?

Hi Dan

this is my (short) list of missing options/features 

- support for external dhcp on the server side, normally I configure 
openvpn server to push only data that I can't provide via dhcp server. So 
ip/mask/dns is taken from dhcp and additional route from openvpn
This configuration works perfectly for windows machine, on certain 
customer I have a dedicated openvpn only for me because I can't use 
"normal" openvpn configuration :-(

- support for multiple remote server 


> 
> Dan
> 
>> I've tried importing/exporting a tweaking, but the wizard thing just
>> isn't flexible enough.  (the xml-ization aka 'registry-ization' of just
>> standard config files seems to bite me in various aspects of computing)
>> 
>> I'd like to launch openvpn with my config file from nm.  Is there a
>> way? Short of that is there a way to make dbus or whatever think of I
>> have network without launching from nm?
>> 
>> Thanks!
>> -Scott
>> 





-- 
Kind regards

Alessandro Bono



Re: complex openvpn - can nm just launch?

2010-04-06 Thread Dan Williams
On Tue, 2010-04-06 at 14:31 -0600, Scott Serr wrote:
> On 04/06/2010 12:10 PM, Dan Williams wrote:
> > On Tue, 2010-04-06 at 11:28 -0600, Scott Serr wrote:
> >
> >> On 04/06/2010 10:25 AM, Dan Williams wrote:
> >>  
> >>> On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> >>>
> >>>    
> >>>> I have an openvpn config file that works fine with openvpn.  (ubuntu
> >>>> lucid beta)  As far as I can tell there is no way to create a like
> >>>> config in the nm openvpn editor.  I can make one somewhat similar and
> >>>> export, but it doesn't look enough like mine to work.
> >>>>
> >>>>  
> >>> Which options?
> >>>
> >>> Dan
> >>>
> >>>
> >> I suspect there will always be a new option to chase.
> >>  
> > Probably, but at some point we reach the set of options that 95% of
> > people use.  There are seriously so many options with openvpn that it's
> > not funny, and the program is completely incapable of auto-negotiating
> > them, which is also not funny.  It's downright sad.
> >
> >
> >> Here is mine:
> >>
> >> dev tun
> >> remote 127.0.0.1 41927 tcp-client
> >> proto tcp-client
> >> ifconfig 192.168.56.2 192.168.56.1
> >> route 0.0.0.0 128.0.0.0
> >> route 128.0.0.0 128.0.0.0
> >> socket-flags TCP_NODELAY
> >> ping 10
> >> dhcp-option DNS 192.168.56.1
> >>
> >> There is no encryption, data is sent in cleartext.  This is appropriate
> >> for use with Azilink on Android phones.
> >>  
> > The only thing I can see that's not yet supported is the "no encryption"
> > part, which (not to be pedantic) isn't really a VPN.  But I suppose
> > that's something we can add.
> >
> > Dan
> >
> >
> 
> Thanks for the info Dan.
> 
> On Ubuntu Lucid Beta, there are some issues saving other options.  I was 
> going to attempt to hack up the xml and take out the key/user/pass.  Do 
> you think this would work?

The routes and the DNS option would go into the IPv4 tab, which may not
actually get imported by the current import code.

This is basically like a static key connection, except without the key.

> I wonder how easy it would be to have an "ad-hoc" sort of connection in 
> nm.  Where nm would not care about much other than running a start and 
> stop script and telling dbus networking is up.

That doesn't really work automatically, for the most part, and it's also
a security issue since openvpn runs as 'root' and you're basically
giving it unfiltered commands which will also get run as root.

In the end, it's not that hard to support additional options, but we
need people willing to write the patches.  I can't do everything at once
of course, and while others (Huzaifa for example) have been very good
about picking issues out of bugzilla and fixing them, this isn't one
that's been reported before and thus we haven't looked at it yet...

Random question though, what exactly is Azilink and what are you using
it for?

Dan

> For Azilink users:
> If you wish to use dbus-aware apps like Empathy, I've been successful 
> now with "/etc/init.d/network-manager stop".
> 


___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list
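
Dan's point in the message above, that a hand-written config handed to a root-run openvpn amounts to unfiltered commands run as root, can be checked before launch. The Python below is an added example, not code from NetworkManager or from anyone in this thread; the directive sets are an illustrative subset of OpenVPN's options, the first sample is the config quoted in the thread, and the second sample (host name and paths included) is constructed.

```python
import shlex
from typing import NamedTuple


class Finding(NamedTuple):
    line: int        # 0 means the finding applies to the whole file
    severity: str    # "high" or "medium"
    message: str


# Directives that make openvpn run an external program or load a module.
# Illustrative subset (an assumption of this example), not a complete list.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}
# Any of these puts the tunnel into static-key or TLS mode.
KEYED_MODES = {"secret", "tls-client", "tls-server", "client", "server"}

# The config posted in the thread.
SCOTT_CONFIG = """\
dev tun
remote 127.0.0.1 41927 tcp-client
proto tcp-client
ifconfig 192.168.56.2 192.168.56.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
socket-flags TCP_NODELAY
ping 10
dhcp-option DNS 192.168.56.1
"""

# Constructed sample: TLS client that also asks openvpn to run a hook.
CONSTRUCTED_CONFIG = """\
client
dev tap
remote vpn.example.org 1194   # constructed host name
ca "/etc/openvpn/ca.crt"
script-security 2
up "/etc/openvpn/update-resolv-conf"
; down /etc/openvpn/old-hook
<tls-auth>
up /not/a/directive/just-key-material
</tls-auth>
cipher none
"""


def parse_config(text):
    """Return [(line_no, directive, args)], skipping comments and inline key blocks."""
    entries, inline_end = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_end:                       # inside <ca>...</ca> style material
            if line == inline_end:
                inline_end = None
            continue
        if not line or line[0] in "#;":      # both comment styles
            continue
        if line.startswith("<") and line.endswith(">"):
            tag = line.strip("</>")
            # <connection> blocks hold real directives, so keep parsing inside them
            if tag != "connection" and not line.startswith("</"):
                entries.append((no, tag, []))
                inline_end = f"</{tag}>"
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError as exc:            # e.g. an unbalanced quote
            entries.append((no, "!parse-error", [str(exc)]))
            continue
        if words:
            entries.append((no, words[0].lstrip("-"), words[1:]))
    return entries


def audit(text):
    """Flag directives that execute code or leave the tunnel unprotected."""
    findings = []
    entries = parse_config(text)
    for no, name, args in entries:
        if name == "!parse-error":
            findings.append(Finding(no, "medium", f"unparseable line: {args[0]}"))
        elif name in EXEC_DIRECTIVES:
            findings.append(Finding(
                no, "high", f"'{name}' makes openvpn execute or load: {' '.join(args)}"))
        elif name == "script-security" and args and args[0].isdigit() and int(args[0]) >= 2:
            findings.append(Finding(no, "high", "script-security >= 2 allows user-defined scripts"))
        elif name == "config":
            findings.append(Finding(no, "medium", "includes another file that needs the same audit"))
        elif name in ("cipher", "auth") and args and args[0].lower() == "none":
            findings.append(Finding(no, "high", f"'{name} none' turns that protection off"))
    if not {name for _, name, _ in entries} & KEYED_MODES:
        findings.append(Finding(
            0, "high", "no 'secret' and no TLS mode: traffic is unauthenticated cleartext"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread config", SCOTT_CONFIG), ("constructed", CONSTRUCTED_CONFIG)):
        for f in audit(cfg):
            print(f"{label}: line {f.line}: [{f.severity}] {f.message}")
```
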


Re: complex openvpn - can nm just launch?

2010-04-06 Thread Scott Serr

On 04/06/2010 12:10 PM, Dan Williams wrote:
> On Tue, 2010-04-06 at 11:28 -0600, Scott Serr wrote:
>> On 04/06/2010 10:25 AM, Dan Williams wrote:
>>> On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
>>>> I have an openvpn config file that works fine with openvpn.  (ubuntu
>>>> lucid beta)  As far as I can tell there is no way to create a like
>>>> config in the nm openvpn editor.  I can make one somewhat similar and
>>>> export, but it doesn't look enough like mine to work.
>>>
>>> Which options?
>>>
>>> Dan
>>
>> I suspect there will always be a new option to chase.
>
> Probably, but at some point we reach the set of options that 95% of
> people use.  There are seriously so many options with openvpn that it's
> not funny, and the program is completely incapable of auto-negotiating
> them, which is also not funny.  It's downright sad.
>
>> Here is mine:
>>
>> dev tun
>> remote 127.0.0.1 41927 tcp-client
>> proto tcp-client
>> ifconfig 192.168.56.2 192.168.56.1
>> route 0.0.0.0 128.0.0.0
>> route 128.0.0.0 128.0.0.0
>> socket-flags TCP_NODELAY
>> ping 10
>> dhcp-option DNS 192.168.56.1
>>
>> There is no encryption, data is sent in cleartext.  This is appropriate
>> for use with Azilink on Android phones.
>
> The only thing I can see that's not yet supported is the "no encryption"
> part, which (not to be pedantic) isn't really a VPN.  But I suppose
> that's something we can add.
>
> Dan


Thanks for the info Dan.

On Ubuntu Lucid Beta, there are some issues saving other options.  I was 
going to attempt to hack up the xml and take out the key/user/pass.  Do 
you think this would work?


I wonder how easy it would be to have an "ad-hoc" sort of connection in 
nm.  Where nm would not care about much other than running a start and 
stop script and telling dbus networking is up.


For Azilink users:
If you wish to use dbus-aware apps like Empathy, I've been successful 
now with "/etc/init.d/network-manager stop".




Re: complex openvpn - can nm just launch?

2010-04-06 Thread Dan Williams
On Tue, 2010-04-06 at 11:28 -0600, Scott Serr wrote:
> On 04/06/2010 10:25 AM, Dan Williams wrote:
> > On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> >
> >> I have an openvpn config file that works fine with openvpn.  (ubuntu
> >> lucid beta)  As far as I can tell there is no way to create a like
> >> config in the nm openvpn editor.  I can make one somewhat similar and
> >> export, but it doesn't look enough like mine to work.
> >>  
> > Which options?
> >
> > Dan
> >
> 
> I suspect there will always be a new option to chase.

Probably, but at some point we reach the set of options that 95% of
people use.  There are seriously so many options with openvpn that it's
not funny, and the program is completely incapable of auto-negotiating
them, which is also not funny.  It's downright sad.

> Here is mine:
> 
> dev tun
> remote 127.0.0.1 41927 tcp-client
> proto tcp-client
> ifconfig 192.168.56.2 192.168.56.1
> route 0.0.0.0 128.0.0.0
> route 128.0.0.0 128.0.0.0
> socket-flags TCP_NODELAY
> ping 10
> dhcp-option DNS 192.168.56.1
> 
> There is no encryption, data is sent in cleartext.  This is appropriate 
> for use with Azilink on Android phones.

The only thing I can see that's not yet supported is the "no encryption"
part, which (not to be pedantic) isn't really a VPN.  But I suppose
that's something we can add.

Dan





Re: complex openvpn - can nm just launch?

2010-04-06 Thread Scott Serr

On 04/06/2010 10:25 AM, Dan Williams wrote:
> On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
>> I have an openvpn config file that works fine with openvpn.  (ubuntu
>> lucid beta)  As far as I can tell there is no way to create a like
>> config in the nm openvpn editor.  I can make one somewhat similar and
>> export, but it doesn't look enough like mine to work.
>
> Which options?
>
> Dan


I suspect there will always be a new option to chase.

Here is mine:

dev tun
remote 127.0.0.1 41927 tcp-client
proto tcp-client
ifconfig 192.168.56.2 192.168.56.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
socket-flags TCP_NODELAY
ping 10
dhcp-option DNS 192.168.56.1

There is no encryption, data is sent in cleartext.  This is appropriate 
for use with Azilink on Android phones.




Re: complex openvpn - can nm just launch?

2010-04-06 Thread Dan Williams
On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> I have an openvpn config file that works fine with openvpn.  (ubuntu 
> lucid beta)  As far as I can tell there is no way to create a like 
> config in the nm openvpn editor.  I can make one somewhat similar and 
> export, but it doesn't look enough like mine to work.

Which options?

Dan

> I've tried importing/exporting a tweaking, but the wizard thing just 
> isn't flexible enough.  (the xml-ization aka 'registry-ization' of just 
> standard config files seems to bite me in various aspects of computing)
> 
> I'd like to launch openvpn with my config file from nm.  Is there a way?
> Short of that is there a way to make dbus or whatever think of I have 
> network without launching from nm?
> 
> Thanks!
> -Scott
> 


complex openvpn - can nm just launch?

2010-04-06 Thread Scott Serr
I have an openvpn config file that works fine with openvpn.  (ubuntu 
lucid beta)  As far as I can tell there is no way to create a like 
config in the nm openvpn editor.  I can make one somewhat similar and 
export, but it doesn't look enough like mine to work.


I've tried importing/exporting a tweaking, but the wizard thing just 
isn't flexible enough.  (the xml-ization aka 'registry-ization' of just 
standard config files seems to bite me in various aspects of computing)


I'd like to launch openvpn with my config file from nm.  Is there a way?
Short of that is there a way to make dbus or whatever think of I have 
network without launching from nm?


Thanks!
-Scott



Re: OpenVPN config problem

2010-02-19 Thread Karel Kozlik



Andrey Borzenkov wrote:
> On Friday 19 of February 2010 11:09:37 Karel Kozlik wrote:
>> Hi,
>>
>> Dan Williams wrote:
>>> On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:
>>>> Hi Dan,
>>>>
>>>> Dan Williams wrote:
>>>>> On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
>>>>>> Hi,
>>>>>> could someone help me with openVPN configuration in Network
>>>>>> Manager? Actually when I click to VPN connection in NM, it does
>>>>>> nothing. /var/log/syslog contain following lines:
>>>>>>
>>>>>> I see the message "VPN connection 'my-vpn' failed to connect:
>>>>>> 'No VPN secrets!'", but I believe the secrets are configured
>>>>>> correctly.
>>>>>
>>>>> Is your private key by any chance *un*encrypted?  The VPN service
>>>>> plugin currently requires encrypted private keys (which are more
>>>>> secure anyway) and it could fail like this in that case.
>>>>
>>>> Do you mean password protected key? My key was not.
>>>>
>>>> I tried create password protected key and changed the connection
>>>> type to "x509 with password" and filled the password into
>>>> settings. It still not worked. But when I changed the key to my
>>>> old one (unencrypted) and left the connection type to "x509 with
>>>> password" it connected.
>>>
>>> There are a few different passwords here.  There's the "private key
>>> password", which is used to unlock your private key for TLS
>>> connections, and then there's also the "user password", which is
>>> used for password-based authentication that openvpn supports.
>>> Somewhat confusingly, you can stack these methods in openvpn,
>>> which is what the "TLS with password" thing is.
>>>
>>> But that's not what you want.  Your connection appears to be TLS
>>> only, so you only need to choose "x509" there like you were
>>> before.  I'm assuming that knetworkmanager is smart enough to ask
>>> you for your private key password when nm-openvpn-service needs
>>> it.  So try flipping back to just "x509" and see where that gets
>>> you.
>>
>> I just tried and it ends with error:
>>
>> Feb 19 09:01:36 kk-nb NetworkManager: 
>> nm_vpn_connection_connect_cb(): VPN connection 'kufr' failed to
>> connect: 'No VPN secrets!'.
>>
>> It does not matter if I use my unencrypted key or password protected
>> key. Knetworkmanager even do not ask me for the private key
>> password.
>>
>> Could it be a bug in knetworkmanager?



> I am currently working on a similar problem using kvpnc plugin. Could 
> you please provide
>
> - your ~/.kde4/share/config/networkmanagementrc
> - ~/.kde4/share/apps/networkmanagement/connections/{UUID}

files attached

> - start knetworkmanager in terminal (do kquitapp knetworkmanager to 
> terminate running version), try to connect and provide output

only these rows immediately after start knetworkmanager:

QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", 
which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", 
which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", 
which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", 
which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", 
which already has a layout

and these when I try to connect:

QDBusObjectPath: invalid path "any"
QDBusObjectPath: invalid path "any"

It does not seem to be useful.

> of course obfuscate any sensitive data. Also, are you using kwallet or 
> plain text to store secrets?

I do not use any secrets except the key which is in plain text in 
separate file.

thanks,
Karel



thank you!

-andrey



thanks,
Karel


Dan


But I am not sure if the connection procedure finished. The openvpn
daemon is running, tap interface exists, I can ping remote server
interface (via vpn) and default route is set to VPN tap interface.
But status of the connection in knetworkmanager did not change.
So I cannot disconnect from it. I also cannot ping any other
host except those on my LAN segment and the remote VPN server.
The packets should be routed through VPN connection to other
nodes, but they are not. However it works if I connect purely
with openvpn (not using NM).

Any idea what could be wrong? Including my syslog.

thanks,
Karel



Feb 18 11:19:21 kk-nb NetworkManager:   Starting VPN service
'org.freedesktop.NetworkManager.openvpn'...
Feb 18 11:19:21 kk-nb NetworkManager:   VPN service
'org.freedesktop.NetworkManager.openvpn' started
(org.freedesktop.NetworkManager.openvpn), PID 24258


Feb 18 11:19:21 kk-nb NetworkManager:   VPN service
'org.freedesktop.NetworkManager.openvpn' just appeared, activating
connections
Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state
changed: 1
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19
x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13
2009

Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state
changed:

Re: OpenVPN config problem

2010-02-19 Thread Andrey Borzenkov
On Friday 19 of February 2010 11:09:37 Karel Kozlik wrote:
> Hi,
> 
> Dan Williams wrote:
> > On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:
> >> Hi Dan,
> >> 
> >> Dan Williams wrote:
> >>> On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
> >>>> Hi,
> >>>> could someone help me with openVPN configuration in Network
> >>>> Manager? Actually when I click to VPN connection in NM, it does
> >>>> nothing. /var/log/syslog contains the following lines:
> >>>> 
> >>>> I see the message "VPN connection 'my-vpn' failed to connect:
> >>>> 'No VPN secrets!'", but I believe the secrets are configured
> >>>> correctly.
> >>> 
> >>> Is your private key by any chance *un*encrypted?  The VPN service
> >>> plugin currently requires encrypted private keys (which are more
> >>> secure anyway) and it could fail like this in that case.
> >> 
> >> Do you mean password protected key? My key was not.
> >> 
> >> I tried to create a password protected key and changed the connection
> >> type to "x509 with password" and filled the password into
> >> settings. It still did not work. But when I changed the key to my
> >> old one (unencrypted) and left the connection type to "x509 with
> >> password" it connected.
> > 
> > There are a few different passwords here.  There's the "private key
> > password", which is used to unlock your private key for TLS
> > connections, and then there's also the "user password", which is
> > used for password-based authentication that openvpn supports. 
> > Somewhat confusingly, you can stack these methods in openvpn,
> > which is what the "TLS with password" thing is.
> > 
> > But that's not what you want.  Your connection appears to be TLS
> > only, so you only need to choose "x509" there like you were
> > before.  I'm assuming that knetworkmanager is smart enough to ask
> > you for your private key password when nm-openvpn-service needs
> > it.  So try flipping back to just "x509" and see where that gets
> > you.
> 
> I just tried and it ends with error:
> 
> Feb 19 09:01:36 kk-nb NetworkManager: 
> nm_vpn_connection_connect_cb(): VPN connection 'kufr' failed to
> connect: 'No VPN secrets!'.
> 
> It does not matter if I use my unencrypted key or password protected
> key. Knetworkmanager does not even ask me for the private key
> password.
> 
> Could it be a bug in knetworkmanager?
> 

I am currently working on a similar problem using kvpnc plugin. Could 
you please provide

- your ~/.kde4/share/config/networkmanagementrc
- ~/.kde4/share/apps/networkmanagement/connections/{UUID}
- start knetworkmanager in terminal (do kquitapp knetworkmanager to 
terminate running version), try to connect and provide output

of course obfuscate any sensitive data. Also, are you using kwallet or 
plain text to store secrets?

thank you!

-andrey


> thanks,
> Karel
> 
> > Dan
> > 
> >> But I am not sure if the connection procedure finished. The openvpn
> >> daemon is running, tap interface exists, I can ping remote server
> >> interface (via vpn) and default route is set to VPN tap interface.
> >> But status of the connection in knetworkmanager did not change.
> >> So I cannot disconnect from it. I also cannot ping any other
> >> host except those on my LAN segment and the remote VPN server.
> >> The packets should be routed through VPN connection to other
> >> nodes, but they are not. However it works if I connect purely
> >> with openvpn (not using NM).
> >> 
> >> Any idea what could be wrong? Including my syslog.
> >> 
> >> thanks,
> >> Karel
> >> 
> >> 
> >> 
> >> Feb 18 11:19:21 kk-nb NetworkManager:   Starting VPN service
> >> 'org.freedesktop.NetworkManager.openvpn'...
> >> Feb 18 11:19:21 kk-nb NetworkManager:   VPN service
> >> 'org.freedesktop.NetworkManager.openvpn' started
> >> (org.freedesktop.NetworkManager.openvpn), PID 24258
> >> 
> >> 
> >> Feb 18 11:19:21 kk-nb NetworkManager:   VPN service
> >> 'org.freedesktop.NetworkManager.openvpn' just appeared, activating
> >> connections
> >> Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state
> >> changed: 1
> >> Feb 18 11:19:21 kk-nb nm-openvpn[24

Re: OpenVPN config problem

2010-02-19 Thread Karel Kozlik

Hi,

Dan Williams wrote:

On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:

Hi Dan,

Dan Williams wrote:

On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:

Hi,
could someone help me with openVPN configuration in Network Manager?
Actually when I click to VPN connection in NM, it does nothing.
/var/log/syslog contains the following lines:


I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
secrets!'", but I believe the secrets are configured correctly.

Is your private key by any chance *un*encrypted?  The VPN service plugin
currently requires encrypted private keys (which are more secure anyway)
and it could fail like this in that case.


Do you mean password protected key? My key was not.

I tried to create a password protected key and changed the connection type to
"x509 with password" and filled the password into settings. It still
did not work. But when I changed the key to my old one (unencrypted) and
left the connection type to "x509 with password" it connected.


There are a few different passwords here.  There's the "private key
password", which is used to unlock your private key for TLS connections,
and then there's also the "user password", which is used for
password-based authentication that openvpn supports.  Somewhat
confusingly, you can stack these methods in openvpn, which is what the
"TLS with password" thing is.

But that's not what you want.  Your connection appears to be TLS only,
so you only need to choose "x509" there like you were before.  I'm
assuming that knetworkmanager is smart enough to ask you for your
private key password when nm-openvpn-service needs it.  So try flipping
back to just "x509" and see where that gets you.



I just tried and it ends with error:

Feb 19 09:01:36 kk-nb NetworkManager:  
nm_vpn_connection_connect_cb(): VPN connection 'kufr' failed to connect: 
'No VPN secrets!'.


It does not matter if I use my unencrypted key or password protected key.
Knetworkmanager does not even ask me for the private key password.


Could it be a bug in knetworkmanager?

thanks,
Karel



Dan

But I am not sure if the connection procedure finished. The openvpn
daemon is running, tap interface exists, I can ping remote server
interface (via vpn) and default route is set to VPN tap interface. But
status of the connection in knetworkmanager did not change. So I cannot
disconnect from it. I also cannot ping any other host except those on
my LAN segment and the remote VPN server. The packets should be routed
through VPN connection to other nodes, but they are not. However it
works if I connect purely with openvpn (not using NM).


Any idea what could be wrong? Including my syslog.

thanks,
Karel



Feb 18 11:19:21 kk-nb NetworkManager:   Starting VPN service 
'org.freedesktop.NetworkManager.openvpn'...
Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' started 
(org.freedesktop.NetworkManager.openvpn), PID 24258 
 

Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' just appeared, activating 
connections
Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
1
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19 
x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009 

Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
3
Feb 18 11:19:21 kk-nb NetworkManager:   VPN connection 'kufr' 
(Connect) reply received.
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: No server certificate 
verification method has been enabled.  See 
http://openvpn.net/howto.html#mitm for more info. 
 

Feb 18 11:19:21 kk-nb nm-openvpn[24261]: NOTE: the current 
--script-security setting may allow this configuration to call 
user-defined scripts 
 

Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: file 
'/home/kk/.openvpn/kk-nb.key' is group or others accessible 

Feb 18 11:19:21 kk-nb nm-openvpn[24261]: /usr/bin/openssl-vulnkey -q -b 
1024 -m 
Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link local: [undef] 

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link remote: 
194.228.84.159:28960 

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: [ns.kufr.cz] Peer Connection 
Initiated with 194.228.84.159:28960
Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: devices 
added (path: /sys/devices/virtual/net/tap0, iface: tap0)
Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: device added 
(path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown 
configuration found. 

Feb 18 11:19:23 kk-nb NetworkManager:   device_creator(): 
/sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...

Feb 18 11:19:23 kk-nb nm-openvpn[24261]: TUN/TAP device tap0 opened
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: /sbin/ifconfig 

Re: OpenVPN config problem

2010-02-18 Thread Dan Williams
On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:
> Hi Dan,
> 
> Dan Williams wrote:
> > On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
> >> Hi,
> >> could someone help me with openVPN configuration in Network Manager?
> >> Actually when I click to VPN connection in NM, it does nothing.
> >> /var/log/syslog contains the following lines:
> >>
> >> I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
> >> secrets!'", but I believe the secrets are configured correctly.
> > 
> > Is your private key by any chance *un*encrypted?  The VPN service plugin
> > currently requires encrypted private keys (which are more secure anyway)
> > and it could fail like this in that case.
> > 
> 
> Do you mean password protected key? My key was not.
> 
> I tried to create a password protected key and changed the connection type to
> "x509 with password" and filled the password into settings. It still
> did not work. But when I changed the key to my old one (unencrypted) and
> left the connection type to "x509 with password" it connected.

There are a few different passwords here.  There's the "private key
password", which is used to unlock your private key for TLS connections,
and then there's also the "user password", which is used for
password-based authentication that openvpn supports.  Somewhat
confusingly, you can stack these methods in openvpn, which is what the
"TLS with password" thing is.

But that's not what you want.  Your connection appears to be TLS only,
so you only need to choose "x509" there like you were before.  I'm
assuming that knetworkmanager is smart enough to ask you for your
private key password when nm-openvpn-service needs it.  So try flipping
back to just "x509" and see where that gets you.

Dan

> But I am not sure if the connection procedure finished. The openvpn
> daemon is running, tap interface exists, I can ping remote server
> interface (via vpn) and default route is set to VPN tap interface. But
> status of the connection in knetworkmanager did not change. So I cannot
> disconnect from it. I also cannot ping any other host except those on
> my LAN segment and the remote VPN server. The packets should be routed
> through VPN connection to other nodes, but they are not. However it
> works if I connect purely with openvpn (not using NM).
> 
> Any idea what could be wrong? Including my syslog.
> 
> thanks,
> Karel
> 
> 
> 
> Feb 18 11:19:21 kk-nb NetworkManager:   Starting VPN service 
> 'org.freedesktop.NetworkManager.openvpn'...
> Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
> 'org.freedesktop.NetworkManager.openvpn' started 
> (org.freedesktop.NetworkManager.openvpn), PID 24258 
>  
> 
> Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
> 'org.freedesktop.NetworkManager.openvpn' just appeared, activating 
> connections
> Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
> 1
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19 
> x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009 
> 
> Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
> 3
> Feb 18 11:19:21 kk-nb NetworkManager:   VPN connection 'kufr' 
> (Connect) reply received.
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: No server certificate 
> verification method has been enabled.  See 
> http://openvpn.net/howto.html#mitm for more info. 
>  
> 
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: NOTE: the current 
> --script-security setting may allow this configuration to call 
> user-defined scripts 
>  
> 
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: file 
> '/home/kk/.openvpn/kk-nb.key' is group or others accessible 
> 
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: /usr/bin/openssl-vulnkey -q -b 
> 1024 -m 
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link local: [undef] 
> 
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link remote: 
> 194.228.84.159:28960 
> 
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: [ns.kufr.cz] Peer Connection 
> Initiated with 194.228.84.159:28960
> Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: devices 
> added (path: /sys/devices/virtual/net/tap0, iface: tap0)
> Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: device added 
> (path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown 
> configuration found. 
> 
> Feb 18 11:19:23 kk-nb NetworkManager:   device_creator(): 
> /sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...
> Feb 18 11:19:23 

Re: OpenVPN config problem

2010-02-18 Thread Karel Kozlik

Hi Dan,

Dan Williams wrote:

On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:

Hi,
could someone help me with openVPN configuration in Network Manager?
Actually when I click to VPN connection in NM, it does nothing.
/var/log/syslog contains the following lines:


I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
secrets!'", but I believe the secrets are configured correctly.


Is your private key by any chance *un*encrypted?  The VPN service plugin
currently requires encrypted private keys (which are more secure anyway)
and it could fail like this in that case.



Do you mean password protected key? My key was not.

I tried to create a password protected key and changed the connection type to
"x509 with password" and filled the password into settings. It still
did not work. But when I changed the key to my old one (unencrypted) and
left the connection type to "x509 with password" it connected.


But I am not sure if the connection procedure finished. The openvpn
daemon is running, tap interface exists, I can ping remote server
interface (via vpn) and default route is set to VPN tap interface. But
status of the connection in knetworkmanager did not change. So I cannot
disconnect from it. I also cannot ping any other host except those on
my LAN segment and the remote VPN server. The packets should be routed
through VPN connection to other nodes, but they are not. However it
works if I connect purely with openvpn (not using NM).


Any idea what could be wrong? Including my syslog.

thanks,
Karel



Feb 18 11:19:21 kk-nb NetworkManager:   Starting VPN service 
'org.freedesktop.NetworkManager.openvpn'...
Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' started 
(org.freedesktop.NetworkManager.openvpn), PID 24258 



Feb 18 11:19:21 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' just appeared, activating 
connections
Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
1
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19 
x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009 

Feb 18 11:19:21 kk-nb NetworkManager:   VPN plugin state changed: 
3
Feb 18 11:19:21 kk-nb NetworkManager:   VPN connection 'kufr' 
(Connect) reply received.
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: No server certificate 
verification method has been enabled.  See 
http://openvpn.net/howto.html#mitm for more info. 



Feb 18 11:19:21 kk-nb nm-openvpn[24261]: NOTE: the current 
--script-security setting may allow this configuration to call 
user-defined scripts 



Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: file 
'/home/kk/.openvpn/kk-nb.key' is group or others accessible 

Feb 18 11:19:21 kk-nb nm-openvpn[24261]: /usr/bin/openssl-vulnkey -q -b 
1024 -m 
Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link local: [undef] 

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link remote: 
194.228.84.159:28960 

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: [ns.kufr.cz] Peer Connection 
Initiated with 194.228.84.159:28960
Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: devices 
added (path: /sys/devices/virtual/net/tap0, iface: tap0)
Feb 18 11:19:23 kk-nb NetworkManager:SCPlugin-Ifupdown: device added 
(path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown 
configuration found. 

Feb 18 11:19:23 kk-nb NetworkManager:   device_creator(): 
/sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...

Feb 18 11:19:23 kk-nb nm-openvpn[24261]: TUN/TAP device tap0 opened
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: /sbin/ifconfig tap0 
44.177.215.7 netmask 255.255.255.240 mtu 1500 broadcast 44.177.215.15
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: 
/usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tap0 
1500 1573 44.177.215.7 255.255.255.240 init
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast group 
on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface 
tap0.IPv4 for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address record 
for 44.177.215.7 on tap0.IPv4.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Withdrawing address record for 
44.177.215.7 on tap0.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Leaving mDNS multicast group 
on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Interface tap0.IPv4 no longer 
relevant for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast group 
on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface 
tap0.IPv4 for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address record 
for 44.177.215.7 on tap0.IPv4.
Feb 18 11:19:23 kk-nb NetworkManager:   VPN connection 'kufr' (I

Re: OpenVPN config problem

2010-02-17 Thread Dan Williams
On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
> Hi,
> could someone help me with openVPN configuration in Network Manager?
> Actually when I click to VPN connection in NM, it does nothing.
> /var/log/syslog contains the following lines:
> 
> I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
> secrets!'", but I believe the secrets are configured correctly.

Is your private key by any chance *un*encrypted?  The VPN service plugin
currently requires encrypted private keys (which are more secure anyway)
and it could fail like this in that case.

Dan
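
Two key-file conditions come up in this thread: Dan's question whether the private key is unencrypted, and the OpenVPN log warning that the key file "is group or others accessible". The shell script below is an added example that checks both; it is not code from the posters or from NetworkManager, and its function names and the constructed sample keys are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN client key file.
# Function names are hypothetical; the sample keys below are constructed
# placeholders, not real key material.

# key_is_encrypted FILE: succeeds if the PEM private key is passphrase-protected.
key_is_encrypted() {
    # PKCS#8 uses a dedicated label; traditional OpenSSL PEM keeps the plain
    # label and adds a "Proc-Type: 4,ENCRYPTED" header line.
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# key_mode_is_private FILE: succeeds if group and others have no access bits,
# the condition behind OpenVPN's "is group or others accessible" warning.
key_mode_is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# audit_key FILE: prints "encrypted=yes|no mode=private|loose".
# Returns 0 only when the key is encrypted and private, 1 otherwise,
# 2 when the file is unreadable or holds no PEM private key.
audit_key() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "error=unreadable"
        return 2
    fi
    if ! grep -q -e '^-----BEGIN .*PRIVATE KEY-----' -- "$f"; then
        echo "error=no-pem-private-key"
        return 2
    fi
    enc=no
    if key_is_encrypted "$f"; then enc=yes; fi
    mode=loose
    if key_mode_is_private "$f"; then mode=private; fi
    echo "encrypted=$enc mode=$mode"
    [ "$enc" = yes ] && [ "$mode" = private ]
}

# write_sample_keys DIR: creates the constructed sample keys used by the demo.
write_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,CONSTRUCTED' '' \
        'CONSTRUCTED-PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    chmod 600 "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/plain.key"
    chmod 644 "$1/plain.key"
}

# With arguments: audit those files. Without: audit the constructed samples.
if [ "$#" -gt 0 ]; then
    for k in "$@"; do
        printf '%s: ' "$k"; audit_key "$k" || true
    done
else
    demo_dir=$(mktemp -d) && write_sample_keys "$demo_dir"
    for k in "$demo_dir/enc.key" "$demo_dir/plain.key"; do
        printf '%s: ' "${k##*/}"; audit_key "$k" || true
    done
    rm -rf "$demo_dir"
fi
```

A key that reports `mode=loose` can be tightened with `chmod 600` on the key file, which removes the group and other access that OpenVPN warns about.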




Re: OpenVPN Problem

2010-02-17 Thread rh


Dan Williams wrote:
> On Tue, 2010-02-16 at 14:46 +0100, rh wrote:
>> R.Hnat
>>
>> Dan Williams wrote:
>>> On Sat, 2010-02-13 at 12:33 +0100, rh wrote:
>>>> Dan Williams wrote:
>>>>> On Thu, 2010-02-11 at 15:40 +0100, rh wrote:
>>>>>> R.Hnat
>>>>>>
>>>>>> Dan Williams wrote:
>>>>>>> On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
>>>>>>>> Dan Williams wrote:
>>>>>>>>> On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
>>>>>>>>>> Dan Williams wrote:
>>>>>>>>>>> On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
>>>>>>>>>>>> I try to connect to an OpenVPN Server (Located on an IPCop) from my
>>>>>>>>>>>> Ubuntu Box. I have Configured Netmanager with all necessary
>>>>>>>>>>>> parameters following an IPCop Howto. But there happens nothing
>>>>>>>>>>>> when i try to connect. There are not any log messages in
>>>>>>>>>>>> /var/log/message, there is no error message, simply no reaction.
>>>>>>>>>>>> I have installed Network-Manager and network-Manager-OpenVpn and the
>>>>>>>>>>>> Network-Manager-Applet. What could that be?
>>>>>>>>>>>
>>>>>>>>>>> You'll need to reboot after installing a new VPN plugin package.
>>>>>>>>>>> If you do that, does anything different happen?
>>>>>>>>>>>
>>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>> No this does not change anything. It is just like network-manager
>>>>>>>>>> wasn't there. But i can see the process with 'ps ax'. And i can
>>>>>>>>>> start the VPN using the 'openvpn' command from the commandline.
>>>>>>>>>
>>>>>>>>> Have you config

OpenVPN config problem

2010-02-17 Thread Karel Kozlik

Hi,
could someone help me with openVPN configuration in Network Manager?
Actually when I click to VPN connection in NM, it does nothing.
/var/log/syslog contains the following lines:


Feb 17 10:11:13 kk-nb NetworkManager:   Starting VPN service 
'org.freedesktop.NetworkManager.openvpn'...
Feb 17 10:11:13 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' started 
(org.freedesktop.NetworkManager.openvpn), PID 12393
Feb 17 10:11:13 kk-nb NetworkManager:   VPN service 
'org.freedesktop.NetworkManager.openvpn' just appeared, activating 
connections

Feb 17 10:11:13 kk-nb NetworkManager:   VPN plugin state changed: 1
Feb 17 10:11:13 kk-nb NetworkManager:   VPN plugin state changed: 3
Feb 17 10:11:13 kk-nb NetworkManager:   VPN connection 'my-vpn' 
(Connect) reply received.
Feb 17 10:11:13 kk-nb NetworkManager:  
nm_vpn_connection_connect_cb(): VPN connection 'my-vpn' failed to 
connect: 'No VPN secrets!'.
Feb 17 10:11:13 kk-nb NetworkManager:  connection_state_changed(): 
Could not process the request because no VPN connection was active.
Feb 17 10:11:13 kk-nb NetworkManager:   (eth0): writing 
resolv.conf to /sbin/resolvconf
Feb 17 10:11:13 kk-nb NetworkManager:   Policy set 'eth0 - dhcp' 
(eth0) as default for routing and DNS.
Feb 17 10:11:26 kk-nb NetworkManager:  [1266397886.002812] 
ensure_killed(): waiting for vpn service pid 12393 to exit
Feb 17 10:11:26 kk-nb NetworkManager:  [1266397886.002989] 
ensure_killed(): vpn service pid 12393 cleaned up



I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
secrets!'", but I believe the secrets are configured correctly.


You can check my openvpn config file (that works and connects to vpn
without problems) and screenshots of my NM configuration at
http://www.kufr.cz/kk/bordel/vpn/


I am using:
network-manager  0.8~a~git.20091013t193206.679d548-0ubuntu1
network-manager-openvpn  0.8~a~git.20091008t123607.7c184a9-0ubuntu1
plasma-widget-networkmanagement   0.9~svn1029786+ag1-0ubuntu1


thanks,
Karel




Re: OpenVPN Problem

2010-02-16 Thread Dan Williams
On Tue, 2010-02-16 at 14:46 +0100, rh wrote:
> R.Hnat
>
> Dan Williams wrote:
> > On Sat, 2010-02-13 at 12:33 +0100, rh wrote:
> > > Dan Williams wrote:
> > > > On Thu, 2010-02-11 at 15:40 +0100, rh wrote:
> > > > > R.Hnat
> > > > >
> > > > > Dan Williams wrote:
> > > > > > On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
> > > > > > > Dan Williams wrote:
> > > > > > > > On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
> > > > > > > > > Dan Williams wrote:
> > > > > > > > > > On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> > > > > > > > > > > I try to connect to an OpenVPN Server (Located on an
> > > > > > > > > > > IPCop) from my Ubuntu Box. I have Configured Netmanager
> > > > > > > > > > > with all necessary parameters following an IPCop Howto.
> > > > > > > > > > > But there happens nothing when i try to connect. There
> > > > > > > > > > > are not any log messages in /var/log/message, there
> > > > > > > > > > > is no error message, simply no reaction. I have installed
> > > > > > > > > > > Network-Manager and network-Manager-OpenVpn and the
> > > > > > > > > > > Network-Manager-Applet. What could that be?
> > > > > > > > > >
> > > > > > > > > > You'll need to reboot after installing a new VPN plugin
> > > > > > > > > > package.  If you do that, does anything different happen?
> > > > > > > > > >
> > > > > > > > > > Dan
> > > > > > > > >
> > > > > > > > > No this does not change anything. It is just like
> > > > > > > > > network-manager wasn't there. But i can see the process
> > > > > > > > > with 'ps ax'. And i can start the VPN using the 'openvpn'
> > > > > > > > > command from the commandline.
> > > > > > > >
> > > > > > > > Have you configured the connection using nm-connection-editor
> > > > > > > > in the VPN tab?
> > > > > > > >
> > > > > > > > Dan

Re: OpenVPN Problem

2010-02-15 Thread Dan Williams
On Sat, 2010-02-13 at 12:33 +0100, rh wrote:
> 
> 
> Dan Williams schrieb: 
> > On Thu, 2010-02-11 at 15:40 +0100, rh wrote:
> >   
> > > R.Hnat
> > > 
> > > 
> > > Dan Williams schrieb: 
> > > 
> > > > On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
> > > >   
> > > >   
> > > > > Dan Williams schrieb: 
> > > > > 
> > > > > 
> > > > > > On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
> > > > > >   
> > > > > >   
> > > > > >   
> > > > > > > Dan Williams schrieb: 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > > On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> > > > > > > >   
> > > > > > > >   
> > > > > > > >   
> > > > > > > >   
> > > > > > > > > I try to connect to an OpenVPN Server (Located on an IPCop) 
> > > > > > > > > from my
> > > > > > > > > Ubuntu Box. I have Configured Netmanager with all necessary 
> > > > > > > > > parameters 
> > > > > > > > > Parameters following an IPCop Howto. But there happens 
> > > > > > > > > nothing when i
> > > > > > > > > try to connect. There are not any Logmessages in 
> > > > > > > > > /var/log/message, there
> > > > > > > > > is no error message, simply no reaction. I have installed
> > > > > > > > > Network-Manager and network-Manager-OpenVpn and the
> > > > > > > > > Network-Manager-Applet. What could that be?
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > You'll need to reboot after installing a new VPN plugin 
> > > > > > > > package.  If you
> > > > > > > > do that, does anything different happen?
> > > > > > > > 
> > > > > > > > Dan
> > > > > > > >   
> > > > > > > >   
> > > > > > > >   
> > > > > > > >   
> > > > > > > No this does not change anything. It is just like network-manager
> > > > > > > was'nt there. But i can see the process whith 'ps ax'. And i can 
> > > > > > > start
> > > > > > > the VPN using the 'openvpn' command from the commandline.
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > Have you configured the connection using nm-connection-editor in 
> > > > > > the VPN
> > > > > > tab?
> > > > > > 
> > > > > > Dan
> > > > > > 
> > > > > >   
> > > > > >   
> > > > > >   
> > > > > Of course I have configured with nm-connection-editor .
> > > > > 
> > > > > 
> > > > Ok, and you're using the applet menu to start the openvpn connection?
> > > > If you do this, then choose your VPN from the applet, do you get any
> > > > messages?
> > > > 
> > > > killall -TERM nm-openvpn-service
> > > > OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
> > > > 
> > > > If that doesn't work, can you attach your ~/.xsession-errors file so we
> > > > can see if it's a problem on the GUI side?
> > > > 
> > > > Dan
> > > > 
> > > >   
> > > >   
> > > No there is no reaction.
> > > 
> > > r...@ligeti:~$ killall -TERM nm-openvpn-service
> > > nm-openvpn-service: no process found
> > > r...@ligeti:~$ OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
> > > bash: /usr/libexec/nm-openvpn-service: No such file or directory
> > > 
> > 
> > Oh sorry... Debian-based distros put it elsewhere.  Try this:
> > 
> > killall -TERM nm-openvpn-service
> > OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service
> > 
> > and then let's see what it prints out.  If it's not there, then
> > 
> > dpkg -L network-manager-openvpn | grep nm-openvpn-service
> > 
> > will tell you where the binary is located.
> > 
> > Dan
> > 
> >   
> 
> OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service does 
> nothing and has to be stopped with ^C.

It won't print anything until it's told to make a VPN connection by
NetworkManager.  So just to confirm, you run this command, and then
you're choosing your VPN connection from the menu to start it, right?
And you get no output?

And you're running them as root, right?

Can you provide /var/log/daemon.log for me after this failure has
occurred?

> And here is what dpkg... says:
> r...@ligeti:~$ dpkg -L network-manager-openvpn |grep nm-openvpn-service
> /usr/lib/network-manager-openvpn/nm-openvpn-service
> /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper
> /etc/dbus-1/system.d/nm-openvpn-service.conf
> /etc/NetworkManager/VPN/nm-openvpn-service.name
> 
> Might it be that the problem is that all these files are 'root-owned'
> and not executable from a simple user?

No, they are supposed to be root owned since they are security sensitive
and must launch privileged processes (your VPN).  Normally they are
spawned automatically by NetworkManager when needed, so the only time
they are really run by a user is for debugging.

Hopefully we can get to the bottom of this...

Dan


___
NetworkManager-list mailing list
NetworkManager-list@gnome.org
http://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: OpenVPN Problem

2010-02-13 Thread rh


Dan Williams schrieb:
> On Thu, 2010-02-11 at 15:40 +0100, rh wrote:
>   
>> R.Hnat
>>
>>
>> Dan Williams schrieb: 
>> 
>>> On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
>>>   
>>>   
>>>> Dan Williams schrieb: 
>>>> 
>>>> 
>>>>> On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
>>>>>   
>>>>>   
>>>>>   
>>>>>> Dan Williams schrieb: 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
>>>>>>>   
>>>>>>>   
>>>>>>>   
>>>>>>>   
>>>>>>>> I try to connect to an OpenVPN Server (Located on an IPCop) from my
>>>>>>>> Ubuntu Box. I have Configured Netmanager with all necessary parameters 
>>>>>>>> Parameters following an IPCop Howto. But there happens nothing when i
>>>>>>>> try to connect. There are not any Logmessages in /var/log/message, 
>>>>>>>> there
>>>>>>>> is no error message, simply no reaction. I have installed
>>>>>>>> Network-Manager and network-Manager-OpenVpn and the
>>>>>>>> Network-Manager-Applet. What could that be?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> You'll need to reboot after installing a new VPN plugin package.  If you
>>>>>>> do that, does anything different happen?
>>>>>>>
>>>>>>> Dan
>>>>>>>   
>>>>>>>   
>>>>>>>   
>>>>>>>   
>>>>>> No this does not change anything. It is just like network-manager
>>>>>> was'nt there. But i can see the process whith 'ps ax'. And i can start
>>>>>> the VPN using the 'openvpn' command from the commandline.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> Have you configured the connection using nm-connection-editor in the VPN
>>>>> tab?
>>>>>
>>>>> Dan
>>>>>
>>>>>   
>>>>>   
>>>>>   
>>>> Of course I have configured with nm-connection-editor .
>>>> 
>>>> 
>>> Ok, and you're using the applet menu to start the openvpn connection?
>>> If you do this, then choose your VPN from the applet, do you get any
>>> messages?
>>>
>>> killall -TERM nm-openvpn-service
>>> OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
>>>
>>> If that doesn't work, can you attach your ~/.xsession-errors file so we
>>> can see if it's a problem on the GUI side?
>>>
>>> Dan
>>>
>>>   
>>>   
>> No there is no reaction.
>>
>> r...@ligeti:~$ killall -TERM nm-openvpn-service
>> nm-openvpn-service: no process found
>> r...@ligeti:~$ OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
>> bash: /usr/libexec/nm-openvpn-service: No such file or directory
>> 
>
> Oh sorry... Debian-based distros put it elsewhere.  Try this:
>
> killall -TERM nm-openvpn-service
> OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service
>
> and then let's see what it prints out.  If it's not there, then
>
> dpkg -L network-manager-openvpn | grep nm-openvpn-service
>
> will tell you where the binary is located.
>
> Dan
>
>   

OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service does 
nothing and has to be stopped with ^C.


And here is what dpkg... says:

r...@ligeti:~$ dpkg -L network-manager-openvpn |grep nm-openvpn-service
/usr/lib/network-manager-openvpn/nm-openvpn-service
/usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper
/etc/dbus-1/system.d/nm-openvpn-service.conf
/etc/NetworkManager/VPN/nm-openvpn-service.name


Might it be that the problem is that all these files are 'root-owned'
and not executable from a simple user?

Reinhard


Re: OpenVPN Problem

2010-02-12 Thread Dan Williams
On Thu, 2010-02-11 at 15:40 +0100, rh wrote:
> 
> R.Hnat
> 
> 
> Dan Williams schrieb: 
> > On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
> >   
> > > Dan Williams schrieb: 
> > > 
> > > > On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
> > > >   
> > > >   
> > > > > Dan Williams schrieb: 
> > > > > 
> > > > > 
> > > > > > On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> > > > > >   
> > > > > >   
> > > > > >   
> > > > > > > I try to connect to an OpenVPN Server (Located on an IPCop) from 
> > > > > > > my
> > > > > > > Ubuntu Box. I have Configured Netmanager with all necessary 
> > > > > > > parameters 
> > > > > > > Parameters following an IPCop Howto. But there happens nothing 
> > > > > > > when i
> > > > > > > try to connect. There are not any Logmessages in 
> > > > > > > /var/log/message, there
> > > > > > > is no error message, simply no reaction. I have installed
> > > > > > > Network-Manager and network-Manager-OpenVpn and the
> > > > > > > Network-Manager-Applet. What could that be?
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > You'll need to reboot after installing a new VPN plugin package.  
> > > > > > If you
> > > > > > do that, does anything different happen?
> > > > > > 
> > > > > > Dan
> > > > > >   
> > > > > >   
> > > > > >   
> > > > > No this does not change anything. It is just like network-manager
> > > > > was'nt there. But i can see the process whith 'ps ax'. And i can start
> > > > > the VPN using the 'openvpn' command from the commandline.
> > > > > 
> > > > > 
> > > > Have you configured the connection using nm-connection-editor in the VPN
> > > > tab?
> > > > 
> > > > Dan
> > > > 
> > > >   
> > > >   
> > > Of course I have configured with nm-connection-editor .
> > > 
> > 
> > Ok, and you're using the applet menu to start the openvpn connection?
> > If you do this, then choose your VPN from the applet, do you get any
> > messages?
> > 
> > killall -TERM nm-openvpn-service
> > OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
> > 
> > If that doesn't work, can you attach your ~/.xsession-errors file so we
> > can see if it's a problem on the GUI side?
> > 
> > Dan
> > 
> >   
> No there is no reaction.
> 
> r...@ligeti:~$ killall -TERM nm-openvpn-service
> nm-openvpn-service: no process found
> r...@ligeti:~$ OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
> bash: /usr/libexec/nm-openvpn-service: No such file or directory

Oh sorry... Debian-based distros put it elsewhere.  Try this:

killall -TERM nm-openvpn-service
OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service

and then let's see what it prints out.  If it's not there, then

dpkg -L network-manager-openvpn | grep nm-openvpn-service

will tell you where the binary is located.

Dan

> I attach xsession-errors.
> 
> Regards
> Reinhard
> plain text document attachment (.xsession-errors)

Re: OpenVPN Problem

2010-02-11 Thread rh

R.Hnat



Dan Williams schrieb:
> On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
>   
>> Dan Williams schrieb: 
>> 
>>> On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
>>>   
>>>   
>>>> Dan Williams schrieb: 
>>>> 
>>>> 
>>>>> On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
>>>>>   
>>>>>   
>>>>>   
>>>>>> I try to connect to an OpenVPN Server (Located on an IPCop) from my
>>>>>> Ubuntu Box. I have Configured Netmanager with all necessary parameters 
>>>>>> Parameters following an IPCop Howto. But there happens nothing when i
>>>>>> try to connect. There are not any Logmessages in /var/log/message, there
>>>>>> is no error message, simply no reaction. I have installed
>>>>>> Network-Manager and network-Manager-OpenVpn and the
>>>>>> Network-Manager-Applet. What could that be?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> You'll need to reboot after installing a new VPN plugin package.  If you
>>>>> do that, does anything different happen?
>>>>>
>>>>> Dan
>>>>>   
>>>>>   
>>>>>   
>>>> No this does not change anything. It is just like network-manager
>>>> was'nt there. But i can see the process whith 'ps ax'. And i can start
>>>> the VPN using the 'openvpn' command from the commandline.
>>>> 
>>>> 
>>> Have you configured the connection using nm-connection-editor in the VPN
>>> tab?
>>>
>>> Dan
>>>
>>>   
>>>   
>> Of course I have configured with nm-connection-editor .
>> 
>
> Ok, and you're using the applet menu to start the openvpn connection?
> If you do this, then choose your VPN from the applet, do you get any
> messages?
>
> killall -TERM nm-openvpn-service
> OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
>
> If that doesn't work, can you attach your ~/.xsession-errors file so we
> can see if it's a problem on the GUI side?
>
> Dan
>
>   
No there is no reaction.

r...@ligeti:~$ killall -TERM nm-openvpn-service
nm-openvpn-service: no process found
r...@ligeti:~$ OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service
bash: /usr/libexec/nm-openvpn-service: No such file or directory

I attach xsession-errors.

Regards
Reinhard

Re: OpenVPN Problem

2010-02-10 Thread Dan Williams
On Tue, 2010-02-09 at 07:03 +0100, rh wrote:
> 
> Dan Williams schrieb: 
> > On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
> >   
> > > Dan Williams schrieb: 
> > > 
> > > > On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> > > >   
> > > >   
> > > > > I try to connect to an OpenVPN Server (Located on an IPCop) from my
> > > > > Ubuntu Box. I have Configured Netmanager with all necessary 
> > > > > parameters 
> > > > > Parameters following an IPCop Howto. But there happens nothing when i
> > > > > try to connect. There are not any Logmessages in /var/log/message, 
> > > > > there
> > > > > is no error message, simply no reaction. I have installed
> > > > > Network-Manager and network-Manager-OpenVpn and the
> > > > > Network-Manager-Applet. What could that be?
> > > > > 
> > > > > 
> > > > You'll need to reboot after installing a new VPN plugin package.  If you
> > > > do that, does anything different happen?
> > > > 
> > > > Dan
> > > >   
> > > >   
> > > No this does not change anything. It is just like network-manager
> > > was'nt there. But i can see the process whith 'ps ax'. And i can start
> > > the VPN using the 'openvpn' command from the commandline.
> > > 
> > 
> > Have you configured the connection using nm-connection-editor in the VPN
> > tab?
> > 
> > Dan
> > 
> >   
> Of course I have configured with nm-connection-editor.

Ok, and you're using the applet menu to start the openvpn connection?
If you do this, then choose your VPN from the applet, do you get any
messages?

killall -TERM nm-openvpn-service
OPENVPN_DEBUG=1 /usr/libexec/nm-openvpn-service

If that doesn't work, can you attach your ~/.xsession-errors file so we
can see if it's a problem on the GUI side?

Dan




Re: OpenVPN Problem

2010-02-08 Thread rh

Dan Williams schrieb:
> On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
>   
>> Dan Williams schrieb: 
>> 
>>> On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
>>>   
>>>   
>>>> I try to connect to an OpenVPN Server (Located on an IPCop) from my
>>>> Ubuntu Box. I have Configured Netmanager with all necessary parameters 
>>>> Parameters following an IPCop Howto. But there happens nothing when i
>>>> try to connect. There are not any Logmessages in /var/log/message, there
>>>> is no error message, simply no reaction. I have installed
>>>> Network-Manager and network-Manager-OpenVpn and the
>>>> Network-Manager-Applet. What could that be?
>>>> 
>>>> 
>>> You'll need to reboot after installing a new VPN plugin package.  If you
>>> do that, does anything different happen?
>>>
>>> Dan
>>>   
>>>   
>> No this does not change anything. It is just like network-manager
>> was'nt there. But i can see the process whith 'ps ax'. And i can start
>> the VPN using the 'openvpn' command from the commandline.
>> 
>
> Have you configured the connection using nm-connection-editor in the VPN
> tab?
>
> Dan
>
>   
Of course I have configured with nm-connection-editor.
Reinhard


Re: OpenVPN Problem

2010-02-08 Thread Dan Williams
On Sat, 2010-01-30 at 10:00 +0100, rh wrote:
> 
> Dan Williams schrieb: 
> > On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> >   
> > > I try to connect to an OpenVPN Server (Located on an IPCop) from my
> > > Ubuntu Box. I have Configured Netmanager with all necessary parameters 
> > > Parameters following an IPCop Howto. But there happens nothing when i
> > > try to connect. There are not any Logmessages in /var/log/message, there
> > > is no error message, simply no reaction. I have installed
> > > Network-Manager and network-Manager-OpenVpn and the
> > > Network-Manager-Applet. What could that be?
> > > 
> > 
> > You'll need to reboot after installing a new VPN plugin package.  If you
> > do that, does anything different happen?
> > 
> > Dan
> >   
> No this does not change anything. It is just like network-manager
> wasn't there. But I can see the process with 'ps ax'. And I can start
> the VPN using the 'openvpn' command from the commandline.

Have you configured the connection using nm-connection-editor in the VPN
tab?

Dan




Re: OpenVPN Problem

2010-01-30 Thread rh

Dan Williams schrieb:
> On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
>   
>> I try to connect to an OpenVPN Server (Located on an IPCop) from my
>> Ubuntu Box. I have Configured Netmanager with all necessary parameters 
>> Parameters following an IPCop Howto. But there happens nothing when i
>> try to connect. There are not any Logmessages in /var/log/message, there
>> is no error message, simply no reaction. I have installed
>> Network-Manager and network-Manager-OpenVpn and the
>> Network-Manager-Applet. What could that be?
>> 
>
> You'll need to reboot after installing a new VPN plugin package.  If you
> do that, does anything different happen?
>
> Dan
>   
No this does not change anything. It is just like network-manager wasn't
there. But I can see the process with 'ps ax'. And I can start the VPN
using the 'openvpn' command from the commandline.

Greetings
Reinhard


Re: OpenVPN Problem

2010-01-29 Thread Dan Williams
On Fri, 2010-01-29 at 15:12 +0100, rh wrote:
> I try to connect to an OpenVPN Server (Located on an IPCop) from my
> Ubuntu Box. I have Configured Netmanager with all necessary parameters
> following an IPCop Howto. But there happens nothing when I
> try to connect. There are not any Logmessages in /var/log/message, there
> is no error message, simply no reaction. I have installed
> Network-Manager and network-Manager-OpenVpn and the
> Network-Manager-Applet. What could that be?

You'll need to reboot after installing a new VPN plugin package.  If you
do that, does anything different happen?

Dan




Re: OpenVPN Problem

2010-01-29 Thread Mathieu Trudel-Lapierre
Reinhard,

On Fri, Jan 29, 2010 at 9:12 AM, rh  wrote:
> try to connect. There are not any Logmessages in /var/log/message, there
> is no error message, simply no reaction. I have installed

Are there any messages in /var/log/syslog? Or do you mean this is the
file that you checked already?

/ Matt


OpenVPN Problem

2010-01-29 Thread rh
I try to connect to an OpenVPN Server (Located on an IPCop) from my
Ubuntu Box. I have Configured Netmanager with all necessary parameters
following an IPCop Howto. But there happens nothing when I
try to connect. There are not any Logmessages in /var/log/message, there
is no error message, simply no reaction. I have installed
Network-Manager and network-Manager-OpenVpn and the
Network-Manager-Applet. What could that be?

Thanks in advance
Reinhard


[Patch] Enable pkcs12 auth for NetworkManager-openvpn

2010-01-29 Thread Huzaifa Sidhpurwala
Hi All,
I was working on https://bugzilla.gnome.org/show_bug.cgi?id=534219, which
enables pkcs12 key for nm-openvpn.
I have attached a patch to the bz, which seems to work for me.

Hope this patch is committed soon.

Thanks.

Regards,
Huzaifa Sidhpurwala.


Re: PATCH: passwordless TLS openvpn fails to connect with "no VPN secrets"

2010-01-21 Thread Dan Williams
On Wed, 2010-01-20 at 21:26 -0300, Federico Heinz wrote:
> On 20/01/2010, Dan Williams wrote:
> > On Mon, 2009-12-21 at 02:10 -0300, Federico Heinz wrote:
> > > The openVPN plugin for NetworkManager fails to connect to a passwordless TLS
> > > server, complaining of "no VPN secrets". This happened because the code
> > > assumes that only static-key servers use no secrets, which isn't true. Only
> > > password and password+TLS require secrets.
> > > https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/453807
> > We'd need a bit more than that unfortunately.  First, openvpn assumes
> > that the TLS private key will have a password protecting it, in which
> > case the patch isn't required.
> 
> Indeed, this is true: if the key is password-protected, the connection
> succeeds.
> 
> > Second, if we do want to allow unencrypted private keys (a security hole)
> 
> The security hole is relative, and it depends on the details of how the key is
> stored. A password does not provide much security beyond that of storing the
> file in an ecryptfs-encrypted directory, for instance.
> 
> In any case, if you do decide that you don't want to enable non-encrypted keys,
> then at least the program should fail with a more informative message. The
> current "No secrets" message is hard to decipher for a normal user, something
> along the lines of "Private key needs to be password-protected" would be much
> more helpful. Better yet, the UI should not let the user enter a plain text key in
> the dialog, instead of allowing such a "misconfiguration" and then refusing to
> use it.
> 
> > then we'd need code to verify that the private key the user has picked is
> > indeed unencrypted before letting the UI enable the OK button.  Any chance
> > you'd be willing to work on that patch?  Most of the code to do that is lying
> > around since nm-applet needs to do the same thing for 802.1x TLS.
> 
> I might, but first I'd hate to do the work to have it later rejected because
> the guardians of the project decided to do it differently (not accepting
> plaintext keys at all, for instance). If there is a clear decision about what
> the desired behaviour is, I'll look into it.

Honestly I don't care.  I'm fine with some code in the NM-openvpn UI to
check the certificate file and determine if a private key password is
required or not.  I believe DER-format keys are always unencrypted
(because they simply don't have the ability to specify the information
necessary for decryption) but we can easily figure out if PEM format
keys are encrypted or not by looking for the DEK-Info and Proc-Type tags
in the OpenSSL header.  We need to remember to scan more than 10K or so of
the file in case the private key is at the bottom of a bunch of
certificates.

Dan
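
The PEM check described in the message above, sketched in C as an added example (not NetworkManager or nm-applet code): it walks every PEM block in a buffer so that a private key sitting after a long certificate chain is still found, and treats `Proc-Type: 4,ENCRYPTED` or `DEK-Info` headers as the encrypted marker. The check for the `ENCRYPTED PRIVATE KEY` label goes beyond what the message mentions; all function names and the sample PEM bodies are constructed for illustration, and DER input is not handled.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum key_state { KEY_NOT_FOUND = -1, KEY_PLAIN = 0, KEY_ENCRYPTED = 1 };

/* Constructed samples: the base64 bodies are placeholders, not real keys. */
static const char PLAIN_KEY[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char LEGACY_ENC_KEY[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char PKCS8_ENC_KEY[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLUtFWQ==\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";
static const char DUMMY_CERT[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtU0FNUExFLUNFUlQtUEFERElORw==\n"
    "-----END CERTIFICATE-----\n";

static char bundle[32768];   /* scratch buffer for the combined-file case */

/* Bounded substring search (memmem() is not standard C). */
static const char *find(const char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);

    if (n == 0 || hay_len < n)
        return NULL;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return hay + i;
    return NULL;
}

/* Classify the first private key found anywhere in a PEM buffer. */
enum key_state pem_key_state(const char *buf, size_t len)
{
    static const char begin[] = "-----BEGIN ";
    const char *end = buf + len;
    const char *p = buf;

    while ((p = find(p, (size_t)(end - p), begin)) != NULL) {
        const char *label = p + sizeof begin - 1;
        const char *eol = memchr(label, '\n', (size_t)(end - label));
        const char *block_end;
        size_t label_len, body_len;

        if (eol == NULL)
            eol = end;
        label_len = (size_t)(eol - label);
        p = eol;                      /* resume after this BEGIN line */

        if (!find(label, label_len, "PRIVATE KEY-----"))
            continue;                 /* certificate or other block: skip */
        if (find(label, label_len, "ENCRYPTED PRIVATE KEY-----"))
            return KEY_ENCRYPTED;     /* PKCS#8: the label itself says so */

        /* Traditional format: encryption is signalled by header lines
         * between the BEGIN line and the base64 body. */
        block_end = find(eol, (size_t)(end - eol), "-----END ");
        if (block_end == NULL)
            block_end = end;
        body_len = (size_t)(block_end - eol);
        if (find(eol, body_len, "Proc-Type: 4,ENCRYPTED") ||
            find(eol, body_len, "DEK-Info:"))
            return KEY_ENCRYPTED;
        return KEY_PLAIN;
    }
    return KEY_NOT_FOUND;
}

/* Build n_certs dummy certificates followed by key_pem; 0 if it won't fit. */
size_t build_bundle(size_t n_certs, const char *key_pem)
{
    size_t off = 0, clen = strlen(DUMMY_CERT), klen = strlen(key_pem);

    if (n_certs * clen + klen > sizeof bundle)
        return 0;
    for (size_t i = 0; i < n_certs; i++, off += clen)
        memcpy(bundle + off, DUMMY_CERT, clen);
    memcpy(bundle + off, key_pem, klen);
    return off + klen;
}

enum key_state bundle_key_state(size_t n_certs, const char *key_pem)
{
    return pem_key_state(bundle, build_bundle(n_certs, key_pem));
}

int main(void)
{
    printf("plain key alone:           %d\n",
           (int)pem_key_state(PLAIN_KEY, strlen(PLAIN_KEY)));
    printf("encrypted key, 200 certs:  %d\n",
           (int)bundle_key_state(200, LEGACY_ENC_KEY));
    return 0;
}
```

A caller that reads only a fixed-size prefix of the file would report `KEY_NOT_FOUND` for the 200-certificate bundle, which is the case the message warns about.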




Re: PATCH: passwordless TLS openvpn fails to connect with "no VPN secrets"

2010-01-20 Thread Federico Heinz
On 20/01/2010, Dan Williams wrote:
> On Mon, 2009-12-21 at 02:10 -0300, Federico Heinz wrote:
> > The openVPN plugin for NetworkManager fails to connect to a passwordless TLS
> > server, complaining of "no VPN secrets". This happened because the code
> > assumes that only static-key servers use no secrets, which isn't true. Only
> > password and password+TLS require secrets.
> > https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/453807
> We'd need a bit more than that unfortunately.  First, openvpn assumes
> that the TLS private key will have a password protecting it, in which
> case the patch isn't required.

Indeed, this is true: if the key is password-protected, the connection
succeeds.

> Second, if we do want to allow unencrypted private keys (a security hole)

The security hole is relative, and it depends on the details of how the key is
stored. A password does not provide much security beyond that of storing the
file in an ecryptfs-encrypted directory, for instance.

In any case, if you do decide that you don't want to enable non-encrypted keys,
then at least the program should fail with a more informative message. The
current "No secrets" message is hard to decipher for a normal user, something
along the lines of "Private key needs to be password-protected" would be much
more helpful. Better yet, the UI should not let the user enter a plain text key in
the dialog, instead of allowing such a "misconfiguration" and then refusing to
use it.

> then we'd need code to verify that the private key the user has picked is
> indeed unencrypted before letting the UI enable the OK button.  Any chance
> you'd be willing to work on that patch?  Most of the code to do that is lying
> around since nm-applet needs to do the same thing for 802.1x TLS.

I might, but first I'd hate to do the work to have it later rejected because
the guardians of the project decided to do it differently (not accepting
plaintext keys at all, for instance). If there is a clear decision about what
the desired behaviour is, I'll look into it.

Fede


RE: openvpn parameters

2010-01-20 Thread Dan Williams
On Tue, 2009-11-24 at 22:09 +, Joseph L. Casale wrote:
> >NM doesn't store OpenVPN config files--it actually constructs a
> >complete OpenVPN command line, with all the required options, every
> >time it starts the daemon.
> 
> Oh, that’s good to know...
> 
> >You'll need to set your OpenVPN options via the NM GUI. I don't
> >remember off the top of my head whether 'auth-user-pass' is actually
> >supported or not, though. If it's supported, you'll find a check-box
> >or control of some kind in the GUI settings.
> >
> >If that option isn't supported by the NM OpenVPN plugin, you'll have to
> >file a bug report, or write a patch.
> 
> Yup, it's not there, I'll file a request...

You need to choose the "Password" or "Password/TLS" options in the GUI
or set the correct "connection type".  auth-user-pass isn't in GConf as
an explicit option, it's sent to openvpn or not sent based on the
connection type (one of TLS, Password, Password/TLS, or Static).

Dan




Re: PATCH: passwordless TLS openvpn fails to connect with "no VPN secrets"

2010-01-20 Thread Dan Williams
On Mon, 2009-12-21 at 02:10 -0300, Federico Heinz wrote:
> The openVPN plugin for NetworkManager fails to connect to a passwordless TLS
> server, complaining of "no VPN secrets". This happened because the code
> assumes that only static-key servers use no secrets, which isn't true. Only
> password and password+TLS require secrets.
> 
> https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/453807

We'd need a bit more than that unfortunately.  First, openvpn assumes
that the TLS private key will have a password protecting it, in which
case the patch isn't required.  Second, if we do want to allow
unencrypted private keys (a security hole) then we'd need code to verify
that the private key the user has picked is indeed unencrypted before
letting the UI enable the OK button.  Any chance you'd be willing to
work on that patch?  Most of the code to do that is lying around since
nm-applet needs to do the same thing for 802.1x TLS.

Dan




Re: openvpn pkcs12 support

2010-01-20 Thread Dan Williams
On Wed, 2009-12-23 at 13:50 +0100, richard -rw- weinberger wrote:
> hi,
> 
> are there any plans to support pkcs12 certificates?
> technically nm only has to push "--pkcs12" instead of "--key",
> "--cert" and "--ca" to openvpn.

Yes, I've asked somebody to look into this.  I think there's a gnome
bugzilla bug about it as well.

Dan




openvpn pkcs12 support

2009-12-25 Thread richard -rw- weinberger
hi,

are there any plans to support pkcs12 certificates?
technically nm only has to push "--pkcs12" instead of "--key",
"--cert" and "--ca" to openvpn.

thanks,
//richard

p.s: please cc me, i'm not subscribed.


PATCH: passwordless TLS openvpn fails to connect with "no VPN secrets"

2009-12-25 Thread Federico Heinz
The openVPN plugin for NetworkManager fails to connect to a passwordless TLS
server, complaining of "no VPN secrets". This happened because the code assumes
that only static-key servers use no secrets, which isn't true. Only password
and password+TLS require secrets.

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/453807

The attached patch makes the problem go away.

Fede

--- network-manager-openvpn/src/nm-openvpn-service.c	2009-12-21 01:54:27.0 -0300
+++ network-manager-openvpn-0.8~a~git.20091008t123607.7c184a9/src/nm-openvpn-service.c	2009-12-20 13:36:24.0 -0300
@@ -1000,8 +1000,9 @@
 	if (!nm_openvpn_properties_validate (s_vpn, error))
 		return FALSE;
 
-	/* Static Key doesn't need secrets; the rest do */
-	if (strcmp (connection_type, NM_OPENVPN_CONTYPE_STATIC_KEY)) {
+	/* Only PASSWORD_* connection types need secrets */
+	if (   !strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD)
+		|| !strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD_TLS)) {
 		if (!nm_openvpn_secrets_validate (s_vpn, error))
 			return FALSE;
 	}
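Review bot: the secrets check in the rewritten `if` is now opt-in per connection type, so any connection_type other than NM_OPENVPN_CONTYPE_PASSWORD and NM_OPENVPN_CONTYPE_PASSWORD_TLS, including an unrecognised or misspelled one, skips nm_openvpn_secrets_validate () entirely, whereas the removed test validated everything except NM_OPENVPN_CONTYPE_STATIC_KEY. Consider keeping validation as the default and exempting the no-secret types explicitly (static key and plain TLS), so that a type added later fails closed instead of silently bypassing the check. The new comment could also say why plain TLS needs no secrets, and the patch should state whether a TLS private key protected by a passphrase is expected to pass through this path without validation.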


Re: network-manager-openvpn

2009-12-16 Thread Dan Williams
On Wed, 2009-12-16 at 14:33 -0500, Matt Wilks wrote:
> > On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:
> >> On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
> >> What prompted my initial query was the lack of support for,
> >> and  directives (supported in OpenVPN since 2.1-beta7, Nov
> >> 2005).  They allow you to specify the key files directly in the
> >> configuration file, making it a self-contained configuration for a
> >> connection using keys to authenticate.  NetworkManager also seemed to
> >> miss the fact that my config required both keys and a password; not
> >> hard to manually set but it wasn't caught by the import.
> >
> > I do believe those have been in the NM openvpn configuration for a
> > long time.  What specific version of NM-openvpn are you using?  I'm
> > certainly using a CA certificate right now to write this mail.  If you
> > pick "Certificates (TLS)" or "Passwords with Certificates" from the
> > dropdown you should be able to use the certificates and keys of your
> > choice.  This has been the case for at least a year and a half, since
> > before NM 0.7.x was released.
> 
> Keys are supported, but you have to specify them in the NetworkManager
> config through a file browser dialog.  The , etc directives I'm
> talking about go in the config file and you include the actual text of
> the key, something like:
> 
> 
> -BEGIN CERTIFICATE-
> asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
> dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
> fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
> -END CERTIFICATE-
> 
> 
> and so on with  and .  I have NM (and NM-openvpn) version 0.8
> on Ubuntu Karmic and it didn't work for me.

Aha, yes that is not yet supported; it wouldn't be too hard to grab the
data out of there and stuff it into its own file in ~/.pki or such; you
don't really want to be storing certificate data in GConf or elsewhere.

In the end, we need a certificate store like Windows or Mac OS X has,
but for now we'll need to use files I guess.

One caveat is to ensure that the user's private key is written out in
encrypted form if it's not already encrypted in the config.

Dan

> > The whitelisting is for security.  As a user, if you download a
> > configuration file and want to use it, what's to say it doesn't include
> > some options that make things less-secure or are malicious?  Depending
> > on the plugin you could send a config option for "run this script after
> > connection" and since the VPN plugins currently run as root, that script
> > gets run as root.  The configuration data cannot /necessarily/ be
> > trusted especially if it comes from the user session.  At the same time,
> > you don't want to /necessarily/ lock users out completely (that's the
> > discretion of the sysadmin if there is one).
> 
> Ah, this security concern settles it for me.  The reason that other
> clients can offer the config file management paradigm is that you must
> have admin privileges to run the program in the first place.  Not so
> with NM.
> 
> Thanks again for your time.  Much appreciated.
> 



Re: network-manager-openvpn

2009-12-16 Thread Matt Wilks

> On Wed, 2009-12-16 at 12:43 PM, Dan Williams wrote:
>> On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
>> What prompted my initial query was the lack of support for,
>> and  directives (supported in OpenVPN since 2.1-beta7, Nov
>> 2005).  They allow you to specify the key files directly in the
>> configuration file, making it a self-contained configuration for a
>> connection using keys to authenticate.  NetworkManager also seemed to
>> miss the fact that my config required both keys and a password; not
>> hard to manually set but it wasn't caught by the import.
>
> I do believe those have been in the NM openvpn configuration for a
> long time.  What specific version of NM-openvpn are you using?  I'm
> certainly using a CA certificate right now to write this mail.  If you
> pick "Certificates (TLS)" or "Passwords with Certificates" from the
> dropdown you should be able to use the certificates and keys of your
> choice.  This has been the case for at least a year and a half, since
> before NM 0.7.x was released.

Keys are supported, but you have to specify them in the NetworkManager
config through a file browser dialog.  The , etc directives I'm
talking about go in the config file and you include the actual text of
the key, something like:


-BEGIN CERTIFICATE-
asdlgkyladkhajf;lkawur;iolw789uafjdslkafjsd;fkj
dflkajsdlfkaylkxcjfasmjelasjruklasfdjflkasdjrlk
fasdlfka;wo347;afalk4nasdlfksaydlkaihf3a94rsldj
-END CERTIFICATE-


and so on with  and .  I have NM (and NM-openvpn) version 0.8
on Ubuntu Karmic and it didn't work for me.

> The whitelisting is for security.  As a user, if you download a
> configuration file and want to use it, what's to say it doesn't include
> some options that make things less-secure or are malicious?  Depending
> on the plugin you could send a config option for "run this script after
> connection" and since the VPN plugins currently run as root, that script
> gets run as root.  The configuration data cannot /necessarily/ be
> trusted especially if it comes from the user session.  At the same time,
> you don't want to /necessarily/ lock users out completely (that's the
> discretion of the sysadmin if there is one).

Ah, this security concern settles it for me.  The reason that other
clients can offer the config file management paradigm is that you must
have admin privileges to run the program in the first place.  Not so
with NM.

Thanks again for your time.  Much appreciated.

--
Matt Wilks                 Colossians 2:6-7
University of Toronto      Information Security, I+TS
(416) 978-3328             m...@madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102   Toronto, ON  M5S 1C1


Re: network-manager-openvpn

2009-12-16 Thread Dan Williams
On Tue, 2009-12-15 at 11:08 -0500, Matt Wilks wrote:
> On 09-12-14 06:09 PM, Dan Williams wrote:
> > On Mon, 2009-12-14 at 09:24 -0500, Matt Wilks wrote:
> >> This must have been discussed before on this list, but I'm curious the
> >> reasoning behind making network-manager-openvpn have its own GUI for
> >> configuration in the first place.  Why not offer functionality similar
> >> to the Windows/Mac clients that simply manage your connections via
> >> configuration files?  You'd get all the flexibility of OpenVPN with none
> >> of the overhead of constantly having to write patches to support /
> >> debate the inclusion of individual options.
> >
> > For a number of reasons;
> 
> Thanks for your response Dan, I appreciate you taking the time to do so.
> Allow me to make a few comments.
> 
> > 1) not everyone wants to use configuration files,
> > 2) not everyone is aware of (or cares about) the intricacies of
> > configuration options, some cannot be used with others, some require
> > others to be turned on,
> 
> Granted.  However, I would think that anyone who is attempting to
> connect to a work/school VPN is more likely to have a configuration file
> handed to them than a set of OpenVPN parameters.  That is how we do it
> with the VPN I am responsible for.

Again, the config file can be imported into NM, so the process you have
still works exactly the same way.

> > 3) GUI interfaces are often more approachable and do not preclude
> > advanced users from using config files anyway, and
> 
> I think you are making an incorrect distinction here between advanced
> and beginner users.  Using a config file does not necessarily mean that
> a user is advanced.  In our case, we distribute a config file precisely
> because so many of our users are not advanced and we don't want them
> having to fiddle around with options on various clients.
> 
> > 4) handling random config files is often problematic,
> 
> I'm not sure I understand why.  Using the model of OpenVPN-GUI or
> Tunnelblick (Windows and Mac GUIs respectively) however, you would just
> have NetworkManager monitor a directory for config files.  Could be a
> directory in the user's home (ala Tunnelblick) or a system directory
> (ala OpenVPN-GUI).  Even if the user were able to specify arbitrary
> configuration file locations, how is this any more problematic than the
> dialogs to specify the ca, key and user cert that currently exist in the
> NetworkManager GUI?

1) The config file is stored separately from the rest of the
configuration data like IP address, routing information, DNS, etc.  If
it's not available (user downloads it into ~/Downloads and then it gets
deleted when FF quits) then it's no longer available

2) root daemons accessing files in users' directories is often not
allowed by security software like SELinux or AppArmor, for good reason;
it's really hard to contain a binary and limit the attack points when
you have to allow the binary to read from all over the hard drive

3) it's a security risk on daemons that require a password in the config
file when not using stdin (ex vpnc)

4) using a config file can create temporary files that require cleanup
which doesn't always get done; if we do need to substitute certain
values (like we do with dhclient) then we need to create a temporary
config file that has to be cleaned up after the transaction is complete,
which is more housekeeping and more trouble.

> > 5) it wasn't integrated into the consistent NetworkManager
> > configuration system.
> 
> I have to admit ignorance about the standards for configuring
> NetworkManager, but I imagine that they say something about storing
> configuration internally rather than referencing external files?

http://live.gnome.org/NetworkManagerConfiguration

The NM configuration system actually produces an abstraction over
various distro and desktop-specific configuration systems so that you
can use your preferred configuration system.  For example, GConf,
KConfig, /etc/network/interfaces, keyfiles, ifcfg files, etc, all are
transformed into a standard format that clients can read and handle.
That allows you, from a client, to actually figure out what's going on
in a standard way instead of having to code logic for each and every
configuration system.

NM doesn't store config /internally/, but the user-settings and
system-settings services do use configuration systems like GConf or
system config files that you might consider to store the config
"internally", at least in a different format than the native config file
for openvpn.  That has some benefits; as the admin you can use tools,
behaviors, processes, and knowledge that you already have for your
distro&

Re: network-manager-openvpn

2009-12-15 Thread Matt Wilks

On 09-12-14 06:09 PM, Dan Williams wrote:
> On Mon, 2009-12-14 at 09:24 -0500, Matt Wilks wrote:
>> This must have been discussed before on this list, but I'm curious the
>> reasoning behind making network-manager-openvpn have its own GUI for
>> configuration in the first place.  Why not offer functionality similar
>> to the Windows/Mac clients that simply manage your connections via
>> configuration files?  You'd get all the flexibility of OpenVPN with none
>> of the overhead of constantly having to write patches to support /
>> debate the inclusion of individual options.
>
> For a number of reasons;

Thanks for your response Dan, I appreciate you taking the time to do so.
Allow me to make a few comments.

> 1) not everyone wants to use configuration files,
> 2) not everyone is aware of (or cares about) the intricacies of
> configuration options, some cannot be used with others, some require
> others to be turned on,

Granted.  However, I would think that anyone who is attempting to
connect to a work/school VPN is more likely to have a configuration file
handed to them than a set of OpenVPN parameters.  That is how we do it
with the VPN I am responsible for.

> 3) GUI interfaces are often more approachable and do not preclude
> advanced users from using config files anyway, and

I think you are making an incorrect distinction here between advanced
and beginner users.  Using a config file does not necessarily mean that
a user is advanced.  In our case, we distribute a config file precisely
because so many of our users are not advanced and we don't want them
having to fiddle around with options on various clients.

> 4) handling random config files is often problematic,

I'm not sure I understand why.  Using the model of OpenVPN-GUI or
Tunnelblick (Windows and Mac GUIs respectively) however, you would just
have NetworkManager monitor a directory for config files.  Could be a
directory in the user's home (ala Tunnelblick) or a system directory
(ala OpenVPN-GUI).  Even if the user were able to specify arbitrary
configuration file locations, how is this any more problematic than the
dialogs to specify the ca, key and user cert that currently exist in the
NetworkManager GUI?

> 5) it wasn't integrated into the consistent NetworkManager
> configuration system.

I have to admit ignorance about the standards for configuring
NetworkManager, but I imagine that they say something about storing
configuration internally rather than referencing external files?

> Now that we have good import/export capability for openvpn, it's not
> actually that hard to use your own configs.  If there's options that
> people use, we can also whitelist them and add them to import/export
> even if they aren't shown in the GUI.

What prompted my initial query was the lack of support for , 
and  directives (supported in OpenVPN since 2.1-beta7, Nov 2005).
They allow you to specify the key files directly in the configuration
file, making it a self-contained configuration for a connection using
keys to authenticate.  NetworkManager also seemed to miss the fact that
my config required both keys and a password; not hard to manually set
but it wasn't caught by the import.

> Just because there's a GUI doesn't preclude you from writing a config
> file and importing it of course.

That's true, and apart from the missing config I mentioned above, I
found it to be a relatively painless process.  Kudos!  However I don't
see how this benefits the NetworkManager developers.  Writing a plugin
that used external config files would be a one-time job.  As it stands
now, each new option must be whitelisted and incorporated into the
plugin.

Again, thanks for taking the time to respond.  Much appreciated.

--
Matt Wilks                 Colossians 2:6-7
University of Toronto      Information Security, I+TS
(416) 978-3328             m...@madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102   Toronto, ON  M5S 1C1


Re: network-manager-openvpn

2009-12-14 Thread Dan Williams
On Mon, 2009-12-14 at 09:24 -0500, Matt Wilks wrote:
> >> Read slowly, I'm not talking about routes here, talking about all the
> >> openvpn parameters that are not yet configurable/importable with the
> >> current graphical interface. They could just be configured through or
> >> imported into a single listbox as described above.
> >
> > But that's *horrible* UI and not something I'd like to condone.  I'd
> > rather add the options on an as-needed basis to ensure we don't just
> > dump everything in, and find out that we overloaded the UI with 50
> > options that almost nobody uses.  Which I suspect is true for at least
> > half of openvpn's options, because they did absolutely no work in
> > consolidating them and asking the people who requested the options
> > what they were actually trying to accomplish to constrain the number
> > of switches that openvpn supports.  I'm interested in making it work
> > for 90 - 95% of use-cases, but I don't think we should be designing
> > for that last 5%, especially when it makes things nearly unusable for
> > the other 90.
> 
> This must have been discussed before on this list, but I'm curious the
> reasoning behind making network-manager-openvpn have its own GUI for
> configuration in the first place.  Why not offer functionality similar
> to the Windows/Mac clients that simply manage your connections via
> configuration files?  You'd get all the flexibility of OpenVPN with none
> of the overhead of constantly having to write patches to support /
> debate the inclusion of individual options.

For a number of reasons; 1) not everyone wants to use configuration
files, 2) not everyone is aware of (or cares about) the intricacies of
configuration options, some cannot be used with others, some require
others to be turned on, 3) GUI interfaces are often more approachable
and do not preclude advanced users from using config files anyway, and
4) handling random config files is often problematic, and 5) it wasn't
integrated into the consistent NetworkManager configuration system.

Now that we have good import/export capability for openvpn, it's not
actually that hard to use your own configs.  If there's options that
people use, we can also whitelist them and add them to import/export
even if they aren't shown in the GUI.

Just because there's a GUI doesn't preclude you from writing a config
file and importing it of course.

Dan
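
An added example (not code from network-manager-openvpn): a default-deny import filter of the kind the whitelisting discussion in this thread describes, turning config text into the argument vector that would be handed to the daemon. The allowlist table, `import_config()` and the sample config are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGV 64   /* capacity of the generated argument vector */
#define MAX_TOK  128  /* longest token kept, including the NUL */
#define LINE_TOK 8    /* most tokens accepted on one line */

/* Illustrative allowlist (an assumption, not the plugin's real table): name,
 * then min/max argument count. auth-user-pass: prompt only, no password file. */
static const struct { const char *name; int min, max; } allowed[] = {
    { "client", 0, 0 }, { "dev", 1, 1 }, { "remote", 1, 3 }, { "ca", 1, 1 },
    { "cert", 1, 1 }, { "key", 1, 1 }, { "cipher", 1, 1 }, { "auth-user-pass", 0, 0 },
};

struct import_result {
    int accepted, rejected, argc;
    char first_rejected[MAX_TOK];  /* first refused directive */
    char argv[MAX_ARGV][MAX_TOK];  /* "--name", arg, ... for accepted lines */
};

/* Whitespace tokenizer. Returns the token count, or -1 for input it will not
 * vouch for: quotes, backslashes, over-long tokens, too many tokens. */
static int split(const char *s, size_t len, char tok[][MAX_TOK])
{
    int n = 0;
    for (size_t i = 0; i < len; ) {
        if (isspace((unsigned char)s[i])) { i++; continue; }
        size_t start = i;
        for (; i < len && !isspace((unsigned char)s[i]); i++)
            if (s[i] == '"' || s[i] == '\'' || s[i] == '\\')
                return -1;
        if (n == LINE_TOK || i - start >= MAX_TOK)
            return -1;
        memcpy(tok[n], s + start, i - start);
        tok[n++][i - start] = '\0';
    }
    return n;
}

/* Default deny. Arguments become argv entries, so one starting with '-'
 * would be read by the daemon as a further option and is refused. */
static int permitted(char tok[][MAX_TOK], int n)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (strcmp(allowed[i].name, tok[0]) != 0)
            continue;
        for (int a = 1; a < n; a++)
            if (tok[a][0] == '-') return 0;
        return n - 1 >= allowed[i].min && n - 1 <= allowed[i].max;
    }
    return 0;
}

/* Filter config text; the caller decides what a non-zero res->rejected means. */
void import_config(const char *text, struct import_result *res)
{
    memset(res, 0, sizeof *res);
    while (*text) {
        size_t len = strcspn(text, "\n"), skip = 0;
        const char *line = text;
        text += len + (text[len] == '\n');
        while (skip < len && isspace((unsigned char)line[skip])) skip++;
        if (skip == len || line[skip] == '#' || line[skip] == ';')
            continue;                      /* blank line or comment */
        char tok[LINE_TOK][MAX_TOK];
        int n = split(line, len, tok);
        if (n > 0 && permitted(tok, n) && res->argc + n <= MAX_ARGV) {
            snprintf(res->argv[res->argc++], MAX_TOK, "--%s", tok[0]);
            for (int a = 1; a < n; a++)
                strcpy(res->argv[res->argc++], tok[a]);
            res->accepted++;
        } else if (res->rejected++ == 0)
            strcpy(res->first_rejected, n > 0 ? tok[0] : "(unparseable)");
    }
}

/* Constructed sample input; host names and paths are placeholders. */
static const char SAMPLE[] =
    "# constructed sample, it's not a real site config\n"
    "client\ndev tun\nremote vpn.example.org 1194 udp\n"
    "ca /etc/openvpn/example-ca.crt\nauth-user-pass\n"
    "up /tmp/post-connect.sh\n"              /* not on the allowlist */
    "auth-user-pass /home/user/creds.txt\n"  /* password-file form refused */
    "remote gw.example.org --verb\n";        /* option passed as an argument */

int main(void)
{
    static struct import_result r;
    import_config(SAMPLE, &r);
    printf("accepted=%d rejected=%d first=%s\n", r.accepted, r.rejected, r.first_rejected);
    for (int i = 0; i < r.argc; i++) puts(r.argv[i]);
    return 0;
}
```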



Re: network-manager-openvpn

2009-12-14 Thread Matt Wilks

>> Read slowly, I'm not talking about routes here, talking about all the
>> openvpn parameters that are not yet configurable/importable with the
>> current graphical interface. They could just be configured through or
>> imported into a single listbox as described above.
>
> But that's *horrible* UI and not something I'd like to condone.  I'd
> rather add the options on an as-needed basis to ensure we don't just
> dump everything in, and find out that we overloaded the UI with 50
> options that almost nobody uses.  Which I suspect is true for at least
> half of openvpn's options, because they did absolutely no work in
> consolidating them and asking the people who requested the options
> what they were actually trying to accomplish to constrain the number
> of switches that openvpn supports.  I'm interested in making it work
> for 90 - 95% of use-cases, but I don't think we should be designing
> for that last 5%, especially when it makes things nearly unusable for
> the other 90.

This must have been discussed before on this list, but I'm curious the
reasoning behind making network-manager-openvpn have its own GUI for
configuration in the first place.  Why not offer functionality similar
to the Windows/Mac clients that simply manage your connections via
configuration files?  You'd get all the flexibility of OpenVPN with none
of the overhead of constantly having to write patches to support /
debate the inclusion of individual options.

Matt


RE: openvpn parameters

2009-11-24 Thread Joseph L. Casale
>NM doesn't store OpenVPN config files--it actually constructs a
>complete OpenVPN command line, with all the required options, every
>time it starts the daemon.

Oh, that’s good to know...

>You'll need to set your OpenVPN options via the NM GUI. I don't
>remember off the top of my head whether 'auth-user-pass' is actually
>supported or not, though. If it's supported, you'll find a check-box
>or control of some kind in the GUI settings.
>
>If that option isn't supported by the NM OpenVPN plugin, you'll have to
>file a bug report, or write a patch.

Yup, it's not there, I'll file a request...
Thanks,
jlc


Re: openvpn parameters

2009-11-24 Thread Ryan Lynch
Hi, Joseph:

On Tue, Nov 24, 2009 at 14:23, Joseph L. Casale
 wrote:
> I need to add an auth-user-pass directive to my configuration, where does nm
> store the config files for OpenVPN connections?

NM doesn't store OpenVPN config files--it actually constructs a
complete OpenVPN command line, with all the required options, every
time it starts the daemon.

You'll need to set your OpenVPN options via the NM GUI. I don't
remember off the top of my head whether 'auth-user-pass' is actually
supported or not, though. If it's supported, you'll find a check-box
or control of some kind in the GUI settings.

If that option isn't supported by the NM OpenVPN plugin, you'll have to
file a bug report, or write a patch.

-Ryan


openvpn parameters

2009-11-24 Thread Joseph L. Casale
I need to add an auth-user-pass directive to my configuration, where does nm
store the config files for OpenVPN connections?

Thanks!
jlc


Re: nm-applet / vpnc / pptp / openvpn

2009-11-18 Thread Dan Williams
On Wed, 2009-11-18 at 15:23 +0100, Geronimo Wheeler wrote:
> Hi,
> 
> I've successfully installed Networkmanager and nm-applet with all the
> plugins under Gnome / Kde-4-3 using the instructions can be found at
> gentoo-wiki. It is working perfectly for wired and wireless LAN but
> not for any VPN (this part of the applet is grey
> 
> I was searching the archive and googled this thing but I cannot find a
> solution, so I decided to ask you :)
> 
> I suppose this is some problem with the dbus registration of the
> plugins, but I'm not sure

The plugins don't actually need any dbus registration to be found by the
applet.  All they do is drop a ".name" file in /etc/NetworkManager/VPN
so NM knows they are there.  But you'll need to restart NetworkManager
after installing a VPN plugin since it doesn't yet recognize new VPN
plugins on-the-fly.

Dan

> This is my versions
> 
> [I] sys-apps/dbus
>  Available versions:  1.2.3-r1 ~1.2.12 ~1.3.0 ~1.3.0-r1 {X debug
> doc selinux test}
>  Installed versions:  1.2.3-r1(16.09.48 2009-11-17)(X -debug -doc
> -selinux)
> 
> [I] net-misc/networkmanager
>  Available versions:  *0.6.5_p20070823 0.6.6 ~0.7.1-r3 0.7.1-r6
> ~0.7.1_p20090824 [M]**0.8.0_pre20090824 [M]**0.8.0_pre20091105 {avahi
> bluetooth connection-sharing crypt debug dhclient dhcpcd doc gnome
> gnutls nss resolvconf}
>  Installed versions:  0.7.1-r6(18.16.04 2009-10-19)(gnutls
> resolvconf -avahi -connection-sharing -dhclient -dhcpcd -doc -nss)
>  Homepage:
> http://www.gnome.org/projects/NetworkManager/
>  Description: Network configuration and management in an
> easy way. Desktop environment independent.
> 
> [D] net-misc/networkmanager-openvpn
>  Available versions:  ~0.3.2_p20070621 ~0.7.1-r1 {crypt debug doc
> gnome}
>  Installed versions:  0.7.1-r1(16.02.50 2009-11-17)(-gnome)
>  Homepage:
> http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager OpenVPN plugin.
> 
> [D] net-misc/networkmanager-pptp
>  Available versions:  ~0.1.0_p20070726 ~0.7.0 ~0.7.1 {crypt debug
> doc gnome}
>  Installed versions:  0.7.1(16.03.03 2009-11-17)(-gnome)
>  Homepage:
> http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager PPTP plugin.
> 
> [D] net-misc/networkmanager-vpnc
>  Available versions:  ~0.6.4_p20070621 ~0.7.0 ~0.7.1 {crypt debug
> doc gnome}
>  Installed versions:  0.7.1(16.03.15 2009-11-17)(-gnome)
>  Homepage:
> http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager VPNC plugin.
> 
> Do you have any idea?
> 
> Thank you
> L:
> 


Re: nm-applet / vpnc / pptp / openvpn

2009-11-18 Thread SpaceCake
I think all the required components are installed

[I] net-dialup/pptpclient
 Available versions:  1.7.1-r1!t 1.7.2-r1!t {tk}
 Installed versions:  1.7.2-r1!t(22.05.15 2009-10-12)(tk)
 Homepage:http://pptpclient.sourceforge.net/
 Description: Linux client for PPTP

I] net-misc/vpnc
 Available versions:  0.5.3 ~0.5.3_p449 {bindist hybrid-auth resolvconf}
 Installed versions:  0.5.3(01.26.42 2009-10-10)(hybrid-auth resolvconf
-bindist)
 Homepage:http://www.unix-ag.uni-kl.de/~massar/vpnc/
 Description: Free client for Cisco VPN routing software

My "distro" is Gentoo

Thanks
L:



2009/11/18 Trey Nolen 

>  It looks like you have the applets, but do you have the underlying
> programs that provide those features?
>
> For instance, for the nm-pptp applet to work, you need pptp to be
> installed.  In Debian and Ubuntu that packages is called pptp-linux. You
> didn't mention your distro, but I'm assuming it is not one of those two
> since they would have automatically installed the prerequisites.
>
> Similarly, there is a package called vpnc that is needed to make the
> nm-vpnc work and openvpn has to be installed for Network Manager to be able
> to control openvpn connections.
>
> Trey Nolen
>
>
>
> Geronimo Wheeler wrote:
>
> Hi,
>
> I've successfully installed Networkmanager and nm-applet with all the
> plugins under Gnome / Kde-4-3 using the instructions can be found at
> gentoo-wiki. It is working perfectly for wired and wireless LAN but not for
> any VPN (this part of the applet is grey
>
> I was searching the archive and googled this thing but I cannot find a
> solution, so I decided to ask you :)
>
> I suppose this is some problem with the dbus registration of the plugins,
> but I'm not sure
>
> This is my versions
>
> [I] sys-apps/dbus
>  Available versions:  1.2.3-r1 ~1.2.12 ~1.3.0 ~1.3.0-r1 {X debug doc
> selinux test}
>  Installed versions:  1.2.3-r1(16.09.48 2009-11-17)(X -debug -doc
> -selinux)
>
> [I] net-misc/networkmanager
>  Available versions:  *0.6.5_p20070823 0.6.6 ~0.7.1-r3 0.7.1-r6
> ~0.7.1_p20090824 [M]**0.8.0_pre20090824 [M]**0.8.0_pre20091105 {avahi
> bluetooth connection-sharing crypt debug dhclient dhcpcd doc gnome gnutls
> nss resolvconf}
>  Installed versions:  0.7.1-r6(18.16.04 2009-10-19)(gnutls resolvconf
> -avahi -connection-sharing -dhclient -dhcpcd -doc -nss)
>  Homepage:http://www.gnome.org/projects/NetworkManager/
>  Description: Network configuration and management in an easy
> way. Desktop environment independent.
>
> [D] net-misc/networkmanager-openvpn
>  Available versions:  ~0.3.2_p20070621 ~0.7.1-r1 {crypt debug doc
> gnome}
>  Installed versions:  0.7.1-r1(16.02.50 2009-11-17)(-gnome)
>  Homepage:http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager OpenVPN plugin.
>
> [D] net-misc/networkmanager-pptp
>  Available versions:  ~0.1.0_p20070726 ~0.7.0 ~0.7.1 {crypt debug doc
> gnome}
>  Installed versions:  0.7.1(16.03.03 2009-11-17)(-gnome)
>  Homepage:http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager PPTP plugin.
>
> [D] net-misc/networkmanager-vpnc
>  Available versions:  ~0.6.4_p20070621 ~0.7.0 ~0.7.1 {crypt debug doc
> gnome}
>  Installed versions:  0.7.1(16.03.15 2009-11-17)(-gnome)
>  Homepage:http://www.gnome.org/projects/NetworkManager/
>  Description: NetworkManager VPNC plugin.
>
> Do you have any idea?
>
> Thank you
> L:
>
> --
>


nm-applet / vpnc / pptp / openvpn

2009-11-18 Thread Geronimo Wheeler
Hi,

I've successfully installed Networkmanager and nm-applet with all the
plugins under Gnome / Kde-4-3 using the instructions can be found at
gentoo-wiki. It is working perfectly for wired and wireless LAN but not for
any VPN (this part of the applet is grey

I was searching the archive and googled this thing but I cannot find a
solution, so I decided to ask you :)

I suppose this is some problem with the dbus registration of the plugins,
but I'm not sure

This is my versions

[I] sys-apps/dbus
 Available versions:  1.2.3-r1 ~1.2.12 ~1.3.0 ~1.3.0-r1 {X debug doc
selinux test}
 Installed versions:  1.2.3-r1(16.09.48 2009-11-17)(X -debug -doc
-selinux)

[I] net-misc/networkmanager
 Available versions:  *0.6.5_p20070823 0.6.6 ~0.7.1-r3 0.7.1-r6
~0.7.1_p20090824 [M]**0.8.0_pre20090824 [M]**0.8.0_pre20091105 {avahi
bluetooth connection-sharing crypt debug dhclient dhcpcd doc gnome gnutls
nss resolvconf}
 Installed versions:  0.7.1-r6(18.16.04 2009-10-19)(gnutls resolvconf
-avahi -connection-sharing -dhclient -dhcpcd -doc -nss)
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: Network configuration and management in an easy
way. Desktop environment independent.

[D] net-misc/networkmanager-openvpn
 Available versions:  ~0.3.2_p20070621 ~0.7.1-r1 {crypt debug doc gnome}
 Installed versions:  0.7.1-r1(16.02.50 2009-11-17)(-gnome)
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: NetworkManager OpenVPN plugin.

[D] net-misc/networkmanager-pptp
 Available versions:  ~0.1.0_p20070726 ~0.7.0 ~0.7.1 {crypt debug doc
gnome}
 Installed versions:  0.7.1(16.03.03 2009-11-17)(-gnome)
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: NetworkManager PPTP plugin.

[D] net-misc/networkmanager-vpnc
 Available versions:  ~0.6.4_p20070621 ~0.7.0 ~0.7.1 {crypt debug doc
gnome}
 Installed versions:  0.7.1(16.03.15 2009-11-17)(-gnome)
 Homepage:http://www.gnome.org/projects/NetworkManager/
 Description: NetworkManager VPNC plugin.

Do you have any idea?

Thank you
L: