Looking at the source code for nm-openvpn-service.c, before this bug was
introduced it doesn't appear that the crl-verify option was ever
implemented or used, as it is not found within the code. The only lines
that refer to crl-verify were introduced in Ubuntu 19.04, and consist of
the following:
This is a serious problem compromising the security of OpenVPN on Linux.
Every time I try to use crl-verify I get the following error:
nm-openvpn[3957]: Options error: --crl-verify fails with
'/var/lib/openvpn/chroot/[insert path to pem file selected here]': No
such file or directory (errno=2)
Well...it has been quite some time and this bug has received absolutely
*zero* attention from the Gnome Shell Gitlab here
https://gitlab.gnome.org/GNOME/gnome-shell/issues/123 escalated from the
Gnome Bugzilla tracker after Gnome shell development moved to Gitlab.
The issue is fully present in
Filed an upstream bug, at long last, in the Gnome bugtracker at
https://bugzilla.gnome.org/show_bug.cgi?id=793977
** Bug watch added: GNOME Bug Tracker #793977
https://bugzilla.gnome.org/show_bug.cgi?id=793977
** Also affects: network-manager via
Okay, so...why isn't this a priority bugfix? I love gnome, don't get me
wrong, but when I can't even autoconnect to my VPN like I did countless
times in the past few years running Ubuntu on Unity without compromising
the security of my system something is wrong. There needs to be an
option - and a
@bagl0312 I agree, there really should be some kind of GUI default way
to set negative DNS priority when setting up certain VPN connections.
The average user shouldn't experience a nasty surprise when DNS leaks
happen by default.
--
You received this bug notification because you are a member of
Okay, I will try this with a fresh install of Ubuntu 17.10 and provide
the necessary logs soon. I should be able to use the provided script
over ssh, thanks. The problem with GDM freezing on Wayland after system
resume/wakeup has been occurring ever since I ran the beta builds of
17.10, but it's
Public bug reported:
When using a Wayland gnome-session or Wayland ubuntu-session in Ubuntu
17.10, gnome-terminal (v3.24.2 is the version in the 17.10 repositories)
does not fill the screen at all when snapping the window to the right or
left side. There are large gaps on the right and bottom
Public bug reported:
It appears that using Xorg instead of Wayland is the only way to fix
this problem on Ubuntu 17.10. For some odd reason, whenever I wake my
computer from suspend (especially after an extended period of time
asleep) using Gnome in a Wayland session (gnome-session and stock
I'm not sure about split-horizon DNS, frankly I think that is a
different bug entirely. However, I have had no problems with DNS leaks
over my VPN connections whatsoever on Ubuntu 17.10. The bugfix I
personally requested from the NM-devs and backported to Ubuntu 17.04
(running NetworkManager
Literally just toggling that one option "Store password for all users"
in the VPN settings fixes the problem entirely. Use "sudo service
network-manager restart" and it connects flawlessly the first time. To
avoid the error loop on bootup specifically, just uncheck the box "Make
available to other
Yeah, I keep getting the "vpn-connection[...]: Failed to request VPN
secrets #3: No agents were available for this request." error message in
my syslog. I found, however, that THIS worked for me: All you have to do
is go Dash->VPN->VPN
Settings->connection_name_here->Identity->Password->"Store for
Debian package for network-manager-openvpn-gnome built for Ubuntu 17.04
attached.
** Attachment added: "network-manager-openvpn-gnome_1.2.6-2ubuntu2_amd64.deb"
Debian package for network-manager-openvpn built for Ubuntu 17.04
attached.
** Attachment added: "network-manager-openvpn_1.2.6-2ubuntu2_amd64.deb"
@Stephan the Penguin god has not forsaken us, my friend :D
So glad it works for you guys, thanks for the nice feedback! This issue bugged
me so much I sorta made it my mission haha. It's fantastic I finally got this
thing sorted out with some help from the Gnome NM devs :)
--
You received this
Please test with the new patch or patched .deb and follow the steps to
set negative ipv4 dns-priority. I (and lead NM-dev Thomas Haller
himself) believe this resolves the bug. Thanks, and I hope this helps
you all! :)
--
You received this bug notification because you are a member of Desktop
After setting the ipv4.dns-priority of the VPN connection to a negative number
and patching the source or installing the conveniently packaged .deb below, you
should not experience DNS leaks over NM-VPN.
(Output from extended test at https://dnsleaktest.com )
Test complete
Query round
I have successfully backported Thomas Haller's excellent upstream
solution as detailed in
https://bugzilla.gnome.org/show_bug.cgi?id=783569 This took some time as
things have changed quite a bit upstream, but the patch works on the
current zesty 17.04 1.4.4-1ubuntu3.1 network-manager! This is a
Hey all, so it seems like Thomas Haller at the bug thread
https://bugzilla.gnome.org/show_bug.cgi?id=783569 may have actually
fixed this issue upstream! Not sure how to backport the fix though, I
tried and didn't have any luck, so this may be up to the package
maintainers. I think this might
Unfortunately my patch is not a good solution for upstream application.
I agree with what Beniamino Galvani mentioned, that "it is wrong to
assume the connection is a VPN based on the link type, since you can
have non-VPN tun/tap/gre/gretap connections as well, and they are
affected by this
Actually I take that back. The issue is not fixed by the commit
referenced on https://bugzilla.gnome.org/show_bug.cgi?id=783569 as it is
already present in the current version of the network-manager. So we
still have a major problem folks.
--
You received this bug notification because you are a
My apologies, it seems like this issue could have already been addressed
upstream. See https://bugzilla.gnome.org/show_bug.cgi?id=783569
Anyway, I'll see if I can backport the fix provided there and whether or not it
works. Sorry guys :/
--
You received this bug notification because you are a
I have upstreamed the patch at
https://bugzilla.gnome.org/show_bug.cgi?id=783569 !
Hopefully this can be incorporated into future releases of network-manager :)
** Bug watch added: GNOME Bug Tracker #783569
https://bugzilla.gnome.org/show_bug.cgi?id=783569
--
You received this bug
No, it's not an upstream patch. My patch can be applied directly to the
current source on 17.04 obtained using 'apt-get source network-manager',
so that would be network-manager 1.4.4-1ubuntu3 from
http://us.archive.ubuntu.com/ubuntu zesty/main amd64 Packages
--
You received this bug
** Attachment added: "patched network-manager .deb for easy testing on Ubuntu
17.04"
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1624317/+attachment/4891741/+files/network-manager_1.4.4-1ubuntu4_amd64.deb
--
You received this bug notification because you are a member of
In reference to John Bedford's comment:
>bedfojo (commercial-johnbedford) wrote on 2017-06-06: #57
>Nicholas, thank you very much for your work on this patch.
>It works correctly for me: no DNS leak detected by either https://ipleak.net
>or >https://dnsleaktest.com for me, when both detected
** Patch removed: "patch for network-manager source"
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1624317/+attachment/4889747/+files/resolved-vpn-dns-leak-fix.patch
** Patch removed: "possible cisco network-manager-openconnect-fix"
Huh, weird, yeah it's quite possible it's a different issue entirely, or
a problem related to network-manager-openconnect. Because the routing-
only domain is clearly listed as DNS Domain ~. so systemd-resolved
should only send queries to the specified dns servers for the interface
vpn0.
Huh. No, actually my patch DID work. See the line under vpn0 that says
DNS Domain: ~.
So the correct bus call was made and all dns queries SHOULD be directed to the
link-specified listed DNS servers. Your problem actually appears to be that
there are no link-specified dns servers.
See the line
Tim, I have a question for you. When you connect through
network-manager-openconnect-gnome, and type
systemd-resolve --status, what is your link name called? Something like 'tun0'
or 'tap1' or the like?
Because I've been looking around at the openconnect wiki at
Jordi, Sure thing, glad I could help. :)
I wonder if somebody can figure out how to help Tim with
network-manager-openconnect. I tried adding two more conditions for cisco vpn
gre connections but apparently it didn't work or those aren't the kind of links
used. Not sure how to address that
Sorry to here that, I'm frankly not sure what to do about that then :/
At the very least the original patch fixes stuff for openvpn, which is good.
Perhaps someone else could figure out the cisco openconnect thing.
--
You received this bug notification because you are a member of Desktop
Anyone using Cisco PPTP/IPsec/openconnect VPN, please test the network
manager with the aforementioned patch or with the updated built .deb
provided here. The updated patch should address more types of VPN links.
Thanks!
** Attachment added: "updated patched .deb packaged network-manager for easy
Tim Shannon, from the comment about network-manager-openconnect-gnome, please
use this updated patch to build the network manager. I added conditions for the
cisco GRE and GRETAP link types, see
https://en.wikipedia.org/wiki/Generic_Routing_Encapsulation and
Yeah, apologies as I'm not sure what link type that openconnect uses /
how to identify an openconnect link. It would be a simple matter to add
a conditional for that in the file I patched, please try that. For now
my patch only addresses openvpn tap or tun links, but I'm sure it could
be expanded
>From the Debian man pages, it seems like this is not in fact a problem
of systemd itself, as it allows for domain routing exclusively for dns
servers on a single interface using the routing-only domain. My patch
effectively just tells the NetworkManager to make a systemd bus call
for the
I can confirm this works for multiple vpn connections and after wakeup from
system suspend on Ubuntu 17.04. I encourage you to install the patched .deb or
follow the instructions to build it from source and see for yourself. I'm
honestly so glad this fixes dns leaks for using openvpn through
** Patch added: "patch for network-manager source"
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624317/+attachment/4889747/+files/resolved-vpn-dns-leak-fix.patch
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to
The actual patch is attached above and can be applied to the source code
which you can build yourself. But for your convenience, I have attached
the .deb file below:
** Attachment added: "patched network manager .deb for easy fix installation on
Ubuntu 17.04"
Please note that this patch and fix only works for Ubuntu 17.04 which relies on
systemd-resolved as a DNS/DNSSEC stub resolver, as well as an LLMNR resolver.
You also need to be using a network-manager plugin like
network-manager-openvpn-gnome.
Install and configure an openvpn connection after
** Also affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Changed in: network-manager (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
Thanks for the confirmation Will, glad to see that it works. And yeah I
think this bug should be marked urgent because without the patch, my vpn
connection drops in the same manner every ten minutes or so. The
rationale behind not passing auth-nocache seems pretty clear to me based
on the openvpn
** Summary changed:
- Problem in network-manager-openvpn, openvpn fails during and after downloads.
+ Problem in nm-openvpn-service.c, openvpn connection fails after key
renegotiation because --auth-user-pass is passed with --auth-nocache.
--
You received this bug notification because you are
** Description changed:
So I've been using OpenVPN through the network-manager-openvpn package
integrated into the network manager GUI. I experienced an odd problem
where consistently, during or after downloading (in this case, I tested
by just downloading the kernel tarball from
Built patched package.
** Attachment added: "network-manager-openvpn_1.1.93-1ubuntu1.1_amd64.deb"
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1681295/+attachment/4859324/+files/network-manager-openvpn_1.1.93-1ubuntu1.1_amd64.deb
--
You received this bug
Additional generated built patched package network-manager-openvpn-gnome
** Attachment added: "network-manager-openvpn-gnome_1.1.93-1ubuntu1.1_amd64.deb"
Public bug reported:
So I've been using OpenVPN through the network-manager-openvpn package
integrated into the network manager GUI. I experienced an odd problem
where consistently, during or after downloading (in this case, I tested
by just downloading the kernel tarball from kernel.org
*** This bug is a duplicate of bug 1639776 ***
https://bugs.launchpad.net/bugs/1639776
Okay so I have found the issue pertaining to dns resolution on Ubuntu 16.04.2!
There is a critical bug in the package dnsmasq-base here:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1639776
The
Well, scratch that hope and consider me mistaken about Goth Queen's workaround.
It appears that manually setting a fixed DNS server DOES allow for successful
reconnect when the network manager is restarted (whereas before it wouldn't
reconnect period), but just like this bug
** No longer affects: linux (Ubuntu)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1677175
Title:
network-manager 1.2.6 won't connect to vpn and displays false
connected
Oops, Goth Queen actually provided a solution earlier, it was just difficult
for me to understand at the time. Enter whatever fixed DNS server you want and
set 'Automatic (DHCP) addresses only' under IPv4 Settings in network-manager
for the default network connection. So just manually entering
Okay so since resolvconf and dmasq are not cooperating, I have resorted to
using dnscrypt-proxy. Credit to QkiZ, the dnscrypt-proxy service works EVERY
TIME and ignores the (completely broken) DNS resolution of dnsmasq and
resolvconf. Even with the newest version of network-manager (1.2.6) on
I have downgraded both the network-manager and resolvconf package but I still
experience complete DNS resolution failure randomly, where restarting the
network manager has no effect and I cannot connect to the internet. The only
way to get DNS working again is to completely reboot the computer,
apport information
** Tags added: apport-collected xenial
** Description changed:
I have been having a rather serious and incredibly annoying problem on the
updated version of network-manager v1.2.6 on Ubuntu 16.04.2 LTS. Trying to
manually connect to my VPN provider using openvpn through
apport information
** Attachment added: "ProcEnviron.txt"
https://bugs.launchpad.net/bugs/1677175/+attachment/4850129/+files/ProcEnviron.txt
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
apport information
** Attachment added: "JournalErrors.txt"
https://bugs.launchpad.net/bugs/1677175/+attachment/4850128/+files/JournalErrors.txt
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager in Ubuntu.
Public bug reported:
I have been having a rather serious and incredibly annoying problem on the
updated version of network-manager v1.2.6 on Ubuntu 16.04.2 LTS. Trying to
manually connect to my VPN provider using openvpn through the network manager
fails literally any time except bootup. Every
57 matches
Mail list logo
