Re: NetworkManager and OpenVPN

[Dan Williams <dcbw redhat com>]

On Tue, 2008-12-16 at 13:13 -0800, Geoffrey Leach wrote:
> On 12/16/2008 07:37:17 AM, Dan Williams wrote:
> > On Mon, 2008-12-15 at 13:43 -0800, Geoffrey Leach wrote:
> > > On 12/15/2008 09:45:15 AM, Dan Williams wrote:
> > > > On Mon, 2008-12-15 at 09:25 -0800, Geoffrey Leach wrote:
> > > > > On 12/15/2008 07:44:08 AM, Dan Williams wrote:
> > > > > > On Sun, 2008-12-14 at 10:05 -0800, Geoffrey Leach wrote:
> > > > > > > Could someone outline (or provide a pointer to) the role
> > played
> > > > by 
> > > > > > > NetworkManager-openvpn (in v 0.7)? I notice that the 
> > openvpm
> > 
> > > > > > service
> > > > > > 
> > > > > > > dies on startup, although there appear to be no ill effects 
> > > > from
> > > > > > that.
> > > > > > 
> > > > > > You my be running an older version of openvpn (2.1 rc8 or
> > lower?) 
> > > > > > that
> > > > > > doesn't accept the --script-security argument.  Is that the
> > case?
> > > > > > 
> > > > > > Basically, NetworkManager-openvpn is the openvpn plugin to
> > allow
> > > > NM 
> > > > > > to
> > > > > > connect to OpenVPN VPN servers.  When you ask NM to activate
> > an
> > > > > > OpenVPN
> > > > > > connection, NM launches nm-openvpn-service which handles the
> > > > actual
> > > > > > connection task.
> > > > > > 
> > > > > > If --script-security isn't the problem, then we can try to
> > debug
> > > > this
> > > > > > further by just running '/usr/libexec/nm-openvpn-service' as 
> > > > root,
> > > > > > then
> > > > > > connecting from the NM applet menu.  That will spit out more 
> > > > debug
> > > > > > info,
> > > > > > which we can look at to find out what the problem is.
> > > > > 
> > > > > I'm running openvpn-2.1-0.28.rc9.fc10.i386
> > > > > 
> > > > > I'm happy to assist with any debugging.  FWIW,
> > wpa_supplicant.log
> > > > gets 
> > > > > CTRL-EVENT-SCAN-RESULTS on executing /usr/libexec/nm-openvpn-
> > > > service
> > > > as 
> > > > > root.  In that log, I see 
> > > > > Trying to associate with 00:18:4d:88:55:c2 (SSID='Netgear' 
> > > > freq=2462
> > > > 
> > > > > MHz)
> > > > > Associated with 00:18:4d:88:55:c2
> > > > > CTRL-EVENT-CONNECTED - Connection to 00:18:4d:88:55:c2 
> > completed
> > > > (auth) 
> > > > > [id=0 id_str=]
> > > > > CTRL-EVENT-SCAN-RESULTS
> > > > > ....
> > > > 
> > > > What's the output from running "/usr/libexec/nm-openvpn-service"
> > as
> > > > root, and then trying to connect with NM?  That program should
> > print
> > > > out
> > > > some information that we can use to debug further.
> > > 
> > > Hmmmm ... perhaps I don't get it.
> > > Stopped NM
> > > execute nm-openvpn-service
> > > Start NM
> > > 
> > > NM starts normally; no output. Should I be looking elsewhere?
> > 
> > Did you then activate the VPN connection from the applet menu?
> 
> Aaaaa Ha! No I did not. Can you point me to doc on how to configure?

How to configure an OpenVPN connection?  I thought you had one already,
otherwise maybe I mis-interpreted "NetworkManager-openvpn (in v 0.7)? I
notice that the openvpn service dies at startup".  Are you trying to
start the openvpn service as a system service at boot time instead?

Basically, you can use the NM openvpn plugin to let NM manage your VPN
connections, or if you really want you can use openvpn manually.
However, since NM does things asynchronously to avoid blocking other
stuff during startup, those other things will need a bit of logic to be
kicked in the head when the network changes.  Most things these days
(avahi and ntp are two exceptions) don't listen to netlink for interface
change events and dynamically reconfigure themselves or perform actions
based on those events.  If you're trying to get openvpn to start as a
system service (not using the NM openvpn integration bits), then it's
likely that you don't have a network connection yet by the time openvpn
starts up.

Dan