Re: OpenVPN plugin problems--help debugging?



An addendum--I just figured out how to figure out the exec() string that NM is constructing to call OpenVPN. Here it is, broken out into directives for easier reading:

/usr/sbin/openvpn
  --remote openvpn.mycompany.com
  --comp-lzo
  --nobind
  --dev tap
  --proto udp
  --port 11952
  --tls-auth /home/first.last/OpenVpn/config/tls.key 0
  --syslog nm-openvpn
  --up /usr/bin/nm-openvpn-service-openvpn-helper
  --up-restart
  --persist-key
  --persist-tun
  --management 127.0.0.1 1194
  --management-query-passwords
  --route-noexec
  --client
  --ns-cert-type server
  --ca /home/first.last/OpenVpn/config/ca.crt
  --cert /home/first.last/OpenVpn/config/local.crt
  --key /home/first.last/OpenVpn/config/local.key
  --auth-user-pass

I have my suspicions about this directive, in particular:

  --ns-cert-type server

My server-side certificates *do not* have the 'type' field set--this is intentional, and it's absolutely required to make certain configurations work under OpenVPN due to sloppy behavior in how the daemon interprets certain fields in the certs.

I tried adding just that directive to my working configuration, and it fails with a TLS error, so at this point I'm 99% sure that this is why NM can't start the connection.

Can anybody help shed some light on this? I haven't had a chance to search for similar complaints, yet, but I will get on that right now.

-Ryan



Ryan B. Lynch wrote:
Hi,

I have a working OpenVPN client machine, that uses the following
configuration on which I'd like to be able to use NM's OpenVPN plugin
(instead of doing it from the command line).  I was able to configure
the new connection, but every time I try to actually use it from the
task-tray icon, it fails immediately (no delay at all) with this error
message in a popup:

"The VPN connection 'My Company, Inc (main)' failed because the VPN service stopped unexpectedly."


I would really appreciate it if anybody could advise me on how to go about troubleshooting this. I am pretty savvy at working with OpenVPN, having recently built a pretty sophisticated multi-server arrangement, but my OpenVPN knowledge is useless here since I can't even see the output of what the heck the client VPN process is trying to do when it connects. Maybe if someone could educate me on how to do just that, it would take me in the right direction. Even if I could get NM to just dump the exec() string that it constructs in order to call OpenVPN, I could probably figure out why it's failing. At this point, though, I'm open to all suggestions.


Here's NetworkManager's syslog output for several attempts (four, I
think) over about a half-hour:


Jun 21 13:18:58 caffeine NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Jun 21 13:18:58 caffeine NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 20778
Jun 21 13:18:58 caffeine NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Jun 21 13:18:58 caffeine NetworkManager: <info> VPN plugin state changed: 1
Jun 21 13:18:58 caffeine NetworkManager: <info> VPN plugin state changed: 3
Jun 21 13:18:58 caffeine NetworkManager: <info>  VPN connection 'My Company, Inc (main)' (Connect) reply received.
Jun 21 13:18:58 caffeine NetworkManager: <info> VPN plugin state changed: 6
Jun 21 13:18:58 caffeine NetworkManager: <WARN> connection_vpn_state_changed(): Could not process the request because no VPN connection was active.
Jun 21 13:19:04 caffeine NetworkManager: <info> VPN plugin state changed: 3
Jun 21 13:19:04 caffeine NetworkManager: <info>  VPN connection 'My Company, Inc (main)' (Connect) reply received.
Jun 21 13:19:04 caffeine NetworkManager: <info> VPN plugin state changed: 6
Jun 21 13:19:04 caffeine NetworkManager: <WARN> connection_vpn_state_changed(): Could not process the request because no VPN connection was active.
Jun 21 13:19:28 caffeine NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Jun 21 13:19:28 caffeine NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 20808
Jun 21 13:19:28 caffeine NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Jun 21 13:19:28 caffeine NetworkManager: <info> VPN plugin state changed: 3
Jun 21 13:19:28 caffeine NetworkManager: <info>  VPN connection 'My Company, Inc (main)' (Connect) reply received.
Jun 21 13:19:28 caffeine NetworkManager: <info> VPN plugin state changed: 6
Jun 21 13:19:28 caffeine NetworkManager: <WARN> connection_vpn_state_changed(): Could not process the request because no VPN connection was active.
Jun 21 13:19:33 caffeine NetworkManager: <info> VPN plugin state changed: 3
Jun 21 13:19:33 caffeine NetworkManager: <info>  VPN connection 'My Company, Inc (main)' (Connect) reply received.
Jun 21 13:19:33 caffeine NetworkManager: <info> VPN plugin state changed: 6
Jun 21 13:19:33 caffeine NetworkManager: <WARN> connection_vpn_state_changed(): Could not process the request because no VPN connection was active.


My original, working configuration file looks like this (paths are local to the directory "/etc/openvpn/"). I ran it by putting it in a file called 'mycompany.conf' in the directory '/etc/openvpn', and starting the 'openvpn' service:

client
dev        tap
proto        udp
remote        openvpn.mycompany.com 11952
ca        ca.crt
cert        local.crt
key        local.key
tls-auth    tls.key
resolv-retry    infinite
nobind
auth-user-pass
persist-tun
persist-key
verb        5
comp-lzo    yes
tls-remote    "openvpn.mycompany.com"


And here's an export of the configuration I made through NetworkManager's GUI:

[openvpn]
description=My Company, Inc (main)
connection-type=x509userpass
remote=openvpn.mycompany.com
port=11952
dev=tap
proto=udp
ca=/home/first.last/OpenVpn/config/ca.crt
cert=/home/first.last/OpenVpn/config/local.crt
key=/home/first.last/OpenVpn/config/local.key
comp-lzo=yes
shared-key=
local-ip=
remote-ip=
username=first last mycompany com
cipher=
ta=/home/first.last/OpenVpn/config/tls.key
ta_dir=
routes=



