RE: How to setup NM VPN ?



On Thu, 2009-02-12 at 16:19 -0300, Miguel Rozsas wrote:
> Hi Dan, thank you ! 
> 
> You are right !
> What I did: (for any else which may have interest in this setup)
> 
> As you suggested I split/converted the mypkcs-file.p12 file in two
> pieces: user.pem and key.pem:
> [code]
> openssl pkcs12 -in mypkcs-file.p12 -out user.pem -nodes -clcerts -nokeys
> openssl pkcs12 -in mypkcs-file.p12 -out key.pem -nodes -nocerts
> [/code]

Ideally you wouldn't have to do that, we just need to do some work in
the NM-openvpn configuration dialog to detect that a PKCS#12 certificate
has been loaded, and disable the other certificate options since the
PKCS#12 file contains all 3 required things.

> and I had to set up the DNS by hand. NM did not update the nameservers
> as informed by SW, using the defaults on the IPv4 Settings tab. I had to
> change to "Automatic (VPN) addresses only" to enable the DNS servers
> text field, and I put the internal DNS servers for this VPN connection.
> The default router and IP address were set just fine.

DNS needs to be set up correctly on the OpenVPN server, which usually
gets passed through to the openvpn client using the "foreign-option"
environment variable.

If you've got a bit of time, could you dump the environment that openvpn
calls the helper script with so I can fix this bug?  Basically the
following:

a) mv /usr/libexec/nm-openvpn-service-openvpn-helper /usr/libexec/nm-openvpn-service-openvpn-helper-ORIG

b) edit /usr/libexec/nm-openvpn-service-openvpn-helper in your favorite text editor
#!/bin/sh
env > /tmp/openvpn.env
exec /usr/libexec/nm-openvpn-service-openvpn-helper-ORIG "$@"

c) chmod 755 /usr/libexec/nm-openvpn-service-openvpn-helper

d) Start your NM-openvpn connection as you normally would

e) email /tmp/openvpn.env to me directly since it may contain private
information

> Regardless of the big problem related to SELinux in permissive mode,
> NM-vpn is working fine !
> 
> I hope others can find this post and setup their SW/Zerina VPN too.
> 
> Thank you very much for your help !
> 
> PS: Is there any chance you have a fix for the SELinux issue ? I have
> tried "restorecon /home/miguel/tmp/user.pem" and no luck....
It's not really easy to fix this, because normally root processes aren't
allowed to read user-level files; that's a *good* thing.  The real fix
for this is to get a real Certificate Store like Windows and Mac OS X
have had for years, have NM send openvpn a certificate ID #, and have
openvpn ask your Certificate Store for the certificate matching the ID #
NM gave it.

Dan
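The environment dump Dan asks for is also the quickest way to check, on the client side, whether the OpenVPN server pushed any DNS settings at all. The script below is an added example and is not code from the thread or from NetworkManager's own helper. It assumes the form OpenVPN uses for pushed options, foreign_option_N variables holding strings like "dhcp-option DNS 10.8.0.1" or "dhcp-option DOMAIN corp.example", and parses a constructed dump in that shape: if no DNS options are present, the fix belongs in the server's push configuration rather than in the client.

```shell
#!/bin/sh
# Added example (not from the thread or from NetworkManager): parse an
# environment dump of the kind "env > /tmp/openvpn.env" produces and
# extract the DNS settings the OpenVPN server pushed.
# Assumption: OpenVPN exposes pushed options to its up script as
# foreign_option_N variables holding "dhcp-option DNS <ip>" or
# "dhcp-option DOMAIN <name>".  The dump below is constructed; every
# value in it is made up.
SAMPLE_ENV='PATH=/usr/bin:/bin
script_type=up
dev=tun0
ifconfig_local=10.8.0.6
ifconfig_remote=10.8.0.5
foreign_option_2=dhcp-option DNS 10.8.0.2
foreign_option_1=dhcp-option DNS 10.8.0.1
foreign_option_3=dhcp-option DOMAIN corp.example'

# Emit the values of "dhcp-option <KIND> <value>" lines, one per line, in
# foreign_option_N order (env prints variables in no particular order).
# $1 = dump text, $2 = KIND (DNS or DOMAIN).
pushed_options() {
    printf '%s\n' "$1" \
      | sed -n "s/^foreign_option_\([0-9][0-9]*\)=dhcp-option $2 \(.*\)\$/\1 \2/p" \
      | sort -n \
      | cut -d ' ' -f 2-
}

# Only accept dotted-quad IPv4 nameservers; anything else found in a pushed
# option is dropped rather than written into resolv.conf.
vpn_dns_servers() {
    pushed_options "$1" DNS \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Exit 0 if the server pushed at least one usable DNS server, 1 otherwise.
# An empty result means there is nothing for the client helper to apply:
# the server is not pushing "dhcp-option DNS".
vpn_pushes_dns() {
    [ -n "$(vpn_dns_servers "$1")" ]
}

# Render the resolv.conf lines a helper would apply for this connection.
vpn_resolv_conf() {
    domains=$(pushed_options "$1" DOMAIN | tr '\n' ' ')
    domains=${domains% }
    if [ -n "$domains" ]; then
        printf 'search %s\n' "$domains"
    fi
    vpn_dns_servers "$1" | sed 's/^/nameserver /'
}

# Usage: sh parse-openvpn-env.sh [/tmp/openvpn.env]
# Without an argument the constructed sample above is parsed.
if [ -n "$1" ]; then
    dump=$(cat "$1")
else
    dump=$SAMPLE_ENV
fi
if vpn_pushes_dns "$dump"; then
    vpn_resolv_conf "$dump"
else
    echo "no DNS servers pushed by the server; check its push options" >&2
fi
```

Run it against the real dump before mailing the file anywhere: if it reports nothing pushed, the NM helper had no DNS information to act on, which matches the server-side explanation above.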
