Re: complex openvpn - can nm just launch?



On Tue, 2010-04-06 at 14:31 -0600, Scott Serr wrote:
> On 04/06/2010 12:10 PM, Dan Williams wrote:
> > On Tue, 2010-04-06 at 11:28 -0600, Scott Serr wrote:
> >    
> >> On 04/06/2010 10:25 AM, Dan Williams wrote:
> >>      
> >>> On Tue, 2010-04-06 at 10:05 -0600, Scott Serr wrote:
> >>>
> >>>        
> >>>> I have an openvpn config file that works fine with openvpn.  (ubuntu
> >>>> lucid beta)  As far as I can tell there is no way to create a like
> >>>> config in the nm openvpn editor.  I can make one somewhat similar and
> >>>> export, but it doesn't look enough like mine to work.
> >>>>
> >>>>          
> >>> Which options?
> >>>
> >>> Dan
> >>>
> >>>        
> >> I suspect there will always be a new option to chase.
> >>      
> > Probably, but at some point we reach the set of options that 95% of
> > people use.  There are seriously so many options with openvpn that it's
> > not funny, and the program is completely incapable of auto-negotiating
> > them, which is also not funny.  It's downright sad.
> >
> >    
> >> Here is mine:
> >>
> >> dev tun
> >> remote 127.0.0.1 41927 tcp-client
> >> proto tcp-client
> >> ifconfig 192.168.56.2 192.168.56.1
> >> route 0.0.0.0 128.0.0.0
> >> route 128.0.0.0 128.0.0.0
> >> socket-flags TCP_NODELAY
> >> ping 10
> >> dhcp-option DNS 192.168.56.1
> >>
> >> There is no encryption, data is sent in cleartext.  This is appropriate
> >> for use with Azilink on Android phones.
> >>      
> > The only thing I can see that's not yet supported is the "no encryption"
> > part, which (not to be pedantic) isn't really a VPN.  But I suppose
> > that's something we can add.
> >
> > Dan
> >
> >    
> 
> Thanks for the info Dan.
> 
> On Ubuntu Lucid Beta, there are some issues saving other options.  I was 
> going to attempt to hack up the xml and take out the key/user/pass.  Do 
> you think this would work?

The routes and the DNS option would go into the IPv4 tab, which may not
actually get imported by the current import code.

This is basically like a static key connection, except without the key.

> I wonder how easy it would be to have an "ad-hoc" sort of connection in 
> nm.  Where nm would not care about much other than running a start and 
> stop script and telling dbus networking is up.

That doesn't really work automatically, for the most part, and it's also
a security issue since openvpn runs as 'root' and you're basically
giving it unfiltered commands which will also get run as root.

In the end, it's not that hard to support additional options, but we
need people willing to write the patches.  I can't do everything at once
of course, and while others (Huzaifa for example) have been very good
about picking issues out of bugzilla and fixing them, this isn't one
that's been reported before and thus we haven't looked at it yet...

Random question though, what exactly is Azilink and what are you using
it for?

Dan

> For Azilink users:
> If you wish to use dbus-aware apps like Empathy, I've been successful 
> now with "/etc/init.d/network-manager stop".
> 
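Added example (not part of the original thread, and not NetworkManager code): a Python check illustrating the point in the reply above that options handed unfiltered to a root-run openvpn become commands run as root. It accepts only the data-only directives from the quoted config and rejects OpenVPN directives that run external programs or load code; the allowlist, the function name audit, and the AD_HOC_CONFIG sample are assumptions constructed for illustration.

```python
import shlex

# Data-only directives used by the config quoted in the thread.
ALLOWED = {"dev", "remote", "proto", "ifconfig", "route", "socket-flags",
           "ping", "dhcp-option"}
# OpenVPN directives that make the daemon execute a program or load a plugin.
EXECUTES = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
            "auth-user-pass-verify", "client-connect", "client-disconnect",
            "learn-address", "plugin", "script-security", "iproute"}
# Directives whose presence means some keying or authentication is configured.
KEYED = {"secret", "ca", "cert", "key", "pkcs12", "tls-client", "tls-auth",
         "auth-user-pass"}

def audit(config_text):
    """Return (rejected, unknown, cleartext) for an OpenVPN config string."""
    rejected, unknown, seen = [], [], set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        try:
            name = shlex.split(line)[0].lstrip("-")
        except ValueError:                    # unbalanced quotes: do not trust it
            unknown.append((lineno, line))
            continue
        seen.add(name)
        if name in EXECUTES:
            rejected.append((lineno, name))   # would run as root under openvpn
        elif name not in ALLOWED and name not in KEYED:
            unknown.append((lineno, name))    # not reviewed: refuse by default
    return rejected, unknown, not (seen & KEYED)

# The config from the thread, followed by a constructed "start/stop script" variant.
THREAD_CONFIG = """\
dev tun
remote 127.0.0.1 41927 tcp-client
proto tcp-client
ifconfig 192.168.56.2 192.168.56.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
socket-flags TCP_NODELAY
ping 10
dhcp-option DNS 192.168.56.1
"""
AD_HOC_CONFIG = (THREAD_CONFIG + "script-security 2\n"
                 "up /home/user/start.sh\ndown /home/user/stop.sh\n")

if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("ad-hoc", AD_HOC_CONFIG)):
        print(label, audit(cfg))
```

The third return value is True when no keying directive is present, which is the cleartext case described in the thread.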



