Re: OpenVPN config problem



On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:
> Hi Dan,
> 
> Dan Williams wrote:
> > On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
> >> Hi,
> >> could someone help me with openVPN configuration in Network Manager? 
> >> Actually when I click on the VPN connection in NM, it does nothing. 
> >> /var/log/syslog contains the following lines:
> >>
> >> I see the message "VPN connection 'my-vpn' failed to connect: 'No VPN 
> >> secrets!'", but I believe the secrets are configured correctly.
> > 
> > Is your private key by any chance *un*encrypted?  The VPN service plugin
> > currently requires encrypted private keys (which are more secure anyway)
> > and it could fail like this in that case.
> > 
> 
> Do you mean password protected key? My key was not.
> 
> I tried creating a password-protected key and changed the connection type to 
> "x509 with password" and filled the password into settings. It still 
> did not work. But when I changed the key to my old one (unencrypted) and 
> left the connection type as "x509 with password" it connected.

There are a few different passwords here.  There's the "private key
password", which is used to unlock your private key for TLS connections,
and then there's also the "user password", which is used for
password-based authentication that openvpn supports.  Somewhat
confusingly, you can stack these methods in openvpn, which is what the
"TLS with password" thing is.

But that's not what you want.  Your connection appears to be TLS only,
so you only need to choose "x509" there like you were before.  I'm
assuming that knetworkmanager is smart enough to ask you for your
private key password when nm-openvpn-service needs it.  So try flipping
back to just "x509" and see where that gets you.

Dan

>   But I am not sure if the connection procedure finished. The openvpn 
> daemon is running, tap interface exists, I can ping remote server 
> interface (via vpn) and default route is set to VPN tap interface. But 
> status of the connection in knetworkmanager did not change. So I cannot 
> disconnect from it. I also cannot ping any other host except those on 
> my LAN segment and the remote VPN server. The packets should be routed 
> through VPN connection to other nodes, but they are not. However it 
> works if I connect purely with openvpn (not using NM).
> 
> Any idea what could be wrong? Including my syslog.
> 
> thanks,
> Karel
> 
> 
> 
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 24258
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN plugin state changed: 1
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN plugin state changed: 3
> Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN connection 'kufr' (Connect) reply received.
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: file '/home/kk/.openvpn/kk-nb.key' is group or others accessible
> Feb 18 11:19:21 kk-nb nm-openvpn[24261]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link local: [undef]
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link remote: 194.228.84.159:28960
> Feb 18 11:19:22 kk-nb nm-openvpn[24261]: [ns.kufr.cz] Peer Connection Initiated with 194.228.84.159:28960
> Feb 18 11:19:23 kk-nb NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tap0, iface: tap0)
> Feb 18 11:19:23 kk-nb NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tap0, iface: tap0): no ifupdown configuration found.
> Feb 18 11:19:23 kk-nb NetworkManager: <WARN>  device_creator(): /sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...
> Feb 18 11:19:23 kk-nb nm-openvpn[24261]: TUN/TAP device tap0 opened
> Feb 18 11:19:23 kk-nb nm-openvpn[24261]: /sbin/ifconfig tap0 44.177.215.7 netmask 255.255.255.240 mtu 1500 broadcast 44.177.215.15
> Feb 18 11:19:23 kk-nb nm-openvpn[24261]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tap0 1500 1573 44.177.215.7 255.255.255.240 init
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast group on interface tap0.IPv4 with address 44.177.215.7.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface tap0.IPv4 for mDNS.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address record for 44.177.215.7 on tap0.IPv4.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Withdrawing address record for 44.177.215.7 on tap0.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Leaving mDNS multicast group on interface tap0.IPv4 with address 44.177.215.7.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Interface tap0.IPv4 no longer relevant for mDNS.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast group on interface tap0.IPv4 with address 44.177.215.7.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface tap0.IPv4 for mDNS.
> Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address record for 44.177.215.7 on tap0.IPv4.
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  VPN connection 'kufr' (IP Config Get) reply received.
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  VPN Gateway: 194.228.84.159
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Tunnel Device: tap0
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Address: 44.177.215.7
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Prefix: 28
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Point-to-Point Address: 0.0.0.0
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Maximum Segment Size (MSS): 0
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 DNS: 44.177.215.1
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  DNS Domain: 'kufr.cz'
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  Login Banner:
> Feb 18 11:19:23 kk-nb NetworkManager: <info> -----------------------------------------
> Feb 18 11:19:23 kk-nb NetworkManager: <info>  (null)
> Feb 18 11:19:23 kk-nb NetworkManager: <info> -----------------------------------------
> Feb 18 11:19:23 kk-nb nm-openvpn[24261]: Initialization Sequence Completed
> Feb 18 11:19:24 kk-nb NetworkManager: <info>  (tap0): writing resolv.conf to /sbin/resolvconf
> Feb 18 11:19:25 kk-nb avahi-daemon[1002]: Registering new address record for fe80::fc37:90ff:fea6:2395 on tap0.*.
> Feb 18 11:19:25 kk-nb dnsmasq[1414]: reading /var/run/dnsmasq/resolv.conf
> Feb 18 11:19:25 kk-nb dnsmasq[1414]: using nameserver 44.177.212.129#53
> Feb 18 11:19:25 kk-nb dnsmasq[1414]: using nameserver 44.177.215.1#53
> Feb 18 11:19:25 kk-nb NetworkManager: <info>  VPN connection 'kufr' (IP Config Get) complete.
> Feb 18 11:19:25 kk-nb NetworkManager: <info>  (tap0): writing resolv.conf to /sbin/resolvconf
> Feb 18 11:19:25 kk-nb NetworkManager: <info>  Policy set 'kufr' (tap0) as default for routing and DNS.
> Feb 18 11:19:25 kk-nb NetworkManager: <info>  VPN plugin state changed: 4
> Feb 18 11:19:25 kk-nb nm-dispatcher.action: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error status 1.
> Feb 18 11:19:34 kk-nb kernel: [65664.790047] tap0: no IPv6 routers present
> 
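
Added example, not part of the original thread and not NetworkManager or OpenVPN code: a check for the two key-file properties that come up in this message, whether a PEM private key is passphrase-encrypted (which Dan says the plugin requires) and whether the file is accessible to group or others (which the syslog warns about). The function name, sample file names and placeholder key bodies are constructed for illustration.

```python
import os
import stat
import tempfile

BODY = "Q09OU1RSVUNURUQ=\n"  # constructed placeholder, not real key material
SAMPLES = {  # constructed PEM files: (contents, file mode)
    "plain.key": ("-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                  + "-----END RSA PRIVATE KEY-----\n", 0o644),
    "legacy-enc.key": ("-----BEGIN RSA PRIVATE KEY-----\n"
                       "Proc-Type: 4,ENCRYPTED\n"
                       "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                       + BODY + "-----END RSA PRIVATE KEY-----\n", 0o600),
    "pkcs8-enc.key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                      + "-----END ENCRYPTED PRIVATE KEY-----\n", 0o640),
}

def audit_private_key(path):
    """Report whether a PEM private key is encrypted and how it is exposed."""
    with open(path, "r", errors="replace") as fh:
        lines = [ln.strip() for ln in fh]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    begin = next((ln for ln in lines
                  if ln.startswith("-----BEGIN ") and "PRIVATE KEY" in ln), None)
    if begin is None:
        encrypted = None          # no PEM private key found in this file
    elif "ENCRYPTED PRIVATE KEY" in begin:
        encrypted = True          # PKCS#8 encrypted container
    else:
        # Traditional OpenSSL PEM marks encryption in a Proc-Type header
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                        for ln in lines)
    return {
        "encrypted": encrypted,
        "mode": oct(mode),
        # Any group/other permission bit triggers the warning seen in the log
        "group_or_other_access": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
    }

def demo():
    """Write the constructed samples to a temp dir and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (pem, mode) in SAMPLES.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(pem)
            os.chmod(path, mode)
            results[name] = audit_private_key(path)
    return results

if __name__ == "__main__":
    for name, finding in demo().items():
        print(name, finding)
```
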



