Re: OpenVPN config problem





Andrey Borzenkov wrote:
On Friday 19 of February 2010 11:09:37 Karel Kozlik wrote:
Hi,

Dan Williams wrote:
On Thu, 2010-02-18 at 11:24 +0100, Karel Kozlik wrote:
Hi Dan,

Dan Williams wrote:
On Wed, 2010-02-17 at 10:36 +0100, Karel Kozlik wrote:
Hi,
could someone help me with openVPN configuration in Network
Manager? Actually when I click on the VPN connection in NM, it does
nothing. /var/log/syslog contains the following lines:

I see the message "VPN connection 'my-vpn' failed to connect:
'No VPN secrets!'", but I believe the secrets are configured
correctly.
Is your private key by any chance *un*encrypted?  The VPN service
plugin currently requires encrypted private keys (which are more
secure anyway) and it could fail like this in that case.
Do you mean password protected key? My key was not.

I tried to create a password protected key and changed the connection
type to "x509 with password" and filled the password into the
settings. It still did not work. But when I changed the key to my
old one (unencrypted) and left the connection type at "x509 with
password" it connected.
There are a few different passwords here.  There's the "private key
password", which is used to unlock your private key for TLS
connections, and then there's also the "user password", which is
used for password-based authentication that openvpn supports. Somewhat confusingly, you can stack these methods in openvpn,
which is what the "TLS with password" thing is.

But that's not what you want.  Your connection appears to be TLS
only, so you only need to choose "x509" there like you were
before.  I'm assuming that knetworkmanager is smart enough to ask
you for your private key password when nm-openvpn-service needs
it.  So try flipping back to just "x509" and see where that gets
you.
I just tried and it ends with an error:

Feb 19 09:01:36 kk-nb NetworkManager: <WARN>
nm_vpn_connection_connect_cb(): VPN connection 'kufr' failed to
connect: 'No VPN secrets!'.

It does not matter if I use my unencrypted key or password protected
key. Knetworkmanager does not even ask me for the private key
password.

Could it be a bug in knetworkmanager?


I am currently working on a similar problem using kvpnc plugin. Could you please provide

- your ~/.kde4/share/config/networkmanagementrc
- ~/.kde4/share/apps/networkmanagement/connections/{UUID}

files attached

- start knetworkmanager in terminal (do kquitapp knetworkmanager to terminate running version), try to connect and provide output

only these rows immediately after starting knetworkmanager:

QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", which already has a layout
QLayout: Attempting to add QLayout "" to InterfaceConnectionItem "", which already has a layout

and these when I try to connect:

QDBusObjectPath: invalid path "any"
QDBusObjectPath: invalid path "any"

It does not seem to be useful.



of course obfuscate any sensitive data. Also, are you using kwallet or plain text to store secrets?

I do not use any secrets except the key which is in plain text in separate file.

thanks,
Karel


thank you!

-andrey


thanks,
Karel

Dan

But I am not sure if the connection procedure finished. The openvpn
daemon is running, tap interface exists, I can ping remote server
interface (via vpn) and default route is set to VPN tap interface.
But status of the connection in knetworkmanager did not change.
So I cannot disconnect from it. I also cannot ping any other
host except those on my LAN segment and the remote VPN server.
The packets should be routed through the VPN connection to other
nodes, but they are not. However it works if I connect purely
with openvpn (not using NM).

Any idea what could be wrong? Including my syslog.

thanks,
Karel



Feb 18 11:19:21 kk-nb NetworkManager: <info>  Starting VPN service
'org.freedesktop.NetworkManager.openvpn'...
Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN service
'org.freedesktop.NetworkManager.openvpn' started
(org.freedesktop.NetworkManager.openvpn), PID 24258


Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN service
'org.freedesktop.NetworkManager.openvpn' just appeared, activating
connections
Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN plugin state
changed: 1
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: OpenVPN 2.1_rc19
x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13
2009

Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN plugin state
changed: 3
Feb 18 11:19:21 kk-nb NetworkManager: <info>  VPN connection
'kufr' (Connect) reply received.
Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: No server
certificate verification method has been enabled.  See
http://openvpn.net/howto.html#mitm for more info.


Feb 18 11:19:21 kk-nb nm-openvpn[24261]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts


Feb 18 11:19:21 kk-nb nm-openvpn[24261]: WARNING: file
'/home/kk/.openvpn/kk-nb.key' is group or others accessible

Feb 18 11:19:21 kk-nb nm-openvpn[24261]: /usr/bin/openssl-vulnkey
-q -b 1024 -m <modulus omitted>
Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link local: [undef]

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: UDPv4 link remote:
194.228.84.159:28960

Feb 18 11:19:22 kk-nb nm-openvpn[24261]: [ns.kufr.cz] Peer
Connection Initiated with 194.228.84.159:28960
Feb 18 11:19:23 kk-nb NetworkManager:    SCPlugin-Ifupdown:
devices added (path: /sys/devices/virtual/net/tap0, iface: tap0)
Feb 18 11:19:23 kk-nb NetworkManager:    SCPlugin-Ifupdown: device
added (path: /sys/devices/virtual/net/tap0, iface: tap0): no
ifupdown configuration found.

Feb 18 11:19:23 kk-nb NetworkManager: <WARN>  device_creator():
/sys/devices/virtual/net/tap0: couldn't determine device driver;
ignoring...
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: TUN/TAP device tap0 opened
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: /sbin/ifconfig tap0
44.177.215.7 netmask 255.255.255.240 mtu 1500 broadcast 44.177.215.15
Feb 18 11:19:23 kk-nb nm-openvpn[24261]:
/usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper
tap0 1500 1573 44.177.215.7 255.255.255.240 init
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast
group on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface
tap0.IPv4 for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address
record for 44.177.215.7 on tap0.IPv4.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Withdrawing address
record for 44.177.215.7 on tap0.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Leaving mDNS multicast
group on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Interface tap0.IPv4 no
longer relevant for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Joining mDNS multicast
group on interface tap0.IPv4 with address 44.177.215.7.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: New relevant interface
tap0.IPv4 for mDNS.
Feb 18 11:19:23 kk-nb avahi-daemon[1002]: Registering new address
record for 44.177.215.7 on tap0.IPv4.
Feb 18 11:19:23 kk-nb NetworkManager: <info>  VPN connection
'kufr' (IP Config Get) reply received.
Feb 18 11:19:23 kk-nb NetworkManager: <info>  VPN Gateway: 194.228.84.159
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Tunnel Device: tap0
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Address: 44.177.215.7
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Prefix: 28
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 Point-to-Point Address: 0.0.0.0
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Maximum Segment Size (MSS): 0
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Internal IP4 DNS: 44.177.215.1
Feb 18 11:19:23 kk-nb NetworkManager: <info>  DNS Domain: 'kufr.cz'
Feb 18 11:19:23 kk-nb NetworkManager: <info>  Login Banner:
Feb 18 11:19:23 kk-nb NetworkManager: <info>
-----------------------------------------
Feb 18 11:19:23 kk-nb NetworkManager: <info>  (null)
Feb 18 11:19:23 kk-nb NetworkManager: <info>
-----------------------------------------
Feb 18 11:19:23 kk-nb nm-openvpn[24261]: Initialization Sequence Completed
Feb 18 11:19:24 kk-nb NetworkManager: <info>  (tap0): writing
resolv.conf to /sbin/resolvconf
Feb 18 11:19:25 kk-nb avahi-daemon[1002]: Registering new address
record for fe80::fc37:90ff:fea6:2395 on tap0.*.
Feb 18 11:19:25 kk-nb dnsmasq[1414]: reading /var/run/dnsmasq/resolv.conf
Feb 18 11:19:25 kk-nb dnsmasq[1414]: using nameserver 44.177.212.129#53
Feb 18 11:19:25 kk-nb dnsmasq[1414]: using nameserver 44.177.215.1#53
Feb 18 11:19:25 kk-nb NetworkManager: <info>  VPN connection 'kufr'
(IP Config Get) complete.
Feb 18 11:19:25 kk-nb NetworkManager: <info>  (tap0): writing
resolv.conf to /sbin/resolvconf
Feb 18 11:19:25 kk-nb NetworkManager: <info>  Policy set 'kufr'
(tap0) as default for routing and DNS.
Feb 18 11:19:25 kk-nb NetworkManager: <info>  VPN plugin state
changed: 4
Feb 18 11:19:25 kk-nb nm-dispatcher.action: Script
'/etc/NetworkManager/dispatcher.d/01ifupdown' exited with error
status 1.
Feb 18 11:19:34 kk-nb kernel: [65664.790047] tap0: no IPv6 routers
present
_______________________________________________
NetworkManager-list mailing list
NetworkManager-list gnome org
http://mail.gnome.org/mailman/listinfo/networkmanager-list

[connection]
autoconnect=false
icon=network-server
id=kufr
timestamp=-4713,1,1,0,0,0
type=vpn
uuid={c8d4a3ab-1f78-4422-817f-f3e102f9e1cf}

[vpn]
Data=ca,/home/kk/.openvpn/ca.crt,cert,/home/kk/.openvpn/kk-nb.crt,comp-lzo,no,connection-type,tls,key,/home/kk/.openvpn/kk-nb-enc.key,port,28960,proto-tcp,no,remote,194.228.84.159,tap-dev,yes
PluginName=networkmanagement_openvpnui
ServiceType=org.freedesktop.NetworkManager.openvpn

[Connection_{1c2a0abe-a329-465d-8891-06ce45098db8}]
LastUsed=2010,1,7,17,51,5
Name=eth0 static
Type=802-3-ethernet

[Connection_{40fcd234-1edc-471e-9079-8b9f92768d4c}]
LastUsed=2010,1,30,12,39,1
Name=bluetone414141
Type=802-11-wireless

[Connection_{58cb64a0-c9bf-4304-9152-d099dfb0e1d4}]
LastUsed=2010,2,3,16,21,36
Name=Oskar
Type=gsm

[Connection_{989735cc-6b32-4502-9a61-56711795cfbc}]
LastUsed=2010,2,11,7,54,55
Name=AxessMV400
Type=802-11-wireless

[Connection_{9d91f92e-aa1a-484e-b567-50823051fd95}]
LastUsed=2010,2,18,8,53,50
Name=eth0 - dhcp
Type=802-3-ethernet

[Connection_{c26719e1-f79e-4029-b8b3-a0e87edfb498}]
LastUsed=2010,2,18,7,52,27
Name=bluetone424242
Type=802-11-wireless

[Connection_{c8d4a3ab-1f78-4422-817f-f3e102f9e1cf}]
Name=kufr
Type=vpn

[Connection_{e5ebae07-9e2d-4fc9-9283-d2167c4f6805}]
LastUsed=2010,1,30,18,47,19
Name=LOKO
Type=802-11-wireless

[General]
Autostart=false
Connections={9d91f92e-aa1a-484e-b567-50823051fd95},{40fcd234-1edc-471e-9079-8b9f92768d4c},{c26719e1-f79e-4029-b8b3-a0e87edfb498},{1c2a0abe-a329-465d-8891-06ce45098db8},{e5ebae07-9e2d-4fc9-9283-d2167c4f6805},{58cb64a0-c9bf-4304-9152-d099dfb0e1d4},{989735cc-6b32-4502-9a61-56711795cfbc},{c8d4a3ab-1f78-4422-817f-f3e102f9e1cf}
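
An added example, not part of the original messages or of NetworkManager/knetworkmanager code: a Python check of the two private-key conditions that come up in this thread, whether the key is passphrase-protected (the plugin requirement Dan mentions) and whether the file is group or others accessible (the nm-openvpn warning in the syslog). It assumes the alternating key,value layout of the `Data=` line in the attached connection file and values without embedded commas; the function names and the sample key file are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_vpn_data(line):
    """Split a 'Data=k1,v1,k2,v2,...' line into a dict (alternating key/value)."""
    fields = line.split("=", 1)[1].strip().split(",")
    if len(fields) % 2:
        raise ValueError("odd number of fields in Data= line")
    return dict(zip(fields[0::2], fields[1::2]))

def key_is_encrypted(pem_text):
    """True for a passphrase-protected PEM key (PKCS#8 or traditional OpenSSL)."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def audit_key(path):
    """Return a list of findings for the private key file at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key is group or others accessible (mode %o)" % mode)
    with open(path, "r", errors="replace") as fh:
        if not key_is_encrypted(fh.read()):
            findings.append("key is not passphrase-protected")
    return findings

def demo():
    # Constructed sample: Data= layout as in the thread, key path swapped
    # for a temporary placeholder file (not a real key).
    tmp = tempfile.NamedTemporaryFile("w", suffix=".key", delete=False)
    tmp.write("-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
              "-----END RSA PRIVATE KEY-----\n")
    tmp.close()
    os.chmod(tmp.name, 0o644)
    data = parse_vpn_data(
        "Data=connection-type,tls,key,%s,port,28960,tap-dev,yes" % tmp.name)
    before = audit_key(data["key"])   # world-readable and unencrypted
    os.chmod(tmp.name, 0o600)
    after = audit_key(data["key"])    # permissions fixed, still unencrypted
    os.unlink(tmp.name)
    return data, before, after

if __name__ == "__main__":
    for item in demo():
        print(item)
```
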

