Re: Setting openVPN options
- From: Volker Kuhlmann <list0570 paradise net nz>
- To: Dan Williams <dcbw redhat com>
- Cc: networkmanager-list gnome org
- Subject: Re: Setting openVPN options
- Date: Sat, 25 Feb 2012 17:35:54 +1300
On Sat 25 Feb 2012 09:15:34 NZDT +1300, Dan Williams wrote:
> Are you using KDE or some other desktop environment?
Yes. The packages are
NetworkManager-0.9.1.90-4.8.1.x86_64
NetworkManager-kde4-libs-0.9.1git20111027-1.3.1.x86_64
NetworkManager-openvpn-0.9.0-2.1.2.x86_64
NetworkManager-openvpn-kde4-0.9.1git20111027-1.3.1.x86_64
The wlan part of NM and the KDE panel applet are very good - my only
gripe is that when I disconnect a wireless connection, the connection is
removed from the list of available configurations for quite some time
before it reappears - very irritating when I want to immediately
reconnect (essential for setting up connection details).
But the desktop should be irrelevant - any usable technology works with
gnome and kde equally well.
> > Back to the question: Is there any other way for me to set options with
> > which nm runs openvpn?
>
> Other than the options that are provided in the UI, you can edit the
> configuration file in which the VPN connection settings are stored.
> Otherwise there is no other way; there is intentionally no text entry
> for arbitrary options, because openvpn runs as root, and that's a pretty
> big security risk to allow unprivileged users to enter whatever options
> they want that get read by a root-level daemon. Even if/when we do
> switch to doing something like sandboxing the daemon, having a text edit
> box isn't great UI and isn't very helpful for users. Instead, we take a
> more measured approach; if there's a setting that people need, we figure
> out how to add it to the UI in a logical and usable manner.
Sure there is a security issue to deal with, but given that NM asks for
a root password each time there's a change to the connection settings I
don't see any security *problem* here.
I have come to the conclusion that NM is not useful for openvpn here.
Certainly not for normal users, and power users don't need NM. Here's why
(enter this in your issue tracker, I meant to post this anyway):
* It doesn't get the job done, and there is no useful diagnostic output
of any kind. (syslog only has successful dis/connections and nothing
else, /var/log/NetworkManager only deals with itself, not with openvpn.)
Nothing I've seen yet comes close to the functionality of kinternet for
establishing connections (full diagnostic logs a click away, full
configurability, no need to subscribe to mailing lists to get it to work
- very fast to use).
* The VPN would obviously need to run over another connection. I didn't
see any hint that suggests NM is taking care of bringing up the
connection that VPN relies on first. Auto-connect would be useful,
failing that a list of connections to activate manually would be
required. I don't see that list being reliable.
* Routing rules would be not so trivial. For the transport connection the
basic requirement is to reach the DNS and VPN servers. A default route would
be useful. For the VPN connection routes need to change again, a default
route is essential, and all routes that may go to the transport network
need to be reliably removed to ensure all traffic goes through the VPN. It's
not happening.
There is also the case where a VPN may deliberately be set up for one
particular networking area only, with all other traffic not going
through the VPN. That's what the tickbox "set default route" is for
which I remember seeing in some network configuration GUI.
* NM starts openvpn with an openvpn option that causes the vpn to stop
dead halfway through the startup. Impossible to fix with NM.
* I want (so far) one security option in openvpn. Impossible to fix with
NM.
* The routes set up by NM/openvpn aren't quite right for what I need at
least for one connection. I was thinking of using up/down scripts to fix
that up. Impossible to do with NM. Maybe routes can be added with NM,
but they can't be deleted.
> Running nm-openvpn-service --persist --debug will run openvpn with
> "--verb 10" which will also show the verb3/verb4 output. Is that not
> working for you?
Sorry I was wrong twice. Yes it does work, and the debug output is from
openvpn (perhaps I didn't see it first because my openvpn wrapper script
wrote arguments and output to file). It does not, however, show the
arguments to openvpn, and that's pretty poor. For troubleshooting the first
thing I want to know is how external programs are called.
I don't mind editing /etc/NetworkManager/system-connections/VPN_whatever
(as root!) but doing so serves no useful purpose. It still doesn't pass
options to openvpn; all it does is make nm barf before even starting
openvpn.
pfsense (a professional firewall with BUI) has a text box for arbitrary
options too. And I haven't used it yet; there is a useful range of
options in the standard options section that just makes it work.
You say a text box isn't good for users? But a useless piece of software
is more user-friendly? "Useless" being the adjective for a kettle that
doesn't boil water.
Chasing the options which someone might need is a losing proposition. I
doubt you can know in advance. What happens if openvpn changes? 12
months of "you're stuffed with NM"?
Bottom line is NM openvpn can't be made to work. I like it for wifi
though.
Thanks,
Volker
--
Volker Kuhlmann
http://volker.dnsalias.net/ Please do not CC list postings to me.
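Added example (not from the post, and not NetworkManager's or OpenVPN's own code): a drop-in wrapper of the kind the author mentions using to capture how openvpn is invoked, since nm-openvpn-service does not print the argument list. It assumes hypothetical paths, namely that the real binary has been renamed to /usr/sbin/openvpn.real and that this script is installed in its place as /usr/sbin/openvpn; both can be overridden through the REAL_OPENVPN and OPENVPN_WRAPPER_LOG environment variables. The log file is made root-only because the argument list reveals config and key paths.

```sh
#!/bin/sh
# Added example: log every openvpn invocation, then hand off to the real binary.
# Hypothetical paths; adjust to the distribution's layout before installing.
REAL_OPENVPN="${REAL_OPENVPN:-/usr/sbin/openvpn.real}"
LOGFILE="${OPENVPN_WRAPPER_LOG:-/var/log/openvpn-wrapper.log}"

# Render argv as one shell-quoted line so the call can be replayed by hand,
# which is the point of capturing it: rerun openvpn outside NM with the same args.
quote_args() {
    out=""
    for a in "$@"; do
        # Single-quote each argument, escaping embedded single quotes as '\''.
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s\n' "${out# }"
}

# Append a timestamped record (pid, calling uid, argv) to the log and echo it.
# The log is chmod 0600: argument lists disclose config, CA and key locations.
log_invocation() {
    line="$(date '+%Y-%m-%dT%H:%M:%S%z') pid=$$ uid=$(id -u) argv: $(quote_args "$@")"
    if touch "$LOGFILE" 2>/dev/null; then
        chmod 0600 "$LOGFILE"
        printf '%s\n' "$line" >>"$LOGFILE"
    fi
    printf '%s\n' "$line"
}

# Act as a wrapper only when the real binary exists at the assumed path;
# otherwise the functions above are merely defined, so the file can be sourced.
if [ -x "$REAL_OPENVPN" ]; then
    log_invocation "$@" >/dev/null
    exec "$REAL_OPENVPN" "$@"
fi
```

Install with `mv /usr/sbin/openvpn /usr/sbin/openvpn.real` and copy the script in as `/usr/sbin/openvpn` (mode 0755, owned by root); after the next connection attempt the exact command line NM used is in the log and can be rerun manually with `--verb 4` to see where startup stops. Remember to undo the rename before the next package upgrade overwrites the wrapper.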