Re: Setting openVPN options



On Sun 26 Feb 2012 05:38:58 NZDT +1300, Lamarque V. Souza wrote:

> 	Which openvpn version do you use?

openvpn-2.2.1-18.1.2.x86_64

openSUSE 12.1

> 	I am not aware of this problem (I am the one responsible for Plasma NM, the 
> KDE applet for NetworkManager). I have just checked it here and my wifi 
> connection stays in the plasmoid and the kcm ("Manage Connections") lists after 
> I disconnect it.

For debugging all of this I intentionally disconnect the wifi connection
by clicking on the panel applet icon, which shows a connection summary
with a connection list on the left and the configured NM connections and
found APs on the right. Clicking on the white X with the red round
background in the top right corner of each connection drops the
connection, and removes the wifi connections (all of them) from the
right side. It happens every single time. Immediately after that, an
iwlist wlan0 scan shows the closest AP (mine) immediately, but the AP
list on the right is not populated again for quite some time afterwards.
As the list is empty, one can't click on it to start the connection
again. It's often faster to turn off "enable wireless" and turn it on
again immediately.

Wifi driver is broadcom wl (apologies, not one I'd have chosen).

> > Sure there is a security issue to deal with, but given that NM asks for
> > a root password each time there's a change to the connection settings I
> > don't see any security *problem* here.
> 
> 	The problem is implementing in NM all the checks to make sure the options 
> are safe. NM cannot just pass them to openvpn daemon.

Sorry, NM asks for the *root* password here. Safety checks no longer
exist.

It's ironic that the insistence on checks leads to a less-secure program
that is incapable of putting in the one security option I insist I have
in there. openvpn warns loudly if it's missing. Keyword MITM.

> 	auto-connect for VPN is not implemented in NM as far as I know. There 
> are some scripts from users in this mailing list to do just that. I have never 
> tested them though.

The autoconnect tickbox is still there for VPN. Even if it didn't work,
I'd be happy to be able to manually click on the connection name to get
it started.

> 	Not everybody wants to route all traffic through VPN. I use VPN to 
> access specific sites, not the whole Internet. In my case that would disrupt 
> my other connections since the VPNs I access are local networks and have no 
> access to the Internet.

> 	That is my case. Well, I must admit that VPN routing in NM is not 
> obvious, sometimes I need to change settings in two or three different dialogs 
> to make it work as I want.

There are solid arguments for both those cases, so NM really should be
able to handle both. I don't see how I can get that fine a control over
routes in NM - but will happily read a howto.

> 	I can delete routes.

I'm all ears. What's the trick?

> > * NM starts openvpn with an openvpn option that causes the vpn to stop
> > dead halfway through the startup. Impossible to fix with NM.
> 
> 	Which option is that?

To be honest I'm reluctant to say, because it gains nothing. It's
pointless to deal with one particular option while ignoring the other 3.

I've cranked up kvpnc, which is pretty annoyingly buggy, but differs
from NM in one crucial point: it gets the job done. The alternative is
to manually create an openvpn config file (done that by now) and a
1-line script for convenience. Needs a root login (as does kvpnc), but
it's lightning fast compared to the alternatives.

Thanks,

Volker

-- 
Volker Kuhlmann
http://volker.dnsalias.net/	Please do not CC list postings to me.

