Re: Headless VPN connections



On Tue, 2014-07-15 at 14:38 +0200, D.S. Ljungmark wrote:
Hi!

 I have a few (heh) headless boxes that use NetworkManager for
connectivity, and we'd like to keep it that way (without random hacks
and shellscripts, preferrably)

One of the things that we want is to set up a VPN connection, each box
should automatically reconnect to the VPN if doable, and try to stay
connected.

However, The documentation for this is. pretty lacking.

So, what I want to do is add a config file with the connection
specification for a VPN setup to the base OS of all machines, and have
them "just work" as much as possible.


Now:
  where can I find the documentation for the KeyFile config format? I
think I've seen something in the past, but I can't seem to re-find it.
(hidden on the wiki?)

There are different settings-plugins to store connections. "keyfile" is
the native NM one and the most powerful. E.g. VPN can only be stored in
keyfile format and is not supported by other setting plugins.

A general documentation about this is here:
https://wiki.gnome.org/Projects/NetworkManager/SystemSettings


But this does not tell you the exact meaning of the individual settings.
This is here:
https://developer.gnome.org/NetworkManager/0.9/ref-settings.html
See also: `man nm-settings`


The settings above are not 100% the same as the keyfile values, but
keyfile is very close to it. It should be easy to figure out how a
setting maps to keyfile. Btw. work is in progress, to document the
keyfile setting themselves.



... BUT... for VPN, the settings are opaque to NetworkManager and passed
on to the VPN plugin. So, to know the meaning of the [vpn] settings, you
have to look for their meaning in NetworkManager-openvpn... usually
these parameters correspond to command line options to openvpn. So see
`man openvpn`.

For [vpn]
https://developer.gnome.org/NetworkManager/0.9/ref-settings.html is a
bit confusing, because ref-settings.html mentions "data", which keyfile
plugin expands.
E.g. the VPN setting has the (opaque) dictionary "data" with key
"mssfix", but keyfile makes of it:

[vpn]
...
mssfix=yes





And:
  Is the below config file "correct" ? What is missing, and what should
I think about for maximum compability?

As far as NM is concerned, it is valid if NM can load it. It will tell
you in the log-file if it cannot. But since the VPN parameters are only
understood by the VPN plugin, that doesn't help you much.

---8<---
[connection]
id=vpn
uuid=c0ffee00-dead-dead-dead-c0ffeedecaff
type=vpn
autoconnect=true

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.vpn.host.vpn
cert-pass-flags=0  # what does this do?

all password settings "XYZ" have an accompanying setting "XYZ-flags".
See: https://developer.gnome.org/NetworkManager/0.9/secrets-flags.html


mssfix=yes  # compat?
remote-cert-tls=server # WTF is this? Probably passed on to openvpn?

Yes. See `man openvpn`.

cert=/my/client.cert
key=/my/client.key
ca=/my/ca.cert


[ipv6]
method=auto # what does this do? dhcp?
[ipv4]
method=auto # dhcp?`Static ip?

https://developer.gnome.org/NetworkManager/0.9/ref-settings.html

---8<---


Maybe it is easier to create your setting with nm-applet.
Together with the NetworkManager-openvpn-gnome package (or whatever the
name on your distro) gives you UI support to edit openvpn connections
with UI. Configure your connection there until it works well for you.
Then look at what was saved to keyfile.


btw. might be useful to know which version of NM you are using, and
which distribution.


Thomas

Attachment: signature.asc
Description: This is a digitally signed message part



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]