On Tue, 2014-07-15 at 14:38 +0200, D.S. Ljungmark wrote:
Hi! I have a few (heh) headless boxes that use NetworkManager for connectivity, and we'd like to keep it that way (without random hacks and shellscripts, preferrably) One of the things that we want is to set up a VPN connection, each box should automatically reconnect to the VPN if doable, and try to stay connected. However, The documentation for this is. pretty lacking. So, what I want to do is add a config file with the connection specification for a VPN setup to the base OS of all machines, and have them "just work" as much as possible. Now: where can I find the documentation for the KeyFile config format? I think I've seen something in the past, but I can't seem to re-find it. (hidden on the wiki?)
There are different settings-plugins to store connections. "keyfile" is the native NM one and the most powerful. E.g. VPN can only be stored in keyfile format and is not supported by other setting plugins. A general documentation about this is here: https://wiki.gnome.org/Projects/NetworkManager/SystemSettings But this does not tell you the exact meaning of the individual settings. This is here: https://developer.gnome.org/NetworkManager/0.9/ref-settings.html See also: `man nm-settings` The settings above are not 100% the same as the keyfile values, but keyfile is very close to it. It should be easy to figure out how a setting maps to keyfile. Btw. work is in progress, to document the keyfile setting themselves. ... BUT... for VPN, the settings are opaque to NetworkManager and passed on to the VPN plugin. So, to know the meaning of the [vpn] settings, you have to look for their meaning in NetworkManager-openvpn... usually these parameters correspond to command line options to openvpn. So see `man openvpn`. For [vpn] https://developer.gnome.org/NetworkManager/0.9/ref-settings.html is a bit confusing, because ref-settings.html mentions "data", which keyfile plugin expands. E.g. the VPN setting has the (opaque) dictionary "data" with key "mssfix", but keyfile makes of it: [vpn] ... mssfix=yes
And: Is the below config file "correct" ? What is missing, and what should I think about for maximum compability?
As far as NM is concerned, it is valid if NM can load it. It will tell you in the log-file if it cannot. But since the VPN parameters are only understood by the VPN plugin, that doesn't help you much.
---8<--- [connection] id=vpn uuid=c0ffee00-dead-dead-dead-c0ffeedecaff type=vpn autoconnect=true [vpn] service-type=org.freedesktop.NetworkManager.openvpn connection-type=tls remote=vpn.vpn.host.vpn cert-pass-flags=0 # what does this do?
all password settings "XYZ" have an accompanying setting "XYZ-flags". See: https://developer.gnome.org/NetworkManager/0.9/secrets-flags.html
mssfix=yes # compat? remote-cert-tls=server # WTF is this? Probably passed on to openvpn?
Yes. See `man openvpn`.
cert=/my/client.cert key=/my/client.key ca=/my/ca.cert [ipv6] method=auto # what does this do? dhcp? [ipv4] method=auto # dhcp?`Static ip?
https://developer.gnome.org/NetworkManager/0.9/ref-settings.html
---8<---
Maybe it is easier to create your setting with nm-applet. Together with the NetworkManager-openvpn-gnome package (or whatever the name on your distro) gives you UI support to edit openvpn connections with UI. Configure your connection there until it works well for you. Then look at what was saved to keyfile. btw. might be useful to know which version of NM you are using, and which distribution. Thomas
Attachment:
signature.asc
Description: This is a digitally signed message part