Re: Headless VPN connections

On Tue, 2014-07-15 at 14:38 +0200, D.S. Ljungmark wrote:

> I have a few (heh) headless boxes that use NetworkManager for
> connectivity, and we'd like to keep it that way (without random hacks
> and shell scripts, preferably)
>
> One of the things that we want is to set up a VPN connection, each box
> should automatically reconnect to the VPN if doable, and try to stay
>
> However, the documentation for this is... pretty lacking.
>
> So, what I want to do is add a config file with the connection
> specification for a VPN setup to the base OS of all machines, and have
> them "just work" as much as possible.
>
> Where can I find the documentation for the KeyFile config format? I
> think I've seen something in the past, but I can't seem to re-find it.
> (hidden on the wiki?)

There are different settings-plugins to store connections. "keyfile" is
the native NM one and the most powerful. E.g. VPN can only be stored in
keyfile format and is not supported by other setting plugins.

General documentation about this is here:

But this does not tell you the exact meaning of the individual settings.
This is here:
See also: `man nm-settings`

The settings above are not 100% the same as the keyfile values, but
keyfile is very close to it. It should be easy to figure out how a
setting maps to keyfile. Btw., work is in progress to document the
keyfile settings themselves.

... BUT... for VPN, the settings are opaque to NetworkManager and passed
on to the VPN plugin. So, to know the meaning of the [vpn] settings, you
have to look for their meaning in NetworkManager-openvpn... usually
these parameters correspond to command line options to openvpn. So see
`man openvpn`.

For [vpn] is a
bit confusing, because ref-settings.html mentions "data", which keyfile
plugin expands.
E.g. the VPN setting has the (opaque) dictionary "data" with key
"mssfix", but keyfile makes of it:


> Is the below config file "correct"? What is missing, and what should
> I think about for maximum compatibility?

As far as NM is concerned, it is valid if NM can load it. It will tell
you in the log-file if it cannot. But since the VPN parameters are only
understood by the VPN plugin, that doesn't help you much.


> cert-pass-flags=0  # what does this do?

All password settings "XYZ" have an accompanying setting "XYZ-flags".

> mssfix=yes  # compat?
> remote-cert-tls=server # WTF is this? Probably passed on to openvpn?

Yes. See `man openvpn`.


> method=auto # what does this do? dhcp?
> method=auto # dhcp? Static ip?


Maybe it is easier to create your setting with nm-applet.
Together with the NetworkManager-openvpn-gnome package (or whatever the
name is on your distro), it gives you UI support to edit openvpn connections
with UI. Configure your connection there until it works well for you.
Then look at what was saved to keyfile.

Btw., it might be useful to know which version of NM you are using, and
which distribution.


Attachment: signature.asc
Description: This is a digitally signed message part
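
An added example (not part of the original message and not NetworkManager's own code): a Python check of the "XYZ-flags" settings discussed above, decoding them with NetworkManager's secret-flag bit values (0 = stored by NM, 1 = agent-owned, 2 = not saved, 4 = not required) to find secrets a headless box could not supply. The sample keyfile, its host name and passphrase are constructed placeholders, and the function names are hypothetical.

```python
import configparser

# NMSettingSecretFlags bit values; 0 means NetworkManager stores the secret itself.
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}

# Constructed sample keyfile: every name and value here is a placeholder.
SAMPLE_KEYFILE = """\
[connection]
id=example-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=password-tls
remote=vpn.example.com
cert-pass-flags=0
password-flags=1
remote-cert-tls=server

[vpn-secrets]
cert-pass=placeholder-passphrase
"""

def decode_flags(value):
    bits = int(value)
    names = [name for bit, name in SECRET_FLAGS.items() if bits & bit]
    return names or ["system-stored"]

def audit_vpn_secrets(text):
    """Return {secret: (flag_names, problem_or_None)} for the [vpn] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    stored = dict(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else {}
    report = {}
    for key, value in cp["vpn"].items():
        if not key.endswith("-flags"):
            continue  # other [vpn] keys are opaque plugin options
        secret = key[:-len("-flags")]
        flags = decode_flags(value)
        problem = None
        if "agent-owned" in flags or "not-saved" in flags:
            problem = "needs a secret agent or prompt, absent on a headless box"
        elif flags == ["system-stored"] and secret not in stored:
            problem = "flagged system-stored but missing from [vpn-secrets]"
        report[secret] = (flags, problem)
    return report

if __name__ == "__main__":
    for secret, (flags, problem) in audit_vpn_secrets(SAMPLE_KEYFILE).items():
        print(secret, flags, problem or "ok")
```

Because a keyfile with system-stored secrets holds them in clear text, keep it readable by root only.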
