On 15/07/14 15:20, Thomas Haller wrote:
> On Tue, 2014-07-15 at 14:38 +0200, D.S. Ljungmark wrote:
>> Hi!
>>
>> I have a few (heh) headless boxes that use NetworkManager for connectivity, and we'd like to keep it that way (without random hacks and shell scripts, preferably).
>>
>> One of the things that we want is to set up a VPN connection; each box should automatically reconnect to the VPN if doable, and try to stay connected. However, the documentation for this is... pretty lacking.
>>
>> So, what I want to do is add a config file with the connection specification for a VPN setup to the base OS of all machines, and have them "just work" as much as possible.
>>
>> Now: where can I find the documentation for the KeyFile config format? I think I've seen something in the past, but I can't seem to re-find it. (hidden on the wiki?)
>
> There are different settings-plugins to store connections. "keyfile" is the native NM one and the most powerful. E.g. VPN can only be stored in keyfile format and is not supported by other setting plugins. A general documentation about this is here: https://wiki.gnome.org/Projects/NetworkManager/SystemSettings

Since we started "fresh" we only have keyfile format on the systems, so that's not a big problem.

> But this does not tell you the exact meaning of the individual settings. This is here: https://developer.gnome.org/NetworkManager/0.9/ref-settings.html
> See also: `man nm-settings`

Thank you, that's the manpage I was missing.

> The settings above are not 100% the same as the keyfile values, but keyfile is very close to it. It should be easy to figure out how a setting maps to keyfile. Btw. work is in progress to document the keyfile settings themselves.
>
> ... BUT... for VPN, the settings are opaque to NetworkManager and passed on to the VPN plugin. So, to know the meaning of the [vpn] settings, you have to look for their meaning in NetworkManager-openvpn... usually these parameters correspond to command line options to openvpn. So see `man openvpn`.

Aye, we have OpenVPN set up & working, but not integrated with NetworkManager. What we're hoping is to have NM manage all interfaces and VPNs and just have stuff "work" without having to manage it via various cron jobs to automatically restart things just in case. (Seriously, running `curl http://vpn.vpn.vpn || service vpn restart` is -not- optimal. But it was what we used to have.)

> For [vpn] https://developer.gnome.org/NetworkManager/0.9/ref-settings.html is a bit confusing, because ref-settings.html mentions "data", which the keyfile plugin expands. E.g. the VPN setting has the (opaque) dictionary "data" with key "mssfix", but keyfile makes of it:
>
> [vpn]
> ...
> mssfix=yes

Aha! That explains some of them for me, thanks!

>> And: Is the below config file "correct"? What is missing, and what should I think about for maximum compatibility?
>
> As far as NM is concerned, it is valid if NM can load it. It will tell you in the log file if it cannot. But since the VPN parameters are only understood by the VPN plugin, that doesn't help you much.
>
>> ---8<---
>> [connection]
>> id=vpn
>> uuid=c0ffee00-dead-dead-dead-c0ffeedecaff
>> type=vpn
>> autoconnect=true
>>
>> [vpn]
>> service-type=org.freedesktop.NetworkManager.openvpn
>> connection-type=tls
>> remote=vpn.vpn.host.vpn
>> cert-pass-flags=0 # what does this do?
>
> All password settings "XYZ" have an accompanying setting "XYZ-flags". See: https://developer.gnome.org/NetworkManager/0.9/secrets-flags.html

Then I need to have that at 0x4 I think. (Keys aren't locked/encrypted, so hopefully nothing else should be needed.)

>> mssfix=yes # compat?
>> remote-cert-tls=server # WTF is this? Probably passed on to openvpn?
>
> Yes. See `man openvpn`.
>
>> cert=/my/client.cert
>> key=/my/client.key
>> ca=/my/ca.cert
>>
>> [ipv6]
>> method=auto # what does this do? dhcp?
>>
>> [ipv4]
>> method=auto # dhcp? Static IP?
>
> https://developer.gnome.org/NetworkManager/0.9/ref-settings.html

Okay, thanks. That makes sense as decent defaults.

>> ---8<---
>
> Maybe it is easier to create your setting with nm-applet. Together with the NetworkManager-openvpn-gnome package (or whatever the name is on your distro) it gives you UI support to edit openvpn connections. Configure your connection there until it works well for you. Then look at what was saved to keyfile.
>
> Btw. it might be useful to know which version of NM you are using, and which distribution.

nmcli tool, version 0.9.10.0; OS is forked off Debian experimental.

> Thomas

Thanks a lot for the quick replies!
//D.S.

-- 
8362 CB14 98AD 11EF CEB6 FA81 FCC3 7674 449E 3CFC
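As an added example (not code from this thread, from NetworkManager or from NetworkManager-openvpn), the Python below does offline what the reply describes: it parses a keyfile like the one posted, folds the [vpn] section into the opaque "data" dictionary that ref-settings.html talks about, decodes every "XYZ-flags" key using the bit values documented on the secrets-flags page (0x1 agent-owned, 0x2 not-saved, 0x4 not-required, 0 meaning system-owned), and runs a few checks worth doing before dropping such a file into /etc/NetworkManager/system-connections/. The sample keyfile is constructed for the example (with cert-pass-flags already set to 4 rather than the 0 in the posted file), the list of checks is the example's own, and the permission rule in keyfile_perms_ok (root-owned, no group/other access) is the example's assumption about what NM's keyfile reader enforces.

```python
"""Parse a NetworkManager keyfile VPN connection and decode its secret flags.

Added example; not NetworkManager's own code.  Assumes the
NMSettingSecretFlags bit values from the secrets-flags documentation.
"""
import configparser

# Bit values of NMSettingSecretFlags; a value of 0 means "system-owned"
# (NetworkManager stores the secret itself).
SECRET_FLAGS = {
    0x1: "agent-owned",   # a user agent (e.g. nm-applet) keeps the secret
    0x2: "not-saved",     # ask for the secret every time
    0x4: "not-required",  # no secret needed (e.g. an unencrypted key file)
}

# Constructed sample, modelled on the keyfile posted in the thread.
# (configparser does not strip inline '#' comments, so none are used here.)
SAMPLE_KEYFILE = """\
[connection]
id=vpn
uuid=c0ffee00-dead-dead-dead-c0ffeedecaff
type=vpn
autoconnect=true

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn.vpn.host.vpn
cert-pass-flags=4
mssfix=yes
remote-cert-tls=server
cert=/my/client.cert
key=/my/client.key
ca=/my/ca.cert

[ipv6]
method=auto

[ipv4]
method=auto
"""


def parse_keyfile(text):
    """Return {section: {key: value}}; the [vpn] section is rewritten as
    {'service-type': ..., 'data': {...}} to mirror the nm-settings view,
    where everything except service-type lives in the opaque 'data' dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    conn = {s: dict(cp.items(s)) for s in cp.sections()}
    if "vpn" in conn:
        vpn = conn.pop("vpn")
        conn["vpn"] = {"service-type": vpn.pop("service-type", None),
                       "data": vpn}
    return conn


def decode_secret_flags(value):
    """Turn a flags value ('0', '4', '0x3', ...) into a list of flag names."""
    bits = int(value, 0)
    names = [name for bit, name in SECRET_FLAGS.items() if bits & bit]
    return names or ["system-owned"]


def vpn_secret_flags(conn):
    """Map each '<secret>-flags' key in vpn.data to its decoded flag names."""
    data = conn.get("vpn", {}).get("data", {})
    suffix = "-flags"
    return {k[:-len(suffix)]: decode_secret_flags(v)
            for k, v in data.items() if k.endswith(suffix)}


def check_connection(conn):
    """Return a list of problems to fix before installing the keyfile.
    The checks are this example's own, not an NM validation routine."""
    problems = []
    if conn.get("connection", {}).get("type") != "vpn":
        problems.append("connection.type is not 'vpn'")
    vpn = conn.get("vpn", {})
    if not vpn.get("service-type"):
        problems.append("vpn.service-type missing; no plugin can claim it")
    data = vpn.get("data", {})
    if data.get("connection-type") == "tls":
        for key in ("ca", "cert", "key"):
            if not data.get(key):
                problems.append("vpn.data.%s missing for TLS mode" % key)
    # Without remote-cert-tls=server, any client cert issued by the same CA
    # would be accepted as the VPN server.
    if data.get("remote-cert-tls") != "server":
        problems.append("remote-cert-tls=server not set")
    return problems


def keyfile_perms_ok(mode, uid):
    """Assumed loading rule: the file must be root-owned with no group/other
    access bits (i.e. 0600), since it may carry secrets."""
    return uid == 0 and (mode & 0o077) == 0


if __name__ == "__main__":
    c = parse_keyfile(SAMPLE_KEYFILE)
    print("secret flags:", vpn_secret_flags(c))
    print("problems:", check_connection(c) or "none")
```

Run it against a real file by replacing SAMPLE_KEYFILE with the file's contents and passing the result of os.stat() (st_mode, st_uid) to keyfile_perms_ok; the flag decoding is what turns a bare "cert-pass-flags=4" into the readable "not-required".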