Re: Headless VPN connections



On Wed, 2014-07-16 at 10:51 +0200, D.S. Ljungmark wrote:
That sounds like a working method. I'm less worried about the
cleartext hole as the VPN is for internal and debugging use.

Dispatcher vs making the default connection persistent are about the
same, which method is better supported and gives better guarantees
that things work reliably?


I think both methods should be reliable (provided your dispatcher-script
behaves correctly).

connection.secondaries seams easier to me.


Thomas



On 16 Jul 2014 10:43, "Thomas Haller" <thaller redhat com> wrote:
        On Wed, 2014-07-16 at 10:30 +0200, D.S. Ljungmark wrote:
        > Ah. That means we have to deploy the primary connections as
        well.
        > Right now those are auto generated and not stored
        persistently.
        >
        > I'll try that, any thing else I can try?
        >
        > On 16 Jul 2014 10:24, "Thomas Haller" <thaller redhat com>
        wrote:
        >         On Wed, 2014-07-16 at 02:59 +0200, D.S. Ljungmark
        wrote:
        >         > So, I have now something that works.
        >         >
        >         > it can connect to vpn manually.
        >         >
        >         > Next up, how do I get autoconnect to work? I
        thought
        >         > "connection.autoconnect" was enough, but
        appearantly that's
        >         not the case.
        >         >
        >         > What am I missing? ipv4 + ipv6 network comes up
        normally as
        >         it should.
        >
        >
        >         [[ I did not test this myself, but I think... ]]
        >
        >         connection.autoconnect is ignored by VPN type
        connections.
        >
        >         What might work for you, is setting the
        >         "connection.secondaries" option
        >         of the parent ethernet/wifi-connection. One downside
        of this
        >         is that the
        >         parent connection is not part of the VPN-keyfile
        that you want
        >         to
        >         deploy.
        >
        >
        >         Thomas
        
        
        You could also use dispatcher scripts. See `man
        NetworkManager`.
        
        You need to enable NetworkManager-dispatcher service (not sure
        how that
        works on Debian. On Fedora you would `systemctl enable
        NetworkManager-dispatcher`. Maybe it already works).
        
        
        then ads a root-owned script -- with proper access rights(?)
        --
        to /etc/NetworkManager/dispatcher.d
        
        It can react on the status changes and call `nmcli connection
        up id
        my-vpn`.
        
        
        
        Downside: if for some reason the establishing of the VPN
        fails, users
        might communicate insecurely. And there is a short time after
        the parent
        interface connects, where the traffic does not yet go over the
        VPN.
        
        I think you could work around that, by setting
        never-default=no in the
        parent connection and/or not configuring any routes there
        (ignore-auto-routes?)... but then you must again deploy a
        parent
        connection...
        
        
        
        Thomas

Attachment: signature.asc
Description: This is a digitally signed message part



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]