Re: network-manager-openconnect and csd-wrapper



That may solve all my issues, great!

I took a shot at it and it looks like nmcli limits to "some" of the values, as otherwise I get an error message:
$ nmcli connection modify MYVPN vpn.enable_csd_trojan true vpn.csd_wrapper ~/csd/csd.sh
Erreur : propriété « enable_csd_trojan » non valide : « enable_csd_trojan » ne fait pas partie de [service-type, user-name, persistent, data, secrets, timeout].

Further looking into it (using nmcli connection edit MYVPN, print vpn) I found that vpn.data can be tailored somewhat "at will" so I was able to get the following into it (presuming I'm at the right spot?):
$ nmcli connection modify MYVPN vpn.data "key = ~/key/key.pfx, cert = ~/key/cert.pfx, username = myusername, remote = remoteserver, enable_csd_trojan = 1, csd_wrapper = ~/csd/csd.sh"

Now I think all that is missing before testing is how I can emulate the "--os win"?

Again, thanks in advance.

- vin

On Wed, 14 Sept 2016 at 09:03, Thomas Haller <thaller redhat com> wrote:
On Wed, 2016-09-14 at 12:32 +0000, Vincent Fortier wrote:
> Hi all,
>
> Looking for help to solve a few issues/questions in regards to NM in
> conjunction with openconnect:
> 1) How can we pass --csd-wrapper=script to openconnect using NM?
> 2) The gui currently does not allow selecting ".pfx" files.  Is it ok
> to force that by manually editing the relevant
> /etc/NetworkManager/system-connections/XYZ file?
> 3) is it possible to create an extensive openconnect connection
> directly using nmcli?  (tried it but seemed to lack quite a few
> options available into the gui)


Hi,

regarding 3):

A connection is only the set of key-value pairs as you see it
in /etc/NetworkManager/system-connections/XYZ. As such, you can achieve
any supported configuration by editing the file directly (followed by
`nmcli connection reload`).
Similarly, `nmcli connection modify` allows you to modify every
setting. This is certainly true for VPN, as nmcli is unaware what
the fields mean there.

So, yes, you can do it via nmcli. But that leaves you with the question
which properties are supported there.

There is no documentation for that. See the source code:

https://git.gnome.org/browse/network-manager-openconnect/tree/shared/nm-service-defines.h?id=0a801fb674aab47bd6b9da53c1d04a0e2f49cdab
https://git.gnome.org/browse/network-manager-openconnect/tree/src/nm-openconnect-service.c?id=0a801fb674aab47bd6b9da53c1d04a0e2f49cdab#n81



Thomas
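
Since a connection is just the key-value pairs in the keyfile, the script path stored under [vpn] can be checked before the connection is used. The following is an added example, not code from the thread or from NetworkManager: the function name and the sample keyfile are constructed, and the [vpn] key names are the ones tried in the thread, not a verified list.

```python
import configparser
import os
import stat

# Constructed sample of a keyfile under /etc/NetworkManager/system-connections/.
# Key names in [vpn] are the ones tried in the thread, not a verified list.
SAMPLE = """\
[connection]
id=MYVPN
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openconnect
enable_csd_trojan=1
csd_wrapper=~/csd/csd.sh
"""

def audit_vpn_paths(keyfile_text, path_keys=("csd_wrapper",)):
    """Return (key, problem) findings for script paths in the [vpn] section."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(keyfile_text)
    if not cp.has_section("vpn"):
        return [("vpn", "section missing")]
    findings = []
    for key in path_keys:
        if not cp.has_option("vpn", key):
            continue
        path = cp.get("vpn", key)
        # A "~" typed inside a quoted vpn.data string is never expanded by the
        # shell, so it is stored literally and shows up here as a relative path.
        if not os.path.isabs(path):
            findings.append((key, "not an absolute path"))
            continue
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append((key, "file not found"))
            continue
        if not stat.S_ISREG(mode):
            findings.append((key, "not a regular file"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((key, "writable by group or others"))
        if not mode & stat.S_IXUSR:
            findings.append((key, "not executable by owner"))
    return findings

if __name__ == "__main__":
    for key, problem in audit_vpn_paths(SAMPLE):
        print(f"{key}: {problem}")
```

A wrapper script that other local users can modify lets them change what runs when the VPN connects, which is why the permission check sits next to the path check.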

