On Thu, 2018-02-22 at 11:43 -0500, David H. Durgee wrote:
> Thomas Haller wrote:
> > On Wed, 2018-02-21 at 12:03 -0500, David H. Durgee wrote:
> > > Thomas Haller wrote:
> > > I will consider debug logging after you have a chance to inspect the connection show and let me know if it looks sane or is missing a crucial element.
> >
> > Hi,
> >
> > the settings don't look wrong, but whether the settings are correct depends very much on your server configuration. Enable debug logging and see why the connection failed.
> >
> > Since NM does not support the <extra-certs> argument, you should investigate whether that argument is required in your setup. For example (as you said, plain openvpn works), by running openvpn with the ovpn without the <extra-certs> option.
> >
> > best,
> > Thomas
>
> Per your suggestion I tried using openvpn with the edited file and, as expected, it fails to connect. So the <extra-certs> appears to be required to initialize the connection. Now the question is how do I add them to the configuration?
>
> I manually added the contents of that element to a file ~/.certs/nm-openvpn/Ashburn-edited-extra-certs.pem along with the other elements, but that appears to be insufficient. I assume that I need to add the proper entry to /etc/NetworkManager/system-connections/Private Tunnel - Ashburn, but my question is what form does that entry take? In the [vpn] section I see various entries referencing the certificates, specifically:
>
>   cert=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-cert.pem
>   key=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-key.pem
>   ca=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem
>   ta=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-tls-auth.pem
>
> So I assume I need a similar line for this one, but should it be "extra-certs=" or "ec=" there? I guess I could try both, but I would prefer to get it right the first time. Or is it perhaps something else entirely?
Hi,

Editing the connection of NetworkManager with a new option that is not supported by the nm-openvpn plugin does not make it work. The nm-openvpn plugin does not support this option (yet). See
https://git.gnome.org/browse/network-manager-openvpn/commit/?id=master
especially
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=dd8868f8a020988a47b7d4d4b502a98531fdeee0
which constructs the command line arguments for the openvpn binary.

The proper solution is to add support for this option. Patches welcome.

Possible workarounds are:

- try to find a client configuration that does not require this option. Maybe reconfiguring the server is feasible.
- use openvpn directly, without NetworkManager
- replace the openvpn binary with a wrapper shell script that hacks this option in. Something like (totally untested!)

  #!/bin/bash
  EXTRA_ARGS=
  # '--' stops grep from parsing the pattern as its own option
  if echo "$@" | grep -q -- '--remote MY.REMOTE.THAT.I.RECOGNIZE'; then
      EXTRA_ARGS="--extra-certs /path/to/extra/certs"
  fi
  exec /path/to/real/openvpn "$@" $EXTRA_ARGS

best,
Thomas
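A more careful version of the wrapper idea from the last message, added here as an example (not code from the thread or from the nm-openvpn project): it walks the argument list that nm-openvpn generates, appends --extra-certs only when the --remote host is the one recognized server, the option is not already present, and the PEM file is readable. The real binary path, the PEM path and the host name are placeholders.

```shell
#!/bin/sh
# Wrapper installed in place of the openvpn binary so that the command line
# nm-openvpn builds gets --extra-certs appended for one known server.
# All three values below are assumed placeholders; override via environment.
REAL_OPENVPN="${REAL_OPENVPN:-/usr/sbin/openvpn.real}"   # renamed real binary
EXTRA_CERTS="${EXTRA_CERTS:-/etc/openvpn/extra-certs.pem}"
KNOWN_REMOTE="${KNOWN_REMOTE:-vpn.example.com}"

# Print the host that follows the first --remote argument; fail if none.
remote_host() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "--remote" ] && [ "$#" -ge 2 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# True when --extra-certs is already present in the argument list.
has_extra_certs() {
    for a in "$@"; do
        [ "$a" = "--extra-certs" ] && return 0
    done
    return 1
}

# Append only for the known remote, only once, and only if the file is readable,
# so a typo in the path fails loudly on stderr instead of silently connecting.
wants_extra_certs() {
    host=$(remote_host "$@") || return 1
    [ "$host" = "$KNOWN_REMOTE" ] || return 1
    has_extra_certs "$@" && return 1
    [ -r "$EXTRA_CERTS" ] || { echo "wrapper: $EXTRA_CERTS unreadable" >&2; return 1; }
    return 0
}

# Dispatch only when invoked with arguments, as NetworkManager always does;
# running the file bare just defines the functions above.
if [ "$#" -gt 0 ]; then
    if wants_extra_certs "$@"; then
        set -- "$@" --extra-certs "$EXTRA_CERTS"
    fi
    exec "$REAL_OPENVPN" "$@"
fi
```

Using set -- keeps every original argument intact as a separate word, which the $EXTRA_ARGS string in the sketch above does not guarantee for paths containing spaces.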