Re: Lack of new OpenVPN SAML interoperability

From: Thomas Haller <thaller redhat com>
To: Marcus Diniz <marcus secunit org>, gnome-network-list gnome org, networkmanager-list gnome org
Subject: Re: Lack of new OpenVPN SAML interoperability
Date: Mon, 02 Aug 2021 11:17:57 +0200

Hi,

On Sun, 2021-08-01 at 14:19 -0300, Marcus Diniz wrote:

Hello,

First of all, I'm sorry to copy both gnome-network-list and
networkmanager-list, because I didn't know or couldn't recognize
which one would be the proper one to mention this fact.

I've been trying to access my OpenVPN cloud account through the
'Import profile' wizard that comes with Gnome Network.

I simply go to Settings->Network, then on VPN panel I click on '+'
symbol, a new window appears, then I select 'Import from file...'.
Finally, after imported, when I try to connect, I receive the
following errors:


How you create a profile does not matter much. What matters, is the
actual settings in the profile (you see them with `nmcli connection
show "$PROFILE"`) and which versions of NetworkManager, nm-openpvn and
openvpn versions are used.

Aug  1 14:17:13 blackbox systemd[1]: NetworkManager-
dispatcher.service: Succeeded.
Aug  1 14:17:17 blackbox NetworkManager[1266]: <info>
 [1627838237.3179] audit: op="connection-activate" uuid="29cf64b5-
5104-4953-83e2-367bf0a140ed"
name="device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_Paulo]"
pid=2455 uid=1000 result="success"
Aug  1 14:17:17 blackbox NetworkManager[1266]: <info>
 [1627838237.3261] vpn-connection[0x559b36c6c510,29cf64b5-5104-4953-
83e2-
367bf0a140ed,"device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_
Paul: Started the VPN service, PID 42217
Aug  1 14:17:17 blackbox NetworkManager[1266]: <info>
 [1627838237.3367] vpn-connection[0x559b36c6c510,29cf64b5-5104-4953-
83e2-
367bf0a140ed,"device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_
Paul: Saw the service appear; activating connection
Aug  1 14:17:17 blackbox NetworkManager[1266]: <info>
 [1627838237.3699] vpn-connection[0x559b36c6c510,29cf64b5-5104-4953-
83e2-
367bf0a140ed,"device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_
Paul: VPN plugin: state changed: starting (3)
Aug  1 14:17:17 blackbox NetworkManager[1266]: <info>
 [1627838237.3705] vpn-connection[0x559b36c6c510,29cf64b5-5104-4953-
83e2-
367bf0a140ed,"device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_
Paul: VPN connection: (ConnectInteractive) reply received
Aug  1 14:17:17 blackbox nm-openvpn[42221]: OpenVPN 2.4.7 x86_64-pc-
linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO]
[AEAD] built on Jul 19 2021
Aug  1 14:17:17 blackbox nm-openvpn[42221]: library versions: OpenSSL
1.1.1f  31 Mar 2020, LZO 2.10
Aug  1 14:17:17 blackbox nm-openvpn[42221]: NOTE: the current --
script-security setting may allow this configuration to call user-
defined scripts
Aug  1 14:17:17 blackbox nm-openvpn[42221]: TCP/UDP: Preserving
recently used remote address: [AF_INET]209.14.3.201:1194
Aug  1 14:17:17 blackbox nm-openvpn[42221]: UDP link local: (not
bound)
Aug  1 14:17:17 blackbox nm-openvpn[42221]: UDP link remote:
[AF_INET]209.14.3.201:1194
Aug  1 14:17:17 blackbox nm-openvpn[42221]: NOTE: chroot will be
delayed because of --client, --pull, or --up-delay
Aug  1 14:17:17 blackbox nm-openvpn[42221]: NOTE: UID/GID downgrade
will be delayed because of --client, --pull, or --up-delay
Aug  1 14:17:17 blackbox nm-openvpn[42221]: [br-gru-dc2-
g1.cloud.openvpn.net] Peer Connection Initiated with
[AF_INET]209.14.3.201:1194
Aug  1 14:17:18 blackbox nm-openvpn[42221]: AUTH: Received control
message: AUTH_FAILED,SSO Auth Failed due to lack of client support
Aug  1 14:17:18 blackbox nm-openvpn[42221]: SIGUSR1[soft,auth-
failure] received, process restarting
Aug  1 14:17:23 blackbox NetworkManager[1266]: <info>
 [1627838243.8605] vpn-connection[0x559b36c6c510,29cf64b5-5104-4953-
83e2-
367bf0a140ed,"device_1_mdiniz@moneytrans_eu@secunit.openvpn.com_[Sao_
Paul: VPN plugin: requested secrets; state connect (4)
Aug  1 14:17:25 blackbox nm-openvpn[42221]: NOTE: the current --
script-security setting may allow this configuration to call user-
defined scripts
Aug  1 14:17:25 blackbox nm-openvpn[42221]: TCP/UDP: Preserving
recently used remote address: [AF_INET]209.14.3.201:1194
Aug  1 14:17:25 blackbox nm-openvpn[42221]: UDP link local: (not
bound)
Aug  1 14:17:25 blackbox nm-openvpn[42221]: UDP link remote:
[AF_INET]209.14.3.201:1194
Aug  1 14:17:25 blackbox nm-openvpn[42221]: [br-gru-dc2-
g1.cloud.openvpn.net] Peer Connection Initiated with
[AF_INET]209.14.3.201:1194
Aug  1 14:17:26 blackbox nm-openvpn[42221]: AUTH: Received control
message: AUTH_FAILED,SSO Auth Failed due to lack of client support
Aug  1 14:17:26 blackbox nm-openvpn[42221]: SIGUSR1[soft,auth-
failure] received, process restarting


While using openvpn3 package it works flawlessly.


NetworkManager-openvpn plugin does currently not support openvpn3 (I
think, and as you probably expirience here).

Is the problem here that openvpn client verions 2 cannot talk with an
openvpn3 peer?

I wonder, are there any plans to add openvpn3 support for the VPNs?


Things get done, when somebody sends patches. As such, there is no
"planning" for what gets done.

On the other hand, patches for improvements are always welcome.

In case of openvpn3 support however, that might be a large work. So
some "planning" (that is, discussion) about how to solve it might
indeed be necessary.

But a better answer to your question is: no, there is no plan and I am
not aware of anybody working on this. But I might simply not be aware
of that and it can change at any moment when somebody picks up the
work.



best,
Thomas

References:
- Lack of new OpenVPN SAML interoperability
  - From: Marcus Diniz

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]