Re: Problem importing OpenVPN profile in Linux Mint 18.3 x64 cinnamon



Thomas Haller wrote:
On Thu, 2018-02-22 at 11:43 -0500, David H. Durgee wrote:
Thomas Haller wrote:
On Wed, 2018-02-21 at 12:03 -0500, David H. Durgee wrote:
Thomas Haller wrote:

I will consider debug logging after you have a chance to inspect the
connection show and let me know if it looks sane or is missing a crucial
element.
Hi,

the settings don't look wrong, but whether the settings are correct
depends very much on your server configuration. Enable debug logging
and see why the connection failed.

Since NM does not support the <extra-certs> argument, you should
investigate whether that argument is required in your setup. For
example, (as you said, plain openvpn works) by running openvpn with the
ovpn without the <extra-certs> option.


best,
Thomas
Per your suggestion I tried using openvpn with the edited file and as
expected it fails to connect.  So the <extra-certs> appears to be
required to initialize the connection.  Now the question is how do I add
them to the configuration?  I manually added the contents of that
element to a file ~/.certs/nm-openvpn/Ashburn-edited-extra-certs.pem
along with the other elements, but that appears to be insufficient.

I assume that I need to add the proper entry to
/etc/NetworkManager/system-connections/Private Tunnel - Ashburn, but my
question is what form does that entry take?  In the [vpn] section I see
various entries referencing the certificates, specifically:

cert=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-cert.pem
key=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-key.pem
ca=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem
ta=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-tls-auth.pem

So I assume I need a similar line for this one, but should it be
"extra-certs=" or "ec=" there?  I guess I could try both, but I would
prefer to get it right the first time.  Or is it perhaps something else
entirely?
Hi,


Editing the connection of NetworkManager with a new option that is not
supported by nm-openvpn plugin does not make it work.
nm-openvpn plugin does not support this option (yet).

See
https://git.gnome.org/browse/network-manager-openvpn/commit/?id=master
especially 
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=dd8868f8a020988a47b7d4d4b502a98531fdeee0
which constructs the command line arguments for openvpn binary.

The proper solution is to add support for this option. Patches welcome.
I doubt my programming skills are up to a patch for this.  Is this one on the list somewhere of additional options to be supported?  If not, can it be added?  In either case, any idea of when it might be available?  Is there a release schedule for the plugin?
Possible workarounds are:

- try to find a client configuration that does not require this
   option. Maybe reconfiguring the server is feasible.

Not in this case, this is not my server but a service provider.

- use openvpn directly, without NetworkManager

That is my current approach, I guess I can continue doing so while the option is added to the plugin.

- replace the openvpn binary with a wrapper shell script, that hacks
   this option. Something like (totally untested!)


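#!/bin/bash

# Wrapper installed in place of the real openvpn binary: append
# --extra-certs when the command line targets the recognized remote.
EXTRA_ARGS=()
# -F matches the string literally; -e keeps grep from parsing the
# leading "--" of the pattern as one of its own options.
if printf '%s\n' "$*" | grep -qF -e '--remote MY.REMOTE.THAT.I.RECOGNIZE'; then
     EXTRA_ARGS=(--extra-certs /path/to/extra/certs)
fi
exec /path/to/real/openvpn "$@" "${EXTRA_ARGS[@]}"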

I guess that might work, but it is a bit messy.

Given that I only need to use the service when taking my laptop out of the office I believe I can live with continuing to use openvpn directly until the plugin supports the <extra-certs> option. I doubt that private tunnel is the only service using this option, so I suspect others are also encountering it and adding support to the plugin should be done at some point.

Thanks again for your assistance in this matter.

Dave
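
The manual step described in this thread (copying each inline element of the .ovpn profile into its own file and pointing the [vpn] section at it) can be scripted. The Python below is an added example, not part of the original messages and not code from the network-manager-openvpn project. The function names, the sample profile and the output file naming are assumptions; the tag-to-key mapping is taken from the cert=, key=, ca= and ta= lines quoted above.

```python
import os
import re
import tempfile

# Inline tags the thread shows mapped to [vpn] keys (ca, cert, key, ta).
# <extra-certs> has none: per the thread, nm-openvpn does not support it.
NM_KEYS = {"ca": "ca", "cert": "cert", "key": "key", "tls-auth": "ta"}
BLOCK = re.compile(r"^<([a-z0-9-]+)>\s*\n(.*?)^</\1>\s*$", re.M | re.S)

def split_profile(text):
    """Return (inline blocks by tag, profile text with the blocks removed)."""
    blocks = {m.group(1): m.group(2) for m in BLOCK.finditer(text)}
    return blocks, BLOCK.sub("", text)

def export_blocks(blocks, outdir, prefix):
    """Write each block to a 0600 file; return ([vpn] lines, unsupported tags)."""
    vpn_lines, unsupported = [], []
    for tag, body in blocks.items():
        path = os.path.join(outdir, f"{prefix}-{tag}.pem")
        # O_EXCL refuses to overwrite; 0o600 keeps key material owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        if tag in NM_KEYS:
            vpn_lines.append(f"{NM_KEYS[tag]}={path}")
        else:
            unsupported.append(tag)
    return vpn_lines, unsupported

# Constructed sample profile; the block bodies are placeholders, not real PEM.
SAMPLE = """client
remote vpn.example.net 1194
<ca>
PLACEHOLDER-CA-PEM
</ca>
<key>
PLACEHOLDER-KEY-PEM
</key>
<extra-certs>
PLACEHOLDER-INTERMEDIATE-PEM
</extra-certs>
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        lines, missing = export_blocks(split_profile(SAMPLE)[0], d, "sample")
        print("\n".join(lines), "\nno nm-openvpn key for:", missing)
```

Any tag reported as having no nm-openvpn key is one the imported connection cannot carry, which is the situation <extra-certs> is in here.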

