network-manager openvpn does not support static key

Bug #451533 reported by Akagi
This bug affects 12 people
Affects: NetworkManager-OpenVPN; Status: Unknown; Importance: Unknown
Affects: network-manager-openvpn (Ubuntu); Status: Fix Released; Importance: Medium; Assigned to: Unassigned
Nominated for Karmic by Ronald
Nominated for Lucid by Ronald

Bug Description

Binary package hint: network-manager-openvpn

I want to use the NetworkManager applet with OpenVPN extension. Sadly this did not work.

I manually created a client.conf for OpenVPN. It is quite simple:

remote xyz
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret home-net.key

openvpn client.conf works.

Now I imported this config file into the NetworkManager OpenVPN plugin. The imported data seems correct to me. But every time I try to start the VPN connection I get the message that the VPN connection cannot be established.

I use

Description: Ubuntu 9.04
Release: 9.04

Furthermore, here is an extract from /var/log/daemon.log:

Oct 14 20:02:49 jupiter NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Oct 14 20:02:49 jupiter NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 4679
Oct 14 20:02:49 jupiter NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Oct 14 20:02:49 jupiter NetworkManager: <info> VPN plugin state changed: 1
Oct 14 20:02:49 jupiter NetworkManager: <info> VPN plugin state changed: 3
Oct 14 20:02:49 jupiter NetworkManager: <info> VPN connection 'Home' (Connect) reply received.
Oct 14 20:02:49 jupiter nm-openvpn[4684]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
Oct 14 20:02:49 jupiter nm-openvpn[4684]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 14 20:02:49 jupiter nm-openvpn[4684]: /usr/sbin/openvpn-vulnkey -q /etc/openvpn/home-net.key
Oct 14 20:02:50 jupiter nm-openvpn[4684]: LZO compression initialized
Oct 14 20:02:50 jupiter nm-openvpn[4684]: TUN/TAP device tun0 opened
Oct 14 20:02:50 jupiter nm-openvpn[4684]: /sbin/ifconfig tun0 10.8.0.2 pointopoint 10.8.0.1 mtu 1500
Oct 14 20:02:50 jupiter nm-openvpn[4684]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1547 10.8.0.2 10.8.0.1 init
Oct 14 20:02:50 jupiter NetworkManager: <info> VPN plugin failed: 2
Oct 14 20:02:50 jupiter nm-openvpn[4684]: script failed: external program exited with error status: 1
Oct 14 20:02:50 jupiter nm-openvpn[4684]: Exiting
Oct 14 20:02:50 jupiter NetworkManager: <info> VPN plugin failed: 1
Oct 14 20:02:50 jupiter NetworkManager: <info> VPN plugin state changed: 6
Oct 14 20:02:50 jupiter NetworkManager: <info> VPN plugin state change reason: 0
Oct 14 20:02:50 jupiter NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Oct 14 20:02:50 jupiter NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.
Oct 14 20:03:02 jupiter NetworkManager: <debug> [1255543383.001439] ensure_killed(): waiting for vpn service pid 4679 to exit
Oct 14 20:03:02 jupiter NetworkManager: <debug> [1255543383.001619] ensure_killed(): vpn service pid 4679 cleaned up

Best regards!

Ronald (ronald645) wrote :

I'm suffering from the *exact* same problem.
Specs:
- Default unmodified ubuntu kernel
- Firewall fully open on both sides, except on the server I do (to access other computers in my network):
     - sysctl net.ipv4.conf.all.forwarding=1
     - iptables -A POSTROUTING -o ra0 -j MASQUERADE -t nat

Server.conf:

>>><<<
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key 1
comp-lzo
>>><<<

Client.conf:

>>><<<
remote 8.8.8.8 # Yes, I changed it for this post :)
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key 0
comp-lzo
route 10.1.9.0 255.255.255.0
>>><<<

static.key and both config files are located in /etc/openvpn/
static.key is generated with: openvpn --genkey --secret static.key

Doing
- openvpn --config /etc/openvpn/server.conf on the server.
- openvpn --config /etc/openvpn/client.conf on the client.
Gives me a good openvpn connection, allowing me to access all the computers in my network.

However, when trying to use the openvpn plugin inside network-manager as a client, stuff goes wrong. I generated a config file from network-manager (by allowing all users to use it):

>>><<<
[connection]
id=VPN-connection 1
uuid=ae53c3a0-7308-41c0-97b8-da1cb7bc8ac5
type=vpn
autoconnect=false
timestamp=0

[ipv4]
method=auto
routes1=10.1.9.0;24;0.0.0.0;0;
ignore-auto-routes=false
ignore-auto-dns=false
dhcp-send-hostname=false
never-default=false

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
local-ip=10.8.0.2
comp-lzo=yes
remote=8.8.8.8
connection-type=static-key
remote-ip=10.8.0.1
static-key=/etc/openvpn/static.key
>>><<<

This does not work; the log says:

Dec 25 15:15:54 Charlie NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Dec 25 15:15:54 Charlie NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7639
Dec 25 15:15:54 Charlie NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Dec 25 15:15:54 Charlie NetworkManager: <info> VPN plugin state changed: 3
Dec 25 15:15:54 Charlie NetworkManager: <info> VPN connection 'Thuis' (Connect) reply received.
Dec 25 15:15:54 Charlie nm-openvpn[7642]: OpenVPN 2.1_rc19 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 13 2009
Dec 25 15:15:54 Charlie nm-openvpn[7642]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 25 15:15:54 Charlie nm-openvpn[7642]: /usr/sbin/openvpn-vulnkey -q /home/ronald/.static.key
Dec 25 15:15:54 Charlie nm-openvpn[7642]: LZO compression initialized
Dec 25 15:15:54 Charlie nm-openvpn[7642]: TUN/TAP device tun0 opened
Dec 25 15:15:54 Charlie nm-openvpn[7642]: /sbin/ifconfig tun0 10.8.0.2 pointopoint 10.8.0.1 mtu 1500
Dec 25 15:15:54 Charlie nm-openvpn[7642]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1545 10.8.0.2 10.8.0.1 init
Dec 25 15:15:54 Charlie NetworkManager: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Dec 25 15:15:54 Charlie NetworkManager: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration ...

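A drift check between the client.conf and the NetworkManager keyfile in the comment above, as an added example (not part of the bug thread or of network-manager-openvpn): it lists which client.conf settings the keyfile does not reproduce. The key name `static-key-direction` is an assumption, and the result is a configuration comparison, not a diagnosis of this bug.

```python
import configparser
import ipaddress
import os

# Constructed from the client.conf and keyfile posted above, trimmed to the
# settings compared. Assumption: the direction key is 'static-key-direction'.
CLIENT_CONF = """remote 8.8.8.8 # changed for this post
ifconfig 10.8.0.2 10.8.0.1
secret static.key 0
comp-lzo
route 10.1.9.0 255.255.255.0
"""
NM_KEYFILE = """[ipv4]
routes1=10.1.9.0;24;0.0.0.0;0;
[vpn]
local-ip=10.8.0.2
comp-lzo=yes
remote=8.8.8.8
connection-type=static-key
remote-ip=10.8.0.1
static-key=/etc/openvpn/static.key
"""

def parse_openvpn(text):
    """Map each directive to its argument lists, dropping '#' comments."""
    conf = {}
    for words in (line.split("#", 1)[0].split() for line in text.splitlines()):
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def drift(conf_text, keyfile_text):
    """Return the names of client.conf settings the keyfile does not reproduce."""
    conf = parse_openvpn(conf_text)
    kf = configparser.ConfigParser(interpolation=None)
    kf.read_string(keyfile_text)
    vpn, ipv4 = kf["vpn"], (kf["ipv4"] if "ipv4" in kf else {})
    key, direction = (conf.get("secret", [[]])[0] + [None, None])[:2]
    want = {ipaddress.ip_network("/".join(r[:2])) for r in conf.get("route", [])}
    have = {ipaddress.ip_network("/".join(v.split(";")[:2]))
            for k, v in ipv4.items() if k.startswith("routes")}
    checks = {
        "ifconfig": [vpn.get("local-ip"), vpn.get("remote-ip")] == conf.get("ifconfig", [None])[0],
        "remote": [vpn.get("remote")] == conf.get("remote", [[]])[0][:1],
        "comp-lzo": ("comp-lzo" in conf) == (vpn.get("comp-lzo") == "yes"),
        "secret": os.path.basename(vpn.get("static-key", "")) == os.path.basename(key or ""),
        "key-direction": vpn.get("static-key-direction") == direction,
        "route": want == have,
    }
    return [name for name, ok in checks.items() if not ok]
```

On the two configurations as posted, `drift(CLIENT_CONF, NM_KEYFILE)` returns only `key-direction`: the keyfile shown carries no counterpart for the `0` in `secret static.key 0`.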

Akagi (akagi010) wrote :

Under Ubuntu 9.10 Karmic it works now. There is (maybe) an issue with the timeout, but that is IMHO another error.

Ronald (ronald645) wrote :

No, I have 9.10 and it is fully updated. What makes you say it works?

Akagi (akagi010) wrote :

I updated to Karmic two weeks ago. NetworkManager with OpenVPN plugin now works. From time to time there are failed attempts, but only one or two times. Then the VPN is stable.

The new issue I observed is that the VPN fails after (roughly) one hour, even if the VPN is not idling. I think I will file a new error for this issue.

Best Regards!

Ronald (ronald645) wrote :

Are you using the same config (static key) just like Akagi and me?

Id2ndR (id2ndr) wrote :

I have seen the two behaviors on Ubuntu 9.10 using NetworkManager:
- OpenVPN used with certificates (TLS) works fine,
- OpenVPN used with a simple secret key doesn't work.

These two configurations are very different, and I can confirm the issue with a secret key.

Id2ndR (id2ndr) wrote :

As explained in the file /usr/share/doc/network-manager-openvpn/README of package network-manager-openvpn, there is no support for static key.

summary: - network-manager openvpn fails to connect
+ network-manager openvpn does not support static key
Id2ndR (id2ndr) wrote :

I think this bug is a duplicate of bug #193686

Ronald (ronald645) wrote :

Id2ndR wrote 7 hours ago: #7

As explained in the file /usr/share/doc/network-manager-openvpn/README of package network-manager-openvpn, there is no support for static key.

Huh? Okay, let's say it does not support it, then why:
- Is there an option in its GUI to configure it?
- Are you referring to a bug where the *static key* part is being debugged?

It doesn't make sense. It's simply broken. In the meantime I moved back to Gentoo, but I can still test it on my laptop. It's definitely broken, no doubt about that. And about the README you found, well... it's not the first time that the documentation represents the state of the actual code.

Id2ndR (id-2ndr) wrote : Re: [Bug 451533] Re: network-manager openvpn does not support static key

@Ronald:

- I agree with you that the GUI has the option so it should be implemented.
- I found the other bug later, after reading http://live.gnome.org/NetworkManager/Debugging and trying to get more information about the trouble (I got the error "didn't receive a VPN Gateway from openvpn").

I think it just had never worked before.

fdanis (frederic-danis) wrote :

Hello,

This is related to Gnome BUG 606998 (https://bugzilla.gnome.org/show_bug.cgi?id=606998).
I tried it with Ubuntu 10.04 Lucid and was able to connect using a pre-shared key.

Hope this helps

Regards

Fred

Fredrik Wendt (fredrik-wendt) wrote :

Is this really valid by now?
I'm using a static key config. I did, however, use the UI to specify the path to the key.

Mathew Hodson (mhodson) wrote :

This was fixed upstream and should be fixed in Lucid and later.

---
network-manager-openvpn (0.8-0ubuntu1) lucid; urgency=low

  * upstream release 0.8
    - core: add tls-remote support (bgo #455142)
    - export: fix tls-auth export
    - import/export: handle 'port' and 'rport' correctly (bgo #604329) (LP: #443174)
    - build: disable .desktop file for now
    - core: handle remote VPN peer correctly in shared key mode too (bgo #606998)
  * bump build-depends to >= 0.8 to build with 0.8 final.
    - update debian/control
  * don't install nm-openvpn.desktop, it's not being built
    - update debian/network-manager-openvpn.install
  * don't install the associated mime-type icon either
    - update debian/network-manager-openvpn-gnome.install
 -- Mathieu Trudel <email address hidden> Fri, 19 Feb 2010 08:58:49 -0500

Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released