OpenVPN not working with NM 1.2

Bug #1579222 reported by Pat McGowan
Affects | Status | Importance | Assigned to | Milestone
Canonical System Image | Fix Released | Critical | Tony Espy |
network-manager (Ubuntu RTM) | Fix Released | Critical | Tony Espy |

Bug Description

OpenVPN can be enabled; however, when using it to connect to the Canonical VPN, it fails.

This is a result of a failure to re-configure the device’s IP addresses and routing table as shown in the following extract from the device’s ( mako ) syslog:

14:32 vpn-connection[0x192f168,975b1a22-a63d-482c-beb7-5d7b5a64ca06,"<hostaname obfuscated>",28:(tun0)]: VPN plugin: state changed: started (4)
14:32 do-add-ip6-address[28: xxxx:xxx:xxxx:xxxx::xxx:425b]: failure 22 (Invalid argument)
14:32 do-add-ip6-route[28: xxxx:xx:xxxx::/44 50]: failure 113 (No route to host)
14:32 do-add-ip6-route[28: xxxx:xxx:xxxx::/47 50]: failure 113 (No route to host)
14:32 do-add-ip6-route[28: xxxx:xxx:xxxx::/47 50]: failure 113 (No route to host)
14:32 do-add-ip6-route[28: xxxx:xxx:xxxx::/48 50]: failure 113 (No route to host)

14:32 do-add-ip4-address[22: 192.168.1.18/24]: failure 17 (File exists)
14:32 do-add-ip4-route[22: xx.xxx.xx.xx/32 600]: failure 3 (No such process)
14:32 do-add-ip4-route[22: 0.0.0.0/0 600]: failure 3 (No such process)
14:32 default-route: failed to add default route 0.0.0.0/0 via 192.168.1.1 dev 22 metric 600 mss 0 src user with effective metric 600

14:32 do-add-ip6-address[22: xxxx::xxxx:xxxx:xxxx:xxxx]: failure 22 (Invalid argument)

14:32 vpn-connection[0x192f168,975b1a22-a63d-482c-beb7-5d7b5a64ca06,"<hostname obfuscated>",28:(tun0)]: VPN connection: (IP Config Get) complete

So, an add IPv6 IP address operation fails with EINVAL, and this causes a cascade of IPv6 route addition failures.

Next, an add IPv4 IP address operation fails with EEXISTS, and this also causes subsequent routing failures.

Finally, another add IPv6 address operation fails with EINVAL.

The first problem, the IPv6 EINVAL failure, seems to be caused by the newer netlink logic in NM 1.2 including the peer_address instead of the base address in an IFA_ADDRESS attribute. Changing this code to use address causes the failures to disappear.

The second problem, the IPv4 EEXISTS failure, looks like it was handled explicitly in the NM 0.9.10x code-base ( ie. if a netlink operation was nak'd due to EEXISTS, it was treated as SUCCESS ), but not in NM 1.2. The logic in NM1.2 is a bit more involved, but I was able to patch the code to handle EEXISTS, and the IPv4 operations now succeed.

With this second patch in place, I'm able to enable the Canonical VPN, the address and routing failures no longer occur, and I'm now able to access DNS and the internal network.

Note, there's a version (1.2.0-0ubuntu1~vivid1~awe5) of NM1.2 final in my PPA with the fixes mentioned applied:

https://launchpad.net/~awe/+archive/ubuntu/ppa/+packages

I now need to backport the fixes to the version of NM in the overlay PPA ( 1.1.93-0ubuntu1~vivid1 ). I also need to review the patches with upstream.
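
Added example (not part of the original report and not NetworkManager code): a small Python triage script that parses failure lines in the format of the syslog extract above and groups them by interface index and address family, so each failed address add is shown with the route failures recorded for the same interface. The sample lines are constructed from the extract, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the syslog extract above (addresses obfuscated).
SAMPLE = """\
14:32 do-add-ip6-address[28: xxxx:xxx:xxxx:xxxx::xxx:425b]: failure 22 (Invalid argument)
14:32 do-add-ip6-route[28: xxxx:xx:xxxx::/44 50]: failure 113 (No route to host)
14:32 do-add-ip6-route[28: xxxx:xxx:xxxx::/47 50]: failure 113 (No route to host)
14:32 do-add-ip4-address[22: 192.168.1.18/24]: failure 17 (File exists)
14:32 do-add-ip4-route[22: xx.xxx.xx.xx/32 600]: failure 3 (No such process)
14:32 do-add-ip4-route[22: 0.0.0.0/0 600]: failure 3 (No such process)
14:32 do-add-ip6-address[22: xxxx::xxxx:xxxx:xxxx:xxxx]: failure 22 (Invalid argument)
"""

LINE = re.compile(
    r"do-add-ip(?P<fam>[46])-(?P<kind>address|route)"
    r"\[(?P<ifindex>\d+): (?P<target>[^\]]+)\]: failure (?P<errno>\d+) \((?P<msg>[^)]*)\)"
)

def parse(text):
    """Yield one dict per address/route failure line found in the log text."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            d = m.groupdict()
            d["ifindex"], d["errno"] = int(d["ifindex"]), int(d["errno"])
            yield d

def cascades(text):
    """Group failures by (ifindex, family): the failed address add is recorded
    as the root, route failures on the same key as its dependents."""
    out = defaultdict(lambda: {"root": None, "routes": []})
    for ev in parse(text):
        entry = out[(ev["ifindex"], "IPv" + ev["fam"])]
        if ev["kind"] == "address":
            entry["root"] = (ev["errno"], ev["msg"], ev["target"])
        else:
            entry["routes"].append((ev["target"], ev["errno"]))
    return dict(out)

def already_present_roots(text):
    """Keys whose address add failed with errno 17 (File exists), the case the
    report says the NM 0.9.10x code-base treated as success."""
    return [k for k, v in cascades(text).items() if v["root"] and v["root"][0] == 17]

if __name__ == "__main__":
    for key, v in cascades(SAMPLE).items():
        print(key, "root:", v["root"], "dependent route failures:", len(v["routes"]))
```
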

Tony Espy (awe)
summary: - VPN not working with NM 1.2
+ OpenVPN not working with NM 1.2
Tony Espy (awe)
description: updated
Changed in network-manager (Ubuntu RTM):
status: New → Confirmed
assignee: nobody → Tony Espy (awe)
importance: Undecided → Critical
Changed in canonical-devices-system-image:
status: Confirmed → In Progress
Tony Espy (awe) wrote :

Tested my patches on mako, arale and krillin and was able to configure and use the Canonical VPN on all three devices.

Note, as arale has a much newer kernel than the others, it doesn't appear to exhibit the issue with the IPv4 address already existing, however this may also just be timing related. I still see errors with adding one of the IPv6 addresses ( ie. the EINVAL case ), and after installing from the silo ( 77 ), this error goes away.

Test version available in silo 77:

https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/landing-077

Changed in network-manager (Ubuntu RTM):
status: Confirmed → In Progress
Pete Woods (pete-woods) wrote :

Tony, do we also need to include the latest version of network-manager-openvpn in the stable overlay? Could there be improvements in there that help with the latest network manager?

Pete Woods (pete-woods) wrote :

On the phone we currently have 0.9.10.0-1ubuntu1, but in xenial there is 1.1.93-1ubuntu1.

Given the exact version match with NM, it makes me think they should be upgraded in step.

Pete Woods (pete-woods) wrote :

Indeed, the same also seems to apply to the pptp plugin.

Jim Hodapp (jhodapp) wrote :

@pete-woods: Indeed, we have a card in our current sprint that is for upgrading the network-manager-openvpn package to be in sync. However, I'll let Tony comment in greater detail if necessary.

Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
Tony Espy (awe)
Changed in network-manager (Ubuntu RTM):
status: In Progress → Fix Released
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released