OpenVPN not working with NM 1.2
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Canonical System Image |
Fix Released
|
Critical
|
Tony Espy | ||
network-manager (Ubuntu RTM) |
Fix Released
|
Critical
|
Tony Espy |
Bug Description
OpenVPN can be enabled, however when using to connect to the Canonical VPN, it fails.
This is a result of a failure to re-configure the device’s IP addresses and routing table as shown in the following extract from the device’s ( mako ) syslog:
14:32 vpn-connection[
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 do-add-
14:32 default-route: failed to add default route 0.0.0.0/0 via 192.168.1.1 dev 22 metric 600 mss 0 src user with effective metric 600
14:32 do-add-
14:32 vpn-connection[
So, and add IPv6 IP address operation fails with EINVAL, and this causes a cascade of IPv6 route addition failures.
Next, and add IPv4 IP address operation fails with EEXISTS, and this also causes subsequent routing failures.
Finally, another add IPv6 address operation fails with EINVAL.
The first problem, the IPv6 EINVAL failure seems to be caused by the newer netlink logic in NM 1.2 including the peer_address instead of the base address in an IFA_ADDRESS attribute. Changing this code to use address causes the failures to disappear.
The second problem, the IPv5 EEXISTS failure looks like it was handled explicitly in the NM 0.9.10x code-base ( ie. if a netlink operation was nak'd due to EEXISTS, it was treated as SUCCESS ), but not in NM 1.2. The logic is in NM1.2 is a bit more involved, but I was able to patch the code to handle EEXISTS, and the IPv5 operations now succeed.
With this second patch in place, I'm to enable the Canonical VPN, the address and routing failures no longer occur, and I'm now able to access DNS and the internal network.
Note, there's a version (1.2.0-
https:/
I now need to backport the fixes to the version of NM in the overlay PPA ( 1.1.93-
Related branches
- Simon Fels: Needs Fixing
-
Diff: 142 lines (+80/-16)4 files modifieddebian/changelog (+10/-0)
debian/patches/default_powersave_on.patch (+39/-16)
debian/patches/lp1579222-fix-openvpn-platform-nl-logic.patch (+30/-0)
debian/patches/series (+1/-0)
summary: |
- VPN not working with NM 1.2 + OpenVPN not working with NM 1.2 |
description: | updated |
Changed in network-manager (Ubuntu RTM): | |
status: | New → Confirmed |
assignee: | nobody → Tony Espy (awe) |
importance: | Undecided → Critical |
Changed in canonical-devices-system-image: | |
status: | Confirmed → In Progress |
Changed in canonical-devices-system-image: | |
status: | In Progress → Fix Committed |
Changed in network-manager (Ubuntu RTM): | |
status: | In Progress → Fix Released |
Changed in canonical-devices-system-image: | |
status: | Fix Committed → Fix Released |
Tested my patches on mako, arale and krillin and was able to configure and use the Canonical VPN on all three devices.
Note, as arale has a much newer kernel than the others, it doesn't appear to exhibit the issue with the IPv4 address already existing, however this may also just be timing related. I still see errors with adding one of the IPv6 addresses ( ie. the EINVAL case ), and after installing from the silo ( 77 ), this error goes away.
Test version available in silo 77:
https:/ /launchpad. net/~ci- train-ppa- service/ +archive/ ubuntu/ landing- 077