NetworkManager breaks OpenVPN configuration on connection

Bug #1754172 reported by Michał Sawicz on 2018-03-07
34
This bug affects 6 people
Affects Status Importance Assigned to Milestone
network-manager-openvpn (Ubuntu)
Undecided
Unassigned

Bug Description

A previously working OpenVPN configuration stopped connecting, with nm-openvpn complaining about wrong options:

mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8258] audit: op="connection-activate" uuid="e3553582-0f39-404f-bd71-4dc6b92992de" name="Router.Michal" pid=6735 uid=1000 result="success"
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8337] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: Started the VPN service, PID 26187
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8421] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: Saw the service appear; activating connection
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8611] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN plugin: state changed: starting (3)
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8615] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN connection: (ConnectInteractive) reply received
mar 07 22:35:45 michal-laptop nm-openvpn[26190]: Options error: If you use one of --cert or --key, you must use them both
mar 07 22:35:45 michal-laptop nm-openvpn[26190]: Use --help for more information.
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <warn> [1520458545.8648] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN plugin: failed: connect-failed (1)
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <warn> [1520458545.8651] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN plugin: failed: connect-failed (1)
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8658] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN plugin: state changed: stopping (5)
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8660] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN plugin: state changed: stopped (6)
mar 07 22:35:45 michal-laptop NetworkManager[3172]: <info> [1520458545.8680] vpn-connection[0x55e59e3be750,e3553582-0f39-404f-bd71-4dc6b92992de,"Router.Michal",0]: VPN service disappeared

The config, however, includes correct ca/cert/key stanzas:

ca=<redacted>ca.crt
cert=<redacted>michal.crt
key=<redacted>michal.key

The attached screenshot shows a related breakage in the GUI, after making the correct certificate/key file selections, and saving the config, the config file gets broken indeed:

ca=<redacted>ca.crt
cert=<redacted>ca.crt
# no key entry at all

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: network-manager-openvpn 1.8.0-2
ProcVersionSignature: Ubuntu 4.15.0-10.11-generic 4.15.3
Uname: Linux 4.15.0-10-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.8-0ubuntu10
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Mar 7 22:32:57 2018
SourcePackage: network-manager-openvpn
UpgradeStatus: Upgraded to bionic on 2018-02-07 (28 days ago)

Michał Sawicz (saviq) wrote :
Michał Sawicz (saviq) wrote :
Michał Sawicz (saviq) wrote :

Downgrading to the previous version fixes this issue:

 LANG=C apt policy network-manager-openvpn*
network-manager-openvpn:
  Installed: 1.2.10-0ubuntu2
  Candidate: 1.8.0-2
  Version table:
     1.8.0-2 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
 *** 1.2.10-0ubuntu2 100
        100 /var/lib/dpkg/status
network-manager-openvpn-gnome:
  Installed: 1.2.10-0ubuntu2
  Candidate: 1.8.0-2
  Version table:
     1.8.0-2 500
        500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
 *** 1.2.10-0ubuntu2 100
        100 /var/lib/dpkg/status

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Jeremy Bicha (jbicha) wrote :

Please check if 1.8.0-3 fixes this issue for you.

kailoran (kailoran) wrote :

I was having the same problem ("If you use one of --cert or --key, you must use them both" in syslog). Upgrading to 1.8.0-3 fixed the issue for me.

As a minor caveat, simply pointing to the private key file in the UI was not enough and I was getting:
nm-openvpn[5972]: OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
nm-openvpn[5972]: Cannot load private key file /home/tsniatowski/.cert/nm-openvpn/vpn-key.pem

Possibly something else needed tweaking, I fixed this by re-importing the .openvpn file I got and then the connection worked.

Jeremy Bicha (jbicha) wrote :

Thanks for the follow up. I'm marking this as fixed now.

Please feel free to report any other bug you find.

Changed in network-manager-openvpn (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers