Network Manager 0.7, openvpn, VPN Connection Failed

Bug #260291 reported by Erki Hallingu on 2008-08-22
98
This bug affects 13 people
Affects Status Importance Assigned to Milestone
network-manager-openvpn (Ubuntu)
High
ubutnu
openvpn (Ubuntu)
High
Unassigned

Bug Description

Binary package hint: network-manager-openvpn

Network Manager say's: "VPN Connection Failed" when trying to connect to OpenVPN server.

root@ubuntu:/var/log# lsb_release -rd
Description: Ubuntu intrepid (development branch)
Release: 8.10

root@ubuntu:/var/log# apt-cache policy network-manager-openvpn
network-manager-openvpn:
  Paigaldatud: 0.7~~svn20080818t061112-0ubuntu1
  Kandidaat: 0.7~~svn20080818t061112-0ubuntu1
  Version table:
 *** 0.7~~svn20080818t061112-0ubuntu1 0
        500 http://archive.ubuntu.com intrepid/universe Packages
        100 /var/lib/dpkg/status

syslog:
Aug 22 11:15:57 ubuntu nm-openvpn[15205]: [sap5.erki.net] Peer Connection Initiated with 194.106.127.132:1194
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: TUN/TAP device tap0 opened
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: /sbin/ifconfig tap0 10.8.0.7 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tap0 1500 1576 10.8.0.7 255.255.255.0 init
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: openvpn_execve: external program may not be called due to setting of --script-security level
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: script failed: external program fork failed
Aug 22 11:15:58 ubuntu nm-openvpn[15205]: Exiting
Aug 22 11:15:58 ubuntu NetworkManager: <info> VPN plugin state changed: 6
Aug 22 11:15:58 ubuntu NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Aug 22 11:16:03 ubuntu postfix/master[7159]: reload configuration /etc/postfix

seems to be a problem with --script-security.

When connecting to same server with openvpn manually the connection suceeds.

Related branches

Tore Anderson (toreanderson) wrote :

Part #2 of bug #259562 is a dup of this one, so I'm marking as confirmed and merging them.

Tore

Changed in network-manager-openvpn:
status: New → Confirmed
Alexander Sack (asac) wrote :

milestoning to get the server team (who maintains openvpn) on this plate.

Apparently the openvpn upgrade to 2.1~rc7 broke the script-security thing.

Anyone can take a look?

(see bug #259562)

Changed in openvpn:
importance: Undecided → High
milestone: none → intrepid-alpha-6
status: New → Confirmed
Alexander Sack (asac) wrote :

ok, zul confirmed that this is a openvpn issue (not a nm plugin one). next openvpn upload is supposed to fix this. closing nm part accordingly.

Changed in network-manager-openvpn:
status: Confirmed → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.1~rc9-3ubuntu1

---------------
openvpn (2.1~rc9-3ubuntu1) intrepid; urgency=low

  * debian/openvpn.init.d: Add "--script-security 2" by default for backwards compatibility
    (LP: #260291)

 -- Chuck Short <email address hidden> Mon, 25 Aug 2008 10:20:31 -0400

Changed in openvpn:
status: Confirmed → Fix Released
Alexander Sack (asac) wrote :

looks like the nm plugin needs a fix on its own. Thanks to M. Biebl for providing that patch.

diff --git a/openvpn/src/nm-openvpn-service.c b/vpn-daemons/openvpn/src/nm-openvpn-service.c
index 9d0c7d4..0df1178 100644
--- a/openvpn/src/nm-openvpn-service.c
+++ b/openvpn/src/nm-openvpn-service.c
@@ -611,6 +611,10 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
  add_openvpn_arg (args, "--syslog");
  add_openvpn_arg (args, "nm-openvpn");

+ // Override external script protection
+ add_openvpn_arg (args, "--script-security");
+ add_openvpn_arg (args, "2");
+
  /* Up script, called when connection has been established or has been restarted */
  add_openvpn_arg (args, "--up");
  add_openvpn_arg (args, NM_OPENVPN_HELPER_PATH);

Changed in network-manager-openvpn:
importance: Undecided → High
status: Invalid → In Progress
Tore Anderson (toreanderson) wrote :

You're right about that, at least it still doesn't work after the upgrade to openvpn 2.1~rc9-3ubuntu1. Still fails with the script-security error message.

Tore

COLIN Stéphane (bigbob-fun) wrote :
Download full text (8.4 KiB)

Hi,

Applying the pacth seem to fix the connection problem.

Here is the log :

Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXsmpServer: accept_ice_connection()
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Setting up new connection
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: New client '0x91c3ca0 []'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmStore: Adding object id /org/gnome/SessionManager/Client14 to store
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmManager: Client added: /org/gnome/SessionManager/Client14
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Initializing client 0x91c3ca0 []
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Client '0x91c3ca0 []' received RegisterClient(10ab341c573b3a0b42121999669372969000000053580016)
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmManager: Adding new client 10ab341c573b3a0b42121999669372969000000053580016 to session
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Sending RegisterClientReply to '0x91c3ca0 [10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: CurrentDirectory = '/home/bigbob'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: ProcessID = '19160'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Program = 'nm-openvpn-auth-dialog'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [nm-openvpn-auth-dialog 10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: CloneCommand = 'nm-openvpn-auth-dialog'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [nm-openvpn-auth-dialog 10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: RestartCommand = 'nm-openvpn-auth-dialog' '--sm-client-id' '10ab341c573b3a0b42121999669372969000000053580016' '--screen' '0'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: Set properties from client '0x91c3ca0 [nm-openvpn-auth-dialog 10ab341c573b3a0b42121999669372969000000053580016]'
Aug 29 10:24:36 bigbob-virtual x-session-manager[5358]: DEBUG(+): GsmXSMPClient: UserID = 'bigbob'
Aug 29 10:24:36 bigbob-virt...

Read more...

David Tomaschik (matir) wrote :

I can confirm that the patch posted by Alexander Sack fixes the issue.

Erki Hallingu (erkiha) wrote :

Today's updates fixed the issue

Changed in network-manager-openvpn:
status: In Progress → Fix Released
Erki Hallingu (erkiha) on 2008-09-12
Changed in openvpn:
status: Fix Released → New
Erki Hallingu (erkiha) wrote :

2008-09-10 openvpn update fixed the issue, but after that came another update and openvpn is broken again.

Sep 12 10:42:51 ubuntu NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Sep 12 10:42:51 ubuntu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 10127
Sep 12 10:42:52 ubuntu NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Sep 12 10:42:52 ubuntu NetworkManager: <info> VPN plugin state changed: 3
Sep 12 10:42:52 ubuntu NetworkManager: <info> VPN connection 'Siemens' (Connect) reply received.
Sep 12 10:42:52 ubuntu NetworkManager: <WARN> nm_vpn_connection_connect_cb(): VPN connection 'Siemens' failed to connect: 'No VPN configuration options.'.
Sep 12 10:43:04 ubuntu NetworkManager: <debug> [1221205384.024893] ensure_killed(): waiting for vpn service pid 10127 to exit
Sep 12 10:43:04 ubuntu NetworkManager: <debug> [1221205384.025178] ensure_killed(): vpn service pid 10127 cleaned up

Chuck Short (zulcss) on 2008-09-12
Changed in openvpn:
status: New → Fix Released
WillSmith (undertakingyou) wrote :

After earlier update network-manager-openvpn will not connect. Worked great until the update on the 12th, then it was broken. Output of /var/log/syslog:

Sep 16 23:52:19 will-laptop NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7363
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Sep 16 23:52:19 will-laptop NetworkManager: nm_vpn_connection_activate: assertion `nm_vpn_connection_get_vpn_state (connection) == NM_VPN_CONNECTION_STATE_PREPARE' failed
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN plugin state changed: 1
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN plugin state changed: 3
Sep 16 23:52:19 will-laptop nm-openvpn[7367]: Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: script-security (2.1_rc7)
Sep 16 23:52:19 will-laptop nm-openvpn[7367]: Use --help for more information.
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN connection '<name of my VPN>' (Connect) reply received.
Sep 16 23:52:19 will-laptop NetworkManager: <info> VPN plugin state changed: 6
Sep 16 23:52:19 will-laptop NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Sep 16 23:52:31 will-laptop NetworkManager: <debug> [1221630751.971864] ensure_killed(): waiting for vpn service pid 7363 to exit
Sep 16 23:52:31 will-laptop NetworkManager: <debug> [1221630751.972027] ensure_killed(): vpn service pid 7363 cleaned up

Thierry Carrez (ttx) wrote :

WillSmith: you should update openvpn to the latest version as well. network-manager-openvpn depends on "openvpn" while it should now depend on openvpn (>= 2.1~rc9), the one that supports the now-required --script-security option.

Thierry Carrez (ttx) wrote :

Erki: could you please open a separate bug ? the two issues don't seem to be connected. Just confirm between which versions it appeared and give more information on the "Siemens" configuration that seems to have no options. Thanks.

Erki Hallingu (erkiha) wrote :

Hi,
I discovered that my problem was indeed different. While experimenting with various settings, I had accidentally left "System setting" as checked. When clearing that checkmark, my connection starts working.

Why does this affect the connection? If I understood correctly, this means that by checking "System setting", the connection should by made without user login. But when I'm actually logged in, the connection should still be possible irrelevant of this setting?

erki

WillSmith (undertakingyou) wrote :

Thierry:
I updated openvpn to the rc9. The first try it did the same thing as before. But now it works. So, updating to openvpn 2.1~rc9 seems to fix the issue.

Ilya Brik (ibrik) wrote :

The same problem (openvpn_execve: external program may not be called due to setting of --script-security level)
in openvpn version 2.1~rc11-1ubuntu2.
So it seems the problem returns...

Tore Anderson (toreanderson) wrote :

Still works for me.

Tore

Ilya Brik (ibrik) wrote :

Indeed, my mistake. I've ran it with --script-security 2 option and everything is OK.
Apologizing for providing a wrong info.

I'm still having the problem that Erki Hallingu and WillSmith reported.

Nov 1 16:40:05 valentin-laptop NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 10955
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> VPN plugin state changed: 1
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> VPN plugin state changed: 3
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> VPN connection 'VPN Connection Name' (Connect) reply received.
Nov 1 16:40:05 valentin-laptop NetworkManager: <WARN> nm_vpn_connection_connect_cb(): VPN connection 'VPN Connection Name' failed to connect: 'No VPN configuration options.'.
Nov 1 16:40:05 valentin-laptop NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> (eth1): writing resolv.conf to /sbin/resolvconf
Nov 1 16:40:05 valentin-laptop NetworkManager: <info> Policy set 'Auto AP' (eth1) as default for routing and DNS.

openvpn 2.1~rc11-1ubuntu2 on Intrepid.

René Oelke (rene.oelke) wrote :

I can confirm this bug. When i start a openvpn-connection with the network manager, the connection seems to be okay. But when i ping some hosts (by hostname) something seems to be wrong. I have attached the syslog output. In my openvpn configuration i use some resolv-scripts:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

It seems to be a special resolver problem. When i start the openvpn connection manually everything i okay:

# sudo openvpn --script-security 2 --config ./vpn/office.conf

ubutnu (ubutnu) on 2009-08-31
Changed in network-manager-openvpn (Ubuntu):
assignee: nobody → ubutnu (ubutnu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Bug attachments