network-manager-openvpn does not support all options supported by openvpn

Bug #364101 reported by Valentin Neacsu
238
This bug affects 48 people
Affects Status Importance Assigned to Milestone
NetworkManager-OpenVPN
Confirmed
Wishlist
network-manager-openvpn (Ubuntu)
Wishlist
Unassigned

Bug Description

Binary package hint: network-manager-openvpn

This is my .ovpn config file that works on Windows and on Intrepid/Jaunty using the command line:
------ cut here ----
pull

tls-client

port 443
 #check

remote xx.xx.xx.xx #check

proto tcp-client
 #check

pkcs12 mycert.p12
 #converted to *.pem then was able to import them

reneg-sec 300

keysize 512

cipher BF-CBC
 #check
tls-cipher DHE-RSA-AES256-SHA

dev tap
 #check

verb 4

comp-lzo
 #check

link-mtu 1400

ping 15

---- end of config file ----

All the options marked with #check have a corresponding option within the network-manager-openvpn GUI. All those not marked have no way of being configured.

When trying to connect with only those options configured I get the following errors:
--- start of log file ----
Apr 20 15:00:16 valentin-laptop NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Apr 20 15:00:16 valentin-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 3965
Apr 20 15:00:16 valentin-laptop kernel: [64813.625564] tun: Universal TUN/TAP device driver, 1.6
Apr 20 15:00:16 valentin-laptop kernel: [64813.625570] tun: (C) 1999-2004 Max Krasnyansky <email address hidden>
Apr 20 15:00:16 valentin-laptop NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Apr 20 15:00:16 valentin-laptop NetworkManager: <info> VPN plugin state changed: 1
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
Apr 20 15:00:20 valentin-laptop NetworkManager: <info> VPN plugin state changed: 3
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 20 15:00:20 valentin-laptop NetworkManager: <info> VPN connection 'Work OpenVPN' (Connect) reply received.
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: WARNING: file '/home/valentin/Stuff/Downloads/openvpn/mycert.key.pem' is group or others accessible
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: LZO compression initialized
Apr 20 15:00:20 valentin-laptop nm-openvpn[3973]: Attempting to establish TCP connection with xx.xx.xx.xx:yyy [nonblock]
Apr 20 15:00:21 valentin-laptop nm-openvpn[3973]: TCP connection established with xx.xx.xx.xx:yyy
Apr 20 15:00:21 valentin-laptop nm-openvpn[3973]: TCPv4_CLIENT link local: [undef]
Apr 20 15:00:21 valentin-laptop nm-openvpn[3973]: TCPv4_CLIENT link remote: xx.xx.xx.xx:yyy
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1576', remote='link-mtu 1400'
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1356'
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 512'
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: [some-random-hostname] Peer Connection Initiated with xx.xx.xx.xx:yyy
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: Authenticate/Decrypt packet error: cipher final failed
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: Fatal decryption error (process_incoming_link), restarting
Apr 20 15:00:22 valentin-laptop nm-openvpn[3973]: SIGUSR1[soft,decryption-error] received, process restarting
Apr 20 15:00:27 valentin-laptop nm-openvpn[3973]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 20 15:00:27 valentin-laptop nm-openvpn[3973]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 20 15:00:27 valentin-laptop nm-openvpn[3973]: Re-using SSL/TLS context
---- end of log file ----

After trying to manually set the 3 options it complains about (link-mtu, tun-mtu, keysize) with gconf-editor the connection wouldn't even innitialize any more, saying that it doesn't support these options.

Was hoping that the "new and improved" NM in Jaunty would fix this bug, but this seems to not be the case.

Revision history for this message
Eric Carvalho (eric-carvalho) wrote :

Same problem.
My OpenVPN server uses a non-default keysize, so I can't use Network Manager to connect bacause there's no way to set keysize on GUI. The log says "WARNING: 'keysize' is used inconsistently".
Please add more options to the "OpenVPN Advanced Options" dialog.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Revision history for this message
Sergei Genchev (sgenchev) wrote :

 nm-openvpn does not support *most* of the openvpn options. Just compare number of checkboxes with the number of openvpn options in man page. Most of these unsupported options are obscure enough to not be reported but some - like these ones, pkcs12 support, multiple "remote" options, up/down scripts etc. - are painful enough for some people. There are multiple bugs saying "it does not support option X"
 How hard would it be to support "I have my working config file, use it" advanced option? This would make mm-openvpn usable for people who simply cannot use it now.

Revision history for this message
Matthew Twomey (mtwomey) wrote :

I am having the same issue. I occasionally use very simple openvpn tunnels across already encrypted links and in those specific cases I'd like to have encryption off and no authentication. Here is an example config file:

------ cut here ----
remote 192.168.0.101 1000
dev tun0
ifconfig 10.10.10.2 10.10.10.1
proto udp
ping 5
link-mtu 1366
up-delay
daemon
---- end of config file ----

There is no way to implement this presently in "network-manager-openvpn". I'd suggest something like this:

1. Allow an "expert option" to simply specify an openvpn config file to be used for the connection.

2. Include an "advanced" area where the user is allowed to edit the options that will be used (e.g. what follows '/usr/sbin/openvpn' while referencing variable from the rest of the configuration gui. For example:

Edit Command Line: --remote $Gateway $lzo --nobind --dev $tun_or_tap --proto $proto --port $port ...etc

The gui would dynamically build this command line while you edited and/or checked/unchecked options (similar to the way several IDEs do for a compiler/linker).

Revision history for this message
Mario B. (boonekamp-deactivatedaccount-deactivatedaccount) wrote :

Another vote for Sergeis suggestion. Please add an option like "I have my working config file, use it". I have a lot of connections to my customers with different settings. None of them do work with the NM-plugin. Sorry, but this plugin is a pain in the a** since the project started and there is no hope that the situation is getting better within the next years. An option to use an existing config file is the best workaround I've heard so far.

Revision history for this message
blackjam (blackjam) wrote :

I have the same experience. I have a ton of working .ovpn files, but almost none of them translates well into NM setting. In my opinion the greatest help would be to enable NM to run openvpn with supplied configuration file. In fact I only need a very simple wrapper around "sudo openvpn config.ovpn" with simple GUI and integration into NM.

Revision history for this message
Fabian (fhueske) wrote :

I'd like to support Sergeis request. An option to use a custom config file would be great.

Revision history for this message
Captain Chaos (launchpad-chaos) wrote :

Here's my vote for being able to use an existing OpenVPN config file. You can import one, but that fails if it's not a configuration network-manager-openvpn knows about.

I know I can easily start openvpn from the command line, but as long as I have that network icon there and it has VPN support it would be very nice to be able to use it to start my custom OpenVPN connections. It should not be too difficult to implement. It could be an option on the advanced settings panel.

Revision history for this message
thomasn80 (thomasn80) wrote :

Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.

Revision history for this message
Florian (floeschie) wrote :

This bug effects me too… since I installted (K)Ubuntu Intrepid :-(

Revision history for this message
Githlar (githlar-deactivatedaccount) wrote :

This also affects me. In my instance, sometimes I need to use Azilink on my phone to tether when I can't get an internet connection. This requires both no encryption and no authentication. It's kind of frustrating, because some applications look at Network Manager's status and if there are no connections there it stays in offline mode. However, with the current configuration I use while tethering, there IS a connection, it's just not reported by Network Manager.

Revision history for this message
Darsey Litzenberger (dlitz) wrote :

One workaround is to open up gconf-editor, go to /system/networking/connections/#/vpn and add keys for the options you want.

Revision history for this message
txapelgorri (ibon) wrote :

Hi:

After reading the last post suggesting a workaround I try to add some keys with gconf-editor, for example "tls-remote", but didn't work witth Karmic and network-manager-openvpn version 0.8~rc1-0ubuntu1~nm1~karmic, installed from the PPA: http://ppa.launchpad.net/network-manager/ppa/ubuntu

This version of Network Manager ( > 0.8 ) is supposed to accept this kind of options with OpenVPN, as seen here: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/116256

Any suggestion around this issue?.

Cheers, Ibon.

Revision history for this message
3esmit (3esmit) wrote :

This bug is still around in Ubuntu 10.10.

I am affected due importing 'comp-lzo' setting.

To work around you need to change from
comp-lzo
to
comp-lzo yes

then it will work.

Revision history for this message
Алексей Капранов (Alex Kapranoff) (kkapp) wrote :

I need multiple remotes. An option to use existing openvpn config would be great.

Revision history for this message
Mehmet Atif Ergun (mehmetaergun) wrote :

Comment #8 also indicates a security vulnerability, doesn't it?

Revision history for this message
Mike Dawson (5gpy) wrote :

I google'd the heck out of this - couldn't find anything. Hack/workaround I used was:

mv /usr/sbin/openvpn /usr/sbin/openvpn.real

make a new shell script for /usr/sbin/openvpn

#!/bin/bash
/usr/sbin/openvpn.real <mycustomoptions_here> $@

Revision history for this message
Matt Lavin (matt-lavin) wrote :

I opened bug #1047362 to specifically request support using a .ovpn file directly for configuration, as described in comment #2.

Revision history for this message
Rebecca Menessec (aloishammer-deactivatedaccount) wrote :

I need to be able to add --explicit-exit-notify. This is a must with UDP connections. I find it bizarre that OpenVPN doesn't enable this by default. However, since it doesn't, NM really needs to be able to call the option explicitly.

Is there a solid reason why there isn't an "advanced options pass-through" ability?

Changed in network-manager-openvpn:
importance: Unknown → Wishlist
status: Unknown → New
Changed in network-manager-openvpn:
importance: Wishlist → Unknown
status: New → Unknown
Changed in network-manager-openvpn:
importance: Unknown → Wishlist
status: Unknown → New
Changed in network-manager-openvpn:
status: New → Confirmed
Revision history for this message
SiJux (1f-ubuntu) wrote :

Keysize still isn't configurable.

Robert wrote a path for Fedora: http://pkgs.fedoraproject.org/cgit/NetworkManager-openvpn.git/tree/keysize.patch?h=el6
Maybe the patch is usable for ubuntu, too?

Hope this helps to fix that.

Thank you.

Revision history for this message
Eduardo Leggiero (eduardoleggiero) wrote :

The --ping-restart option isn't supported too.

Revision history for this message
Stephane Lapie (stephane-lapie) wrote :

I would like to propose the following patch to handle the options in the configuration file (just tested it right now, and it does the job)

[vpn]
<...>
ping=10
ping-restart=60

As one can see, the process spawned has the proper arguments :
$ ps auxw | grep vpn
root 3752 0.0 0.0 28444 2728 ? S 22:16 0:00 /usr/sbin/openvpn --remote <...> --nobind --dev tun --proto udp --port 1194 --auth-nocache --ping-restart 60 --ping 10 --syslog nm-openvpn --script-security 2 --up /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --ifconfig-noexec --secret <...> --ifconfig 192.168.100.2 192.168.100.1

This alone of course won't fix the UI, but it's a start.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Adds "--ping" and "--ping-restart"" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Gilles Scokart (gscokart) wrote :

I'm using openvpn behind a proxy that doesn't work with the auto detection of the authentification method. I should force 'basic', but it is not present in the currently supported options.

Revision history for this message
Forest (foresto) wrote :

> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.

> Comment #8 also indicates a security vulnerability, doesn't it?

Yes, lack of ns-cert-type server support is indeed a security vulnerability. It affects sites that use a single CA to sign both client and server certificates. The risk is that anyone's client certificate can be used to impersonate the server; for example, to execute a man-in-the-middle attack.

One workaround would be to use the newer "--remote-cert-tls server" option instead, but that requires an X.509v3 extension in the server certificate, which some sites do not have.

Another workaround would be to use the "--verify-x509-name" option, but network-manager-openvpn does not support it.

Another workaround would be to use the "--tls-remote" option, but that one is deprecated, and network-manager-openvpn's support for it breaks if there is a space in the server certificate's Common Name field.

https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

In short, NetworkManager's OpenVPN support is not merely weak; it is severely broken. This particular break (which is not the only one) puts users at risk by silently discarding important security precautions that are configured in the .ovpn files it "imports".

Revision history for this message
Forest (foresto) wrote :
Revision history for this message
Dorian Harmans (dojo86) wrote :

Here's a patch to enable use of the tls-cipher option in the connection files, in Xenial.
I adjusted the patch TJ wrote for Wily a while ago.

Mathew Hodson (mhodson)
Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Paul Bransford (draeath) wrote :

It would be grand if one could just add arbitrary key/value pairs of arguments.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.