unable to import config with inlined ca, cert, key or tls-auth

Bug #606365 reported by Till Klampaeckel on 2010-07-16
This bug affects 138 people
Affects: NetworkManager-OpenVPN (Status: Fix Released; Importance: Medium)
Affects: network-manager-openvpn (Ubuntu) (Importance: High; Assigned to: Unassigned)

Bug Description

Binary package hint: network-manager-openvpn-gnome

So a client of mine runs an OpenVPN setup. It exported a client.ovpn file but it fails to completely import this file using the network-manager (gnome) on Ubuntu 10.04.

When I import the file, it gives me the name ("client") and gateway ("vpn.example.org") on the initial screen. No other fields are populated even though the client.ovpn file also includes a user certificate, server certificate and a private key.

When I go to advanced, some (most) of the settings obviously seem to import correctly, others not at all. E.g. none of the TLS settings (key and key direction) are imported.

From what I understand I should be able to use this without any additional settings.

The following software is installed through aptitude:

 * openvpn (2.1.0)
 * openvpn-blacklist
 * network-manager-openvpn
 * network-manager-openvpn-gnome

Till Klampaeckel (till-php) wrote :

I wanted to share the configuration (dummy):

remote vpn.example.org
client
proto tcp
port 443
dev tun
ns-cert-type server
auth-user-pass
auth-retry interact
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
FOO
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
FOO
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
FOO
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
FOO
-----END OpenVPN Static key V1-----
</tls-auth>

So the quickfix here is that you can dissect the file and import it all once you figured out the corresponding dropdown/whatever in the network manager. So for example in the example above I needed to select "Passwords with certificates (TLS)" and enter another user/pass along with it, no password for the key and also the TLS key and direction in advanced.

One more note - the following settings seemed to get imported:
proto, port, comp-lzo, remote

The rest was ignored.

I hope this helps.

emilio (emiliomaggio) wrote :

I have the same problem in importing the ovpn file provided by my company system administrators

emilio (emiliomaggio) on 2010-09-03
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed

AlexConrad (aconrad-tlv) wrote :

Same problem for me under Ubuntu 10.04.

Running "sudo openvpn --config client.ovpn" works though.

Mitch Goldenberg (kgolden) wrote :

Same problem in Ubuntu 10.10.

Again, "sudo openvpn --config client.ovpn" works properly.

Till Klampaeckel (till-php) wrote :

Thanks for posting the workaround, it's definitively a small bug in network-manager-openvpn.

kapetr (kapetr) wrote :

I can confirm that in Ubuntu 10.10:

Specially: statements auth-user-pass and route are ignored.

So most configs are not possible to import.
To set auth-user-pass manually in applet is trivial, but add e.g. 20 route statements via this interface is quite impossible.

See for example attached config for popular USA IP service with many routes.

BTW - in this example - OpenVPN does not add a route to host (--remote) via the old GW. I'm not sure, if it is not also a bug, but the config fails. It is necessary to add also this route statement:

route remote_host net_gateway

--kapetr

kapetr (kapetr) wrote :

Till Klampaeckel (till-php) wrote :

To add to this - the export feature is broken too.

I tried to rescue a couple profiles which I had done on another workstation for backup purposes, but it didn't work at all in 10.04.1.

lordbinky (lordbink) wrote :

I have the same issue in Ubuntu 11.04 where importing a .ovpn file isn't completely imported.

Justin (justin-wzy) wrote :

same issue in Oneiric

Stephan Fabel (sfabel) wrote :

This problem still exists in Precise.

Todd Howe (tehowe) wrote :

Can't hook up to my ISP's VPN. IT'S 2012

Todd Howe (tehowe) wrote :

Found a way to do this that works under GUI network-manager

http://howto.praqma.net/ubuntu/vpn/openvpn-access-server-client-on-ubuntu

lenzai (lenzai) wrote :

praqma.net website is down but the workaround is still published at
http://askubuntu.com/questions/134918/setting-vpn-client

almost 2 years .... maybe we should write a bash to break down the ovpn into certificate files if this bug can't be fixed ?

exactt (giesbert) wrote :

2013... Ubuntu 12.10... still not working...

Claus Lensbøl (cmol) wrote :

Used the workaround from #14 and got it working, but without the fix I'm having the same issues.

kingtiger01 (mnovick1988) wrote :

Come on, we're weeks away from Raring (13.04). Quit dropping the ball on things like this, Ubuntu Team!

Parasit (parasit-go2) wrote :

2013... Ubuntu 13.04... still not working...
Eg. certs configuration are imported (#14 method) but still not connecting from GUI.

bagl0312 (bagl0312) wrote :

I confirm the same problem.
ovpn conf files produced by the openvpn/privatetunnel site:

https://www.privatetunnel.com/

are not imported correctly by the network-manager on ubuntu 13.04.
They instead work giving the command

openvpn --config xxx.ovpn

Carla Sella (carla-sella) wrote :

I am having the same problem importing a file for Watchguard on Saucy with all updates using network manager (today is July 20th 2013).
The "sudo openvpn --config client.ovpn" works properly.

Jakob (jmollerhoj) wrote :

same problem, ubuntu 13.10 here

bagl0312 (bagl0312) wrote :

Confirmed, same problem in 13.10
This bug has been around for more than two years now :(

Bachi (m-bachmann) wrote :

Proud to be the first posting 2014. Wow. C'mon folks...

Giovanni Panozzo (giox069) wrote :

This is the more related upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=633337

Please add your comments there explaining all problems importing .ovpn files (certs not imported, invalid TLS selection and other badly imported parameters).
Maybe someone will notice it one day... :(

Monty Cantsin (open-pop-star) wrote :

same in Trusty Tahr 14.04

Martin (getmartin) wrote :

Confirmed, same bug in 14.04.
Well, the workaround "sudo openvpn --config client.ovpn" is still working.

I am having issues with 14.04 lts openvpn client for gnome as well. I get the same freezing and not loading the config file issues. I had to revert back to 12.04 lts as this feature is needed in my line of work. Any fix available?

Simon Déziel (sdeziel) on 2014-05-23
summary: - client.ovpn file is not completely imported
+ unable to import config with inlined ca, cert, key or tls-auth
Changed in network-manager-openvpn:
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager-openvpn:
importance: Unknown → Medium
status: Unknown → Confirmed

Tomislav (hefest) wrote :

Same as #25 and #26.

Tomislav (hefest) wrote :

Actually, I'm not having luck with the workaround: it seems that DNS settings have not been updated to find resources in the VPN.

Solitaire (bill-s0l) wrote :

This bug affects me as well.

Anyone got a script working to automate the creation of the separate certificates and keys from inside the .ovpn file?
Would be a great workaround till this gets fixed

Frol (frolvlad) wrote :

2015... Nothing was done yet. Let's make some movements.

Here is the import function:
http://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/properties/import-export.c#L268

and here are the lines of ca/cert/key tags parsing:
http://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/properties/import-export.c#L563

My suggestion is to save inline ca/cert/key inside of a Network Manager configurations file encoded into base64 (again) with "inline:" prefix, e.g.:
[connection]
id=MyVPN
uuid=ac9d354e-03ef-4063-8c96-4a40bd17bea6
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=myvpnhost.com
cert-pass-flags=0
tap-dev=no
proto-tcp=no
mssfix=no
ca=inline:<base64 coded>
cert=inline:<base64 coded>
key=inline:<base64 coded>

Another approach would be to parse as much information from *.ovpn file as we can, remove parsed parts, encode rest of the file into a base64 string, and save it into a Network Manager connection config file. This may help to deal with extra options like inline certificates, but may also cause unexpected configuration conflicts.

Ryan Hendry (ryanhendry123) wrote :

I am experiencing the same problem.

Mahdi Fattahi (mfat) wrote :

Can somebody please fix this?

Lars (stecklars-r) wrote :

Would be really nice if somebody could take a look at this and work on it. Thanks :)

seebk (seebk) wrote :

I have created a small python script to extract the embedded certificates and to rewrite the ovpn config to use separate key and cert files.

https://gist.github.com/seebk/bb94a7fd70d4cc454aaa

Maybe it helps to simplify the error prone manual setup until this bug is fixed.
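
The splitting workaround that several commenters ask for, sketched here as an added example (it is not seebk's gist, dolanor's ovpnsplit or code from network-manager-openvpn). It moves each inline block into its own file, folds `key-direction` into OpenVPN's `tls-auth <file> <direction>` form, and writes the private key and TLS key owner-only; the file names, the `client` prefix and the sample profile are constructed assumptions.

```python
import os
from pathlib import Path

# File-name suffix for each inline tag named in this report's title (names assumed).
SUFFIX = {"ca": "ca.crt", "cert": "cert.crt", "key": "key.pem", "tls-auth": "tls-auth.key"}
SECRET = {"key", "tls-auth"}  # private material, written owner-only

# Constructed sample, modelled on the dummy profile posted in this report.
SAMPLE = """\
remote vpn.example.org
dev tun
<ca>
-----BEGIN CERTIFICATE-----
FOO
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN RSA PRIVATE KEY-----
FOO
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
FOO
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def split_inline_profile(text, prefix="client"):
    """Return (rewritten config, {tag: block body}) for an inline .ovpn profile."""
    out, blocks, tag, direction = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if tag is not None and line != f"</{tag}>":
            blocks[tag].append(line)              # body of the open inline block
        elif tag is not None:
            tag = None                            # matching closing tag
        elif line.startswith("<") and line.endswith(">") and line[1:-1] in SUFFIX:
            tag = line[1:-1]
            blocks[tag] = []
            out.append((tag, f"{tag} {prefix}-{SUFFIX[tag]}"))
        elif len(parts) == 2 and parts[0] == "key-direction":
            direction = parts[1]                  # folded into the tls-auth line
        else:
            out.append((None, raw))
    if tag is not None:
        raise ValueError(f"unterminated <{tag}> block")
    lines = [l + f" {direction}" if t == "tls-auth" and direction else l for t, l in out]
    if direction and "tls-auth" not in blocks:
        lines.append(f"key-direction {direction}")  # no inline block to attach it to
    return "\n".join(lines) + "\n", {t: "\n".join(b) + "\n" for t, b in blocks.items()}

def write_split_profile(text, out_dir, prefix="client"):
    """Write the rewritten profile plus one file per block; return their paths."""
    config, blocks = split_inline_profile(text, prefix)
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = {"config": out_dir / f"{prefix}.ovpn"}
    paths["config"].write_text(config)
    for tag, body in blocks.items():
        mode = 0o600 if tag in SECRET else 0o644
        paths[tag] = out_dir / f"{prefix}-{SUFFIX[tag]}"
        fd = os.open(paths[tag], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, mode)                   # enforce mode even if the file existed
            fh.write(body)
    return paths
```
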

zao (zao-d) wrote :

Hope this bug will be addressed - five years without a fix - is far too long...
:(

Nyr (nyr-nzone) wrote :

Come on, many of the latest OpenVPN implementations use in-line certificates by default... how can this bug be still there five years later?

Nicolas Diogo (nicolasdiogo) wrote :

Happy Birthday to this Bug !!!

Sarcasm apart - it is amazing that such an important piece of software is not being supported properly - particularly with the corporate market requesting it.

if the suggestion here:
https://bugzilla.gnome.org/show_bug.cgi?id=633337

is correct - that it is not possible to handle inline certificates & it will be necessary to manually edit the ovpn file.

could we have an article/wiki explaining the steps to do so?

or a small utility that could do this work?

Thanks,

Frol (frolvlad) wrote :

@Nicolas It is not the answer for *inlined* certificates. You can extract inline certificates into separate files, but it is not what people requested here.

Markus Majer (mpathy) wrote :

I thought I'd have another look, and wow, the bug is still existent.. Wow! Years!
Even though it is so easy to fix it, and there are already solutions present, it just has to get upstream.
Can somebody state what the problem is?
It's a quite enterprisey thing that doesn't work for years now, no wonder they still use RHEL everywhere.. :/

Markus Majer (mpathy) wrote :

Btw for those people who are looking here for bugfixes, which they don't get, look at this:

Yes, there is:
http://howto.praqma.net/ubuntu/vpn/openvpn-access-server-client-on-ubuntu

And even a little Python script that breaks it apart:
https://gist.github.com/seebk/bb94a7fd70d4cc454aaa

So, as you see, it would be so damn easy for the Network Manager to read these kind of files, which are very very common for OpenVPN, because you only have to provide ONE file.

Spayder26 (spayder26) wrote :

I just hit this bug. And this is how Ubuntu will never get enterprise acceptance.

Yavvsy (yavanna-spring) wrote :

Confirmed for 15.04: Still an issue for in-line *.ovpn files
still works with sudo openvpn --config client.ovpn

Off to do this manually, but... this IS an issue for larger deployments.

Frol (frolvlad) wrote :

Just FYI, this feature is already implemented in KDE (plasma-nm) - https://bugs.kde.org/show_bug.cgi?id=349282

Tanguy Herrmann (dolanor) wrote :

It seems we have a hero!
http://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/revision/559

For my use case (.ovpn file created by https://hub.docker.com/r/kylemanna/openvpn/ ), I guess I will still lack the TLS-AUTH file blob.
Maybe I'll add it myself if I have time.

But meanwhile I also created a tool for that at: https://github.com/dolanor/ovpnsplit
It is in go, and if you want binaries directly, here they are: https://github.com/dolanor/ovpnsplit/releases

Diego (gran-diego) wrote :

Will this ever be addressed?

Changed in network-manager-openvpn:
status: Confirmed → Fix Released

Andres G. Aragoneses (knocte) wrote :

> Changed in network-manager-openvpn:
> status: Confirmed → Fix Released

Great! Will 16.04 have this fix?

urusha (urusha) wrote :

16.04 now includes upstream fixed version. So it doesn't affect xenial anymore.

Bogdan Grosu (groenator) wrote :

I am using Ubuntu GNOME 16.4 beta 2, and the fix is not there. The file still cannot be imported....

Simon Déziel (sdeziel) wrote :

Bogdan, please make sure to have all the updates applied. Network-Manager and the OpenVPN plugin were refreshed post beta 2 so maybe this got implemented.

bagl0312 (bagl0312) wrote :

Confirmed: I cannot (yet) import a VPN configuration file on 16.04 (current release)

I need to get the packages from proposed repository to make things work.

On Thu, 14 Apr 2016 at 11:11, bagl0312 <email address hidden> wrote:

> Confirmed: I cannot (yet) import a VPN configuration file on 16.04
> (current release)

Bogdan Grosu (groenator) wrote :

I'll try another update, maybe I miss something...

Patrick (patrick-w) wrote :

I'm running 16.04 release. This bug is still present. I tried updating all packages, still no joy. Where can I get this alleged fix? I've been tracking this bug for 6 years and I'm ready to throw my monitor out of the window.

Patrick (patrick-w) wrote :

Further to the above, here is the error message I receive. . .

The file 'client.ovpn' could not be read or does not contain recognised VPN connection information
Error: the plugin does not support import capability.

Kestrell (spam-spamburger) wrote :

Agree with Patrick.

5a54a (5a54a) wrote :

Had no problem importing pfSense ovpn file (with separate p12 and key files) in 15.10. Now in 16.04 LTS cannot import the same files anymore:

"Cannot import VPN connnection
The file 'pfsense-udp-1194-xxxx-xxxx-xx.ovpn' could not be read or does not contain recognized VPN connection information. Error: unknown error."

Mauro Gaspari (ilvipero) wrote :

I just want to confirm this issue, exactly the same 5a54a wrote. This is confirmed on ubuntu-mate 16.04 64bit.
Interesting enough, Kubuntu 16.05 64bit does not have this issue. There is some problem at times importing profiles in Kubuntu, but trying again a second time works well.

I also noticed a few more issues, confirmed on multiple OpenVPN profiles:

TCP Ports
if the port in the profile is selected to be TCP, network-manager does not recognize that, and it is needed to manually go in network manager and select TCP port. However same profiles work fine on windows OpenVPN GUI, also starting OpenVPN from command line on linux works fine.
remote xxxxxxxx tcp-client - This line in the configuration is relevant. network-manager-openvpn cannot interpret that (but works fine on anything else including cli). If I manually change the profile and split 2 lines, it works on network-manager-openvpn. Something like this:
remote xxxxxxxx
tcp-client

SPLIT TUNNEL
if the profile is a split-tunnel configuration, network manager setting "use only for resources on this connection" in "ipv4 - routes" is not ticked. The connection tries to go full tunnel, and internet stops working. Also confirmed that on windows OpenVPN GUI this problem does not exist, and also starting OpenVPN from command line on linux works fine.

If separate bugs are requested, please let me know and I will do that.

sample of an OpenVPN profile (exported by PFSense appliance):
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxxxxxxx tcp-client
lport 0
auth-user-pass
ca xxxxxxxx-ca.crt
tls-auth xxxxxxxx-tls.key 1
ns-cert-type server
comp-lzo
passtos

Best Regards
Mauro

Patrick (patrick-w) wrote :

Importing .ovpn files also worked as expected on Kubuntu 14.04

Zeth (adair-boder) wrote :

Ubuntu 16.04 here with the same issue. "Error: the plugin does not support import capability."

This worked in 14.04!

Patrick (patrick-w) wrote :

How did you have it working in Ubuntu 14.04??? This bug has been present for generations of Ubuntu.

Giovanni Panozzo (giox069) wrote :

In ubuntu 16.04 I'm able to import almost all my 6 .ovpn profiles with all inline certs.

But one profile fails.

The non-importable .ovpn profile works very well if used via commandline (sudo openvpn profile_001.ovpn) or in other vpn clients for OS X and windows.

The error I get on ubuntu mate for raspberry Pi 2 is:
-----
Cannot import VPN connection
The file 'profile_001.ovpn' could not be read or does not contain recognized VPN connection information

Error: the plugin does not support import capability.
------

The error I get on my core i5 desktop
---
Cannot import VPN connection
The file 'profile_001.ovpn' could not be read or does not contain recognized VPN connection information

Error: Key files contains line 'dev tun' which is not a key-value pair, group, or comment.
-----

I have found another user reporting the same issue here:
http://askubuntu.com/questions/760345/cannot-import-saved-openvpn-configuration-file-in-ubuntu-16-04-lts

Giovanni Panozzo (giox069) wrote :

A workaround for the problem of my previous post is to remove the line

float 1

from the .ovpn profile. It gets correctly imported on both ubuntu mate for RPi and Ubuntu 64 bit.

Another problem is the default route setup: routing should be decided by the VPN server and/or the .ovpn profile. But for some reason, the network manager subsystem by default puts the system default gateway to the tunnel interface.
You must manually check "Use this connection only for resources on its network" on the profile after importing the .ovpn profile. An extra manual configuration step which should not be done, because the configuration is already complete in .ovpn or from pushed server routes.
Also please consider that all other openvpn clients don't add this default route by default.

cudiaco (bigmakvoodoo) wrote :

Also running into this problem on 16.04

My unified profile looks like this:

client
remote x.x.x.x 8757
dev tun
proto udp
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
tls-version-min 1.2
comp-lzo
key-direction 1
verb 3
route x.x.x.0 255.255.255.255 net_gateway
<ca>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
xxxxx
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
xxxxxx
-----END RSA PRIVATE KEY-----
</key>

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxxx
-----END OpenVPN Static key V1-----
</tls-auth>

Ubuntu should come with more VPN protocols installed by default, at the very least OpenVPN.

Torsten Harenberg (harenberg) wrote :

Running Ubuntu 16.04 Mate:

I was able to import an "old-style" config file (certificates NOT inline, but in separate files) ONLY after removing all "#" remarks. Seems they are not recognized, neither at the beginning of a line nor somewhere in the middle, so resulting in parsing errors.

The same file imported nicely under Ubuntu 14.04. Only after upgrading the change was needed.

Torsten Harenberg (harenberg) wrote :

Update to #66: importing an "inline" .ovpn file worked now as well (after removing any # remarks). Empty lines did not give any trouble.

cudiaco (bigmakvoodoo) wrote :

I got it to import after removing the following line from the config:

route x.x.x.0 255.255.255.255 net_gateway

However it's a legitimate OpenVPN argument.

Kestrell (spam-spamburger) wrote :

I tried #66 & #68, I made sure there were no '#' in the .ovpn file and I don't have this line in the config:
route x.x.x.0 255.255.255.255 net_gateway

I still get the same error:
The file 'vpn.ovpn' could not be read or does not contain recognized VPN connection information

Error: the plugin does not support import capability.

cudiaco (bigmakvoodoo) wrote :

Kestrell,

Can you post your config file?

Kestrell (spam-spamburger) wrote :

Private Parts removed:

remote x.x.x.x x udp
remote x.x.x.x x udp
remote x.x.x.x x udp
key-direction 1
cipher AES-128-CBC
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy x.x.x.x x
verb 4
reneg-sec 86400
echo vpnx ovpn0x
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo no
explicit-exit-notify 2
fragment 1390
mssfix 1390
hand-window 30
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Medium
importance: Medium → High

Denilson Sá (denilsonsa) wrote :

I tried grabbing the [proxpn.ovpn][1] file ([from this URL][2]) and importing it into network-manager-openvpn. Unfortunately, the "Save" button stays disabled with this message:

"Invalid setting IPv4 Settings: ipv4.routes: 1. route cannot be a default route"

Manually adding the VPN following the instructions from [this URL][3] works. But I expected to be able to quickly import the .ovpn file instead.

[1]: http://www.proxpn.com/chromeos/proxpn.ovpn
[2]: https://support.proxpn.com/customer/en/portal/articles/2276335-proxpn-on-chromebook-chromium-os-
[3]: https://support.proxpn.com/customer/portal/articles/2120656-linux-install-instructions
