unable to import config with inlined ca, cert, key or tls-auth

Bug #606365 reported by Till Klampaeckel on 2010-07-16
764
This bug affects 163 people
Affects Status Importance Assigned to Milestone
NetworkManager-OpenVPN
Fix Released
Medium
plasma-nm
New
High
network-manager-openvpn (Ubuntu)
Medium
Unassigned
plasma-nm (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: network-manager-openvpn-gnome

So a client of mine runs an OpenVPN setup. It exported a client.ovpn file but it fails to completely import this file using the network-manager (gnome) on Ubuntu 10.04.

When I import the file, it gives me the name ("client") and gateway ("vpn.example.org") on the initial screen. No other fields are populated even though the client.ovpn file also includes a user certificate, server certifikate and a private key.

When I go to advanced, some (most) of the settings obviously seem to import correct, others not at all. E.g. none of the TLS settings (key and key direction) are imported.

From what I understand I should be able to use this without any additional settings.

The following software is installed through aptitude:

 * openvpn (2.1.0)
 * openvpn-blacklist
 * network-manager-openvpn
 * network-manager-openvpn-gnome

Till Klampaeckel (till-php) wrote :

I wanted to share the configuration (dummy):

remote vpn.example.org
client
proto tcp
port 443
dev tun
ns-cert-type server
auth-user-pass
auth-retry interact
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----
FOO
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
FOO
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
FOO
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
FOO
-----END OpenVPN Static key V1-----
</tls-auth>

So the quickfix here is that you can dissect the file and import it all once you figured out the corresponding dropdown/whatever in the network manager. So for example in the example above I needed to select "Passwords with certificates (TLS)" and enter another user/pass along with it, no password for the key and also the TLS key and direction in advanced.

One more note - the following settings seemed to get imported:
proto, port, comp-lzo, remote

The rest was ignored.

I hope this helps.

emilio (emiliomaggio) wrote :

I have the same problem in importing the ovpn file provided by my company system administrators

emilio (emiliomaggio) on 2010-09-03
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
AlexConrad (aconrad-tlv) wrote :

Same problem for me under Ubuntu 10.04.

Running "sudo openvpn --config client.ovpn" works though.

Mitch Goldenberg (kgolden) wrote :

Same problem in Ubuntu 10.10.

Again, "sudo openvpn --config client.ovpn" works properly.

Till Klampaeckel (till-php) wrote :

Thanks for posting the workaround, it's definitively a small bug in network-manager-openvpn.

kapetr (kapetr) wrote :

I can confirm that in Ubuntu 10.10:

Specially: statements auth-user-pass and route are ignored.

So most config are not possible to import.
To set auth-user-pass manually in applet is trivial, but add e.g. 20 route statements via this interface is quite impossible.

See for example attached config for popular USA IP service with man routes.

BTW - in this example - OpenVPN do not addd route to host (--remote) via the old GW. I'm not sure, if it is not also a bug, but the config fails. It is necessary to add also this route statement:

route remote_host net_gateway

--kapetr

kapetr (kapetr) wrote :
Till Klampaeckel (till-php) wrote :

To add to this - the export feature is broken too.

I tried to rescue a couple profiles which I had done on another workstation for backup purposes, but it didn't work at all in 10.04.1.

lordbinky (lordbink) wrote :

I have the same issue in Ubuntu 11.04 where importing a .ovpn file isn't completely imported.

Justin (justin-wzy) wrote :

same issue in Oneiric

Stephan Fabel (sfabel) wrote :

This problem still exists in Precise.

Todd Howe (tehowe) wrote :

Can't hook up to my ISP's VPN. IT'S 2012

Todd Howe (tehowe) wrote :

Found a way to do this that works under GUI network-manager

http://howto.praqma.net/ubuntu/vpn/openvpn-access-server-client-on-ubuntu

lenzai (lenzai) wrote :

paqma.net website is down but the work around i still published at
http://askubuntu.com/questions/134918/setting-vpn-client

almost 2 years .... maybe we should write a bash to break down the ovpn into certificate files if this bug can't be fixed ?

exactt (giesbert) wrote :

2013... Ubuntu 12.10... still not working...

Claus Lensbøl (cmol) wrote :

Used the workaround from #14 and got it working, but without the fix I'm having the same issues.

kingtiger01 (mnovick1988) wrote :

Come on, were Weeks away from Raring(13.04) Quit Dropping the ball on things like this Ubuntu Team!

Parasit (parasit-go2) wrote :

2013... Ubuntu 13.04... still not working...
Eg. certs configuration are imported (#14 method) but still not connecting from GUI.

bagl0312 (bagl0312) wrote :

I confirm the same problem.
ovpn conf files produced by the openvpn/privatetunnel site:

https://www.privatetunnel.com/

are not imported correctly by the network-manager on ubuntu 13.04.
They instead work giving the command

openvpn --config xxx.ovpn

Carla Sella (carla-sella) wrote :

I am having the same problem importing a file for Watchguard on Saucy with all updates using network manager (today is July 20th 2013).
The "sudo openvpn --config client.ovpn" works properly.

Jakob (johnthedon) wrote :

same problem, ubuntu 13.10 here

bagl0312 (bagl0312) wrote :

Confirmed, same problem in 13.10
This bug is around since more than two years now :(

Bachi (m-bachmann) wrote :

Proud to be the first posting 2014. Wow. C'mon folks...

Giovanni Panozzo (giox069) wrote :

This is the more related upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=633337

Please add your comments there explaining all problems importing .ovpn files (certs not imported, invalid TLS selection and other badly imported parameters).
Maybe someone will notice it one day... :(

Monty Cantsin (open-pop-star) wrote :

same in Trusy Tahr 14.04

Martin (getmartin) wrote :

Confirmed, same bug in 14.04.
Well, the workaround "sudo openvpn --config client.ovpn" is still working.

I am having issues with 14.04 lts openvpn client for gnome as well. I get the same freezing and not loading the config file issues. I had to revert back to 12.04 lts as this feature is needed in my line of work. Any fix available?

Simon Déziel (sdeziel) on 2014-05-23
summary: - client.ovpn file is not completely imported
+ unable to import config with inlined ca, cert, key or tls-auth
Changed in network-manager-openvpn:
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager-openvpn:
importance: Unknown → Medium
status: Unknown → Confirmed
Tomislav (hefest) wrote :

Same as #25 and #26.

Tomislav (hefest) wrote :

Actually, I'm not having luck with the workaround: it seems that DNS settings have not been updated to find recources in the VPN.

Solitaire (bill-s0l) wrote :

This bug affects me as well.

Anyone got a script working to automate the creation of the separate certificates and keys from inside the .ovpm file?
Would be a great workaround till this gets fixed

Frol (frolvlad) wrote :

2015... Nothing was done yet. Let's make some movements.

Here is the import function:
http://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/properties/import-export.c#L268

and here are the lines of ca/cert/key tags parsing:
http://bazaar.launchpad.net/~network-manager/network-manager-openvpn/trunk/view/head:/properties/import-export.c#L563

My suggestion is to save inline ca/cert/key inside of a Network Manager configurations file encoded into base64 (again) with "inline:" prefix, e.g.:
[connection]
id=MyVPN
uuid=ac9d354e-03ef-4063-8c96-4a40bd17bea6
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=myvpnhost.com
cert-pass-flags=0
tap-dev=no
proto-tcp=no
mssfix=no
ca=inline:<base64 coded>
cert=inline:<base64 coded>
key=inline:<base64 coded>

Another approach would be to parse as much information from *.ovpn file as we can, remove parsed parts, encode rest of the file into a base64 string, and save it into a Network Manager connection config file. This may help to deal with extra options like inline certificates, but may also cause unexpected configuration conflicts.

Ryan Hendry (ryanhendry123) wrote :

I am experiencing the same problem.

Mahdi Fattahi (mfat) wrote :

Can somebody please fix this?

Lars (stecklars-r) wrote :

Would be really nice if somebody could take a look at this and work on it. Thanks :)

seebk (seebk) wrote :

I have created a small python script to extract the embedded certificates and to rewrite the ovpn config to use separate key and cert files.

https://gist.github.com/seebk/bb94a7fd70d4cc454aaa

Maybe it helps to simplify the error prone manual setup until this bug is fixed.

60 comments hidden view all 111 comments

The Connection Editor of the NetworkManager plasma applet is unable to import OpenVPN configuration files which contain inline certificates and keys.

Reproducible: Always

Steps to Reproduce:
1. Open the Connection Editor.
2. File -> Import VPN…
3. Select and open an OpenVPN configuration file (.ovpn) which contains inline certificates and/or keys. That is, the file specifies "[inline]" as the value of the ca, cert, key, and/or tls-auth fields, and then provides ASCII-armoured certificates and/or keys in <ca>, <cert>, <key>, and <tls-auth> elements at the end of the file.

Actual Results:
4. For every inline certificate/key in the configuration file, an error dialog appears indicating that the certificate/key could not be copied because the file [inline] could not be opened. For example:

Error copying file to /home/miller/.kde4/share/apps/networkmanagement/certificates/ukp-vpn_[inline]: Cannot open /tmp/[inline] for input

Expected Results:
4. The Connection Editor should recognize that "[inline]" is not a filename but rather a special value indicating that the certificate/key is contained within the OpenVPN configuration file itself. It should then read in and process that certificate/key.

Do you really use plasma-nm in version 0.9.3.4? I thought this has been fixed already. Any chance you can try at least 0.9.3.5 version where I did one more fix regarding OpenVPN import.

Yes, I'm running plasma-nm 0.9.3.4. I can't test 0.9.3.5 at the moment but can do so as soon as it's packaged for openSUSE 13.2.

That is not the syntax our import code expects. The import code expects no ca, cert, key or ts-auth tags with '[inline]' as value when certificates are embedded. It expects only <ca>, <cert> <key> and <tls-auth> tags in that case. Besides, using '[inline]' as value is redundant in this case.

It may not be the syntax the plasma-nm import code expects, but it's one that the OpenVPN command-line client supports. I've come across a few .ovpn files which use this syntax, and I've seen it recommended by OpenVPN experts such as Jan Just Keijser (see for example <http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config>).

It looks like this [inline] directive was never documented in the OpenVPN man pages. However, given that it's in use, it might still be a good idea for plasma-nm to handle this syntax.

Git commit 599afdacd744a2d7785274687438a23f21617c34 by Lamarque V. Souza.
Committed on 28/06/2015 at 23:26.
Pushed by lvsouza into branch 'master'.

Add support to import .ovpn files with syntax described in
http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config
FIXED-IN: 0.9.3.7

M +22 -5 vpn/openvpn/openvpn.cpp

http://commits.kde.org/plasma-nm/599afdacd744a2d7785274687438a23f21617c34

Git commit c6f0b9df0e1a78c4d54058136580104b5e5b22a7 by Lamarque V. Souza.
Committed on 29/06/2015 at 00:21.
Pushed by lvsouza into branch '0.9.3'.

Add support to import .ovpn files with syntax described in
http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config
FIXED-IN: 0.9.3.7

M +22 -5 vpn/openvpn/openvpn.cpp

http://commits.kde.org/plasma-nm/c6f0b9df0e1a78c4d54058136580104b5e5b22a7

65 comments hidden view all 111 comments
zao (zao-d) wrote :

Hope this bug will be addressed - five years without a fix - is far too long...
:(

Nyr (nyr7) wrote :

Come on, many of the latest OpenVPN implementations use in-line certificates by default... how can this bug be still there five years later?

Nicolas Diogo (nicolasdiogo) wrote :

Happy Birthday to this Bug !!!

Sarcasm apart - it is amazing that such an important piece of software is not been supported properly - particularly with the corporate market requesting it.

if the suggestion here:
https://bugzilla.gnome.org/show_bug.cgi?id=633337

is correct - that it is not possible to handle inline certificates & it will be necessary to manually edit the ovpn file.

could we have an article/wiki explaining the steps to do so?

or a small utility that could do this work?

Thanks,

Frol (frolvlad) wrote :

@Nicolas It is not the answer for *inlined* certificates. You can extract inline certificates into separate files, but it is not what people requested here.

Changed in network-manager-openvpn:
status: Confirmed → Fix Released
Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → Medium
importance: Medium → High
31 comments hidden view all 111 comments
Denilson Sá (denilsonsa) wrote :

I tried grabbing the [proxpn.ovpn][1] file ([from this URL][2]) and importing it into network-manager-openvpn. Unfortunately, the "Save" button stays disabled with this message:

"Invalid setting IPv4 Settings: ipv4.routes: 1. route cannot be a default route"

Manually adding the VPN following the instructions from [this URL][3] works. But I expected to be able to quickly import the .opvn file instead.

[1]: http://www.proxpn.com/chromeos/proxpn.ovpn
[2]: https://support.proxpn.com/customer/en/portal/articles/2276335-proxpn-on-chromebook-chromium-os-
[3]: https://support.proxpn.com/customer/portal/articles/2120656-linux-install-instructions

Marcos Alano (mhalano) wrote :

@denilsonsa

The problem remains on proXPN file. You need to import and delete the routes (under 'IPv4 Settings' tab) after that open advanced settings and close to update and show the button.

Or you could comment all lines with 'route' and then import.

dasti (dasti) wrote :
Download full text (3.2 KiB)

Same error message as above I got the same message a
Error: Key files contains line 'dev tun' which is not a key-value pair, group, or comment.

- running Ubuntu mate 16.04.1 up to date
- configuration files are coming from pfsense (up to date) using the "archive" export that produce a .ovpn file (without keys) plus a .key and .p12 file as this network manager can not handle configurations files with inline keys and certificates

-------------------------
content of the .ovpn file
-------------------------
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
lport 0
verify-x509-name "NAMEOFTHEOPENVPNSERVERHERE" name
auth-user-pass
pkcs12 P12FILENAMEHERE.p12
tls-auth KEYFILENAMEHERE.key 1
ns-cert-type server
comp-lzo adaptive
--------------------------------
end of content of the .ovpn file
--------------------------------

1/
I tried commenting the problematic line but the error then pointed to the 2nd line and then the 3rd....

2/
This .ovpn file can be imported on Mint 17.3 but not in Ubuntu mate 16.04.1 nor Linux Mint 18

I imported it in Mint 17.3 and then exported a .conf file from the network manager.
I edited the .conf file so the correct path to the files.

----------------------------------------
content of the .conf file from Mint 17.3
----------------------------------------
client
remote XXX.XXX.XXX.XXX 1194
pkcs12 /PATH/TO/P12/FILE/P12FILENAME.p12
auth-user-pass
cipher AES-128-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /PATH/TO/KEY/FILE/KEYFILENAME.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
-----------------------------------------------
end of content of the .conf file from Mint 17.3
-----------------------------------------------

NOTE: informations seems to be the same as the .ovpn files but not in the same order

3/
The .conf file successfully imported into ubuntu mate 16.04.1 but the vpn wasn' t working.

4/
I compared visually the configuration of the the network manager in the 2 OS and changed what was different or missing in Mate (without looking at more explanations)
- username
- user password
- private key password
- advanced/security : HMAC authentication to 'sha1'

5/
tried it and it works

6/
here the conf file from ubuntu mate

--------------------------------------------------
content of the .conf file from Ubuntu mate 16.04.1
--------------------------------------------------
 client
 remote XXX.XXX.XXX.XXX 1194
 pkcs12 /PATH/TO/THE/P12/FILE/P12FILENAME.p12
 auth-user-pass
 cipher AES-128-CBC
 comp-lzo yes
 dev tun
 proto udp
 tls-auth /PATH/TO/THE/KEY/FILE/KEYFILENAME.key 1
 nobind
 auth-nocache
 script-security /home/david-stievenard/Desktop/testopenvpnDS/fw-qinhe-1-udp-1194-david.stievenard/forlaunchpad/fw-qinhe-1-udp-1194-david.stievenard-tls.key2
 persist-key
 persist-tun
 user nobody
 group nogroup
--------------------------------------------------
content of the .conf file from Ubuntu mate 16.04.1
--------------------------------------------------

NOTE: the only difference is that there is one space character in front of every line

NOTE2: Importing .ovpn files work...

Read more...

Simon Déziel (sdeziel) wrote :

@datsi, I noticed that the importer has trouble with "comp-lzo something". Using "comp-lzo" alone worked for me but I didn't test with inline cert nor PKCS12.

Simon Déziel (sdeziel) wrote :

I just tested with inlined ca, cert, key and tls-auth on Ubuntu Xenial. All of them are properly imported, the only problem is how to specify the tls-auth key direction if any.

With inlined style, <tls-auth> requires specifying the key direction with the "key-direction" parameter. The problem is the importer just ignores the "key-direction" parameter.

For what it's worth, an out-of-the-box OpenVPN 2.1.3 Access Server user-locked configuration file only needs 1 parameter changed to import with the "network-manager-openvpn-gnome" tool.

The line that says:
reneg-sec 604800

Comment that out.
# reneg-sec 604800

Imports without issue now.

1 comments hidden view all 111 comments
Sodki (henrique-rodrigues) wrote :

With Ubuntu 16.04, solution provided by #77 worked. Thanks, Micah.

Patrick (patrick-w) wrote :

Holy cow! Micah you cracked it for me too! Finally after all these years I can use OpenVPN without cli. Kudos to you.

Samuel Ausman (sgausman) wrote :

Can also confirm that solution specified in comment #77 worked for me on Ubuntu 16.04.1. Thank you Micah!

I've found that removing the #comments in the TA key helped.

D (360-dennis) wrote :

I'm sorry, but im a newbie, but how does this fix get into the ubuntu versions? Do we have to wait until network-manager-openvpn (Ubuntu) gets assigned?

Jeremy LaCroix (j-jlacroix) wrote :

This is working for me now. When I import into Network Manager, it literally tells me which line is the problem now, and whatever line that is, I comment it out and it works. Before, it would just tell me that there was an issue importing but it wasn't specific. But at least now, Network Manager helps me figure out the issue. I recently switched to Ubuntu GNOME, so I'm not sure if there's something specific with the GNOME implementation that displays specific errors, or if Network Manager has changed. At least it's working for me now, albeit with manual intervention being required.

In my opinion, the real issue at this point is that even though commenting out some lines helps, each line is valid and should be accepted. If I export an .ovpn file and use it via the command line, it works without issue (even without commenting out anything). In my view, if the config file is valid enough for OpenVPN itself, it should surely be valid for Network Manager. Perhaps the OpenVPN spec has updated and Network Manager hasn't been updated to match?

BloodyIron (bloodyiron) wrote :

I'm on ubuntu 16.10,

I have pfsense running my openVPN service, and I exported the client config to an ovpn file (inline).

When I get network-manager to import, I STILL get "the plugin does not support import capability".

This bug has been open for OVER 6 YEARS now. How about we get this conclusively fixed already??? I have to switch to Windows to VPN in, I can't get network-manager to use any of my VPN info, even if I manually enter it.

It's mind-blowing this still exists as a problem.

Martin Zbořil (buntubugzilla) wrote :

funnily enough, the bug is actually fixed, all what is needed is actually network-manager-openvpn-gnome (I tested it on version 1.1.93-1ubuntu1.1 in 16.04.2) installed and then the network settings configuration gui restarted so the new VPN shows up as openvpn, after that importing the configuration from ovpn file works..

D (360-dennis) wrote :

im on 16.04.2 too, but i still see the bug. the workaround #77 didnt help for me too..

BloodyIron (bloodyiron) wrote :

I was able to import my config after making the adjustment outlined here : https://askubuntu.com/a/816140

However now I am having issues with systemd and my tap device, I'm not sure it's correctly creating it as I'm doing bridging not tunneling on the server end :( (probably unrelated here though)

Also, please note that the above method for the import did not correctly import my key direction, I had to change that after importing, which is weird.

The error I get is:

"The file 'file.ovpn' could not be read or does not contain recognized VPN connection information

Error: Key file contains line 'dev tun' which is not a key-value pair, group, or comment."

If I edit the file and remove the line "comp-lzo adaptive" from the end of the file the import is successful.

tags: added: xenial
removed: network-manager openvpn
affects: network-manager-openvpn (Fedora) → plasma-nm
Changed in plasma-nm:
importance: Undecided → Unknown
status: New → Unknown
Robie Basak (racb) wrote :

The original bug as reported was a failure to import certain configuration files using network-mangaer-openvpn. This turned out to be due to the use of inlined key material (comment 24). network-manager-openvpn did not support this as a feature at the time, so was unable to parse this type of configuration file.

Support was since added (comment 46). This has been confirmed to work (comments 49, 63, 67, 68 etc). Therefore, this bug as reported has been fixed, so I'm setting it to Fix Released.

It may well be that this doesn't solve configuration imports for all users, as is clear from subsequent comments. But we track one issue per bug, since otherwise statements like "this bug is fixed" and "this bug is not fixed" become meaningless, developers cannot track what they are being asked to do, and users end up with wildly varying expectations that can never be met.

Note that a failure to import a configuration can be an entire class of bugs, not just one single bug. This bug's original reporter's problem turned out to be "doesn't work with inlined key material". Clearly that's not the only thing wrong here, as adding inlined key material support solved the problem for some, but not others. Of the remaining users here who still have import problems, there may yet be *multiple* underlying bugs. So please don't all pile on to a different bug thinking you're still all affected by the same issue.

If you'd like to see your problem fixed, and you'd like to help, then first please read "How to Report Bugs Effectively" (https://www.chiark.greenend.org.uk/~sgtatham/bugs.html) carefully. Take some time to work out exact steps to reproduce your problem, make sure that they really do reproduce, and then paste exact and detailed instructions on how to reproduce your problem into a new bug report. Don't assume that someone else's import failure problem is due to the same underlying bug as your import failure problem. Do link to bugs that you think may be related (such as this one). Don't worry about filing duplicates; in this kind of case it takes far more effort to untangle reports that turn out to have different root causes then it does to mark duplicate bugs if this becomes clear to developers later.

I hope this helps. I can't guarantee what will come next, but by filing actionable reports at least you'll be one step closer to real progress.

Changed in network-manager-openvpn (Ubuntu):
status: Confirmed → Fix Released
Mathew Hodson (mathew-hodson) wrote :

network-manager-openvpn was fixed in Xenial with https://launchpad.net/ubuntu/+source/network-manager-openvpn/1.1.93-1

Mathew Hodson (mathew-hodson) wrote :
Changed in plasma-nm (Ubuntu):
importance: Undecided → Medium
Changed in network-manager-openvpn (Ubuntu):
importance: High → Medium
Changed in plasma-nm (Ubuntu):
status: New → Fix Released
10 comments hidden view all 111 comments

Still reproducible for me with plsma-nm 5.10.4. I get the following error dialog when importing configuration files with inline certificates and agreeing with the prompt to copy the certificates to ~/.local:

Error copying certificate to /home/psy/.local/share/networkmanagement/certificates/ukp-vpn_[inline]: Cannot open /home/psy/vpn/UKP/[inline] for input

I should add that despite the error message, plasma-nm successfully extracted the certificates and copied them to ~.local/share/networkmanagement/certificates. So maybe the error message is spurious.

Hi. Hmmm QFile was not able to open the source file (/home/psy/vpn/UKP/[inline]). Does your user has permission to open that file for reading? That error message is shown only if QFile::copy returns false [1]

If the destination file already exists then QFile::copy returns false. That can be the problem too. In that case QFile::copy does not override the destination file. Probably we should ask the user if he/she wants to override it or keep the old one.

[1] http://doc.qt.io/qt-5/qfile.html#copy

OBS: since Plasma NM was not able to copy the file what it does is registering the source file's path (/home/psy/vpn/UKP/[inline]) in NetworkManager. Since NetworkManager run as root it probably has permission to read that file.

OBS2: Plasma NM run as normal user.

(In reply to Lamarque V. Souza from comment #9)
> Hi. Hmmm QFile was not able to open the source file
> (/home/psy/vpn/UKP/[inline]). Does your user has permission to open that
> file for reading? That error message is shown only if QFile::copy returns
> false [1]

That's because the file doesn't exist. As I already mentioned in the original report, plasma-nm is misinterpreting the [infile] header in the .ovpn file as a filename. It should not be trying to open any new files; the certificates should be read from the .ovpn file it already has open.

Does your file name has any space in it? If it does then you must use quotation mark in the .ovpn to delimitate the file name.

(In reply to Lamarque V. Souza from comment #11)
> Does your file name has any space in it? If it does then you must use
> quotation mark in the .ovpn to delimitate the file name.

I'm telling you for the third time, there is no filename in the .ovpn file. This bug report is about plasma-nm's failure to process .ovpn files which use the special identifier "[inline]" to indicate that the certificates and/or keys are included directly in the .ovpn file.

Changed in plasma-nm:
importance: Unknown → High
status: Unknown → New
14 comments hidden view all 111 comments
Andreas (andreas-8) wrote :

Just experienced this issue in Ubuntu 17.04. Manually configuring the key-direction as stated in #76 fixed it.

Mustafa (nexus38) wrote :

My ubuntu 16.04 has affected but #77 fixed it.

Feraali Sanger (amp-gold) wrote :

I was able to solve my problems on Ubuntu Mate 18.04 by using the command line (rather than the network manager gui) to import the .ovpn as follows:

User@Node-99:~/Downloads$ sudo nmcli connection import type openvpn file Miami.ovpn

Error: failed to import 'Miami.ovpn': configuration error: invalid 1th argument to “mssfix” where number expected (line 6).

What is good about the command line is that it is more verbose and will help you find which line in your .ovpn file is causing the error.

In my case I used a text editor to open the file Miami.ovpn and I commented out the offending line (It was line 6)

So I placed a # in front of the line and a space.

After doing that:

User@Node-99:~/Downloads$ sudo nmcli connection import type openvpn file Miami.ovpn
Connection 'Miami' (cb4d9379-9f35-4b03-b53d-3af05781e5aa) successfully added.

Problem solved. VPN able to connect now and it shows up as a choice inside of the Network manager.

13 comments hidden view all 111 comments

Still reproducible as discussed in Comment 7 and Comment 8 with plasma-nm 5.12.6. That is, importing an OpenVPN configuration file with inline certificates and keys throws up a spurious error dialog about being unable to open the nonexistent file named "[inline]". However, the certificates and keys get successfully copied anyway.

Does the import work when using nmcli (`nmcli connection import type openvpn file $FILENAME`)?

If nmcli works, I would think this is mostly caused by Plasma NM not using the NetworkManager OpenVPN code to import configuration files (bug #396530), but implements an own buggy version.

(In reply to Dennis Schridde from comment #14)
> Does the import work when using nmcli (`nmcli connection import type openvpn
> file $FILENAME`)?
>
> If nmcli works, I would think this is mostly caused by Plasma NM not using
> the NetworkManager OpenVPN code to import configuration files (bug #396530),
> but implements an own buggy version.

I'm now using plasma-nm 5.12.8. This version has the same behaviour as described for plasma-nm 5.12.6 in Comment 13: attempting to import an .ovpn file with inline certificates and keys results in a spurious error dialog, but the keys and certificates get successfully copied anyway.

I also tried using nmcli. This seems to work without any problems:

$ nmcli connection import type openvpn file ~/vpn/ukp-vpn.ovpn
Connection 'ukp-vpn' (c6cbabfe-f117-4af9-aca5-be9e8c88595c) successfully added.

When I open the NetworkManager plasma applet after doing this, I see the VPN connection listed there, with the keys and certificates copied into separate files under ~/.cert/nm-openvpn.

Displaying first 40 and last 40 comments. View all 111 comments or add a comment.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.