Bug 205894

Summary: OpenVPN plugin creates invalid connections
Product: [Unmaintained] Network Management
Reporter: Cypher <cypher.switch>
Component: general
Assignee: Will Stephenson <wstephenson>
Status: RESOLVED FIXED
Severity: normal
CC: bruno, lamarque, vdboor
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: openSUSE
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Cypher 2009-09-01 16:34:19 UTC
Version:           0.9.svn1012598-93.2 (using KDE 4.3.0)
OS:                Linux
Installed from:    SuSE RPMs

The OpenVPN plugin for KNetworkManager4 does not connect. I cannot test with the NM plasmoid as it is not available in the OpenSuse KDE4 Factory repo. 

The log file indicates this:

Sep  1 16:25:38 laptop-02 NetworkManager: <WARN>  wait_for_connection_expired(): Connection (2) /org/freedesktop/NetworkManagerSettings/1 failed to activate (timeout): (0) Connection was not provided by any settings service

Normal connections (WiFi or cable) work perfectly.

OS: OpenSuse Linux 11.1 + KDE4 Factory repo
KDE: 4.3.0
NetworkManager: 0.7.0.r4359-15.2.2
NetworkManager OpenVPN Plugin: 0.7.0.r4274-1.21
KNetworkManager4: 0.9.svn1012598-93.2
KNetworkManager4 OpenVPN Plugin: 0.9.svn1012598-93.2
Comment 1 Bruno Friedmann 2009-09-13 20:13:37 UTC
I can confirm. Even if the GUI now has all the options for OpenVPN, no connection or action is launched by KNetworkManager.

I've got just one line more than Cypher:
<WARN> connection_get_setting_cb(): Invalid connection: 'NMSettingVPN' / 'user-name' invalid: 1 
(I don't need a username for the OpenVPN connection; it's only certificate based.)

I'm using the packages packaged in opensuse-11.2-M7 (KDE 4.3.1).
Comment 2 Bruno Friedmann 2009-09-13 20:14:55 UTC
NetworkManager-openvpn-kde4-0.9.svn1017841-1.2.i586
Comment 3 Bruno Friedmann 2009-09-13 20:33:57 UTC
And this mix for the 11.1 version
NetworkManager-gnome-0.7.0.r1053-11.1.1
NetworkManager-0.7.0.r4359-15.2.2
NetworkManager-glib-0.7.0.r4359-15.2.2
NetworkManager-pptp-0.7.0.r4274-2.9
NetworkManager-kde4-0.9.svn1021242-106.1
NetworkManager-kde4-lang-0.9.svn1021242-106.1
NetworkManager-openvpn-0.7.0.r4274-1.21
NetworkManager-pptp-gnome-0.7.0.r4274-2.9
NetworkManager-vpnc-0.7.0.r4274-1.23
NetworkManager-vpnc-kde4-0.9.svn1021242-106.1
NetworkManager-openvpn-kde4-0.9.svn1021242-106.1
NetworkManager-kde4-libs-0.9.svn1021242-106.1
Comment 4 Will Stephenson 2009-09-14 10:30:26 UTC
Bruno: thanks for the invalid connection log line.  KNM was indeed sending the empty username field, which NM rejects.  I am building a fix and will have it in the opensuse build service for testing today.
Comment 5 Will Stephenson 2009-09-14 11:17:23 UTC
SVN commit 1023218 by wstephens:

Don't send empty vpn usernames, NM rejects this.
CCBUG:205894


 M  +4 -2      vpndbus.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1023218
Comment 6 Bruno Friedmann 2009-09-14 11:20:08 UTC
Hi Will thanks for the commit.

I've seen another annoying / missing part.
In the old NM we could specify "use this connection only for these IPs",
and we gave the IPs of the VPN and of the network behind the VPN.
Is this handled automagically now?


I will test tomorrow after the build has been made.
Comment 7 Will Stephenson 2009-09-15 09:22:44 UTC
Bruno: 

I think this changed in upstream NM.  There is no UI in the gnome applet to specify which IPs to use this VPN connection for.
Comment 8 Bruno Friedmann 2009-09-23 11:13:49 UTC
We have to use an OpenVPN connection with no username/password, just X.509 certificates.
The options needed are the following.

Here is the configuration (there's no value for the ta-key cert, and the direction is wrong: 2 instead of 1):

tab required settings
gateway : vpn.ioda,net
Connect type : x509 certificates
CA file : ca_public.pem
Certificate : c-3po..pem
Key : c-3po.ukey.pm

tab optional settings
Gateway port : auto
use lzo compression checked
use tcp connection not-checked
use tap connection not-checked

tab optional security
Cipher : AES-256-CBC
Hmac : SHA-1

tab optional TLS settings (you need to click on the right > in order to see it)
check : use additional TLS authentication
key : ta-key.pem
Key direction : 1 (for client; 0 is normally server), no other value possible

Here is the resulting config file, which is incomplete:

[connection]
autoconnect=false
icon=nm-vpn-connecting13
id=ioda-VPN
timestamp=-4713,1,1,0,0,0
type=vpn
uuid={3beb3f70-bcc3-436c-a13f-a487511f7665}

[vpn]
Data=auth,SHA1,ca,file:///home/bruno/.openvpn/ioda_ca.public.pem,cert,file:///home/bruno/.openvpn/c-3po.pem,cipher,AES-256-CBC,comp-lzo,yes,connection-type,tls,key,file:///home/bruno/.openvpn/c-3po.ukey.pem,proto-tcp,no,remote,vpn.ioda.net,ta-dir,2,tap-dev,no
PluginName=networkmanagement_openvpnui
ServiceType=org.freedesktop.NetworkManager.openvpn
UserName=



Here is the result in NetworkManager.log when we try to set up the connection:

Sep 23 07:53:48 c-3po NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Sep 23 07:53:48 c-3po NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 32749
Sep 23 07:53:48 c-3po NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Sep 23 07:53:48 c-3po NetworkManager: <info>  VPN plugin state changed: 3
Sep 23 07:53:48 c-3po NetworkManager: <info>  VPN connection 'sigeom-VPN' (Connect) reply received.
Sep 23 07:53:48 c-3po NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'sigeom-VPN' failed to connect: 'invalid integer property 'ta-dir' or out of range [0 -> 1]'.
Sep 23 07:53:48 c-3po NetworkManager: <WARN>  connection_state_changed(): Could not process the request because no VPN connection was active.
Sep 23 07:53:48 c-3po NetworkManager: <debug> [1253685228.068716] run_netconfig(): Spawning '/sbin/netconfig modify --service NetworkManager'
Sep 23 07:53:48 c-3po NetworkManager: <debug> [1253685228.085836] write_to_netconfig(): Writing to netconfig: INTERFACE='eth0'
Sep 23 07:53:48 c-3po NetworkManager: <debug> [1253685228.086139] write_to_netconfig(): Writing to netconfig: DNSSEARCH='vellerat.ioda.net vellerat.ioda.net'
Sep 23 07:53:48 c-3po NetworkManager: <debug> [1253685228.086338] write_to_netconfig(): Writing to netconfig: DNSSERVERS='192.168.105.129 213.251.137.104 213.251.136.104'
Sep 23 07:53:48 c-3po NetworkManager: <info>  Clearing nscd hosts cache.
Sep 23 07:53:48 c-3po NetworkManager: <info>  Policy set 'System eth0' (eth0) as default for routing and DNS.
Sep 23 07:54:00 c-3po NetworkManager: <debug> [1253685240.074873] ensure_killed(): waiting for vpn service pid 32749 to exit
Sep 23 07:54:00 c-3po NetworkManager: <debug> [1253685240.075062] ensure_killed(): vpn service pid 32749 cleaned up


Here is the list of packages used (updated today):
NetworkManager-0.7.0.r4359-15.2.2
NetworkManager-glib-0.7.0.r4359-15.2.2
NetworkManager-pptp-0.7.0.r4274-2.9
NetworkManager-vpnc-kde4-0.9.svn1023237-108.1
NetworkManager-kde4-lang-0.9.svn1023237-108.1
cnetworkmanager-0.8.0.1-0.1.1
NetworkManager-openvpn-0.7.0.r4274-1.21
NetworkManager-pptp-gnome-0.7.0.r4274-2.9
NetworkManager-kde4-libs-0.9.svn1023237-108.1
NetworkManager-openvpn-kde4-0.9.svn1023237-108.1
NetworkManager-kde4-0.9.svn1023237-108.1
NetworkManager-vpnc-0.7.0.r4274-1.23

on an openSUSE 11.1 with KDE Factory.

I will give it a try also on the 11.2 M7 test machine this afternoon.

We're also missing the "use this connection only for networks" option
(for example 192.168.192.0/24), as it was present in KDE 3.5.
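
The two rejections NetworkManager logs in this thread (an empty 'user-name' in comment 1 and a 'ta-dir' outside [0 -> 1] in comment 8) can be checked against a stored connection file before activation. This Python sketch is an added example, not code from KNetworkManager or from any commenter; the sample file is constructed, and it assumes the TLS-auth key file is stored under the key 'ta' and that no Data value contains a comma.

```python
import configparser

# Constructed sample, modelled on the connection file quoted in comment 8.
SAMPLE = """\
[connection]
id=ioda-VPN
type=vpn

[vpn]
Data=auth,SHA1,ca,file:///home/bruno/.openvpn/ioda_ca.public.pem,connection-type,tls,remote,vpn.ioda.net,ta-dir,2
ServiceType=org.freedesktop.NetworkManager.openvpn
UserName=
"""

def parse_vpn_data(raw):
    """Turn the flat 'key,value,key,value' Data string into a dict."""
    items = raw.split(",") if raw else []
    if len(items) % 2:
        raise ValueError("Data has an odd number of fields; a value is missing")
    return dict(zip(items[0::2], items[1::2]))

def check_connection(text):
    """Return the problems this thread shows NetworkManager rejecting."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep 'Data' / 'UserName' case as written
    cp.read_string(text)
    vpn = cp["vpn"]
    data = parse_vpn_data(vpn.get("Data", ""))
    problems = []
    # Comment 4: NM rejects an empty user name; it has to be omitted instead.
    if "UserName" in vpn and vpn["UserName"].strip() == "":
        problems.append("UserName is empty (NM rejects an empty 'user-name')")
    # Comment 8 log: 'ta-dir' must be an integer in [0, 1].
    if "ta-dir" in data:
        try:
            ok = int(data["ta-dir"]) in (0, 1)
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"ta-dir={data['ta-dir']!r} is outside [0, 1]")
        # Assumption: the TLS-auth key file is stored under the key 'ta'.
        if "ta" not in data:
            problems.append("ta-dir is set but no 'ta' key file is stored")
    return problems

if __name__ == "__main__":
    for p in check_connection(SAMPLE):
        print("WARN:", p)
```
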
Comment 9 Will Stephenson 2009-09-27 22:00:52 UTC
*** Bug 208354 has been marked as a duplicate of this bug. ***
Comment 10 Will Stephenson 2009-09-27 22:01:51 UTC
I fixed the invalid ta-dir value today at the following bug:
https://bugs.kde.org/show_bug.cgi?id=208354

"
SVN commit 1028493 by wstephens:

Store openvpn TLS Auth Key, which controls whether the direction is
restored on edit.
"
Comment 11 Cypher 2009-10-01 08:51:12 UTC
Hi,

I still have a problem, OpenSUSE 11.1 + KDE4.3.1 from factory repo. It seems to recognize the service, but the connection does not happen due to some VPN secret not found... I only use certificates for VPN.

Here you go, the logs
--
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 4258
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  VPN plugin state changed: 1
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  VPN plugin state changed: 3
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  VPN connection 'New VPN Connection' (Connect) reply received.
Oct  1 08:44:54 laptop-02 NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'New VPN Connection' failed to connect: 'No VPN secrets!'.
Oct  1 08:44:54 laptop-02 NetworkManager: <debug> [1254379494.529743] run_netconfig(): Spawning '/sbin/netconfig modify --service NetworkManager'
Oct  1 08:44:54 laptop-02 NetworkManager: <debug> [1254379494.533026] write_to_netconfig(): Writing to netconfig: INTERFACE='wlan0'
Oct  1 08:44:54 laptop-02 NetworkManager: <debug> [1254379494.533314] write_to_netconfig(): Writing to netconfig: DNSSEARCH='homelan.lan homelan.lan'
Oct  1 08:44:54 laptop-02 NetworkManager: <debug> [1254379494.533513] write_to_netconfig(): Writing to netconfig: DNSSERVERS='192.168.2.1'
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  Clearing nscd hosts cache.
Oct  1 08:44:54 laptop-02 NetworkManager: <info>  Policy set 'ASTRA' (wlan0) as default for routing and DNS.
Oct  1 08:45:06 laptop-02 NetworkManager: <debug> [1254379506.545028] ensure_killed(): waiting for vpn service pid 4258 to exit
Oct  1 08:45:06 laptop-02 NetworkManager: <debug> [1254379506.545101] ensure_killed(): vpn service pid 4258 cleaned up
--
Comment 12 Will Stephenson 2009-10-01 12:29:27 UTC
Cypher: what if you delete and recreate the connection?  Are you using kwallet storage or kconfig?  if kwallet, look in the NetworkManagement folder in kwalletmanager under the uuid of the connection and see if there are any vpn secrets stored.  If kconfig, look in ~/.kde4/share/apps/networkmanagement/connections.
Comment 13 Cypher 2009-10-01 12:58:30 UTC
Will,

I tried to delete and recreate the connection, same error.

I use KWallet, and there is a VpnSecrets key, but it's empty.
Comment 14 Bruno Friedmann 2009-10-02 11:32:59 UTC
Hi Will,
I'm working with the latest openSUSE 11.2 Factory repo.
I have:
rpm -qav | grep -i network
yast2-network-2.18.49-1.1.i586
NetworkManager-openvpn-0.7.1-1.9.i586
libproxy0-networkmanager-0.3.0-1.4.i586
NetworkManager-glib-0.7.1_git20090811-2.2.i586
NetworkManager-kde4-libs-0.9.svn1028043-1.1.i586
NetworkManager-openvpn-kde4-0.9.svn1028043-1.1.i586
kdenetwork4-filesharing-4.3.1-3.1.i586
NetworkManager-kde4-0.9.svn1028043-1.1.i586
NetworkManager-0.7.1_git20090811-2.2.i586

When I try to start OpenVPN with the ta-key option (even after deleting and recreating the connection):

Oct  2 11:20:47 r2d2 NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Oct  2 11:20:47 r2d2 NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 10449
Oct  2 11:20:47 r2d2 NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Oct  2 11:20:47 r2d2 NetworkManager: <info>  VPN plugin state changed: 1
Oct  2 11:20:47 r2d2 NetworkManager: <info>  VPN plugin state changed: 3
Oct  2 11:20:47 r2d2 NetworkManager: <info>  VPN connection 'ioda-vpn' (Connect) reply received.
Oct  2 11:20:47 r2d2 NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'ioda-vpn' failed to connect: 'invalid integer property 'ta-dir' or out of range [0 -> 1]'.
Oct  2 11:20:47 r2d2 NetworkManager: <WARN>  connection_state_changed(): Could not process the request because no VPN connection was active.
Oct  2 11:20:47 r2d2 NetworkManager: <debug> [1254475247.945201] run_netconfig(): Spawning '/sbin/netconfig modify --service NetworkManager'

If I reopen the connection, the settings are not kept.
Is this just a SUSE bug, as mainstream is not backported?
Comment 15 Will Stephenson 2009-10-23 15:48:33 UTC
SVN commit 1039472 by wstephens:

Fix HMAC auth key type mis-storage.
Fixes https://bugzilla.novell.com/show_bug.cgi?id=501829, and

BUG: 205894



 M  +1 -1      openvpnwidget.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1039472
Comment 16 Cypher 2009-11-19 10:45:35 UTC
I am sorry to tell you but... this is not solved in openSUSE 11.2 Final, fresh install.

My packages:

NetworkManager-pptp-0.7.1-2.3.i586
NetworkManager-pptp-kde4-0.9.svn1043876-2.1.i586
NetworkManager-openvpn-0.7.1-2.4.1.i586
kdenetwork4-filesharing-4.3.1-4.3.i586
NetworkManager-0.7.1_git20090811-4.2.i586
libproxy0-networkmanager-0.3.1-2.2.i586
NetworkManager-glib-0.7.1_git20090811-4.2.i586
NetworkManager-kde4-0.9.svn1043876-2.1.i586
NetworkManager-vpnc-0.7.1-2.3.i586
NetworkManager-openvpn-kde4-0.9.svn1043876-2.1.i586
NetworkManager-kde4-libs-0.9.svn1043876-2.1.i586
yast2-network-2.18.51-1.1.2.i586
NetworkManager-vpnc-kde4-0.9.svn1043876-2.1.i586


NetworkManager Log file:

Nov 19 10:39:05 laptop-02 NetworkManager: <info>  VPN plugin state changed: 3
Nov 19 10:39:05 laptop-02 NetworkManager: <info>  VPN connection 'VPN Connection' (Connect) reply received.
Nov 19 10:39:05 laptop-02 NetworkManager: <WARN>  nm_vpn_connection_connect_cb(): VPN connection 'VPN Connection' failed to connect: 'No VPN secrets!'.
Nov 19 10:39:05 laptop-02 NetworkManager: <WARN>  connection_state_changed(): Could not process the request because no VPN connection was active.
Nov 19 10:39:05 laptop-02 NetworkManager: <debug> [1258623545.255625] run_netconfig(): Spawning '/sbin/netconfig modify --service NetworkManager'
Nov 19 10:39:05 laptop-02 NetworkManager: <debug> [1258623545.259724] write_to_netconfig(): Writing to netconfig: DNSSEARCH='homelan.lan homelan.lan'#012
Nov 19 10:39:05 laptop-02 NetworkManager: <debug> [1258623545.259803] write_to_netconfig(): Writing to netconfig: DNSSERVERS='192.168.2.1'#012
Nov 19 10:39:05 laptop-02 NetworkManager: <info>  Clearing nscd hosts cache.
Nov 19 10:39:05 laptop-02 NetworkManager: <info>  Policy set 'ASTRA' (wlan0) as default for routing and DNS.
Nov 19 10:39:18 laptop-02 NetworkManager: <debug> [1258623558.002163] ensure_killed(): waiting for vpn service pid 4934 to exit
Nov 19 10:39:18 laptop-02 NetworkManager: <debug> [1258623558.002363] ensure_killed(): vpn service pid 4934 cleaned up


I must say that I am really disappointed. We use OpenVPN extensively in our business, and we cannot install a non-functioning distribution.

Can we expect a solution for 11.2 or is it better to switch to another distro ?
Comment 17 Cypher 2009-11-19 10:46:49 UTC
I shall add that we use X.509 without password, certificates only.
Comment 18 Cypher 2009-11-19 12:26:34 UTC
Some news from the battlefield !

If I use the option "X.509 with password", and if I specify some random junk for username and password, then it works, even though the certificates do not use passwords !

Glad to be able to use it finally, but this should definitely be solved in order to avoid people scratching their heads too much...
Comment 19 Will Stephenson 2009-11-19 19:02:32 UTC
Fixed in svn a couple of days ago and an opensuse update is on the way...
Comment 20 Bruno Friedmann 2009-11-19 20:04:42 UTC
Thanks Will :-) 

After that we can go deeper into making broadband modems more useful....
;-)
Comment 21 Bruno Friedmann 2011-01-05 16:54:48 UTC
Is that one really open?
Seems it can be definitively closed ....
Comment 22 Lamarque V. Souza 2011-06-07 07:56:19 UTC
Reopen if this bug is still valid.