Bug 349282 - [OpenVPN] Can't import OpenVPN configuration files with inline certificates and key
Summary: [OpenVPN] Can't import OpenVPN configuration files with inline certificates a...
Status: REPORTED
Alias: None
Product: plasma-nm
Classification: Plasma
Component: editor (show other bugs)
Version: 5.12.6
Platform: OpenSUSE Linux
: NOR major with 40 votes (vote)
Target Milestone: ---
Assignee: Lukáš Tinkl
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-17 10:03 UTC by Tristan Miller
Modified: 2019-04-26 08:53 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In: 0.9.3.7


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tristan Miller 2015-06-17 10:03:22 UTC
The Connection Editor of the NetworkManager plasma applet is unable to import OpenVPN configuration files which contain inline certificates and keys.

Reproducible: Always

Steps to Reproduce:
1. Open the Connection Editor.
2. File -> Import VPN…
3. Select and open an OpenVPN configuration file (.ovpn) which contains inline certificates and/or keys.  That is, the file specifies "[inline]" as the value of the ca, cert, key, and/or tls-auth fields, and then provides ASCII-armoured certificates and/or keys in <ca>, <cert>, <key>, and <tls-auth> elements at the end of the file.

Actual Results:  
4. For every inline certificate/key in the configuration file, an error dialog appears indicating that the certificate/key could not be copied because the file [inline] could not be opened.  For example:

Error copying file to /home/miller/.kde4/share/apps/networkmanagement/certificates/ukp-vpn_[inline]: Cannot open /tmp/[inline] for input

Expected Results:  
4. The Connection Editor should recognize that "[inline]" is not a filename but rather a special value indicating that the certificate/key is contained within the OpenVPN configuration file itself.  It should then read in and process that certificate/key.
Comment 1 Jan Grulich 2015-06-19 07:51:58 UTC
Do you really use plasma-nm in version 0.9.3.4? I thought this has been fixed already. Any chance you can try at least 0.9.3.5 version where I did one more fix regarding OpenVPN import.
Comment 2 Tristan Miller 2015-06-19 08:22:53 UTC
Yes, I'm running plasma-nm 0.9.3.4.  I can't test 0.9.3.5 at the moment but can do so as soon as it's packaged for openSUSE 13.2.
Comment 3 Lamarque V. Souza 2015-06-28 15:16:13 UTC
That is not the syntax our import code expects. The import code expects no ca, cert, key or ts-auth tags with '[inline]' as value when certificates are embedded. It expects only <ca>, <cert> <key> and <tls-auth> tags in that case. Besides, using '[inline]' as value is redundant in this case.
Comment 4 Tristan Miller 2015-06-28 18:46:05 UTC
It may not be the syntax the plasma-nm import code expects, but it's one that the OpenVPN command-line client supports.  I've come across a few .ovpn files which use this syntax, and I've seen it recommended by OpenVPN experts such as Jan Just Keijser (see for example <http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config>).

It looks like this [inline] directive was never documented in the OpenVPN man pages.  However, given that it's in use, it might still be a good idea for plasma-nm to handle this syntax.
Comment 5 Lamarque V. Souza 2015-06-28 23:28:46 UTC
Git commit 599afdacd744a2d7785274687438a23f21617c34 by Lamarque V. Souza.
Committed on 28/06/2015 at 23:26.
Pushed by lvsouza into branch 'master'.

Add support to import .ovpn files with syntax described in
http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config
FIXED-IN: 0.9.3.7

M  +22   -5    vpn/openvpn/openvpn.cpp

http://commits.kde.org/plasma-nm/599afdacd744a2d7785274687438a23f21617c34
Comment 6 Lamarque V. Souza 2015-06-29 01:03:02 UTC
Git commit c6f0b9df0e1a78c4d54058136580104b5e5b22a7 by Lamarque V. Souza.
Committed on 29/06/2015 at 00:21.
Pushed by lvsouza into branch '0.9.3'.

Add support to import .ovpn files with syntax described in
http://openvpn-users.narkive.com/ZwzahkCv/embedding-key-cert-ca-into-client-config
FIXED-IN: 0.9.3.7

M  +22   -5    vpn/openvpn/openvpn.cpp

http://commits.kde.org/plasma-nm/c6f0b9df0e1a78c4d54058136580104b5e5b22a7
Comment 7 Tristan Miller 2017-08-20 13:19:02 UTC
Still reproducible for me with plsma-nm 5.10.4.  I get the following error dialog when importing configuration files with inline certificates and agreeing with the prompt to copy the certificates to ~/.local:

Error copying certificate to /home/psy/.local/share/networkmanagement/certificates/ukp-vpn_[inline]: Cannot open /home/psy/vpn/UKP/[inline] for input
Comment 8 Tristan Miller 2017-08-20 13:22:39 UTC
I should add that despite the error message, plasma-nm successfully extracted the certificates and copied them to ~.local/share/networkmanagement/certificates. So maybe the error message is spurious.
Comment 9 Lamarque V. Souza 2017-08-20 14:07:23 UTC
Hi. Hmmm QFile was not able to open the source file (/home/psy/vpn/UKP/[inline]). Does your user has permission to open that file for reading? That error message is shown only if QFile::copy returns false [1]

If the destination file already exists then QFile::copy returns false. That can be the problem too. In that case QFile::copy does not override the destination file. Probably we should ask the user if he/she wants to override it or keep the old one.

[1] http://doc.qt.io/qt-5/qfile.html#copy

OBS: since Plasma NM was not able to copy the file what it does is registering  the source file's path (/home/psy/vpn/UKP/[inline]) in NetworkManager. Since NetworkManager run as root it probably has permission to read that file.

OBS2: Plasma NM run as normal user.
Comment 10 Tristan Miller 2017-08-20 14:37:08 UTC
(In reply to Lamarque V. Souza from comment #9)
> Hi. Hmmm QFile was not able to open the source file
> (/home/psy/vpn/UKP/[inline]). Does your user has permission to open that
> file for reading? That error message is shown only if QFile::copy returns
> false [1]

That's because the file doesn't exist.  As I already mentioned in the original report, plasma-nm is misinterpreting the [infile] header in the .ovpn file as a filename.  It should not be trying to open any new files; the certificates should be read from the .ovpn file it already has open.
Comment 11 Lamarque V. Souza 2017-08-20 15:50:24 UTC
Does your file name has any space in it? If it does then you must use quotation mark in the .ovpn to delimitate the file name.
Comment 12 Tristan Miller 2017-08-20 18:16:50 UTC
(In reply to Lamarque V. Souza from comment #11)
> Does your file name has any space in it? If it does then you must use
> quotation mark in the .ovpn to delimitate the file name.

I'm telling you for the third time, there is no filename in the .ovpn file.  This bug report is about plasma-nm's failure to process .ovpn files which use the special identifier "[inline]" to indicate that the certificates and/or keys are included directly in the .ovpn file.
Comment 13 Tristan Miller 2018-10-24 07:13:16 UTC
Still reproducible as discussed in Comment 7 and Comment 8 with plasma-nm 5.12.6.  That is, importing an OpenVPN configuration file with inline certificates and keys throws up a spurious error dialog about being unable to open the nonexistent file named "[inline]".  However, the certificates and keys get successfully copied anyway.
Comment 14 Dennis Schridde 2018-12-28 13:56:18 UTC
Does the import work when using nmcli (`nmcli connection import type openvpn file $FILENAME`)?

If nmcli works, I would think this is mostly caused by Plasma NM not using the NetworkManager OpenVPN code to import configuration files (bug #396530), but implements an own buggy version.
Comment 15 Tristan Miller 2019-04-26 08:53:22 UTC
(In reply to Dennis Schridde from comment #14)
> Does the import work when using nmcli (`nmcli connection import type openvpn
> file $FILENAME`)?
> 
> If nmcli works, I would think this is mostly caused by Plasma NM not using
> the NetworkManager OpenVPN code to import configuration files (bug #396530),
> but implements an own buggy version.

I'm now using plasma-nm 5.12.8.  This version has the same behaviour as described for plasma-nm 5.12.6 in Comment 13: attempting to import an .ovpn file with inline certificates and keys results in a spurious error dialog, but the keys and certificates get successfully copied anyway.

I also tried using nmcli.  This seems to work without any problems:

$ nmcli connection import type openvpn file ~/vpn/ukp-vpn.ovpn 
Connection 'ukp-vpn' (c6cbabfe-f117-4af9-aca5-be9e8c88595c) successfully added.

When I open the NetworkManager plasma applet after doing this, I see the VPN connection listed there, with the keys and certificates copied into separate files under ~/.cert/nm-openvpn.