On Thu, 2009-02-12 at 16:19 -0300, Miguel Rozsas wrote:
> Hi Dan, thank you !
> 
> You are right !
> What I did: (for anyone else who may have interest in this setup)
> 
> As you suggested I split/converted the mypkcs-file.p12 file in two
> pieces: user.pem and key.pem:
> [code]
> openssl pkcs12 -in mypkcs-file.p12 -out user.pem -nodes -clcerts -nokeys
> openssl pkcs12 -in mypkcs-file.p12 -out key.pem -nodes -nocerts
> [/code]
Ideally you wouldn't have to do that; we just need to do some work in the NM-openvpn configuration dialog to detect that a PKCS#12 certificate has been loaded, and disable the other certificate options, since the PKCS#12 file contains all 3 required things.

> and I had to set up the DNS by hand. NM did not update the nameservers
> as informed by SW, using the defaults on IPV4 Settings tab. I had to
> change to "Automatic (VPN) addresses only" to enable the DNS servers
> text field and I put the internal DNS servers for this VPN connection.
> The default router and IP address were set just fine.

DNS needs to be set up correctly on the OpenVPN server, which usually gets passed through to the openvpn client using the "foreign-option" environment variable. If you've got a bit of time, could you dump the environment that openvpn calls the helper script with so I can fix this bug? Basically the following:

a) mv /usr/libexec/nm-openvpn-service-openvpn-helper /usr/libexec/nm-openvpn-service-openvpn-helper-ORIG

b) edit /usr/libexec/nm-openvpn-service-openvpn-helper in your favorite text editor:

    #!/bin/sh
    # dump the environment openvpn hands to the helper, then run the real helper
    env > /tmp/openvpn.env
    exec /usr/libexec/nm-openvpn-service-openvpn-helper-ORIG "$@"

c) chmod 755 /usr/libexec/nm-openvpn-service-openvpn-helper

d) Start your NM-openvpn connection as you normally would

e) email /tmp/openvpn.env to me directly since it may contain private information

> Regardless of the big problem related to SELinux in permissive mode,
> NM-vpn is working fine !
> 
> I hope others can find this post and set up their SW/Zerina VPN too.
> 
> Thank you very much for your help !
> 
> PS: Is there any chance you have a fix for the SELinux issue ? I have
> tried "restorecon /home/miguel/tmp/user.pem" and no luck....

It's not really easy to fix this, because normally root processes aren't allowed to read user-level files; that's a *good* thing.
The real fix for this is to get a real Certificate Store like Windows and Mac OS X have had for years, have NM send openvpn a certificate ID #, and have openvpn ask your Certificate Store for the certificate matching the ID # NM gave it.

Dan

_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list
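The environment-capture wrapper from steps a) to e) above, reworked as an added example (this is not code from the thread or from NetworkManager). It keeps the same mv/exec arrangement but fixes two things a practitioner would want: the dump is written to a freshly created mode-0600 file instead of a predictable, world-readable /tmp/openvpn.env (the mail itself notes the dump may contain private data), and the server-pushed foreign_option_N variables, which carry the "dhcp-option DNS ..." lines Dan refers to, are parsed and summarised so it is obvious whether the server pushed DNS at all. The helper path, the -ORIG rename, the function names and the sample foreign_option values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from NetworkManager: a hardened
# version of the env-capturing wrapper described in the mail.
# HELPER_ORIG, the function names and the sample data are assumptions.
#
# Differences from the one-line wrapper in the mail:
#   - the dump goes to a freshly created mode-0600 file (mktemp + umask 077)
#     instead of a predictable, world-readable /tmp/openvpn.env;
#   - the pushed foreign_option_N variables are summarised so it is obvious
#     whether the server pushed "dhcp-option DNS ..." at all.

HELPER_ORIG=/usr/libexec/nm-openvpn-service-openvpn-helper-ORIG  # assumed rename, as in step a)

# Print, one per line, the value of every pushed "dhcp-option <KEY> <value>"
# (KEY is DNS, DOMAIN, ...) by walking foreign_option_1, foreign_option_2, ...
# until the first unset one. Reads the variables from the current environment.
pushed_dhcp_option() {
    prefix="dhcp-option $1 "
    i=1
    while :; do
        eval "val=\${foreign_option_$i:-}"
        [ -n "$val" ] || break
        case $val in
            "$prefix"*) printf '%s\n' "${val#"$prefix"}" ;;
        esac
        i=$((i + 1))
    done
}

# Write the full environment to a private temp file and print its path.
# Runs in a subshell so the umask change does not leak to the caller.
dump_openvpn_env() (
    umask 077
    out=$(mktemp "${TMPDIR:-/tmp}/openvpn.env.XXXXXX") || exit 1
    env | sort > "$out" || exit 1
    printf '%s\n' "$out"
)

# Constructed sample input (not captured from a real server): what openvpn
# exports after the server pushed "dhcp-option DNS 10.8.0.1",
# "dhcp-option DOMAIN corp.example" and "dhcp-option DNS 10.8.0.2".
# Runs in a subshell so the sample variables do not leak.
demo_pushed_options() (
    foreign_option_1="dhcp-option DNS 10.8.0.1"
    foreign_option_2="dhcp-option DOMAIN corp.example"
    foreign_option_3="dhcp-option DNS 10.8.0.2"
    pushed_dhcp_option "$1"
)

# openvpn exports script_type (up, down, ...) to every script it runs; when it
# is absent we are being run by hand or sourced, so do nothing and exec nothing.
if [ -n "${script_type:-}" ]; then
    dumpfile=$(dump_openvpn_env) || exit 1
    {
        printf '# pushed DNS: ';    pushed_dhcp_option DNS    | tr '\n' ' '; echo
        printf '# pushed DOMAIN: '; pushed_dhcp_option DOMAIN | tr '\n' ' '; echo
    } >> "$dumpfile"
    exec "$HELPER_ORIG" "$@"
fi
```

Install it exactly as in steps a) to c) (rename the real helper to the -ORIG path, drop this in its place, chmod 755) and bring the connection up; the dump file path is the random name mktemp chose under /tmp, and its last two lines tell you whether DNS and DOMAIN options arrived at all. If "pushed DNS:" is empty, the server is not pushing DNS and no client-side fix will populate the nameservers.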
