Thomas Haller wrote:
On Tue, 2018-02-20 at 16:46 -0500, David H. Durgee wrote:
As I indicated in my last posting, I was going to try editing out the
element that was being complained about in the error and see what
happens. I was able to successfully import the edited ovpn file using
network connections.
Sidenote: import of an ovpn file is only a step to create the connection
profile in NetworkManager.
When you activate a VPN connection, what matters is how the connection
profile looks in NetworkManager, see for example
$ nmcli connection show "$VPN_PROFILE"
The settings in the profile matter, but it does not matter how the
profile was created originally (import ovpn file, or clicked in
nm-connection-editor, or nmcli).
I have attached the output of the connection show to this response.
Now that it is in my available connections, I attempted to activate it.
Unfortunately, this failed. Looking in /var/log/syslog I found the
following:
...
Feb 20 16:21:48 Z560 nm-openvpn[21289]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 20 16:21:48 Z560 nm-openvpn[21289]: TLS Error: TLS handshake failed
Feb 20 16:21:48 Z560 nm-openvpn[21289]: SIGUSR1[soft,tls-error] received, process restarting
Unclear, what is wrong.
What did you do about the unsupported extra-certs option? nm-openvpn
does not support that, so there is no immediate way how to specify
them. Is this option required for you to successfully establish the
connection?
I simply edited it out of the profile. I don't know if it is required
or optional.
You could enable debug logging, for example via
sudo nmcli general logging level TRACE domains ALL,VPN_PLUGIN
afterward, re-activate the VPN connection and look at journal.
Note that verbose logging of openvpn might reveal private sensitive
information. Take care before sending a logfile. See comment about rate
limiting of journal at
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/contrib/fedora/rpm/NetworkManager.conf
Also, in the logfile you will see how NetworkManager's VPN plugin
invokes the openvpn binary and which parameters are passed to it. Are
those parameters making sense?
best,
Thomas
I will consider debug logging after you have a chance to inspect the
connection show and let me know if it looks sane or is missing a crucial
element.
Thank you for your assistance in this matter.
Dave
connection.id: Private Tunnel - Ashburn
connection.uuid: 03cba5d7-57df-4bd8-b5d3-24c3f24013d7
connection.interface-name: --
connection.type: vpn
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.timestamp: 0
connection.read-only: no
connection.permissions:
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries:
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: -1 (default)
ipv4.method: auto
ipv4.dns:
ipv4.dns-search:
ipv4.dns-options: (default)
ipv4.dns-priority: 0
ipv4.addresses:
ipv4.gateway: --
ipv4.routes:
ipv4.route-metric: -1
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: no
ipv4.dhcp-client-id: --
ipv4.dhcp-timeout: 0
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns:
ipv6.dns-search:
ipv6.dns-options: (default)
ipv6.dns-priority: 0
ipv6.addresses:
ipv6.gateway: --
ipv6.routes:
ipv6.route-metric: -1
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: 0 (disabled)
ipv6.addr-gen-mode: stable-privacy
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
vpn.service-type: org.freedesktop.NetworkManager.openvpn
vpn.user-name: --
vpn.data: ta =
/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-tls-auth.pem, ca =
/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem, key =
/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-key.pem, dev = tun, cert =
/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-cert.pem, remote-cert-tls =
server, cert-pass-flags = 0, remote = us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:443:tcp,
us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:1194:udp,
us-va-ash-001.privatetunnel.com:1194:udp, auth = SHA1, connection-type = tls,
ta-dir = 1
vpn.secrets: <hidden>
vpn.persistent: no
vpn.timeout: 0
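
An added example, not part of the original thread: one way to act on the note above about sensitive information in logs is to mask identifying values in `nmcli connection show` output or journal text before posting it. The `Redactor` class, its patterns and the sample text are assumptions for illustration; it masks identifiers only and does not detect passwords or key material.

```python
import re
import sys

# Assumed patterns for values that identify a user or endpoint; extend as needed.
PATTERNS = [
    ("UUID", re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("USER", re.compile(r"(?<=/home/)[^/\s,]+")),
]

# Constructed sample: three lines taken from this thread (vpn.data shortened),
# plus one made-up log line using a documentation address (192.0.2.10).
SAMPLE = """\
Feb 20 16:21:48 Z560 nm-openvpn[21289]: TLS Error: TLS handshake failed
connection.uuid: 03cba5d7-57df-4bd8-b5d3-24c3f24013d7
vpn.data: ca = /home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem, remote = us-va-ash-001.privatetunnel.com:1194:udp
Feb 20 16:21:50 Z560 nm-openvpn[21289]: link remote: 192.0.2.10:1194
"""

class Redactor:
    """Replace identifying values with stable placeholders (<HOST1>, <IP1>, ...)."""

    def __init__(self, hostnames=()):
        self.seen = {}  # (kind, lowercased value) -> placeholder
        self.patterns = list(PATTERNS)
        if hostnames:
            # Longest names first so a short name never shadows a longer one.
            names = sorted(hostnames, key=len, reverse=True)
            alt = "|".join(re.escape(h) for h in names)
            self.patterns.insert(0, ("HOST", re.compile(alt, re.I)))

    def _placeholder(self, kind, value):
        key = (kind, value.lower())
        if key not in self.seen:
            n = sum(1 for k in self.seen if k[0] == kind) + 1
            self.seen[key] = f"<{kind}{n}>"
        return self.seen[key]

    def redact(self, text):
        # The same value always maps to the same placeholder, so the
        # redacted log can still be followed when debugging.
        for kind, rx in self.patterns:
            text = rx.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

if __name__ == "__main__":
    # Usage: journalctl -u NetworkManager | python3 redact.py HOSTNAME...
    sys.stdout.write(Redactor(sys.argv[1:]).redact(sys.stdin.read()))
```

Review the redacted output by eye before sending it; anything the patterns do not cover passes through unchanged.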