On Thu, 2018-02-22 at 11:43 -0500, David H. Durgee wrote:
> Thomas Haller wrote:
> > On Wed, 2018-02-21 at 12:03 -0500, David H. Durgee wrote:
> > > Thomas Haller wrote:
> > > 
> > > I will consider debug logging after you have a chance to inspect the
> > > connection show and let me know if it looks sane or is missing a crucial
> > > element.
> > 
> > Hi,
> > 
> > the settings don't look wrong, but whether the settings are correct
> > depends very much on your server configuration. Enable debug logging
> > and see why the connection failed.
> > 
> > Since NM does not support the <extra-certs> argument, you should
> > investigate whether that argument is required in your setup. For
> > example, (as you said, plain openvpn works) by running openvpn with the
> > ovpn without the <extra-certs> option.
> > 
> > 
> > best,
> > Thomas
> 
> Per your suggestion I tried using openvpn with the edited file and as
> expected it fails to connect.  So the <extra-certs> appears to be
> required to initialize the connection.  Now the question is how do I add
> them to the configuration?  I manually added the contents of that
> element to a file ~/.certs/nm-openvpn/Ashburn-edited-extra-certs.pem
> along with the other elements, but that appears to be insufficient.
> 
> I assume that I need to add the proper entry to
> /etc/NetworkManager/system-connections/Private Tunnel - Ashburn, but my
> question is what form does that entry take?  In the [vpn] section I see
> various entries referencing the certificates, specifically:
> 
> cert=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-cert.pem
> key=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-key.pem
> ca=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem
> ta=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-tls-auth.pem
> 
> So I assume I need a similar line for this one, but should it be
> "extra-certs=" or "ec=" there?  I guess I could try both, but I would
> prefer to get it right the first time.  Or is it perhaps something else
> entirely?

Hi,


Editing the NetworkManager connection with a new option that is not
supported by the nm-openvpn plugin does not make it work.
The nm-openvpn plugin does not support this option (yet).

See 
https://git.gnome.org/browse/network-manager-openvpn/commit/?id=master
especially 
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=dd8868f8a020988a47b7d4d4b502a98531fdeee0
which constructs the command line arguments for openvpn binary.

The proper solution is to add support for this option. Patches welcome.


Possible workarounds are:

- try to find a client configuration that does not require this
  option. Maybe reconfiguring the server is feasible.

- use openvpn directly, without NetworkManager

- replace the openvpn binary with a wrapper shell script that hacks in
  this option. Something like (totally untested!)


#!/bin/bash

EXTRA_ARGS=
# Append the option only when the remote is one we recognize.
# "$@" is echoed as one space-joined string; '--' stops grep from
# treating the pattern (which starts with "--") as an option.
if echo "$@" | grep -q -- '--remote MY.REMOTE.THAT.I.RECOGNIZE'; then
    EXTRA_ARGS="--extra-certs /path/to/extra/certs"
fi
exec /path/to/real/openvpn "$@" $EXTRA_ARGS

best,
Thomas
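Added example, not code from the thread or from nm-openvpn: a variant of the wrapper above that inspects the argument list word by word instead of grepping the joined string, so a remote is matched exactly rather than as a regex (where "." matches any character) or as a substring. The host name and both paths are placeholders you would replace.

```sh
#!/bin/sh
# Wrapper placed in front of the real openvpn binary (paths are assumptions).
KNOWN_REMOTE="MY.REMOTE.THAT.I.RECOGNIZE"
EXTRA_CERTS="/path/to/extra/certs.pem"
REAL_OPENVPN="/path/to/real/openvpn"

# Walk argv as passed by nm-openvpn-service; print the extra option only
# when "--remote" is immediately followed by exactly KNOWN_REMOTE.
# An exact string compare means HOST.evil.example or MYxREMOTE do not match,
# unlike 'grep -q' over the joined string.
extra_args_for() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "--remote" ] && [ "${2:-}" = "$KNOWN_REMOTE" ]; then
            printf '%s' "--extra-certs $EXTRA_CERTS"
            return 0
        fi
        shift
    done
    return 0
}

main() {
    # Word splitting of the unquoted $(...) is intended here.
    set -- "$@" $(extra_args_for "$@")
    exec "$REAL_OPENVPN" "$@"
}

# Hand off only when the real binary is present, so the file can also be
# sourced and its function exercised without executing anything.
[ -x "$REAL_OPENVPN" ] && main "$@"
```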


_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
