On Thu, 2018-02-22 at 11:43 -0500, David H. Durgee wrote:
> Thomas Haller wrote:
> > On Wed, 2018-02-21 at 12:03 -0500, David H. Durgee wrote:
> > > Thomas Haller wrote:
> > >
> > > I will consider debug logging after you have a chance to inspect
> > > the connection show and let me know if it looks sane or is missing
> > > a crucial element.
> >
> > Hi,
> >
> > the settings don't look wrong, but whether the settings are correct
> > depends very much on your server configuration. Enable debug logging
> > and see why the connection failed.
> >
> > Since NM does not support the <extra-certs> argument, you should
> > investigate whether that argument is required in your setup. For
> > example, (as you said, plain openvpn works) by running openvpn with
> > the ovpn without the <extra-certs> option.
> >
> >
> > best,
> > Thomas
>
> Per your suggestion I tried using openvpn with the edited file and as
> expected it fails to connect. So the <extra-certs> appears to be
> required to initialize the connection. Now the question is how do I
> add them to the configuration? I manually added the contents of that
> element to a file ~/.certs/nm-openvpn/Ashburn-edited-extra-certs.pem
> along with the other elements, but that appears to be insufficient.
>
> I assume that I need to add the proper entry to
> /etc/NetworkManager/system-connections/Private Tunnel - Ashburn, but
> my question is what form does that entry take? In the [vpn] section
> I see various entries referencing the certificates, specifically:
>
> cert=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-cert.pem
> key=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-key.pem
> ca=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-ca.pem
> ta=/home/dhdurgee/.cert/nm-openvpn/Ashburn-edited-tls-auth.pem
>
> So I assume I need a similar line for this one, but should it be
> "extra-certs=" or "ec=" there? I guess I could try both, but I would
> prefer to get it right the first time. Or is it perhaps something
> else entirely?

Hi,

Editing the connection of NetworkManager with a new option that is not
supported by nm-openvpn plugin does not make it work.

nm-openvpn plugin does not support this option (yet). See
https://git.gnome.org/browse/network-manager-openvpn/commit/?id=master
especially
https://git.gnome.org/browse/network-manager-openvpn/tree/src/nm-openvpn-service.c?id=dd8868f8a020988a47b7d4d4b502a98531fdeee0
which constructs the command line arguments for openvpn binary.

The proper solution is to add support for this option. Patches welcome.

Possible workarounds are:

- try to find a client configuration that does not require this
  option. Maybe reconfiguring the server is feasible.

- use openvpn directly, without NetworkManager

- replace the openvpn binary with a wrapper shell script, that hacks
  this option. Something like (totally untested!)

    #!/bin/bash

    EXTRA_ARGS=
    # -e keeps grep from parsing the pattern's leading "--" as an option
    if echo "$@" | grep -q -e '--remote MY.REMOTE.THAT.I.RECOGNIZE'; then
        EXTRA_ARGS="--extra-certs /path/to/extra/certs"
    fi
    # EXTRA_ARGS is left unquoted on purpose so it splits into two words
    exec /path/to/real/openvpn "$@" $EXTRA_ARGS

best,
Thomas
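
A stricter form of the wrapper workaround above, as an added example that is not part of the original message or of nm-openvpn: it compares whole arguments instead of grepping the joined command line, and leaves the arguments alone if --extra-certs is already present or the file is not readable. The paths, the host name and the function names are placeholders, and it assumes the remote host is the argument directly after --remote.

```sh
#!/bin/sh
# Added example: hypothetical wrapper installed in place of the openvpn binary.
# The three values below are placeholders to replace for the local setup.
REAL_OPENVPN=/path/to/real/openvpn
EXTRA_CERTS=/path/to/extra/certs
MATCH_REMOTE=MY.REMOTE.THAT.I.RECOGNIZE

# Succeeds only if "--remote" is immediately followed by exactly $1
# (assumed argument layout). Whole-argument comparison avoids substring
# matches that grep over the joined command line would accept.
has_remote() {
    want=$1; shift
    prev=
    for arg in "$@"; do
        if [ "$prev" = "--remote" ] && [ "$arg" = "$want" ]; then
            return 0
        fi
        prev=$arg
    done
    return 1
}

# Succeeds if the caller already passed the given option.
has_option() {
    opt=$1; shift
    for arg in "$@"; do
        if [ "$arg" = "$opt" ]; then return 0; fi
    done
    return 1
}

# Prints "yes" when --extra-certs should be appended, "no" otherwise.
should_add_extra_certs() {
    if has_remote "$MATCH_REMOTE" "$@" \
        && ! has_option --extra-certs "$@" \
        && [ -f "$EXTRA_CERTS" ] && [ -r "$EXTRA_CERTS" ]; then
        echo yes
    else
        echo no
    fi
}

# Assumption: the wrapper is always invoked with arguments; with none, do nothing.
if [ "$#" -gt 0 ]; then
    if [ "$(should_add_extra_certs "$@")" = yes ]; then
        set -- "$@" --extra-certs "$EXTRA_CERTS"
    fi
    exec "$REAL_OPENVPN" "$@"
fi
```

A package update that reinstalls the openvpn binary will overwrite a wrapper placed at its path, so the connection silently loses the option again until the wrapper is restored.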
_______________________________________________
networkmanager-list mailing list
email@example.com
https://mail.gnome.org/mailman/listinfo/networkmanager-list