Thomas Haller wrote:
On Thu, 2018-02-22 at 11:43 -0500, David H. Durgee wrote:
Thomas Haller wrote:
On Wed, 2018-02-21 at 12:03 -0500, David H. Durgee wrote:
Thomas Haller wrote:

I will consider debug logging after you have a chance to inspect
connection show and let me know if it looks sane or is missing a

the settings don't look wrong, but whether the settings are
depends very much on your server configuration. Enable debug
and see why the connection failed.

Since NM does not support the <extra-certs> argument, you should
investigate whether that argument is required in your setup. For
example, (as you said, plain openvpn works) by running openvpn with
ovpn without the <extra-certs> option.

Per your suggestion I tried using openvpn with the edited file and
expected it fails to connect.  So the <extra-certs> appears to be
required to initialize the connection.  Now the question is how do I
them to the configuration?  I manually added the contents of that
element to a file ~/.certs/nm-openvpn/Ashburn-edited-extra-certs.pem
along with the other elements, but that appears to be insufficient.

I assume that I need to add the proper entry to
/etc/NetworkManager/system-connections/Private Tunnel - Ashburn, but
question is what form does that entry take?  In the [vpn] section I
various entries referencing the certificates, specifically:


So I assume I need a similar line for this one, but should it be
"extra-certs=" or "ec=" there?  I guess I could try both, but I
prefer to get it right the first time.  Or is it perhaps something

Editing the connection of NetworkManager with a new option that is not
supported by nm-openvpn plugin does not make it work.
nm-openvpn plugin does not support this option (yet).

which constructs the command line arguments for openvpn binary.

The proper solution is to add support for this option. Patches welcome.

I doubt my programming skills are up to a patch for this.  Is this one on the list somewhere of additional options to be supported?  If not, can it be added?  In either case, any idea of when it might be available?  Is there a release schedule for the plugin?

Possible workarounds are:

- try to find a client configuration that does not require this
   option. Maybe reconfiguring the server is feasible.

Not in this case, this is not my server but a service provider.

- use openvpn directly, without NetworkManager

That is my current approach, I guess I can continue doing so while the option is added to the plugin.

- replace the openvpn binary with a wrapper shell script, that hacks
   this option. Something like (totally untested!)


#!/bin/bash
EXTRA_ARGS=""  # stays empty unless the recognized remote is on the command line
if echo "$@" | grep -q -e '--remote MY.REMOTE.THAT.I.RECOGNIZE'; then
     EXTRA_ARGS="--extra-certs /path/to/extra/certs"
fi
exec /path/to/real/openvpn "$@" $EXTRA_ARGS

I guess that might work, but it is a bit messy.

Given that I only need to use the service when taking my laptop out of the office I believe I can live with continuing to use openvpn directly until the plugin supports the <extra-certs> option. I doubt that private tunnel is the only service using this option, so I suspect others are also encountering it and adding support to the plugin should be done at some point.

Thanks again for your assistance in this matter.
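
Added example, not part of the original thread and not nm-openvpn code: a Python version of the manual step described above, splitting the inline blocks of an .ovpn profile (including `<extra-certs>`) into owner-only PEM files and building the `--extra-certs` argument that the wrapper script would append. The profile text, the host name and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample profile; the certificate bodies are placeholders, not real PEM data.
SAMPLE_OVPN = """\
client
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-ROOT
-----END CERTIFICATE-----
</ca>
<extra-certs>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-INTERMEDIATE-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-INTERMEDIATE-2
-----END CERTIFICATE-----
</extra-certs>
"""

# An inline block is <tag> on its own line, a body, then </tag> on its own line.
INLINE_BLOCK = re.compile(r"^<([a-z0-9-]+)>[ \t]*\n(.*?)^</\1>[ \t]*$", re.M | re.S)

def split_profile(text):
    """Return (profile text without inline blocks, {tag: block body})."""
    blocks = {m.group(1): m.group(2) for m in INLINE_BLOCK.finditer(text)}
    return INLINE_BLOCK.sub("", text), blocks

def count_certs(pem):
    """Number of certificates in a PEM bundle (extra-certs may hold several)."""
    return pem.count("-----BEGIN CERTIFICATE-----")

def export_blocks(blocks, outdir, prefix):
    """Write each block to <outdir>/<prefix>-<tag>.pem, readable by the owner only."""
    os.makedirs(outdir, mode=0o700, exist_ok=True)
    paths = {}
    for tag, body in blocks.items():
        path = os.path.join(outdir, f"{prefix}-{tag}.pem")
        # Create with 0600 up front so key material is never briefly world-readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        paths[tag] = path
    return paths

def wrapper_args(paths):
    """Arguments a wrapper would append when the profile carried <extra-certs>."""
    return ["--extra-certs", paths["extra-certs"]] if "extra-certs" in paths else []
```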
