Re: Problems with OpenVPN client conf having several remotes

2021-06-29 Thread Samuel Le Thiec via networkmanager-list
On Mon, 2021-06-14 at 17:52 +0000, Samuel Le Thiec via networkmanager-list wrote:
> Hello again:)
> 
> I encountered two problems with an openvpn client conf having several remotes.
> 
> The first problem occurs when importing an openvpn client config having
> multiple remotes mixing udp & tcp and using the "implicit udp syntax":
> 
>  $ grep ^remote openvpn.conf
>  remote ovpn.mydomain.com
>  remote ovpn.mydomain.com 53
>  remote ovpn.mydomain.com 1194 tcp
> 
> When imported in Network Manager, this translates to (in the vpn settings:
> Identity → General → Gateway):
>  ovpn.mydomain.com, ovpn.mydomain.com:53, ovpn.mydomain.com:1194:tcp
> 
> When I try to enable the vpn connection, it goes back to being disabled
> immediately. Here is the error message I can see in the journal:
>  Options error: --explicit-exit-notify can only be used with --proto udp
> 
> Now, if I change the gateway vpn setting to:
>  ovpn.mydomain.com:1194:udp, ovpn.mydomain.com:53:udp, ovpn.mydomain.com:1194:tcp
> 
> Then, I can enable the vpn and it looks like it's working...
> 
> **BUT**
> 
> When I look closer, the fallback/try on the other remotes does not seem to
> work: in the journal, I can see the tries on the first remote (IPv6, then
> IPv4), then I see this log entry:
> 
>  Jun 14 19:44:31 nsfw nm-openvpn-serv[333567]: Connect timer expired, disconnecting.
> 
> This "fallback mechanism" works fine when invoking openvpn directly. Is there
> something else to do to have it working with Network Manager?


Hello,

I just would like to make sure this message does not get lost along the way.

Let me summarise it; I think there are two problems with the openvpn
functionality within Network Manager:
   1. When importing an openvpn config file: NM can't start an openvpn
      'connection' with a remote using implicit UDP notation and a tcp one
      (server1:port1 server2:port2:tcp) (see above)
   2. The fallback mechanism does not seem to work with NetworkManager,
      probably because it takes too long and NM tags the connection as
      failing: is there a way to force it to continue trying indefinitely?

Thank you,

samuel


> 
> Any help greatly appreciated!
> 
> Thanks,
> 
> samuel
> 
> PS: I'm using:
> 
>  $ NetworkManager --version
>  1.30.4-1.fc34
> 
> 
> ___
> networkmanager-list mailing list
> networkmanager-list@gnome.org
> https://mail.gnome.org/mailman/listinfo/networkmanager-list



Problems with OpenVPN client conf having several remotes

2021-06-14 Thread Samuel Le Thiec via networkmanager-list
Hello again:)

I encountered two problems with an openvpn client conf having several remotes.

The first problem occurs when importing an openvpn client config having multiple
remotes mixing udp & tcp and using the "implicit udp syntax":

 $ grep ^remote openvpn.conf
 remote ovpn.mydomain.com
 remote ovpn.mydomain.com 53
 remote ovpn.mydomain.com 1194 tcp

When imported in Network Manager, this translates to (in the vpn settings:
Identity → General → Gateway):
 ovpn.mydomain.com, ovpn.mydomain.com:53, ovpn.mydomain.com:1194:tcp

When I try to enable the vpn connection, it goes back to being disabled
immediately. Here is the error message I can see in the journal:
 Options error: --explicit-exit-notify can only be used with --proto udp

Now, if I change the gateway vpn setting to:
 ovpn.mydomain.com:1194:udp, ovpn.mydomain.com:53:udp, ovpn.mydomain.com:1194:tcp

Then, I can enable the vpn and it looks like it's working...

**BUT**

When I look closer, the fallback/try on the other remotes does not seem to
work: in the journal, I can see the tries on the first remote (IPv6, then
IPv4), then I see this log entry:

 Jun 14 19:44:31 nsfw nm-openvpn-serv[333567]: Connect timer expired, disconnecting.

This "fallback mechanism" works fine when invoking openvpn directly. Is there
something else to do to have it working with Network Manager?

Any help greatly appreciated!

Thanks,

samuel

PS: I'm using:

 $ NetworkManager --version
 1.30.4-1.fc34
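As an added example, not part of Samuel's messages nor of NetworkManager-openvpn's importer, the Python below turns the `remote` lines above into the two gateway forms described: the one as imported, which failed, and the fully explicit one that started. It assumes OpenVPN's documented defaults of port 1194 and proto udp for a bare `remote`, and the sample config is constructed from the three lines quoted above.

```python
"""Added example (not NetworkManager-openvpn code): 'remote' lines of an
OpenVPN client config -> the gateway list NetworkManager shows under
Identity > General > Gateway, in the imported and in the explicit form."""
import re

OPENVPN_DEFAULT_PORT = 1194   # OpenVPN's defaults when a remote gives none
OPENVPN_DEFAULT_PROTO = "udp"

def parse_remotes(conf_text):
    """Return (host, port, proto, port_given, proto_given) per 'remote' line,
    honouring file-level 'port' and 'proto' directives seen before it."""
    port_default, proto_default = OPENVPN_DEFAULT_PORT, OPENVPN_DEFAULT_PROTO
    remotes = []
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "port" and len(parts) == 2:
            port_default = int(parts[1])
        elif parts[0] == "proto" and len(parts) == 2:
            proto_default = parts[1]
        elif parts[0] == "remote" and 2 <= len(parts) <= 4:
            port = int(parts[2]) if len(parts) > 2 else port_default
            proto = parts[3] if len(parts) > 3 else proto_default
            remotes.append((parts[1], port, proto, len(parts) > 2, len(parts) > 3))
    return remotes

def gateway_as_imported(remotes):
    """'host[:port[:proto]]' keeping only what the config line spelled out;
    reproduces the list the thread shows after import (the failing form)."""
    out = []
    for host, port, proto, port_given, proto_given in remotes:
        entry = host
        if port_given:
            entry += f":{port}"
        if proto_given:
            entry += f":{proto}"
        out.append(entry)
    return ", ".join(out)

def gateway_explicit(remotes):
    """Every entry as 'host:port:proto', the setting that made the
    connection start in the thread."""
    return ", ".join(f"{h}:{p}:{pr}" for h, p, pr, _, _ in remotes)

def mixes_proto_with_implicit_udp(remotes):
    """True when the remotes mix protocols while at least one of them leaves
    its proto implicit: the combination that produced the thread's
    '--explicit-exit-notify can only be used with --proto udp' error."""
    protos = {r[2] for r in remotes}
    implicit = any(not r[4] for r in remotes)
    return implicit and len(protos) > 1

# Constructed sample: the three remote lines from the thread.
CONF = """client
dev tun
remote ovpn.mydomain.com
remote ovpn.mydomain.com 53
remote ovpn.mydomain.com 1194 tcp
"""
```

gateway_as_imported(parse_remotes(CONF)) gives the list NM showed after import, gateway_explicit(...) the one Samuel typed by hand to get the connection up.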




Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-04 Thread Samuel Le Thiec via networkmanager-list
On Thu, 2021-06-03 at 17:44 +0200, Beniamino Galvani wrote:
> On Thu, Jun 03, 2021 at 07:17:31AM +0000, Samuel Le Thiec via 
> networkmanager-list wrote:
> 
> Hi,
> 
> > For a moment I thought that Network Manager may be assuming a
> > point-to-point topology for the VPN instead of the "topology subnet" as
> > specified in the server.conf, so I did try to 'push "topology subnet"' to
> > the clients, but it didn't help: without the 'push "route-ipv6 .."' above,
> > the client is still missing the route to the subnet.
> 
> Right, 'topology' has no effect for IPv6.
> 
> > > I can totally live with that, but is it the expected behaviour? If so,
> > > why does it differ from starting openvpn manually from the cli or even
> > > as a systemd openvpn-client@.service?
> 
> It's not expected. I think the NetworkManager OpenVPN plugin parses
> the IPv6 configuration incorrectly. If the server pushes, for example:
> 
>   ifconfig-ipv6 2001:db8:f00:bebe::1003/64 2001:db8:f00:bebe::1
> 
> NetworkManager considers the first argument as the subnet and the
> second as the peer, and so it does something equivalent to:
> 
>   ip addr add dev tun0 2001:db8:f00:bebe::1003/64 peer 2001:db8:f00:bebe::1
> 
> which appears in the "ip -6 addr" output as:
> 
>     inet6 2001:db8:f00:bebe::1003 peer 2001:db8:f00:bebe::1/128 scope global
>    valid_lft forever preferred_lft forever
> 
> Instead, according to 'man openvpn', NM should simply add address
> "2001:db8:f00:bebe::1003/64" and use the second argument as a fallback
> gateway for the routes specified by '--route-ipv6':
> 
>   --ifconfig-ipv6 ipv6addr/bits ipv6remote
>     configure IPv6 address ipv6addr/bits on the ``tun'' device.  The
>     second parameter is used as route target for --route-ipv6 if  no
>     gateway is specified.
> 
>  --route-ipv6 ipv6addr/bits [gateway] [metric]
>     setup IPv6 routing in the system to send the specified IPv6 net-
>     work into OpenVPN's ``tun''.  The gateway parameter is only used
>     for  IPv6  routes  across  ``tap''  devices, and if missing, the
>     ``ipv6remote'' field from --ifconfig-ipv6 is used.
> 
> I have opened an issue for this [1] and I will prepare a patch for it.
> 
> [1] https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/71
> 
> Beniamino

Hello Beniamino,

This seems great, thank you!

On an unrelated subject, may I ask here why NM tries to reroute everything
through the vpn by default instead of letting the vpn server decide the default
behaviour?

I find it somewhat counterintuitive but there's certainly a good reason!

Thanks again,

samuel
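Added example (my own code, not Beniamino's patch nor NetworkManager-openvpn): it models the two readings of a pushed `ifconfig-ipv6` contrasted above and adds a check over `ip -6 addr show tun0` output to tell which one a client ended up with. The addresses are the ones from the messages above; the names plan_from_pushed, nm_issue71_command and check_tun_address are mine, and the route-ipv6 handling follows the manual text quoted above (second argument used as fallback gateway).

```python
"""Added example (not NetworkManager-openvpn or OpenVPN code): pushed
ifconfig-ipv6 / route-ipv6 handling as 'man openvpn' describes it, the peer
form the thread attributes to NetworkManager, and a check over 'ip -6 addr
show' output that tells the two apart."""
import ipaddress
import re

def plan_from_pushed(options, dev="tun0"):
    """'ip' commands per the manual: ifconfig-ipv6's first argument is the
    address/prefix, the second only a fallback gateway for route-ipv6."""
    address = fallback_gw = None
    routes = []
    for line in options:
        parts = line.split()
        if parts[:1] == ["ifconfig-ipv6"]:
            ipaddress.IPv6Interface(parts[1])  # validates 'ipv6addr/bits'
            ipaddress.IPv6Address(parts[2])    # validates 'ipv6remote'
            address, fallback_gw = parts[1], parts[2]
        elif parts[:1] == ["route-ipv6"]:
            routes.append(parts[1:])
    if address is None:
        raise ValueError("no ifconfig-ipv6 was pushed")
    cmds = [f"ip -6 addr add {address} dev {dev}"]
    for route in routes:  # 'route-ipv6 net/bits [gateway]'; metric ignored here
        net = str(ipaddress.IPv6Network(route[0]))
        gw = route[1] if len(route) > 1 else fallback_gw
        cmds.append(f"ip -6 route add {net} via {gw} dev {dev}")
    return cmds

def nm_issue71_command(options, dev="tun0"):
    """What the thread says NetworkManager did instead (issue 71): the
    second argument becomes a point-to-point peer."""
    for line in options:
        parts = line.split()
        if parts[:1] == ["ifconfig-ipv6"]:
            return f"ip addr add dev {dev} {parts[1]} peer {parts[2]}"
    raise ValueError("no ifconfig-ipv6 was pushed")

# 'inet6 <addr>[/bits] [peer <addr>/bits] scope global ...' as ip(8) prints it
_INET6 = re.compile(r"^\s*inet6\s+(\S+)(?:\s+peer\s+(\S+))?\s+scope\s+global")

def check_tun_address(ip_addr_output, expected):
    """'ok' if expected address/prefix is on the device, 'peer' if it was
    installed in point-to-point form, 'missing' otherwise."""
    want = ipaddress.IPv6Interface(expected)
    for line in ip_addr_output.splitlines():
        m = _INET6.match(line)
        if not m:
            continue
        local = ipaddress.IPv6Interface(m.group(1))
        if m.group(2) is not None and local.ip == want.ip:
            return "peer"
        if m.group(2) is None and local == want:
            return "ok"
    return "missing"

# Constructed samples, copied from the thread's two 'ip a l tun0' listings.
NM_OUTPUT = """    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute
   valid_lft forever preferred_lft forever
"""
CLI_OUTPUT = """    inet6 2001:bc8:3d1d:1337::1002/64 scope global
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy
"""
```

check_tun_address(NM_OUTPUT, "2001:bc8:3d1d:1337::1002/64") returns 'peer' for the NetworkManager listing and 'ok' for the CLI one, which is a quick way to confirm whether a given client is hit by issue 71.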




Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-03 Thread Samuel Le Thiec via networkmanager-list
On Tue, 2021-06-01 at 21:52 +0000, Samuel Le Thiec via networkmanager-list wrote:
> On Tue, 2021-06-01 at 13:27 +0000, Samuel Le Thiec via networkmanager-list wrote:
> > Note: sorry for the potential duplicate email, I sent it before & after
> > having registered to the list!
> > 
> > Hello all,
> > 
> > I have a working openvpn config (see below) which I can't get to fully
> > work with Network Manager: the private IPv6 network is not accessible when
> > connecting to the VPN with NM(*).
> > 
> > Here is what I get for tun0 when connecting with NM:
> > 
> > $ ip a l tun0
> > 17: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none 
> >     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
> >    valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute 
> >    valid_lft forever preferred_lft forever
> > 
> > When connecting with systemd or via the command line (sudo openvpn --config
> > vpn.conf):
> > 
> > $ ip a l tun0
> > 14: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
> >     link/none 
> >     inet 10.66.6.4/24 scope global tun0
> >    valid_lft forever preferred_lft forever
> >     inet6 2001:bc8:3d1d:1337::1002/64 scope global 
> >    valid_lft forever preferred_lft forever
> >     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy 
> >    valid_lft forever preferred_lft forever
> > 
> > → Note the scope global inet6 differences above: peer vs subnet
> > 
> > (*) In order to avoid having all my traffic routed through the vpn, I did
> > check "Use this connection only for resources on its network" for IPv4 &
> > IPv6.
> > 
> > Is there a way to make Network Manager behave like openvpn --config
> > vpn.conf?
> > 
> Hello again:)
> 
> I don't know why this would be needed, but I noticed this can be worked
> around by pushing the route towards the server-ipv6 subnet from the openvpn
> server, with the directive:
> 
> push "route-ipv6 2001:bc8:3d1d:1337::/64"
> 

For a moment I thought that Network Manager may be assuming a point-to-point
topology for the VPN instead of the "topology subnet" as specified in the
server.conf, so I did try to 'push "topology subnet"' to the clients, but it
didn't help: without the 'push "route-ipv6 .."' above, the client is still
missing the route to the subnet.

> I can totally live with that, but is it the expected behaviour? If so, why
> does it differ from starting openvpn manually from the cli or even as a
> systemd openvpn-client@.service?
> 
> Thanks in advance!
> 
> samuel
> 

> > Here is additional information:
> > 
> > $ nmcli device show tun0 
> > GENERAL.DEVICE: tun0
> > GENERAL.TYPE:   tun
> > GENERAL.HWADDR: (unknown)
> > GENERAL.MTU:    1500
> > GENERAL.STATE:  100 (connected (externally))
> > GENERAL.CONNECTION: tun0
> > GENERAL.CON-PATH:   /org/freedesktop/NetworkManager/ActiveConnection/27
> > IP4.ADDRESS[1]: 10.66.6.4/24
> > IP4.GATEWAY:    --
> > IP4.ROUTE[1]:   dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> > IP6.ADDRESS[1]: 2001:bc8:3d1d:1337::1002/64
> > IP6.GATEWAY:    --
> > IP6.ROUTE[1]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> > IP6.ROUTE[2]:   dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> > IP6.ROUTE[3]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
> > 
> > And the openvpn client config I imported from NM (minus the certs):
> >    | client
> >    | dev tun
> >    | #
Re: openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-01 Thread Samuel Le Thiec via networkmanager-list
Hello again:)

I don't know why this would be needed, but I noticed this can be worked around
by pushing the route towards the server-ipv6 subnet from the openvpn server,
with the directive:

push "route-ipv6 2001:bc8:3d1d:1337::/64"

I can totally live with that, but is it the expected behaviour? If so, why does
it differ from starting openvpn manually from the cli or even as a systemd
openvpn-client@.service?

Thanks in advance!

samuel

On Tue, 2021-06-01 at 13:27 +0000, Samuel Le Thiec via networkmanager-list wrote:
> Note: sorry for the potential duplicate email, I sent it before & after having
> registered to the list!
> 
> Hello all,
> 
> I have a working openvpn config (see below) which I can't get to fully work
> with Network Manager: the private IPv6 network is not accessible when
> connecting to the VPN with NM(*).
> 
> Here is what I get for tun0 when connecting with NM:
> 
> $ ip a l tun0
> 17: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
>     link/none 
>     inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
>    valid_lft forever preferred_lft forever
>     inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute 
>    valid_lft forever preferred_lft forever
> 
> When connecting with systemd or via the command line (sudo openvpn --config
> vpn.conf):
> 
> $ ip a l tun0
> 14: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
>     link/none 
>     inet 10.66.6.4/24 scope global tun0
>    valid_lft forever preferred_lft forever
>     inet6 2001:bc8:3d1d:1337::1002/64 scope global 
>    valid_lft forever preferred_lft forever
>     inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy 
>    valid_lft forever preferred_lft forever
> 
> → Note the scope global inet6 differences above: peer vs subnet
> 
> (*) In order to avoid having all my traffic routed through the vpn, I did
> check "Use this connection only for resources on its network" for IPv4 & IPv6.
> 
> Is there a way to make Network Manager behave like openvpn --config vpn.conf?
> 
> Here is additional information:
> 
> $ nmcli device show tun0 
> GENERAL.DEVICE: tun0
> GENERAL.TYPE:   tun
> GENERAL.HWADDR: (unknown)
> GENERAL.MTU:    1500
> GENERAL.STATE:  100 (connected (externally))
> GENERAL.CONNECTION: tun0
> GENERAL.CON-PATH:   /org/freedesktop/NetworkManager/ActiveConnection/27
> IP4.ADDRESS[1]: 10.66.6.4/24
> IP4.GATEWAY:    --
> IP4.ROUTE[1]:   dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
> IP6.ADDRESS[1]: 2001:bc8:3d1d:1337::1002/64
> IP6.GATEWAY:    --
> IP6.ROUTE[1]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
> IP6.ROUTE[2]:   dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
> IP6.ROUTE[3]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50
> 
> And the openvpn client config I imported from NM (minus the certs):
>    | client
>    | dev tun
>    | # try standard port first
>    | remote hub.nsoc.fr
>    | remote hub.nsoc.fr 53
>    | ping 25
>    | ping-restart 120
>    | persist-key
>    | persist-tun
>    | tls-version-min 1.3
>    | remote-cert-tls server
>    | mute-replay-warnings
>    |
>    | askpass
>    | verb 3
>    |
>    | 
>    | 
>    | 
>    | 
> 
> Thank you in advance!
> 
> Samuel
> 


openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-01 Thread Samuel Le Thiec via networkmanager-list
Note: sorry for the potential duplicate email, I sent it before & after having
registered to the list!

Hello all,

I have a working openvpn config (see below) which I can't get to fully work
with Network Manager: the private IPv6 network is not accessible when
connecting to the VPN with NM(*).

Here is what I get for tun0 when connecting with NM:

$ ip a l tun0
17: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
   valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute 
   valid_lft forever preferred_lft forever

When connecting with systemd or via the command line (sudo openvpn --config
vpn.conf):

$ ip a l tun0
14: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.66.6.4/24 scope global tun0
   valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global 
   valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy 
   valid_lft forever preferred_lft forever

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my traffic routed through the vpn, I did check
"Use this connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Here is additional information:

$ nmcli device show tun0 
GENERAL.DEVICE: tun0
GENERAL.TYPE:   tun
GENERAL.HWADDR: (unknown)
GENERAL.MTU:    1500
GENERAL.STATE:  100 (connected (externally))
GENERAL.CONNECTION: tun0
GENERAL.CON-PATH:   /org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]: 10.66.6.4/24
IP4.GATEWAY:    --
IP4.ROUTE[1]:   dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]: 2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:    --
IP6.ROUTE[1]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:   dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50

And the openvpn client config I imported from NM (minus the certs):
   | client
   | dev tun
   | # try standard port first
   | remote hub.nsoc.fr
   | remote hub.nsoc.fr 53
   | ping 25
   | ping-restart 120
   | persist-key
   | persist-tun
   | tls-version-min 1.3
   | remote-cert-tls server
   | mute-replay-warnings
   |
   | askpass
   | verb 3
   |
   | 
   | 
   | 
   | 


Thank you in advance!

Samuel



openvpn.conf working on the CLI and with systemd but not with NM: wrong IPv6 setting when configuring the tun interface?

2021-06-01 Thread Samuel Le Thiec via networkmanager-list
Hello all,

Please, make sure to CC me in your replies so I'm sure to get them!

I have a working openvpn config (see below) which I can't get to fully work
with Network Manager: the private IPv6 network is not accessible when
connecting to the VPN with NM(*).

Here is what I get for tun0 when connecting with NM:

$ ip a l tun0
17: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.66.6.4/24 brd 10.66.6.255 scope global noprefixroute tun0
   valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002 peer 2001:bc8:3d1d:1337::1/64 scope global noprefixroute 
   valid_lft forever preferred_lft forever

When connecting with systemd or via the command line (sudo openvpn --config
vpn.conf):

$ ip a l tun0
14: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.66.6.4/24 scope global tun0
   valid_lft forever preferred_lft forever
    inet6 2001:bc8:3d1d:1337::1002/64 scope global 
   valid_lft forever preferred_lft forever
    inet6 fe80::24b7:bb72:a319:252d/64 scope link stable-privacy 
   valid_lft forever preferred_lft forever

→ Note the scope global inet6 differences above: peer vs subnet

(*) In order to avoid having all my traffic routed through the vpn, I did check
"Use this connection only for resources on its network" for IPv4 & IPv6.

Is there a way to make Network Manager behave like openvpn --config vpn.conf?

Here is additional information:

$ nmcli device show tun0 
GENERAL.DEVICE: tun0
GENERAL.TYPE:   tun
GENERAL.HWADDR: (unknown)
GENERAL.MTU:    1500
GENERAL.STATE:  100 (connected (externally))
GENERAL.CONNECTION: tun0
GENERAL.CON-PATH:   /org/freedesktop/NetworkManager/ActiveConnection/27
IP4.ADDRESS[1]: 10.66.6.4/24
IP4.GATEWAY:    --
IP4.ROUTE[1]:   dst = 10.66.6.0/24, nh = 0.0.0.0, mt = 50
IP6.ADDRESS[1]: 2001:bc8:3d1d:1337::1002/64
IP6.GATEWAY:    --
IP6.ROUTE[1]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 256
IP6.ROUTE[2]:   dst = 2001:bc8:3d1d:1337::1002/128, nh = ::, mt = 50
IP6.ROUTE[3]:   dst = 2001:bc8:3d1d:1337::1/128, nh = ::, mt = 50


And the openvpn client config I imported from NM (minus the certs):
   | client
   | dev tun
   | # try standard port first
   | remote hub.nsoc.fr
   | remote hub.nsoc.fr 53
   | ping 25
   | ping-restart 120
   | persist-key
   | persist-tun
   | tls-version-min 1.3
   | remote-cert-tls server
   | mute-replay-warnings
   |
   | askpass
   | verb 3
   |
   | 
   | 
   | 
   | 


Thank you in advance!

Samuel
