Re: Add OpenVPN support
Hi Jeff, On Mon, Nov 22, 2010 at 03:55:52PM +0800, Zheng, Jeff wrote: On Thu, Nov 18, 2010 at 04:28:22PM +0100, Daniel Wagner wrote: Hi Jeff, On Thu, Nov 18, 2010 at 11:07:13PM +0800, Zheng, Jeff wrote: Do you mean openvpn plugin? If this way, I will check next week (I'll annual leave Friday). I just used the rpm that Martin built for MeeGo. Ah, okay. Which version has been packeged? OpenVPN is in 0.63. OpenVPN is in 0.63 = The support for OpenVPN is in connman version 0.63. Though I used 0.63, but OpenVPN might not be built. I built from latest code(74558dc6e1), but connmand crashed: connmand[6323]: Removing default gateway route failed (No such process) connmand[6323]: Aborting (signal 11) connmand[6323]: backtrace connmand[6323]: [0]: [0xb773d400] connmand[6323]: [1]: ./connmand() [0x806e007] connmand[6323]: [2]: ./connmand(connman_rtnl_add_newlink_watch+0xc4) [0x80905c4] connmand[6323]: [3]: ./connmand() [0x806df71] connmand[6323]: [4]: ./connmand() [0x8073078] connmand[6323]: [5]: /lib/libdbus-1.so.3(dbus_connection_dispatch+0x38b) [0x1664bb] connmand[6323]: [6]: ./connmand() [0x8051fc0] connmand[6323]: [7]: /lib/libglib-2.0.so.0() [0xd349cd] connmand[6323]: [8]: /lib/libglib-2.0.so.0(g_main_context_dispatch+0x1b7) [0xd337f9] connmand[6323]: [9]: /lib/libglib-2.0.so.0() [0xd33e20] connmand[6323]: [10]: /lib/libglib-2.0.so.0(g_main_loop_run+0x221) [0xd343b7] connmand[6323]: [11]: ./connmand() [0x8071d4c] connmand[6323]: [12]: /lib/libc.so.6(__libc_start_main+0xe7) [0xac8bb7] connmand[6323]: [13]: ./connmand() [0x8051b61] connmand[6323]: +++ Attached is detailed log file. Can you please ran this log output throught the test/backtrace script? thanks, daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
RE: Add OpenVPN support
Can you please ran this log output throught the test/backtrace script? backtrace [0]: vpn_newlink() [vpn.c:147] [1]: connman_rtnl_add_newlink_watch() [rtnl.c:244] [2]: vpn_notify() [vpn.c:171] [3]: task_filter() [task.c:402] [4]: message_dispatch() [mainloop.c:80] [5]: main() [main.c:262] [6]: _start() [iptables.c:0] --- ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
On Mon, Nov 22, 2010 at 04:15:19PM +0800, Zheng, Jeff wrote: Can you please ran this log output throught the test/backtrace script? backtrace [0]: vpn_newlink() [vpn.c:147] [1]: connman_rtnl_add_newlink_watch() [rtnl.c:244] [2]: vpn_notify() [vpn.c:171] [3]: task_filter() [task.c:402] [4]: message_dispatch() [mainloop.c:80] [5]: main() [main.c:262] [6]: _start() [iptables.c:0] --- Thanks. Don't know if I have time today to look at it. In case you have time to fix it, please go ahaid :) It looks like a NULL pointer thing to me. daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Jeff, On Thu, Nov 18, 2010 at 03:15:34PM +0800, Zheng, Jeff wrote: Do you mean compile with patch [PATCH v0 1/2] openvpn: add suport for static key setup? compile passed. Yes, I don't have a static key setup (yet). So the patch should compile fine but it will almost certently not work. But I still failed with SSL/TLS (not with the patch): First let's get the TLS setup working. This should work(TM). # connect-vpn openvpn openvpn xfzheng.sh.intel.com sh.intel.com /root/.openvpn/ca.crt /root/.openvpn/client1.crt /root/.openvpn/client1.key This looks okay. sys.argv[7] is /root/.openvpn/client1.key Traceback (most recent call last): File /usr/lib/connman/test/connect-vpn, line 42, in module OpenVPN.Key: sys.argv[7]})) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 68, in __call__ return self._proxy_method(*args, **keywords) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 140, in __call__ **keywords) File /usr/lib/python2.6/site-packages/dbus/connection.py, line 630, in call_blocking message, timeout) dbus.exceptions.DBusException: org.moblin.connman.Error.NotSupported: Not supported Can you post the connman log? I can't figure what's going wrong. I can connect with openvpn directly. I'm using openvpn-2.1.3, both server and client disable comp-lzo. server is in 64bit fedora11 and client in meego 1.1 For reference here is the configuration for my openvpn server: dev tun0 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh1024.pem server 10.1.0.0 255.255.255.0 push redirect-gateway def1 push dhcp-option DNS 85.25.128.10 push dhcp-option DNS 85.25.255.10 push topology net30 The topology and redirect-gateway push isn't really needed. It just a left over from a debugging session. daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
RE: Add OpenVPN support
Hi Daniel, Thanks for quick response. Connmand log attached. Server configure file(remove ^# and ^; lines) is: port 1194 proto udp dev tun ca /CA/private/ca.crt cert /CA/private/server.crt key /CA/private/server.key # This file should be kept secret dh /CA/private/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 persist-key persist-tun status openvpn-status.log verb 3 And below is client configure file that I can connect with openvpn --config this file: client dev tun proto udp remote xfzheng.sh.intel.com 1194 resolv-retry infinite nobind persist-key persist-tun ca /root/.openvpn/ca.crt cert /root/.openvpn/client1.crt key /root/.openvpn/client1.key ns-cert-type server verb 3 Bests Jeff -Original Message- From: Daniel Wagner [mailto:w...@monom.org] Sent: Thursday, November 18, 2010 4:17 PM To: Zheng, Jeff Cc: connman@connman.net Subject: Re: Add OpenVPN support Hi Jeff, On Thu, Nov 18, 2010 at 03:15:34PM +0800, Zheng, Jeff wrote: Do you mean compile with patch [PATCH v0 1/2] openvpn: add suport for static key setup? compile passed. Yes, I don't have a static key setup (yet). So the patch should compile fine but it will almost certently not work. But I still failed with SSL/TLS (not with the patch): First let's get the TLS setup working. This should work(TM). # connect-vpn openvpn openvpn xfzheng.sh.intel.com sh.intel.com /root/.openvpn/ca.crt /root/.openvpn/client1.crt /root/.openvpn/client1.key This looks okay. sys.argv[7] is /root/.openvpn/client1.key Traceback (most recent call last): File /usr/lib/connman/test/connect-vpn, line 42, in module OpenVPN.Key: sys.argv[7]})) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 68, in __call__ return self._proxy_method(*args, **keywords) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 140, in __call__ **keywords) File /usr/lib/python2.6/site-packages/dbus/connection.py, line 630, in call_blocking message, timeout) dbus.exceptions.DBusException: org.moblin.connman.Error.NotSupported: Not supported Can you post the connman log? I can't figure what's going wrong. I can connect with openvpn directly. I'm using openvpn-2.1.3, both server and client disable comp-lzo. server is in 64bit fedora11 and client in meego 1.1 For reference here is the configuration for my openvpn server: dev tun0 ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key dh /etc/openvpn/keys/dh1024.pem server 10.1.0.0 255.255.255.0 push redirect-gateway def1 push dhcp-option DNS 85.25.128.10 push dhcp-option DNS 85.25.255.10 push topology net30 The topology and redirect-gateway push isn't really needed. It just a left over from a debugging session. daniel connman.log.gz Description: connman.log.gz ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Jeff, On Thu, Nov 18, 2010 at 04:44:04PM +0800, Zheng, Jeff wrote: Thanks for quick response. Connmand log attached. Thanks. I see that passing the values through the provider works. But I don't see anything about the openvpn plugin, e.g. I have following in my log file: connmand[5579]: src/provider.c:connman_provider_driver_register() driver 0x18b3918 name openvpn connmand[5579]: src/provider.c:connman_provider_driver_register() driver 0x18b3a38 name openconnect Can you check if openvpn is built? daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Jeff, On Thu, Nov 18, 2010 at 11:07:13PM +0800, Zheng, Jeff wrote: Do you mean openvpn plugin? If this way, I will check next week (I'll annual leave Friday). I just used the rpm that Martin built for MeeGo. Ah, okay. Which version has been packeged? OpenVPN is in 0.63. I don't have a MeeGo running. Looking at the repo.meego.org, I think 0.60.5 has been used, right? Is OpenVPN already packaged for MeeGo? :) daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
On Thu, Nov 18, 2010 at 04:28:22PM +0100, Daniel Wagner wrote: Hi Jeff, On Thu, Nov 18, 2010 at 11:07:13PM +0800, Zheng, Jeff wrote: Do you mean openvpn plugin? If this way, I will check next week (I'll annual leave Friday). I just used the rpm that Martin built for MeeGo. Ah, okay. Which version has been packeged? OpenVPN is in 0.63. OpenVPN is in 0.63 = The support for OpenVPN is in connman version 0.63. daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Jeff, On Wed, Nov 17, 2010 at 01:58:26PM +0800, Zheng, Jeff wrote: How can I use connect-vpn script? I can connect to a point to point server with: openvpn --config config The content of config is: remote xfzheng.sh.intel.com dev tun ifconfig 10.8.0.2 10.8.0.1 secret static.key Currently the plugin can handly only the tls setup. In order to support the static key mode there is need for some more openvpn argument handling. In this config file I don't see cafile and certfile that connect-vpn needs So I ignore these two parameters in script but it still complains: # connect-vpn openvpn myvpn xfzheng.sh.intel.com mydomain.com 1 1 static.key Yeah, that wont work right now. First the script needs get smarter and then the key has to passed in the provider and the openvpn plugin has to pass this to the openvpn argument list. Can you give the patches I'll append to this mail a try? Only compiled, not really tested. I think the 'ifconfig' argument is not really working since it needs to arguments. daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Can you give the patches I'll append to this mail a try? Only compiled, not really tested. I think the 'ifconfig' argument is not really working since it needs to arguments. ... it needs two arguments. ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
RE: Add OpenVPN support
Hi Daniel, Do you mean compile with patch [PATCH v0 1/2] openvpn: add suport for static key setup? compile passed. But I still failed with SSL/TLS (not with the patch): # connect-vpn openvpn openvpn xfzheng.sh.intel.com sh.intel.com /root/.openvpn/ca.crt /root/.openvpn/client1.crt /root/.openvpn/client1.key sys.argv[7] is /root/.openvpn/client1.key Traceback (most recent call last): File /usr/lib/connman/test/connect-vpn, line 42, in module OpenVPN.Key: sys.argv[7]})) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 68, in __call__ return self._proxy_method(*args, **keywords) File /usr/lib/python2.6/site-packages/dbus/proxies.py, line 140, in __call__ **keywords) File /usr/lib/python2.6/site-packages/dbus/connection.py, line 630, in call_blocking message, timeout) dbus.exceptions.DBusException: org.moblin.connman.Error.NotSupported: Not supported I can connect with openvpn directly. I'm using openvpn-2.1.3, both server and client disable comp-lzo. server is in 64bit fedora11 and client in meego 1.1 Bests Jeff -Original Message- From: Daniel Wagner [mailto:w...@monom.org] Sent: Wednesday, November 17, 2010 6:19 PM To: Zheng, Jeff Cc: connman@connman.net Subject: Re: Add OpenVPN support Hi Jeff, On Wed, Nov 17, 2010 at 01:58:26PM +0800, Zheng, Jeff wrote: How can I use connect-vpn script? I can connect to a point to point server with: openvpn --config config The content of config is: remote xfzheng.sh.intel.com dev tun ifconfig 10.8.0.2 10.8.0.1 secret static.key Currently the plugin can handly only the tls setup. In order to support the static key mode there is need for some more openvpn argument handling. In this config file I don't see cafile and certfile that connect-vpn needs So I ignore these two parameters in script but it still complains: # connect-vpn openvpn myvpn xfzheng.sh.intel.com mydomain.com 1 1 static.key Yeah, that wont work right now. First the script needs get smarter and then the key has to passed in the provider and the openvpn plugin has to pass this to the openvpn argument list. Can you give the patches I'll append to this mail a try? Only compiled, not really tested. I think the 'ifconfig' argument is not really working since it needs to arguments. daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Samuel, On Wed, Nov 03, 2010 at 03:12:42PM +0100, Samuel Ortiz wrote: All patches (except the openconnect one) applied now. I'd appreciate if you could give it a try against your OpenVPN setup. I have it running now for a day. Also did some disconnect and reconnect. Every thing works fine for me. cheers, daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN support
Hi Daniel, On Tue, Nov 02, 2010 at 06:19:29PM +0100, Daniel Wagner wrote: Hi, This version works for me stable. The problem was the OpenVPN does an inactivity check and if this is true then it does automatically a reconnection. This fails currently because the DNS server is behind the not-existing tunnel... This feature is now disabled. The automake magic now works for all cases. I have builded all variants and it worked as expected. Samuel: Would you like me to cleanup the first patch? Or do you have something better in the pipe? So I have cleaned the first patch up, and split it into several pieces. I also changed the property name from Destination to Peer. All patches (except the openconnect one) applied now. I'd appreciate if you could give it a try against your OpenVPN setup. Cheers, Samuel. -- Intel Open Source Technology Centre http://oss.intel.com/ ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN Support
Good Morning Samuel, On Wed, Oct 27, 2010 at 02:05:49AM +0200, Samuel Ortiz wrote: Hi Daniel, On Tue, Oct 26, 2010 at 03:54:23PM +0200, Daniel Wagner wrote: Hi, yet another update on this patch. OpenVPN is now running, but I'm struggling with the settings. The OpenVPN server settings seems broken. I can ping the server address (10.1.0.1) from my client (10.1.0.6). But everything else doesn't work yet. Some more debugging needed here :) Another thing I found out is that if there is no netmask set on the provider, connman does not setup the route. Don't know if this a bug in connman or in my setup. Although your OpenVPN server should probably provide you with a proper netmask, I just pushed a patch to have ConnMan being less pedantic about the netmask. So your routes should be set now (Which might also fix the problem you're describing in the first paragraph), could you please try ? OpenVPN only pushes a netmask for tap devices not for tun devices: --up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. For --dev tun execute as: cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ] For --dev tap execute as: cmd tap_dev tap_mtu link_mtu ifconfig_local_ip ifconfig_netmask [ init | restart ] and vpn.c sets up a tun device. The patch looks good to me otherwise, except for the Makefile.plugins hack. Marcel told me he will try to find out why we're linking twice when a source file is defined twice in builtin_sources. Thanks. Most likely I would have to spend a week to figure out what's going on. So any help is highly appreciated. cheers, daniel ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
Re: Add OpenVPN Support
Hi Samuel,
On Wed, Oct 27, 2010 at 02:05:49AM +0200, Samuel Ortiz wrote:
Hi Daniel,
On Tue, Oct 26, 2010 at 03:54:23PM +0200, Daniel Wagner wrote:
Hi,
yet another update on this patch. OpenVPN is now running, but I'm
struggling with the settings. The OpenVPN server settings seems
broken. I can ping the server address (10.1.0.1) from my client
(10.1.0.6). But everything else doesn't work yet. Some more debugging
needed here :)
Another thing I found out is that if there is no netmask set on the
provider, connman does not setup the route. Don't know if this a bug
in connman or in my setup.
Although your OpenVPN server should probably provide you with a proper
netmask, I just pushed a patch to have ConnMan being less pedantic about the
netmask. So your routes should be set now (Which might also fix the problem
you're describing in the first paragraph), could you please try ?
The netmask problem is solved.
I fixed my server setup, so all the traffic is routed to the openvpn
server and the server acts as default gateway. On the server I have
following configuration:
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.1.0.0 255.255.255.0
push redirect-gateway def1
push dhcp-option DNS 85.25.128.10
push dhcp-option DNS 85.25.255.10
On the client side I have:
client
dev tun
remote hotel311.server4you.de
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert freakazoid.crt
key freakazoid.key
The def1 flag does:
def1 -- Use this flag to override the default gateway by using
0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This
has the benefit of overriding but not wiping out the
original default gateway
So starting openvpn without connman (just fetch local IP address with
dhclient), the routing table looks like this:
$ ip r
85.25.146.15 via 192.168.0.254 dev eth0
10.1.0.5 dev tun0 proto kernel scope link src 10.1.0.6
10.1.0.1 via 10.1.0.5 dev tun0
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.101.14
0.0.0.0/1 via 10.1.0.5 dev tun0
128.0.0.0/1 via 10.1.0.5 dev tun0
default via 192.168.0.254 dev eth0
and everthing works fine. I have to admit I haven't really understood
the 0.0.0.0/1 and 128.0.0.0/1 magic but it helped in my case :)
If I use connman with openvpn together then the routing looks like
this:
$ ip r
10.1.0.5 via 192.168.0.254 dev eth0
10.1.0.5 dev vpn0 scope link
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.101.14
default via 10.1.0.6 dev vpn0 scope link
and openvpn complains about not finding the openvpn server:
connmand[10724]: vpn0 {create} index 17 type 65534 NONE
connmand[10724]: vpn0 {update} flags 4240 DOWN
connmand[10724]: vpn0 {newlink} index 17 operstate 2 DOWN
openvpn[10730]: OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL]
[PKCS11] built on Jan 5 2010
openvpn[10730]: WARNING: No server certificate verification method has been
enabled. See http://openvpn.net/howto.html#mitm for more info.
openvpn[10730]: NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
openvpn[10730]: UDPv4 link local: [undef]
openvpn[10730]: UDPv4 link remote: 85.25.146.15:1194
openvpn[10730]: [toronto053.server4you.de] Peer Connection Initiated with
85.25.146.15:1194
openvpn[10730]: TUN/TAP device vpn0 opened
openvpn[10730]: /home/wagi/src/connman/scripts/openvpn-script vpn0 1500 1541
10.1.0.6 10.1.0.5 init
openvpn[10730]: Initialization Sequence Completed
connmand[10724]: vpn0 {newlink} index 17 operstate 2 DOWN
connmand[10724]: vpn0 {update} flags 69841 UP,RUNNING,LOWER_UP
connmand[10724]: vpn0 {newlink} index 17 operstate 0 UNKNOWN
connmand[10724]: vpn0 up
connmand[10724]: vpn0 lower up
connmand[10724]: Deleting host route failed (No such process)
connmand[10724]: Removing default gateway route failed (No such process)
connmand[10724]: Enabling DNS server 192.168.100.4
connmand[10724]: Deleting host route failed (No such process)
connmand[10724]: Removing default gateway route failed (No such process)
connmand[10724]: Adding DNS server 85.25.128.10
connmand[10724]: vpn0 {add} address 10.1.0.6/32 label vpn0
connmand[10724]: vpn0 ip bound
openvpn[10730]: write UDPv4 []: Network is unreachable (code=101)
connmand[10724]: vpn0 {add} route 10.1.0.5 gw 0.0.0.0 scope 253 LINK
connmand[10724]: eth0 {add} route 10.1.0.5 gw 192.168.0.254 scope 0 UNIVERSE
connmand[10724]: eth0 {del} route 192.168.0.254 gw 0.0.0.0 scope 253 LINK
connmand[10724]: eth0 ip release
connmand[10724]: eth0 {del} route 0.0.0.0 gw 192.168.0.254 scope 0 UNIVERSE
connmand[10724]: Enabling DNS server 192.168.100.4
connmand[10724]: Disabling DNS server 85.25.128.10
connmand[10724]: Disabling DNS server 192.168.100.4
connmand[10724]: Enabling DNS server 85.25.128.10
connmand[10724]: vpn0 {add} route 0.0.0.0
Re: Add OpenVPN Support
Hi Daniel, On Tue, Oct 26, 2010 at 03:54:23PM +0200, Daniel Wagner wrote: Hi, yet another update on this patch. OpenVPN is now running, but I'm struggling with the settings. The OpenVPN server settings seems broken. I can ping the server address (10.1.0.1) from my client (10.1.0.6). But everything else doesn't work yet. Some more debugging needed here :) Another thing I found out is that if there is no netmask set on the provider, connman does not setup the route. Don't know if this a bug in connman or in my setup. Although your OpenVPN server should probably provide you with a proper netmask, I just pushed a patch to have ConnMan being less pedantic about the netmask. So your routes should be set now (Which might also fix the problem you're describing in the first paragraph), could you please try ? The patch looks good to me otherwise, except for the Makefile.plugins hack. Marcel told me he will try to find out why we're linking twice when a source file is defined twice in builtin_sources. Cheers, Samuel. -- Intel Open Source Technology Centre http://oss.intel.com/ ___ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
