Ubuntu
network-manager-openvpn package

nm-openvpn with preshared key doesn't work

Bug #193686 reported by Lorant Nemeth on 2008-02-20

This bug report is a duplicate of: Bug #451533: network-manager openvpn does not support static key. Edit Remove

This bug affects 8 people

Affects		Status	Importance	Assigned to	Milestone
	network-manager-openvpn (Ubuntu)	New	Undecided	Unassigned

Bug Description

Binary package hint: network-manager-openvpn

Hi,

I can't get openvpn with preshared key working with network-manager (from command line it works fine). Problem seems to be, that although I don't use tls mode there's a parameter added (not configurable nor via gui nor via gconf editor) which is valid only in tls mode (ns_cert_type). See syslog output below:

Feb 20 15:20:17 kolibri ntpd[5860]: Deleting interface #6 tun0, 192.168.200.2#123, interface stats: received=0, sent=0, dropped=0, active_time=900 secs
Feb 20 15:32:40 kolibri NetworkManager: <info> Will activate VPN connection 'Example-openvpn', service 'org.freedesktop.NetworkManager.openvpn', user_name 'loci', vpn_data 'connection-type / shared-key / dev / tun / remote / alnitak / port / 1194 / proto / udp / servercert-insecure / no / ca / / cert / / key / / comp-lzo / no / shared-key / /home/loci/static.key / local-ip / 192.168.200.2 / remote-ip / 192.168.200.1 / username / ', route ''.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 1 of 4 (Connection Prepare) scheduled...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 1 of 4 (Connection Prepare) ran VPN service daemon org.freedesktop.NetworkManager.openvpn (PID 7392)
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 1 of 4 (Connection Prepare) complete.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 2 of 4 (Connection Prepare Wait) scheduled...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 1 -> 6.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 2 of 4 (Connection Prepare Wait) waiting...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 2 of 4 (Connection Prepare Wait) complete.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 3 of 4 (Connect) scheduled...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 3 of 4 (Connect) sending connect request.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 3 of 4 (Connect) request sent, waiting for reply...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 6 -> 3.
Feb 20 15:32:40 kolibri nm-openvpn[7395]: Options error: Parameter ns_cert_type can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Feb 20 15:32:40 kolibri nm-openvpn[7395]: Use --help for more information.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 3 of 4 (Connect) reply received.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 4 of 4 (IP Config Get) timeout scheduled...
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN Activation (Example-openvpn) Stage 3 of 4 (Connect) complete, waiting for IP configuration...
Feb 20 15:32:40 kolibri NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.
Feb 20 15:32:40 kolibri NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6.
Feb 20 15:32:40 kolibri NetworkManager: <WARN> nm_vpn_service_stop_connection(): (VPN Service org.freedesktop.NetworkManager.openvpn): could not stop connection 'Example-openvpn' because service was 6.

Revision history for this message

Thomas Novin (thomasn80) wrote on 2008-05-13:

Hello

Please export the configuration and attach it here. Also try it from command line and also attach that working configuration here.

Revision history for this message

pittipatti (pittipatti) wrote on 2008-05-22:

routus.pcf Edit (275 bytes, application/x-font)

The command-line which is executed when openvpn gets called is:

/usr/sbin/openvpn --remote routus.ip.addr --ns-cert-type server --nobind --dev tun --proto udp --port 1194 --syslog nm-openvpn --up /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --secret dev --secret /home/patrick/test.key --ifconfig 192.168.1.222 192.168.1.220

When removing the parameter "--ns-cert-type server" through a wrapper-script to openvpn openvpn starts fine, but the "nm-openvpn-service-openvpn-helper" complains, that it can't pull configuration data:

May 22 09:19:52 portus nm-openvpn-service-openvpn-helper: <WARNING>^I main (): nm-openvpn-service-openvpn-helper didn't receive a VPN Gateway from openvpn.
May 22 09:19:52 portus nm-openvpn[13076]: script failed: shell command exited with error status: 1

after removing the "--up" parameter through the wrapper-script, too, openvpn starts fine and the tunnel can be user for quite some sekonds, but then network-manager complains:

May 22 09:24:04 portus NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.

starting openvpn from the command line with the parameters mentioned above (without --ns-cert-type and --up) works fine.

Revision history for this message

woodguy (poeschl) wrote on 2008-07-26:

Download full text (3.3 KiB)

got the same issue here. it works fine from the commandline, but via
network-manager-openvpn I get the following error (same as above).

I use a preshared key too.

Jul 26 18:45:59 trinity NetworkManager: <info> Will activate VPN connection 'stern', service 'org.freedesktop.NetworkManager.openvpn', user_name 'up', vpn_data 'connection-type / shared-key / dev / tun / remote / 213.208.137.47 / port / 1194 / proto / udp / servercert-insecure / no / ca / / cert / / key / / comp-lzo / yes / shared-key / /home/up/roterstern_openvpn.key / local-ip / 10.1.0.2 / remote-ip / 10.1.0.1 / username / ', route ''.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 1 of 4 (Connection Prepare) scheduled...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 1 of 4 (Connection Prepare) ran VPN service daemon org.freedesktop.NetworkManager.openvpn (PID 2474)
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 1 of 4 (Connection Prepare) complete.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) scheduled...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 1 -> 6.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) waiting...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) complete.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 3 of 4 (Connect) scheduled...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 3 of 4 (Connect) sending connect request.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 3 of 4 (Connect) request sent, waiting for reply...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 6 -> 3.
Jul 26 18:45:59 trinity nm-openvpn[2477]: Options error: Parameter ns_cert_type can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Jul 26 18:45:59 trinity nm-openvpn[2477]: Use --help for more information.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 3 of 4 (Connect) reply received.
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 4 of 4 (IP Config Get) timeout scheduled...
Jul 26 18:45:59 trinity NetworkManager: <info> VPN Activation (stern) Stage 3 of 4 (Connect) complete, waiting for IP configuration...
Jul 26 18:45:59 trinity NetworkManager: <WARN> nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'.
Jul 26 18:45:59 trinity NetworkManager: <debug> [1217090759.633709] nm_dbus_signal_filter(): NetworkManagerInfo triggered update of VPN connection 'stern'
Jul 26 18:45:59 trinity NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6.
Jul 26 ...

got the same issue here. it works fine from the commandline, but via 
network-manager-openvpn I get the following error (same as above).

I use a preshared key too.

Jul 26 18:45:59 trinity NetworkManager: <info>  Will activate VPN connection 'stern', service 'org.freedesktop.NetworkManager.openvpn', user_name 'up', vpn_data 'connection-type / shared-key / dev / tun / remote / 213.208.137.47 / port / 1194 / proto / udp / servercert-insecure / no / ca /  / cert /  / key /  / comp-lzo / yes / shared-key / /home/up/roterstern_openvpn.key / local-ip / 10.1.0.2 / remote-ip / 10.1.0.1 / username / ', route ''. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 1 of 4 (Connection Prepare) scheduled... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 1 of 4 (Connection Prepare) ran VPN service daemon org.freedesktop.NetworkManager.openvpn (PID 2474) 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 1 of 4 (Connection Prepare) complete. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) scheduled... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 1 -> 6. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) waiting... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 2 of 4 (Connection Prepare Wait) complete. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 3 of 4 (Connect) scheduled... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 3 of 4 (Connect) sending connect request. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 3 of 4 (Connect) request sent, waiting for reply... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 6 -> 3. 
Jul 26 18:45:59 trinity nm-openvpn[2477]: Options error: Parameter ns_cert_type can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Jul 26 18:45:59 trinity nm-openvpn[2477]: Use --help for more information.
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 3 of 4 (Connect) reply received. 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 4 of 4 (IP Config Get) timeout scheduled... 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN Activation (stern) Stage 3 of 4 (Connect) complete, waiting for IP configuration... 
Jul 26 18:45:59 trinity NetworkManager: <WARN>  nm_vpn_service_process_signal(): VPN failed for service 'org.freedesktop.NetworkManager.openvpn', signal 'ConnectFailed', with message 'The VPN login failed because the VPN program could not connect to the VPN server.'. 
Jul 26 18:45:59 trinity NetworkManager: <debug> [1217090759.633709] nm_dbus_signal_filter(): NetworkManagerInfo triggered update of VPN connection 'stern' 
Jul 26 18:45:59 trinity NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' signaled state change 3 -> 6. 
Jul 26 18:45:59 trinity NetworkManager: <WARN>  nm_vpn_service_stop_connection(): (VPN Service org.freedesktop.NetworkManager.openvpn): could not stop connection 'stern' because service was 6.

Revision history for this message

Serge (snp-z9) wrote on 2008-08-03:

I got the same issue. (network-manager-openvpn 0.3.2svn2342-1ubuntu4 installed, ubuntu 7.10 "gutsy")

I investigated trouble and found:

1. Option "Edit VPN connection -> Optional -> X.509: Allow server certificate without server extension" doesn't needed when using preshared key. If it unchecked, commandline option "--ns-cert-type server" is added to openvpn call and all things gets broken. If it checked, that option is not added.

2. When using preshared key, openvpn doesn't pass environment variable "trusted_ip" to "--up" script, so nm-openvpn-service-openvpn-helper reports "didn't receive a VPN Gateway from openvpn" and returns error code. I wrote small and ugly patch, which can help authors of nm-openvpn to understand problem and to find better solution:

diff -ruN network-manager-openvpn_0.3.2svn2342.orig/src/nm-openvpn-service-openvpn-helper.c network-manager-openvpn_0.3.2svn2342.orig_fixed/src/nm-openvpn-service-openvpn-helper.c
--- network-manager-openvpn_0.3.2svn2342.orig/src/nm-openvpn-service-openvpn-helper.c 2007-02-28 13:57:49.000000000 +0300
+++ network-manager-openvpn_0.3.2svn2342.orig_fixed/src/nm-openvpn-service-openvpn-helper.c 2008-08-03 04:23:35.000000000 +0400
@@ -340,6 +340,7 @@
// print_env();

   vpn_gateway = getenv( "trusted_ip" );
+ if (!vpn_gateway) vpn_gateway = getenv( "remote_1" );
   tundev = getenv ("dev");
   ip4_ptp = getenv("ifconfig_remote");
   ip4_address = getenv("ifconfig_local");

Revision history for this message

trolando (n-launchpad-tvandijk-nl) wrote on 2008-10-16:

I have the same problem.

Simple tunnel, shared key over TCP. Fairly straightforward. Works if I use openvpn from the commandline, fails when using network manager with the error described.

Configuration:

dev tun
proto tcp-client
remote the.ip.address.com
nobind
ifconfig 10.1.2.2 10.1.2.1
up ./home.up
down ./home.down
secret static.key
ping 15
tun-mtu 1500
mssfix 1400
verb 3

Revision history for this message

Jeremy Visser (jeremy-visser) wrote on 2008-11-03:

I get the same issue, too, using NM 0.6.6 on Gentoo with openvpn plugin 0.3.2_p20070621. Haven't yet tested on Hardy, but I will do so soon.

Revision history for this message

Alexander Sack (asac) wrote on 2008-11-03:

please test intrepid instead of hardy which has 0.7

Changed in network-manager-openvpn:
status:	New → Incomplete

Revision history for this message

imachine (m-jedrasik) wrote on 2009-02-19:

I have a problem with 9.04 Jaunty and with 8.10 Intrepid, on both machines whenever I try to use STATIC KEY for OpenVPN, I'm asked for some Local IP Address, which is totally irrelevant.

Some guy tried doing some patches over here: http://<email address hidden>/msg10957.html

I suppose it's upstream, tho how much upstream development of NetworkManager does Ubuntu dev team contribute?

If any, then I guess it's just as valid to mention it here then.

Regards,

Revision history for this message

Benjamin Bach (benjaoming) wrote on 2009-05-07:

Bug also present on 9.04. Tested with shared key and UDP connection. Switching to TLS connection type worked fine.

May 7 19:49:36 host nm-openvpn[4301]: /sbin/ifconfig tun0 192.168.2.1 pointopo
int 192.168.3.1 mtu 1500
May 7 19:49:36 host kernel: [27688.086905] tun0: Disabled Privacy Extensions
May 7 19:49:36 host nm-openvpn[4301]: /usr/lib/network-manager-openvpn/nm-open
vpn-service-openvpn-helper tun0 1500 1544 192.168.2.1 192.168.3.1 init
May 7 19:49:36 host NetworkManager: <info> VPN plugin failed: 2
May 7 19:49:36 host nm-openvpn[4301]: script failed: external program exited w
ith error status: 1
May 7 19:49:36 host nm-openvpn[4301]: Exiting
May 7 19:49:36 host NetworkManager: <info> VPN plugin failed: 1
May 7 19:49:36 host NetworkManager: <info> VPN plugin state changed: 6
May 7 19:49:36 host NetworkManager: <info> VPN plugin state change reason: 0
May 7 19:49:36 host NetworkManager: <WARN> connection_state_changed(): Could
not process the request because no VPN connection was active.

Revision history for this message

Johannes Rohr (jorohr) wrote on 2009-06-18:

#10

same here on Jaunty, using UDP connection, static key., tap device. BTW, in that case the plugin should not ask for a remote IP, instead, openvpn expects the netmask. Actually, both the local IP and the netmask can also be requested via DHCP from a DHCP server on the other side.

Therefore, the whole interface is quite confusing and prone to provoke errors.

And, yes, on the command line openvpn works just fine for me.

Revision history for this message

Johannes Rohr (jorohr) wrote on 2009-06-18:

#11

bug has been confirmed both for intrepid and jaunty, thus the "incomplete" mark is no longer valid.

Changed in network-manager-openvpn (Ubuntu):
status:	Incomplete → New

Revision history for this message

unggnu (unggnu) wrote on 2009-10-19:

#12

This seems to work again in current Karmic, Ubuntu 9.10. It hasn't worked at first but now seems to.
Could somebody confirm this?

Revision history for this message

Johannes Rohr (jorohr) wrote on 2009-10-29:

#13

doesn't work for me, unfortunately. I use a tap device.

Revision history for this message

mikeL (thabird) wrote on 2009-11-24:

#14

It's not working with karmic....

It still forces the user to provide local and ... ip's which aren't needed at all for a straight forward and plain simple static key stetup...

----------------------
dev tap

proto tcp-client

comp-lzo

secret XXXXXXXXXX

remote XXXXXXXXX XXXX

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #451533 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

routus.pcf Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntunetwork-manager-openvpn package

nm-openvpn with preshared key doesn't work

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
network-manager-openvpn package