FS#68567 - [openvpn] Networkmanager broken after last changes

Attached to Project: Arch Linux
Opened by Iyan (iyanmv) - Sunday, 08 November 2020, 18:26 GMT
Last edited by Toolybird (Toolybird) - Saturday, 03 June 2023, 00:04 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 8
Private No

Details

Description:
Connecting to VPN using NetworkManager stopped working after upgrade 2.4.9-2 -> 2.5.0-1. With version 2.5.0-3 from [testing] still same issue.

Closed by  Toolybird (Toolybird)
Saturday, 03 June 2023, 00:04 GMT
Reason for closing:  Fixed
Additional comments about closing:  Included in latest updates.
Comment by RoundCube (RoundCube) - Tuesday, 10 November 2020, 00:52 GMT
Can't confirm. Using 2.5.0-3.
Comment by Iyan (iyanmv) - Tuesday, 10 November 2020, 10:14 GMT
I just double-checked, and it does not work for me. I am using the applet for Plasma, but I can confirm the same issue using nmcli. And checking with journalctl I see that it fails with:
VPN plugin: failed: login-failed (0)
VPN plugin: failed: connect-failed (1)

Downgrading to 2.4.9-2 solves the issue. Can anyone replicate?
Comment by Iyan (iyanmv) - Tuesday, 10 November 2020, 10:16 GMT
Comment by Oleg (o_m) - Thursday, 12 November 2020, 19:00 GMT
Confirm this issue using openvpn 2.5.0-3 and nm-openvpn plugin
Comment by Andrey (melentye) - Sunday, 15 November 2020, 14:50 GMT
Ran into the same issue but without NetworkManager: I use systemd scripts for the openvpn client and the recent change in openvpn 2.5.0-3 with User=openvpn Group=network in the systemd unit breaks things:

- files that are only readable by root in /etc/openvpn can't be read - fair enough
- after chowning the openvpn configs, next error was:

write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting

Turns out this was my firewall having some user-based outbound rules - perhaps that'll save someone a few minutes too.
Comment by Johan (jstrom) - Tuesday, 17 November 2020, 12:29 GMT
I've got a "me too" report. With 2.5.0-3 + networkmanager-openvpn 1.8.12-1 it no longer connects. Downgrading to 2.4.9-2 and it immediately connects.


My nmcli config:

[connection]
id=MyVPN
uuid=f5f235d3-d2df-40b3-b21a-33f8321c74ff
type=vpn
autoconnect=true
#¤permissions=user:johan:;

[vpn]
ca=/etc/ca-certificates/trust-source/anchors/ca.pem
cert=/etc/openvpn/client/client.crt
cert-pass-flags=0
connection-type=tls
key=/etc/openvpn/client/client.key
remote=my.vpn.com
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-128-CBC
remote-cert-tls=server
float=yes

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto




Error when connecting:
nov 17 13:14:39 sgo nm-openvpn[74610]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 74606 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_4 --tun -- tun0 1500 1556 172.28.3.10 172.28.3.9 init
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3270] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
nov 17 13:14:39 sgo systemd-udevd[74611]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3433] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN connection: (IP Config Get) reply received.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3513] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP4 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3549] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP6 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3550] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: invalid IP6 config received!
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3552] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: did not receive valid IP config information
nov 17 13:14:39 sgo nm-openvpn[74610]: GID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: UID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: Initialization Sequence Completed
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3590] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: started (4)
nov 17 13:14:39 sgo nm-openvpn[74610]: event_wait : Interrupted system call (code=4)
nov 17 13:14:39 sgo nm-openvpn[74610]: net_addr_ptp_v4_del: 172.28.3.10 dev tun0
nov 17 13:14:39 sgo nm-openvpn[74610]: sitnl_send: rtnl: generic error (-1): Operation not permitted
nov 17 13:14:39 sgo nm-openvpn[74610]: Linux can't del IP from iface tun0
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3676] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopping (5)
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3678] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopped (6)
Comment by ketsui (ketsui) - Wednesday, 18 November 2020, 04:41 GMT
You guys should try using 2.4.9-2 systemd units on version 2.5.0-3 to make sure it's not caused by this patch:
https://github.com/archlinux/svntogit-packages/blob/packages/openvpn/trunk/0001-unprivileged.patch
Edit: never mind, according to the original reporter version 2.5.0-1 which doesn't have this patch yet is broken too, looks like you should bring this up to upstream.
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn
Comment by Tomasz M. Nowak (tmn505) - Tuesday, 01 December 2020, 23:49 GMT
@o_m @jstrom
Fix your IPv6 setup or/and remove 'push "redirect-gateway ipv6 def1 bypass-dhcp"' in server config.

Culprits, OpenVPN 2.4.9:
~ nm-openvpn[8594]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
~ nm-openvpn[8594]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
~ NetworkManager[465]: <info> [1605205080.1428] vpn-connection[0x557849664740,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",6:(tun0)]: Data: No IPv6 configuration

vs OpenVPN 2.5.0:
~NetworkManager[465]: <info> [1605203437.7906] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: (IP6 Config Get) reply received
~NetworkManager[465]: <warn> [1605203437.7907] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: invalid IP6 config received!
~NetworkManager[465]: <warn> [1605203437.7908] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: did not receive valid IP config information
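
An added example, not part of any comment in this thread: a small Python triage over journal lines that tells apart the failure signatures quoted above (the rejected IPv6 config under OpenVPN 2.5.0, the refused UDP writes from the systemd-unit report, and the netlink denial logged after the UID drop). The finding names, the function name and the sample lines are constructed for illustration.

```python
import re

# Patterns follow the journal excerpts quoted in this thread.
VPN_CONN = re.compile(r'vpn-connection\[0x[0-9a-f]+,[0-9a-f-]{36},"([^"]*)"')
UID_DROP = re.compile(r"nm-openvpn\[(\d+)\]: UID set to (\S+)")
NETLINK_DENIED = re.compile(
    r"nm-openvpn\[(\d+)\]: sitnl_send: rtnl: .*Operation not permitted")

def triage(lines):
    """Return sorted (finding, detail) pairs for a list of journal lines."""
    findings = set()
    dropped = {}      # pid -> account the OpenVPN process dropped to
    udp_denied = 0    # refused outbound writes seen so far
    for line in lines:
        conn = VPN_CONN.search(line)
        if conn and "invalid IP6 config received!" in line:
            # 2.5.0 case: IPv6 reply received but rejected by NetworkManager
            findings.add(("invalid-pushed-ipv6-config", conn.group(1)))
        drop = UID_DROP.search(line)
        if drop:
            dropped[drop.group(1)] = drop.group(2)
        denied = NETLINK_DENIED.search(line)
        if denied and denied.group(1) in dropped:
            # netlink change attempted after the process gave up root
            findings.add(("netlink-denied-after-uid-drop", dropped[denied.group(1)]))
        if "write UDP: Operation not permitted" in line:
            udp_denied += 1
        if "TLS handshake failed" in line and udp_denied:
            # handshake never left the host, e.g. an owner-based firewall rule
            findings.add(("outbound-udp-denied", f"{udp_denied} writes refused"))
    return sorted(findings)

# Constructed sample input (UUID, PIDs and connection name are made up).
NM = ('NetworkManager[100]: <warn> [1.0] vpn-connection[0x1,'
      '00000000-0000-4000-8000-000000000001,"ExampleVPN",4:(tun0)]: ')
LOG_250 = [
    NM + "VPN connection: (IP6 Config Get) reply received",
    NM + "invalid IP6 config received!",
    "nm-openvpn[200]: UID set to nm-openvpn",
    "nm-openvpn[200]: sitnl_send: rtnl: generic error (-1): Operation not permitted",
]
LOG_249 = [NM + "Data: No IPv6 configuration"]
LOG_FIREWALL = ["write UDP: Operation not permitted (code=1)"] * 3 + [
    "TLS Error: TLS handshake failed"]

if __name__ == "__main__":
    for name, log in (("2.5.0", LOG_250), ("2.4.9", LOG_249), ("firewall", LOG_FIREWALL)):
        print(name, triage(log))
```

The 2.4.9-style line ("Data: No IPv6 configuration") yields no finding, which matches the thread: the same pushed route was tolerated there and only became fatal with 2.5.0.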
Comment by Johan (jstrom) - Wednesday, 02 December 2020, 08:11 GMT
Aha, yes indeed that was the problem.

At first glance I thought that I do not have a single IPv6 config line in either the server (2.5.0 on FreeBSD) or client. But still the server seems to have added "route-ipv6 2000::/3" to the list of pushed options, as indicated in server logs.
After some digging I realised that my client-specific config had that route-ipv6 directive... Removing that, and I can now connect fine with 2.5.0.

Both the VPN server and the client network have IPv6, but I have not explicitly configured it in OpenVPN. Last time I looked into OpenVPN and v6, support in openvpn was lacking, hence the leftovers. Time to revisit that and configure it properly perhaps.

So the "error" (fatal warn?) was right in front of me the whole time... Should have read more thoroughly, thanks for the hint!
Comment by Oleg (o_m) - Sunday, 06 December 2020, 13:07 GMT
I can change something for client-side only. NM in [vpn] section of connection config file has option "tun-ipv6=no". That's working with openvpn 2.4.9 package, but not with openvpn-2.5.0-3.... Is "client-specific config had that route-ipv6 directive..." on vpn-provider side?
Comment by Johan (jstrom) - Sunday, 06 December 2020, 13:28 GMT
Yes, OpenVPN server has possibility to have different config for different clients via "client-config-dir" directive.

Perhaps you can look into pull-filter directive to ignore certain pushed commands?
Comment by prince_archine (prince_archine) - Wednesday, 13 January 2021, 17:16 GMT
I've had this bug the last month. I am using XFCE gui and set my VPN in the Network Connections. IPv6 is set to Disable or Ignore (neither works).

The only solution for me is downgrade:

$ sudo pacman -U https://archive.archlinux.org/packages/o/openvpn/openvpn-2.4.9-2-x86_64.pkg.tar.zst
Comment by Olivier (nemolivier) - Friday, 15 January 2021, 21:18 GMT
Hello, same issue here (cyberghost). Downgrading solves the issue.
Comment by Brian Turek (Caligatio) - Wednesday, 10 February 2021, 13:49 GMT
It looks like one of the NetworkManager OpenVPN plugin maintainers has submitted a merge request to fix this: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/34
Comment by Brian Turek (Caligatio) - Saturday, 27 February 2021, 09:16 GMT
I can confirm that the aforementioned merge request (which is now committed) fixes the incompatibility with OpenVPN 2.5. There is no available information when the next version of networkmanager-openvpn will be released so I revived the networkmanager-openvpn-git package in AUR that includes the needed fix: https://aur.archlinux.org/packages/networkmanager-openvpn-git/
