FS#68567 - [openvpn] Networkmanager broken after last changes
Attached to Project:
Arch Linux
Opened by Iyan (iyanmv) - Sunday, 08 November 2020, 18:26 GMT
Last edited by Toolybird (Toolybird) - Saturday, 03 June 2023, 00:04 GMT
Details
Description:
Connecting to VPN using NetworkManager stopped working after upgrade 2.4.9-2 -> 2.5.0-1. With version 2.5.0-3 from [testing] still same issue.
Closed by Toolybird (Toolybird)
Saturday, 03 June 2023, 00:04 GMT
Reason for closing: Fixed
Additional comments about closing: Included in latest updates.
VPN plugin: failed: login-failed (0)
VPN plugin: failed: connect-failed (1)
Downgrading to 2.4.9-2 solves the issue. Can anyone replicate?
success openvpn2.4.9.txt (9.7 KiB)
- files that are only readable by root in /etc/openvpn can't be read - fair enough
- after chowning the openvpn configs, next error was:
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Turns out this was my firewall having some user-based outbound rules - perhaps that'll save someone a few minutes too.
My nmcli config:
[connection]
id=MyVPN
uuid=f5f235d3-d2df-40b3-b21a-33f8321c74ff
type=vpn
autoconnect=true
#¤permissions=user:johan:;
[vpn]
ca=/etc/ca-certificates/trust-source/anchors/ca.pem
cert=/etc/openvpn/client/client.crt
cert-pass-flags=0
connection-type=tls
key=/etc/openvpn/client/client.key
remote=my.vpn.com
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-128-CBC
remote-cert-tls=server
float=yes
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
Error when connecting:
nov 17 13:14:39 sgo nm-openvpn[74610]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 74606 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_4 --tun -- tun0 1500 1556 172.28.3.10 172.28.3.9 init
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3270] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
nov 17 13:14:39 sgo systemd-udevd[74611]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3433] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN connection: (IP Config Get) reply received.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3513] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP4 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3549] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP6 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3550] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: invalid IP6 config received!
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3552] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: did not receive valid IP config information
nov 17 13:14:39 sgo nm-openvpn[74610]: GID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: UID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: Initialization Sequence Completed
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3590] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: started (4)
nov 17 13:14:39 sgo nm-openvpn[74610]: event_wait : Interrupted system call (code=4)
nov 17 13:14:39 sgo nm-openvpn[74610]: net_addr_ptp_v4_del: 172.28.3.10 dev tun0
nov 17 13:14:39 sgo nm-openvpn[74610]: sitnl_send: rtnl: generic error (-1): Operation not permitted
nov 17 13:14:39 sgo nm-openvpn[74610]: Linux can't del IP from iface tun0
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3676] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopping (5)
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3678] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopped (6)
https://github.com/archlinux/svntogit-packages/blob/packages/openvpn/trunk/0001-unprivileged.patch
Edit: never mind, according to the original reporter version 2.5.0-1, which doesn't have this patch yet, is broken too; looks like you should bring this up with upstream.
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn
Fix your IPv6 setup and/or remove 'push "redirect-gateway ipv6 def1 bypass-dhcp"' in server config.
Culprits, OpenVPN 2.4.9:
~ nm-openvpn[8594]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
~ nm-openvpn[8594]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
~ NetworkManager[465]: <info> [1605205080.1428] vpn-connection[0x557849664740,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",6:(tun0)]: Data: No IPv6 configuration
vs OpenVPN 2.5.0:
~NetworkManager[465]: <info> [1605203437.7906] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: (IP6 Config Get) reply received
~NetworkManager[465]: <warn> [1605203437.7907] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: invalid IP6 config received!
~NetworkManager[465]: <warn> [1605203437.7908] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: did not receive valid IP config information
At first glance I thought that I do not have a single IPv6 config line in either the server (2.5.0 on FreeBSD) or client. But still the server seems to have added "route-ipv6 2000::/3" to the list of pushed options, as indicated in server logs.
After some digging I realised that my client-specific config had that route-ipv6 directive... After removing that, I can now connect fine with 2.5.0.
Both the VPN server and the client network have IPv6, but I have not explicitly configured it in OpenVPN. Last time I looked into OpenVPN and v6, support in openvpn was lacking, hence the leftovers. Time to revisit that and configure it properly perhaps.
So the "error" (fatal warn?) was right in front of me the whole time... Should have read more thoroughly, thanks for the hint!
Perhaps you can look into the pull-filter directive to ignore certain pushed commands?
The only solution for me is to downgrade:
$ sudo pacman -U https://archive.archlinux.org/packages/o/openvpn/openvpn-2.4.9-2-x86_64.pkg.tar.zst
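The failure messages quoted in this report can be checked for mechanically before resorting to a downgrade. The following is an added example, not part of the original report or of any project's code: it scans NetworkManager/OpenVPN journal lines for the messages quoted above and maps them to the causes the commenters identified. The labels, function names and sample lines (constructed from the logs above) are this example's own.

```python
import re
from collections import Counter

# journald short format: "<mon> <day> <time> <host> <proc>[<pid>]: <message>"
LINE = re.compile(r"^\S+ \d+ [\d:]+ \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message substrings quoted in this report -> label (labels are this example's own).
SIGNATURES = {
    "write UDP: Operation not permitted": "outbound-udp-blocked",
    "invalid IP6 config received!": "invalid-ipv6-config",
    "needs a gateway parameter for a --route-ipv6": "ipv6-route-without-gateway",
    "sitnl_send: rtnl: generic error (-1): Operation not permitted": "netlink-denied",
}

# Constructed sample: shortened copies of lines quoted in the report.
SAMPLE = """\
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3550] vpn-connection[...]: invalid IP6 config received!
nov 17 13:14:39 sgo nm-openvpn[74610]: UID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: sitnl_send: rtnl: generic error (-1): Operation not permitted
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
""".splitlines()

def triage(lines):
    """Return (Counter of labels seen, user openvpn dropped privileges to or None)."""
    hits, run_as = Counter(), None
    for line in lines:
        m = LINE.match(line.strip())
        msg = m["msg"] if m else line  # lines pasted without a journald prefix still count
        drop = re.match(r"UID set to (\S+)", msg)
        if drop:
            run_as = drop.group(1)
        for needle, label in SIGNATURES.items():
            if needle in msg:
                hits[label] += 1
    return hits, run_as

def advise(hits, run_as):
    """Turn the counted signatures into the checks suggested in the comments above."""
    out = []
    if hits["outbound-udp-blocked"]:
        out.append(f"check per-user outbound firewall rules (openvpn user: {run_as or 'unknown'})")
    if hits["invalid-ipv6-config"] or hits["ipv6-route-without-gateway"]:
        out.append("look for a pushed route-ipv6 / redirect-gateway ipv6 with no IPv6 address configured")
    if hits["netlink-denied"] and run_as:
        out.append(f"tun address removal was denied after the drop to {run_as}")
    return out
```

To run it on a live system, pass the lines of `journalctl -u NetworkManager` output to `triage()` and print the result of `advise()`.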