Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!

VPN

OpenVPN with Gnome NetworkManager plug-in

Instructions on how to use the OpenVPN plug-in with the Gnome NetworkManager.

Details:

- In this case the OpenVPN server hands out dynamic IP addresses.
- Ubuntu 12.10 64-bit client.

Get your user configuration file:

In a browser visit your OpenVPN server webpage at https://server.domain/
Follow Login > Download “Yourself (user-locked profile)” > Save As client.ovpn
** I renamed the file to client_29.ovpn since I have multiple servers I connect to.

Split client.ovpn into several files:

The Gnome NetworkManager does not like using one big configuration file, although the command-line OpenVPN client works fine with one file (client.ovpn). For NetworkManager you can break it out manually with an editor or as follows. I used my personal home folder to store the files.

sed -n '/<tls-auth>/,/<\/tls-auth>/p' client_29.ovpn > sitename_ovpn_29tls.key
sed -n '/<cert>/,/<\/cert>/p' client_29.ovpn > sitename_ovpn_29.crt
sed -n '/<ca>/,/<\/ca>/p' client_29.ovpn > sitename_ovpn_29ca.cer
sed -n '/<key>/,/<\/key>/p' client_29.ovpn > sitename_ovpn_29.key

** After you split the configuration up remember to edit the files and remove the lines containing the open <> and close </> tags.
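
The same split done in one pass, writing only the lines between each pair of tags and creating the files readable by the owner only, since the .key and tls.key files are secrets. This is an added example, not part of the original post: the function names split_ovpn and make_sample_profile and the sample profile contents are made up for illustration, and it assumes each tag sits alone on its own line.

```shell
#!/bin/sh
# Added example, not from the original post.
# split_ovpn PROFILE OUTDIR PREFIX
# Writes PREFIXca.cer, PREFIX.crt, PREFIX.key and PREFIXtls.key into OUTDIR,
# each holding only the lines between the matching open and close tags.
split_ovpn() {
    profile=$1 outdir=$2 prefix=$3
    [ -r "$profile" ] || { echo "cannot read $profile" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    old_umask=$(umask)
    umask 077   # new files are created 0600: .key and tls.key are secrets
    rc=0
    for pair in ca:ca.cer cert:.crt key:.key tls-auth:tls.key; do
        tag=${pair%%:*}                 # block name inside the profile
        out=$outdir/$prefix${pair#*:}   # file name as used in this post
        awk -v start="<$tag>" -v stop="</$tag>" '
            { sub(/\r$/, "") }          # tolerate profiles saved with CRLF
            $0 == stop  { inside = 0 }
            inside      { print }
            $0 == start { inside = 1 }
        ' "$profile" > "$out"
        if [ ! -s "$out" ]; then        # block missing: report it, leave no empty file
            echo "no <$tag> block in $profile" >&2
            rm -f "$out"
            rc=1
        fi
    done
    umask "$old_umask"
    return $rc
}

# Constructed sample profile (placeholder contents, not real key material).
make_sample_profile() {
    printf '%s\n' 'client' 'remote server.domain 1194' \
        '<ca>' 'CA-LINE-1' 'CA-LINE-2' '</ca>' \
        '<cert>' 'CERT-LINE' '</cert>' \
        '<key>' 'KEY-LINE' '</key>' \
        '<tls-auth>' 'TLS-LINE' '</tls-auth>' > "$1"
}
```

Called as split_ovpn client_29.ovpn "$HOME" sitename_ovpn_29 it produces the four file names used above. An output file that already exists keeps its old permissions, so check those separately.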

Install the OpenVPN plugin for NetworkManager:

# aptitude install network-manager-openvpn-gnome

Below are some screenshots showing some configuration settings for this particular setup. Your mileage may vary depending on how your administrator configured the server.


Add a new VPN Connection in GNOME:


Reference certificates and keys:


General Settings:


TLS Key:

Showing syslog while connecting (snipped):

Nov 22 08:49:42 u12 NetworkManager[660]:  Starting VPN service 'openvpn'...
Nov 22 08:49:43 u12 nm-openvpn[4791]: Control Channel Authentication: using '/home/rrosso/sitename_ovpn_29tls.key' as a OpenVPN static key file
Nov 22 08:49:43 u12 nm-openvpn[4791]: LZO compression initialized
Nov 22 08:49:47 u12 NetworkManager[660]:  IPv4 configuration:
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Gateway: 172.22.91.1
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Address: 172.22.91.253
Nov 22 08:49:47 u12 NetworkManager[660]:  Internal Prefix: 24
Nov 22 08:49:48 u12 NetworkManager[660]:  VPN connection 'sitename device 29' (IP Config Get) complete.
Nov 22 08:49:48 u12 NetworkManager[660]:  ((null)): writing resolv.conf to /sbin/resolvconf
Nov 22 08:49:49 u12 dbus[402]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
Nov 22 08:49:52 u12 nm-openvpn[4791]: Initialization Sequence Completed
Nov 22 08:50:08 u12 ntpdate[4876]: step time server 91.189.94.4 offset 9.301349 sec

Older (pre Ubuntu 12.04) information.  May or may not be useful to you.

How to test a manual connection (no NetworkManager plug-in):

rrosso@u10:~$ sudo openvpn --config client.ovpn --script-security 2
Sat Mar 19 10:14:34 2011 OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 12 2010
Enter Auth Username:rrosso
Enter Auth Password:
...

On older versions of Ubuntu and NetworkManager this was a necessary addition to set DNS:

rrosso@u10:~$ tail -3 client.ovpn
#rrosso added for DNS resolver
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Several problems I encountered with permissions on older versions:
- NetworkManager: <WARN> vpn_service_watch_cb()
- VPN service 'org.freedesktop.NetworkManager.openvpn' exited with error: 1
- connection_need_secrets_cb()

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/360818

Debug NetworkManager as follows:
http://live.gnome.org/NetworkManager/Debugging

# OPENVPN_DEBUG=1 /usr/lib/network-manager-openvpn/nm-openvpn-service

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527975
https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/360818

** Not sure if tinkering with this next file helped, but I changed it to look as follows and could at least troubleshoot further afterwards.

Permissions problem:

# cat /etc/dbus-1/system.d/nm-openvpn-service.conf
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow own="org.freedesktop.NetworkManager.openvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
</policy>
</busconfig>

** I restored the original file and things are still working

Some older links on DNS resolver and OpenVPN:
http://www.subvs.co.uk/openvpn_resolvconf
http://forums.openvpn.net/topic7109.html
