Bug 1033868

Summary: NM ignores IPv6 setting received from OpenVPN
Product: [Fedora] Fedora
Reporter: Jan Včelák <jv+fedora>
Component: NetworkManager-openvpn
Assignee: Dan Williams <dcbw>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: choeger, david, dcbw, huzaifas, jklimes, psimerda, steve, thaller, tore, vg.aetera
Fixed In Version: NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20
Doc Type: Bug Fix
Last Closed: 2014-02-01 04:05:25 UTC
Type: Bug

Description Jan Včelák 2013-11-23 21:48:15 UTC
Description of problem:

Our VPN server is configured to provide both IPv4 and IPv6 configuration. Starting openvpn from the console sets the IPv6 address and routing correctly. But the IPv6 configuration is ignored when the VPN connection is established using NetworkManager (in KDE).

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.9.8.2-3.fc19.x86_64
NetworkManager-0.9.8.8-1.fc19.x86_64
openvpn-2.3.2-4.fc19.x86_64
kde-workspace-4.11.3-1.fc19.x86_64


How reproducible:
always


Steps to Reproduce:
1. Configure OpenVPN in KDE network settings, enable IPv6 and mark it as required
2. journalctl -f
3. connect to created VPN connection


Actual results:
IPv6 configuration is ignored. (NetworkManager[434]: <info> No IPv6 configuration)

Expected results:
IPv6 configuration is set.


Additional info:

Network manager configuration and logs:

% sudo cat /etc/NetworkManager/system-connections/vpn
[connection]
id=VPN
uuid=c7cf8dfa-d3c1-4111-ac4a-2b4e606372c6
type=vpn
permissions=user:jan:;
autoconnect=false
timestamp=1385240983
zone=

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
connection-type=tls
remote=vpn-server-address
cipher=AES-256-CBC
comp-lzo=yes
cert-pass-flags=2
tap-dev=no
proto-tcp=no
port=1194
mssfix=no
ca=/some/path/cacert.pem
cert=/some/path/cert.pem
key=/some/path/key.pem
ta=/some/path/tls_auth

[ipv6]
method=auto
never-default=true
may-fail=false
ip6-privacy=0

[ipv4]
method=auto
never-default=true
may-fail=false

% journalctl -f
...
Nov 23 22:30:14 host NetworkManager[434]: <info> Starting VPN service 'openvpn'...
Nov 23 22:30:14 host NetworkManager[434]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 4484
Nov 23 22:30:14 host NetworkManager[434]: <info> VPN service 'openvpn' appeared; activating connections
Nov 23 22:30:17 host NetworkManager[434]: <info> VPN plugin state changed: starting (3)
Nov 23 22:30:17 host NetworkManager[434]: <info> VPN connection 'VPN' (Connect) reply received.
Nov 23 22:30:17 host nm-openvpn[4488]: OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Nov 23 22:30:17 host nm-openvpn[4488]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 23 22:30:17 host nm-openvpn[4488]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 23 22:30:17 host nm-openvpn[4488]: Control Channel Authentication: using '/some/path/tls_auth' as a OpenVPN static key file
Nov 23 22:30:17 host nm-openvpn[4488]: UDPv4 link local: [undef]
Nov 23 22:30:17 host nm-openvpn[4488]: UDPv4 link remote: [AF_INET]x.x.x.x:1194
Nov 23 22:30:18 host nm-openvpn[4488]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1548'
Nov 23 22:30:18 host nm-openvpn[4488]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1490'
Nov 23 22:30:18 host nm-openvpn[4488]: [x.x.x.x] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Nov 23 22:30:20 host nm-openvpn[4488]: TUN/TAP device tun0 opened
Nov 23 22:30:20 host nm-openvpn[4488]: /usr/libexec/nm-openvpn-service-openvpn-helper tun0 1500 1558 x.x.x.x x.x.x.x init
Nov 23 22:30:20 host NetworkManager[434]: <info> VPN connection 'VPN' (IP4 Config Get) reply received from old-style plugin.
Nov 23 22:30:20 host nm-openvpn[4488]: Initialization Sequence Completed
Nov 23 22:30:20 host NetworkManager[434]: <info> VPN Gateway: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info> Tunnel Device: tun0
Nov 23 22:30:20 host NetworkManager[434]: <info> IPv4 configuration:
Nov 23 22:30:20 host NetworkManager[434]: <info>   Internal Gateway: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info>   Internal Address: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info>   Internal Prefix: 32
Nov 23 22:30:20 host NetworkManager[434]: <info>   Internal Point-to-Point Address: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info>   Maximum Segment Size (MSS): 0
Nov 23 22:30:20 host NetworkManager[434]: <info>   Static Route: x.x.x.x/32   Next Hop: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info>   Static Route: x.x.x.x/21   Next Hop: x.x.x.x
...
Nov 23 22:30:20 host NetworkManager[434]: <info>   Forbid Default Route: yes
Nov 23 22:30:20 host NetworkManager[434]: <info>   Internal DNS: x.x.x.x
Nov 23 22:30:20 host NetworkManager[434]: <info>   DNS Domain: '(none)'
Nov 23 22:30:20 host NetworkManager[434]: <info> No IPv6 configuration
Nov 23 22:30:20 host systemd-journal[202]: Forwarding to syslog missed 3 messages.
Nov 23 22:30:21 host NetworkManager[434]: <info> VPN connection 'VPN' (IP Config Get) complete.
...

OpenVPN started manually:

% cat vpn.conf
remote x.x.x.x
port 1194
dev tun
tun-ipv6
client

ca       "/some/path/cacert.pem"
cert     "/some/path/cert.pem"
key      "/some/path/key.pem"
tls-auth "/some/path/tls_auth"

comp-lzo
cipher AES-256-CBC
up-delay
verb 3

% sudo openvpn vpn.conf
Sat Nov 23 22:36:34 2013 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Sat Nov 23 22:36:34 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Enter Private Key Password:
Sat Nov 23 22:36:36 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Nov 23 22:36:36 2013 Control Channel Authentication: using '/some/path/tls_auth' as a OpenVPN static key file
Sat Nov 23 22:36:36 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 22:36:36 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 22:36:36 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sat Nov 23 22:36:38 2013 UDPv4 link local (bound): [undef]
Sat Nov 23 22:36:38 2013 UDPv4 link remote: [AF_INET]x.x.x.x:1194
Sat Nov 23 22:36:38 2013 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=1b47a4cd 09ccd64b
Sat Nov 23 22:36:38 2013 VERIFY OK: depth=1, C=XX, L=X, O=XX, CN=XX Root Certification Authority, emailAddress=ca@xx
Sat Nov 23 22:36:38 2013 VERIFY OK: depth=0, C=XX, L=X, O=XX, CN=XX
Sat Nov 23 22:36:39 2013 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1548'
Sat Nov 23 22:36:39 2013 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1490'
Sat Nov 23 22:36:39 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 23 22:36:39 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 22:36:39 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 23 22:36:39 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 23 22:36:39 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat Nov 23 22:36:39 2013 [x.x.x.x] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sat Nov 23 22:36:41 2013 SENT CONTROL [x.x.x.x]: 'PUSH_REQUEST' (status=1)
Sat Nov 23 22:36:41 2013 PUSH: Received control message: 'PUSH_REPLY,ifconfig-ipv6 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/120 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx,ping 10,ping-restart 60,route x.x.x.x 255.255.255.255,route x.x.x.x 255.255.248.0,...,dhcp-option DNS x.x.x.x,tun-ipv6,route-ipv6 2001:xxxx::/32 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx,ifconfig x.x.x.x x.x.x.x'
Sat Nov 23 22:36:41 2013 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 23 22:36:41 2013 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 23 22:36:41 2013 OPTIONS IMPORT: route options modified
Sat Nov 23 22:36:41 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 23 22:36:41 2013 ROUTE_GATEWAY x.x.x.x/255.255.255.0 IFACE=wlp3s0 HWADDR=00:23:14:xx:xx:xx
Sat Nov 23 22:36:41 2013 ROUTE6: default_gateway=UNDEF
Sat Nov 23 22:36:41 2013 TUN/TAP device tun0 opened
Sat Nov 23 22:36:41 2013 TUN/TAP TX queue length set to 100
Sat Nov 23 22:36:41 2013 do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=1
Sat Nov 23 22:36:41 2013 /usr/sbin/ip link set dev tun0 up mtu 1500
Sat Nov 23 22:36:41 2013 /usr/sbin/ip addr add dev tun0 local x.x.x.x peer x.x.x.x
Sat Nov 23 22:36:41 2013 /usr/sbin/ip -6 addr add 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/120 dev tun0
Sat Nov 23 22:36:41 2013 /usr/sbin/ip route add x.x.x.x/32 via x.x.x.x
Sat Nov 23 22:36:41 2013 /usr/sbin/ip route add x.x.x.x/21 via x.x.x.x
...
Sat Nov 23 22:36:41 2013 add_route_ipv6(2001:xxxx::/32 -> 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx metric -1) dev tun0
Sat Nov 23 22:36:41 2013 /usr/sbin/ip -6 route add 2001:xxxx::/32 dev tun0
Sat Nov 23 22:36:41 2013 Initialization Sequence Completed
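
Added example, not part of the original report or of NetworkManager's code: a Python check for the failure described above, comparing the IPv6 address and routes in an OpenVPN PUSH_REPLY line with the "IPv6 configuration:" section that NetworkManager logs. The sample log lines are constructed (documentation addresses) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input modelled on this report's logs (documentation addresses).
PUSH_LINE = ("Sat Nov 23 22:36:41 2013 PUSH: Received control message: 'PUSH_REPLY,"
             "ifconfig-ipv6 2001:db8:1::1001/120 2001:db8:1::1,ping 10,ping-restart 60,"
             "route 192.0.2.1 255.255.255.255,dhcp-option DNS 192.0.2.53,tun-ipv6,"
             "route-ipv6 2001:db8::/32 2001:db8:1::1,ifconfig 192.0.2.10 192.0.2.9'")
_NM = "Jan 29 10:15:33 host NetworkManager[434]: <info>"
NM_LOG_BROKEN = f"{_NM} IPv4 configuration:\n{_NM}   Internal Address: 192.0.2.10\n{_NM} No IPv6 configuration\n"
NM_LOG_FIXED = (f"{_NM} IPv6 configuration:\n"
                f"{_NM}   Internal Address: 2001:db8:1::1001\n"
                "Jan 29 10:15:33 host nm-openvpn[4488]: Initialization Sequence Completed\n"
                f"{_NM}   Internal Prefix: 120\n"
                f"{_NM}   Static Route: 2001:db8::/32   Next Hop: 2001:db8:1::1\n")

def parse_push_reply(line):
    """Split an OpenVPN PUSH_REPLY control message into {option: [args, ...]}."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    opts = {}
    for item in (m.group(1).split(",") if m else []):
        parts = item.split()
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def applied_ipv6(nm_log):
    """Read address and routes from NetworkManager's 'IPv6 configuration:' section."""
    addr = prefix = None
    routes, in_v6 = set(), False
    for line in nm_log.splitlines():
        if "NetworkManager[" not in line or "<info>" not in line:
            continue  # skip interleaved lines from other daemons (e.g. nm-openvpn)
        msg = line.split("<info>", 1)[1]
        if not msg.startswith("   "):  # section header, not an indented detail line
            in_v6 = msg.strip() == "IPv6 configuration:"
            continue
        key, _, value = msg.strip().partition(": ")
        if in_v6 and key == "Internal Address":
            addr = value
        elif in_v6 and key == "Internal Prefix":
            prefix = value
        elif in_v6 and key == "Static Route":
            routes.add(ipaddress.ip_network(value.split()[0]))
    iface = ipaddress.ip_interface(f"{addr}/{prefix}") if addr and prefix else None
    return iface, routes

def audit(push_line, nm_log):
    """List IPv6 settings the server pushed that NetworkManager did not apply."""
    opts = parse_push_reply(push_line)
    want = [ipaddress.ip_interface(a[0]) for a in opts.get("ifconfig-ipv6", [])]
    want_routes = {ipaddress.ip_network(a[0]) for a in opts.get("route-ipv6", [])}
    got, got_routes = applied_ipv6(nm_log)
    findings = [f"address {w} not applied" for w in want if w != got]
    findings += [f"route {n} not applied" for n in sorted(want_routes - got_routes)]
    return findings
```

A non-empty result from audit() means traffic for the pushed IPv6 prefixes is not being routed through the tunnel, which is the condition this bug produced.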

Comment 1 Pavel Šimerda (pavlix) 2013-11-25 15:50:29 UTC
Added upstream tracker in hope it's relevant.

Comment 2 Jan Včelák 2014-01-25 00:49:51 UTC
Btw. as the network manager in KDE is completely different in Fedora 20, the IPv6 configuration for VPN was removed. I hope this will have a better resolution...

Comment 3 Fedora Update System 2014-01-29 08:11:12 UTC
NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20

Comment 4 Jan Včelák 2014-01-29 09:29:51 UTC
% rpm -qa "*NetworkManager*"
NetworkManager-0.9.9.0-26.git20131003.fc20.x86_64
NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20.x86_64
NetworkManager-openvpn-gnome-0.9.9.0-0.1.git20140128.fc20.x86_64
NetworkManager-glib-0.9.9.0-26.git20131003.fc20.x86_64

The IPv6 configuration seems to be recognized, but NM crashes afterwards:

Jan 29 10:15:33 hostname NetworkManager[25163]: <info> VPN connection 'xxx' (IP Config Get) reply received.
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> VPN connection 'xxx' (IP4 Config Get) reply received.
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> VPN plugin state changed: started (4)
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> VPN connection 'xxx' (IP6 Config Get) reply received.
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> VPN Gateway: xxx.xx.xxx.x
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> Tunnel Device: tun0
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> IPv4 configuration:
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Gateway: xxx.xx.xx.xx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Address: xxx.xx.xx.xx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Prefix: 32
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Point-to-Point Address: xxx.xx.xx.xx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Maximum Segment Size (MSS): 0
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Static Route: xxx.xx.xx.x/32   Next Hop: xxx.xx.xx.xx
...
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Static Route: xxx.xx.xxx.xxx/30   Next Hop: xxx.xx.xx.xx
Jan 29 10:15:33 hostname nm-openvpn[25345]: Initialization Sequence Completed
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Static Route: xxx.xx.xxx.xxx/29   Next Hop: xxx.xx.xx.xx
...
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Static Route: xxx.xx.x.x/24   Next Hop: xxx.xx.xx.xx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Forbid Default Route: yes
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal DNS: xxx.xx.xx.x
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   DNS Domain: '(none)'
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> IPv6 configuration:
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Prefix: 120
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Internal Point-to-Point Address: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Maximum Segment Size (MSS): 0
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Static Route: xxxx:xxxx::/32   Next Hop: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   Forbid Default Route: no
Jan 29 10:15:33 hostname NetworkManager[25163]: <info>   DNS Domain: '(none)'
Jan 29 10:15:33 hostname NetworkManager[25163]: <info> (tun0): link connected
Jan 29 10:15:33 hostname dbus[585]: [system] Activating via systemd: service name='org.freedesktop.NetworkManager' unit='dbus-org.freedesktop.NetworkManager.service'
Jan 29 10:15:33 hostname NetworkManager[25350]: <info> NetworkManager (version 0.9.9.0-26.git20131003.fc20) is starting...

Comment 5 Thomas Haller 2014-01-29 09:46:04 UTC
(In reply to Jan Včelák from comment #4)
> % rpm -qa "*NetworkManager*"
> NetworkManager-0.9.9.0-26.git20131003.fc20.x86_64
> NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20.x86_64
> NetworkManager-openvpn-gnome-0.9.9.0-0.1.git20140128.fc20.x86_64
> NetworkManager-glib-0.9.9.0-26.git20131003.fc20.x86_64

I *think* you see the crash because NetworkManager-0.9.9.0-26 does not have this patch from upstream: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=90782cf023c2fc2c223203a97ca2ea56a0c61c55 (as mentioned in upstream bugzilla https://bugzilla.gnome.org/show_bug.cgi?id=682620)

I am a bit surprised that you don't see this as the last log line:

  ** ERROR:platform/nm-linux-platform.c:2212:build_rtnl_addr: assertion failed: (!nle)

Could you confirm that NetworkManager crashes because of this failed assert? E.g. set the log-level to DEBUG or run it in the terminal with:

  NetworkManager --debug --log-level=DEBUG --log-domains=ALL


Thank you

Comment 6 Tore Anderson 2014-01-29 10:47:35 UTC
Interesting, I'm running NetworkManager-0.9.9.0-26.git20131003.fc20.x86_64 + NetworkManager-openvpn-0.9.8.2-4.fc20.x86_64, the latter patched with the upstream commit adding IPv6 support, and I do not get the crash. Under "IPv6 configuration" however NM logs "Internal Point-to-Point Address: ::" instead of a real IPv6 address like with Jan.

I'm thinking maybe this has something to do with upstream changes in OpenVPN. Jan, could you test with OpenVPN 2.4 (http://fud.no/nm-openvpn-ipv6/openvpn-2.4.0-0.git20131215.fc20.x86_64.rpm) and see if you get the crash then?

Tore

Comment 7 Jirka Klimes 2014-01-29 10:54:36 UTC
Jan, can you try with this scratch build of NetworkManager?
http://koji.fedoraproject.org/koji/taskinfo?taskID=6467191

It contains 90782cf023c2fc2c223203a97ca2ea56a0c61c55 commit fixing an assert.

Comment 8 Tore Anderson 2014-01-29 11:38:53 UTC
(In reply to Jirka Klimes from comment #7)
> Jan, can you try with this scratch build of NetworkManager?
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6467191
> 
> It contains 90782cf023c2fc2c223203a97ca2ea56a0c61c55 commit fixing an assert.

I reproduced Jan's crash with NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20, and can confirm that NetworkManager-0.9.9.0-27_1.git20131003.fc20.x86_64 from the above scratch build fixes it.

Tore

Comment 9 Fedora Update System 2014-01-29 15:22:31 UTC
NetworkManager-0.9.9.0-28.git20131003.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/NetworkManager-0.9.9.0-28.git20131003.fc20

Comment 10 Jirka Klimes 2014-01-29 15:30:20 UTC
Tore, thanks for testing!

(In reply to Fedora Update System from comment #9)
> NetworkManager-0.9.9.0-28.git20131003.fc20 has been submitted as an update
> for Fedora 20.
> https://admin.fedoraproject.org/updates/NetworkManager-0.9.9.0-28.git20131003.fc20
The submitted NetworkManager should work with NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20.

Comment 11 Fedora Update System 2014-01-30 03:31:12 UTC
Package NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1746/NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20
then log in and leave karma (feedback).

Comment 12 Jan Včelák 2014-01-30 11:48:02 UTC
> Could you confirm, that NetworkManager crashes because of this failed
> assert? E.g. set the log-level to DEBUG or run it in the terminal with:
> 
>   NetworkManager --debug --log-level=DEBUG --log-domains=ALL

NetworkManager[3966]: <debug> [1391082060.935455] [platform/nm-platform.c:1125] nm_platform_ip6_address_add(): address: adding or updating IPv6 address
**
ERROR:platform/nm-linux-platform.c:2264:build_rtnl_addr: assertion failed: (!nle)
Neúspěšně ukončen (SIGABRT)
[root@hostname ~]#

> Jan, can you try with this scratch build of NetworkManager?
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6467191
> 
> It contains 90782cf023c2fc2c223203a97ca2ea56a0c61c55 commit fixing an assert.

I have tried and I confirm that the assertion failure is gone.

Comment 13 Fedora Update System 2014-02-01 04:05:25 UTC
NetworkManager-0.9.9.0-28.git20131003.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-02-03 02:47:55 UTC
NetworkManager-openvpn-0.9.9.0-0.1.git20140128.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.