Bug 1194643

Summary: Importing a *.ovpn file with "tcp" specified, tcp doesn't take effect.
Product: [Fedora] Fedora
Reporter: kristoffer.paulsson
Component: NetworkManager-openvpn
Assignee: Dan Williams <dcbw>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 21
CC: anass.1430, choeger, dcbw, huzaifas, info, jklimes, psimerda, steve, thaller
Hardware: x86_64   
OS: Linux   
Fixed In Version: NetworkManager-openvpn-1.0.6-3.fc22
Doc Type: Bug Fix
Last Closed: 2015-10-04 22:52:51 UTC
Type: Bug

Description kristoffer.paulsson 2015-02-20 12:52:40 UTC
Description of problem:
My server admin gave me an *.ovpn file to the company's firewall. He had specified connection over port 443 with tcp. Importing the *.ovpn file via Settings -> Network -> [+] -> VPN -> Import from file... -> Create -> Select the file and then install. Trying to connect via OpenVPN results in "Connection timeout".

Version-Release number of selected component (if applicable):
NetworkManager GNOME 3.14.2

How reproducible:
Import an ovpn file similar to

==================== *.ovpn ======================

dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 443 tcp
lport 0
verify-x509-name "vpn.company.tld" name
pkcs12 pfsensea-TCP-443-username.p12
comp-lzo

==========================================

Then connect and you will get time out. The key here is the "tcp".

Steps to Reproduce:
1. Settings -> Network -> [+] -> VPN -> Import from file... -> Create
2. Top-left-menu -> VPN -> Connect
3. journalctl -xn


Actual results:
feb 20 13:13:52 localhost.localdomain NetworkManager[825]: <warn>  VPN connection 'pfsensea-TCP-443-username' connect timeout exceeded.
feb 20 13:13:52 localhost.localdomain NetworkManager[825]: ** Message: Terminated openvpn daemon with PID 6788.
feb 20 13:13:52 localhost.localdomain nm-openvpn[6788]: SIGTERM[hard,init_instance] received, process exiting


Expected results:
A working OpenVPN connection

Additional info:
In order to fix this I need to set "Use a TCP connection"

Top-left-menu -> VPN -> VPN-Settings -> Identity -> Advanced -> General and set "Use a TCP connection"

This solves the problem. But this should also happen automatically at import of *.ovpn.

Comment 1 Jirka Klimes 2015-02-20 14:07:05 UTC
The current importing code [1] only reads host and port from "remote" option, not protocol. openvpn plugin was updated ([2], [3]) to support port and protocol in "Gateway" entry in GUI. Unfortunately, the importing code has not been updated.

We will look into the problem. In the meantime, a workaround is to put protocol in "proto" option in *.ovpn:
Instead of:
remote xxx.xxx.xxx.xxx 443 tcp
use
remote xxx.xxx.xxx.xxx 443
proto tcp

We also work on scripts for importing VPN configs, see [4]. (At present, it doesn't support protocol in "remote" as well, because the implementation followed the GUI import code).

[1] https://git.gnome.org/browse/network-manager-openvpn/tree/properties/import-export.c#n510
[2] https://git.gnome.org/browse/network-manager-openvpn/commit/?id=c55ba4e8c21f4980af848881cd1615460c7f0622
[3] https://bugzilla.gnome.org/show_bug.cgi?id=712710
[4] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=jk/vpn-import-scripts&id=5b77663804cde36a3890b4763d2c9c241b76f05f
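
The workaround from comment 1, as an added example that is not part of the original report or of the NetworkManager-openvpn code: it moves the protocol from `remote host port proto` lines into a single `proto` line, and refuses to rewrite when the remotes would end up on different protocols. The function names and the sample config are constructed for illustration, and the whitespace tokenizer assumes no quoted arguments on `remote` or `proto` lines.

```python
DEFAULT_PROTO = "udp"  # OpenVPN's default when no protocol is given

# Constructed sample, modelled on the config in the report.
SAMPLE = """\
dev tun
client
remote vpn.example.test 443 tcp
lport 0
comp-lzo
"""

def active_tokens(line):
    """Split a config line into tokens, dropping a trailing # or ; comment."""
    tokens = []
    for tok in line.split():
        if tok[0] in "#;":
            break
        tokens.append(tok)
    return tokens

def move_remote_proto(ovpn_text):
    """Rewrite 'remote host port proto' as 'remote host port' plus one 'proto' line."""
    lines = ovpn_text.splitlines()
    parsed = [active_tokens(line) for line in lines]
    global_proto = next((t[1] for t in parsed if len(t) == 2 and t[0] == "proto"), None)
    remotes = [t for t in parsed if t[:1] == ["remote"]]
    if not any(len(t) >= 4 for t in remotes):
        return ovpn_text  # no protocol inside any 'remote' line, nothing to move
    # Protocol each remote would really use: its own, else the global one, else the default.
    effective = {t[3] if len(t) >= 4 else (global_proto or DEFAULT_PROTO) for t in remotes}
    if len(effective) != 1:
        raise ValueError("remotes use different protocols %s; "
                         "one 'proto' line cannot express this" % sorted(effective))
    proto = effective.pop()
    out = []
    for line, t in zip(lines, parsed):
        if t[:1] == ["proto"]:
            continue  # replaced by the single line appended below
        if t[:1] == ["remote"] and len(t) >= 4:
            line = " ".join(t[:3])  # keep host and port only
        out.append(line)
    out.append("proto " + proto)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(move_remote_proto(SAMPLE), end="")
```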

Comment 2 Jirka Klimes 2015-04-20 10:20:34 UTC
*** Bug 1212316 has been marked as a duplicate of this bug. ***

Comment 3 Jirka Klimes 2015-05-18 08:59:39 UTC
I have pushed code adding import/export bits for protocol to upstream branch jk/import-proto-in-remote.

Comment 4 Thomas Haller 2015-05-18 10:11:15 UTC

parse_protocol (const char *str, const char *line, gboolean *is_tcp)

the @is_tcp argument is never used.


otherwise LGTM

Comment 5 Jirka Klimes 2015-05-26 07:52:30 UTC
(In reply to Thomas Haller from comment #4)
> 
> parse_protocol (const char *str, const char *line, gboolean *is_tcp)
> 
> the @is_tcp argument is never used.
> 

I think this is no problem and it is better to return result in a parse function. The argument might be used later.

Pushed to upstream master:
211a99e merge: fixes for import/export code (rh #1194643)
e6d9c33 import/export: add missing code for 'remote-random' option
6d275a2 import/export: handle protocol from 'remote' option (rh #1194643)

Comment 6 Fedora Update System 2015-08-28 12:20:15 UTC
NetworkManager-1.0.6-2.fc22 NetworkManager-openswan-1.0.6-2.fc22 NetworkManager-openvpn-1.0.6-2.fc22 NetworkManager-vpnc-1.0.6-3.fc22 network-manager-applet-1.0.6-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 7 Fedora Update System 2015-09-02 16:21:45 UTC
NetworkManager-1.0.6-2.fc22, NetworkManager-openswan-1.0.6-2.fc22, NetworkManager-openvpn-1.0.6-3.fc22, NetworkManager-vpnc-1.0.6-3.fc22, network-manager-applet-1.0.6-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=updates-testing update network-manager-applet NetworkManager-openvpn NetworkManager-vpnc NetworkManager NetworkManager-openswan'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 8 Fedora Update System 2015-09-08 11:14:33 UTC
NetworkManager-1.0.6-3.fc22 NetworkManager-openswan-1.0.6-2.fc22 NetworkManager-openvpn-1.0.6-3.fc22 NetworkManager-vpnc-1.0.6-3.fc22 network-manager-applet-1.0.6-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 9 Fedora Update System 2015-09-08 21:26:30 UTC
NetworkManager-1.0.6-4.fc22, NetworkManager-openswan-1.0.6-2.fc22, NetworkManager-openvpn-1.0.6-3.fc22, NetworkManager-vpnc-1.0.6-3.fc22, network-manager-applet-1.0.6-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=updates-testing update network-manager-applet NetworkManager NetworkManager-openvpn NetworkManager-openswan NetworkManager-vpnc'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 10 Anass Ahmed 2015-09-21 12:17:08 UTC
I don't know if it's related but some hotspots don't have SSL (or TLS) support.

I work from a co-working space which uses MikroTik but with no HTTPS. This leads to the same error when trying to visit anything that starts with "https://" in its URL while redirecting to their hotspot login page.

I switched to "http://" to make it work flawlessly (BTW, I'm using the last NetworkManager update 1.0.6-5).

Comment 11 Fedora Update System 2015-09-28 21:01:08 UTC
NetworkManager-1.0.6-6.fc22 NetworkManager-openswan-1.0.6-2.fc22 NetworkManager-openvpn-1.0.6-3.fc22 NetworkManager-vpnc-1.0.6-3.fc22 network-manager-applet-1.0.6-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 12 Fedora Update System 2015-10-02 03:49:35 UTC
NetworkManager-1.0.6-6.fc22, NetworkManager-openswan-1.0.6-2.fc22, NetworkManager-openvpn-1.0.6-3.fc22, NetworkManager-vpnc-1.0.6-3.fc22, network-manager-applet-1.0.6-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update NetworkManager-openswan network-manager-applet NetworkManager NetworkManager-openvpn NetworkManager-vpnc'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-10143

Comment 13 Fedora Update System 2015-10-04 22:52:18 UTC
NetworkManager-1.0.6-6.fc22, NetworkManager-openswan-1.0.6-2.fc22, NetworkManager-openvpn-1.0.6-3.fc22, NetworkManager-vpnc-1.0.6-3.fc22, network-manager-applet-1.0.6-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.