Bug 1306746

Summary: proto TCP incorrectly passed on to openvpn
Product: [Fedora] Fedora
Reporter: Xavier Van Dessel <x.van_dessel>
Component: NetworkManager-openvpn
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: choeger, dcbw, gustavojcoferreira, hussamaismail, huzaifas, lkundrak, psimerda, steve, thaller
Fixed In Version: NetworkManager-openvpn-1.0.8-2.fc22
Doc Type: Bug Fix
Last Closed: 2016-07-12 02:24:03 UTC
Type: Bug

Description Xavier Van Dessel 2016-02-11 17:29:34 UTC
Description of problem:


Version-Release number of selected component (if applicable):
Fedora 22
NetworkManager:x86-64 version 1:1.0.10-2.fc22
NetworkManager-openvpn.x86_64         1:1.0.8-1.fc22                    @updates
NetworkManager-openvpn-gnome.x86_64   1:1.0.8-1.fc22                    @updates
openvpn.x86_64                           2.3.10-1.fc22

How reproducible:
always

Steps to Reproduce:
1. With root, use nm-connection-editor to get the GUI to define a new connection.
2. Add a connection of type OpenVPN
3. Fill in some basic data to be able to save the connection (gateway, remote IP, local IP). I have used a static key file but this probably won't matter
4. Use the Advanced... button, where you activate the "Use a TCP connection" option. Close that window.
5. Save that new connection (assuming it is still named "VPN connection 1") and close the connection editor.
6. Don't bother setting up a server side. You won't need it to cause the error
7. With root, try to start the new connection with this command: nmcli c up "VPN connection 1" (or whatever name you gave it).

Actual results:
Error: Connection activation failed: unknown reason.

Expected results:
A working connection

Additional info:

The file used by network manager looks OK, and contains this line:
proto-tcp=yes


When starting the nm-openvpn-service in --debug mode, we get this additional info that points to a possible cause:
vpn
	service-type : "org.freedesktop.NetworkManager.openvpn" (s)
	user-name : NULL (sd)
	persistent : FALSE (sd)
	data : local-ip=172.30.255.73,connection-type=static-key,remote=xxxxxxxxxxxxx.org,proto-tcp=yes,remote-ip=192.168.1.74,static-key=/etc/openvpn/static.key,port=11111,dev-type=tun,dev=01 (s)
	secrets :  (s)

This part looks OK, as it clearly sets the proto-tcp to yes.

However, the call to openvpn is then as follows:
nm-openvpn-Message: EXEC: '/usr/sbin/openvpn --remote xxxxxxxxxxxx.org 11111 tcp --nobind --dev 01 --dev-type tun --auth-nocache --verb 10 --script-security 2 --up /usr/libexec/nm-openvpn-service-openvpn-helper --helper-debug --tun -- --up-restart --persist-key --persist-tun --management /var/run/NetworkManager/nm-openvpn-<someUUIDhere> unix --management-client-user root --management-client-group root --management-query-passwords --auth-retry interact --route-noexec --ifconfig-noexec --secret /etc/openvpn/static_vesalius_euler.key --ifconfig 192.168.1.73 192.168.1.74 --user nm-openvpn --group nm-openvpn'
nm-openvpn-Message: openvpn started with pid <somePID>
Options error: --proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client
Use --help for more information.

As is clear from this output, the openvpn version that is shipped with Fedora 22 and above expects a different syntax. I believe at least version 1 of openvpn indeed used the "tcp" keyword, but several 2.3 versions don't.

Possible solution:
replace the "TCP" checkbox by a combo box to select "udp" (the default), "tcp-client" or "tcp-server".
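The argument construction at issue in the report above, as an added example (not code from this bug report or from NetworkManager-openvpn): it reads the comma-separated `data` options in the form shown in the debug output and builds the `--remote` arguments so that a bare `tcp` is never emitted. The names `data_get`, `remote_proto`, `build_remote_args` and `struct remote_args` are hypothetical, `vpn.example.org` is a placeholder, and the code assumes the plugin is always the connecting side, so `tcp-client` is the keyword to use.

```c
#include <stdio.h>
#include <string.h>
/* Copy the value of `key` from a comma-separated key=value list (the shape of
 * the "data" line in the debug output). Returns 1 if found and it fits in out. */
static int data_get(const char *data, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = data; p && *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* '=' must follow the key, so "remote" never matches "remote-ip". */
        if (len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Third token of "--remote host port proto"; bare "tcp" is never produced. */
static const char *remote_proto(const char *data)
{
    char v[8];
    int tcp = data_get(data, "proto-tcp", v, sizeof v) && strcmp(v, "yes") == 0;
    return tcp ? "tcp-client" : "udp";
}

struct remote_args { char host[256]; char port[8]; const char *argv[5]; };
/* Fill r->argv (NULL-terminated); -1 if gateway or port is missing or too long. */
static int build_remote_args(const char *data, struct remote_args *r)
{
    if (!data_get(data, "remote", r->host, sizeof r->host) ||
        !data_get(data, "port", r->port, sizeof r->port))
        return -1;
    r->argv[0] = "--remote"; r->argv[1] = r->host; r->argv[2] = r->port;
    r->argv[3] = remote_proto(data); r->argv[4] = NULL;
    return 0;
}

int main(void)
{
    struct remote_args r; /* input below is constructed, with a placeholder host */
    if (build_remote_args("remote-ip=192.168.1.74,remote=vpn.example.org,proto-tcp=yes,port=11111", &r) == 0)
        printf("%s %s %s %s\n", r.argv[0], r.argv[1], r.argv[2], r.argv[3]);
    return 0;
}
```

The arguments are kept as an argv array rather than a joined string, so option values taken from the connection profile are never re-parsed by a shell.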

Comment 2 Fedora Update System 2016-02-11 18:21:43 UTC
NetworkManager-openvpn-1.0.8-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021

Comment 3 Fedora Update System 2016-02-12 13:51:29 UTC
NetworkManager-openvpn-1.0.8-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021

Comment 4 Hussama Ismail 2016-02-14 15:38:03 UTC
@Thomas, How are you? 

I was able to reproduce this bug following the steps suggested by @Xavier. Unfortunately, after I updated my Fedora 22 with the testing packages, the behavior was the same.

Comment 5 Thomas Haller 2016-02-14 18:59:46 UTC
(In reply to Hussama Ismail from comment #4)
> @Thomas, How are you? 
> 
> I was able to reproduce this bug following the suggested steps by @Xavier.
> Unfortunately, after that I've updated my fedora 22 with testing packages,
> the behavior was the same.

Strange. Could you provide more information? Especially the command line arguments which nm-openvpn-service passed to openvpn. Thanks

Comment 6 Gustavo Ferreira 2016-07-06 02:59:12 UTC
Created attachment 1176700: Bug

The problem persists with a fully updated machine on Fedora 22.

Comment 7 Gustavo Ferreira 2016-07-06 03:03:08 UTC
By the way, I am using OpenVPN 2.3.11, which is the version available in the repository.

Comment 8 Gustavo Ferreira 2016-07-06 03:09:49 UTC
I am sorry, I just noticed I am running NetworkManager-openvpn-1.0.8-1.fc22, even though I have a fully updated machine.

Since the patch was submitted 5 months ago, I thought it would be in the stable repo by now. I will try the patch and report back.

Comment 9 Gustavo Ferreira 2016-07-06 03:16:06 UTC
I can now confirm that this patch works for me!

I am very sorry for all this spam.

One question though: can anyone tell me when this patch is going to be released to the stable repo?

Thank you, and sorry once again.

Comment 10 Thomas Haller 2016-07-06 08:14:47 UTC
(In reply to Gustavo Ferreira from comment #9)
> I can now confirm that this patch works for me!
> 
> I am very sorry for all this spam.
> 
> One question though, can anyone tell me when is this patch going to be
> released on the stable repo?


What does "stable repo" mean? The patch is part of upstream's nm-1-0, nm-1-2 and master branches. And it's in Fedora 22 and newer.

Comment 11 Gustavo Ferreira 2016-07-06 11:38:12 UTC
I mean that I have a fully updated Fedora 22 and the version I had was NetworkManager-openvpn-1.0.8-1.fc22. I had to enable the testing repo in order to get the version NetworkManager-openvpn-1.0.8-2.fc22.

Can you please check that the new version is in fact in the Fedora repository?
Because when I do a dnf search NetworkManager-openvpn, the only thing I get is this:

NetworkManager-openvpn-1:1.0.8-1.fc22.x86_64
NetworkManager-openvpn-gnome-1:1.0.8-1.fc22.x86_64

Meaning that I am not getting the version 8-2 unless I enable the updates-testing repository.

I would also like to point out that when I run openvpn from the shell, after I exit my routes are back to the previous state, whereas if I start openvpn from NetworkManager, I lose connectivity after I stop the VPN (my default gateway is not back to the previous one).

Please let me know what type of information you need to get an understanding of what is happening on my machine.

Comment 12 Thomas Haller 2016-07-06 12:20:15 UTC
(In reply to Gustavo Ferreira from comment #11)
> I mean that I have a fully updated fedora 22 and the version I had was
> NetworkManager-openvpn-1.0.8-1.fc22. I had to enable the testing repo in
> order to get the version NetworkManager-openvpn-1.0.8-2.fc22.
> 
> Can you check please, that the new version is in fact in fedora repository?
> Because when I do a dnf search NetworkManager-openvpn, the only thing I get
> is this:
> 
> NetworkManager-openvpn-1:1.0.8-1.fc22.x86_64
> NetworkManager-openvpn-gnome-1:1.0.8-1.fc22.x86_64
> 
> Meaning that I am not getting the version 8-2 unless I enable the
> updates-testing repository.


Hi,

There is update https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021 which still waits until the package gets +3 Karma points. Anyway, the fix is rather trivial, I pushed it now manually.

Thanks for pointing that out. I missed it.

 
> I also would like to point out that when I run openvpn from shell, after I
> exit my routes are back to the previous state whereas if I start openvpn
> from the NetworkManager, I lose connectivity after I stop the vpn (my
> default gateway is not back to the previous one).
> 
> Please let me know what type of information do you need to get an
> understanding of what is happening in my machine.

Let's keep the issues separate. Please open a separate bug against NetworkManager if you think this is a bug. But note that f22 is rather old. You will not get many fixes there. Please consider updating to a new Fedora release.

Comment 13 Fedora Update System 2016-07-12 02:23:58 UTC
NetworkManager-openvpn-1.0.8-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.