Red Hat Bugzilla – Bug 1306746
proto TCP incorrectly passed on to openvpn
Last modified: 2016-07-11 22:24:03 EDT
Description of problem:
Version-Release number of selected component (if applicable):
NetworkManager:x86-64 version 1:1.0.10-2.fc22
NetworkManager-openvpn.x86_64 1:1.0.8-1.fc22 @updates
NetworkManager-openvpn-gnome.x86_64 1:1.0.8-1.fc22 @updates
Steps to Reproduce:
1. With root, use nm-connection-editor to get the GUI to define a new connection.
2. Add a connection of type OpenVPN.
3. Fill in some basic data to be able to save the connection (gateway, remote IP, local IP). I have used a static key file but this probably won't matter.
4. Use the Advanced... button, where you activate the "Use a TCP connection" option. Close that window.
5. Save that new connection (assuming it is still named "VPN connection 1") and close the connection editor.
6. Don't bother setting up a server side. You won't need it to cause the error.
7. With root, try to start the new connection with this command: nmcli c up "VPN connection 1" (or whatever name you gave it).
Error: Connection activation failed: unknown reason.
A working connection
The file used by network manager looks OK, and contains this line:
When starting the nm-openvpn-service in --debug mode, we get this additional info that points to a possible cause:
service-type : "org.freedesktop.NetworkManager.openvpn" (s)
user-name : NULL (sd)
persistent : FALSE (sd)
data : local-ip=172.30.255.73,connection-type=static-key,remote=xxxxxxxxxxxxx.org,proto-tcp=yes,remote-ip=192.168.1.74,static-key=/etc/openvpn/static.key,port=11111,dev-type=tun,dev=01 (s)
secrets : (s)
This part looks OK, as it clearly sets the proto-tcp to yes.
However, the call to openvpn is then as follows:
nm-openvpn-Message: EXEC: '/usr/sbin/openvpn --remote xxxxxxxxxxxx.org 11111 tcp --nobind --dev 01 --dev-type tun --auth-nocache --verb 10 --script-security 2 --up /usr/libexec/nm-openvpn-service-openvpn-helper --helper-debug --tun -- --up-restart --persist-key --persist-tun --management /var/run/NetworkManager/nm-openvpn-<someUUIDhere> unix --management-client-user root --management-client-group root --management-query-passwords --auth-retry interact --route-noexec --ifconfig-noexec --secret /etc/openvpn/static_vesalius_euler.key --ifconfig 192.168.1.73 192.168.1.74 --user nm-openvpn --group nm-openvpn'
nm-openvpn-Message: openvpn started with pid <somePID>
Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client
Use --help for more information.
As is clear from this output, the openvpn version that is shipped with Fedora 22 and above expects a different syntax. I believe at least version 1 of openvpn indeed used the "tcp" keyword, but several 2.3 versions don't.
Replace the "TCP" checkbox by a combo box to select "udp" (the default), "tcp-client" or "tcp-server".
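A small diagnostic for the failure in the report above, added here as an example (it is not code from NetworkManager-openvpn or from the fix for this bug): it parses an `EXEC:` debug line and flags a bare `tcp` protocol token, which the OpenVPN error message asks to be given as `tcp-client` or `tcp-server`. The sample lines, the host `vpn.example.org` and the function names are constructed for illustration.

```python
import shlex

# Bare protocol token that the OpenVPN error on this page calls ambiguous.
AMBIGUOUS = {"tcp"}

# Constructed sample debug lines (shortened; host name is a placeholder).
BAD_LINE = ("nm-openvpn-Message: EXEC: '/usr/sbin/openvpn --remote "
            "vpn.example.org 11111 tcp --nobind --dev tun0 --dev-type tun'")
GOOD_LINE = ("nm-openvpn-Message: EXEC: '/usr/sbin/openvpn --remote "
             "vpn.example.org 11111 tcp-client --nobind --dev tun0 --dev-type tun'")


def parse_exec_line(line):
    """Return the argv list from an "EXEC: '...'" debug line."""
    marker = "EXEC: '"
    start = line.index(marker) + len(marker)
    end = line.rindex("'")
    return shlex.split(line[start:end])


def find_ambiguous_proto(argv):
    """Return (option, token) pairs where a bare 'tcp' protocol is passed."""
    findings = []
    i = 0
    while i < len(argv):
        opt = argv[i]
        # Parameters of an option run until the next token starting with "--".
        j = i + 1
        while j < len(argv) and not argv[j].startswith("--"):
            j += 1
        params = argv[i + 1:j]
        # --remote host [port] [proto]: the protocol is the third parameter.
        if opt == "--remote" and len(params) >= 3 and params[2] in AMBIGUOUS:
            findings.append((opt, params[2]))
        # --proto p: the protocol is the first parameter.
        if opt == "--proto" and params and params[0] in AMBIGUOUS:
            findings.append((opt, params[0]))
        i = j
    return findings


if __name__ == "__main__":
    for line in (BAD_LINE, GOOD_LINE):
        print(find_ambiguous_proto(parse_exec_line(line)))
```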
NetworkManager-openvpn-1.0.8-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021
NetworkManager-openvpn-1.0.8-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021
@Thomas, How are you?
I was able to reproduce this bug following the suggested steps by @Xavier. Unfortunately, after I updated my Fedora 22 with testing packages, the behavior was the same.
(In reply to Hussama Ismail from comment #4)
> @Thomas, How are you?
> I was able to reproduce this bug following the suggested steps by @Xavier.
> Unfortunately, after I updated my Fedora 22 with testing packages,
> the behavior was the same.
Strange. Could you provide more information? Especially the command line arguments which nm-openvpn-service passed to openvpn. Thanks
Created attachment 1176700
The problem persists with full updated machine on fedora 22.
By the way, I am using OpenVPN 2.3.11, which is the version available in the repository.
I am sorry, I just noticed I am running NetworkManager-openvpn-1.0.8-1.fc22, even though I have a fully updated machine.
Since the patch was submitted 5 months ago, I thought it would be in the stable repo by now. I will try the patch and report back.
I can now confirm that this patch works for me!
I am very sorry for all this spam.
One question though, can anyone tell me when is this patch going to be released on the stable repo?
Thank you, and sorry once again.
(In reply to Gustavo Ferreira from comment #9)
> I can now confirm that this patch works for me!
> I am very sorry for all this spam.
> One question though, can anyone tell me when is this patch going to be
> released on the stable repo?
What does "stable repo" mean? The patch is part of upstream's nm-1-0, nm-1-2, master branches. And it's in Fedora 22 and newer.
I mean that I have a fully updated fedora 22 and the version I had was NetworkManager-openvpn-1.0.8-1.fc22. I had to enable the testing repo in order to get the version NetworkManager-openvpn-1.0.8-2.fc22.
Can you check please, that the new version is in fact in fedora repository?
Because when I do a dnf search NetworkManager-openvpn, the only thing I get is this:
Meaning that I am not getting the version 8-2 unless I enable the updates-testing repository.
I also would like to point out that when I run openvpn from shell, after I exit my routes are back to the previous state whereas if I start openvpn from the NetworkManager, I lose connectivity after I stop the vpn (my default gateway is not back to the previous one).
Please let me know what type of information do you need to get an understanding of what is happening in my machine.
(In reply to Gustavo Ferreira from comment #11)
> I mean that I have a fully updated fedora 22 and the version I had was
> NetworkManager-openvpn-1.0.8-1.fc22. I had to enable the testing repo in
> order to get the version NetworkManager-openvpn-1.0.8-2.fc22.
> Can you check please, that the new version is in fact in fedora repository?
> Because when I do a dnf search NetworkManager-openvpn, the only thing I get
> is this:
> Meaning that I am not getting the version 8-2 unless I enable the
> updates-testing repository.
There is update https://bodhi.fedoraproject.org/updates/FEDORA-2016-ca8b078021 which still waits until the package gets +3 Karma points. Anyway, the fix is rather trivial, I pushed it now manually.
Thanks for pointing that out. I missed it.
> I also would like to point out that when I run openvpn from shell, after I
> exit my routes are back to the previous state whereas if I start openvpn
> from the NetworkManager, I lose connectivity after I stop the vpn (my
> default gateway is not back to the previous one).
> Please let me know what type of information do you need to get an
> understanding of what is happening in my machine.
Let's keep the issues separate. Please open a separate bug against NetworkManager if you think this is a bug. But note that f22 is rather old. You will not get many fixes there. Please consider updating to a new Fedora release.
NetworkManager-openvpn-1.0.8-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.