GNOME Bugzilla – Bug 778154
openvpn import ignores key-direction 1 option when tls-auth is an external file
Last modified: 2017-12-28 10:36:55 UTC
When importing an .ovpn config, the "key-direction 1" option is ignored if the tls-auth option points to an external file. This causes VPN session setup to fail (after a timeout).

The "key-direction 1" import works if the .ovpn config is first rewritten to either use the inline <tls-auth> syntax or else use the "tls-auth filename 1" syntax.

NetworkManager 1.2.4
NetworkManager-openvpn 1.2.6 and 1.2.8 (same problem in both)

$ nmcli --version
nmcli tool, version 1.2.4

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.10
Release: 16.10
Codename: yakkety

$ openvpn --version
OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

Could you attach the .ovpn file here (after removing private data)? Thanks.

Created attachment 345470: Example ovpn config w/ key-direction and external tls-auth file
I noticed this same problem, except in my case it was with the inline configuration. If "key-direction 1" appeared on the line *after* "</tls-auth>", it was ignored during import. If I moved "key-direction 1" to the line *before* "<tls-auth>", it was properly recognized on import. This is with network-manager-openvpn 1.2.8 on Debian testing. I'm not sure if this is the same bug or different. Looking at the attached config file, I notice that the key-direction line is also after the tls-auth line. @Forest, does the problem go away for you if you move the key-direction line above the tls-auth line?
> does the problem go away for you if you move the key-direction line above the tls-auth line?

Nope; moving the key-direction line above the tls-auth line does not fix it for me. Tested with NetworkManager-openvpn 1.2.6. The 1.2.8 changelog doesn't mention any key-direction parsing changes, so I imagine it's the same there.
P.S. I tested both with a GUI import and an nmcli import. The ta-direction line was not imported (as ta-dir) in either case.
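A small lint for the forms discussed in this report, added here as an example (it is not NetworkManager-openvpn's importer code): it resolves the tls-auth key direction from an .ovpn file regardless of line order, so the result can be compared with the ta-dir value of the imported connection. The function name and the sample config are constructed, and treating an explicit tls-auth argument as taking precedence over key-direction is an assumption.

```python
import re
import shlex

def tls_auth_direction(ovpn_text):
    """Return how an .ovpn file expresses its tls-auth key direction.

    Keys: source ('file', 'inline' or None), direction ('0', '1' or None)
    and form (which syntax carried the direction).
    """
    source = arg_dir = kd = None
    ta_line = kd_line = 0
    block = None                          # name of the inline block we are inside
    for n, raw in enumerate(ovpn_text.splitlines(), 1):
        line = raw.strip()
        if block:                         # skip key material until the closing tag
            if line == "</" + block + ">":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            block = tag.group(1)
            if block == "tls-auth":
                source, ta_line = "inline", n
            continue
        words = shlex.split(line, comments=True)
        if words[:1] == ["tls-auth"] and len(words) >= 2:
            source, ta_line = "file", n
            arg_dir = words[2] if len(words) > 2 else None
        elif words[:1] == ["key-direction"] and len(words) == 2:
            kd, kd_line = words[1], n
    if source is None:
        return {"source": None, "direction": None, "form": "no tls-auth"}
    if arg_dir is not None:               # "tls-auth filename 1"; assumed to win
        return {"source": source, "direction": arg_dir, "form": "tls-auth argument"}
    if kd is None:
        return {"source": source, "direction": None, "form": "no direction"}
    where = "after" if kd_line > ta_line else "before"
    return {"source": source, "direction": kd, "form": "key-direction " + where + " tls-auth"}

# Constructed sample: external key file with a separate key-direction line,
# the combination this report says lost its direction on import.
SAMPLE = "client\nremote vpn.example.com 1194\ntls-auth ta.key\nkey-direction 1\n"

if __name__ == "__main__":
    print(tls_auth_direction(SAMPLE))
```

If the function reports a direction but the imported connection has no ta-dir, the import dropped it and the HMAC key halves will not match the server's.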
Very annoying issue discovered here: https://github.com/kylemanna/docker-openvpn/issues/268
Created attachment 356919: [PATCH] import: fix parsing of key direction

(In reply to Beniamino Galvani from comment #7)
> Created attachment 356919
> [PATCH] import: fix parsing of key direction

lgtm
Applied: https://git.gnome.org/browse/network-manager-openvpn/commit/?id=28636684a268e280accaeb378f00f4a80e9e0377
*** Bug 792007 has been marked as a duplicate of this bug. ***