After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 731620 - No GUI option for IPv6
No GUI option for IPv6
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
unspecified
Other All
: Normal enhancement
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
: 784461 790769 (view as bug list)
Depends on:
Blocks:
 
 
Reported: 2014-06-13 14:19 UTC by Fohlen
Modified: 2017-11-23 21:38 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Allow IPv6 remote address in gateway entry while editing an openvpn connection (1.81 KB, patch)
2017-08-16 06:57 UTC, Jonathan Kang
none Details | Review
add support for IP address family specifier for remote protocol (15.96 KB, patch)
2017-08-18 12:30 UTC, Thomas Haller
none Details | Review

Description Fohlen 2014-06-13 14:19:00 UTC
As OpenVPN introduces IPv6, there should also be the possibility to setup IPv6 within the Network Manager Gui, or it should switch autocratically.
To get this done, only the protocol needs to be changed within the OpenVPN config (from udp -> upd6, tcp -> tcp6). Introducing a automatic switch would be a convenient solution.
Comment 1 Thomas Haller 2014-07-29 12:43:57 UTC
Are you referring to the configuration

 --remote host [port] [proto]

with [proto] being udp6 or tcp6?


or do you mean:
  --proto p
     "Use protocol p for communicating with remote host. p can
      be udp, tcp-client, or tcp-server."

Manual pages don't mention udp6/tcp6. https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage


Some more details would be advised.
Comment 2 Fohlen 2014-08-04 07:33:27 UTC
Hello Thomas.
Yes, I am referring to --remote host [port] [proto]
There is currently no option in the Network Manager GUI to use IPv6 addresses (for remote hosts).
Comment 3 Thomas Haller 2014-08-04 08:32:17 UTC
The manual page makes no mention about --remote accepting udp6/tcp6.

Can you provide a link?


Why would openvpn ask for such a configuration? You configure the remote host (which either resolves to IPv4 or IPv6, so what's the point of explicitly specifying that?)
Comment 4 killerpsi23 2015-10-21 06:51:33 UTC
Same problem.

OpenVPN manpage needs updating. It mentions 'udp6/tcp6' but not at the option '--proto'.

'--proto udp6/tcp6' is need for connecting to an OpenVPN server with an IPv6 address. Otherwise, if use '--proto udp/tcp', openvpn will fails to resolve the IPv6 address of server.

https://github.com/OpenVPN/openvpn/blob/master/README.IPv6

The only documentation about this problem provided by OpenVPN which I can find is the one embedded in its source code archive.
Comment 5 Frederic Crozat 2017-02-04 16:25:19 UTC
I can confirm the issue. On a network with only IPv6 available (FOSDEM conference default wifi, for instance), it is not possible to use an openVPN VPN configured with NetworkManager, because it only tries udp (which means udpv4 for openVPN) and there is no way to either force udpv6 or, even better, have both tried options tried if the first fails.
Comment 6 Jonathan Kang 2017-06-22 08:18:30 UTC
Looking at bug#682620, this issue should have been fixed. And it seems to
require openVPN 2.4 to make it work.
Comment 7 Jonathan Kang 2017-08-16 06:57:04 UTC
Created attachment 357689 [details] [review]
Allow IPv6 remote address in gateway entry while editing an openvpn connection

I'm working on the IPv6 support in NM-openvpn recently. And this is the first
patch which allows IPv6 remote address in gateway entry while editing an
openvpn conneciton.

I've made some progress in parsing IPv6 remote address. That patch will be
attached soon.
Comment 8 Thomas Haller 2017-08-18 12:28:54 UTC
(In reply to Jonathan Kang from comment #7)
> Created attachment 357689 [details] [review] [review]
> Allow IPv6 remote address in gateway entry while editing an openvpn
> connection
> 
> I'm working on the IPv6 support in NM-openvpn recently. And this is the first
> patch which allows IPv6 remote address in gateway entry while editing an
> openvpn conneciton.
> 
> I've made some progress in parsing IPv6 remote address. That patch will be
> attached soon.

Hi Jonathan,

the change in check_gateway_entry() seems not correct to me. Does Openvpn even support specifying an IPv6 remote address with [::] notation?

I think we could just search from the colon from the right end, so one could specify
  2001:dead:beef::1:1194:udp
or just
  2001:dead:beef::1::

also, the parsing of this line is currently duplicated at 3 places. It should be moved to one function.
Comment 9 Thomas Haller 2017-08-18 12:30:57 UTC
Created attachment 357891 [details] [review]
add support for IP address family specifier for remote protocol

Add support for udp4/udp6/tcp4/tcp6 and the tcp*-client specifiers.

- refactor parsing of host:port:proto for --remote into a function
  nmovpn_remote_parse(). Also, search for the ':' delimiter from
  the right side. That way, one could use colons in the host like
  using an IPv6 address "aa:bb::1:1194:udp" (or just "aa:bb::1::").

- during export, also consider '\t' as delimiter for mulitple
  remotes.

- during export, if port is unspecified but proto is given (a very
  unusual case), export port as "1194" instead of "443" for TCP. That
  is what server also does in case port is missing, and also is 1194
  the default port for OpenVPN.
Comment 10 Jonathan Kang 2017-08-21 07:36:19 UTC
(In reply to Thomas Haller from comment #8)
> (In reply to Jonathan Kang from comment #7)
> > Created attachment 357689 [details] [review] [review] [review]
> > Allow IPv6 remote address in gateway entry while editing an openvpn
> > connection
> > 
> > I'm working on the IPv6 support in NM-openvpn recently. And this is the first
> > patch which allows IPv6 remote address in gateway entry while editing an
> > openvpn conneciton.
> > 
> > I've made some progress in parsing IPv6 remote address. That patch will be
> > attached soon.
> 
> Hi Jonathan,
> 
> the change in check_gateway_entry() seems not correct to me. Does Openvpn
> even support specifying an IPv6 remote address with [::] notation?

Emm. I checked wikipedia[1] and found out this rule, but I'm not sure if it's used
in openvpn.
> 
> I think we could just search from the colon from the right end, so one could
> specify
>   2001:dead:beef::1:1194:udp
> or just
>   2001:dead:beef::1::

I suppose we'll have to add two ':' after the ipv6 address even if we don't want
to specify the port and proto. Inputing "2001:dead:beef::1" lead to an invalid
config.

*[1]https://en.wikipedia.org/wiki/IPv6_address#Literal_IPv6_addresses_in_network_resource_identifiers
Comment 11 Thomas Haller 2017-08-21 09:18:41 UTC
(In reply to Jonathan Kang from comment #10)
> (In reply to Thomas Haller from comment #8)
> > (In reply to Jonathan Kang from comment #7)
> > > Created attachment 357689 [details] [review] [review] [review] [review]
> > > Allow IPv6 remote address in gateway entry while editing an openvpn
> > > connection
> > > 
> > > I'm working on the IPv6 support in NM-openvpn recently. And this is the first
> > > patch which allows IPv6 remote address in gateway entry while editing an
> > > openvpn conneciton.
> > > 
> > > I've made some progress in parsing IPv6 remote address. That patch will be
> > > attached soon.
> > 
> > Hi Jonathan,
> > 
> > the change in check_gateway_entry() seems not correct to me. Does Openvpn
> > even support specifying an IPv6 remote address with [::] notation?
> 
> Emm. I checked wikipedia[1] and found out this rule, but I'm not sure if
> it's used
> in openvpn.

This [::] notation is mostly used in URLs. It's not clear that openvpn supports that .


> > 
> > I think we could just search from the colon from the right end, so one could
> > specify
> >   2001:dead:beef::1:1194:udp
> > or just
> >   2001:dead:beef::1::
> 
> I suppose we'll have to add two ':' after the ipv6 address even if we don't
> want
> to specify the port and proto. Inputing "2001:dead:beef::1" lead to an
> invalid
> config.
> 
> *[1]https://en.wikipedia.org/wiki/
> IPv6_address#Literal_IPv6_addresses_in_network_resource_identifiers

correct.
Comment 12 Thomas Haller 2017-08-21 09:42:58 UTC
(In reply to Thomas Haller from comment #11)
> (In reply to Jonathan Kang from comment #10)
> > (In reply to Thomas Haller from comment #8)
> 
> > > I think we could just search from the colon from the right end, so one could
> > > specify
> > >   2001:dead:beef::1:1194:udp
> > > or just
> > >   2001:dead:beef::1::
> > 
> > I suppose we'll have to add two ':' after the ipv6 address even if we don't
> > want
> > to specify the port and proto. Inputing "2001:dead:beef::1" lead to an
> > invalid
> > config.
> > 
> > *[1]https://en.wikipedia.org/wiki/
> > IPv6_address#Literal_IPv6_addresses_in_network_resource_identifiers
> 
> correct.

we could try to guess that the first part already is IPv6 address, and that the colon shall not be treated as separator. But that complicates the rules how to interpret the string. That is not hard to implement, but hard to document/understand for the user.

Given how unlikely it is that somebody enters there a plain IPv6 address, the current notation seems simpler and suitable. Dunno.
Comment 13 Jonathan Kang 2017-08-21 10:02:41 UTC
(In reply to Thomas Haller from comment #12)
> 
> we could try to guess that the first part already is IPv6 address, and that
> the colon shall not be treated as separator. But that complicates the rules
> how to interpret the string. That is not hard to implement, but hard to
> document/understand for the user.
> 
> Given how unlikely it is that somebody enters there a plain IPv6 address,
> the current notation seems simpler and suitable. Dunno.

Fair enough. It makes sense to me.

Thanks.
Comment 14 Thomas Haller 2017-08-21 10:34:21 UTC
Thinking some more...

guessing makes it hard to understand what means "2001:dead:beef::1:1194" 

Maybe the plugin could allow the [::] notation (even if openvpn itself wouldn't support it). But that seems unexpected to the user as well (we either would need to document to use "[]" or "::").

The problem is that we use colon as separator. We cannot change that now, so plain IPv6 addresses are problematic either way. The workaround is to append :: to an IPv6 address, which seems acceptable (but still ugly).
Comment 15 Beniamino Galvani 2017-08-28 09:25:21 UTC
To make it simpler for users, without the need to consult the
documentation, we could accept all the following:

 IPv6
 IPv6:port:proto
 [IPv6]
 [IPv6]:port
 [IPv6]:port:proto

Also, a tooltip in the GUI could show what the valid syntax is.
Comment 16 Thomas Haller 2017-08-28 15:32:02 UTC
Ok, after discussion, I merged https://git.gnome.org/browse/network-manager-openvpn/commit/?id=3c5c7efba75ffd121be3b0ac179c36ca9aa772b0

Now, IPv6 addresses can both be escaped with square brackets and are taken verbatim. That is, parsing them as IPv6 address has highest priority, for that reason

  "aa:bb::1:1194:udp"

is an invalid confguration (because it looks like the port is "udp").
The workaround is "[aa:bb::1]:1194:udp".


Another outcome is that 

  --remote a:

cannot be expressed in NM configuration, because 
 - "a:" would be treated as "a"
 - "a::" would be treated as "a::"
 - "a:::" would be treated as "a::"

You can also not do

  --remote a: 1194

because
 - "a::1194" would be treated as "a::1194"
 - "a::1194:" would be treated as "a::1194"



Basically, certain hostnames with colon (but not IPv6 addresses) cannot be supported with this syntax.
Comment 17 Thomas Haller 2017-09-26 08:58:28 UTC
*** Bug 784461 has been marked as a duplicate of this bug. ***
Comment 18 Thomas Haller 2017-11-23 21:38:35 UTC
*** Bug 790769 has been marked as a duplicate of this bug. ***