After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 767737 - NetworkManager fails to automatically reconnect to VPN server after ping-restart
NetworkManager fails to automatically reconnect to VPN server after ping-restart
Status: RESOLVED OBSOLETE
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
1.2.x
Other Linux
: Normal major
: ---
Assigned To: NetworkManager maintainer(s)
NetworkManager maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2016-06-16 18:15 UTC by cryzed
Modified: 2020-11-12 14:35 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description cryzed 2016-06-16 18:15:50 UTC 
NetworkManager+OpenVPN seems to systematically fail at all possible levels to automatically reconnect to the configured VPN server after a ping-restart.

By systematically fail I mean:

1) When an address instead of an IP is used in the client configuration file ("remote") NetworkManager will fail to resolve the address because the connection to the DNS server is attempted to be made over the disconnected VPN tunnel.

2) If 1) is solved by either replacing the address with an IP, using "persist-remote-ip" or using a local DNS resolver (e.g. Unbound), connecting to the VPN server will still fail, because the connection is attempted to be made over the disconnected VPN tunnel -- key negotiation and all other attempts at communicating with the VPN server will obviously fail.

I think this could be fixed by either removing the tunnel route entirely or adjusting its metric when a ping-restart occurs, and reverting the changes after a successful connection. As long as this doesn't happen, I'd almost say that at least enabling "persist-remote-ip" should be the default behaviour -- because how else would NetworkManager manage to resolve the VPN address if no local DNS resolver is specified (and one is lucky enough that the TTL for the domain hasn't timed out)?

However even if this was the case, the actual issue of establishing a connection to the resolved VPN IP still exists.

Is this simply a configuration issue on my end? The configuration files I am using can be found here: https://www.privateinternetaccess.com/openvpn/openvpn.zip. An excerpt of the nm-openvpn log during a disconnect:

    16.06.16 19:07  nm-openvpn  [Private Internet Access] Inactivity timeout (--ping-restart), restarting
    16.06.16 19:07  nm-openvpn  SIGUSR1[soft,ping-restart] received, process restarting
    16.06.16 19:07  nm-openvpn  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    16.06.16 19:07  nm-openvpn  UDPv4 link local: [undef]
    16.06.16 19:07  nm-openvpn  UDPv4 link remote: [AF_INET]46.166.188.193:1194
    16.06.16 19:08  nm-openvpn  TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    16.06.16 19:08  nm-openvpn  TLS Error: TLS handshake failed
    16.06.16 19:08  nm-openvpn  SIGUSR1[soft,tls-error] received, process restarting
    16.06.16 19:08  nm-openvpn  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

The address could be resolved here because of my running Unbound instance, however actually contacting the server failed because of the still existing and disconnected VPN route.
Comment 1 cryzed 2016-06-16 21:46:57 UTC 
After some more investigation NetworkManager already adds a direct route to the VPN IP via the default gateway:

    46.166.188.241 via 192.168.0.1 dev enp7s0  proto static  metric 100 

The only thing that I can imagine happening right now that would prevent reconnecting to the server, is that the DNS resolver returns a different A-record for the VPN domain at the time of reconnection, which does not have an extra route configured -- thus it would try to connect to it over the VPN tunnel instead of the previous default gateway.

If this is true, adding persist-remote-ip should magically "fix" everything. I'll have to wait and see. However if this works, it would just be a workaround -- ideally NetworkManager would add direct routing via the previous default gateway for every A-record of the VPN's domain.
Comment 2 cryzed 2016-06-19 21:38:19 UTC 
Here's much more information regarding this issue, and why I created it initially: https://github.com/flamusdiu/python-pia/issues/8
Comment 3 André Klapper 2020-11-12 14:35:01 UTC 
bugzilla.gnome.org is being shut down in favor of a GitLab instance. 
We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (workforce and time is unfortunately limited).