GNOME Bugzilla – Bug 778123
NetworkManager-openvpn mishandles the comp-lzo option, thereby breaking the ovpn config and causing AUTH_FAILED
Last modified: 2017-02-06 01:07:33 UTC
NetworkManager-openvpn fails to establish a VPN session, reporting a password authentication error, even though the username and password I entered are correct. Running openvpn from the command line, using the same username, password, and the ovpn file from which NetworkManager imported the setttings, works just fine. I did not have this problem in Ubuntu 16.04 (xenial). NetworkManager 1.2.4 NetworkManager-openvpn 1.2.6 and 1.2.8 (same problem in both) $ nmcli --version nmcli tool, version 1.2.4 $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 16.10 Release: 16.10 Codename: yakkety $ openvpn --version OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Originally developed by James Yonan Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no $ tail -f /var/log/syslog Feb 2 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0702] audit: op="connection-activate" uuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" name="example" pid=3136 uid=1000 result="success" Feb 2 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0741] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: Started the VPN service, PID 5074 Feb 2 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0828] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: Saw the service appear; activating connection Feb 2 23:49:01 computer nm-openvpn[5081]: OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016 Feb 2 23:49:01 computer nm-openvpn[5081]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Feb 2 23:49:01 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081] started Feb 2 23:49:01 computer NetworkManager[1329]: <info> [1486108141.1490] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: starting (3) Feb 2 23:49:01 computer NetworkManager[1329]: <info> [1486108141.1491] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN connection: (ConnectInteractive) reply received Feb 2 23:49:01 computer nm-openvpn[5081]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 2 23:49:01 computer nm-openvpn[5081]: Control Channel Authentication: using '/home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.tls-auth' as a OpenVPN static key file Feb 2 23:49:01 computer nm-openvpn[5081]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay Feb 2 23:49:01 computer nm-openvpn[5081]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Feb 2 23:49:01 computer nm-openvpn[5081]: UDPv4 link local: [undef] Feb 2 23:49:01 computer nm-openvpn[5081]: UDPv4 link remote: [AF_INET]10.10.10.10:1194 Feb 2 23:49:01 computer nm-openvpn[5081]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' Feb 2 23:49:01 computer nm-openvpn[5081]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Feb 2 23:49:01 computer nm-openvpn[5081]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]10.10.10.10:1194 Feb 2 23:49:04 computer nm-openvpn[5081]: AUTH: Received control message: AUTH_FAILED Feb 2 23:49:04 computer nm-openvpn[5081]: SIGUSR1[soft,auth-failure] received, process restarting Feb 2 23:49:04 computer NetworkManager[1329]: nm-openvpn[5074] <warn> Password verification failed Feb 2 23:49:06 computer NetworkManager[1329]: <info> [1486108146.0884] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: requested secrets; state connect (4) Feb 2 23:49:06 computer nm-openvpn[5081]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 2 23:49:06 computer nm-openvpn[5081]: UDPv4 link local: [undef] Feb 2 23:49:06 computer nm-openvpn[5081]: UDPv4 link remote: [AF_INET]10.10.10.10:1194 Feb 2 23:49:06 computer nm-openvpn[5081]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' Feb 2 23:49:06 computer nm-openvpn[5081]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Feb 2 23:49:06 computer nm-openvpn[5081]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]10.10.10.10:1194 Feb 2 23:49:08 computer nm-openvpn[5081]: AUTH: Received control message: AUTH_FAILED Feb 2 23:49:08 computer nm-openvpn[5081]: SIGUSR1[soft,auth-failure] received, process restarting Feb 2 23:49:08 computer NetworkManager[1329]: nm-openvpn[5074] <warn> Password verification failed Feb 2 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2841] audit: op="connection-deactivate" uuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" name="example" pid=3136 uid=1000 result="success" Feb 2 23:49:09 computer dbus[1315]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' Feb 2 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081]: send SIGTERM Feb 2 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> wait for 1 openvpn processes to terminate... Feb 2 23:49:09 computer nm-openvpn[5081]: SIGTERM[hard,init_instance] received, process exiting Feb 2 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081] exited with success Feb 2 23:49:09 computer NetworkManager[1329]: <warn> [1486108149.2918] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: failed: connect-failed (1) Feb 2 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2919] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: stopping (5) Feb 2 23:49:09 computer dbus-daemon[2669]: Activating service name='org.freedesktop.Notifications' Feb 2 23:49:09 computer dbus-daemon[2669]: Successfully activated service 'org.freedesktop.Notifications' Feb 2 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2921] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: stopped (6) Feb 2 23:49:09 computer systemd[1]: Starting Network Manager Script Dispatcher Service... Feb 2 23:49:09 computer dbus[1315]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher' Feb 2 23:49:09 computer systemd[1]: Started Network Manager Script Dispatcher Service. Feb 2 23:49:09 computer nm-dispatcher: req:1 'vpn-down' [eth0]: new request (1 scripts) Feb 2 23:49:09 computer nm-dispatcher: req:1 'vpn-down' [eth0]: start running ordered scripts... $ journalctl -u NetworkManager Feb 02 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0702] audit: op="connection-activate" uuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" name="example" pid=3136 uid=1000 result="success" Feb 02 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0741] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: Started the VPN service, PID 5074 Feb 02 23:49:01 computer NetworkManager[1329]: <info> [1486108141.0828] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: Saw the service appear; activating connection Feb 02 23:49:01 computer nm-openvpn[5081]: OpenVPN 2.3.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2016 Feb 02 23:49:01 computer nm-openvpn[5081]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Feb 02 23:49:01 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081] started Feb 02 23:49:01 computer NetworkManager[1329]: <info> [1486108141.1490] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: starting (3) Feb 02 23:49:01 computer NetworkManager[1329]: <info> [1486108141.1491] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN connection: (ConnectInteractive) reply received Feb 02 23:49:01 computer nm-openvpn[5081]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 02 23:49:01 computer nm-openvpn[5081]: Control Channel Authentication: using '/home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.tls-auth' as a OpenVPN static key file Feb 02 23:49:01 computer nm-openvpn[5081]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay Feb 02 23:49:01 computer nm-openvpn[5081]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Feb 02 23:49:01 computer nm-openvpn[5081]: UDPv4 link local: [undef] Feb 02 23:49:01 computer nm-openvpn[5081]: UDPv4 link remote: [AF_INET]10.10.10.10:1194 Feb 02 23:49:01 computer nm-openvpn[5081]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' Feb 02 23:49:01 computer nm-openvpn[5081]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Feb 02 23:49:01 computer nm-openvpn[5081]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]10.10.10.10:1194 Feb 02 23:49:04 computer nm-openvpn[5081]: AUTH: Received control message: AUTH_FAILED Feb 02 23:49:04 computer nm-openvpn[5081]: SIGUSR1[soft,auth-failure] received, process restarting Feb 02 23:49:04 computer NetworkManager[1329]: nm-openvpn[5074] <warn> Password verification failed Feb 02 23:49:06 computer NetworkManager[1329]: <info> [1486108146.0884] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: requested secrets; state connect (4) Feb 02 23:49:06 computer nm-openvpn[5081]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Feb 02 23:49:06 computer nm-openvpn[5081]: UDPv4 link local: [undef] Feb 02 23:49:06 computer nm-openvpn[5081]: UDPv4 link remote: [AF_INET]10.10.10.10:1194 Feb 02 23:49:06 computer nm-openvpn[5081]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' Feb 02 23:49:06 computer nm-openvpn[5081]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Feb 02 23:49:06 computer nm-openvpn[5081]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]10.10.10.10:1194 Feb 02 23:49:08 computer nm-openvpn[5081]: AUTH: Received control message: AUTH_FAILED Feb 02 23:49:08 computer nm-openvpn[5081]: SIGUSR1[soft,auth-failure] received, process restarting Feb 02 23:49:08 computer NetworkManager[1329]: nm-openvpn[5074] <warn> Password verification failed Feb 02 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2841] audit: op="connection-deactivate" uuid="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" name="example" pid=3136 uid=1000 result="success" Feb 02 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081]: send SIGTERM Feb 02 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> wait for 1 openvpn processes to terminate... Feb 02 23:49:09 computer NetworkManager[1329]: nm-openvpn[5074] <info> openvpn[5081] exited with success Feb 02 23:49:09 computer NetworkManager[1329]: <warn> [1486108149.2918] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: failed: connect-failed (1) Feb 02 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2919] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: stopping (5) Feb 02 23:49:09 computer NetworkManager[1329]: <info> [1486108149.2921] vpn-connection[0x557d295f73c0,XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX,"example",0]: VPN plugin: state changed: stopped (6) $ nmcli con s example connection.id: example connection.uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX connection.interface-name: -- connection.type: vpn connection.autoconnect: yes connection.autoconnect-priority: 0 connection.timestamp: 0 connection.read-only: no connection.permissions: user:ubuntu connection.zone: -- connection.master: -- connection.slave-type: -- connection.autoconnect-slaves: -1 (default) connection.secondaries: connection.gateway-ping-timeout: 0 connection.metered: unknown connection.lldp: -1 (default) ipv4.method: auto ipv4.dns: ipv4.dns-search: ipv4.dns-options: (default) ipv4.dns-priority: 0 ipv4.addresses: ipv4.gateway: -- ipv4.routes: ipv4.route-metric: -1 ipv4.ignore-auto-routes: no ipv4.ignore-auto-dns: no ipv4.dhcp-client-id: -- ipv4.dhcp-timeout: 0 ipv4.dhcp-send-hostname: yes ipv4.dhcp-hostname: -- ipv4.dhcp-fqdn: -- ipv4.never-default: no ipv4.may-fail: yes ipv4.dad-timeout: -1 (default) ipv6.method: auto ipv6.dns: ipv6.dns-search: ipv6.dns-options: (default) ipv6.dns-priority: 0 ipv6.addresses: ipv6.gateway: -- ipv6.routes: ipv6.route-metric: -1 ipv6.ignore-auto-routes: no ipv6.ignore-auto-dns: no ipv6.never-default: no ipv6.may-fail: yes ipv6.ip6-privacy: 0 (disabled) ipv6.addr-gen-mode: stable-privacy ipv6.dhcp-send-hostname: yes ipv6.dhcp-hostname: -- vpn.service-type: org.freedesktop.NetworkManager.openvpn vpn.user-name: -- vpn.data: key = /home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.key, verify-x509-name = subject:CN=OpenVPN Server, dev = tun, ca = /home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.ca.crt, cert = /home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.user.crt, username = myusername, dev-type = tun, ns-cert-type = server, reneg-seconds = 604800, cert-pass-flags = 0, cipher = AES-128-CBC, remote = 10.10.10.10:1194:udp, password-flags = 1, connection-type = password-tls, ta-dir = 1, ta = /home/ubuntu/vpn/ovpn.example.net/networkmanager/example.ovpn.tls-auth vpn.secrets: <hidden> vpn.persistent: no vpn.timeout: 0
Feb 02 23:49:06 computer nm-openvpn[5081]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Looks like a mis-configuration. Try enabling comp-lzo client side (you can do that in the nm-connection-editor GUI), or using nmcli. nmcli connection modify "$NAME" +vpn.data 'comp-lzo=adaptive' nmcli connection modify "$NAME" +vpn.data 'comp-lzo=no-by-default' nmcli connection modify "$NAME" +vpn.data 'comp-lzo=yes' nmcli connection modify "$NAME" -vpn.data 'comp-lzo' See `man openvpn` for what comp-lzo means.
Thanks for the hint. Enabling lzo in the Advanced config dialog did indeed get it working. This reveals that NetworkManager-openvpn is mishandling the comp-lzo option. The .ovpn config file generated by my provider includes "comp-lzo no", which (from the openvpn man page) "will turn off compression by default, but allow a future directive push from the server to dynamically change the on/off/adaptive setting". Bug: NetworkManager-openvpn seems to be ignoring the comp-lzo option when it imports an .ovpn config file. This prevents the server's pushed setting from working, leading instead to the AUTH_FAILED error, while manually running openvpn with the original .ovpn config file works fine. Bug: NetworkManager-openvpn's GUI exposes only a yes/no check box to represent the comp-lzo option, which has 3 possible settings: yes, no, or adaptive (the default). Bug: When the check box is unchecked, which any reasonable user would expect to mean "no", NetworkManager-openvpn fails to pass "comp-lzo no" to openvpn. This leads openvpn to use its default "adaptive" setting, which breaks the server's pushed option, causing a failure.
Clarification on that first bug I described above: NetworkManager-openvpn ignores/strips the "comp-lzo no" option when it imports an .ovpn config file, apparently leading to openvpn's default "adaptive" setting being used when it runs. This prevents the server's pushed comp-lzo setting from working, leading to the AUTH_FAILED error.
(In reply to Forest from comment #2) > Thanks for the hint. Enabling lzo in the Advanced config dialog did indeed > get it working. > > This reveals that NetworkManager-openvpn is mishandling the comp-lzo option. > > The .ovpn config file generated by my provider includes "comp-lzo no", which > (from the openvpn man page) "will turn off compression by default, but allow > a future directive push from the server to dynamically change the > on/off/adaptive setting". > > Bug: > NetworkManager-openvpn seems to be ignoring the comp-lzo option when it > imports an .ovpn config file. This prevents the server's pushed setting > from working, leading instead to the AUTH_FAILED error, while manually > running openvpn with the original .ovpn config file works fine. recent versions of nm-openvpn plugin correctly import the "comp-lzo" option. You probably imported the connection with an older version. > Bug: > NetworkManager-openvpn's GUI exposes only a yes/no check box to represent > the comp-lzo option, which has 3 possible settings: yes, no, or adaptive > (the default). openvpn's comp-lzo option has 4 possible settings: yes, not, adaptive or ~unset~. The GUI exposes only two of them: yes and ~unset~. That is a missing feature, but really it may be just a simplification of the UI which simply doesn't expose all of the options. nmcli supports all of them, see comment 1. > Bug: > When the check box is unchecked, which any reasonable user would expect to > mean "no", NetworkManager-openvpn fails to pass "comp-lzo no" to openvpn. > This leads openvpn to use its default "adaptive" setting, which breaks the > server's pushed option, causing a failure. Not passing --comp-lzo to openvpn is not the same as "--comp-lzo adaptive". ~unset~ is very different. Whether you choose yes, no, or adaptive makes not much of a difference.
>openvpn's comp-lzo option has 4 possible settings: yes, not, adaptive or >~unset~. I'm just going by openvpn's man page, which says lists 3 possible values. If their man page needs updating, please let them know. Here's the text: --comp-lzo [mode] Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. mode may be "yes", "no", or "adaptive" (default). Regardless of whether comp-lzo has three or four possible values, the fact remains that NetworkManager-openvpn fails to import the "no" value, and presents a UI that fails to let the user correct the problem. Result: VPN doesn't work. >recent versions of nm-openvpn plugin correctly import the "comp-lzo" option. No, they don't. Perhaps there are some special circumstances in which they work? In my tests, they fail. I tested with 1.2.6 and 1.2.8. The behavior was wrong in both, and I don't see any newer version on gnome.org. https://download.gnome.org/sources/NetworkManager-openvpn/ >You probably imported the connection with an older version. No, I didn't. I deleted the connection, rebooted, and imported anew when testing each version.
(In reply to Forest from comment #5) > >openvpn's comp-lzo option has 4 possible settings: yes, not, adaptive or > >~unset~. > > I'm just going by openvpn's man page, which says lists 3 possible values. If > their man page needs updating, please let them know. Here's the text: > > --comp-lzo [mode] > Use fast LZO compression -- may add up to 1 byte per packet for > incompressible data. mode may be "yes", "no", or "adaptive" > (default). > > Regardless of whether comp-lzo has three or four possible values, 3 possible "mode" values, plus the possibility not to specify --comp-lzo at all. Making 4 in total. ("--comp-lzo [mode]" is not the same as not specifying --comp-lzo on the command line). > the fact > remains that NetworkManager-openvpn fails to import the "no" value, and > presents a UI that fails to let the user correct the problem. Result: VPN > doesn't work. > > > >recent versions of nm-openvpn plugin correctly import the "comp-lzo" option. > > No, they don't. Perhaps there are some special circumstances in which they > work? In my tests, they fail. I tested with 1.2.6 and 1.2.8. The behavior > was wrong in both, and I don't see any newer version on gnome.org. > https://download.gnome.org/sources/NetworkManager-openvpn/ > > >You probably imported the connection with an older version. > > No, I didn't. I deleted the connection, rebooted, and imported anew when > testing each version. The nm-openvpn plugin supports all 4 options -- except the GUI as it has only a boolean checkbox. So the GUI coerces the unsupported options "no" -> ~unset~ "adaptive" -> "yes" So, if you open the "Advanced" page and click "Save", the GUI will update the value to be either ~unset~ or "yes". That is: you loose the unsupported setting once you click "Save". You can reproduce the same issue via: nmcli connection modify "$NAME" +vpn.data 'comp-lzo=no-by-default' and then editing the connection in nm-connection-editor. Import of a .ovpn file with "comp-lzo no" in the GUI works correctly, unless(!) you click "Save" in the "Advanced" dialog. One problem here is, that the GUI coerces "no" to ~unset~. Such a change breaks the setup as the client can no longer connect to the server that wants to use comp-lzo. A fix for this would be better to coerce a explict "no" to "yes". Anyway, instead I added support for "no" and "adaptive" to the GTK GUI: https://git.gnome.org/browse/network-manager-openvpn/commit/?id=f3ec272521ce7788c03c93f8f3baf99d33b167d8 Closing as fixed, please reopen if something is missing. thanks!
I haven't tested extensively yet, but I applied your patches to Ubuntu's current network-manager-openvpn package (version 1.2.6), and it's working so far. Thanks for the quick action!