GNOME Bugzilla – Bug 793334
Imported OpenVPN connection fails when launched
Last modified: 2018-03-07 22:48:25 UTC
**Steps to reproduce:**

* Install OpenVPN plugin for NetworkManager (`sudo apt install network-manager-openvpn-gnome`)
* Download an OVPN file
* Open the Network tool
* Click the "+" button
* Select "Import from file..."
* Navigate to OVPN file, select it and click "Open" (an "Add VPN" window will appear)
* Fill in VPN credentials:
  * Type (Automatic: "Password with certificates")
  * User name
  * Password
  * Certificates and key (Automatic: files imported from OVPN file)
  * Do not fill in "User key password" (not required)
* Click "Add"
* Activate VPN connection 1: Activate from GNOME desktop
* Activate VPN connection 2: Activate with nmcli: `sudo nmcli connection up CONNECTION_NAME`
* Activate VPN connection 3: Activate with openvpn: `sudo openvpn --config FILENAME.ovpn`

**What should happen:**

* VPN connection succeeds all three times.

**What happens instead:**

* Activate VPN connection 1: Immediately fails. No error message.
* Activate VPN connection 2: Fails with "Error: Connection activation failed: Unknown reason"
* Activate VPN connection 3: Succeeds. (correct)

**Notes:**

* Since the OpenVPN connection succeeds, we know there isn't a problem with the OVPN file.
* `nmcli --version` returns `nmcli tool, version 1.10.2` on my up-to-date PureOS installation.
* Opening the VPN connection in the GUI, I can see that the private key field is no longer filled in. If I fill it in, apply and open the connection again, it remains not filled in.
* Could this be a regression of https://bugzilla.gnome.org/show_bug.cgi?id=620896
* Checking /var/log/syslog for additional error messages, I found...

```
Feb 7 16:43:09 librem15 NetworkManager[1032]: <info> [1518014589.0625] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: Saw the service appear; activating connection
Feb 7 16:43:12 librem15 NetworkManager[1032]: <info> [1518014592.2706] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN plugin: state changed: starting (3)
Feb 7 16:43:12 librem15 nm-openvpn[12603]: Options error: If you use one of --cert or --key, you must use them both
Feb 7 16:43:12 librem15 nm-openvpn[12603]: Use --help for more information.
Feb 7 16:43:12 librem15 NetworkManager[1032]: <info> [1518014592.2746] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN connection: (ConnectInteractive) reply received
Feb 7 16:43:12 librem15 NetworkManager[1032]: <warn> [1518014592.2867] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN plugin: failed: connect-failed (1)
Feb 7 16:43:12 librem15 NetworkManager[1032]: <warn> [1518014592.2871] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN plugin: failed: connect-failed (1)
Feb 7 16:43:12 librem15 NetworkManager[1032]: <info> [1518014592.2871] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN plugin: state changed: stopping (5)
Feb 7 16:43:12 librem15 NetworkManager[1032]: <info> [1518014592.2872] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN plugin: state changed: stopped (6)
Feb 7 16:43:12 librem15 NetworkManager[1032]: <info> [1518014592.2904] vpn-connection[0x5640fcaec840,4d038cae-f34b-4625-b015-e014f301023e,"purist",0]: VPN service disappeared
```

**Installed packages (PureOS, based on Debian Testing):**

* libc6: 2.26-4
* libglib2.0-0: 2.54.3-2
* libglib2.0-data: 2.54.3-2
* libgtk-3-0: 3.22.26-2
* libnm0: 1.10.2-4
* libnma0: 1.8.10-2
* libsecret-1-0: 0.18.5-5
* libsecret-common: 0.18.5-5
* network-manager: 1.10.2-4
* network-manager-openvpn: 1.8.0-2
* network-manager-openvpn-gnome: 1.8.0-2
* openvpn: 2.4.4-2
Downstream (PureOS) issue: https://tracker.pureos.net/T323
>> Options error: If you use one of --cert or --key, you must use them both

What does your ovpn file look like, and how does it look after import (that is, the output of `nmcli connection show "$NAME"`)?
Created attachment 368257: Example of failing OVPN file (redacted)
Created attachment 368258: nmcli output after OVPN file is imported (redacted)
Created attachment 368259: nmcli output after adding username and password via the GUI (redacted)
I've added redacted versions of:

* the OVPN file
* nmcli output after importing the OVPN with nmcli
* nmcli output after setting the username and password in the GUI

If I import the OVPN with the GUI (and set the username and password at the same time), the output is the same.
After import, both "cert" and "key" are set. So, it's unclear where the error

```
Options error: If you use one of --cert or --key, you must use them both
```

comes from.

Can you enable debug logging of the plugin? You do so by setting TRACE level for the VPN_PLUGIN logging domain. For example, via

```
[logging]
level=TRACE
domains=ALL,VPN_PLUGIN
```

in NetworkManager.conf (and start NM), or

`sudo nmcli general logging domains ALL:KEEP,VPN_PLUGIN:TRACE`

Afterwards, re-activate the connection and see why openvpn failed. Maybe post relevant parts of the logfile, be cautious about sensitive data.
This downstream report suggests that the issue is resolved in the latest (unreleased) version https://bugs.archlinux.org/task/55785
Attempted:

```
sudo nmcli general logging domains ALL:KEEP,VPN_PLUGIN:TRACE
sudo nmcli connection up --ask my_tunnel
```

Relevant logs from /var/log/syslog:

```
Mar 6 13:54:43 mail NetworkManager[1109]: nm-openvpn[29947] <debug> connection -------------------------------------
Mar 6 13:54:43 mail NetworkManager[1109]: connection
Mar 6 13:54:43 mail NetworkManager[1109]: #011id : "my_tunnel" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011uuid : "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011interface-name : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011type : "vpn" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011permissions : [] (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011autoconnect : TRUE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011autoconnect-priority : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011autoconnect-retries : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011timestamp : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011read-only : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011zone : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011master : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011slave-type : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011secondaries : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011gateway-ping-timeout : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011lldp : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011stable-id : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011auth-retries : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: ipv6
Mar 6 13:54:43 mail NetworkManager[1109]: #011method : "auto" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns : [] (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-search : [] (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-options : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-priority : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011addresses : ((GPtrArray*) 0x556e0a91b400) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011gateway : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011routes : ((GPtrArray*) 0x556e0a91b420) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011route-metric : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011route-table : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011ignore-auto-routes : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011ignore-auto-dns : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-hostname : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-send-hostname : TRUE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011never-default : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011may-fail : TRUE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dad-timeout : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-timeout : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011addr-gen-mode : 1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011token : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: proxy
Mar 6 13:54:43 mail NetworkManager[1109]: #011method : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011browser-only : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011pac-url : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011pac-script : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: vpn
Mar 6 13:54:43 mail NetworkManager[1109]: #011service-type : "org.freedesktop.NetworkManager.openvpn" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011user-name : "root" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011persistent : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011data : ((GHashTable*) 0x7f5498006de0) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011secrets : ((GHashTable*) 0x7f54980076a0) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011timeout : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: ipv4
Mar 6 13:54:43 mail NetworkManager[1109]: #011method : "auto" (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns : [] (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-search : [] (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-options : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dns-priority : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011addresses : ((GPtrArray*) 0x556e0a91b4e0) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011gateway : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011routes : ((GPtrArray*) 0x556e0a91b500) (s)
Mar 6 13:54:43 mail NetworkManager[1109]: #011route-metric : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011route-table : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011ignore-auto-routes : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011ignore-auto-dns : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-hostname : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-send-hostname : TRUE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011never-default : FALSE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011may-fail : TRUE (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dad-timeout : -1 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-timeout : 0 (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-client-id : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: #011dhcp-fqdn : NULL (sd)
Mar 6 13:54:43 mail NetworkManager[1109]: nm-openvpn[29947] <debug> EXEC: '/usr/sbin/openvpn --remote vpn.example.com 1194 udp --comp-lzo adaptive --nobind --dev tun --cipher AES-256-CBC --auth-nocache --tls-auth /home/username/.cert/nm-openvpn/my_tunnel-tls-auth.pem 1 --verify-x509-name vpn.example.com name --remote-cert-tls server --reneg-sec 0 --verb 10 --syslog nm-openvpn --script-security 2 --up /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 7 29947 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_17 --tun -- --up-restart --persist-key --persist-tun --management /var/run/NetworkManager/nm-openvpn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unix --management-client-user root --management-client-group root --management-query-passwords --auth-retry interact --route-noexec --ifconfig-noexec --client --ca /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --cert /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --auth-user-pass --user nm-openvpn --group nm-openvpn --chroot /var/lib/openvpn/chroot'
Mar 6 13:54:43 mail NetworkManager[1109]: nm-openvpn[29947] <info> openvpn[29988] started
Mar 6 13:54:43 mail NetworkManager[1109]: <info> [1520337283.2980] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN plugin: state changed: starting (3)
Mar 6 13:54:43 mail NetworkManager[1109]: <info> [1520337283.2981] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN connection: (ConnectInteractive) reply received
Mar 6 13:54:43 mail nm-openvpn[29988]: Options error: If you use one of --cert or --key, you must use them both
Mar 6 13:54:43 mail nm-openvpn[29988]: Use --help for more information.
Mar 6 13:54:43 mail NetworkManager[1109]: nm-openvpn[29947] <warn> openvpn[29988] exited with error code 1
Mar 6 13:54:43 mail NetworkManager[1109]: <warn> [1520337283.3039] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN plugin: failed: connect-failed (1)
Mar 6 13:54:43 mail NetworkManager[1109]: <warn> [1520337283.3039] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN plugin: failed: connect-failed (1)
Mar 6 13:54:43 mail NetworkManager[1109]: <info> [1520337283.3039] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN plugin: state changed: stopping (5)
Mar 6 13:54:43 mail NetworkManager[1109]: <info> [1520337283.3040] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN plugin: state changed: stopped (6)
Mar 6 13:54:43 mail NetworkManager[1109]: <info> [1520337283.3065] vpn-connection[0x999999999999,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,"my_tunnel",0]: VPN service disappeared
```
```
nm-openvpn[29947] <debug> EXEC: '/usr/sbin/openvpn --remote vpn.example.com 1194 udp --comp-lzo adaptive --nobind --dev tun --cipher AES-256-CBC --auth-nocache --tls-auth /home/username/.cert/nm-openvpn/my_tunnel-tls-auth.pem 1 --verify-x509-name vpn.example.com name --remote-cert-tls server --reneg-sec 0 --verb 10 --syslog nm-openvpn --script-security 2 --up /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 7 29947 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_17 --tun -- --up-restart --persist-key --persist-tun --management /var/run/NetworkManager/nm-openvpn-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx unix --management-client-user root --management-client-group root --management-query-passwords --auth-retry interact --route-noexec --ifconfig-noexec --client --ca /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --cert /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --auth-user-pass --user nm-openvpn --group nm-openvpn --chroot /var/lib/openvpn/chroot'
[snip]
Options error: If you use one of --cert or --key, you must use them both
```

The file in comment 5 no longer specifies a "key". Seems to have got broken by editing it in the GUI.

Seems fixed by https://git.gnome.org/browse/network-manager-openvpn/commit/?id=b83f028a6da067dcc9b31555c15411f0288ebda1
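The check made by eye in the comment above, written as an added example (not part of the original thread and not NetworkManager code): it pulls the `EXEC:` line that nm-openvpn logs at TRACE level out of syslog text and reports a `--cert`/`--key` mismatch, plus the case visible in this log where `--cert` and `--ca` name the same file. The function names and the shortened sample log are assumptions made for the example.

```python
import re

# Constructed sample: shortened EXEC lines in the format shown in this report,
# the first with --cert but no --key, the second with both.
SAMPLE_LOG = """\
Mar 6 13:54:43 mail NetworkManager[1109]: nm-openvpn[29947] <debug> EXEC: '/usr/sbin/openvpn --remote vpn.example.com 1194 udp --client --ca /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --cert /home/username/.cert/nm-openvpn/my_tunnel-ca.pem --auth-user-pass --user nm-openvpn'
Mar 6 13:54:43 mail nm-openvpn[29988]: Options error: If you use one of --cert or --key, you must use them both
Mar 6 14:10:02 mail NetworkManager[1109]: nm-openvpn[30111] <debug> EXEC: '/usr/sbin/openvpn --remote vpn.example.com 1194 udp --client --ca /tmp/ca.pem --cert /tmp/user.pem --key /tmp/user.key --auth-user-pass'
"""

EXEC_RE = re.compile(r"nm-openvpn\[\d+\]\s+<debug>\s+EXEC: '(?P<cmd>.*)'\s*$")


def parse_options(cmdline):
    """Map each --option to the list of words that follow it.

    The log line has lost the original argv quoting, so this is a plain
    whitespace split; a bare "--" is treated as an argument, not an option.
    """
    opts, current = {}, None
    for tok in cmdline.split()[1:]:  # skip the openvpn binary path
        if tok.startswith("--") and len(tok) > 2:
            current = tok
            opts.setdefault(current, [])
        elif current is not None:
            opts[current].append(tok)
    return opts


def check_cmdline(cmdline):
    """Return findings for one logged openvpn command line."""
    opts = parse_options(cmdline)
    findings = []
    has_cert, has_key = "--cert" in opts, "--key" in opts
    if has_cert != has_key:
        findings.append("missing " + ("--key" if has_cert else "--cert"))
    if has_cert and opts["--cert"] and opts["--cert"] == opts.get("--ca"):
        findings.append("--cert and --ca point to the same file")
    return findings


def scan_log(text):
    """Check every EXEC line in the given syslog text, in order."""
    return [check_cmdline(m.group("cmd"))
            for m in map(EXEC_RE.search, text.splitlines()) if m]
```
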
yeah, quite likely the same issue. closing as duplicate.

Thanks David

*** This bug has been marked as a duplicate of bug 788226 ***