[Pkg-utopia-maintainers] Bug#748072: [network-manager-openvpn] No internet connection with nm-openvpn

dispatcher dispatcher at cmail.nu
Tue May 13 22:17:19 UTC 2014


Package: network-manager-openvpn
Version: 0.9.8.4-2
Severity: normal

--- Please enter the report below this line. ---


After the Heartbleed vulnerability was discovered, my vpn provider
changed their configuration: they now use tls-auth and 4096-bit RSA
and DH keys (cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA).
After this upgrade I can connect to the vpn server with kde-nm-frontend
but I have no internet connection inside the tunnel. (The logs are 1
month old, but nothing has changed in the meantime).

At first I could not connect to the server at all. This is the system
log after initiating connection from the frontend:

14/04/2014 23:29:33    hostname	    NetworkManager[2898]    <info>
Starting VPN service 'openvpn'...
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 5101
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
service 'openvpn' appeared; activating connections
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
plugin state changed: starting (3)
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
connection 'AirVPN_Romania_UDP-443' (Connect) reply received.
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <warn> VPN
plugin failed: 1
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
plugin state changed: stopped (6)
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> VPN
plugin state change reason: 0
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> Policy
set 'ZZZ' (wlan0) as default for IPv4 routing and DNS.
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <error>
[1397510973.305198] [nm-system.c:1266]
nm_system_replace_default_ip6_route(): (wlan0): failed to set IPv6
default route: -7
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <info> Policy
set 'ZZZ' (wlan0) as default for IPv6 routing and DNS.
14/04/2014 23:29:33	 hostname	    NetworkManager[2898]    <warn> error
disconnecting VPN: Could not process the request because no VPN
connection was active.
14/04/2014 23:29:38	 hostname	    NetworkManager[2898]    <info> VPN
service 'openvpn' disappeared

I discovered that the frontend doesn't respect the lzo-compression
setting from the imported config file (it sets it to "enabled"). So I
disabled it and was able to establish a connection to the vpn server,
however I had no connection to the internet inside the tunnel.
Log:

14/04/2014 22:49:44	 hostname	    NetworkManager[2890]    <info>
Starting VPN service 'openvpn'...
14/04/2014 22:49:44	 hostname	    NetworkManager[2890]    <info> VPN
service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7026
14/04/2014 22:49:44	 hostname	    NetworkManager[2890]    <info> VPN
service 'openvpn' appeared; activating connections
14/04/2014 22:49:44	 hostname	    NetworkManager[2890]    <info> VPN
plugin state changed: starting (3)
14/04/2014 22:49:44	 hostname	    NetworkManager[2890]    <info> VPN
connection 'AirVPN_Romania_UDP-443' (Connect) reply received.
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    OpenVPN 2.3.2
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia]
[MH] [IPv6] built on Mar 17 2014
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    WARNING: No
server certificate verification method has been enabled.  See
http://openvpn.net/howto.html#mitm for more info.
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    WARNING: file
'/home/administrator/AirVPN/user.key' is group or others accessible
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    WARNING: file
'/home/administrator/AirVPN/ta.key' is group or others accessible
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    Control Channel
Authentication: using '/home/administrator/AirVPN/ta.key' as a OpenVPN
static key file
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    UDPv4 link local:
[undef]
14/04/2014 22:49:44	 hostname	    nm-openvpn[7029]	    UDPv4 link
remote: [AF_INET]109.163.230.232:443
14/04/2014 22:49:47	 hostname	    dhclient	    DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 20
14/04/2014 22:49:55	 hostname	    nm-openvpn[7029]	    WARNING:
'link-mtu' is used inconsistently, local='link-mtu 1557',
remote='link-mtu 1558'
14/04/2014 22:49:55	 hostname	    nm-openvpn[7029]	    WARNING:
'comp-lzo' is present in remote config but missing in local config,
remote='comp-lzo'
14/04/2014 22:49:58	 hostname	    nm-openvpn[7029]	    [server] Peer
Connection Initiated with [AF_INET]109.163.230.232:443
14/04/2014 22:50:01	 hostname	    nm-openvpn[7029]	    TUN/TAP device
tun0 opened
14/04/2014 22:50:01	 hostname	    nm-openvpn[7029]	
/usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1557
10.4.30.78 10.4.30.77 init
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <warn>
/sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]	
SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0,
iface: tun0)
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]	
SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0,
iface: tun0): no ifupdown configuration found.
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info> VPN
connection 'AirVPN_Romania_UDP-443' (IP4 Config Get) reply received from
old-style plugin.
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info> VPN
Gateway: 109.163.230.232
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info> Tunnel
Device: tun0
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info> IPv4
configuration:
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Internal Gateway: 10.4.30.77
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Internal Address: 10.4.30.78
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Internal Prefix: 32
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Internal Point-to-Point Address: 10.4.30.77
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Maximum Segment Size (MSS): 0
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Static Route: 10.4.0.1/32   Next Hop: 10.4.0.1
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Forbid Default Route: no
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>
Internal DNS: 10.4.0.1
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info>   DNS
Domain: '(none)'
14/04/2014 22:50:01	 hostname	    NetworkManager[2890]    <info> No IPv6
configuration
14/04/2014 22:50:01	 hostname	    nm-openvpn[7029]	    Initialization
Sequence Completed
14/04/2014 22:50:02	 hostname	    NetworkManager[2890]    <info> VPN
connection 'AirVPN_Romania_UDP-443' (IP Config Get) complete.
14/04/2014 22:50:02	 hostname	    NetworkManager[2890]    <info> Policy
set 'AirVPN_Romania_UDP-443' (tun0) as default for IPv4 routing and DNS.
14/04/2014 22:50:02	 hostname	    NetworkManager[2890]    <error>
[1397508602.543640] [nm-system.c:1266]
nm_system_replace_default_ip6_route(): (wlan0): failed to set IPv6
default route: -7
14/04/2014 22:50:02	 hostname	    NetworkManager[2890]    <info> Policy
set 'ZZZ' (wlan0) as default for IPv6 routing and DNS.
14/04/2014 22:50:02	 hostname	    dbus[2837]	  [system] Activating
service name='org.freedesktop.nm_dispatcher' (using servicehelper)
14/04/2014 22:50:02	 hostname	    NetworkManager[2890]    <info> VPN
plugin state changed: started (4)
14/04/2014 22:50:02	 hostname	    dbus[2837]	  [system] Successfully
activated service 'org.freedesktop.nm_dispatcher'
14/04/2014 22:50:05	 hostname	    nm-dispatcher.action    Script
'/etc/NetworkManager/dispatcher.d/01ifupdown' took too long; killing it.
14/04/2014 22:50:05	 hostname	    NetworkManager[2890]    <warn>
Dispatcher script timed out: Script
'/etc/NetworkManager/dispatcher.d/01ifupdown' timed out.
14/04/2014 22:50:07	 hostname	    dhclient	    DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 11
14/04/2014 22:50:11	 hostname	    nm-openvpn[7029]	    write to TUN/TAP
: Invalid argument (code=22)
14/04/2014 22:50:18	 hostname	    dhclient	    DHCPDISCOVER on eth0 to
255.255.255.255 port 67 interval 5
14/04/2014 22:50:21	 hostname	    nm-openvpn[7029]	    write to TUN/TAP
: Invalid argument (code=22)
14/04/2014 22:50:23	 hostname	    dhclient	    No DHCPOFFERS received.
14/04/2014 22:50:23	 hostname	    dhclient	    No working leases in
persistent database - sleeping.
14/04/2014 22:50:31	 hostname	    nm-openvpn[7029]	    write to TUN/TAP
: Invalid argument (code=22)


I was advised to run openvpn manually in the terminal. Result: I was
able to establish a vpn connection and I had an internet connection
inside the tunnel.
Log:

administrator at hostname:~/AirVPN$ sudo openvpn ~/AirVPN/AirVPN_Romania_UDP-443.ovpn
Mon Apr 14 23:38:09 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar
17 2014
Mon Apr 14 23:38:09 2014 WARNING: file 'user.key' is group or others
accessible
Mon Apr 14 23:38:09 2014 WARNING: file 'ta.key' is group or others
accessible
Mon Apr 14 23:38:09 2014 Control Channel Authentication: using 'ta.key'
as a OpenVPN static key file
Mon Apr 14 23:38:09 2014 Outgoing Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:09 2014 Incoming Control Channel Authentication: Using
160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:09 2014 Socket Buffers: R=[212992->131072]
S=[212992->131072]
Mon Apr 14 23:38:09 2014 UDPv4 link local: [undef]
Mon Apr 14 23:38:09 2014 UDPv4 link remote: [AF_INET]109.163.230.232:443
Mon Apr 14 23:38:09 2014 TLS: Initial packet from
[AF_INET]109.163.230.232:443, sid=ef7a6c26 bc89ef18
Mon Apr 14 23:38:10 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia,
O=airvpn.org, CN=airvpn.org CA, emailAddress=info at airvpn.org
Mon Apr 14 23:38:10 2014 Validating certificate key usage
Mon Apr 14 23:38:10 2014 ++ Certificate has key usage  00a0, expects 00a0
Mon Apr 14 23:38:10 2014 VERIFY KU OK
Mon Apr 14 23:38:10 2014 Validating certificate extended key usage
Mon Apr 14 23:38:10 2014 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
Mon Apr 14 23:38:10 2014 VERIFY EKU OK
Mon Apr 14 23:38:10 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia,
O=airvpn.org, CN=server, emailAddress=info at airvpn.org
Mon Apr 14 23:38:17 2014 Data Channel Encrypt: Cipher 'AES-256-CBC'
initialized with 256 bit key
Mon Apr 14 23:38:17 2014 Data Channel Encrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:17 2014 Data Channel Decrypt: Cipher 'AES-256-CBC'
initialized with 256 bit key
Mon Apr 14 23:38:17 2014 Data Channel Decrypt: Using 160 bit message
hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:17 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3
DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Apr 14 23:38:17 2014 [server] Peer Connection Initiated with
[AF_INET]109.163.230.232:443
Mon Apr 14 23:38:19 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Apr 14 23:38:19 2014 PUSH: Received control message:
'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo
no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig
10.4.30.78 10.4.30.77'
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: LZO parms modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: route options modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified
Mon Apr 14 23:38:19 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0
IFACE=wlan0 HWADDR=00:26:c7:94:96:ec
Mon Apr 14 23:38:19 2014 TUN/TAP device tun0 opened
Mon Apr 14 23:38:19 2014 TUN/TAP TX queue length set to 100
Mon Apr 14 23:38:19 2014 do_ifconfig, tt->ipv6=0,
tt->did_ifconfig_ipv6_setup=0
Mon Apr 14 23:38:19 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Apr 14 23:38:19 2014 /sbin/ip addr add dev tun0 local 10.4.30.78
peer 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 109.163.230.232/32 via
192.168.1.1
Mon Apr 14 23:38:19 2014 /sbin/ip route add 0.0.0.0/1 via 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 128.0.0.0/1 via 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 10.4.0.1/32 via 10.4.30.77
Mon Apr 14 23:38:19 2014 Initialization Sequence Completed


SUMMARY:
I am not sure if it's a problem with network-manager or its kde
frontend, but the only way to have an internet connection is to use
openvpn from the command line.


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.13-1-amd64

Debian Release: jessie/sid
  500 testing         security.debian.org
  500 testing         ftp.pl.debian.org
  400 unstable        ftp.pl.debian.org

--- Package information. ---
Depends                 (Version) | Installed
=================================-+-=============
libc6                    (>= 2.4) |
libdbus-1-3            (>= 1.0.2) |
libdbus-glib-1-2        (>= 0.78) |
libglib2.0-0          (>= 2.37.3) |
libnm-glib-vpn1      (>= 0.7.999) |
libnm-glib4          (>= 0.7.999) |
libnm-util2          (>= 0.8.998) |
openvpn              (>= 2.1~rc9) |


Package's Recommends field is empty.

Package's Suggests field is empty.
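
Added example (not part of the original report, and not code from NetworkManager or OpenVPN): a small Python triage script that scans nm-openvpn log output for the warnings visible in the second log above, namely missing server certificate verification, key files accessible to group or others, local/remote option mismatches, and TUN/TAP write failures. The sample input is constructed from lines in this report with the e-mail wrapping removed; the rule names are labels invented for this example.

```python
import re

# Constructed sample: nm-openvpn lines taken from the report's second log, unwrapped.
SAMPLE_LOG = """\
nm-openvpn[7029] WARNING: No server certificate verification method has been enabled.
nm-openvpn[7029] WARNING: file '/home/administrator/AirVPN/user.key' is group or others accessible
nm-openvpn[7029] WARNING: file '/home/administrator/AirVPN/ta.key' is group or others accessible
nm-openvpn[7029] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
nm-openvpn[7029] WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
nm-openvpn[7029] Initialization Sequence Completed
nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
"""

# Rule names are labels invented for this example; the patterns match OpenVPN's messages as logged above.
RULES = [
    ("no-server-cert-verification", re.compile(r"No server certificate verification method")),
    ("key-file-permissions", re.compile(r"file '(?P<detail>[^']+)' is group or others accessible")),
    ("option-mismatch", re.compile(
        r"'(?P<detail>[\w-]+)' is (?:used inconsistently"
        r"|present in (?:remote|local) config but missing in (?:local|remote) config)")),
    ("tun-write-failure", re.compile(r"write to TUN/TAP\s*: (?P<detail>.+)")),
]

def triage(log_text):
    """Return {rule_name: [detail, ...]} for every rule that matched a line."""
    findings = {}
    for line in log_text.splitlines():
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.setdefault(name, []).append(match.groupdict().get("detail") or "")
    return findings

def compression_mismatch_with_tun_errors(findings):
    """True when a comp-lzo mismatch and TUN/TAP write errors appear in the same log."""
    return ("comp-lzo" in findings.get("option-mismatch", [])
            and bool(findings.get("tun-write-failure")))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, details in result.items():
        print(f"{name}: {len(details)} hit(s) {[d for d in details if d]}")
    if compression_mismatch_with_tun_errors(result):
        print("comp-lzo differs between client and server and tun writes are failing")
```

Feed it unwrapped log lines: the copies in this e-mail are hard-wrapped, so a single message may span several lines.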


