unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
* Getting network-manager-openconnect to work
@ 2020-04-22 12:25 divan
  0 siblings, 0 replies; 7+ messages in thread
From: divan @ 2020-04-22 12:25 UTC (permalink / raw)
  To: Help guix

Hi Guixers,

There is also a bug report about this query.

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=37369

I'm not having any luck getting network-manager-openconnect to work for
me.

For one, using nm-connection-editor on cli or via exwm program launcher,
and creating a new connection tells me:

Insufficient privileges

Apr 12 21:32:20 swift NetworkManager[385]: <info>  [1586719940.8362] audit: op="connection-add" pid=2616 uid=1000 result="fail" reason="Insufficient privileges."

$ id
uid=1000(ds) gid=998(users) groups=998(users),972(docker),975(libvirt),978(adbusers),984(kvm),986(cdrom),989(lp),990(netdev),991(audio),992(video),993(input),999(wheel)

Full system config is pasted below[1].

My groups appear fine. Perhaps some issue with polkit?

polkit is running though.

polkitd    864     1  0 12:33 ?        00:00:00 /gnu/store/mw57n9nj3y20bfm9ijcbpm16gpsik6sg-polkit-0.116/lib/polkit-1/polkitd --no-debug

Not sure if it's the way my desktop is started with exwm.

I am able to up / down connections via "nmcli con up id" and without
sudo.

I know others have sometimes complained about network manager
permissions as a user. It seems it works for some but not others.

Secondly, upping a openconnect network manager connection file which is
known to work on another distro results in this:

$ nmcli con up id my-vpn-2fa --ask
Error: openconnect failed: Could not find "openconnect" binary
A password is required to connect to 'my-vpn-2fa.
Gateway (vpn.secrets.gateway):

I notice that after about a minute the GUI form pops up. I then prompts
me for my 2FA meaning it passed the 1st authentication bit. After I
approve, it then dissapears and seems to disconnect.

Apr 12 21:18:38 swift NetworkManager[360]: <info>  [1586719118.6929] agent-manager: req[0x1043510, :1.159/nmcli-connect/1000]: agent registered
Apr 12 21:18:38 swift NetworkManager[360]: <info>  [1586719118.6976] audit: op="connection-activate" uuid="40441d34-5290-4631-8796-5fb57d0f1bf2" name="vpn-fnb-2fa" pid=12530 uid=1000 result="success"
Apr 12 21:18:38 swift NetworkManager[360]: <info>  [1586719118.7034] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Started the VPN service, PID 12536
Apr 12 21:18:38 swift NetworkManager[360]: <info>  [1586719118.7117] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Saw the service appear; activating connection
Apr 12 21:20:33 swift NetworkManager[360]: <info>  [1586719233.2173] settings-connection[0xecac80,40441d34-5290-4631-8796-5fb57d0f1bf2]: write: successfully committed (keyfile: update /etc/NetworkManager/system-connections/vpn-fnb-2fa (40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa"))
Apr 12 21:20:33 swift NetworkManager[360]: <error> [1586719233.2192] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: final secrets request failed to provide sufficient secrets
Apr 12 21:20:33 swift NetworkManager[360]: <info>  [1586719233.2234] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: VPN plugin: state changed: stopped (6)

Creating a new connecting via sudo and the starting it results in the
same.

Any idea?

[1]: (trimmed slightly)

--8<---------------cut here---------------start------------->8---
(use-modules
 (gnu)
 (gnu packages admin)
 (gnu packages android)                 ;for android-udev-rules
 (gnu packages certs)
 (gnu packages cups)
 (gnu packages gnome)
 (gnu packages gnupg)
 (gnu packages haskell-apps)
 (gnu packages linux)
 (gnu packages shells)
 (gnu packages suckless)
 (gnu packages virtualization)
 (gnu packages wm)
 (gnu packages xorg)
 (gnu services avahi)
 (gnu services cups)
 (gnu services desktop)
 (gnu services dns)
 (gnu services docker)
 (gnu services monitoring)
 (gnu services networking)
 (gnu services pm)
 (gnu services shepherd)
 (gnu services sound)
 (gnu services ssh)
 (gnu services sysctl)
 (gnu services virtualization)
 (gnu services xorg)
 (gnu system nss)
 (gnu system shadow)                    ;for user-group
 (guix build-system trivial)
 (guix download)                        ;for url-fetch
 (guix git-download)
 (guix packages)                        ;for origin
 (nongnu packages linux)
 (srfi srfi-1)                          ;for 'remove'
 )

(define %extra-linux-modules
  '("fuse"                      ; for sshfs
    "nbd"                       ; to mount qcow2 images
    ))

(operating-system
 (host-name "swift")
 (timezone "Africa/Johannesburg")
 (locale "en_US.utf8")
 (locale-libcs (list glibc-2.28 (canonical-package glibc)))

 (hosts-file (local-file "/home/ds/src/ds-config/.config/guix/etc/hosts"))
 (sudoers-file (local-file "/home/ds/src/ds-config/.config/guix/etc/sudoers"))

 (kernel-arguments
  (list
   (string-append "resume_offset=106602496")
   (string-append "modprobe.blacklist=" "pcspkr,snd_pcsp")
   (string-append "net.ifnames=0")
   (string-append "kvm_intel.nested=1")))

 (kernel linux-4.19)
 (firmware (cons* linux-firmware %base-firmware))

 (initrd (lambda (fs . args)
           (apply base-initrd fs
                  #:extra-modules %extra-linux-modules
                  args)))

 (bootloader (bootloader-configuration
              (bootloader grub-efi-bootloader)
              (target "/boot/efi")
              ))

 (mapped-devices (list (mapped-device
                        (source (uuid "3e7beb3b-1037-4ee8-9048-5e048afafbd0"))
                        (target "crypt")
                        (type luks-device-mapping))))

 (file-systems (cons* (file-system
                       (device "/dev/nvme0n1p1")
                       (type "msdos")
                       (mount-point "/boot/efi"))
                      (file-system
                       (device "/dev/mapper/crypt")
                       (mount-point "/")
                       (type "ext4")
                       (dependencies mapped-devices))
                      %base-file-systems))

 (swap-devices '("/mnt/swapfile"))

 (users (cons (user-account
               (name "ds")
               (comment "Divan Santana")
               (group "users")
               (supplementary-groups
                '("adbusers"            ;for adb
                  "wheel" "kvm" "audio" "video" "lp"
                  "docker"
                  "libvirt"
                  "input"
                  ;; "lpadmin"
                  "cdrom" "netdev"))
               (home-directory "/home/ds"))
              %base-user-accounts))

 (groups (cons (user-group (system? #t) (name "adbusers"))
               %base-groups))

 (packages
  (append (map specification->package
               '(
                 "bash-completion"
                 "binutils"
                 "bridge-utils"
                 "dmidecode"
                 "dnsmasq"
                 "docker"
                 "docker-cli"
                 "docker-compose"
                 "dosfstools"
                 "dtach"
                 "ethtool"
                 "font-adobe-source-code-pro"
                 "font-adobe-source-sans-pro"
                 "font-adobe-source-serif-pro"
                 "font-adobe100dpi"
                 "font-adobe75dpi"
                 "font-awesome"
                 "font-bitstream-vera"
                 "font-dejavu"
                 "font-fantasque-sans"
                 "font-fira-code"
                 "font-fira-mono"
                 "font-fira-sans"
                 "font-gnu-freefont-ttf"
                 "font-google-roboto"
                 "font-hack"
                 "font-inconsolata"
                 "font-iosevka"
                 "font-liberation"
                 "font-misc-misc"
                 "font-tamzen"
                 "font-ubuntu"
                 ;; "font-symbola" ;; missing
                 "git"
                 ;; "arc-theme" ;; fixme, should be in core only
                 "gnome-themes-standard" ;; fixme, should be in core only
                 "iptables"
                 "light"
                 "lsof"
                 "mlocate"
                 "mobile-broadband-provider-info"
                 "modem-manager"
                 "neovim"
                 "netcat"
                 "network-manager-applet"
                 "network-manager-openconnect"
                 "network-manager-vpnc"
                 "net-tools"
                 "nss" ;; FIXME: is not providing certutil
                 "nss-certs"
                 "ntfs-3g"
                 "openconnect"
                 "openssh"
                 "parted"
                 "qemu"
                 "rsync"
                 "setxkbmap"
                 "slock"
                 "usb-modeswitch"
                 "usb-modeswitch-data"
                 "udiskie"
                 "xcape"
                 "xdotool" ;; simulate keyboard/mouse presses
                 "xev"
                 "xf86-input-libinput"
                 "xf86-input-synaptics"
                 "xf86-input-wacom"
                 "xf86-video-fbdev"
                 "xinit"
                 "xmodmap"
                 "xorg-server"
                 "xrandr"
                 "xrdb"
                 "xsel"
                 "xset"
                 "kmonad"
                 "xss-lock"
                 "xterm"
                 "xf86-video-intel"
                 ))
          %base-packages))

 (setuid-programs (cons (file-append qemu "/libexec/qemu-bridge-helper")
                        %setuid-programs))

 (services (cons*

            (service openssh-service-type
                     (openssh-configuration
                      (port-number 8444)
                      (permit-root-login 'without-password)
                      ))

            (service tor-service-type)

            (simple-service 'store-my-config
                            etc-service-type
                            `(("config.scm"
                               ,(local-file (assoc-ref
                                             (current-source-location)
                                             'filename)))))

            (service cups-service-type
                     (cups-configuration
                      (web-interface? #t)
                      (extensions
                       (list cups-filters hplip))))

            (screen-locker-service slock "slock")

            (service tlp-service-type
                     (tlp-configuration
                      ;; TODO: enable autosuspend and blacklist certian
                      ;; usb devices.
                      (usb-autosuspend? #f)))

            (service thermald-service-type)

            (service gpm-service-type)
            (service docker-service-type)

            (service libvirt-service-type
                     (libvirt-configuration
                      (unix-sock-group "libvirt")))

            (service virtlog-service-type)

            (service sysctl-service-type
                     (sysctl-configuration
                      (settings '(
                                  ("net.ipv4.ip_forward" . "1")
                                  ("vm.swappiness" . "05")
                                  ))))

            (extra-special-file "/usr/bin/env"
                                (file-append coreutils "/bin/env"))

            firewall-service

          (service prometheus-node-exporter-service-type
                   (prometheus-node-exporter-configuration
                     (web-listen-address ":9100")))

            (service slim-service-type
                     (slim-configuration
                      (auto-login? #t)
                      (default-user "ds")
                      ;; (auto-login-session #f)
                      (xorg-configuration
                       (xorg-configuration
                        (drivers '("modesetting"))
                       ))
                       ))

            (remove (lambda (service)
                      (eq? (service-kind service) avahi-service-type))
                    (remove (lambda (service)
                              (eq? (service-kind service) gdm-service-type))

                            (modify-services %desktop-services
                                             (network-manager-service-type
                                              config => (network-manager-configuration
                                                         (inherit config)
                                                         (dns "dnsmasq")
                                                         (vpn-plugins (list network-manager-openconnect))
                                                         ))
                                             (udev-service-type
                                              config => (udev-configuration
                                                         (inherit config)
                                                         (rules (append (udev-configuration-rules config)
                                                                        (list %backlight-udev-rule android-udev-rules kmonad)))))
                                             (login-service-type
                                              config => (login-configuration
                                                         (inherit config)
                                                         (motd %motd)))))))))
--8<---------------cut here---------------end--------------->8---

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Getting network-manager-openconnect to work
@ 2019-09-10  9:57 Divan Santana
  2019-09-10 11:21 ` pelzflorian (Florian Pelz)
  0 siblings, 1 reply; 7+ messages in thread
From: Divan Santana @ 2019-09-10  9:57 UTC (permalink / raw)
  To: Help guix

Hi Guix,

I'm glad openconnect and network-manager-openconnect are now in Guix!

It would be nice to get it to work via network-manager, though I suppose
it's not essential.

Using openconnect directly works for me.

$ sudo openconnect vpn.somewhere.com

Trying to get it work via network-manager gives an error like so:

$ sudo nmcli con up vpn-fnb --ask
Error: openconnect failed: Could not find "openconnect" binary
A password is required to connect to 'vpn-fnb'.
Gateway (vpn.secrets.gateway):

Even though my services configuration has this vpn-plugins set.

(modify-services %desktop-services
                 (network-manager-service-type
                  config => (network-manager-configuration
                             (inherit config)
                             (dns "dnsmasq")
                             (vpn-plugins (list network-manager-openconnect))
                             ))

Anyone else seen this?

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2020-04-22 12:26 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-22 12:25 Getting network-manager-openconnect to work divan
  -- strict thread matches above, loose matches on Subject: below --
2019-09-10  9:57 Divan Santana
2019-09-10 11:21 ` pelzflorian (Florian Pelz)
2019-09-11 20:46   ` Ludovic Courtès
2019-09-12  5:34     ` pelzflorian (Florian Pelz)
2019-09-16 15:57       ` Ludovic Courtès
2019-09-16 16:06         ` pelzflorian (Florian Pelz)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).