all messages for Guix-related lists mirrored at yhetil.org
* openvpn with networkmanager
@ 2018-09-04 16:53 Benjamin Slade
  2018-09-09 10:25 ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Benjamin Slade @ 2018-09-04 16:53 UTC (permalink / raw)
  To: Guix-Help

I have the following definition in my config.scm, which I call in
defining the operating system:

````
(define %slade-desktop-services
  (modify-services %desktop-services
    (network-manager-service-type config =>
				  (network-manager-configuration
				   (inherit config)
				   (vpn-plugins (list network-manager-openvpn))))))
````

This does indeed enable the OpenVPN module of NetworkManager, but
NetworkManager doesn't automatically read in the *.ovpn files in
/etc/openvpn (which is probably expected), but moreover as an ordinary
user I'm not allowed to create them. Is the best thing to log in as root
and add these to NetworkManager?



-- 
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )


* Re: openvpn with networkmanager
  2018-09-04 16:53 openvpn with networkmanager Benjamin Slade
@ 2018-09-09 10:25 ` Ludovic Courtès
  2018-09-10  4:27   ` Benjamin Slade
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2018-09-09 10:25 UTC (permalink / raw)
  To: Benjamin Slade; +Cc: Guix-Help

Hi Benjamin,

Benjamin Slade <beoram@gmail.com> writes:

> I have the following definition in my config.scm, which I call in
> defining the operating system:
>
> ````
> (define %slade-desktop-services
>   (modify-services %desktop-services
>     (network-manager-service-type config =>
> 				  (network-manager-configuration
> 				   (inherit config)
> 				   (vpn-plugins (list network-manager-openvpn))))))
> ````
>
> This does indeed enable the OpenVPN module of NetworkManager, but
> NetworkManager doesn't automatically read in the *.ovpn files in
> /etc/openvpn (which is probably expected), but moreover as an ordinary
> user I'm not allowed to create them. Is the best thing to log in as root
> and add these to NetworkManager?

IIRC, NM has a tool to import OpenVPN config files, though it only
understands a subset of the syntax; you have to run it as root:

  sudo nmcli connection import type openvpn file /path/to/whatever.ovpn

Then I think something was broken with VPN support in NM, though I
forgot the details…

HTH,
Ludo’.


* Re: openvpn with networkmanager
  2018-09-09 10:25 ` Ludovic Courtès
@ 2018-09-10  4:27   ` Benjamin Slade
  2018-09-10 16:05     ` Adam Massmann
  0 siblings, 1 reply; 12+ messages in thread
From: Benjamin Slade @ 2018-09-10  4:27 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Guix-Help

Hi Ludo',

 > IIRC, NM has a tool to import OpenVPN config files, though it only
 > understands a subset of the syntax; you have to run it as root:

 >   sudo nmcli connection import type openvpn file /path/to/whatever.ovpn

 > Then I think something was broken with VPN support in NM, though I
 > forgot the details…

I was able to add an .ovpn openvpn file (the gui nm-connection-editor
also seems to work), and it shows up in the nm-applet, but when I try to
connect to it as a regular user nothing happens. (Though I've used NM
with VPN successfully on another distro.)

What is a recommended/working way of using OpenVPN on GuixSD?  

cheers,
  —Ben

-- 
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )


* Re: openvpn with networkmanager
  2018-09-10  4:27   ` Benjamin Slade
@ 2018-09-10 16:05     ` Adam Massmann
  2018-09-11  1:45       ` Benjamin Slade
                         ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Adam Massmann @ 2018-09-10 16:05 UTC (permalink / raw)
  To: Benjamin Slade; +Cc: Guix-Help

[-- Attachment #1: Type: text/plain, Size: 894 bytes --]

Hi Ben,

Benjamin Slade <slade@jnanam.net> writes:

>
> What is a recommended/working way of using OpenVPN on GuixSD?  

I do not know what the recommended way of working with
openvpn is, but I do have a working way. Attached is a bash
script that takes a wireless interface as an argument and
starts up a vpn, adjusting dns to avoid dns leaks (you will
need to modify to add the dns for your setup). So if I have
a wifi connection called "interface" I just run
```vpn-launcher-example.sh interface``` to start my vpn
session, and then ```vpn-killer-example.sh interface```
to clean up the connection after I have finished
openvpn. Also depending on your setup you might need to
either run as root, or sprinkle sudos before the nmcli
calls.

This works well for me, but I strongly doubt it is the
recommended way of using openvpn. If anyone has a better way
I'd also love to hear it.

Best,
Adam



[-- Attachment #2: vpn-launcher-example.sh --]
[-- Type: application/x-sh, Size: 599 bytes --]

[-- Attachment #3: vpn-killer-example.sh --]
[-- Type: application/x-sh, Size: 375 bytes --]


* Re: openvpn with networkmanager
  2018-09-10 16:05     ` Adam Massmann
@ 2018-09-11  1:45       ` Benjamin Slade
  2018-09-11  8:28       ` Julien Lepiller
  2019-01-08 20:48       ` Maxim Cournoyer
  2 siblings, 0 replies; 12+ messages in thread
From: Benjamin Slade @ 2018-09-11  1:45 UTC (permalink / raw)
  To: Adam Massmann; +Cc: Guix-Help

Thanks, Adam, I'll have to try this. It's hard to know how much of the
issues with NetworkManager+VPNs is a GuixSD-specific issue and how much
is just NetworkManager (on my Arch machine, I have to connect to openvpn
'by hand', it won't connect through NetworkManager; but on my
Bedrock/pieces-from-a-bunch-of-different-distros machine, OpenVPN 'just
works' directly in NetworkManager).

 —Ben



On 2018-09-10T10:05:56-0600, Adam Massmann <massmannak@gmail.com> wrote:

 > Hi Ben,

 > Benjamin Slade <slade@jnanam.net> writes:

 > >
 > > What is a recommended/working way of using OpenVPN on GuixSD?

 > I do not know what the recommended way of working with
 > openvpn is, but I do have a working way. Attached is a bash
 > script that takes a wireless interface as an argument and
 > starts up a vpn, adjusting dns to avoid dns leaks (you will
 > need to modify to add the dns for your setup). So if I have
 > a wifi connection called "interface" I just run
 > ```vpn-launcher-example.sh interface``` to start my vpn
 > session, and then ```vpn-killer-example.sh interface```
 > to cleanup the connection after I have finished
 > openvpn. Also depending on your setup you might need to
 > either run as root, or sprinkle sudos before the nmcli
 > calls.

 > This works well for me, but I strongly doubt it is the
 > recommended way using openvpn. If anyone has a better way
 > I'd also love to hear it.

 > Best,
 > Adam




--
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )


* Re: openvpn with networkmanager
  2018-09-10 16:05     ` Adam Massmann
  2018-09-11  1:45       ` Benjamin Slade
@ 2018-09-11  8:28       ` Julien Lepiller
  2018-09-11 16:50         ` Adam Massmann
  2018-09-11 17:53         ` Benjamin Slade
  2019-01-08 20:48       ` Maxim Cournoyer
  2 siblings, 2 replies; 12+ messages in thread
From: Julien Lepiller @ 2018-09-11  8:28 UTC (permalink / raw)
  To: help-guix

On 2018-09-10 18:05, Adam Massmann wrote:
> Hi Ben,
> 
> Benjamin Slade <slade@jnanam.net> writes:
> 
>> 
>> What is a recommended/working way of using OpenVPN on GuixSD?
> 
> I do not know what the recommended way of working with
> openvpn is, but I do have a working way. Attached is a bash
> script that takes a wireless interface as an argument and
> starts up a vpn, adjusting dns to avoid dns leaks (you will
> need to modify to add the dns for your setup). So if I have
> a wifi connection called "interface" I just run
> ```vpn-launcher-example.sh interface``` to start my vpn
> session, and then ```vpn-killer-example.sh interface```
> to cleanup the connection after I have finished
> openvpn. Also depending on your setup you might need to
> either run as root, or sprinkle sudos before the nmcli
> calls.
> 
> This works well for me, but I strongly doubt it is the
> recommended way using openvpn. If anyone has a better way
> I'd also love to hear it.
> 
> Best,
> Adam

On GuixSD, we have an openvpn service, see 
https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once 
configured, you can always start and stop it with "herd start 
openvpn-client" and "herd stop openvpn-client".


* Re: openvpn with networkmanager
  2018-09-11  8:28       ` Julien Lepiller
@ 2018-09-11 16:50         ` Adam Massmann
  2018-09-11 17:53         ` Benjamin Slade
  1 sibling, 0 replies; 12+ messages in thread
From: Adam Massmann @ 2018-09-11 16:50 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: help-guix

Hi Julien,

Julien Lepiller <julien@lepiller.eu> writes:
>
> On GuixSD, we have an openvpn service, see
> https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
> configured, you can always start and stop it with "herd start
> openvpn-client" and "herd stop openvpn-client".

Thanks for the link, I look forward to trying out the
"Guix-y" way (it's so nice to have my whole OS setup defined
in guix!) when I get some time to configure.


* Re: openvpn with networkmanager
  2018-09-11  8:28       ` Julien Lepiller
  2018-09-11 16:50         ` Adam Massmann
@ 2018-09-11 17:53         ` Benjamin Slade
  2018-09-13  8:54           ` Ludovic Courtès
  1 sibling, 1 reply; 12+ messages in thread
From: Benjamin Slade @ 2018-09-11 17:53 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: help-guix

 > On GuixSD, we have an openvpn service, see
 > https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
 > configured, you can always start and stop it with "herd start
 > openvpn-client" and "herd stop openvpn-client".

Thanks, Julien. Unfortunately, I don't find that manual page overly
illuminating in terms of how to actually set this up.

Does anyone have an example configuration available anywhere,
particularly one that shows how to set up multiple VPNs? I.e. one which
allows for different VPNs to be configured (and switched to, whether via
herd or otherwise)?

thanks,
  —Ben


--
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )


* Re: openvpn with networkmanager
  2018-09-11 17:53         ` Benjamin Slade
@ 2018-09-13  8:54           ` Ludovic Courtès
  2018-09-18  3:55             ` Benjamin Slade
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2018-09-13  8:54 UTC (permalink / raw)
  To: Benjamin Slade; +Cc: help-guix

Hi,

Benjamin Slade <slade@jnanam.net> writes:

>  > On GuixSD, we have an openvpn service, see
>  > https://guix.info/manual/en/VPN-Services.html#VPN-Services. Once
>  > configured, you can always start and stop it with "herd start
>  > openvpn-client" and "herd stop openvpn-client".
>
> Thanks, Julien. Unfortunately, I don't find that manual page overly
> illuminating in terms of how to actually set this up.

I think it would be nice to add a commented example to this section of
the manual, like we have for many other services.

Thanks,
Ludo’.


* Re: openvpn with networkmanager
  2018-09-13  8:54           ` Ludovic Courtès
@ 2018-09-18  3:55             ` Benjamin Slade
  2018-11-09  6:39               ` swedebugia
  0 siblings, 1 reply; 12+ messages in thread
From: Benjamin Slade @ 2018-09-18  3:55 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix


On 2018-09-13T02:54:52-0600, Ludovic Courtès <ludo@gnu.org> wrote:
 > I think it would be nice to add a commented example to this section of
 > the manual, like we have for many other services.

I think this would be very useful. With an example it should be much
more straightforward to figure out how to use this in practice.  Does
anyone have a working config they could share?

 —Ben

-- 
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )


* Re: openvpn with networkmanager
  2018-09-18  3:55             ` Benjamin Slade
@ 2018-11-09  6:39               ` swedebugia
  0 siblings, 0 replies; 12+ messages in thread
From: swedebugia @ 2018-11-09  6:39 UTC (permalink / raw)
  To: Benjamin Slade, Ludovic Courtès; +Cc: help-guix

Hi

On 2018-09-18 05:55, Benjamin Slade wrote:
> On 2018-09-13T02:54:52-0600, Ludovic Courtès <ludo@gnu.org> wrote:
>   > I think it would be nice to add a commented example to this section of
>   > the manual, like we have for many other services.
>
> I think this would be very useful. With an example it should be much
> more straightforward to figure out how to use this in practice.  Does
> anyone have a working config they could share?
A month has almost passed.
It seems nobody used this yet.
It seems you will have to experiment yourself. :-)

Cheers
Swedebugia


* Re: openvpn with networkmanager
  2018-09-10 16:05     ` Adam Massmann
  2018-09-11  1:45       ` Benjamin Slade
  2018-09-11  8:28       ` Julien Lepiller
@ 2019-01-08 20:48       ` Maxim Cournoyer
  2 siblings, 0 replies; 12+ messages in thread
From: Maxim Cournoyer @ 2019-01-08 20:48 UTC (permalink / raw)
  To: Adam Massmann; +Cc: Guix-Help, Benjamin Slade

Hello,

Adam Massmann <massmannak@gmail.com> writes:

> Hi Ben,
>
> Benjamin Slade <slade@jnanam.net> writes:
>
>>
>> What is a recommended/working way of using OpenVPN on GuixSD?
>
> I do not know what the recommended way of working with
> openvpn is, but I do have a working way. Attached is a bash
> script that takes a wireless interface as an argument and
> starts up a vpn, adjusting dns to avoid dns leaks (you will
> need to modify to add the dns for your setup). So if I have
> a wifi connection called "interface" I just run
> ```vpn-launcher-example.sh interface``` to start my vpn
> session, and then ```vpn-killer-example.sh interface```
> to cleanup the connection after I have finished
> openvpn. Also depending on your setup you might need to
> either run as root, or sprinkle sudos before the nmcli
> calls.
>
> This works well for me, but I strongly doubt it is the
> recommended way using openvpn. If anyone has a better way
> I'd also love to hear it.
>
> Best,
> Adam

Thanks Adam, it seems a good workaround that I hadn't thought
about. Avenues I have explored so far are:

1. Purely config based. Example:

--8<---------------cut here---------------start------------->8---
client
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
comp-lzo #t
persist-key #t
persist-tun #t
verb 3
remote-cert-tls server
nobind
resolv-retry infinite
remote someserver.net 9999

auth-user-pass
script-security 2  # calling of built-in executables and user-defined scripts.
# Accept DNS changes from the server
# TODO: Need to package "resolvconf"
# The following script comes from
# https://github.com/masterkorp/openvpn-update-resolv-conf/blob/master/update-resolv-conf.sh
#up /etc/openvpn/update-resolv-conf.sh
#down /etc/openvpn/update-resolv-conf.sh
--8<---------------cut here---------------end--------------->8---

As one can see, the solution here would be to have some external script
called whose task would be to update /etc/resolv.conf so that DNS
works. Another problem is that the /etc/resolv.conf file is managed by
NetworkManager, so any changes could be lost or reset by it at times.

2. Define an openvpn service as part of your GuixSD config, such as:
--8<---------------cut here---------------start------------->8---
		   (openvpn-client-service
		    #:config (openvpn-client-configuration
			      (remote
			       (list
				(openvpn-remote-configuration
				 (name "someserver.net")
				 (port 9999))))))
--8<---------------cut here---------------end--------------->8---

Some problems with this second option:

a. It's on by default (I'd prefer it off -- must be easy but I'm
not very knowledgeable about services yet)

b. It doesn't address the DNS question.

3. I've tried using the tools provided by network-manager, and
apparently only 'nmcli' proposes creating a VPN connection. It seems the
parameters it accepts are insufficient to define completely the setup (I
didn't see a parameter to store the remote server for example), so I'm
not sure how it's supposed to work.

Anyway, after creating the connection, I tried activating it, only to
get the error:

Error: Failed to activate 'vpn-wlp0s20f0u1'
(718af83f-9553-4805-9140-4dfd28e46a07) connection: The VPN service
'org.freedesktop.NetworkManager.openvpn' was not installed.

I'll try your solution next. Thank you!

Maxim
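
The DNS step that option 1 in the message above leaves to an external up/down script, as an added example (not code from the thread or from the linked update-resolv-conf.sh): it turns the `dhcp-option` values OpenVPN exports to such scripts as `foreign_option_N` into resolv.conf lines, and drops anything that is not a plain address or hostname, since with `script-security 2` those values come from the server. The function names and sample addresses are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. OpenVPN exports each pushed
# "dhcp-option" to up/down scripts as foreign_option_1, foreign_option_2, ...

# Accept only dotted-quad IPv4; anything else the server pushed is dropped.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Accept only hostname characters for the search domain.
is_domain() {
    case "$1" in ""|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;; esac
}

# Print resolv.conf lines for the pushed DNS/DOMAIN options found in the
# environment. Returns 1 when no valid nameserver was pushed, so the caller
# can leave the existing resolv.conf untouched.
resolv_conf_from_push() {
    n=1 servers="" search=""
    while :; do
        eval "opt=\${foreign_option_$n-}"
        [ -n "$opt" ] || break
        # Expected shape: dhcp-option DNS 10.8.0.1 (globbing off while splitting)
        set -f; set -- $opt; set +f
        if [ "$#" -eq 3 ] && [ "$1" = dhcp-option ]; then
            case "$2" in
                DNS)    is_ipv4 "$3" && servers="$servers$3 " ;;
                DOMAIN) is_domain "$3" && search="$search$3 " ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$servers" ] || return 1
    [ -z "$search" ] || echo "search ${search% }"
    for s in $servers; do echo "nameserver $s"; done
}

# Constructed sample of what a server might push; option 3 is out of range
# on purpose and is ignored.
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN vpn.example'
foreign_option_3='dhcp-option DNS 10.8.0.300'
foreign_option_4='dhcp-option DNS 10.8.0.2'
resolv_conf_from_push
```

Writing the output to /etc/resolv.conf is left to the caller; as the message notes, NetworkManager manages that file and may reset it.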
