5:52 p.m.
Hello,
I'm trying to get vpn connection managed by connman.
I've been looking in the documentation in the sources or website, but
didn't find my answer yet.
So far, I can connect to my OpenVPN server manually via connmanctl, so I
guess my vpn config file is quite ok.
But the remaining question is about the autoconnection and link
verification.
From my understanding autoconnect, reconnect etc, that we can configure
in main config file only applies to technologies, but VPNs are not
technologies from connman perspectives, so they are listed as service
(maybe my statement here is not correct ?).
My goal is to be able, as soon as I get proper network connection,
either by ethernet, cellular or wifi technologies to get connected to my
vpn server and in case of disconnection (so implicitly a connection
check is done in background) to get reconnected.
* How to setup autoconnect and reconnect with OpenVPN (also in case we
change technology from ethernet to cellular for instance) ?
* Regarding routes, I would like to know how to apply the routes
pushed by the OpenVPN server as the default route?
* Regarding DNS server, I also would like to know how to get the DNS
pushed by the OpenVPN applied in resolv.conf ?
If my questions are unclear feel free to ask.
Below you can find more details about my setup.
Thanks,
Florent.
----------------------------------------------------------------------------
My setup is :
* connman 1.33
* connman-vpnd
* connman-plugin-vpn
* openvpn 2.3.14
My VPN config file is :
[global]
Name = OpenVPVN
Description = OepnVPN custom configuration
[provider_openvpn]
Type = OpenVPN
Name = Custom VPN
Host = MY_SERVER_IP
Domain = MY_DOMAIN
Networks =
192.168.1.0/255.255.255.0/10.8.0.1,192.168.0.0/255.255.0.0/10.8.0.1
OpenVPN.ConfigFile=/etc/openvpn/client-openvpn.conf
My VPN config stored by connman is :
connmanctl> services vpn_MY_SERVER_IP_MY_DOMAIN
/net/connman/service/vpn_MY_SERVER_IP_MY_DOMAIN
Type = vpn
Security = [ ]
State = ready
Favorite = True
Immutable = False
AutoConnect = False
Name = Custom VPN
IPv4 = [ Method=fixed, Address=10.8.0.18, Netmask=255.255.255.255,
Gateway=MY_SERVER_IP ]
IPv4.Configuration = [ Method=fixed, Address=10.8.0.18,
Netmask=255.255.255.255, Gateway=MY_SERVER_IP ]
IPv6 = [ ]
IPv6.Configuration = [ Method=off ]
Nameservers = [ 10.8.0.1 ]
Nameservers.Configuration = [ ]
Timeservers = [ ]
Timeservers.Configuration = [ ]
Domains = [ ran.com ]
Domains.Configuration = [ ]
Proxy = [ Method=direct ]
Proxy.Configuration = [ ]
Provider = [ Host=MY_SERVER_IP, Type=openvpn ]
2:39 p.m.
Hi Florent,
On 12/27/2016 06:52 PM, Florent Le Saout wrote:
Hello,
I'm trying to get vpn connection managed by connman.
I've been looking in the documentation in the sources or website, but
didn't find my answer yet.
So far, I can connect to my OpenVPN server manually via connmanctl, so I
guess my vpn config file is quite ok.
But the remaining question is about the autoconnection and link
verification.
From my understanding autoconnect, reconnect etc, that we can configure
in main config file only applies to technologies, but VPNs are not
technologies from connman perspectives, so they are listed as service
(maybe my statement here is not correct ?).
If you set your Ethernet Service and VPN Service to autoconnect, the VPN
tunnel will be openened after the Ethernet Service got connected.
My goal is to be able, as soon as I get proper network connection,
either by ethernet, cellular or wifi technologies to get connected to my
vpn server and in case of disconnection (so implicitly a connection
check is done in background) to get reconnected.
That should work in theory :)
* How to setup autoconnect and reconnect with OpenVPN (also in case
we
change technology from ethernet to cellular for instance) ?
ConnMan will reconnect the tunnel when the underlying connection dies
and there is a new connection established.
* Regarding routes, I would like to know how to apply the routes
pushed by the OpenVPN server as the default route?
ConnMan will add the routes automatically to your routing table. You
just need to push them from the server, e.g. do something like
push "redirect-gateway def1"
* Regarding DNS server, I also would like to know how to get the
DNS
pushed by the OpenVPN applied in resolv.conf ?
Same here ConnMan will take of the DNS resolving, you might need to push
the right DNS entries from the OpenVPN server:
push "dhcp-option DNS 85.25.128.10"
push "dhcp-option DNS 85.25.255.10"
HTH,
Thanks,
Daniel
11:46 a.m.
Hi Daniel,
Thanks for your feedback.
Sorry for the delay but I was fully focused on something else recently.
See my comments inline.
Thanks,
Florent.
On 01/01/2017 15:39, Daniel Wagner wrote:
Hi Florent,
On 12/27/2016 06:52 PM, Florent Le Saout wrote:
> Hello,
>
> I'm trying to get vpn connection managed by connman.
>
> I've been looking in the documentation in the sources or website, but
> didn't find my answer yet.
>
> So far, I can connect to my OpenVPN server manually via connmanctl, so I
> guess my vpn config file is quite ok.
>
> But the remaining question is about the autoconnection and link
> verification.
>
> From my understanding autoconnect, reconnect etc, that we can configure
> in main config file only applies to technologies, but VPNs are not
> technologies from connman perspectives, so they are listed as service
> (maybe my statement here is not correct ?).
If you set your Ethernet Service and VPN Service to autoconnect, the
VPN tunnel will be openened after the Ethernet Service got connected.
Regarding
Ethernet, i see clearly that I can set it here
"DefaultAutoConnectTechnologies = " in the main.conf, which is properly
set as default.
But this is only valid regarding technologies, and VPN is not a
technology but a service, so it's not possible to set it here.
So could you tell me if my assumptions are correct and how to set
AutoConnect and autoreconnect for VPN ?
> My goal is to be able, as soon as I get proper network connection,
> either by ethernet, cellular or wifi technologies to get connected to my
> vpn server and in case of disconnection (so implicitly a connection
> check is done in background) to get reconnected.
That should work in theory :)
It seems it's properly managed but I have to test
a bit more.
> * How to setup autoconnect and reconnect with OpenVPN (also in case we
> change technology from ethernet to cellular for instance) ?
ConnMan will reconnect the tunnel when the underlying connection dies
and there is a new connection established.
Let say for a weird reason that my
tunnel is not working anymore but the
underling connection is still ok, then nothing will do a check inside
excepted OpenVPN client itself ? There is nothing inside connman which
will detect loss of connection of the tunnel itself even if the
underlying connection is still valid?
> * Regarding routes, I would like to know how to apply the routes
> pushed by the OpenVPN server as the default route?
ConnMan will add the routes automatically to your routing table. You
just need to push them from the server, e.g. do something like
push "redirect-gateway def1"
I have that in my server config (I was about
to add it to my original
question) :
* push "redirect-gateway def1 bypass-dhcp"
When I do run OpenVPN manually, I get the route properly setup with my
tunnel as default route, but with connman it's not the case anymore.
Destination Gateway Genmask Flags Metric Ref
Use Iface
default 10.8.0.1 128.0.0.0 UG 0
0 0 tun0
I get those debug messages :
connman-vpnd[1099]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
connmand[1095]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
connmand[1095]: vpn0 {newlink} index 12 address 00:00:00:00:00:00
mtu 1500
connmand[1095]: vpn0 {newlink} index 12 operstate 6 <UP>
connman-vpnd[1099]: vpn0 {newlink} index 12 operstate 6 <UP>
connmand[1095]: vpn0 {add} address 10.8.0.18/32 label vpn0 family 2
connmand[1095]: Adding host route failed (Network is unreachable)
connmand[1095]: rp_filter set to 2 (loose mode routing), old value was 0
Connected vpn_Test_com
connmanctl> connmand[1095]: ipconfig state 4 ipconfig method 1
connmand[1095]: vpn0 {add} route 10.8.0.1 gw 0.0.0.0 scope 253 <LINK>
connmand[1095]: eth0 {add} route 149.202.178.61 gw 192.168.4.4 scope
0 <UNIVERSE>
connmand[1095]: eth0 {del} route 0.0.0.0 gw 192.168.4.4 scope 0
<UNIVERSE>
connmand[1095]: eth0 {add} route 0.0.0.0 gw 192.168.4.4 scope 0
<UNIVERSE>
And for some reason, since I've added this line
"Networks=192.168.1.0/255.255.255.0/10.8.0.1" in my openvpn config file
for connman, it works almost all the time.
It seems that when connman services are listed this way :
# connmanctl services
* R Test VPN vpn_Test_com
*AO Wired ethernet_7076ff01000c_cable
My routing table is as expected :
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric
Ref Use Iface
default * 0.0.0.0 U
0 0 0 vpn0
10.8.0.1 * 255.255.255.255 UH
0 0 0 vpn0
192.168.4.0 * 255.255.254.0 U
0 0 0 eth0
192.168.4.4 * 255.255.255.255 UH
0 0 0 eth0
192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
0 0 eth0
But when connman services are listed this way :
# connmanctl services
*AO Wired ethernet_7076ff01000c_cable
* R Test VPN vpn_Test_com
My routing table is not as expected :
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref
Use Iface
default 192.168.4.4 0.0.0.0 UG 0
0 0 eth0
10.8.0.1 * 255.255.255.255 UH 0
0 0 vpn0
192.168.4.0 * 255.255.254.0 U 0
0 0 eth0
192.168.4.4 * 255.255.255.255 UH 0
0 0 eth0
192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
0 0 eth0
Do you think that the order of the services has any impact on the
default routing interface ?
> * Regarding DNS server, I also would like to know how to get
the DNS
> pushed by the OpenVPN applied in resolv.conf ?
Same here ConnMan will take of the DNS resolving, you might need to push
the right DNS entries from the OpenVPN server:
push "dhcp-option DNS 85.25.128.10"
push "dhcp-option DNS 85.25.255.10"
This part is working properly, when I do a connmanctl services vpn_....
I get :
Nameservers = [ 10.8.0.1 ]
But I have still a question.
If Ethernet and Openvpn are providing DNS server, which one is selected
first ?
HTH,
Thanks,
Daniel
--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
6:05 p.m.
Hi,
Sorry to ask again for help, but I'm falling in the routing issue
described below almost all the time now (the default route is still
Ethernet and not vpn).
I can provide more information, like config files in use, to help to
figure out what's going on if needed.
Thanks,
Florent.
On 31/01/2017 12:46, Florent Le Saout wrote:
Hi Daniel,
Thanks for your feedback.
Sorry for the delay but I was fully focused on something else recently.
See my comments inline.
Thanks,
Florent.
On 01/01/2017 15:39, Daniel Wagner wrote:
> Hi Florent,
>
> On 12/27/2016 06:52 PM, Florent Le Saout wrote:
>> Hello,
>>
>> I'm trying to get vpn connection managed by connman.
>>
>> I've been looking in the documentation in the sources or website, but
>> didn't find my answer yet.
>>
>> So far, I can connect to my OpenVPN server manually via connmanctl,
>> so I
>> guess my vpn config file is quite ok.
>>
>> But the remaining question is about the autoconnection and link
>> verification.
>>
>> From my understanding autoconnect, reconnect etc, that we can configure
>> in main config file only applies to technologies, but VPNs are not
>> technologies from connman perspectives, so they are listed as service
>> (maybe my statement here is not correct ?).
>
> If you set your Ethernet Service and VPN Service to autoconnect, the
> VPN tunnel will be openened after the Ethernet Service got connected.
Regarding Ethernet, i see clearly that I can set it here
"DefaultAutoConnectTechnologies = " in the main.conf, which is
properly set as default.
But this is only valid regarding technologies, and VPN is not a
technology but a service, so it's not possible to set it here.
So could you tell me if my assumptions are correct and how to set
AutoConnect and autoreconnect for VPN ?
>
>
>> My goal is to be able, as soon as I get proper network connection,
>> either by ethernet, cellular or wifi technologies to get connected
>> to my
>> vpn server and in case of disconnection (so implicitly a connection
>> check is done in background) to get reconnected.
>
> That should work in theory :)
It seems it's properly managed but I have to test a bit more.
>
>> * How to setup autoconnect and reconnect with OpenVPN (also in
>> case we
>> change technology from ethernet to cellular for instance) ?
>
> ConnMan will reconnect the tunnel when the underlying connection dies
> and there is a new connection established.
Let say for a weird reason that my tunnel is not working anymore but
the underling connection is still ok, then nothing will do a check
inside excepted OpenVPN client itself ? There is nothing inside
connman which will detect loss of connection of the tunnel itself even
if the underlying connection is still valid?
>
>> * Regarding routes, I would like to know how to apply the routes
>> pushed by the OpenVPN server as the default route?
>
> ConnMan will add the routes automatically to your routing table. You
> just need to push them from the server, e.g. do something like
>
> push "redirect-gateway def1"
I have that in my server config (I was about to add it to my original
question) :
* push "redirect-gateway def1 bypass-dhcp"
When I do run OpenVPN manually, I get the route properly setup with my
tunnel as default route, but with connman it's not the case anymore.
Destination Gateway Genmask Flags Metric
Ref Use Iface
default 10.8.0.1 128.0.0.0 UG 0
0 0 tun0
I get those debug messages :
connman-vpnd[1099]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
connmand[1095]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
connmand[1095]: vpn0 {newlink} index 12 address 00:00:00:00:00:00
mtu 1500
connmand[1095]: vpn0 {newlink} index 12 operstate 6 <UP>
connman-vpnd[1099]: vpn0 {newlink} index 12 operstate 6 <UP>
connmand[1095]: vpn0 {add} address 10.8.0.18/32 label vpn0 family 2
connmand[1095]: Adding host route failed (Network is unreachable)
connmand[1095]: rp_filter set to 2 (loose mode routing), old value
was 0
Connected vpn_Test_com
connmanctl> connmand[1095]: ipconfig state 4 ipconfig method 1
connmand[1095]: vpn0 {add} route 10.8.0.1 gw 0.0.0.0 scope 253 <LINK>
connmand[1095]: eth0 {add} route 149.202.178.61 gw 192.168.4.4
scope 0 <UNIVERSE>
connmand[1095]: eth0 {del} route 0.0.0.0 gw 192.168.4.4 scope 0
<UNIVERSE>
connmand[1095]: eth0 {add} route 0.0.0.0 gw 192.168.4.4 scope 0
<UNIVERSE>
And for some reason, since I've added this line
"Networks=192.168.1.0/255.255.255.0/10.8.0.1" in my openvpn config
file for connman, it works almost all the time.
It seems that when connman services are listed this way :
# connmanctl services
* R Test VPN vpn_Test_com
*AO Wired ethernet_7076ff01000c_cable
My routing table is as expected :
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric
Ref Use Iface
default * 0.0.0.0
U 0 0 0 vpn0
10.8.0.1 * 255.255.255.255
UH 0 0 0 vpn0
192.168.4.0 * 255.255.254.0 U
0 0 0 eth0
192.168.4.4 * 255.255.255.255 UH
0 0 0 eth0
192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
0 0 eth0
But when connman services are listed this way :
# connmanctl services
*AO Wired ethernet_7076ff01000c_cable
* R Test VPN vpn_Test_com
My routing table is not as expected :
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric
Ref Use Iface
default 192.168.4.4 0.0.0.0 UG 0
0 0 eth0
10.8.0.1 * 255.255.255.255 UH 0
0 0 vpn0
192.168.4.0 * 255.255.254.0 U 0
0 0 eth0
192.168.4.4 * 255.255.255.255 UH 0
0 0 eth0
192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
0 0 eth0
Do you think that the order of the services has any impact on the
default routing interface ?
>> * Regarding DNS server, I also would like to know how to get the DNS
>> pushed by the OpenVPN applied in resolv.conf ?
>
> Same here ConnMan will take of the DNS resolving, you might need to push
> the right DNS entries from the OpenVPN server:
>
> push "dhcp-option DNS 85.25.128.10"
> push "dhcp-option DNS 85.25.255.10"
This part is working properly, when I do a connmanctl services
vpn_.... I get :
Nameservers = [ 10.8.0.1 ]
But I have still a question.
If Ethernet and Openvpn are providing DNS server, which one is
selected first ?
>
> HTH,
>
> Thanks,
> Daniel
--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
8 p.m.
Hi Florent,
On 02/08/2017 07:05 PM, Florent Le Saout wrote:
On 31/01/2017 12:46, Florent Le Saout wrote:
> On 01/01/2017 15:39, Daniel Wagner wrote:
>> On 12/27/2016 06:52 PM, Florent Le Saout wrote:
> Regarding Ethernet, i see clearly that I can set it here
> "DefaultAutoConnectTechnologies = " in the main.conf, which is
> properly set as default.
> But this is only valid regarding technologies, and VPN is not a
> technology but a service, so it's not possible to set it here.
The VPN Service itself has an AutoConnect property which tells
ConnMan to start it automatically.
> Let say for a weird reason that my tunnel is not working anymore
but
> the underling connection is still ok, then nothing will do a check
> inside excepted OpenVPN client itself ? There is nothing inside
> connman which will detect loss of connection of the tunnel itself even
> if the underlying connection is still valid?
No, ConnMan does not have any sort of keep alive test. Though if I
am not mistaken OpenVPN itself has such a bunch option:
--ping-exit n
Causes OpenVPN to exit after n seconds pass without reception of a ping
or other
packet from remote. This option can be combined with --inactive,
--ping, and
--ping-exit to create a two-tiered inactivity disconnect.
For example,
openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
when used on both peers will cause OpenVPN to exit within 60 seconds if its
peer dis‐
connects, but will exit after one hour if no actual tunnel data is
exchanged.
Though our plugin doesn't know yet about these option but those
could be easily added.
>>> * Regarding routes, I would like to know how to apply
the routes
>>> pushed by the OpenVPN server as the default route?
>>
>> ConnMan will add the routes automatically to your routing table. You
>> just need to push them from the server, e.g. do something like
>>
>> push "redirect-gateway def1"
> I have that in my server config (I was about to add it to my original
> question) :
>
> * push "redirect-gateway def1 bypass-dhcp"
>
> When I do run OpenVPN manually, I get the route properly setup with my
> tunnel as default route, but with connman it's not the case anymore.
>
> Destination Gateway Genmask Flags Metric
> Ref Use Iface
> default 10.8.0.1 128.0.0.0 UG 0
> 0 0 tun0
If possible use the 'ip' tool for reporting. The old tools don't show all
details. So for example 'ip route' gives for my current system:
$ ip r
default via 192.168.178.1 dev wlp2s0b1
192.168.178.0/24 dev wlp2s0b1 proto kernel scope link src 192.168.178.20
192.168.178.1 dev wlp2s0b1 scope link
which I started to like. It takes awhile to get accustom to it :)
> I get those debug messages :
>
> connman-vpnd[1099]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
> connmand[1095]: vpn0 {update} flags 102609 <UP,RUNNING,LOWER_UP>
> connmand[1095]: vpn0 {newlink} index 12 address 00:00:00:00:00:00
> mtu 1500
> connmand[1095]: vpn0 {newlink} index 12 operstate 6 <UP>
> connman-vpnd[1099]: vpn0 {newlink} index 12 operstate 6 <UP>
> connmand[1095]: vpn0 {add} address 10.8.0.18/32 label vpn0 family 2
> connmand[1095]: Adding host route failed (Network is unreachable)
So this message is suspicious. Not sure why that happens. Need to read
up what is happening.
> connmand[1095]: rp_filter set to 2 (loose mode routing), old
value
> was 0
> Connected vpn_Test_com
> connmanctl> connmand[1095]: ipconfig state 4 ipconfig method 1
> connmand[1095]: vpn0 {add} route 10.8.0.1 gw 0.0.0.0 scope 253 <LINK>
> connmand[1095]: eth0 {add} route 149.202.178.61 gw 192.168.4.4
> scope 0 <UNIVERSE>
> connmand[1095]: eth0 {del} route 0.0.0.0 gw 192.168.4.4 scope 0
> <UNIVERSE>
> connmand[1095]: eth0 {add} route 0.0.0.0 gw 192.168.4.4 scope 0
> <UNIVERSE>
>
> And for some reason, since I've added this line
> "Networks=192.168.1.0/255.255.255.0/10.8.0.1" in my openvpn config
> file for connman, it works almost all the time.
>
> It seems that when connman services are listed this way :
>
> # connmanctl services
> * R Test VPN vpn_Test_com
> *AO Wired ethernet_7076ff01000c_cable
>
>
> My routing table is as expected :
>
> # route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric
> Ref Use Iface
> default * 0.0.0.0
> U 0 0 0 vpn0
> 10.8.0.1 * 255.255.255.255
> UH 0 0 0 vpn0
> 192.168.4.0 * 255.255.254.0 U
> 0 0 0 eth0
> 192.168.4.4 * 255.255.255.255 UH
> 0 0 0 eth0
> 192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
> 0 0 eth0
>
> But when connman services are listed this way :
>
> # connmanctl services
> *AO Wired ethernet_7076ff01000c_cable
> * R Test VPN vpn_Test_com
>
>
> My routing table is not as expected :
>
> # route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric
> Ref Use Iface
> default 192.168.4.4 0.0.0.0 UG 0
> 0 0 eth0
> 10.8.0.1 * 255.255.255.255 UH 0
> 0 0 vpn0
> 192.168.4.0 * 255.255.254.0 U 0
> 0 0 eth0
> 192.168.4.4 * 255.255.255.255 UH 0
> 0 0 eth0
> 192.168.4.201 192.168.4.4 255.255.255.255 UGH 0
> 0 0 eth0
>
> Do you think that the order of the services has any impact on the
> default routing interface ?
Yes, the ordering of the services defines the default entry. Since there
is only one global default route, the first services sets it.
>>> * Regarding DNS server, I also would like to know how
to get the DNS
>>> pushed by the OpenVPN applied in resolv.conf ?
>>
>> Same here ConnMan will take of the DNS resolving, you might need to push
>> the right DNS entries from the OpenVPN server:
>>
>> push "dhcp-option DNS 85.25.128.10"
>> push "dhcp-option DNS 85.25.255.10"
>
> This part is working properly, when I do a connmanctl services
> vpn_.... I get :
> Nameservers = [ 10.8.0.1 ]
Strange indeed. I haven't tested OpenVPN for a while. I'll setup server
and see if I get the same problems as you.
> But I have still a question.
> If Ethernet and Openvpn are providing DNS server, which one is
> selected first ?
If you use the builtin dnsproxy than ConnMan knows which DNS server it
has to ask for resolving. So if OpenVPN is up than it will use those
entries provided by OpenVPN.
Thanks,
Daniel
ps: please try to avoid HTML emails and top posting.
7:38 a.m.
Hi Florent,
FWIW, I have tested the current HEAD with my OpenVPN server. Pretty
standard configuration:
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/xxx.crt
key /etc/openvpn/keys/xxx.key
dh /etc/openvpn/keys/dh2048.pem
server 10.1.0.0 255.255.255.0
auth SHA512
cipher AES-256-CBC
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
and on the client side:
[provider_openvpn]
Type = OpenVPN
Name = xxx
Host = xxx
Domain = xxx
OpenVPN.CACert = /var/lib/connman-vpn/ca.crt
OpenVPN.Cert = /var/lib/connman-vpn/xxx.crt
OpenVPN.Key = /var/lib/connman-vpn/xxx.key
OpenVPN.Cipher = AES-256-CBC
OpenVPN.Auth = SHA512
OpenVPN.NSCertType = server
and I haven't observed any problems. Let's see if it happens if I use it
more regularly.
Thanks,
Daniel
8:53 a.m.
Hi Daniel,
Thanks for spending some time trying reproducing that. :)
I'm actually on 2.3.14 on both side, compiled for ARM for the client and
x86_64 for the server.
I could not migrate so far on 2.4
* _Regarding routes :_
What I observe is that most of the times routes are properly set and
connman is listing services in the right order :
root # connmanctl services
* R VPN vpn_192_168_4_201_test
*AO Wired ethernet_7076ff010e20_cable
# ip route
default dev vpn0
10.8.0.1 dev vpn0
192.168.4.0/23 dev eth0 src 192.168.4.119
192.168.4.4 dev eth0
192.168.4.201 via 192.168.4.4 dev eth0
But once in a while, it's not correct.
How can we make sure that VPN will always be on top of the others, which
is the default expected behavior from my perspectives ?
I will also try to reproduce it on my side and try to provide you with
as much details as I can.
* _Regarding Autoconnect :_
When you say :
The VPN Service itself has an AutoConnect property which tells
ConnMan to start it automatically.
Do you mean that this is set automatically by default for this type of
service, or do I need to set it manually bu setting an option, because
if this is the case I haven't found it ?
See below the actual details of my connexion :
/net/connman/service/vpn_192_168_4_201_test
Type = vpn
Security = [ ]
State = ready
Favorite = True
Immutable = False
AutoConnect = False
Thanks,
Florent.
On 13/02/2017 08:38, Daniel Wagner wrote:
Hi Florent,
FWIW, I have tested the current HEAD with my OpenVPN server. Pretty
standard configuration:
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/xxx.crt
key /etc/openvpn/keys/xxx.key
dh /etc/openvpn/keys/dh2048.pem
server 10.1.0.0 255.255.255.0
auth SHA512
cipher AES-256-CBC
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
and on the client side:
[provider_openvpn]
Type = OpenVPN
Name = xxx
Host = xxx
Domain = xxx
OpenVPN.CACert = /var/lib/connman-vpn/ca.crt
OpenVPN.Cert = /var/lib/connman-vpn/xxx.crt
OpenVPN.Key = /var/lib/connman-vpn/xxx.key
OpenVPN.Cipher = AES-256-CBC
OpenVPN.Auth = SHA512
OpenVPN.NSCertType = server
and I haven't observed any problems. Let's see if it happens if I use
it more regularly.
Thanks,
Daniel
--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
6:41 a.m.
Hi Florent,
Do not top post and no HTML please.
On 02/13/2017 09:53 AM, Florent Le Saout wrote:
Thanks for spending some time trying reproducing that. :)
I'm actually on 2.3.14 on both side, compiled for ARM for the client and
x86_64 for the server.
I could not migrate so far on 2.4
I am not aware of any 2.3 vs 2.4 issues so far. At least for ConnMan it
is the same, unless the few options we use got renamed or removed.
Though the there might be a different behavior between those two
versions, but that seem to me very likely.
* _Regarding routes :_
What I observe is that most of the times routes are properly set and
connman is listing services in the right order :
root # connmanctl services
* R VPN vpn_192_168_4_201_test
*AO Wired ethernet_7076ff010e20_cable
# ip route
default dev vpn0
10.8.0.1 dev vpn0
192.168.4.0/23 dev eth0 src 192.168.4.119
192.168.4.4 dev eth0
192.168.4.201 via 192.168.4.4 dev eth0
But once in a while, it's not correct.
How can we make sure that VPN will always be on top of the others, which
is the default expected behavior from my perspectives ?
Can you send the log file generated by
sudo ./src/connmand -n -d src/service.c 2>&1 | ts '[%H:%M:%.S]' | tee
connman.log
one when it works and one for when it's wrong. If possible annotating
the time when the operations filed with the time stamp, so that we have
a chance to find the right spot.
I will also try to reproduce it on my side and try to provide you
with
as much details as I can.
* _Regarding Autoconnect :_
When you say :
The VPN Service itself has an AutoConnect property which tells
ConnMan to start it automatically.
Do you mean that this is set automatically by default for this type of
service, or do I need to set it manually bu setting an option, because
if this is the case I haven't found it ?
See below the actual details of my connexion :
You need to set it per Service via the D-Bus API, e.g. using connmanctl
connmanctl config VPN_SERVICE_NAME --autoconnect yes
/net/connman/service/vpn_192_168_4_201_test
Type = vpn
Security = [ ]
State = ready
Favorite = True
Immutable = False
AutoConnect = False
Consider this file as read only. It will be overwritten without warning.
If you edit by hand you need first to shutdown connman-vpn
Thanks,
Daniel
4:08 p.m.
Hi Daniel,
Sorry for the delay but I was busy on something else lately.
On 15/02/2017 07:41, Daniel Wagner wrote:
Hi Florent,
Do not top post and no HTML please.
On 02/13/2017 09:53 AM, Florent Le Saout wrote:
> Thanks for spending some time trying reproducing that. :)
>
> I'm actually on 2.3.14 on both side, compiled for ARM for the client and
> x86_64 for the server.
>
> I could not migrate so far on 2.4
I am not aware of any 2.3 vs 2.4 issues so far. At least for ConnMan
it is the same, unless the few options we use got renamed or removed.
Though the there might be a different behavior between those two
versions, but that seem to me very likely.
> * _Regarding routes :_
>
>
> What I observe is that most of the times routes are properly set and
> connman is listing services in the right order :
>
> root # connmanctl services
> * R VPN vpn_192_168_4_201_test
> *AO Wired ethernet_7076ff010e20_cable
>
> # ip route
> default dev vpn0
> 10.8.0.1 dev vpn0
> 192.168.4.0/23 dev eth0 src 192.168.4.119
> 192.168.4.4 dev eth0
> 192.168.4.201 via 192.168.4.4 dev eth0
>
> But once in a while, it's not correct.
> How can we make sure that VPN will always be on top of the others, which
> is the default expected behavior from my perspectives ?
Can you send the log file generated by
sudo ./src/connmand -n -d src/service.c 2>&1 | ts '[%H:%M:%.S]' | tee
connman.log
one when it works and one for when it's wrong. If possible annotating
the time when the operations filed with the time stamp, so that we
have a chance to find the right spot.
I think I figured out the reproducing method.
When I get the first connection, (so before the local settings file
exist : vpn_X_X_X_X/settings) the route is always wrong.
But at the second boot when the file is already there the route is
properly setup.
Please find attached the logs with proper and incorrect route setup.
I guess it's trying to set the default route to the kernel before the
vpn tunnel is actually ready ?
Let me know if there is other points I should check or if I should add
more logs.
> I will also try to reproduce it on my side and try to provide you with
> as much details as I can.
>
> * _Regarding Autoconnect :_
>
> When you say :
>
> The VPN Service itself has an AutoConnect property which tells
> ConnMan to start it automatically.
>
> Do you mean that this is set automatically by default for this type of
> service, or do I need to set it manually bu setting an option, because
> if this is the case I haven't found it ?
> See below the actual details of my connexion :
You need to set it per Service via the D-Bus API, e.g. using connmanctl
connmanctl config VPN_SERVICE_NAME --autoconnect yes
>
> /net/connman/service/vpn_192_168_4_201_test
> Type = vpn
> Security = [ ]
> State = ready
> Favorite = True
> Immutable = False
> AutoConnect = False
Consider this file as read only. It will be overwritten without
warning. If you edit by hand you need first to shutdown connman-vpn
Thanks,
Daniel
Thanks,
Florent.
9:20 p.m.
Hi Florent,
On 04/19/2017 05:08 PM, Florent Le Saout wrote:
I think I figured out the reproducing method.
When I get the first connection, (so before the local settings file
exist : vpn_X_X_X_X/settings) the route is always wrong.
But at the second boot when the file is already there the route is
properly setup.
Please find attached the logs with proper and incorrect route setup.
I guess it's trying to set the default route to the kernel before the
vpn tunnel is actually ready ?
Let me know if there is other points I should check or if I should add
more logs.
Thanks for taking time digging into this. I think with this info I
should be able to see there is a problem. But just not today/tonight :)
Thanks,
Daniel
9:03 a.m.
Hi Daniel,
Yep I spent some time digging into it.
Since it took me few weeks to answer back, I think I'll not complain
about 2-3 days more ;)
Let me know if I can help,
Florent.
On 24/04/2017 22:20, Daniel Wagner wrote:
Hi Florent,
On 04/19/2017 05:08 PM, Florent Le Saout wrote:
> I think I figured out the reproducing method.
>
> When I get the first connection, (so before the local settings file
> exist : vpn_X_X_X_X/settings) the route is always wrong.
>
> But at the second boot when the file is already there the route is
> properly setup.
>
> Please find attached the logs with proper and incorrect route setup.
>
> I guess it's trying to set the default route to the kernel before the
> vpn tunnel is actually ready ?
> Let me know if there is other points I should check or if I should add
> more logs.
Thanks for taking time digging into this. I think with this info I
should be able to see there is a problem. But just not today/tonight :)
Thanks,
Daniel
--
*Florent LE SAOUT*
R&D department
Embedded Software Developer
AUSY contractor for KERLINK
1733
days inactive
1852
days old
10 comments
2 participants
participants (2)
-
Daniel Wagner -
Florent Le Saout