Package: network-manager-openvpn
Version: 0.9.8.4-2
Severity: normal

--- Please enter the report below this line. ---

After the Heartbleed vulnerability was discovered, my vpn provider changed their configuration: they now use tls-auth and 4096 bit size RSA and DH keys (cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA). After this upgrade I can connect to the vpn server with kde-nm-frontend but I have no internet connection inside the tunnel. (The logs are 1 month old, but nothing changed in the meantime).

At first I could not connect to the server at all. This is the system log after initiating connection from the frontend:

14/04/2014 23:29:33 hostname NetworkManager[2898] <info> Starting VPN service 'openvpn'...
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 5101
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN service 'openvpn' appeared; activating connections
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN plugin state changed: starting (3)
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN connection 'AirVPN_Romania_UDP-443' (Connect) reply received.
14/04/2014 23:29:33 hostname NetworkManager[2898] <warn> VPN plugin failed: 1
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN plugin state changed: stopped (6)
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> VPN plugin state change reason: 0
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> Policy set 'ZZZ' (wlan0) as default for IPv4 routing and DNS.
14/04/2014 23:29:33 hostname NetworkManager[2898] <error> [1397510973.305198] [nm-system.c:1266] nm_system_replace_default_ip6_route(): (wlan0): failed to set IPv6 default route: -7
14/04/2014 23:29:33 hostname NetworkManager[2898] <info> Policy set 'ZZZ' (wlan0) as default for IPv6 routing and DNS.
14/04/2014 23:29:33 hostname NetworkManager[2898] <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
14/04/2014 23:29:38 hostname NetworkManager[2898] <info> VPN service 'openvpn' disappeared

I discovered that the frontend doesn't respect the lzo-compression setting from the imported config file (it sets it to "enabled"). So I disabled it and was able to establish a connection to the vpn server, however I had no connection to the internet inside the tunnel. Log:

14/04/2014 22:49:44 hostname NetworkManager[2890] <info> Starting VPN service 'openvpn'...
14/04/2014 22:49:44 hostname NetworkManager[2890] <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 7026
14/04/2014 22:49:44 hostname NetworkManager[2890] <info> VPN service 'openvpn' appeared; activating connections
14/04/2014 22:49:44 hostname NetworkManager[2890] <info> VPN plugin state changed: starting (3)
14/04/2014 22:49:44 hostname NetworkManager[2890] <info> VPN connection 'AirVPN_Romania_UDP-443' (Connect) reply received.
14/04/2014 22:49:44 hostname nm-openvpn[7029] OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 17 2014
14/04/2014 22:49:44 hostname nm-openvpn[7029] WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
14/04/2014 22:49:44 hostname nm-openvpn[7029] NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14/04/2014 22:49:44 hostname nm-openvpn[7029] WARNING: file '/home/administrator/AirVPN/user.key' is group or others accessible
14/04/2014 22:49:44 hostname nm-openvpn[7029] WARNING: file '/home/administrator/AirVPN/ta.key' is group or others accessible
14/04/2014 22:49:44 hostname nm-openvpn[7029] Control Channel Authentication: using '/home/administrator/AirVPN/ta.key' as a OpenVPN static key file
14/04/2014 22:49:44 hostname nm-openvpn[7029] UDPv4 link local: [undef]
14/04/2014 22:49:44 hostname nm-openvpn[7029] UDPv4 link remote: [AF_INET]109.163.230.232:443
14/04/2014 22:49:47 hostname dhclient DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20
14/04/2014 22:49:55 hostname nm-openvpn[7029] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
14/04/2014 22:49:55 hostname nm-openvpn[7029] WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
14/04/2014 22:49:58 hostname nm-openvpn[7029] [server] Peer Connection Initiated with [AF_INET]109.163.230.232:443
14/04/2014 22:50:01 hostname nm-openvpn[7029] TUN/TAP device tun0 opened
14/04/2014 22:50:01 hostname nm-openvpn[7029] /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1557 10.4.30.78 10.4.30.77 init
14/04/2014 22:50:01 hostname NetworkManager[2890] <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
14/04/2014 22:50:01 hostname NetworkManager[2890] SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
14/04/2014 22:50:01 hostname NetworkManager[2890] SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> VPN connection 'AirVPN_Romania_UDP-443' (IP4 Config Get) reply received from old-style plugin.
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> VPN Gateway: 109.163.230.232
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Tunnel Device: tun0
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> IPv4 configuration:
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Internal Gateway: 10.4.30.77
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Internal Address: 10.4.30.78
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Internal Prefix: 32
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Internal Point-to-Point Address: 10.4.30.77
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Maximum Segment Size (MSS): 0
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Static Route: 10.4.0.1/32 Next Hop: 10.4.0.1
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Forbid Default Route: no
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> Internal DNS: 10.4.0.1
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> DNS Domain: '(none)'
14/04/2014 22:50:01 hostname NetworkManager[2890] <info> No IPv6 configuration
14/04/2014 22:50:01 hostname nm-openvpn[7029] Initialization Sequence Completed
14/04/2014 22:50:02 hostname NetworkManager[2890] <info> VPN connection 'AirVPN_Romania_UDP-443' (IP Config Get) complete.
14/04/2014 22:50:02 hostname NetworkManager[2890] <info> Policy set 'AirVPN_Romania_UDP-443' (tun0) as default for IPv4 routing and DNS.
14/04/2014 22:50:02 hostname NetworkManager[2890] <error> [1397508602.543640] [nm-system.c:1266] nm_system_replace_default_ip6_route(): (wlan0): failed to set IPv6 default route: -7
14/04/2014 22:50:02 hostname NetworkManager[2890] <info> Policy set 'ZZZ' (wlan0) as default for IPv6 routing and DNS.
14/04/2014 22:50:02 hostname dbus[2837] [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
14/04/2014 22:50:02 hostname NetworkManager[2890] <info> VPN plugin state changed: started (4)
14/04/2014 22:50:02 hostname dbus[2837] [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
14/04/2014 22:50:05 hostname nm-dispatcher.action Script '/etc/NetworkManager/dispatcher.d/01ifupdown' took too long; killing it.
14/04/2014 22:50:05 hostname NetworkManager[2890] <warn> Dispatcher script timed out: Script '/etc/NetworkManager/dispatcher.d/01ifupdown' timed out.
14/04/2014 22:50:07 hostname dhclient DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11
14/04/2014 22:50:11 hostname nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
14/04/2014 22:50:18 hostname dhclient DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
14/04/2014 22:50:21 hostname nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
14/04/2014 22:50:23 hostname dhclient No DHCPOFFERS received.
14/04/2014 22:50:23 hostname dhclient No working leases in persistent database - sleeping.
14/04/2014 22:50:31 hostname nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)

I was advised to run openvpn manually in the terminal. Result: I was able to establish a vpn connection and I had the internet connection inside the tunnel.
Log:

administrator@hostname:~/AirVPN$ sudo openvpn ~/AirVPN/AirVPN_Romania_UDP-443.ovpn
Mon Apr 14 23:38:09 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 17 2014
Mon Apr 14 23:38:09 2014 WARNING: file 'user.key' is group or others accessible
Mon Apr 14 23:38:09 2014 WARNING: file 'ta.key' is group or others accessible
Mon Apr 14 23:38:09 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Apr 14 23:38:09 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:09 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:09 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Apr 14 23:38:09 2014 UDPv4 link local: [undef]
Mon Apr 14 23:38:09 2014 UDPv4 link remote: [AF_INET]109.163.230.232:443
Mon Apr 14 23:38:09 2014 TLS: Initial packet from [AF_INET]109.163.230.232:443, sid=ef7a6c26 bc89ef18
Mon Apr 14 23:38:10 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=i...@airvpn.org
Mon Apr 14 23:38:10 2014 Validating certificate key usage
Mon Apr 14 23:38:10 2014 ++ Certificate has key usage 00a0, expects 00a0
Mon Apr 14 23:38:10 2014 VERIFY KU OK
Mon Apr 14 23:38:10 2014 Validating certificate extended key usage
Mon Apr 14 23:38:10 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Apr 14 23:38:10 2014 VERIFY EKU OK
Mon Apr 14 23:38:10 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=i...@airvpn.org
Mon Apr 14 23:38:17 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 14 23:38:17 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:17 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 14 23:38:17 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 14 23:38:17 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Mon Apr 14 23:38:17 2014 [server] Peer Connection Initiated with [AF_INET]109.163.230.232:443
Mon Apr 14 23:38:19 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Apr 14 23:38:19 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.4.0.1,comp-lzo no,route 10.4.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.4.30.78 10.4.30.77'
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: LZO parms modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: route options modified
Mon Apr 14 23:38:19 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Apr 14 23:38:19 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:26:c7:94:96:ec
Mon Apr 14 23:38:19 2014 TUN/TAP device tun0 opened
Mon Apr 14 23:38:19 2014 TUN/TAP TX queue length set to 100
Mon Apr 14 23:38:19 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Apr 14 23:38:19 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Apr 14 23:38:19 2014 /sbin/ip addr add dev tun0 local 10.4.30.78 peer 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 109.163.230.232/32 via 192.168.1.1
Mon Apr 14 23:38:19 2014 /sbin/ip route add 0.0.0.0/1 via 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 128.0.0.0/1 via 10.4.30.77
Mon Apr 14 23:38:19 2014 /sbin/ip route add 10.4.0.1/32 via 10.4.30.77
Mon Apr 14 23:38:19 2014 Initialization Sequence Completed

SUMMARY: I am not sure if it's the problem with network-manager or its kde frontend, but the only way to have internet connection is to use openvpn from command line.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.13-1-amd64

Debian Release: jessie/sid
  500 testing security.debian.org
  500 testing ftp.pl.debian.org
  400 unstable ftp.pl.debian.org

--- Package information. ---
Depends                 (Version) | Installed
=================================-+-=============
libc6                    (>= 2.4) |
libdbus-1-3            (>= 1.0.2) |
libdbus-glib-1-2        (>= 0.78) |
libglib2.0-0          (>= 2.37.3) |
libnm-glib-vpn1      (>= 0.7.999) |
libnm-glib4          (>= 0.7.999) |
libnm-util2          (>= 0.8.998) |
openvpn              (>= 2.1~rc9) |

Package's Recommends field is empty.

Package's Suggests field is empty.
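
An added example, not part of the original report or of any Debian or NetworkManager tooling: a small triage script that pulls the security-relevant OpenVPN warnings and the option mismatches out of a log like the nm-openvpn one above. The rule names and the link it draws between the comp-lzo mismatch and the TUN write errors are assumptions of this example (a heuristic), and the sample lines are copied from the report.

```python
import re
from collections import Counter

# Sample input: nm-openvpn lines copied from the log in the report above.
SAMPLE = """\
14/04/2014 22:49:44 hostname nm-openvpn[7029] WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
14/04/2014 22:49:44 hostname nm-openvpn[7029] WARNING: file '/home/administrator/AirVPN/user.key' is group or others accessible
14/04/2014 22:49:55 hostname nm-openvpn[7029] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
14/04/2014 22:49:55 hostname nm-openvpn[7029] WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
14/04/2014 22:50:01 hostname nm-openvpn[7029] Initialization Sequence Completed
14/04/2014 22:50:11 hostname nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
14/04/2014 22:50:21 hostname nm-openvpn[7029] write to TUN/TAP : Invalid argument (code=22)
""".splitlines()

RULES = [  # (finding name, pattern); group "d" captures the file or option name
    ("no-server-cert-verification", re.compile(r"WARNING: No server certificate verification method")),
    ("key-file-too-open", re.compile(r"WARNING: file '(?P<d>[^']+)' is group or others accessible")),
    ("option-mismatch", re.compile(r"WARNING: '(?P<d>[^']+)' is used inconsistently")),
    ("option-missing-locally", re.compile(r"WARNING: '(?P<d>[^']+)' is present in remote config but missing")),
    ("tun-write-error", re.compile(r"write to TUN/TAP : Invalid argument")),
]

def triage(lines):
    """Return (findings, counts); findings is a list of (rule, detail) in log order."""
    findings, counts = [], Counter()
    for line in lines:
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((name, m.groupdict().get("d") or ""))
                counts[name] += 1
                break
    return findings, counts

def verdicts(findings, counts):
    """Turn findings into short remediation notes (the comp-lzo link is a heuristic)."""
    out = []
    if counts["no-server-cert-verification"]:
        out.append("no server certificate verification is configured for this connection")
    out += [f"restrict key file to its owner (chmod 600): {d}"
            for n, d in findings if n == "key-file-too-open"]
    if ("option-missing-locally", "comp-lzo") in findings and counts["tun-write-error"]:
        out.append(f"comp-lzo set on the server but not locally, then {counts['tun-write-error']} "
                   "TUN write errors: probable compression framing mismatch")
    return out

if __name__ == "__main__":
    for v in verdicts(*triage(SAMPLE)):
        print("-", v)
```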