network-manager-openvpn config import ignores tls-crypt section

Bug #1847144 reported by Shaya Potter
This bug affects 9 people
Affects: network-manager-openvpn (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I set up a VPN on a Raspberry Pi with PiVPN.

It creates ovpn files with a tls-crypt section:

<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<key data>
-----END OpenVPN Static key V1-----
</tls-crypt>

network-manager fails to extract this key and set up the advanced tls-crypt section when one imports the ovpn file, and the VPN cannot connect (logs only show a timeout).

On the other hand, openvpn --config ovpn-file works fine.

Extracting the tls-crypt key and setting the TLS settings to tls-crypt with this extracted key enables the VPN to work.

Additionally, it doesn't extract the config to verify the name as the ovpn file also requests it to do (again, can't set this manually).

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: network-manager-openvpn 1.8.10-1
ProcVersionSignature: Ubuntu 5.0.0-27.28-generic 5.0.21
Uname: Linux 5.0.0-27-generic x86_64
ApportVersion: 2.20.10-0ubuntu27.1
Architecture: amd64
CurrentDesktop: KDE
Date: Mon Oct 7 23:30:49 2019
InstallationDate: Installed on 2019-01-06 (274 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
SourcePackage: network-manager-openvpn
UpgradeStatus: Upgraded to disco on 2019-04-18 (172 days ago)

Shaya Potter (sjpotter) wrote :
Tim Richardson (tim-richardson) wrote :

You are correct. Thanks. I was so puzzled by this.

I am using KDE. Possibly the network manager interface is different. This is what I did.
Imported the openvpn config file into NetworkManager. It makes a connection, it times out, and no amount of debugging gives any more hint.

I edit the openvpn file, and extract the key block into a file.
It is the key block in between <tls-crypt> and </tls-crypt>
so my text file looks like this:

-----BEGIN OpenVPN Static key V1-----
92e2de5ae643729863zzzz4a0ebe952
.
.
.

cc05zxzxczczxxczxzxczxce902b498a5
-----END OpenVPN Static key V1-----

I save it as blabla.key

Then I opened the openvpn connection imported into nm, chose Advanced... on the VPN (openvpn) tab, chose TLS Settings, and changed only two things:
Mode is TLS-Crypt
and for Key File I give the path of the key file created just before.

And immediately, the connection worked.
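
The key extraction described in the comment above, as an added shell example that is not part of the original thread. The function names, file names and key material are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): extract an inline block such as
# <tls-crypt> from an .ovpn profile into a separate key file.

# extract_inline_block PROFILE TAG OUTFILE
# Copies the lines between <TAG> and </TAG>, minus comments and blank lines,
# to OUTFILE (mode 0600). Returns 1 if no complete static key is found.
extract_inline_block() {
    local profile="$1" tag="$2" out="$3" body
    body=$(awk -v start="<$tag>" -v stop="</$tag>" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        $0 == stop  { inside = 0 }
        inside && !/^[ \t]*(#|$)/ { print }     # drop "# 2048 bit ..." comments
        $0 == start { inside = 1 }
    ' "$profile") || return 1
    # Refuse to write anything that is not a complete static key.
    case $body in
        "-----BEGIN OpenVPN Static key V1-----"*"-----END OpenVPN Static key V1-----") ;;
        *) echo "no usable <$tag> block in $profile" >&2; return 1 ;;
    esac
    # The key is a shared secret: keep it readable by the owner only.
    ( umask 077; printf '%s\n' "$body" > "$out" ) && chmod 600 "$out"
}

# write_sample_profile PATH: constructed profile with made-up key material.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
remote vpn.example.invalid 1194
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Demo: run against the constructed profile in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample_profile "$demo_dir/sample.ovpn"
extract_inline_block "$demo_dir/sample.ovpn" tls-crypt "$demo_dir/tls-crypt.key" &&
    echo "key written to $demo_dir/tls-crypt.key"
```

The resulting file is what the Key File field takes once Mode is set to TLS-Crypt in the connection's TLS settings.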

Berbigou (poub-clotilde) wrote :

Hello,
same problem as Shaya Potter for me, for server TLS-crypt key AND server name
same solution worked for me

glad to see it's already documented.
btw, I'm on Archlinux 5.4.6-arch3-1 with KDE ...

NetworkManager 1.22.2-1
networkmanager-openvpn 1.8.10-1 (no "-" between network and manager in Arch)

Berbigou (poub-clotilde) wrote :

I also noted that the NetworkManager export function doesn't export the advanced settings concerned, but maybe it's a bug report for NetworkManager, not Network-manager-openvpn.

Hope it will help

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed

Michael Helmling (supermihi) wrote :

Same here. Not only <tls-crypt> section but also the tls-cipher setting from my .ovpn config file were ignored.

Interestingly it does work when using the networkmanager CLI:

nmcli connection import vpn.ovpn

did import everything correctly. Apparently the UI is not using the same import method as the CLI ...

Podesta (podesta) wrote :

Linux 5.13.0-39-generic #44~20.04.1-Ubuntu SMP Thu Mar 24 16:43:35 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux - Kubuntu
Bug still present. Adding with the cli works great:

nmcli connection import type openvpn file FILE.ovpn

Berbigou (poub-clotilde) wrote :

Hello,
I noticed today that importing a WireGuard conf file with plasma-nm (on Plasma/ArchLinux, I know I'm not in the right forum), the last number of my IP address is lost in importation : if my IP address is a.b.c.d in the conf file, it becomes a.b.c.0 in networkmanager, rectifying the address makes the tunnel work.

I think someone should rewrite networkmanager importation via plasma-nm (easy to say, but man, there's a lot of problems for a so-called-easy-GUI-tool intended for reading text files).

I also notice that this bug is "confirmed" but "not assigned". Maybe we knock at the wrong door.
I will also notify plasma-nm bugs logs.

Hope that will help someone.

linux 5.17.4.arch1-1
plasma-nm 5.24.4-1
