Debian 9 Network Manager client



  • Has anyone had any luck getting a Debian 9 system to connect as a client to pfSense/OpenVPN server? I imported the config using the "Most Clients" inline option from the export wizard. The only lines in the log are not very helpful…

    Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.3915] audit: op="connection-activate" uuid="03a7626f-da91-48ff-8a60-6ffa433ed5c4" name="edge-UDP4-1194-cboyle-config" pid=2194 uid=1000 result="success"
    Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.4188] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: Started the VPN service, PID 3848
    Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.4418] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: Saw the service appear; activating connection
    Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.8320] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: starting (3)
    Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.8332] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN connection: (ConnectInteractive) reply received
    Dec 26 17:29:36 cb-laptop NetworkManager[484]: Tue Dec 26 17:29:36 2017 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
    Dec 26 17:29:36 cb-laptop nm-openvpn[3854]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
    Dec 26 17:29:36 cb-laptop nm-openvpn[3854]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: UDP link local: (not bound)
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
    Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    Dec 26 17:30:36 cb-laptop NetworkManager[484]: <warn>[1514327436.7746] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN connection: connect timeout exceeded.
    Dec 26 17:30:36 cb-laptop nm-openvpn-serv[3848]: Connect timer expired, disconnecting.
    Dec 26 17:30:36 cb-laptop NetworkManager[484]: <warn>[1514327436.7968] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: failed: connect-failed (1)
    Dec 26 17:30:36 cb-laptop NetworkManager[484]: <info>[1514327436.7992] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: stopping (5)
    Dec 26 17:30:36 cb-laptop NetworkManager[484]: <info>[1514327436.8001] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: stopped (6)
    
    root@cb-laptop:/usr/lib/NetworkManager/VPN#
    

    I'm still trying to figure out how to get better debugging info on the client side.



  • I was able to get it working by setting the "Key Direction" to 1.
    I guess that part is not included in the exported config.

    Also, had to turn on LZO compression on the client side, even though I have compression turned off on the server side.



  • The key direction is in fact included in the config file, so I guess this is a bug in Gnome's Network Manager import code.
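One way to check for the import gap discussed in this thread, as an added example that is not part of any post: it compares the exported .ovpn with the `[vpn]` section of the imported NetworkManager profile and reports a missing key direction or LZO setting. It assumes the NetworkManager OpenVPN plugin's profile keys `ta-dir` and `comp-lzo`; both sample inputs, including host names and paths, are constructed.

```python
import configparser
import re

# Constructed samples (not from the thread): an exported client config and
# the [vpn] section of the NetworkManager profile created by importing it.
SAMPLE_OVPN = """remote vpn.example.net 1194 udp
comp-lzo adaptive
key-direction 1
<tls-auth>
(constructed placeholder, no real key material)
</tls-auth>
"""
SAMPLE_PROFILE = """[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.net
ta=/home/user/.cert/nm-openvpn/example-tls-auth.pem
"""

def ovpn_settings(text):
    """Map each directive to its arguments, skipping inline <tag> bodies."""
    out, inline = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if inline:                      # inside <tag> ... </tag>
            inline = None if line == f"</{inline}>" else inline
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            inline = tag.group(1)
            out.setdefault(inline, [])
        else:
            name, *args = line.split()
            out[name] = args
    return out

def import_gaps(ovpn_text, profile_text):
    """List settings present in the .ovpn but missing from the NM profile."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(profile_text)
    vpn = cfg["vpn"] if cfg.has_section("vpn") else {}
    s, gaps = ovpn_settings(ovpn_text), []
    # Direction comes from key-direction or the second tls-auth argument.
    want = (s.get("key-direction") or s.get("tls-auth", [])[1:2] or [None])[0]
    if "tls-auth" in s and want is not None and vpn.get("ta-dir") != want:
        gaps.append(f"ta-dir: expected {want}, profile has {vpn.get('ta-dir')}")
    if "comp-lzo" in s and "comp-lzo" not in vpn:
        gaps.append("comp-lzo: set in config, absent from profile")
    return gaps
```

On a real system the profile text would be read from the connection's file under /etc/NetworkManager/system-connections/, which requires root.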

