Debian 9 Network Manager client

coreybrett

Has anyone had any luck getting a Debian 9 system to connect as a client to pfSense/OpenVPN server? I imported the config using the "Most Clients" inline option from the export wizard. The only lines in the log are not very helpful…

Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.3915] audit: op="connection-activate" uuid="03a7626f-da91-48ff-8a60-6ffa433ed5c4" name="edge-UDP4-1194-cboyle-config" pid=2194 uid=1000 result="success"
Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.4188] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: Started the VPN service, PID 3848
Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.4418] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: Saw the service appear; activating connection
Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.8320] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: starting (3)
Dec 26 17:29:36 cb-laptop NetworkManager[484]: <info>[1514327376.8332] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN connection: (ConnectInteractive) reply received
Dec 26 17:29:36 cb-laptop NetworkManager[484]: Tue Dec 26 17:29:36 2017 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Dec 26 17:29:36 cb-laptop nm-openvpn[3854]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Dec 26 17:29:36 cb-laptop nm-openvpn[3854]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: UDP link local: (not bound)
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Dec 26 17:29:37 cb-laptop nm-openvpn[3854]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 26 17:30:36 cb-laptop NetworkManager[484]: <warn>[1514327436.7746] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN connection: connect timeout exceeded.
Dec 26 17:30:36 cb-laptop nm-openvpn-serv[3848]: Connect timer expired, disconnecting.
Dec 26 17:30:36 cb-laptop NetworkManager[484]: <warn>[1514327436.7968] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: failed: connect-failed (1)
Dec 26 17:30:36 cb-laptop NetworkManager[484]: <info>[1514327436.7992] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: stopping (5)
Dec 26 17:30:36 cb-laptop NetworkManager[484]: <info>[1514327436.8001] vpn-connection[0x559940804500,03a7626f-da91-48ff-8a60-6ffa433ed5c4,"edge-UDP4-1194-cboyle-config",0]: VPN plugin: state changed: stopped (6)

root@cb-laptop:/usr/lib/NetworkManager/VPN#</info></info></warn></warn></info></info></info></info></info> 

I'm still trying to figure out how to get better debugging into on the client side.

coreybrett

I was able to get it working by setting the "Key Direction" to 1.
I guess that part is not included in the exported config.

Also, had to turn on LZO compression on the client side, even though I have compression turned off on the server side.

coreybrett

The key direction is in fact included in the config file, so I guess this is a bug in Gnome's Network Manager import code.