Problem in nm-openvpn-service.c, openvpn connection fails after key renegotiation because --auth-user-pass is passed with --auth-nocache.

Bug #1681295 reported by Nicholas Stommel
This bug affects 5 people
Affects: network-manager-openvpn (Ubuntu)
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

So I've been using OpenVPN through the network-manager-openvpn package integrated into the network manager GUI. I experienced an odd problem where, consistently, during or after downloading (in this case, I tested by just downloading the kernel tarball from kernel.org repeatedly, which is around 90 MB), every single time, without fail, the openvpn client would fail and my connection would go dead. To reconnect, I would have to manually restart the network manager.

Now, I played around with .conf files and the CLI openvpn client and noticed EXACTLY the same behavior happening. I eventually arrived at the conclusion that the flag or option "auth-nocache" would cause a connection reset after or during downloads and streaming. I then got to reading the openvpn man pages and I stumbled across this message (you can easily find it by going 'man openvpn | grep nocache') about the guaranteed failure of key renegotiation if auth-user-pass and auth-nocache were used together:

"Further, using --daemon together with --auth-user-pass (entered on console) and --auth-nocache will fail as soon as key renegotiation (and reauthentication) occurs."

When I removed auth-user-pass from my .conf files, the problem went away. Then I wondered: what if network-manager-openvpn was actually passing both flags to openvpn? Then I downloaded the source tarball and found that indeed, this exact thing is happening on a SINGLE line. See line 1380 of network-manager-openvpn-1.1.93/src/nm-openvpn-service.c:
"add_openvpn_arg (args, "--auth-nocache");"

So I decided to comment out that single line. I then rebuilt the packages network-manager-openvpn and network-manager-openvpn-gnome using 'dpkg-buildpackage -us -uc -nc', installed them, and tested downloading the source kernel repeatedly to see if the connection would hold. It does! Literally commenting out ONE line fixed weeks' worth of extreme annoyance repeatedly reconnecting to my vpn. This issue is rather annoying and needs to be fixed so openvpn doesn't keep cutting out. I've attached a patch for the source.
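
The following is an added example, not code from the bug report or from network-manager-openvpn. It is a small POSIX sh check a sysadmin can run to find out whether an installed plugin (or any other launcher) still hands openvpn the --auth-user-pass and --auth-nocache pair that the man page quoted above warns about. It inspects an argument list directly and, on a live system, the NUL-separated /proc/<pid>/cmdline of running openvpn processes. The function names, the sample argument list and the /etc/openvpn/example.conf path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or network-manager-openvpn): detect the
# --auth-user-pass + --auth-nocache combination that breaks key renegotiation.
# Function names and the sample argv are constructed for this example.

# flags_conflict ARG... : succeed (exit 0) if the argument list carries both
# --auth-user-pass and --auth-nocache, fail (exit 1) otherwise.
flags_conflict() {
    has_nocache=0
    has_userpass=0
    for arg in "$@"; do
        case "$arg" in
            --auth-nocache)   has_nocache=1 ;;
            --auth-user-pass) has_userpass=1 ;;
        esac
    done
    [ "$has_nocache" -eq 1 ] && [ "$has_userpass" -eq 1 ]
}

# cmdline_conflict FILE : same check over a NUL-separated argv file such as
# /proc/<pid>/cmdline, which is how a running openvpn exposes its arguments.
cmdline_conflict() {
    tr '\0' '\n' < "$1" | grep -qx -- '--auth-nocache' &&
    tr '\0' '\n' < "$1" | grep -qx -- '--auth-user-pass'
}

# scan_running_openvpn : print the PID of every openvpn process that carries the
# conflicting pair. Prints nothing (and succeeds) when none is found, when pgrep
# is missing, or when /proc is not readable.
scan_running_openvpn() {
    command -v pgrep >/dev/null 2>&1 || return 0
    for pid in $(pgrep -x openvpn 2>/dev/null || true); do
        if [ -r "/proc/$pid/cmdline" ] && cmdline_conflict "/proc/$pid/cmdline"; then
            echo "openvpn pid $pid: --auth-user-pass and --auth-nocache both present"
        fi
    done
    return 0
}

# Demo on a constructed argv shaped roughly like what a launcher builds (the exact
# list is an assumption; only the two flags matter for the check).
if flags_conflict --config /etc/openvpn/example.conf --auth-user-pass --auth-nocache; then
    echo "sample argv: conflicting pair present (the combination the man page warns about)"
fi
if ! flags_conflict --config /etc/openvpn/example.conf --auth-user-pass; then
    echo "sample argv without --auth-nocache: no conflict"
fi
scan_running_openvpn
```

Run it as an unprivileged user to check your own session, or as root to see every openvpn instance on the host; a reported PID means that process will lose its credentials at the next renegotiation unless the launcher can re-supply them.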

Nicholas Stommel (nstommel) wrote :
no longer affects: network-manager (Ubuntu)
Nicholas Stommel (nstommel) wrote :

Built patched package.

Nicholas Stommel (nstommel) wrote :

Additional generated built patched package network-manager-openvpn-gnome

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "The following patch removes the single offending line which causes this issue." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
description: updated
summary: - Problem in network-manager-openvpn, openvpn fails during and after
- downloads.
+ Problem in nm-openvpn-service.c, openvpn connection fails after key
+ renegotiation because --auth-user-pass is passed with --auth-nocache.
Will Rouesnel (w-rouesnel) wrote :

Can this be marked as urgent? This is a *huge* problem! I can confirm the attached patch resolves disconnects every 10 minutes for me completely (been up 24 hours so far).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Will Rouesnel (w-rouesnel) wrote :

Patch fixes the problem entirely.

Nicholas Stommel (nstommel) wrote :

Thanks for the confirmation, Will, glad to see that it works. And yeah, I think this bug should be marked urgent because without the patch, my vpn connection drops in the same manner every ten minutes or so. The rationale behind not passing auth-nocache seems pretty clear to me based on the openvpn man pages.

Sebastien Bacher (seb128) wrote :

The issue was reported upstream and they commented:

"the plugin doesn't use --daemon, so it's unclear why the quoted message would matter.

It looks like the plugin is unable to re-request the password. So, having openvpn cache the password might workaround the issue in some cases, but it doesn't seem to be the right fix.

Maybe it's due to --user, and later the plugin's /usr/libexec/nm-openvpn-service-openvpn-helper is unable to connect NetworkManager via D-Bus.
Or maybe, openvpn requests a new secret via the --management socket, but the plugin fails to handle the request.

It would be helpful to provide a logfile with full debugging info enabled (beware of private data!!).

On recent versions, you can enable verbose logging via

  sudo nmcli general logging level TRACE domains ALL,VPN_PLUGIN

and re-activate the connection.
See https://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/contrib/fedora/rpm/NetworkManager.conf?id=master"

Changed in network-manager-openvpn (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Nicholas Stommel (nstommel) wrote :

Debian package for network-manager-openvpn built for Ubuntu 17.04 attached.

Nicholas Stommel (nstommel) wrote :

Debian package for network-manager-openvpn-gnome built for Ubuntu 17.04 attached.

Tonmoy Ajize (tonmoyajize) wrote :

@nstommel thanks for this, this was the single thing preventing me from Ubuntu ... thank you again :)
