network-manager-openvpn does not support all options supported by openvpn

Same problem.
My OpenVPN server uses a non-default keysize, so I can't use Network Manager to connect bacause there's no way to set keysize on GUI. The log says "WARNING: 'keysize' is used inconsistently".
Please add more options to the "OpenVPN Advanced Options" dialog.

 nm-openvpn does not support *most* of the openvpn options. Just compare number of checkboxes with the number of openvpn options in man page. Most of these unsupported options are obscure enough to not be reported but some - like these ones, pkcs12 support, multiple "remote" options, up/down scripts etc. - are painful enough for some people. There are multiple bugs saying "it does not support option X"
 How hard would it be to support "I have my working config file, use it" advanced option? This would make mm-openvpn usable for people who simply cannot use it now.

I am having the same issue. I occasionally use very simple openvpn tunnels across already encrypted links and in those specific cases I'd like to have encryption off and no authentication. Here is an example config file:

------ cut here ----
remote 192.168.0.101 1000
dev tun0
ifconfig 10.10.10.2 10.10.10.1
proto udp
ping 5
link-mtu 1366
up-delay
daemon
---- end of config file ----

There is no way to implement this presently in "network-manager-openvpn". I'd suggest something like this:

1. Allow an "expert option" to simply specify an openvpn config file to be used for the connection.

2. Include an "advanced" area where the user is allowed to edit the options that will be used (e.g. what follows '/usr/sbin/openvpn' while referencing variable from the rest of the configuration gui. For example:

Edit Command Line: --remote $Gateway $lzo --nobind --dev $tun_or_tap --proto $proto --port $port ...etc

The gui would dynamically build this command line while you edited and/or checked/unchecked options (similar to the way several IDEs do for a compiler/linker).

Another vote for Sergeis suggestion. Please add an option like "I have my working config file, use it". I have a lot of connections to my customers with different settings. None of them do work with the NM-plugin. Sorry, but this plugin is a pain in the a** since the project started and there is no hope that the situation is getting better within the next years. An option to use an existing config file is the best workaround I've heard so far.

I have the same experience. I have a ton of working .ovpn files, but almost none of them translates well into NM setting. In my opinion the greatest help would be to enable NM to run openvpn with supplied configuration file. In fact I only need a very simple wrapper around "sudo openvpn config.ovpn" with simple GUI and integration into NM.

I'd like to support Sergeis request. An option to use a custom config file would be great.

Here's my vote for being able to use an existing OpenVPN config file. You can import one, but that fails if it's not a configuration network-manager-openvpn knows about.

I know I can easily start openvpn from the command line, but as long as I have that network icon there and it has VPN support it would be very nice to be able to use it to start my custom OpenVPN connections. It should not be too difficult to implement. It could be an option on the advanced settings panel.

Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.

This bug effects me too… since I installted (K)Ubuntu Intrepid :-(

This also affects me. In my instance, sometimes I need to use Azilink on my phone to tether when I can't get an internet connection. This requires both no encryption and no authentication. It's kind of frustrating, because some applications look at Network Manager's status and if there are no connections there it stays in offline mode. However, with the current configuration I use while tethering, there IS a connection, it's just not reported by Network Manager.

One workaround is to open up gconf-editor, go to /system/networking/connections/#/vpn and add keys for the options you want.

Hi:

After reading the last post suggesting a workaround I try to add some keys with gconf-editor, for example "tls-remote", but didn't work witth Karmic and network-manager-openvpn version 0.8~rc1-0ubuntu1~nm1~karmic, installed from the PPA: http://ppa.launchpad.net/network-manager/ppa/ubuntu

This version of Network Manager ( > 0.8 ) is supposed to accept this kind of options with OpenVPN, as seen here: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/116256

Any suggestion around this issue?.

Cheers, Ibon.

This bug is still around in Ubuntu 10.10.

I am affected due importing 'comp-lzo' setting.

To work around you need to change from
comp-lzo
to
comp-lzo yes

then it will work.

I need multiple remotes. An option to use existing openvpn config would be great.

Comment #8 also indicates a security vulnerability, doesn't it?

I google'd the heck out of this - couldn't find anything. Hack/workaround I used was:

mv /usr/sbin/openvpn /usr/sbin/openvpn.real

make a new shell script for /usr/sbin/openvpn

#!/bin/bash
/usr/sbin/openvpn.real <mycustomoptions_here> $@

I opened bug #1047362 to specifically request support using a .ovpn file directly for configuration, as described in comment #2.

I need to be able to add --explicit-exit-notify. This is a must with UDP connections. I find it bizarre that OpenVPN doesn't enable this by default. However, since it doesn't, NM really needs to be able to call the option explicitly.

Is there a solid reason why there isn't an "advanced options pass-through" ability?

Keysize still isn't configurable.

Robert wrote a path for Fedora: http://pkgs.fedoraproject.org/cgit/NetworkManager-openvpn.git/tree/keysize.patch?h=el6
Maybe the patch is usable for ubuntu, too?

Hope this helps to fix that.

Thank you.

The --ping-restart option isn't supported too.

I would like to propose the following patch to handle the options in the configuration file (just tested it right now, and it does the job)

[vpn]
<...>
ping=10
ping-restart=60

As one can see, the process spawned has the proper arguments :
$ ps auxw | grep vpn
root 3752 0.0 0.0 28444 2728 ? S 22:16 0:00 /usr/sbin/openvpn --remote <...> --nobind --dev tun --proto udp --port 1194 --auth-nocache --ping-restart 60 --ping 10 --syslog nm-openvpn --script-security 2 --up /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --ifconfig-noexec --secret <...> --ifconfig 192.168.100.2 192.168.100.1

This alone of course won't fix the UI, but it's a start.

The attachment "Adds "--ping" and "--ping-restart"" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

I'm using openvpn behind a proxy that doesn't work with the auto detection of the authentification method. I should force 'basic', but it is not present in the currently supported options.

> Isn't there any way to add an option to NM OVPN? I need 'ns-cert-type server' to be able to connect to my workplace.

> Comment #8 also indicates a security vulnerability, doesn't it?

Yes, lack of ns-cert-type server support is indeed a security vulnerability. It affects sites that use a single CA to sign both client and server certificates. The risk is that anyone's client certificate can be used to impersonate the server; for example, to execute a man-in-the-middle attack.

One workaround would be to use the newer "--remote-cert-tls server" option instead, but that requires an X.509v3 extension in the server certificate, which some sites do not have.

Another workaround would be to use the "--verify-x509-name" option, but network-manager-openvpn does not support it.

Another workaround would be to use the "--tls-remote" option, but that one is deprecated, and network-manager-openvpn's support for it breaks if there is a space in the server certificate's Common Name field.

https://openvpn.net/index.php/open-source/documentation/howto.html#mitm

In short, NetworkManager's OpenVPN support is not merely weak; it is severely broken. This particular break (which is not the only one) puts users at risk by silently discarding important security precautions that are configured in the .ovpn files it "imports".

Related upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=704866

Here's a patch to enable use of the tls-cipher option in the connection files, in Xenial.
I adjusted the patch TJ wrote for Wily a while ago.

It would be grand if one could just add arbitrary key/value pairs of arguments.