openvpn / openvpn3-linux

OpenVPN 3 Linux client

License: GNU Affero General Public License v3.0

Makefile 1.80% Shell 0.26% M4 2.47% C++ 85.12% Python 9.78% CMake 0.52% JavaScript 0.05%
openvpn vpn-tunnel vpn-client linux dbus security vpn

openvpn3-linux's Introduction

OpenVPN 3 Linux

OpenVPN 3 Linux is an OpenVPN platform which builds on capabilities available on newer Linux distributions. Compared to the more classic OpenVPN 2.x generation, OpenVPN 3 Linux covers many more aspects of the VPN configuration and session life-cycle than prior OpenVPN generations did.

To quickly compare them, OpenVPN 2.x provides a single executable which is responsible for a single VPN session. There is no configuration or session management in OpenVPN 2.x itself; it depends on the systemd openvpn-client@.service and openvpn-server@.service unit files, the Network Manager OpenVPN plug-in or other third-party management tools.

OpenVPN 3 Linux provides full configuration and session management in addition to providing the VPN tunnel itself. For example, it has built-in privilege separation and execution models, for improved process security. This allows unprivileged users to start their own VPN sessions and manage them themselves. VPN configuration profiles can be shared with other users on the system or kept private. All of this works without installing anything additional.

Through this privilege separation model, the network configuration aspect of the VPN tunnel is split out into its own process which runs with as few privileges as possible. In practice that means it can only do network configuration changes. This process knows nothing about the connection to the VPN server, it just facilitates creating the virtual network adapter and configuring it with network routes. This network configuration service is also capable of setting up the DNS resolver out-of-the-box. For OpenVPN 2.x to do that, it would need to run additional scripts or use specific plug-ins to trigger such updates on the system.

The same OpenVPN 3 Core library which is used in the OpenVPN Connect clients is also used in this project. This implementation does not support all options OpenVPN 2.x does, but if you have a functional configuration with OpenVPN Connect (typically on Android or iOS devices) it should work with this client. In general OpenVPN 3 supports routed TUN configurations; TAP and bridged setups are not supported and will not work.

The OpenVPN 3 Linux architecture is based on splitting up the functionality into several independently running services. They are referred to as backend services. The interaction with these services happens through what is referred to as a user front-end. This project also ships with a Python 3 module which can be used to implement your own OpenVPN front-ends.

On a more technical level, the integration between the user front-end and the backend services is built on top of D-Bus. Any programming language supporting D-Bus can also be used to extend and implement a richer functionality.

Pre-built binaries

See the instructions on https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux for how to install pre-built OpenVPN 3 Linux packages on Debian, Ubuntu, Fedora, Red Hat Enterprise Linux, CentOS and Scientific Linux.

Getting started using OpenVPN 3 Linux

See the QUICK-START document to get started using OpenVPN 3 Linux.

Introduction to the OpenVPN 3 Linux architecture

To interact with the various OpenVPN 3 services running in the background, three different utilities are provided.

  • openvpn2 (man page)

    This is an interface which tries to look and behave more like the classic OpenVPN 2.x versions. It only allows options which are supported by the OpenVPN 3 Core Library, plus a handful of options which are ignored, as it is possible to establish connections without those options active. Only client side options are supported.

    When running openvpn2 with --daemon it will return a D-Bus session path to the VPN session. This path can be used by the openvpn3 utility to further manage this session.

  • openvpn3 (man page)

    This is a brand new command line interface which does not look like OpenVPN 2.x at all. It can be used to start, stop, pause and resume tunnels and to retrieve tunnel statistics. It can also be used to import, retrieve and manage configurations stored in the configuration manager, as well as to handle access control lists for VPN configuration profiles and running VPN sessions.

  • openvpn3-admin (man page)

    This will mostly only work when run as root. This is used to adjust some settings or retrieve information for some of the backend services and related system administration tasks.

As mentioned earlier, the OpenVPN 3 Linux project is built on top of D-Bus. This provides an API which can be used to further interact with the OpenVPN 3 Linux stack. It can be used to create a new user front-end or it can be used to trigger other operations on the host when certain events happen.

The OpenVPN 3 Linux stack consists of several D-Bus services running in the background. There are six services which are good to be aware of. All of these services will normally start automatically, and when they are idle for a while with no data to maintain, they will shut down automatically.

  • openvpn3-service-configmgr (man page | D-Bus documentation)

    This is the configuration manager. All configuration profiles will be uploaded to and managed by this service before a tunnel is started. This service also ensures that only users granted access to imported VPN profiles have the proper access to them. By default this process is started as the openvpn user.

  • openvpn3-service-sessionmgr (man page | D-Bus documentation)

    This manages all VPN tunnels which are about to start or have started. It takes care of communicating with the VPN backend processes and ensures only users with the right access levels can manage the various tunnels. This service is started as the openvpn user.

  • openvpn3-service-backendstart (man page | D-Bus documentation)

    This is a helper service and is only available to the session manager. The only task this service has is to start new VPN client backend processes (the VPN tunnel instances). By default this is also started as the openvpn user.

  • openvpn3-service-client (man page | D-Bus documentation)

    This must be started by the openvpn3-service-backendstart service. One such process is started per VPN client. Once it has started, it registers itself with the session manager and the session manager provides it with the needed details so it can retrieve the proper configuration profile from the configuration manager. This service depends on openvpn3-service-netcfg to manage the tun interface and related configuration. This service is started as the openvpn user.

  • openvpn3-service-netcfg (man page | D-Bus documentation)

    This provides a service similar to a VPN API on some platforms. It is responsible for creating, managing and destroying virtual tunnel interfaces, such as the tun or ovpn Data Channel Offload interfaces. It also configures them, in addition to handling the DNS configuration provided by the VPN server. This is the most privileged process, and it only has a few capabilities enabled (such as CAP_NET_ADMIN and possibly CAP_DAC_OVERRIDE or CAP_NET_RAW). With these capabilities, the service can run as the openvpn user.

    Currently DNS configuration is done by manipulating /etc/resolv.conf directly. Support for systemd-resolved has been added. On Linux distributions expected to be pre-configured with systemd-resolved, OpenVPN 3 Linux will use this service. On other distributions this needs to be enabled manually by running the following command as root:

    # openvpn3-admin netcfg-service --config-set systemd-resolved true
    

    Next time the openvpn3-service-netcfg service restarts, systemd-resolved support will be used instead. Note, this requires at least systemd v243 or newer (or a distribution which has back-ported a newer version). This works now with CentOS 8, Fedora 31 and newer, Red Hat Enterprise Linux 8 or Ubuntu 20.04 and newer.

    To disable the systemd-resolved integration and use /etc/resolv.conf instead, run these commands as root:

    # openvpn3-admin netcfg-service --config-unset systemd-resolved
    # openvpn3-admin netcfg-service --config-set resolv-conf /etc/resolv.conf
    
  • openvpn3-service-logger (man page | D-Bus documentation)

    This service will listen for log events happening from all the various services in the OpenVPN 3 Linux stack. It supports writing these events to the console (stdout), files or redirect to syslog or the systemd-journald. This is also automatically started when needed, if it isn't already running.

More information can be found in the openvpn3-linux(7) man page and OpenVPN 3 D-Bus overview.
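
One way to check, on a running host, the least-privilege description given above for openvpn3-service-netcfg is to decode the capability masks in /proc/<pid>/status and flag anything beyond the three capabilities the text names. This is an added example, not code from the OpenVPN 3 Linux project; the allowed set is taken from the text, and the two status samples (including uid 122) are constructed.

```python
"""Audit a process's capabilities against the set described for
openvpn3-service-netcfg. Added example; not part of OpenVPN 3 Linux."""
import sys

# Bit numbers from <linux/capability.h>; bits without a name here are
# reported as cap_<n>.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    6: "CAP_SETGID",
    7: "CAP_SETUID",
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
}

# Expected upper bound, taken from the service description above.
ALLOWED = frozenset({"CAP_NET_ADMIN", "CAP_DAC_OVERRIDE", "CAP_NET_RAW"})

# Constructed samples in /proc/<pid>/status format (not captured from a host).
CONFINED = """\
Name:\topenvpn3-servic
Uid:\t122\t122\t122\t122
CapInh:\t0000000000000000
CapPrm:\t0000000000003002
CapEff:\t0000000000003002
CapBnd:\t0000000000003002
"""

OVERPRIVILEGED = """\
Name:\topenvpn3-servic
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000203002
CapEff:\t0000000000203002
CapBnd:\t000001ffffffffff
"""


def decode_caps(mask):
    """Turn a capability bit mask into a set of capability names."""
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES.get(bit, "cap_%d" % bit))
        mask >>= 1
        bit += 1
    return names


def parse_status(text):
    """Parse 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_netcfg(status_text, allowed=ALLOWED):
    """Return a list of findings; an empty list means the process fits."""
    fields = parse_status(status_text)
    findings = []
    uids = fields.get("Uid", "").split()  # real, effective, saved, fs
    if not uids:
        findings.append("no Uid line found")
    elif "0" in uids:
        findings.append("runs with uid 0 instead of an unprivileged account")
    for key in ("CapPrm", "CapEff"):
        if key not in fields:
            findings.append("no %s line found" % key)
            continue
        extra = decode_caps(int(fields[key], 16)) - allowed
        if extra:
            findings.append("%s grants %s" % (key, ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a live process: pass its pid
        with open("/proc/%s/status" % sys.argv[1]) as fh:
            samples = {"pid " + sys.argv[1]: fh.read()}
    else:
        samples = {"confined": CONFINED, "over-privileged": OVERPRIVILEGED}
    for label, text in samples.items():
        print(label, "->", audit_netcfg(text) or "OK")
```

The process name in the samples is cut to 15 characters because that is how the kernel stores it; the same truncated name shows up in journal lines for these services.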

Kernel based Data Channel Offload (DCO) support

The Data Channel Offload support moves the processing of the OpenVPN data channel operations from the client process to the kernel, via the ovpn-dco-v2 kernel module. This means the encryption and decryption of the tunnelled network traffic is kept entirely in kernel space instead of being sent back and forth between the kernel and the OpenVPN client process. This has the potential to improve the overall VPN throughput. This module must be installed before OpenVPN 3 Linux can make use of this feature. This is shipped in the OpenVPN 3 Linux package repositories or can be built from the source code.

The ovpn-dco kernel module currently only supports Linux kernel 5.4 and newer. Currently supported distributions with DCO support:

  • CentOS 8
  • Fedora 36 and newer
  • Red Hat Enterprise Linux 8 and newer
  • Ubuntu 20.04 and newer

The ovpn-dco-v2 kernel module is currently not functional on RHEL/CentOS because the kernel version is older than 4.18. OpenVPN 3 Linux will build with the --enable-dco feature but requires a functional ovpn-dco kernel module to be fully functional.

To build OpenVPN 3 Linux with this support, add --enable-dco to the ./configure command.

SELinux support

The openvpn3-service-netcfg service depends on being able to pass a file descriptor to the tun device it has created on behalf of the openvpn3-service-client service (where each of these processes represents a single VPN session). This is done via D-Bus. But on systems with SELinux, the D-Bus daemon is not allowed to pass file descriptors related to /dev/net/tun.

The OpenVPN 3 Linux project ships two SELinux policy modules, which will be installed in /usr/share/selinux/packages.

The openvpn3.pp policy package adds a SELinux boolean, dbus_access_tuntap_device, which grants processes, such as dbus-daemon or dbus-broker daemon (running under the system_dbusd_t process context) access to files labelled as tun_tap_device_t; which matches the label of /dev/net/tun. Without this policy enabled, the openvpn3-service-netcfg service will not be able to create or manage TUN devices.

To install and activate this SELinux security module, as root run:

     # semodule -i /etc/openvpn3/selinux/openvpn3.pp
     # semanage boolean --m --on dbus_access_tuntap_device

For users installing the pre-built RPM binaries, this is handled by the RPM scriptlet during package install.

The second policy module, openvpn3_service.pp, will confine both the openvpn3-service-netcfg and openvpn3-service-client processes into their own SELinux process contexts (openvpn3_netcfg_t and openvpn3_client_t). See the src/selinux/openvpn3_service.te source for more details.

For the RPM builds, both SELinux policies are provided in the openvpn3-selinux package.

Logging

Logging happens via openvpn3-service-logger. If not started manually, it will automatically be started by the backend processes needing it. The default configuration sends log data to syslog or systemd-journald, depending on the Linux distribution. Unless --syslog, --journald or --log-file is provided, it will log to the console (stdout).

Real-time log events can be received on a per-session level, by using the openvpn3 log command.

This log service is managed via openvpn3-admin log-service. For systems using systemd-journald, the openvpn3-admin journal command provides a convenient approach to retrieve only OpenVPN 3 Linux related log entries from the systemd journal.

For more information about logging, see the openvpn3-service-logger(8) man page, D-Bus Logging and net.openvpn.v3.log D-Bus service documentation.

Debugging

For information about debugging, please see docs/debugging.md

Building from source

For information about building OpenVPN 3 Linux from source, please see BUILD.md.

Contribution

  • Code contributions

    Code contributions are most welcome. Please submit patches for review to the openvpn-devel@lists.sourceforge.net mailing list. All patches must carry a Signed-off-by line and must be reviewed publicly before acceptance. Pull requests are not acceptable unless they are for early reviews and patch discussions. Final patches MUST go to the mailing list.

  • Testing

    This code is quite new, but has been used a lot in various setups. Please reach out on libera.chat @ #openvpn for help and discussing issues you encounter, or subscribe to and ask on the openvpn-users@lists.sourceforge.net mailing list.

  • Packagers

    We are beginning to target packaging in Linux distributions. The Fedora Copr repository is one which is currently available. We are looking for people willing to package this in other Linux distributions as well.

openvpn3-linux's People

Contributors

benyanke, d12fk, dsch, dsommers, flichtenheld, fransklaver, jeis2497052, jfly, jkotra, lstipakov, mattock, ordex, raphmad, schwabe

openvpn3-linux's Issues

openvpn3-autoload / ConfigParser.py do not allow the usage of possible argument

Given: The template configuration file from ubuntu 20.04

$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

$ less  /usr/share/doc/openvpn/examples/sample-config-files/client.conf

When: Using the 'mute' parameter with openvpn3-autoload
mute 20

Then:

  • expected: the parameter is accepted
  • found: (I am still verifying for route-method and route-delay)
Traceback (most recent call last):
  File "/usr/sbin/openvpn3-autoload", line 83, in find_autoload_configs
    opts = openvpn3.ConfigParser(['openvpn3-autoload',
  File "/usr/lib/python3/dist-packages/openvpn3/ConfigParser.py", line 89, in __init__
    self.__opts = vars(self.__parser.parse_args(self.__args))
  File "/usr/lib/python3.8/argparse.py", line 1780, in parse_args
    args, argv = self.parse_known_args(args, namespace)
  File "/usr/lib/python3.8/argparse.py", line 1812, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib/python3.8/argparse.py", line 2018, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib/python3.8/argparse.py", line 1958, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib/python3.8/argparse.py", line 1886, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/lib/python3/dist-packages/openvpn3/ConfigParser.py", line 863, in __call__
    args = vars(parser.parse_args(shlex.split('\n'.join(cfg),
  File "/usr/lib/python3.8/argparse.py", line 1783, in parse_args
    self.error(msg % ' '.join(argv))
  File "/usr/lib/python3/dist-packages/openvpn3/ConfigParser.py", line 64, in error
    raise Exception("%s: error: %s"  % (self.prog, message))
Exception: openvpn3-autoload: error: unrecognized arguments: --route-method exe --mute 20 --route-delay 2

Routing using host names does not work

It seems that routes using hostnames don't work in .ovpn files.

Example: route xyz.blabla.dk 255.255.255.255 is ignored.

Whereas: route 41.114.122.15 255.255.255.255 works.

$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

resolv.conf overwrite by default

By default I use some custom DNS resolvers. But Openvpn3, when activated, overwrites my DNS servers with its preferred one.
I wish to avoid leaking my DNS queries by default, is it possible?

Repository - consider adding the [arch=] parameter to (deb) sources lists

Hi,

You may want to add the [arch=] parameter to your downloadable (deb) sources lists, defining the available architectures, e.g. deb [arch=amd64] https://swupdate.openvpn.net/community/openvpn3/repos buster main.

On systems that have i386 enabled, apt/apt-get update otherwise throws a warning that the repository "..doesn't support architecture 'i386'"

Cannot install on Fedora 34

$ sudo yum install openvpn3-client
[sudo] password for user: 
Last metadata expiration check: 1:14:56 ago on Wed 28 Apr 2021 12:31:59 PM PDT.
Error: 
 Problem: conflicting requests
  - nothing provides libprotobuf.so.24()(64bit) needed by openvpn3-client-13-0.beta1.fc34.x86_64
(try to add '--skip-broken' to skip uninstallable packages)

Looks like Fedora shipped with protobuf 3.14 which has libprotobuf.so.25, not .24.

openvpn2 front-end: ModuleNotFoundError

Hey there,

I just want to inform you about one minor bug I noticed on Debian 9 and Ubuntu 18.04:
After compiling and installing the project, using /usr/bin/openvpn2 produces the following error:

/usr/bin/openvpn2 --help

Traceback (most recent call last):
  File "/usr/bin/openvpn2", line 45, in <module>
    from openvpn3 import StatusMajor, StatusMinor
ModuleNotFoundError: No module named 'openvpn3'

Using openvpn3-linux/src/python/openvpn2 on the other hand works as expected.
openvpn3-linux/src/python/openvpn2 --help (produces expected output)

proto-overwrite isn't working

I'm trying to force openvpn3 to use TCP over UDP by using this:
openvpn3 config-manage --config <NAME> --proto-override tcp
but from the log, I see it still uses UDP.

By running openvpn3 config-manage --config <NAME> -s I see there is an overwrite set for it, but it's still not getting honored.
BTW, overwriting the port seems to be taking effect.

Is there anything I'm missing?

Failed to start new session: Connection not ready to connect yet (object does not exist)

When I run sudo openvpn3 session-start --config client.ovpn on Ubuntu 18.04, it failed. It prints:

Using configuration profile from file: client.ovpn
Session path: /net/openvpn/v3/sessions/f004337ds9e88s4d23s8d9esd5027a5b0972
Auth User name:
Auth Password: 
Enter Google Authenticator Code: 165297
session-start: ** ERROR ** Failed to start new session: Connection not ready to connect yet (object does not exist)

and on journalctl -ex:

 1월 20 00:23:19 bhyoo-virtual-machine dbus-daemon[927]: [system] Activating service name='net.openvpn.v3.sessions' requested by ':1.115' (uid=0 pid=5804 comm="openvpn3 session-start --config client.ovpn " label
 1월 20 00:23:19 bhyoo-virtual-machine net.openvpn.v3.sessions[927]: OpenVPN 3/Linux v7_beta (openvpn3-service-sessionmgr)
 1월 20 00:23:19 bhyoo-virtual-machine net.openvpn.v3.sessions[927]: OpenVPN core 3.git:HEAD:1668f1cd linux x86_64 64-bit
 1월 20 00:23:19 bhyoo-virtual-machine net.openvpn.v3.sessions[927]: Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
 1월 20 00:23:19 bhyoo-virtual-machine net.openvpn.v3.log[4958]: Logger VERB2: Attached: {tag:4455907153902855771}  [:1.116/net.openvpn.v3.sessions]
 1월 20 00:23:19 bhyoo-virtual-machine dbus-daemon[927]: [system] Successfully activated service 'net.openvpn.v3.sessions'
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15979736196443158099} Config Manager INFO: Parsed single-use configuration 'client.ovpn', owner: root
 1월 20 00:23:20 bhyoo-virtual-machine dbus-daemon[927]: [system] Activating service name='net.openvpn.v3.backends' requested by ':1.116' (uid=122 pid=5808 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/openvpn3
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: OpenVPN 3/Linux v7_beta (openvpn3-service-backendstart)
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: OpenVPN core 3.git:HEAD:1668f1cd linux x86_64 64-bit
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.log[4958]: Logger VERB2: Attached: {tag:3185898936652274477}  [:1.117/net.openvpn.v3.backends]
 1월 20 00:23:20 bhyoo-virtual-machine dbus-daemon[927]: [system] Successfully activated service 'net.openvpn.v3.backends'
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: Re-initiated process from pid 5817 to backend process pid 5818
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: OpenVPN 3/Linux v7_beta (openvpn3-service-client)
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: OpenVPN core 3.git:HEAD:1668f1cd linux x86_64 64-bit
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.backends[927]: Copyright (C) 2012-2017 OpenVPN Inc. All rights reserved.
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.log[4958]: Logger VERB2: Attached: {tag:15086041118856162295}  [:1.118/net.openvpn.v3.backends]
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.log[4958]: Logger VERB2: Attached: {tag:15921432625201831649}  [:1.118/net.openvpn.v3.sessions]
 1월 20 00:23:20 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15086041118856162295} Client VERB1: Initializing VPN client session, token 8e178843t404ct4f28t84e7t9760cc0a3c2e
 1월 20 00:23:21 bhyoo-virtual-machine openvpn3-servic[5818]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
 1월 20 00:23:21 bhyoo-virtual-machine dbus-daemon[927]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.118" (uid=122 pid=5818 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/op
 1월 20 00:23:26 bhyoo-virtual-machine net.openvpn.v3.log[4958]: Logger VERB2: Detached: {tag:3185898936652274477}  [:1.117/net.openvpn.v3.backends]
 1월 20 00:23:27 bhyoo-virtual-machine openvpn3-servic[5818]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
 1월 20 00:23:27 bhyoo-virtual-machine dbus-daemon[927]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.118" (uid=122 pid=5818 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/op
 1월 20 00:23:32 bhyoo-virtual-machine openvpn3-servic[5818]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
 1월 20 00:23:32 bhyoo-virtual-machine dbus-daemon[927]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.118" (uid=122 pid=5818 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/op
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15086041118856162295} Client INFO: Starting connection
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15086041118856162295} Client VERB1: Username/password provided successfully for 'isac.yoo'
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15086041118856162295} Client VERB1: Waiting for server response
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:17621744109520087757} Network Configuration INFO: Virtual device '8e178843t404ct4f28t84e7t9760cc0a3c2e' registered on /net/openvpn/v3/netcfg/
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.netcfg[927]: Error while executing NetlinkRoute4(add: 1) ens33: -17
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:17621744109520087757} Network Configuration INFO: Add bypass route to 52.68.183.173 ipv6: no
 1월 20 00:23:32 bhyoo-virtual-machine net.openvpn.v3.log[4958]: {tag:15086041118856162295} Client INFO: Connecting
 1월 20 00:23:34 bhyoo-virtual-machine openvpn3-servic[5818]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
 1월 20 00:23:34 bhyoo-virtual-machine dbus-daemon[927]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.118" (uid=122 pid=5818 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/op
 1월 20 00:23:36 bhyoo-virtual-machine openvpn3-servic[5818]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
 1월 20 00:23:36 bhyoo-virtual-machine dbus-daemon[927]: [system] Rejected send message, 0 matched rules; type="method_return", sender=":1.118" (uid=122 pid=5818 comm="/usr/lib/x86_64-linux-gnu/openvpn3-linux/op
 1월 20 00:23:36 bhyoo-virtual-machine kernel: openvpn3-servic[5818]: segfault at 18 ip 000055d134a3481b sp 00007ffc7cf3c9a0 error 4 in openvpn3-service-client[55d1349f5000+147000]
 1월 20 00:23:36 bhyoo-virtual-machine kernel: Code: 48 8b 7d 00 48 85 ff 74 0f 48 89 44 24 08 e8 8c 50 ff ff 48 8b 44 24 08 48 89 45 00 48 89 45 08 48 05 40 02 00 00 48 89 45 10 <48> 8b 43 18 0f b6 90 e9 03 00 
 1월 20 00:23:36 bhyoo-virtual-machine net.openvpn.v3.sessions[927]: terminate called after throwing an instance of 'openvpn::DBusException'
 1월 20 00:23:36 bhyoo-virtual-machine net.openvpn.v3.sessions[927]:   what():  Failed retrieving property value for 'device_path': The name :1.118 was not provided by any .service files

Invalid JSON data

I'm trying to setup autoload. I made a folder ~/.config/openvpn3/autoload containing two files client.ovpn and client.autoload where the latter is simply:

{
    "autostart": true,
}

When I run openvpn3-autoload --directory .config/openvpn3/autoload I get the error:

Invalid JSON data in ".config/openvpn3/autoload/client.ovpn": Expecting property name enclosed in double quotes: line 3 column 1 (char 25)

The .ovpn file shouldn't be json right? Or did I misunderstand something. Thanks in advance!
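
The error text quoted in this report is the one Python's json module gives for a trailing comma: in the three-line file shown, character 25 is the closing brace on line 3, directly after the comma that ends line 2. The following added example (not part of openvpn3-autoload or of the original post; the function names are hypothetical) checks .autoload files before they are loaded and names the file and the defect. It assumes .autoload files hold a JSON object, as the one in the post does.

```python
"""Pre-flight check for *.autoload files. Added example; not project code."""
import json
import sys
from pathlib import Path

# The .autoload content quoted in the post above, reproduced as posted.
AUTOLOAD_FROM_POST = '{\n    "autostart": true,\n}\n'


def _neighbour(text, pos, step):
    """Nearest non-whitespace character before (step=-1) or after (step=+1) pos."""
    pos += step
    while 0 <= pos < len(text) and text[pos].isspace():
        pos += step
    return text[pos] if 0 <= pos < len(text) else ""


def _is_trailing_comma(text, pos):
    # Depending on the Python version, the decoder reports the position of
    # the closing bracket or of the comma itself, so both are handled.
    if pos >= len(text):
        return False
    if text[pos] in ("}", "]"):
        return _neighbour(text, pos, -1) == ","
    if text[pos] == ",":
        return _neighbour(text, pos, +1) in ("}", "]")
    return False


def check_autoload_text(text):
    """Return None for a valid JSON object, otherwise a one-line diagnosis."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as err:
        where = "line %d column %d" % (err.lineno, err.colno)
        if _is_trailing_comma(text, err.pos):
            return where + ": trailing comma before a closing bracket; strict JSON forbids it"
        return where + ": " + err.msg
    if not isinstance(data, dict):
        return "top-level value is %s, expected a JSON object" % type(data).__name__
    return None


def check_autoload_dir(directory):
    """Check every *.autoload file; profiles (*.ovpn) are never parsed as JSON."""
    problems = {}
    for path in sorted(Path(directory).glob("*.autoload")):
        problem = check_autoload_text(path.read_text(encoding="utf-8"))
        if problem:
            problems[path.name] = problem
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real directory passed as argument
        for name, problem in check_autoload_dir(sys.argv[1]).items():
            print("%s: %s" % (name, problem))
    else:
        print("sample from the post:", check_autoload_text(AUTOLOAD_FROM_POST))
```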

openvpn3 Auto logon not working

Tried adding auth-user-pass auth.txt to the configuration file, but the connection still failed:
Session path: /net/openvpn/v3/sessions/e3e25ec5s478es40e0sb894s67967d978c99
session-start: ** ERROR ** Failed to start session

The same configuration file works without auth.txt (I need to pass the credentials manually):
openvpn3 session-start --config /home/XXXX/openvpn/XXXX.ovpn
Using configuration profile from file: /home/XXXX/openvpn/XXX.ovpn
Session path: /net/openvpn/v3/sessions/2d0b8583sbbc4s48aasaa09sa9012dd8da4a
Auth User name:
Auth Password:
Connected

syntax error near unexpected token `${datarootdir}/selinux/devel,' Ubuntu 20.04

Hi dear OpenVpn Team,
I tried to build this project on my Xubuntu 20.04, but it failed when I ran:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/va
And I should verify that autoconf-archive is installed too.

Here is the log:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking whether ln -s works... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking whether g++ supports C++11 features by default... yes
checking whether g++ supports C++14 features by default... yes
checking for a Python interpreter with version >= 3.5... python3
checking for python3... /usr/bin/python3
checking for python3 version... 3.8
checking for python3 platform... linux
checking for python3 script directory... ${prefix}/lib/python3.8/site-packages
checking for python3 extension module directory... ${exec_prefix}/lib/python3.8/site-packages
checking for LIBLZ4... yes
checking for LIBJSONCPP... yes
checking for LIBGLIBGIO... yes
checking for LIBUUID... yes
checking for LIBCAPNG... yes
checking for OPENSSL... yes
configure: Using ASIO source directory: ./vendor/asio
configure: Using OpenVPN 3 Core Library directory: ./openvpn3-core
checking OpenVPN 3 Core Library version... 3.git:HEAD:5b15dbe9
configure: Using ovpn-dco source directory: ./ovpn-dco
./configure: line 7699: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 7699: `AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'

Can't install openvpn3 on ubuntu - wrong URLs

Hi

wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list

--2021-04-28 10:12:56--  https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-.list
Resolving swupdate.openvpn.net (swupdate.openvpn.net)... 104.18.110.96, 104.18.109.96
Connecting to swupdate.openvpn.net (swupdate.openvpn.net)|104.18.110.96|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-04-28 10:12:56 ERROR 404: Not Found.

regards

Ubuntu issues with libcap-ng-dev

The readme states that to build, the following packages need to be installed from apt:

build-essential git pkg-config autoconf autoconf-archive libglib2.0-dev libjsoncpp-dev uuid-dev libmbedtls-dev liblz4-dev libcapng-dev

The package libcapng-dev is not found, but libcap-ng-dev is, and allows the build to continue.

Error: openvpn3-autoload: error: argument --key: No such file or directory (If the file name contains spaces)

Hi.
Steps to reproduce:
Add a space to the file name: 'ovpn config.key'
Edit the config file:
key '/etc/openvpn/client/ovpn config.key' or key "/etc/openvpn/client/ovpn config.key"

Run:
openvpn3-autoload --directory ...
And get error:
Error: openvpn3-autoload: error: argument --key: No such file or directory ' "/etc/openvpn/client/ovpn config.key" '

And to get the error, it's enough to specify (" ") or (' ') in the file path.

--auth-user-pass flag not working

I'm attempting to use the auth-user-pass config in the client.ovpn and --auth-user-pass via command line but it doesn't appear that either is supported.

When using the command line argument I receive:

sudo openvpn3 session-start --config ~/Documents/client.ovpn --auth-user-pass
            
openvpn3/session-start: unrecognized option '--auth-user-pass'

When I configure my client.ovpn with: auth-user-pass /home/nick/Documents/vpnpass.txt

I receive:

sudo openvpn3 session-start --config ~/Documents/client.ovpn
                 
Using configuration profile from file: /home/nick/Documents/client.ovpn
Session path: /net/openvpn/v3/sessions/7887ed5ds9d9bs494csaf2fsb65cf4906fcb
session-start: ** ERROR ** Failed to start session

My version:

openvpn3 version

OpenVPN 3/Linux v10_beta (openvpn3)
OpenVPN core 3.git:HEAD:bf9f309f linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

Running without the command line argument and without the auth-user-pass configuration in my client.ovpn works fine, but I obviously need to enter my credentials every time. It would be great to get this supported like it was on openvpn.

Thanks!

VPN client is not reporting a MAC/UUID address.

I used the HW address checking script in my openvpn server : OpenVPN Access Server Post_auth Hardware Address Checking Script

When I use openvpn3 on Ubuntu 16.04 / 20.04, I cannot log in to my server. Here is the server log:

VPN Auth Failed: 'VPN client is not reporting a MAC/UUID address. Please verify that a suitable OpenVPN client is being used.' ['VPN client is not reporting a MAC/UUID address. Please verify that a suitable OpenVPN client is being used.']

2021-01-15T15:34:56+0800 [stdout#info] ***** POST_AUTH MAC CHECK: action taken : VPN connection denied with a suitable error message.
2021-01-15T15:34:56+0800 [stdout#info] ***** POST_AUTH MAC CHECK: connection attempt : FAILED

Clients on other operating systems are OK (macOS).

I don't know if my config is wrong, or whether openvpn3-linux not reporting the client's MAC address is by design...
Thanks a lot.

Change pulling of codename to something sensible

In your docs there are multiple errors. You are after neither distro nor releasename.

You are after the codename. See man lsb_release for more.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.10
Release:        20.10
Codename:       groovy

Replace

 wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$DISTRO.list

with

 wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$(lsb_release -sc).list

example echo

$ echo wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-$(lsb_release -sc).list
wget -O /etc/apt/sources.list.d/openvpn3.list https://swupdate.openvpn.net/community/openvpn3/repos/openvpn3-groovy.list
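
Added example (not from either issue or from the project's docs): the 404 in the earlier report comes from `$DISTRO` expanding to nothing, and `wget -O` creates the destination file even when the request fails. The sketch below validates the codename before building the URL and installs the list only after a successful download; the function names and the lowercase-alphanumeric codename rule are assumptions.

```shell
#!/bin/sh
# Added example: build the openvpn3 apt list URL from a validated codename
# and never leave a partial or empty file in sources.list.d.

# URL prefix as quoted in the issues on this page.
REPO_BASE='https://swupdate.openvpn.net/community/openvpn3/repos'

# Print the release codename (e.g. "groovy"); fail if it cannot be found.
detect_codename() {
    if command -v lsb_release >/dev/null 2>&1; then
        lsb_release -sc
    elif [ -r /etc/os-release ]; then
        # VERSION_CODENAME is the field shown in the os-release output on this page.
        ( . /etc/os-release && printf '%s\n' "${VERSION_CODENAME:-}" )
    else
        return 1
    fi
}

# Print the list URL for codename $1.
# Assumption: codenames are lowercase letters and digits only, so an empty
# value, "n/a", spaces or path characters are all rejected.
openvpn3_repo_url() {
    case ${1-} in
        '' | *[!a-z0-9]*)
            echo "refusing to build repo URL from codename '${1-}'" >&2
            return 1 ;;
    esac
    printf '%s/openvpn3-%s.list\n' "$REPO_BASE" "$1"
}

# Download to a temporary file and install it only if the fetch succeeded
# and returned a non-empty body. $1 optionally overrides the destination.
install_openvpn3_list() {
    dest=${1:-/etc/apt/sources.list.d/openvpn3.list}
    codename=$(detect_codename) || return 1
    url=$(openvpn3_repo_url "$codename") || return 1
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$url" && [ -s "$tmp" ]; then
        install -m 0644 "$tmp" "$dest"
        rc=$?
    else
        echo "download failed, nothing installed: $url" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root): install_openvpn3_list
```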

Port Override Requires Int, but Config Manager Requires Boolean or String for Overrides

I was trying to use the port override in a .autoload file. Using any integer results in the error message, "Unsupported override data type: i." This is true even if I quote the integer. Escaping the quotes (i.e. trying to force the string) errors out because an int is required.

configmgr.hpp OverrideValue set_override function only accepts string and boolean g_types. I would submit a pull request, but I haven't quite used github enough to be comfortable doing so.

Build doesn't work without selinux

Steps to reproduce:

  • be on a linux distro with no selinux (I'm using manjaro ARM)
  • run ./bootstrap.sh then ./configure ... as per building from source instructions
  • configure exits with an error (details below)
  • include the flag --disable-selinux-build as per the instructions in ./configure --help

Expected behaviour

  • ./configure command completes successfully

Actual behaviour

  • ./configure command still exits with the same error

Error message during configure, which I receive regardless of the --disable-selinux-build flag:

configure: Using ASIO source directory: ./vendor/asio
configure: Using OpenVPN 3 Core Library directory: ./openvpn3-core
checking OpenVPN 3 Core Library version... 3.git:HEAD:bf9f309f
./configure: line 7436: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 7436: `        AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'

I worked around this by simply editing and manually deleting the section about selinux from the configure script. Ideally the script would correctly detect selinux availability and exclude generating the policy files if it's not present on the system.

openvpn3-service-client misinterprets `--keepalive` option

Hi,

I've exported openvpn config file from my Asus router and imported to ubuntu 20.10:
openvpn3 config-import --config client.ovpn
openvpn3 session-start --config-path /net/openvpn/v3/configuration/21672a50xbf... etc
When I try to login: auth user and password, I always get: session-start: ** ERROR ** Failed to start session

Could anyone help, please?

Best,
Rui

OpenVPN Access Server routing table help needed.

Hello,

I have been trying to set up:

Device A (PLC, static IP=10.10.10.11) 
        |
        | eth0 connection 
        |
Device B (raspberry B 3,  Jessie)
        |
        | OpenVPN  Clients
        |
Device C (laptop, Windows 8.1)

The thing is, Device B and Device C are OpenVPN clients connected to the same OpenVPN Access Server running on an Ubuntu system. Also, I am using a wi-fi router for net connectivity.

My IP configurations are:

(Device A) PLC ---> 10.10.10.11 
(Device B)R-pi ---> 
cat /etc/dhcpcd.conf 
interface eth0 
static ip_address=10.10.10.10/24 
static domain_name_servers=192.168.1.1

VPN network IP= 10.8.0.2
(Device C) Windows 8.1 --->
VPN network IP= 10.8.0.5

My current state is:

ip route
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600 
169.254.0.0/16 dev wlp2s0 scope link metric 1000 
172.27.224.0/23 dev as0t0 proto kernel scope link src 172.27.224.1 
172.27.226.0/23 dev as0t1 proto kernel scope link src 172.27.226.1 
172.27.228.0/23 dev as0t2 proto kernel scope link src 172.27.228.1 
172.27.230.0/23 dev as0t3 proto kernel scope link src 172.27.230.1 
172.27.232.0/23 dev as0t4 proto kernel scope link src 172.27.232.1 
172.27.234.0/23 dev as0t5 proto kernel scope link src 172.27.234.1 
172.27.236.0/23 dev as0t6 proto kernel scope link src 172.27.236.1 
172.27.238.0/23 dev as0t7 proto kernel scope link src 172.27.238.1 
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.61 metric 600 

What should the static routes be on the router, on the OpenVPN Server web UI and on the server?

Trying to figure this out for a long time now. But no luck.
Please Help!

How to make openvpn3-linux client work with network manager?

When I connect the VPN using openvpn3 session-start --config client.ovpn I am able to connect to the internet along with the VPN local IPs, but when I connect using network-manager, I am able to connect to the VPN local IPs but not to the internet. I have the update-systemd-resolve setup and I am able to resolve DNS while connected to the VPN, to get that out of the way.

network-manager

aguru@pc:~$ resolvectl query github.com
github.com: 192.30.255.113                     -- link: tun0

-- Information acquired via protocol DNS in 1.1ms.
-- Data is authenticated: no

openvpn3 uses my wifi for all internet and tun0 only for certain IPs?

aguru@pc:~$ resolvectl query github.com
github.com: 13.234.210.38                      -- link: wlp0s20f3

-- Information acquired via protocol DNS in 97.6ms.
-- Data is authenticated: no

The only difference that I could note was the link.

System:

aguru@pc:~$ uname -a
Linux pc 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
aguru@pc:~$ 
aguru@pc:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal
aguru@pc:~$ 
aguru@pc:~$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
aguru@pc:~$ 
aguru@pc:~$ openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
aguru@pc:~$ 
aguru@pc:~$ nmcli --version
nmcli tool, version 1.22.10

I have 2 openvpn versions (as mentioned in the output above) - any probable conflicts?

From what I can understand, nmcli is not able to correctly set up routes that are pushed by the VPN server?
Is there some way to correctly set up network-manager?

Improve openvpn3 and Python module to support libsecret for providing credentials automatically

Hello.
I use many '.ovpn' config files, so I set "autostart": false in the autoload JSON files.
This is so that all sessions do not autostart at once.

Then I need to use session-start.
But I have to catch the stdin username/password prompt.

Why is the logic like this?

I can solve the problem by making one directory per conf/autoload file and setting "autostart": true.
But then using openvpn3-autoload will generate new sessions for the same config file every time.

OpenVPN3 stopped working after kernel update

Installed openvpn3 client as per instructions (https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux).

Everything worked fine until last kernel update.
I can provide more info if needed -- please write back.

Running this openvpn3 version on Debian 10:

$ openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

My system:

$ uname -a
Linux lenovo-m58 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

and:

$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Cannot build on openSUSE

I'm trying to package openvpn3 for openSUSE and running into the following failures with ./configure

checking for OPENSSL... yes
configure: Using ASIO source directory: ./vendor/asio
configure: Using OpenVPN 3 Core Library directory: ./openvpn3-core
checking OpenVPN 3 Core Library version... 3.git:HEAD:ce0c9963
configure: Using ovpn-dco source directory: ./ovpn-dco
./configure: line 7802: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 7802: `        AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'

I'm not sure where to start figuring this out :-/

Remove multiple configs having same name

I was doing the openvpn3-autoload test and ended up with multiple configs with the same name.

openvpn3 config-remove -c openvpn-in* --force
config-remove: ** ERROR ** No configuration profiles found
openvpn3 config-remove -c openvpn-in --force
config-remove: ** ERROR ** More than one configuration profile was found with the given name

I tried doing the above but had no success.
Isn't there any hack to remove all the same configs so that I don't have to manually remove each of them?

My config is getting deleted after a reboot

OS: ubuntu 20.04
openvpn3 version

OpenVPN 3/Linux v9_beta (openvpn3)
OpenVPN core 3.git:HEAD:811dac2e linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

I'm using openvpn3 config-import --config <path_to_ovpn_file> to import my client config file to the store.
Then I'm changing its name to be something easier to type:
openvpn3 config-manage --path <config_path_from_configs-list> --rename <new_name>

All is good up until I reboot; then I lose my configs and I need to do it all over again.

Python module does not properly handle MFA/OTP authentication

Q: How can I autoload user and password with OTP based MFA dynamic challenge for openvpn3 and only prompt for MFA code?

Attempts Made:

I created the below script to inject OTP based MFA code at request time into a .autoload config with openvpn3-autoload to simplify the login process with our OpenVPN requirements. I figure the script should be able to get around the static requirement until the MFA needs renewal but I am still getting issues with the dynamic_challenge parameter.

I get the following message from connection with the openvpn3-autoload using openvpn3 sessions-list:

Status: Connection, Configuration requires user input: Dynamic Challenge

OpenVPN3 Autoload Credentials Script

    #!/bin/bash
    set -e
    
    ## Requirements
    # - openvpn3
    # - openvpn3-autoload
    
    # When you are logged in you may download a client.ovpn file.  First create a
    # subdir at ~/.openvpn and copy the downloaded file to this directory.  
    
    echo '{"autostart": true,"user-auth": { "autologin": true,"username": "{{ OPENVPN_USR }}", "password": "{{ OPENVPN_PW }}", "dynamic_challenge": "{{ OPENVPN_MFA_CODE }}"},"tunnel": {"ipv6": [ "default" ],"persist": true}}' > ${HOME}/.openvpn/autoload.tmpl
    
    OPENVPN_CLIENT=client
    OPENVPN_USR="my.user"
    OPENVPN_PW="password"
    OPENVPN_USR=${OPENVPN_USR:-`read -p "User login: " OPENVPN_USR; echo $OPENVPN_USR`}
    OPENVPN_PW=${OPENVPN_PW:-`read -p "User Pass: " OPENVPN_PW; echo $OPENVPN_PW`}
    
    read -p "Please enter MFA code: " OPENVPN_MFA_CODE
    
    export OPENVPN_USR=${OPENVPN_USR}
    export OPENVPN_PW=${OPENVPN_PW}
    export OPENVPN_MFA_CODE=${OPENVPN_MFA_CODE}
    
    ## This is an internal tool to our org but you could figure out how to use jq also.
    ## tmpz -t ${HOME}/.openvpn/autoload.tmpl -o ${HOME}/.openvpn/${OPENVPN_CLIENT}.autoload
    rm ${HOME}/.openvpn/autoload.tmpl
    
    # I am open to suggestions if you have a better way.
    openvpn3-autoload --directory ${HOME}/.openvpn

I have tried passing a parameter file like below to the ovpn file with auth-user-pass credentials.txt(ie: dbus).

credentials.txt

    my.user
    password

I get connection failure with auth-user-pass and no dynamic challenge.
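
Added example, not part of the issue or of openvpn3-linux: the script above puts the password into an `.autoload` file created with the shell's current umask and builds the JSON by string substitution. This sketch writes the file with owner-only permissions and JSON-escapes the values; the function names are hypothetical, and the JSON keys are the ones used in the `.autoload` files posted on this page.

```shell
#!/bin/sh
# Added example: write an openvpn3 .autoload file that holds credentials
# without exposing them to other local users, and audit existing files.

# JSON-escape $1 for use inside double quotes.
# Control characters (newline, tab, ...) are rejected rather than encoded.
json_escape() {
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    # Backslash first, then the double quote.
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_autoload DIR NAME USERNAME PASSWORD
# Creates DIR/NAME.autoload with mode 0600. The secret is only handed to
# shell builtins and pipes, so it never shows up in another process's argv.
write_autoload() {
    dir=$1
    name=$2
    case $name in
        '' | */*) echo "invalid profile name" >&2; return 1 ;;
    esac
    user=$(json_escape "$3") || { echo "unsupported character in username" >&2; return 1; }
    pass=$(json_escape "$4") || { echo "unsupported character in password" >&2; return 1; }
    (
        umask 077                      # new directory 0700, new files 0600
        mkdir -p "$dir" || exit 1
        # Write to a temp file in the same directory, then rename into place,
        # so a reader never sees a half-written file.
        tmp=$(mktemp "$dir/.autoload.XXXXXX") || exit 1
        printf '{\n  "autostart": false,\n  "user-auth": {\n    "autologin": true,\n    "username": "%s",\n    "password": "%s"\n  }\n}\n' \
            "$user" "$pass" > "$tmp" \
            && mv "$tmp" "$dir/$name.autoload" \
            || { rm -f "$tmp"; exit 1; }
    )
}

# Print every .autoload file under $1 that group or others can read.
exposed_autoload() {
    find "$1" -type f -name '*.autoload' \( -perm -040 -o -perm -004 \) -print
}

# Usage:
#   write_autoload "$HOME/.openvpn" client "$OPENVPN_USR" "$OPENVPN_PW"
#   exposed_autoload "$HOME/.openvpn"
```

Running `exposed_autoload` over an existing profile directory shows which credential files were created under a permissive umask and need `chmod 600`.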

OpenVPN Client for Ubuntu 18.04LTS with NetPlan Issues

Hi,
I hope this is the right place for this, as I couldn't put this in the OpenVPN section for issues. OpenVPN doesn't get DNS resolution on a connection under Ubuntu 18.04 LTS since Ubuntu went to Netplan for the networking stack. This is becoming an issue for me since this was working under 14.04 and 16.04. Connecting to a pfsense box, I was able to do DNS and see the entire network. Under Ubuntu 18.04 I get a connection but a broken network connection, and am not able to hit different VLANs under the same pfsense systems. The GUI portion of the client works fine as far as importing configs and whatnot, but the underlying stack is broken. Please advise.

Thanks.

Configurations using --pkcs12 for key/cert/ca are not working

READ THIS CAREFULLY BEFORE ADDING A NEW COMMENT

  1. Does your configuration file use the pkcs12 option? If yes, continue. If not, this issue ticket is not your problem - look up another issue or file a new one.

  2. Can you try starting the session using the openvpn2 command line front-end? If that does not work, this issue ticket is not your problem - look up another issue or file a new one.

  3. If you still do not know if your issue is related to the pkcs12 option, search for pkcs12 in the configuration you have:
    a) Have you imported your configuration using openvpn3 config-import or do you use openvpn3-autoload? Run this command:

      $ openvpn3 config-dump --config $CONFIG_NAME | grep pkcs12
    

    If this returns nothing, this issue ticket is not your problem - look up another issue or file a new one.

    If you do not know your $CONFIG_NAME, run openvpn3 configs-list and see if you find it there.

    b) If you have your OpenVPN client configuration file saved as a file, run this command:

     $ grep pkcs12 $CONFIG_FILE
    

    If this returns nothing, this issue ticket is not your problem - look up another issue or file a new one.

If you have discovered that your configuration file does make use of the pkcs12 option, then you can continue reading. Otherwise, this issue ticket is not your problem - look up another issue or file a new one.


I set up a clean install of OpenVPN 3 client on my Ubuntu 18.04 machine. When I run:

sudo openvpn3 session-start --config FILENAME.ovpn

I get the following error:

session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Ready: GDBus.Error:net.openvpn.v3.sessions.error: Backend VPN process have died.  Session is no longer valid.

This configuration file contains a PKCS#12 file with valid client/ca certs and private key.

Can anyone help figure out what is going wrong here?

openvpn3-service-configmgr crashed with SIGABRT

OS: ubuntu 20.04
This is what I see in journalctl:

Aug 7 01:11:39 Oris-Laptop dbus-daemon[959]: [system] Activating service name='net.openvpn.v3.configuration' requested by ':1.1442' (uid=1000 pid=19388 comm="openvpn3 config-import --config /home/ori/Download" label="unconfined") (using servicehelper)
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.configuration[19392]: OpenVPN 3/Linux v10_beta (openvpn3-service-configmgr)
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.configuration[19392]: OpenVPN core 3.git:HEAD:bf9f309f linux x86_64 64-bit
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.configuration[19392]: Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.log[6307]: Logger VERB2: Attached: {tag:8095744316103647505} [:1.1443/net.openvpn.v3.configuration]
Aug 7 01:11:39 Oris-Laptop dbus-daemon[959]: [system] Successfully activated service 'net.openvpn.v3.configuration'
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.configuration[19392]: terminate called after throwing an instance of 'openvpn::option_error'
Aug 7 01:11:39 Oris-Laptop net.openvpn.v3.configuration[19392]: what(): option_error: option was not properly closed out

Connections fails with `--remote-random-hostname`

Version Used

openvpn3 version
OpenVPN 3/Linux v14_beta (openvpn3)
OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

Error message

session-start: ** ERROR ** Failed to start new session: Failed calling D-Bus method Connect: GDBus.Error:net.openvpn.v3.sessions.error: Failed communicating with VPN backend: Failed calling D-Bus method Connect: GDBus.Error:net.openvpn.v3.error.client: Configuration parsing failed: ERR_PROFILE_GENERIC: remote_list_error: remote-random-hostname without PRNG

DNS randomly doesn't pop

OS : Ubuntu 20.04 LTS
Openvpn version : OpenVPN 3/Linux v13_beta

Problem :

Randomly, the DNS isn't configured.
I run systemd-resolve --status and see no DNS.
Restarting it or disconnecting and reconnecting fixes the issue most of the time.
I've tried to get a number: out of 10 disconnections / reconnections, I get the DNS 7/10 times.

Add flag to use system default ASIO on compile

Hi, firstly, thanks for your work.
I'm currently trying to make a user-defined openvpn3 client package on archlinux. Actually it's already uploaded here. And I want to use the official asio package of archlinux, which is currently 1.14.0, instead of the default submodule, for maintainability.

So I tried to modify configure.ac but I faced two issues.

  1. Even if I set ASIO_SOURCEDIR to the system asio path, archlinux does not install asio like their source tree does. asio source tree: asio/asio/include/asio, archlinux: usr/include/asio/ (you can check in Package Contents here)
  2. I cannot set it to use the system asio at runtime. I did not check the source but I guess -DASIO_STANDALONE exists to include the asio binary in the openvpn3-linux binary. So even if I set ASIO_SOURCEDIR, I cannot exclude -DASIO_STANDALONE.

Should I add another flag to set it to use the system asio? Need some help!

Alpine/musl support

Currently attempting to build this for alpine, it looks like most things are good, a missing #include <sys/types> and <unistd.h> in a couple spots, but otherwise looks like I should be able to build this.

It would be really nice to just be able to install this via apk, or even the binaries. Building projects like this is not a specialty of mine, so ever updating might be kinda painful.

keepalive must have at least 3 arguments - docs only outline 2

I am trying to use OpenVPN to connect from Github Actions to a remote server.

Using openvpn2 --config config.ovpn --pkcs12 foo.p12 --daemon I get the following error message:

 ERROR ** org.gtk.GDBus.UnmappedGError.Quark._g_2dio_2derror_2dquark.Code36: GDBus.Error:net.openvpn.v3.sessions.error: Failed communicating with VPN backend: Failed calling D-Bus method Connect: GDBus.Error:net.openvpn.v3.backend.error.standard: Failed executing D-Bus call 'Connect': Configuration parsing failed: ERR_PROFILE_OPTION: option_error: option 'keepalive' must have at least 3 arguments

keepalive 5 20 is defined in the .ovpn file.

https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn2.1.rst#options shows that keepalive accepts 2 args.

** ERROR ** 'NoneType' object is not subscriptable

When I use the command openvpn2 --config client.ovpn --client I get the error
** ERROR ** 'NoneType' object is not subscriptable
It works with openvpn3.

client.ovpn:

dev tun
tls-client
remote [IP] 1194
redirect-gateway def1
dhcp-option DNS 1.1.1.1
pull
ca ca.crt
comp-lzo
reneg-sec 0
auth-user-pass 

openvpn3-autoload still asks for auth credentials

Here's my .autoload config

{
   "autostart": false,
    "name": "openvpn-in",
    "remote": {
        "proto-override": "udp",
        "timeout": "300",
        "compression": "asym"
    },
    "tunnel": {
        "ipv6": "default",
        "persist": true,
        "dns-setup-disabled": false
    },
    "user-auth": {
        "autologin": true,
        "username": "user",
        "password": "secret"
    } 
}

Here's my configs list

Configuration path
Imported                        Last used                 Used
Name                                                      Owner
------------------------------------------------------------------------------
/net/openvpn/v3/configuration/2984ca8fxda0ax416ax997exc50ee5cad031
Tue Sep 15 13:33:59 2020        Tue Sep 15 13:34:28 2020  1
openvpn-in                                                rajesh
------------------------------------------------------------------------------

As soon as I try to connect with my session path, it prompts for an auth.

➜  openvpn3 session-start -p /net/openvpn/v3/configuration/2984ca8fxda0ax416ax997exc50ee5cad031
Session path: /net/openvpn/v3/sessions/2c82f155s145ds4f0dsa4f0s5bd678025e87
Auth User name: 

Am I missing anything?

Fedora 33 needs systemd-resolved; resolv.conf not being restored properly

After disconnecting from the VPN, I am unable to connect again, with the error:

session-start: ** ERROR ** Failed to connect: Connection, Client reconnect

[:/] openvpn3 version
OpenVPN 3/Linux v13_beta (openvpn3)
OpenVPN core 3.git:HEAD:ce0c9963 linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.

./configure: line 7255: syntax error

Hi, and thanks for the opportunity to try your next thing. Trying to build it on Arch Linux, no luck. I see it's not officially supported, just letting you know.

➜  openvpn3-linux git:(master) uname -a
Linux jotunheim 5.1.7-arch1-1-ARCH #1 SMP PREEMPT Tue Jun 4 15:47:45 UTC 2019 x86_64 GNU/Linux

Current master, same result for v6_beta

➜  src git clone [email protected]:OpenVPN/openvpn3-linux.git
Cloning into 'openvpn3-linux'...
remote: Enumerating objects: 1249, done.
remote: Counting objects: 100% (1249/1249), done.
remote: Compressing objects: 100% (435/435), done.
remote: Total 5150 (delta 873), reused 1179 (delta 808), pack-reused 3901
Receiving objects: 100% (5150/5150), 2.07 MiB | 3.58 MiB/s, done.
Resolving deltas: 100% (3785/3785), done.
➜  src cd openvpn3-linux            
➜  openvpn3-linux git:(master) ./bootstrap.sh 
** Initializing git submodules ...
Submodule 'openvpn3-core' (git://github.com/OpenVPN/openvpn3) registered for path 'openvpn3-core'
Submodule 'asio' (git://github.com/chriskohlhoff/asio) registered for path 'vendor/asio'
Cloning into '/home/etsvigun/devenv/src/openvpn3-linux/openvpn3-core'...
Cloning into '/home/etsvigun/devenv/src/openvpn3-linux/vendor/asio'...
Submodule path 'openvpn3-core': checked out 'e1647eb4072090859ca8ed5b0b6e3b9e24961a9c'
Submodule path 'vendor/asio': checked out '90f32660cd503494b3707840cfbd5434d8e9dabe'

** Updating version.m4 ...
Version: master_346098aef5b1a092

** Running autoreconf ...
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: running: /usr/bin/autoconf
autoreconf: running: /usr/bin/autoheader
autoreconf: running: automake --add-missing --copy --no-force
configure.ac:27: installing './compile'
configure.ac:24: installing './install-sh'
configure.ac:24: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
src/python/Makefile.am:34: installing './py-compile'
autoreconf: Leaving directory `.'

➜  openvpn3-linux git:(master) ./configure 
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking whether g++ supports C++11 features by default... yes
checking whether g++ supports C++14 features by default... yes
checking for a Python interpreter with version >= 3.4... python
checking for python... /usr/bin/python
checking for python version... 3.7
checking for python platform... linux
checking for python script directory... ${prefix}/lib/python3.7/site-packages
checking for python extension module directory... ${exec_prefix}/lib/python3.7/site-packages
checking for LIBLZ4... yes
checking for LIBJSONCPP... yes
checking for LIBGLIBGIO... yes
checking for LIBUUID... yes
checking for LIBCAPNG... yes
checking for OPENSSL... yes
configure: Using ASIO source directory: ./vendor/asio
configure: Using OpenVPN 3 Core Library directory: ./openvpn3-core
checking OpenVPN 3 Core Library version... 3.git:HEAD:e1647eb4
./configure: line 7255: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 7255: `        AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'

--disable-selinux-build not working

Hello, I'm trying to package openvpn3@13_beta for NixOS.
I tried to disable the selinux build (that is only needed for distros like Fedora) with --disable-selinux-build but it seems like this switch is ignored:

./configure: line 8859: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 8859: `        AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'

Reproducing

  1. Install nix, cf. https://nixos.org/guides/install-nix.html
  2. Run:
$ nix-store -r $(nix-instantiate -E 'import (builtins.fetchTarball {
  url = "http://github.com/SCOTT-HAMILTON/Nixpkgs/archive/5041c3e9106cb7180c2401804d3d9d7b2be3f508.tar.gz";
  sha256 = "1v7kpc4lz77sx66dd2bvdqwspk8aim4x1libdw65rxbb7f6dsdj8";
}) {}' -A openvpn3)

Here is the full build log :

building '/nix/store/gypx5m3g5inasi12r72q0dakg1dwzfq8-openvpn3-13_beta.drv'...
unpacking sources
unpacking source archive /nix/store/yzfv64z1vjbh1c70sskihb5apzcl5x73-source
source root is source
patching sources
Version: fetchgit_2031975261858750
patching script interpreter paths in ./openvpn3-core/scripts/version
./openvpn3-core/scripts/version: interpreter directive changed from "#!/bin/bash" to "/nix/store/jdi2v7ir1sr6vp7pc5x0nhb6lpcmg6xg-bash-4.4-p23/bin/bash"
autoreconfPhase
autoreconf: export WARNINGS=
autoreconf: Entering directory '.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: configure.ac: not using Libtool
autoreconf: configure.ac: not using Intltool
autoreconf: configure.ac: not using Gtkdoc
autoreconf: running: /nix/store/d8xbvj4mnw7idjyfm0lcgw1kyld9cfmh-autoconf-2.70/bin/autoconf --force
autoreconf: running: /nix/store/d8xbvj4mnw7idjyfm0lcgw1kyld9cfmh-autoconf-2.70/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:27: installing './compile'
configure.ac:24: installing './install-sh'
configure.ac:24: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
src/python/Makefile.am:35: installing './py-compile'
autoreconf: Leaving directory '.'
configuring
configure flags: --disable-dependency-tracking --prefix=/nix/store/vrlixi66zh1iali33rnfdl2alq7j6v95-openvpn3-13_beta --disable-selinux-build
checking for a BSD-compatible install... /nix/store/lr96h3dlny8aiba9p3rmxcxfda0ijj08-coreutils-8.32/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /nix/store/lr96h3dlny8aiba9p3rmxcxfda0ijj08-coreutils-8.32/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking whether make supports nested variables... (cached) yes
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C++... yes
checking whether g++ accepts -g... yes
checking for g++ option to enable C++11 features... none needed
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... none
checking for gcc... gcc
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... none
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
checking whether ln -s works... yes
checking for a sed that does not truncate output... /nix/store/4nf4ih03fcq7gk08spjzxvwph1vyx1kr-gnused-4.8/bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking whether g++ supports C++11 features by default... yes
checking whether g++ supports C++14 features by default... yes
checking for a Python interpreter with version >= 3.5... python
checking for python... /nix/store/d44wd6n98f93hjr6q1d1phhh1hw7a17d-python3-3.8.8/bin/python
checking for python version... 3.8
checking for python platform... linux
checking for python script directory... ${prefix}/lib/python3.8/site-packages
checking for python extension module directory... ${exec_prefix}/lib/python3.8/site-packages
checking for liblz4... yes
checking for jsoncpp... yes
checking for gio-2.0... yes
checking for gio-unix-2.0... yes
checking for uuid... yes
checking for libcap-ng... yes
checking for openssl >= 1.0.2... yes
configure: Using ASIO source directory: ./vendor/asio
configure: Using OpenVPN 3 Core Library directory: ./openvpn3-core
checking OpenVPN 3 Core Library version... 3.git:fetchgit:ce0c9963
configure: Using ovpn-dco source directory: ./ovpn-dco
./configure: line 8859: syntax error near unexpected token `${datarootdir}/selinux/devel,'
./configure: line 8859: `        AX_RECURSIVE_EVAL(${datarootdir}/selinux/devel, selinux_devel_path)'
builder for '/nix/store/gypx5m3g5inasi12r72q0dakg1dwzfq8-openvpn3-13_beta.drv' failed with exit code 2
error: build of '/nix/store/gypx5m3g5inasi12r72q0dakg1dwzfq8-openvpn3-13_beta.drv' failed

NB: I also have to ask whether openvpn3 is under the agpl3Only or the agpl3Plus license, cf. https://www.gnu.org/licenses/identify-licenses-clearly.html.

v12 is not asking for 2FA prompt

Hi

openvpn3 v12 is not presenting the 2FA prompt. We are using a Duo Security 2FA script on the server, and it works on the latest OSX and Windows clients and on v11 for Linux.

Thanks
