Getting network-manager-openconnect to work

On Tue, Sep 10, 2019 at 11:57:11AM +0200, Divan Santana wrote:

Cc’ing bug-guix@gnu.org

I suspect something like the attached patch would help (and expand the

closure of network-manager to always include openconnect).

To test, follow section “Building from Git” from the manual or Laura’s

video 04-packaging-part-one.webm from

https://lists.gnu.org/archive/html/guix-devel/2019-07/msg00249.html,

but after the initial clone command, do

git apply the-attached.patch

Then after make, do

sudo -E ./pre-inst-env guix system reconfigure /etc/config.scm

(or whatever your configuration file is called). I cannot test right

now and have never used openconnect. It is quite possible I made a

mistake.

Regards,

Florian

From 8de7675a2dc2c1385d312e35136f8fa9eb4f9825 Mon Sep 17 00:00:00 2001

Patch source to use it instead of searching /usr/bin.

---

gnu/packages/gnome.scm | 8 ++++++++

1 file changed, 8 insertions(+)

Instead of adding openconnect to network-manager, would it be enough to

(substitute* "the-file"

(("/usr/sbin/openconnect") "openconnect"))

--

Efraim Flashner <efraim@flashner.co.il> ????? ?????

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

On Wed, Sep 11, 2019 at 10:38:22AM +0300, Efraim Flashner wrote:

No, at least the comment documenting nm_utils_file_search_in_paths says:

/**

I do not know if my patch works though.

Regards,

Florian

Hi Florian,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

Something I don’t get: why does NM itself know about openconnect?

There’s a network-manager-openconnect plugin, so I would expect

everything openconnect to happen there. Do you know why it’s not that

way?

Thanks,

Ludo’.

On Wed, Sep 11, 2019 at 10:46:56PM +0200, Ludovic Courtès wrote:

I don’t know. The patch addresses (if it works) a function called

nm_vpn_openconnect_authenticate_helper within the code for

NetworkManager clients like nmtui, probably also nm-connection-editor,

that calls openconnect --authenticate.

Perhaps the network manager service could symlink the openconnect

binary to the plugins directory when used and NetworkManager could be

made to look there, but it would be nice to know if the current patch

works.

Regards,

Florian

On Tue, Sep 10, 2019 at 01:21:20PM +0200, pelzflorian (Florian Pelz) wrote:

Sorry, my old patch did not even build. A friend lent me her

AnyConnect credentials so I can test. I will test now and send a

working patch.

Regards,

Florian

Hi Florian,

"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:

So I guess we first need someone to tell us whether the patch “works”,

as you wrote, right? :-)

Ludo’.

On Mon, Sep 16, 2019 at 05:57:51PM +0200, Ludovic Courtès wrote:

Currently I have built the attached patch, but NetworkManager

segfaults when connecting, and I try to debug why.

Regards,

Florian

From 1efadd4619f397429d5fae024b46cd8100870c42 Mon Sep 17 00:00:00 2001

Patch source to use it instead of searching /usr/bin.

---

gnu/packages/gnome.scm | 8 ++++++++

1 file changed, 8 insertions(+)

Hello!

There might be a workaround:

NetworkManager stopped segfaulting for me after I “edited” the

openconnect VPN connection in nm-connection-editor without making any

changes to the connection. Apparently this fixed get_secrets_done_cb

being passed what GDB calls an “<incomplete type>” as the connection

and crashing in nm_connection_get_setting_by_name. I need to repeat

this nm-connection-editor editing after every reboot.

Does editing the VPN connection in nm-connection-editor fix the

problem for you, Divan Santana?

No patch at all is required for me. nmtui works fine without the patch.

This issue is not present in Arch Linux using the more recent

NetworkManager 1.20.2. I have not yet attempted to upgrade Guix’

NetworkManager to a more recent version.

Regards,

Florian

pelzflorian (Florian Pelz) <pelzflorian@pelzflorian.de> writes:

I'll let you know.

pelzflorian (Florian Pelz) <pelzflorian@pelzflorian.de> writes:

So firstly I can't edit the connection as my user, without sudo. Not

sure if I need to be in some group to do that?

I then edited something like so:

ds@swift ~ $ sudo nm-connection-editor

Password:

(nm-connection-editor:1990): Gtk-WARNING **: 16:01:57.175: Could not find the icon 'pan-down-symbolic-ltr'. The 'hicolor' theme

was not found either, perhaps you need to install it.

You can get a copy from:

http://icon-theme.freedesktop.org/releases

(nm-connection-editor:1990): Gtk-WARNING **: 16:02:01.028: Could not load a pixbuf from /org/gtk/libgtk/theme/Adwaita/assets/check-symbolic.svg.

This may indicate that pixbuf loaders or the mime database could not be found.

GLib-GIO-Message: 16:02:08.131: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.

Once I edited the connection and tried to connect it still fails for me

like this:

ds@swift ~ $ sudo nmcli con up vpn-example --ask

Error: openconnect failed: Could not find "openconnect" binary

A password is required to connect to 'vpn-example'.

Gateway (vpn.secrets.gateway): ^Cds@swift ~ $

On arch, with the same connection file, it works on CLI with above

command.

I then tried starting nm-applet and then running:

ds@swift ~ $ sudo nmcli con up vpn-example

It then brings up the GUI and shows me a certificate for remote

gateway. Asks me to select my group and enter username and password. So

it appears like it's working. It then fails to auth for some reason.

Sep 28 16:07:16 localhost NetworkManager[506]: <info> [1569679636.8722] vpn-connection[0x1cae420,ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example",0]: VPN service disappeared

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0578] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/10)

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0847] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0860] keyfile: add connection in-memory (3a679fd7-0450-43ef-8e48-63850b1f0798,"tun0")

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0871] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0878] device (tun0): Activation: starting connection 'tun0' (3a679fd7-0450-43ef-8e48-63850b1f0798)

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0882] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0886] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0888] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0889] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0891] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.0893] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')

Sep 28 16:11:33 localhost nscd: 464 monitored file `/etc/resolv.conf` was written to

Sep 28 16:11:33 localhost NetworkManager[506]: <info> [1569679893.1084] device (tun0): Activation: successful, device activated.

Sep 28 16:11:34 localhost ntpd[507]: Listen normally on 11 tun0 10.7.246.164:123

Sep 28 16:11:34 localhost ntpd[507]: Listen normally on 12 tun0 [fe80::60db:5ddd:b445:60e9%11]:123

Sep 28 16:11:36 localhost nscd: 464 monitored file `/etc/resolv.conf` was moved into place, adding watch

Sep 28 16:11:47 localhost NetworkManager[506]: <info> [1569679907.3367] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')

Sep 28 16:11:48 localhost ntpd[507]: Deleting interface #11 tun0, 10.7.246.164#123, interface stats: received=0, sent=0, dropped=0, active_time=14 secs

Sep 28 16:11:48 localhost ntpd[507]: Deleting interface #12 tun0, fe80::60db:5ddd:b445:60e9%11#123, interface stats: received=0, sent=0, dropped=0, active_time=14 secs

Sep 28 16:12:02 localhost NetworkManager[506]: <info> [1569679922.9339] audit: op="connection-activate" uuid="ed432bd4-9078-493d-a9c3-fb7ac4199917" name="vpn-example" pid=2986 uid=1000 result="success"

Sep 28 16:12:02 localhost NetworkManager[506]: <info> [1569679922.9371] vpn-connection[0x1cae220,ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example",0]: Started the VPN service, PID 2992

Sep 28 16:12:02 localhost NetworkManager[506]: <info> [1569679922.9439] vpn-connection[0x1cae220,ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example",0]: Saw the service appear; activating connection

Sep 28 16:12:13 localhost ntpd[507]: Soliciting pool server 196.10.54.57

Sep 28 16:12:28 localhost NetworkManager[506]: <info> [1569679948.1291] settings-connection[0x1b091c0,ed432bd4-9078-493d-a9c3-fb7ac4199917]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/vpn-example (ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example"))

Sep 28 16:12:28 localhost NetworkManager[506]: <error> [1569679948.1318] vpn-connection[0x1cae220,ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example",0]: final secrets request failed to provide sufficient secrets

Sep 28 16:12:28 localhost NetworkManager[506]: <info> [1569679948.1343] vpn-connection[0x1cae220,ed432bd4-9078-493d-a9c3-fb7ac4199917,"vpn-example",0]: VPN service disappeared

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0102] error requesting auth for org.freedesktop.NetworkManager.wifi.share.protected: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0107] error requesting auth for org.freedesktop.NetworkManager.wifi.share.open: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0110] error requesting auth for org.freedesktop.NetworkManager.settings.modify.system: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0114] error requesting auth for org.freedesktop.NetworkManager.settings.modify.own: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0118] error requesting auth for org.freedesktop.NetworkManager.settings.modify.hostname: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0120] error requesting auth for org.freedesktop.NetworkManager.settings.modify.global-dns: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0124] error requesting auth for org.freedesktop.NetworkManager.reload: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0127] error requesting auth for org.freedesktop.NetworkManager.checkpoint-rollback: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0130] error requesting auth for org.freedesktop.NetworkManager.enable-disable-statistics: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

Sep 28 16:12:46 localhost NetworkManager[506]: <warn> [1569679966.0133] error requesting auth for org.freedesktop.NetworkManager.enable-disable-connectivity-check: Authorization check failed: Failed to open file “/proc/3076/status”: No such file or directory

For me, before editing the connection, NetworkManager crashed with a

segfault and restarted after attempting to connect with a faulty VPN

connection. The same may be what happens to you.

However, I can add a new connection with gnome-control-center or

nm-connection-editor (without using any “connection file”; GNOME asks

me for the sudo password though) and then I fill in the gateway field.

I can then use for example nmtui to activate the connection.

I noticed I have openconnect in my config.scm’s system packages, but I

believe it is not relevant.

I use:

(network-manager-service-type config =>

(network-manager-configuration

(inherit config)

(dns "dnsmasq")

(vpn-plugins (list network-manager-openconnect))))

dnsmasq is probably not required, but I do not know.

Regards,

Florian

On Sat, Sep 28, 2019 at 04:16:40PM +0200, Divan Santana wrote:

P.S. I use

(users (cons (user-account

(name "florian")

(comment "Florian Pelz")

(group "users")

(supplementary-groups '("wheel" "netdev"

"audio" "video"

"httpd" "kvm"))

(home-directory "/home/florian"))

%base-user-accounts))

which is the default when installing Guix with the GNOME desktop plus

unrelated httpd and kvm.

netdev group seems relevant.

Regards,

Florian

Regarding openconnect, no workarounds are necessary anymore for me on

core-updates, which uses a more recent network-manager@1.14.4 and will

soon be on Guix master.

Regards,

Florian

pelzflorian (Florian Pelz) <pelzflorian@pelzflorian.de> writes:

This is mine

(users (cons (user-account

(name "ds")

(comment "Divan Santana")

(group "users")

(supplementary-groups

'("adbusers" ;for adb

"wheel" "kvm" "audio" "video" "lp"

"docker"

;; "lpadmin"

"cdrom" "netdev"))

;;(shell #~(string-append #$zsh "/bin/zsh"))

(home-directory "/home/ds"))

%base-user-accounts))

Already had netdev. Seems same as yours. I'll look into it more

sometime.

Thanks

Hi again,

I'm not having any luck getting network-manager-openconnect to work for

me.

For one, using nm-connection-editor on cli or via exwm program launcher,

and creating a new connection tells me:

Insufficient privileges

Apr 12 21:32:20 swift NetworkManager[385]: <info> [1586719940.8362] audit: op="connection-add" pid=2616 uid=1000 result="fail" reason="Insufficient privileges."

$ id

uid=1000(ds) gid=998(users) groups=998(users),972(docker),975(libvirt),978(adbusers),984(kvm),986(cdrom),989(lp),990(netdev),991(audio),992(video),993(input),999(wheel)

Full system config is pasted below[1].

My groups appear fine. Perhaps some issue with polkit?

polkit is running though.

polkitd 864 1 0 12:33 ? 00:00:00 /gnu/store/mw57n9nj3y20bfm9ijcbpm16gpsik6sg-polkit-0.116/lib/polkit-1/polkitd --no-debug

Not sure if it's the way my desktop is started with exwm.

I am able to up / down connections via "nmcli con up id" and without

sudo.

Secondly, upping a openconnect network manager connection file which is

known to work on another distro results in this:

$ nmcli con up id my-vpn-2fa --ask

Error: openconnect failed: Could not find "openconnect" binary

A password is required to connect to 'my-vpn-2fa.

Gateway (vpn.secrets.gateway):

I notice that after about a minute the GUI form pops up. I then prompts

me for my 2FA meaning it passed the 1st authentication bit. After I

approve, it then dissapears and seems to disconnect.

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6929] agent-manager: req[0x1043510, :1.159/nmcli-connect/1000]: agent registered

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6976] audit: op="connection-activate" uuid="40441d34-5290-4631-8796-5fb57d0f1bf2" name="vpn-fnb-2fa" pid=12530 uid=1000 result="success"

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7034] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Started the VPN service, PID 12536

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7117] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Saw the service appear; activating connection

Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2173] settings-connection[0xecac80,40441d34-5290-4631-8796-5fb57d0f1bf2]: write: successfully committed (keyfile: update /etc/NetworkManager/system-connections/vpn-fnb-2fa (40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa"))

Apr 12 21:20:33 swift NetworkManager[360]: <error> [1586719233.2192] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: final secrets request failed to provide sufficient secrets

Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2234] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: VPN plugin: state changed: stopped (6)

Creating a new connecting via sudo and the starting it results in the

same.

Any idea?

[1]: (trimmed slightly)

Hi again,

I'm not having any luck getting network-manager-openconnect to work for

me.

For one, using nm-connection-editor on cli or via exwm program launcher,

and creating a new connection tells me:

Insufficient privileges

Apr 12 21:32:20 swift NetworkManager[385]: <info> [1586719940.8362] audit: op="connection-add" pid=2616 uid=1000 result="fail" reason="Insufficient privileges."

$ id

uid=1000(ds) gid=998(users) groups=998(users),972(docker),975(libvirt),978(adbusers),984(kvm),986(cdrom),989(lp),990(netdev),991(audio),992(video),993(input),999(wheel)

Full system config is pasted below[1].

My groups appear fine. Perhaps some issue with polkit?

polkit is running though.

polkitd 864 1 0 12:33 ? 00:00:00 /gnu/store/mw57n9nj3y20bfm9ijcbpm16gpsik6sg-polkit-0.116/lib/polkit-1/polkitd --no-debug

Not sure if it's the way my desktop is started with exwm.

I am able to up / down connections via "nmcli con up id" and without

sudo.

Secondly, upping a openconnect network manager connection file which is

known to work on another distro results in this:

$ nmcli con up id my-vpn-2fa --ask

Error: openconnect failed: Could not find "openconnect" binary

A password is required to connect to 'my-vpn-2fa.

Gateway (vpn.secrets.gateway):

I notice that after about a minute the GUI form pops up. I then prompts

me for my 2FA meaning it passed the 1st authentication bit. After I

approve, it then dissapears and seems to disconnect.

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6929] agent-manager: req[0x1043510, :1.159/nmcli-connect/1000]: agent registered

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.6976] audit: op="connection-activate" uuid="40441d34-5290-4631-8796-5fb57d0f1bf2" name="vpn-fnb-2fa" pid=12530 uid=1000 result="success"

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7034] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Started the VPN service, PID 12536

Apr 12 21:18:38 swift NetworkManager[360]: <info> [1586719118.7117] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: Saw the service appear; activating connection

Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2173] settings-connection[0xecac80,40441d34-5290-4631-8796-5fb57d0f1bf2]: write: successfully committed (keyfile: update /etc/NetworkManager/system-connections/vpn-fnb-2fa (40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa"))

Apr 12 21:20:33 swift NetworkManager[360]: <error> [1586719233.2192] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: final secrets request failed to provide sufficient secrets

Apr 12 21:20:33 swift NetworkManager[360]: <info> [1586719233.2234] vpn-connection[0x10d4330,40441d34-5290-4631-8796-5fb57d0f1bf2,"vpn-fnb-2fa",0]: VPN plugin: state changed: stopped (6)

Creating a new connecting via sudo and the starting it results in the

same.

Any idea?

[1]: (trimmed slightly)