
NetworkManager problem with 1.20.4 on Linux

Open UffeJakobsen opened this issue 1 year ago • 20 comments

Hello,

I see what appears to be similar problems as reported in #1118

I'm running ArchLinux

Using a (known working) connection profile from NetworkManager GUI I'm able to authenticate and establish VPN connection with openfortivpn-1.20.4 - but no data gets through the VPN

But I'm able to connect with openfortivpn-1.20.4 started manually from the CLI - and data will flow through the VPN

Downgrading to openfortivpn-1.20.3 solves the problem - connection profiles via NetworkManager GUI are working again

With openfortivpn-1.20.4 - connections established through NetworkManager GUI connection profiles terminate after 2.5 minutes with this message - as you can see it is a one-way connection (Sent 18110 bytes, received 0 bytes.)

    pppd[6025]: No response to 4 echo-requests
    NetworkManager[6025]: No response to 4 echo-requests
    NetworkManager[6025]: Serial link appears to be disconnected.
    NetworkManager[6025]: Connect time 2.5 minutes.
    NetworkManager[6025]: Sent 18110 bytes, received 0 bytes.
    pppd[6025]: Serial link appears to be disconnected.
    pppd[6025]: Connect time 2.5 minutes.
    pppd[6025]: Sent 18110 bytes, received 0 bytes.

BTW: archlinux is using pppd version 2.4.9 (package name ppp-2.4.9-3)

Looking at your commit log between versions 1.20.3 and 1.20.4 - I see only one commit - adding option "ipcp-accept-remote"

Could it be that you have created some sort of incompatibility with pppd versions < 2.5.0 ?

UffeJakobsen avatar Jun 22 '23 09:06 UffeJakobsen

It works for me on Ubuntu 22.04 with PPP 2.4.9.

Please try from the command line, not Network Manager.

DimitriPapadopoulos avatar Jun 22 '23 09:06 DimitriPapadopoulos

> Please try from the command line, not Network Manager.

I already stated that in my first entry - CLI works - NM GUI does not - downgrading to openfortivpn-1.20.3 makes NM GUI work again

In short - these are the important details from the first entry:

  1. From NM GUI: I'm able to authenticate and establish VPN connection with openfortivpn-1.20.4 - but no data gets through the VPN

  2. From CLI: I'm able to authenticate and establish VPN connection with openfortivpn-1.20.4 - and data will flow through the VPN

  3. Downgrading to openfortivpn-1.20.3 solves the problem from 1) - connection profiles via NetworkManager GUI are working again

UffeJakobsen avatar Jun 22 '23 10:06 UffeJakobsen

I have the exact same issue, downgrading to 1.20.3 fixes it

ironashram avatar Jun 22 '23 12:06 ironashram

Have you opened a ticket against NetworkManager-fortisslvpn?

DimitriPapadopoulos avatar Jun 22 '23 12:06 DimitriPapadopoulos

just opened https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/-/issues/63 and pointed to this issue

ironashram avatar Jun 22 '23 13:06 ironashram

I will revert 3b54df0, making its code optional. But chances are this will break PPP 2.5.0 again.

DimitriPapadopoulos avatar Jun 22 '23 21:06 DimitriPapadopoulos

I'm experiencing the same issue, on my system it is assigning the VPN server address as the Peer address on the ppp0 interface. As a result the VPN can no longer reach the VPN server as all VPN traffic is routed via itself, the connection then gives up after 2.5 minutes when it times out.

Manually setting the correct peer address and replacing the routes restores my VPN connectivity, and it no longer stops after 2.5 minutes.

I'm seeing this on Arch with:

networkmanager 1.42.6-1
networkmanager-fortisslvpn 1.4.0-2
openfortivpn 1.20.4-1

pentaxslr avatar Jun 23 '23 08:06 pentaxslr
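
The condition described in the comment above (the ppp0 peer address equal to the VPN server address, so traffic to the server is routed into the tunnel itself) can be checked from `ip` output. This is an added example, not part of the original thread or of openfortivpn; the gateway address 192.0.2.10, the interface names and the sample `ip` lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; not code from openfortivpn or NetworkManager-fortisslvpn.

# Constructed samples of `ip -o -4 addr show dev ppp0` and `ip route get 192.0.2.10`.
SAMPLE_ADDR_BAD='5: ppp0    inet 10.212.134.200 peer 192.0.2.10/32 scope global ppp0\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE_BAD='192.0.2.10 dev ppp0 src 10.212.134.200 uid 1000'
SAMPLE_ADDR_OK='5: ppp0    inet 10.212.134.200 peer 169.254.2.1/32 scope global ppp0\       valid_lft forever preferred_lft forever'
SAMPLE_ROUTE_OK='192.0.2.10 via 192.168.1.1 dev wlan0 src 192.168.1.50 uid 1000'

# word_after KEY TEXT: print the token that follows KEY, with any /prefix removed.
word_after() {
    printf '%s\n' "$2" | awk -v key="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == key) { sub(/\/.*/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# diagnose GATEWAY IFACE ADDR_TEXT ROUTE_TEXT prints one of:
#   loop            - peer is the gateway and the gateway is routed via IFACE
#   peer-is-gateway - peer is the gateway, but the route to it leaves elsewhere
#   ok              - peer differs from the gateway
diagnose() {
    peer=$(word_after peer "$3")
    dev=$(word_after dev "$4")
    if [ "$peer" = "$1" ] && [ "$dev" = "$2" ]; then
        echo loop
    elif [ "$peer" = "$1" ]; then
        echo peer-is-gateway
    else
        echo ok
    fi
}

# Live use (GW is the VPN server address of your own profile):
#   diagnose "$GW" ppp0 "$(ip -o -4 addr show dev ppp0)" "$(ip route get "$GW")"
echo "peer equals gateway: $(diagnose 192.0.2.10 ppp0 "$SAMPLE_ADDR_BAD" "$SAMPLE_ROUTE_BAD")"
echo "peer differs:        $(diagnose 192.0.2.10 ppp0 "$SAMPLE_ADDR_OK" "$SAMPLE_ROUTE_OK")"
```

A `loop` result matches the one-way traffic in the pppd log of the first post: bytes are sent, nothing is received, and the link drops when the echo requests time out.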

@pentaxslr We have released 1.20.5, which partially reverts 3b54df0 from 1.20.4, making its code optional. This will give us time to get to the bottom of this issue. Doesn't it work for you?

DimitriPapadopoulos avatar Jun 24 '23 10:06 DimitriPapadopoulos

I also seem to have this issue (CLI works but NM Gui not). I am on Arch and will test/report back as soon as the package has been updated to 1.20.5

Utini2000 avatar Jun 26 '23 07:06 Utini2000

Upgraded manually to 1.20.5, now everything works fine (ArchLinux + NetworkManager + NetworkManager-fortisslvpn + openfortivpn), on 1.20.4 experienced the same issue as described by the OP

mexus avatar Jun 26 '23 10:06 mexus

@arthurrmp This issue is about NetworkManager. I doubt you have the same issue on macOS.

DimitriPapadopoulos avatar Jun 26 '23 11:06 DimitriPapadopoulos

@Utini2000 @mexus Please note that 1.20.5 is a temporary revert of the change in 1.20.4.

I believe the change will eventually have to be re-applied, so this issue needs to be fixed in NetworkManager-fortisslvpn. Do not hesitate to comment in NetworkManager-fortisslvpn#63 instead of here, if you want the issue fixed.

DimitriPapadopoulos avatar Jun 26 '23 11:06 DimitriPapadopoulos

> @Utini2000 @mexus Please note that 1.20.5 is a temporary revert of the change in 1.20.4.
>
> I believe the change will eventually have to be re-applied, so this issue needs to be fixed in NetworkManager-fortisslvpn. Do not hesitate to comment in NetworkManager-fortisslvpn#63 instead of here, if you want the issue fixed.

Thanks @DimitriPapadopoulos ! By the way, do you have any thoughts on what could have gone wrong with the plugin?

mexus avatar Jun 26 '23 12:06 mexus

> Thanks @DimitriPapadopoulos ! By the way, do you have any thoughts on what could have gone wrong with the plugin?

For now, I haven't found the time to look into it, but:

  1. The need for this change is explained in https://github.com/adrienverge/openfortivpn/pull/1111#issuecomment-1572513382:

    The change from this PR disables enforcement of the remote IP when one is explicitly configured. It is unlikely that the VPN server would ever accept "169.254.2.1" as its address.

    The remote address is hardcoded here: https://github.com/adrienverge/openfortivpn/blob/0141147530f3516b70ebb78ef89585c3fd1b8f4f/src/tunnel.c#L236

  2. An effect of this change is explained in https://github.com/adrienverge/openfortivpn/issues/1120#issuecomment-1603953588:

    I'm experiencing the same issue, on my system it is assigning the VPN server address as the Peer address on the ppp0 interface. As a result the VPN can no longer reach the VPN server as all VPN traffic is routed via itself, the connection then gives up after 2.5 minutes when it times out.

We probably just need to make an exception for the VPN server address itself when routing through the tunnel (there should probably be an exception for the DHCP server too but that's another issue). Patches welcome, here (at least for macOS) and in NetworkManager-fortisslvpn!

DimitriPapadopoulos avatar Jun 27 '23 09:06 DimitriPapadopoulos

I use version 1.20.5 on FreeBSD 14.0-CURRENT. FreeBSD obviously does not use NetworkManager and the same issue happens as well, with openfortivpn starting from the command line.

pkubaj avatar Jul 27 '23 08:07 pkubaj

@pkubaj I am surprised you experience the "same issue", as openfortivpn uses ppp instead of pppd on FreeBSD. Please open a different ticket if needed.

DimitriPapadopoulos avatar Jul 27 '23 09:07 DimitriPapadopoulos

The following versions under Fedora 39 Silverblue exhibit the same issue:

openfortivpn-1.21.0-2.fc39.x86_64
NetworkManager-fortisslvpn-1.4.0-5.fc39.x86_64
NetworkManager-fortisslvpn-gnome-1.4.0-5.fc39.x86_64

What exactly is the status on this issue?

ziswiler avatar Nov 27 '23 07:11 ziswiler

@ziswiler Which issue? Have you tried openfortivpn from the command line? If not, please do and report back.

DimitriPapadopoulos avatar Nov 27 '23 07:11 DimitriPapadopoulos

Yes, but the NetworkManager integration still fails just as described in this ticket.

ziswiler avatar Nov 27 '23 07:11 ziswiler

It's best to create a ticket, or follow an existing one, on the NetworkManager-fortisslvpn page. In the meantime, #1171 and this ticket #1120 probably describe the problem best.

DimitriPapadopoulos avatar Nov 27 '23 08:11 DimitriPapadopoulos