François' Blog

OpenVPN and NetworkManager 1.2

Published on 2016-05-15

Doing a new round of tests for OpenVPN client support, I decided to test how well Fedora 24 Beta and Ubuntu 16.04 work. They both have NetworkManager 1.2, which brings a lot of improvements to the OpenVPN plugin, particularly when importing configurations. Specifically, I was testing how well imports from eduvpn, a managed VPN service, worked.

It turned out it works pretty well, with a minor issue that is already fixed in the development branch of NetworkManager. Ubuntu has some issues with DNS servers provided over the VPN.

Importing a configuration using NetworkManager 1.2 resulted in a small issue with comp-lzo that was fixed the same day, for inclusion in an upcoming point release of NetworkManager 1.2. In the case of eduvpn, the server configuration set and pushed comp-lzo:

comp-lzo no
push "comp-lzo no"

The client had the following:

comp-lzo no

The issue was that the OpenVPN import in NetworkManager treated comp-lzo no as compression being disabled, which is only kind of correct: having this option present, even when it is set to no, allows the server to override it. Even if the server then overrides it with no again, the connection still does not work when comp-lzo is missing from the client configuration:

WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Using comp-lzo yes in the client configuration allows for the import to work correctly and the VPN to work perfectly on Fedora.
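The distinction the import missed can be checked mechanically. The following is an added example, not code from NetworkManager or OpenVPN: the function names are hypothetical, and the sample configurations and the vpn.example.org host are constructed. It treats comp-lzo as having distinct "absent" and "no" states and flags an import that dropped the directive.

```shell
#!/bin/sh
# Added example (not from NetworkManager or OpenVPN): comp-lzo has more
# states than on/off. "absent" and "no" differ; an importer must not merge them.

# Print how a config file sets comp-lzo: absent | no | yes | adaptive
comp_lzo_state() {
    awk '
        { sub(/\r$/, ""); sub(/[#;].*$/, "") }   # drop CR and comments
        $1 == "comp-lzo" {
            # A bare "comp-lzo" defaults to adaptive. If the directive is
            # repeated, this sketch reports the last occurrence.
            state = (NF >= 2) ? $2 : "adaptive"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# Succeed (exit 0) when the original config carried comp-lzo in any mode
# but the imported/exported copy no longer has the directive at all.
import_lost_comp_lzo() {
    [ "$(comp_lzo_state "$1")" != "absent" ] &&
        [ "$(comp_lzo_state "$2")" = "absent" ]
}

# Constructed sample: what the client had, and what a lossy import produces.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'client\nremote vpn.example.org 1194\ncomp-lzo no\n' > "$dir/original.ovpn"
    printf 'client\nremote vpn.example.org 1194\n' > "$dir/imported.ovpn"
    echo "original: $(comp_lzo_state "$dir/original.ovpn")"
    echo "imported: $(comp_lzo_state "$dir/imported.ovpn")"
    if import_lost_comp_lzo "$dir/original.ovpn" "$dir/imported.ovpn"; then
        echo "import dropped comp-lzo: expect the 'missing in local config' warning"
    fi
    rm -rf "$dir"
}
demo
```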

On Ubuntu there is an additional issue with DNS, particularly in the part that integrates with dnsmasq. It was reported almost 3 years ago, but hasn't been fixed yet.

The work-around is not difficult, but still cumbersome and requires root. Disable dnsmasq for NetworkManager, which is used by default on Ubuntu, by modifying /etc/NetworkManager/NetworkManager.conf: add a # in front of the dns=dnsmasq line. Then restart NetworkManager, or simply reboot the system. That should be all!