ohwgiles / NetworkManager-f5vpn

NetworkManager plugin for accessing F5 SSL VPNs

Segfault when connecting #5

Closed derpda closed 3 years ago

derpda commented 3 years ago

Hey, first of all thanks for writing this nm extension!

I'm trying to connect to my university's F5 VPN, but do not get a dialog for entering a secret. nm-applet tells me it fails "because there were no valid VPN secrets".

I am running Arch Linux and am on kernel 5.12.9. My WM is i3 (if it helps). I am able to use other VPNs through networkmanager.

dmesg tells me:

[  847.206816] audit: type=1111 audit(1622975740.954:286): pid=8850 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=a244af62-b86a-4a34-872b-1960885a8f2a name="TokyoTechVPN" pid=766 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
[  847.343203] nm-f5vpn-auth-d[18577]: segfault at 0 ip 000055b6959e4d57 sp 00007ffc7b0f8480 error 4 in nm-f5vpn-auth-dialog[55b6959e4000+4000]
[  847.343222] Code: c1 ba 02 00 00 00 be 01 00 00 00 31 c0 ff 15 90 61 00 00 49 89 44 24 58 b8 01 00 00 00 66 0f 1f 44 00 00 48 63 f8 48 83 c0 01 <4d> 8b 7c c5 f0 4d 85 ff 75 ef 48 c1 e7 03 4d 89 6c 24 60 45 31 f6

I realize this isn't exactly a stack trace and probably not enough to go on, so let me know if there is any more info I can get you!

ohwgiles commented 3 years ago

Definitely should not segfault. I will fix that.

Having said that, it looks like this plugin will not work with your university's VPN. The auth-dialog essentially tries to parse the HTML presented by the web login form and request the necessary credentials from the user using a native GTK dialog. This works OK when you can rely on the web form presented by the server to be more or less consistent - but in this particular case it looks like it has been heavily customized (first time I've seen this...)

If you are happy doing the auth in the browser, then before the prompt to launch the proprietary client, you can copy the MRHSession cookie (need to fetch again when the session expires) and the tunnel ID (should be static) from the browser and insert it into the command line app provided in this repo using f5vpn-cli -c -h $HOST -z $VPN_ID -s $MRHSESSION, or equivalently using the nm plugin by adding the VPN ID and the session cookie to /etc/NetworkManager/system-connections/$VPN.nmconnection

I am open to suggestions for somehow supporting the authentication process for such customized servers....

derpda commented 3 years ago

I see, thank you for looking into this so quickly! As I don't intend to use this frequently, I am absolutely fine with some manual work.

I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.

I was able to get the MRHSession, but I have 2 problems:

Since I am on arch, I installed your extension from the networkmanager-f5vpn AUR package. Looking at the PKGBUILD, it seems that it just grabs the source from this repo, then builds and installs it. It does not set the WITH_CLI_TOOL option. I edited the PKGBUILD to also include that cmake option, but noticed f5vpn-cli is still not in the path. It seems that there are no install instructions for it, so a line like install(TARGETS f5vpn-cli RUNTIME DESTINATION bin) in CMakeLists.txt might be what's needed!

derpda commented 3 years ago

I tested it just now, and with the CMake change it does indeed install f5vpn-cli correctly to /usr/bin as part of the package. Remaining problem now is how to acquire the tunnel ID... I am not that familiar with VPNs so this might be trivial, but it would be great if you could help me out!

ohwgiles commented 3 years ago

how to acquire the tunnel ID...

It's a good question. You might find it somewhere in the html on the page where it requests to launch the proprietary client. Or you may find it with something like curl -b MRHSession=$SESSION 'https://$HOST/vdesk/resource_list.xml?resourcetype=res' - this is what the auth-dialog does.

derpda commented 3 years ago

So that returns the following with a valid session:

<res type='resource_list'>
  <opts>
    <opt type='available_rq' mode='GET' max_uri_size='2048' uri='/vdesk/resource_info_v2.xml' prtn_opt='1'/>
  </opts>
  <lists>
    <list type='network_access'>
      <entry type='group_names' param='na_res'>/Common/Network-Access__Service-A__Full</entry>
    </list>
  </lists>
</res>

What am I looking at here? =D

ohwgiles commented 3 years ago

The ID is /Common/Network-Access__Service-A__Full. In theory, you could have access to several different tunnels, they would then all be listed here and you would need to choose between them. In practice, I've only ever seen one option.
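As an added illustration (not code from this repository), the following parses a resource_list.xml body like the one posted above and extracts the network-access tunnel IDs, handling the multi-tunnel case the reply mentions. The sample document is constructed from the reply; the helper names are my own.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample, same shape as the resource_list.xml reply quoted above.
SAMPLE_RESOURCE_LIST = """<res type='resource_list'>
  <opts>
    <opt type='available_rq' mode='GET' max_uri_size='2048' uri='/vdesk/resource_info_v2.xml' prtn_opt='1'/>
  </opts>
  <lists>
    <list type='network_access'>
      <entry type='group_names' param='na_res'>/Common/Network-Access__Service-A__Full</entry>
    </list>
  </lists>
</res>"""

# Constructed variant with two tunnels, to show the "choose between them" case.
SAMPLE_TWO_TUNNELS = SAMPLE_RESOURCE_LIST.replace(
    "</entry>",
    "</entry>\n      <entry type='group_names' param='na_res'>/Common/NA-Example-B</entry>",
)


def tunnel_ids(xml_text: str) -> List[str]:
    """Return the tunnel IDs under <list type='network_access'>, in document order.

    Other list types are ignored; a document with no network-access list yields [].
    """
    root = ET.fromstring(xml_text)
    if root.tag != "res" or root.get("type") != "resource_list":
        raise ValueError("not an F5 resource_list document")
    ids = []
    for lst in root.iterfind("./lists/list[@type='network_access']"):
        for entry in lst.iterfind("entry"):
            text = (entry.text or "").strip()
            if text:
                ids.append(text)
    return ids


def choose_tunnel(xml_text: str, preferred: Optional[str] = None) -> str:
    """Pick the tunnel ID to pass as -z / f5vpn-tunnel-id.

    With one tunnel it is returned as-is; with several, the caller must name one.
    """
    ids = tunnel_ids(xml_text)
    if not ids:
        raise LookupError("no network_access tunnel available for this session")
    if preferred is not None:
        if preferred not in ids:
            raise LookupError(f"{preferred!r} not offered; available: {ids}")
        return preferred
    if len(ids) > 1:
        raise LookupError(f"{len(ids)} tunnels offered, choose one of: {ids}")
    return ids[0]
```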

derpda commented 3 years ago

Thank you! I'll try it as soon as I get back to my arch machine and let you know how it goes.

About suggestions for how to handle customized servers, what do you think about what I suggested earlier?

I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.

Is that feasible?

derpda commented 3 years ago

So it looks like I am getting a valid response:

f5vpn-cli -c -h apm.nap.gsic.titech.ac.jp -z /Common/Network-Access__Service-A__Full -s <valid_key>

Quickly returns

1bf5bc
connection closed

It looks like the connection is immediately closed. I figured this might be a permissions issue, and running it with sudo indeed gets me one step further:

<some key>
connection up!
ip route add 0.0.0.0/0 via 1.1.1.1 dev ppp0
resolvconf 131.112.125.58
resolvconf 131.112.181.2

It seems to stay open at this point, however I am not able to access anything with it.

Ideally I would like to use it with the nm addon to connect instead of the CLI tool, and just put the key in config manually. I can't seem to figure out the correct names to use in the <VPN>.nmconnection file, specifically those for the MRH_SESSION and the VPN_ID.

My current attempt is

[connection]
id=TokyoTechVPN
uuid=a244af62-b86a-4a34-872b-1960885a8f2a
type=vpn
autoconnect=false
permissions=

[vpn]
hostname=apm.nap.gsic.titech.ac.jp 
service-type=org.freedesktop.NetworkManager.f5vpn
secrets=263f73f3ea3b914b3da762ee57ad68d8
data={'f5vpn-tunnel-id':'/Common/Network-Access__Service-A__Full'}

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

(It's an old and thus invalid secret, left it there to show how exactly the config looks)

With this config, it still tries to open the auth-dialog and segfaults.

ohwgiles commented 3 years ago

You need to add to that file:

[vpn-secrets]
f5vpn-session-key=$MRH_SESSION
f5vpn-tunnel-id=$VPN_ID

You can remove secrets and data from [vpn]

derpda commented 3 years ago

Thank you!

This is now the nmconnection file

[connection]
id=TokyoTechVPN
uuid=a244af62-b86a-4a34-872b-1960885a8f2a
type=vpn
autoconnect=false
permissions=

[vpn]
hostname=apm.nap.gsic.titech.ac.jp 
service-type=org.freedesktop.NetworkManager.f5vpn

[vpn-secrets]
f5vpn-session-key=263f73f3ea3b914b3da762ee57ad68d8
f5vpn-tunnel-id=/Common/Network-Access__Service-A__Full

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

I am using a currently valid session key (ie not the same as in the config posted above), but running nmcli connection up TokyoTechVPN returns

Error: Connection activation failed: No valid secrets
Hint: use 'journalctl -xe NM_CONNECTION=a244af62-b86a-4a34-872b-1960885a8f2a + NM_DEVICE=wlan0' to get more details.

Running the suggested journalctl yields the following:

Jun 09 17:17:28 x1 NetworkManager[5399]: <info>  [1623226648.6392] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: Started the VPN service, PID 5460
Jun 09 17:17:28 x1 NetworkManager[5399]: <info>  [1623226648.6480] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: Saw the service appear; activating connection
Jun 09 17:17:28 x1 NetworkManager[5399]: <error> [1623226648.6510] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: plugin NeedSecrets request #1 failed: URL using bad/illegal format or missing URL
Jun 09 17:17:28 x1 NetworkManager[5399]: <info>  [1623226648.6524] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: VPN plugin: state changed: stopped (6)

It seems the URL is somehow malformed? Sorry to keep bothering you with this, and thanks again for helping out!

ohwgiles commented 3 years ago

Regarding the command line client; since it is intended for debugging it does not actually modify your routing tables or your DNS settings, just prints the ip route command and resolv.conf entries you would need to use:

ip route add 0.0.0.0/0 via 1.1.1.1 dev ppp0
resolvconf 131.112.125.58
resolvconf 131.112.181.2

The fact you got this far means there is no reason it should not work with network manager, which would then handle the routes and dns for you.

I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.

Yes, this is feasible, but at least for servers where it isn't necessary I think it would be a step backwards in usability. I'm not very motivated to implement it myself but would accept a PR that did so.

ohwgiles commented 3 years ago

It seems the URL is somehow malformed?

Looks ok to me... is the hostname the exact same hostname you used with f5vpn-cli? For further debugging you might need to compile the plugin with the WITH_DEBUG cmake option.

derpda commented 3 years ago

Yes, this is feasible, but at least for servers where it isn't necessary I think it would be a step backwards in usability. I'm not very motivated to implement it myself but would accept a PR that did so.

Makes sense. I personally don't need this VPN all that much, but if I feel like learning more about gtk and VPNs I might look into it.

I found the problem with my config... there was a rogue space at the end of the line

hostname=apm.nap.gsic.titech.ac.jp 

You can see that in the config I posted. My user vim settings delete trailing whitespace, but running it with sudo vim bypasses that config. Embarrassing stuff...

So NetworkManager now successfully connects to the VPN - great! Sadly I still cannot connect to anything - I can't even ping 8.8.8.8 (Google DNS). Maybe something about the routing? I can confirm that the VPN works from my phone.

Let me know if this goes beyond the scope of this repo!
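The trailing-space bug above is easy to miss because keyfile parsers strip values, so the obvious "print the config" check shows nothing. As an added example (my own code, not part of this repository or NetworkManager), here is a small linter for an f5vpn .nmconnection file that inspects raw lines for trailing whitespace, checks the [vpn-secrets] keys named earlier in the thread, and flags the old secrets=/data= keys in [vpn]. The sample file is constructed with a placeholder session key.

```python
import configparser
from typing import List

F5_SERVICE = "org.freedesktop.NetworkManager.f5vpn"
REQUIRED = {"vpn": ["hostname", "service-type"],
            "vpn-secrets": ["f5vpn-session-key", "f5vpn-tunnel-id"]}

# Constructed sample mirroring the thread's config; the trailing space after the
# hostname is added explicitly so it survives copy/paste. Session key is a placeholder.
BROKEN_KEYFILE = (
    "[connection]\nid=TokyoTechVPN\ntype=vpn\nautoconnect=false\npermissions=\n\n"
    "[vpn]\nhostname=apm.nap.gsic.titech.ac.jp" + " " + "\n"
    f"service-type={F5_SERVICE}\n"
    "secrets=deadbeefdeadbeefdeadbeefdeadbeef\n\n"
    "[vpn-secrets]\nf5vpn-session-key=PLACEHOLDER_SESSION_KEY\n"
    "f5vpn-tunnel-id=/Common/Network-Access__Service-A__Full\n\n"
    "[ipv4]\ndns-search=\nmethod=auto\n\n[proxy]\n"
)


def lint_f5vpn_keyfile(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the file looks usable."""
    problems = []
    # Raw-line pass: configparser strips values, so trailing whitespace must be caught here.
    for lineno, line in enumerate(text.splitlines(), 1):
        if "=" in line and line != line.rstrip():
            key = line.split("=", 1)[0].strip()
            problems.append(f"line {lineno}: trailing whitespace in value of '{key}'")
    # '=' only: values such as data={'k':'v'} contain ':' which is also a default delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    for section, keys in REQUIRED.items():
        if section not in cp:
            problems.append(f"missing [{section}] section")
            continue
        for key in keys:
            if not cp[section].get(key, "").strip():
                problems.append(f"missing or empty {key} in [{section}]")
    if "vpn" in cp:
        if cp["vpn"].get("service-type") != F5_SERVICE:
            problems.append(f"[vpn] service-type should be {F5_SERVICE}")
        for stale in ("secrets", "data"):
            if stale in cp["vpn"]:
                problems.append(f"[vpn] {stale}= can be removed; the plugin reads [vpn-secrets]")
    return problems
```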

ohwgiles commented 3 years ago

Sadly I still cannot connect to anything - I can't even ping 8.8.8.8 (Google DNS). Maybe something about the routing?

Hmm... can you ping the tunnel endpoint 1.1.1.1? Can you ping the DNS server 131.112.125.58?

derpda commented 3 years ago

I cannot ping either. ip route show returns the following:

default via 1.1.1.1 dev ppp0 proto static metric 50 
default via 192.168.1.1 dev wlan0 proto dhcp metric 600 
1.1.1.1 dev ppp0 proto kernel scope link src 131.112.9.51 metric 50 
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.156 metric 600

ohwgiles commented 3 years ago

Debugging further will get a bit tricky. I would try to get f5vpn-cli working first. It would probably mean running the proprietary client and comparing them, which could require MITMing yourself to compare the ppp data that goes over ssl. Maybe there is some extra option or behaviour required by this server that openssl+pppd does not implement by default. A bit strange, since the first handshake obviously succeeds...

derpda commented 3 years ago

I'll try and see if I can come up with anything. If I find a specific problem and if that problem is connected with this repo I'll make a new issue, but now I'll close this one. Thanks for all the help!

ohwgiles commented 3 years ago

NB: Web login implemented in 807a7f208e084364fc80b5170223004f42526e48