Closed derpda closed 3 years ago
Definitely should not segfault. I will fix that.
Having said that, it looks like this plugin will not work with your university's VPN. The auth-dialog essentially tries to parse the HTML presented by the web login form and request the necessary credentials from the user using a native GTK dialog. This works OK when you can rely on the web form presented by the server to be more or less consistent - but in this particular case it looks like it has been heavily customized (first time I've seen this...)
If you are happy doing the auth in the browser, then before the prompt to launch the proprietary client, you can copy the MRHSession cookie (need to fetch again when the session expires) and the tunnel ID (should be static) from the browser and insert it into the command line app provided in this repo using f5vpn-cli -c -h $HOST -z $VPN_ID -s $MRHSESSION, or equivalently using the nm plugin by adding the VPN ID and the session cookie to /etc/NetworkManager/system-connections/$VPN.nmconnection
I am open to suggestions for somehow supporting the authentication process for such customized servers....
I see, thank you for looking into this so quickly! As I don't intend to use this frequently, I am absolutely fine with some manual work.
I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.
I was able to get the MRHSession, but I have 2 problems:
VPN_ID
)?$PATH
and I cannot find any such program with find. Since I am on arch, I installed your extension from the networkmanager-f5vpn AUR package.
Looking at the PKGBUILD, it seems that it just grabs the source from this repo, then builds and installs it.
It does not set the WITH_CLI_TOOL option. I edited the PKGBUILD to also include that cmake option, but noticed f5vpn-cli is still not in the path.
It seems that there are no install instructions for it, so a line like
install(TARGETS f5vpn-cli RUNTIME DESTINATION bin)
in CMakeLists.txt might be what's needed!
I tested it just now, and with the CMake change it does indeed install f5vpn-cli correctly to /usr/bin as part of the package.
Remaining problem now is how to acquire the tunnel ID...
I am not that familiar with VPNs so this might be trivial, but it would be great if you could help me out!
how to acquire the tunnel ID...
It's a good question. You might find it somewhere in the html on the page where it requests to launch the proprietary client. Or you may find it with something like curl -b MRHSession=$SESSION 'https://$HOST/vdesk/resource_list.xml?resourcetype=res' - this is what the auth-dialog does.
So that returns the following with a valid session:
<res type='resource_list'>
<opts>
<opt type='available_rq' mode='GET' max_uri_size='2048' uri='/vdesk/resource_info_v2.xml' prtn_opt='1'/>
</opts>
<lists>
<list type='network_access'>
<entry type='group_names' param='na_res'>/Common/Network-Access__Service-A__Full</entry>
</list>
</lists>
</res>
What am I looking at here? =D
The ID is /Common/Network-Access__Service-A__Full. In theory, you could have access to several different tunnels, they would then all be listed here and you would need to choose between them. In practice, I've only ever seen one option.
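The selection step described above, as an added Python example (not code from this repo): it pulls the network_access tunnel IDs out of a resource_list.xml body like the one returned by that curl command and refuses to guess when more than one is listed. The sample body is constructed from the response in this thread with a second, hypothetical tunnel added.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the resource_list.xml body from this thread, with a
# second (hypothetical) tunnel added to exercise the multi-tunnel case.
SAMPLE_RESOURCE_LIST = """<res type='resource_list'>
<opts>
<opt type='available_rq' mode='GET' max_uri_size='2048' uri='/vdesk/resource_info_v2.xml' prtn_opt='1'/>
</opts>
<lists>
<list type='network_access'>
<entry type='group_names' param='na_res'>/Common/Network-Access__Service-A__Full</entry>
<entry type='group_names' param='na_res'>/Common/Network-Access__Service-B__Split</entry>
</list>
</lists>
</res>"""

def tunnel_ids(xml_text):
    """Return every network_access tunnel ID advertised for this session."""
    root = ET.fromstring(xml_text)  # raises ParseError on an HTML login page
    if root.tag != "res" or root.get("type") != "resource_list":
        raise ValueError("not a resource_list document (expired session?)")
    ids = []
    for lst in root.iter("list"):
        if lst.get("type") != "network_access":
            continue
        for entry in lst.findall("entry"):
            if entry.get("type") == "group_names" and entry.text:
                ids.append(entry.text.strip())
    return ids

def choose_tunnel(xml_text, preferred=None):
    """Pick the value to pass as -z / f5vpn-tunnel-id. One tunnel is
    unambiguous; with several, the caller must name one explicitly."""
    ids = tunnel_ids(xml_text)
    if not ids:
        raise LookupError("no network_access tunnels listed for this session")
    if preferred is None:
        if len(ids) > 1:
            raise LookupError(f"{len(ids)} tunnels available, pick one: {ids}")
        return ids[0]
    if preferred not in ids:
        raise LookupError(f"{preferred!r} is not one of {ids}")
    return preferred
```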
Thank you! I'll try it as soon as I get back to my arch machine and let you know how it goes.
About suggestions for how to handle customized servers, what do you think about what I suggested earlier?
I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.
Is that feasible?
So it looks like I am getting a valid response:
f5vpn-cli -c -h apm.nap.gsic.titech.ac.jp -z /Common/Network-Access__Service-A__Full -s <valid_key>
Quickly returns
1bf5bc
connection closed
It looks like the connection is immediately closed. I figured this might be a permissions issue, and running it with sudo indeed gets me one step further:
<some key>
connection up!
ip route add 0.0.0.0/0 via 1.1.1.1 dev ppp0
resolvconf 131.112.125.58
resolvconf 131.112.181.2
It seems to stay open at this point, however I am not able to access anything with it.
Ideally I would like to use it with the nm addon to connect instead of the CLI tool, and just put the key in config manually.
I can't seem to figure out the correct names to use in the <VPN>.nmconnection file, specifically those for the MRH_SESSION and the VPN_ID.
My current attempt is
[connection]
id=TokyoTechVPN
uuid=a244af62-b86a-4a34-872b-1960885a8f2a
type=vpn
autoconnect=false
permissions=
[vpn]
hostname=apm.nap.gsic.titech.ac.jp
service-type=org.freedesktop.NetworkManager.f5vpn
secrets=263f73f3ea3b914b3da762ee57ad68d8
data={'f5vpn-tunnel-id':'/Common/Network-Access__Service-A__Full'}
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
[proxy]
(It's an old and thus invalid secret, left it there to show how exactly the config looks)
With this config, it still tries to open the auth-dialog and segfaults.
You need to add to that file:
[vpn-secrets]
f5vpn-session-key=$MRH_SESSION
f5vpn-tunnel-id=$VPN_ID
You can remove secrets and data from [vpn]
Thank you!
This is now the nmconnection file
[connection]
id=TokyoTechVPN
uuid=a244af62-b86a-4a34-872b-1960885a8f2a
type=vpn
autoconnect=false
permissions=
[vpn]
hostname=apm.nap.gsic.titech.ac.jp
service-type=org.freedesktop.NetworkManager.f5vpn
[vpn-secrets]
f5vpn-session-key=263f73f3ea3b914b3da762ee57ad68d8
f5vpn-tunnel-id=/Common/Network-Access__Service-A__Full
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
[proxy]
I am using a currently valid session key (ie not the same as in the config posted above), but running nmcli connection up TokyoTechVPN returns
Error: Connection activation failed: No valid secrets
Hint: use 'journalctl -xe NM_CONNECTION=a244af62-b86a-4a34-872b-1960885a8f2a + NM_DEVICE=wlan0' to get more details.
Running the suggested journalctl yields the following:
Jun 09 17:17:28 x1 NetworkManager[5399]: <info> [1623226648.6392] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: Started the VPN service, PID 5460
Jun 09 17:17:28 x1 NetworkManager[5399]: <info> [1623226648.6480] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: Saw the service appear; activating connection
Jun 09 17:17:28 x1 NetworkManager[5399]: <error> [1623226648.6510] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: plugin NeedSecrets request #1 failed: URL using bad/illegal format or missing URL
Jun 09 17:17:28 x1 NetworkManager[5399]: <info> [1623226648.6524] vpn-connection[0x55edcd91e100,a244af62-b86a-4a34-872b-1960885a8f2a,"TokyoTechVPN",0]: VPN plugin: state changed: stopped (6)
It seems the URL is somehow malformed? Sorry to keep bothering you with this, and thanks again for helping out!
Regarding the command line client; since it is intended for debugging it does not actually modify your routing tables or your DNS settings, just prints the ip route command and resolv.conf entries you would need to use:
ip route add 0.0.0.0/0 via 1.1.1.1 dev ppp0
resolvconf 131.112.125.58
resolvconf 131.112.181.2
The fact you got this far means there is no reason it should not work with network manager, which would then handle the routes and dns for you.
I'm not familiar with how nm and this extension work, but would it be possible to have the login happen in the browser instead of a GTK dialog? Much like Slack opens a new browser tab to let you login to another workspace.
Yes, this is feasible, but at least for servers where it isn't necessary I think it would be a step backwards in usability. I'm not very motivated to implement it myself but would accept a PR that did so.
It seems the URL is somehow malformed?
Looks ok to me....is the hostname the exact same hostname you used with f5vpn-cli? For further debug might need to compile the plugin with WITH_DEBUG cmake option.
Yes, this is feasible, but at least for servers where it isn't necessary I think it would be a step backwards in usability. I'm not very motivated to implement it myself but would accept a PR that did so.
Makes sense. I personally don't need this VPN all that much, but if I feel like learning more about gtk and VPNs I might look into it.
I found the problem with my config... there was a rogue space at the end of the line
hostname=apm.nap.gsic.titech.ac.jp
You can see that in the config I posted.
My user vim settings delete trailing whitespace, but running it with sudo vim
bypasses that config.
Embarrassing stuff...
So NetworkManager now successfully connects to the VPN - great!
Sadly I still cannot connect to anything - I can't even ping 8.8.8.8 (Google DNS).
Maybe something about the routing?
I can confirm that the VPN works from my phone.
Let me know if this goes beyond the scope of this repo!
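An added check (not code from this repo) for the two configuration problems hit in this thread: a [vpn-secrets] key that is missing, and trailing whitespace in a value such as hostname, which a standard INI reader would silently strip and which here produced the "URL using bad/illegal format" error. The sample file, including its session key, is a constructed placeholder.

```python
REQUIRED_SECRETS = ("f5vpn-session-key", "f5vpn-tunnel-id")
F5_SERVICE = "org.freedesktop.NetworkManager.f5vpn"

# Constructed sample: the thread's working layout with the trailing space after
# the hostname put back and f5vpn-tunnel-id left out; the key is a placeholder.
SAMPLE_NMCONNECTION = "\n".join([
    "[connection]",
    "id=TokyoTechVPN",
    "type=vpn",
    "",
    "[vpn]",
    "hostname=apm.nap.gsic.titech.ac.jp" + " ",  # the rogue trailing space
    "service-type=org.freedesktop.NetworkManager.f5vpn",
    "",
    "[vpn-secrets]",
    "f5vpn-session-key=PLACEHOLDER_SESSION_KEY",
])

def parse_keyfile(text):
    """Keyfile reader that keeps raw values: {section: {key: (value, line)}}."""
    sections, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            continue
        key, sep, value = raw.partition("=")
        if sep and section is not None:
            sections[section][key.strip()] = (value, lineno)  # value unstripped
    return sections

def check_nmconnection(text):
    """Return human-readable problems; an empty list means the file looks sane."""
    problems, sections = [], parse_keyfile(text)
    vpn = sections.get("vpn", {})
    if vpn.get("service-type", ("", 0))[0].strip() != F5_SERVICE:
        problems.append(f"[vpn] service-type must be {F5_SERVICE}")
    secrets = sections.get("vpn-secrets", {})
    for key in REQUIRED_SECRETS:
        if key not in secrets or not secrets[key][0].strip():
            problems.append(f"[vpn-secrets] {key} missing or empty")
    for sec, entries in sections.items():
        for key, (value, lineno) in entries.items():
            if value != value.rstrip():
                problems.append(f"line {lineno}: trailing whitespace in [{sec}] {key}")
    return problems
```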
Sadly I still cannot connect to anything - I can't even ping 8.8.8.8 (Google DNS). Maybe something about the routing?
Hmm... can you ping the tunnel endpoint 1.1.1.1? Can you ping the DNS server 131.112.125.58?
I cannot ping either.
ip route show returns the following:
default via 1.1.1.1 dev ppp0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
1.1.1.1 dev ppp0 proto kernel scope link src 131.112.9.51 metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.156 metric 600
Debugging further will get a bit tricky. I would try to get f5vpn-cli working first. It would probably mean running the proprietary client and comparing them, which could require MITMing yourself to compare the ppp data that goes over ssl. Maybe there is some extra option or behaviour required by this server that openssl+pppd does not implement by default. A bit strange, since the first handshake obviously succeeds...
I'll try and see if I can come up with anything. If I find a specific problem and if that problem is connected with this repo I'll make a new issue, but now I'll close this one. Thanks for all the help!
NB: Web login implemented in 807a7f208e084364fc80b5170223004f42526e48
Hey, first of all thanks for writing this nm extension!
I'm trying to connect to my university's F5 VPN, but do not get a dialog for entering a secret. nm-applet tells me it fails "because there were no valid VPN secrets".
I am running Arch Linux and am on kernel 5.12.9. My WM is i3 (if it helps). I am able to use other VPNs through networkmanager.
dmesg tells me:
I realize this isn't exactly a stack trace and probably not enough to go on, so let me know if there is any more info I can get you!