andrew-bibb edited this page Feb 20, 2021 · 31 revisions

NOTE 2016.02.19 VPN Permissions
As of Connman version 1.31 the connman-vpn daemon has been limited in what it can do and where it can go. Your certificate, key, config and user|pass files must be in world-readable locations. If you try to connect and the progress bar stops immediately, you likely have permissions somewhere on the path to those files that make them unreadable. In my Arch Linux installation I had to change the permissions on my home directory from 700 to 755 to make OpenVPN work with Connman version 1.31.
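To find which element of a path stops another uid from reading a file, the following added Python script (not part of CMST or Connman) walks every directory from / down to the file and reports any that lack world-execute, plus a file that lacks world-read. The mode table it ships with is constructed to mirror the 700 home directory described above; on a live system it reads the modes with os.stat.

```python
import os
import stat
import sys
from pathlib import PurePosixPath

# A process running under another uid needs search (o+x) on every directory
# leading to the file and read (o+r) on the file itself.
DIR_NEED = stat.S_IXOTH
FILE_NEED = stat.S_IROTH


def blocking_components(path, mode_of=None):
    """Return [(component, mode)] for every element of `path` that a
    non-owner cannot traverse or read. An empty list means the path is
    world-reachable. `mode_of` maps a path to its st_mode; it defaults to
    os.stat so the function works on the live filesystem."""
    if mode_of is None:
        mode_of = lambda p: os.stat(p).st_mode
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("Connman provisioning files expect absolute paths")
    problems = []
    # p.parents lists the nearest directory first, so reverse it to walk
    # from "/" downwards, the order in which a lookup actually happens.
    for ancestor in reversed(p.parents):
        mode = mode_of(str(ancestor))
        if not mode & DIR_NEED:
            problems.append((str(ancestor), oct(stat.S_IMODE(mode))))
    mode = mode_of(str(p))
    if not mode & FILE_NEED:
        problems.append((str(p), oct(stat.S_IMODE(mode))))
    return problems


# Constructed mode table: a 700 home directory, as in the note above, with
# everything else at the usual defaults. Not read from any real machine.
CONSTRUCTED_MODES = {
    "/": 0o40755,
    "/home": 0o40755,
    "/home/andy": 0o40700,
    "/home/andy/.local": 0o40755,
    "/home/andy/.local/share": 0o40755,
    "/home/andy/.local/share/cmst": 0o40755,
    "/home/andy/.local/share/cmst/openvpn": 0o40755,
    "/home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80": 0o40755,
    "/home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/ca.crt": 0o100644,
}

if __name__ == "__main__":
    # Usage: python check_path.py /path/to/ca.crt   (checks the live system)
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else list(CONSTRUCTED_MODES)[-1]
    table = None if live else CONSTRUCTED_MODES.__getitem__
    for component, mode in blocking_components(target, table):
        print(f"{component}: mode {mode} blocks other users")
```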

Overview

Connman has a separate daemon to manage VPN connections. This daemon will monitor the directory /var/lib/connman-vpn for changes, additions or deletions of provisioning files. At startup and on every file change the daemon will create a standard Connman service from each provisioned VPN file. CMST now has the ability to create and edit these provisioning files and to connect and disconnect the generated services.

Connman also has an internal VPN Manager interface for creating connections, but the provisioning file method provides more flexibility and also appears to be better supported on the Connman side. Because of that, CMST does not use the internal VPN Manager interface.

The Provisioning Editor

The VPN provisioning editor is considered an "Advanced" feature, so to access it you must select the "Advanced Controls" checkbox in the Preferences tab. Once checked the button to access the editor will appear at the bottom of the dialog.

Note that /var/lib/connman-vpn is a directory owned by root, so to access it you must have privileges above those of a standard user. CMST has an internal root helper to allow editing in this directory, but to use it you must be a member of the proper group. The groups are "network" which is used in Arch Linux and is the default, and "netdev" in Slackware. Configuration files are provided for both distributions, but if your distribution requires a different group please open an issue on it and we'll add the files.

Since the root helper runs with elevated privileges it has been written with several limitations. It can only operate in /var/lib/connman-vpn and it can only open, save, edit and delete provisioning files ending in .cmst.config. This means that if you already have provisioning files in that directory you will not be able to edit them using CMST. Connman will find them and create services from them, and CMST will then be able to connect and disconnect those services from the user interface, but you won't be able to edit them using CMST.

The VPN provisioning editor is a simple text editor with a menu bar across the top. Each menu item will assist in creating a line in the provisioning file. Selecting an item from the menu will then open up some sort of dialog to prompt for information, and to the greatest extent possible each answer is validated to make sure that it is the right type. We recommend reading the Connman documentation for the layout and meaning of each item in the file if you want to delve into the weeds.

Creating a New Connection

The good news is you probably won't need to do much or anything with most of the menu items. There are some automated features (junior wizards) accessible from the menus which will walk you through most of the steps in provisioning a connection.

The first menu category, Global, helps with editing the Global section of the file. This section of the provisioning file is actually optional; the menu entries are provided in case someone wants to add the [global] provisioning section.

The remaining five items, OpenConnect, OpenVPN, VPNC, L2TP, PPTP, WireGuard, are used to provision the respective connection type. The topmost item in each menu, Provider, will start prompting for all of the mandatory fields required for that type of connection. You need to know the answers to them (we can't help with that), but once the prompts end all of the mandatory fields will be filled in. If you make a mistake entering data, the editor is just that, an editor, so it may be used to correct any input errors. It is likely that you will need to provide one or two additional lines, and the remainder of the menu entries under each heading should help with entering this information.

Mandatory Fields

The following fields are common across all connection types and you will be prompted for each. It would be best to have the answers in hand prior to starting.

Name - This one is easy, you need to provide some sort of name to identify the connection. What you put in this field is up to you.
Example: Connection to corporate network using Cisco VPN.

Host - This is the IP address of the VPN server. If it is not available from your provider you'll need to go hunting. If you have an .ovpn file it might appear in there as an entry, or run a "whois" search for the provider domain.
Example: 1.2.3.4

Domain - The domain name for the VPN service. This should be available from your provider. For commercial or advertising supported providers it is likely on their website.
Example: corporate.com

Networks - Networks behind the VPN link can be defined in this field. This field is optional and may be left blank, or you can hit Cancel in the dialog when it pops up. If there is more than one network, separate them with commas. The format of each entry is network/netmask/gateway, with the gateway being optional.
Examples: 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
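To show exactly what that format accepts, here is an added Python parser for the Networks value (example code, not CMST's own validator). It handles both a dotted netmask and a prefix length, the optional gateway, and IPv6 entries, and rejects malformed entries or a gateway whose IP version does not match its network.

```python
import ipaddress


def parse_networks(field):
    """Parse a Connman 'Networks =' value into a list of (ip_network, gateway)
    pairs; gateway is None when omitted. Raises ValueError for an entry that
    does not fit network/netmask[/gateway]."""
    parsed = []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:          # tolerate a blank field or "a,,b"
            continue
        parts = entry.split("/")
        if len(parts) not in (2, 3):
            raise ValueError(f"{entry!r}: expected network/netmask[/gateway]")
        # ipaddress accepts both a prefix length ("24") and a dotted netmask
        # ("255.255.255.0"). strict=False lets a host address such as
        # 192.168.99.1/24 stand in for its network, as the example above does.
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        gateway = None
        if len(parts) == 3 and parts[2]:
            gateway = ipaddress.ip_address(parts[2])
            if gateway.version != net.version:
                raise ValueError(f"{entry!r}: gateway and network differ in IP version")
        parsed.append((net, gateway))
    return parsed


def format_networks(parsed):
    """Inverse of parse_networks: rebuild the field using prefix lengths."""
    return ",".join(str(net) + (f"/{gw}" if gw else "") for net, gw in parsed)


def is_valid_networks(field):
    """True if parse_networks accepts `field`; handy for dialog validation."""
    try:
        parse_networks(field)
        return True
    except ValueError:
        return False


# The page's own example value, used here as the sample input.
EXAMPLE = "10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64"

if __name__ == "__main__":
    for net, gw in parse_networks(EXAMPLE):
        print(f"{net}  gateway: {gw if gw else '(none)'}")
```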

Two of the VPN connection types have additional mandatory fields that you will be prompted for when Provider is selected.

VPNC: IPSec ID - This is your group username.

OpenVPN: --ca - The location of the certificate authority file.

OpenVPN: --cert - The location of the local peer's signed certificate.

OpenVPN: --key - The location of the local peer's private key.

Example Files

The examples below are from working provisioning files. They are provisioning a provider known as VPNBook. This is a free provider which we used for testing purposes. We make no recommendation or endorsement of their product or service. If you do choose to use it make sure that you properly consider the possible security implications of putting your trust in a free service. Since it is a free service the passwords are changed frequently and it is likely that the passwords shown below are no longer current.

PPTP Connection

PPTP is known to be insecure, but is still widely used. There is a lot of information available on the internet describing why it is not secure and, if it is used, what its use should be limited to. If you plan to use PPTP please research some of these issues so that you have a proper understanding of the possible security holes.

Connman and CMST will manage the connection, but you still need the programs installed to actually make the connection. In Arch Linux you will need two packages: ppp and pptpclient. Other distributions will need the appropriate packages. Once the packages are installed Connman will manage and configure the connection based on the entries in the provisioning file.

[provider_pptp]
Name = VPNBook test connection using pptp
Type = PPTP
Host = 198.7.62.204
Domain = us1.vpnbook.com
PPTP.User = vpnbook
PPTP.Password = WU3rubre
PPPD.RequirMPPE = yes

In the example above the first five lines are generated from user responses when Provider PPTP is selected from the menu. The remaining three lines you would need to add individually, either by typing directly into the editor, or by using the menu selections.

CMST does register an agent with the daemon and this agent will pop up to ask you for missing information. For PPTP connections the PPTP.User and PPTP.Password fields are optional in the provisioning file and if not provided the agent will pop up and prompt you for these when you try to make a connection.

OpenVPN Connection

As mentioned above, Connman and CMST will only manage the connection, you still need the software needed to make the connection installed on your system. For Arch Linux this is the package: openvpn. Once that is installed, a provisioning file would look like this:

[provider_openvpn]
Type = OpenVPN
Name = VPNBook with OpenVPN
Host = 192.7.62.204
Domain = us1.vpnbook.com
OpenVPN.CACert = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/ca.crt
OpenVPN.Cert = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/client.crt
OpenVPN.Key = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/client.key
OpenVPN.ConfigFile = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/vpnbook-us1-tcp80.conf
OpenVPN.AuthUserPass = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/vpnbook-us1-tcp80.up

If you were using Provider OpenVPN from the menu the first eight lines would be filled in from your responses to the program prompts. The last two you would need to enter individually. The OpenVPN.ConfigFile points to a text file which contains additional OpenVPN settings. The last line points to a file containing the username and password (more on that below).
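For a hand-typed provisioning file, a quick check that the mandatory fields listed earlier are all present catches the usual omissions before Connman silently ignores the file. The script below is an added example, not CMST's own code; it reads the file with configparser and applies the rules from the Mandatory Fields section. VPNC.IPSec.ID is assumed to be Connman's key for the "IPSec ID" prompt (that key name is not shown on this page); the OpenVPN keys are the ones in the examples above.

```python
import configparser

# Connection types the CMST editor can provision.
KNOWN_TYPES = {"OpenConnect", "OpenVPN", "VPNC", "L2TP", "PPTP", "WireGuard"}
# Keys every provider section must carry (Networks is optional).
COMMON_KEYS = ("Name", "Host", "Domain")
# Type-specific mandatory keys. VPNC.IPSec.ID is an assumption (Connman's key
# for the "IPSec ID" prompt); the OpenVPN keys appear in the files above.
EXTRA_KEYS = {
    "VPNC": ("VPNC.IPSec.ID",),
    "OpenVPN": ("OpenVPN.CACert", "OpenVPN.Cert", "OpenVPN.Key"),
}


def check_provisioning(text):
    """Return a list of problems found in a provisioning file's text, [] if none."""
    cp = configparser.ConfigParser(interpolation=None)  # a '%' in a password stays literal
    cp.optionxform = str  # keep key case: Connman keys such as OpenVPN.CACert are case-sensitive
    cp.read_string(text)
    providers = [s for s in cp.sections() if s.startswith("provider_")]
    if not providers:
        return ["no [provider_*] section found"]
    problems = []
    for section in providers:
        keys = cp[section]
        vtype = keys.get("Type", "").strip()
        if vtype not in KNOWN_TYPES:
            problems.append(f"[{section}] unknown or missing Type {vtype!r}")
            continue
        for key in COMMON_KEYS + EXTRA_KEYS.get(vtype, ()):
            if not keys.get(key, "").strip():
                problems.append(f"[{section}] mandatory key {key} is missing or empty")
    return problems


# Constructed sample: an OpenVPN section typed by hand with two of the three
# certificate keys left out.
SAMPLE_INCOMPLETE = """\
[provider_openvpn]
Type = OpenVPN
Name = hand-typed test
Host = 198.7.62.204
Domain = us1.vpnbook.com
OpenVPN.CACert = /home/andy/.local/share/cmst/openvpn/example/ca.crt
"""

if __name__ == "__main__":
    for line in check_provisioning(SAMPLE_INCOMPLETE) or ["no problems found"]:
        print(line)
```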

Import an OpenVPN .ovpn File

The OpenVPN menu has one additional entry in the top section, Import Configuration. If you were provided with an OpenVPN .ovpn file and you wish to use it, select Import Configuration. These files are often available from commercial and advertising-supported providers. Having one greatly simplifies provisioning a service.

The .ovpn file will contain the keys, certificates, and other information necessary for making a connection. Much of that information can be entered using the Provisioning Editor, but having it provided in the .ovpn file removes the requirement for you to do it. The wizard will create a .conf file from the supplied .ovpn file and both will be copied and saved. The location of the .conf configuration file will be entered into the provisioning editor automatically.

With the import you will still be prompted for and must provide answers to the Name, Host, Domain and Network questions as described above, but when the import is complete you should have a provisioning file that works.

The Import feature will place the files in a directory inside ~/.local/share/cmst. See the note at the top of the page about permissions; you may need to adjust the permissions so that the path to these files is world readable.

An example of such a file created by the Import Configuration wizard is below.

[provider_openvpn]
Type = OpenVPN
Name = VPN Book_opvn
Host = 198.7.62.204
Domain = us1.vpnbook.com
Networks = 
OpenVPN.ConfigFile = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-udp53/vpnbook-us1-udp53.conf
OpenVPN.AuthUserPass = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-udp53/vpnbook-us1-udp53.up

Usernames and Passwords with OpenVPN

OpenVPN has an option to require entry of a username and password. The option is --auth-user-pass, and if it is present without pointing to a user:pass file OpenVPN reads the username and password from stdin. This is not supported by Connman or CMST; if a username and password are required they must be provided in a file. The Import Configuration function scans the OpenVPN .ovpn file for the --auth-user-pass option and, if it finds one, prompts you to remove it. The wizard will also prompt you to provide a username and password. If you choose to do so, the entries are saved in a file and the provisioning entry is automatically added to the editor; see the last line in the two examples above.