andrew-bibb edited this page Jan 24, 2016 · 31 revisions

Note: VPN support is currently only available in the master branch on GitHub. It has not yet been packaged into a release.

Overview

Connman has a separate daemon to manage VPN connections. This daemon will monitor the directory /var/lib/connman-vpn for changes, additions or deletions of provisioning files. At startup and on every file change the daemon will create a standard Connman service from each provisioned VPN file. CMST now has the ability to create and edit these provisioning files and to connect and disconnect the generated services.

Connman also has an internal VPN Manager interface to create connections, but the provisioning file method provides more flexibility and it also appears to be better supported on the Connman side. Because of that the internal VPN Manager interface is not used by CMST.

The Provisioning Editor

The VPN provisioning editor is considered an "Advanced" feature, so to access it you must select the "Advanced Controls" checkbox in the Preferences tab. Once checked the button to access the editor will appear at the bottom of the dialog.

Note that /var/lib/connman-vpn is a directory owned by root, so to access it you must have privileges above those of a standard user. CMST has an internal root helper to allow editing in this directory, but to use it you must be a member of the proper group. The groups are "network" which is used in Arch Linux and is the default, and "netdev" in Slackware. Configuration files are provided for both distributions, but if your distribution requires a different group please open an issue on it and we'll add the files.

The VPN provisioning editor is a simple text editor with a menu bar across the top. Each menu item will assist in creating a line in the provisioning file. Selecting an item from the menu will then open up some sort of dialog to prompt for information, and to the greatest extent possible each answer is validated to make sure that it is the right type. We recommend reading the Connman documentation for the layout and meaning of each item in the file if you want to delve into the weeds.

Creating a New Connection

The good news is you probably won't need to do much or anything with most of the menu items. There are some automated features (junior wizards) accessible from the menus which will walk you through most of the steps in provisioning a connection.

The first menu category, Global, helps with editing the Global section of the file. This section of the provisioning file is optional; the menu entries are provided in case someone wants to use them to add the [global] provisioning section.

The remaining five items, OpenConnect, OpenVPN, VPNC, L2TP and PPTP, are used to provision the respective connection type. The topmost item in each menu, Provider, will start prompting for all of the mandatory fields required for that type of connection. You need to know the answers to them (we can't help with that), but once the prompts end all of the mandatory fields will be filled in. If you make a mistake entering data, the editor is just that, an editor, so it may be used to correct any input errors. It is likely that you will need to provide one or two additional lines, and the remainder of the menu entries under each heading should help with entering this information.

Mandatory Fields

The following fields are common across all connection types and you will be prompted for each. It would be best to have the answers in hand prior to starting.

Name - This one is easy, you need to provide some sort of name to identify the connection. What you put in this field is up to you.
Example: Connection to corporate network using Cisco VPN.

Host - This is the IP address of the VPN server. If it is not available from your provider you'll need to go hunting. If you have an .ovpn file it might appear in there as an entry, or run a "whois" search for the provider domain.
Example: 1.2.3.4

Domain - The domain name for the VPN service. This should be available from your provider. For commercial or advertising-supported providers it is likely on their website.
Example: corporate.com

Networks - Networks behind the VPN link can be defined in this field. This is an optional field and may be left blank, or you can hit Cancel in the dialog when it pops up. If there is more than one network, separate them with commas. The format of each entry is network/netmask/gateway, with the gateway being optional.
Examples: 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
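Because the editor validates each answer, here is an added example (not CMST's own code) of how the Networks field format above can be checked and normalised in Python. The function names are assumptions; the parser accepts the dotted-netmask, prefix-length and IPv6 forms shown in the example, and the constructed inputs in the comments are taken from that example.

```python
import ipaddress

def parse_networks(field):
    """Parse a Networks value: comma-separated network/netmask[/gateway] entries.
    Returns a list of (ip_network, gateway-or-None); raises ValueError on bad input."""
    entries = []
    if not field.strip():
        return entries  # the field is optional and may be left blank
    for item in field.split(","):
        parts = item.strip().split("/")
        if len(parts) not in (2, 3):
            raise ValueError(f"expected network/netmask[/gateway], got {item.strip()!r}")
        # ipaddress accepts a prefix length or (for IPv4) a dotted netmask such as
        # 255.255.255.0; strict=False tolerates host bits, e.g. 192.168.99.1/24
        net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        gateway = None
        if len(parts) == 3:
            gateway = ipaddress.ip_address(parts[2])
            if gateway.version != net.version:
                raise ValueError(f"gateway {gateway} does not match network {net}")
        entries.append((net, gateway))
    return entries

def validate_networks(field):
    """Return None when the field is acceptable, otherwise the first problem found."""
    try:
        parse_networks(field)
    except ValueError as exc:
        return str(exc)
    return None

def networks_line(field):
    """Render a validated field as the provisioning file line, with each network
    normalised to prefix-length form (10.10.20.0/255.255.255.0 becomes 10.10.20.0/24)."""
    parts = []
    for net, gateway in parse_networks(field):
        parts.append(f"{net}/{gateway}" if gateway else str(net))
    return "Networks = " + ",".join(parts)
```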

Two of the VPN connection types have additional mandatory fields that you will be prompted for when Provider is selected.

VPNC: IPSec ID - This is your group username.

OpenVPN: --ca - The location of the certificate authority file.

OpenVPN: --cert - The location of the local peer's signed certificate.

OpenVPN: --key - The location of the local peer's private key.

Import an OpenVPN .ovpn File

The OpenVPN menu has one additional entry in the top section, Import Configuration. If you were provided with an OpenVPN .ovpn file and you wish to use it, select Import Configuration. These files are often available from commercial and advertising-supported providers. Having one greatly simplifies provisioning a service.

All the keys and certificates contained in the file will be extracted and saved, and the configuration options will also be extracted and saved. The locations of these new files will be entered into the provisioning editor automatically.

With the import you will still be prompted for, and must provide, answers to the Name, Host, Domain and Networks questions as described above, but when the import is complete you should have a provisioning file that works.

Example Files

The examples below are from working provisioning files. They are provisioning a provider known as VPNBook. This is a free provider which we used for testing purposes. We make no recommendation or endorsement of their product or service. If you do choose to use it make sure that you properly consider the possible security implications of it being a free service with a server located in northern Virginia. Since it is a free service the passwords are changed frequently and it is likely that the passwords shown below are no longer current.

PPTP Connection

PPTP is known to be insecure, but it is still widely used. There is a lot of information available on the internet describing why it is not secure and, if it is used at all, what it should be limited to. If you plan to use PPTP please research some of these issues so that you have a proper understanding of the possible security holes.

Connman and CMST will manage the connection, but you still need the programs installed to actually make the connection. In Arch Linux you will need two packages: ppp and pptpclient. Other distributions will need the appropriate packages. Once the packages are installed Connman will manage and configure the connection based on the entries in the provisioning file.

[provider_pptp]
Name = VPNBook test connection using pptp
Type = PPTP
Host = 198.7.62.204
Domain = us1.vpnbook.com
PPTP.User = vpnbook
PPTP.Password = WU3rubre
PPPD.RequirMPPE = yes

In the example above the first five lines are generated from user responses when Provider PPTP is selected from the menu. The remaining three lines you would need to add individually, either by typing directly into the editor, or by using the menu selections.

OpenVPN Connection

As mentioned above, Connman and CMST will only manage the connection; you still need the software that actually makes the connection installed on your system. For Arch Linux this is the package openvpn. Once that is installed, a provisioning file would look like this:

[provider_openvpn]
Type = OpenVPN
Name = VPNBook with OpenVPN
Host = 192.7.62.204
Domain = us1.vpnbook.com
OpenVPN.CACert = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/ca.crt
OpenVPN.Cert = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/client.crt
OpenVPN.Key = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/client.key
OpenVPN.ConfigFile = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/vpnbook-us1-tcp80.conf
OpenVPN.AuthUserPass = /home/andy/.local/share/cmst/openvpn/vpnbook-us1-tcp80/vpnbook-us1-tcp80.up

If you were using Provider OpenVPN from the menu the first eight lines would be filled in from your responses to the program prompts. The last two you would need to enter individually. The OpenVPN.ConfigFile points to a text file which contains additional OpenVPN settings. The last line points to a file containing the username and password.

The configuration above was actually created using the Import Configuration menu entry, so only the first four prompts needed to be answered directly; the remainder were generated automatically or in response to a yes/no question.

OpenVPN has an option to require entry of a username and password. The option is --auth-user-pass, and if it is present without pointing to a user:pass file OpenVPN requires the username and password to be entered on stdin. This is not supported by either Connman or CMST. If a username and password are required they must be provided in a file. The Import Configuration function will scan the OpenVPN .ovpn file looking for the --auth-user-pass option, and if found will prompt you to remove it. The program will also prompt you to provide a username and password. If you choose to do so the entries will be saved in a file and the provisioning entry will automatically be added to the editor; see the last line of the example above.
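As an added illustration of the import step described above (not CMST's own code), the following Python takes a constructed .ovpn, writes its inline <ca>/<cert>/<key> blocks out to owner-only files, replaces a bare auth-user-pass directive with a username/password file, and returns the OpenVPN.* provisioning entries that point at them. The sample file, the output file names (ca.pem, auth.up, client.conf) and the function are assumptions; a directive that already names a file is left in the config untouched.

```python
import os
import re
import tempfile
# Constructed sample .ovpn (not a real provider file): an inline <ca> block plus a bare auth-user-pass
SAMPLE_OVPN = """\
client
remote vpn.example.test 80
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
placeholder-certificate-body
-----END CERTIFICATE-----
</ca>
"""
INLINE_KEYS = {"ca": "OpenVPN.CACert", "cert": "OpenVPN.Cert", "key": "OpenVPN.Key"}
def import_ovpn(text, credentials=None, outdir=None):
    """Split an .ovpn into files a provisioning entry can point at; returns {provisioning key: path}.
    credentials is an optional (username, password) pair; outdir defaults to a fresh temp dir."""
    outdir = outdir or tempfile.mkdtemp()
    entries, remaining = {}, []
    lines = iter(text.splitlines())
    for line in lines:
        tag = re.fullmatch(r"<(ca|cert|key)>", line.strip())
        if tag:  # inline PEM block: copy it out to its own file, readable by the owner only
            path = os.path.join(outdir, tag.group(1) + ".pem")
            with open(path, "w") as fh:
                for inner in lines:  # consumes the iterator up to the closing tag
                    if inner.strip() == "</" + tag.group(1) + ">":
                        break
                    fh.write(inner + "\n")
            os.chmod(path, 0o600)
            entries[INLINE_KEYS[tag.group(1)]] = path
        elif line.split() == ["auth-user-pass"]:
            # no file argument: OpenVPN would read stdin, which neither Connman nor CMST can
            # serve, so the directive is dropped and OpenVPN.AuthUserPass (below) replaces it
            if credentials is None:
                raise ValueError("auth-user-pass without a file needs credentials to be supplied")
        else:
            remaining.append(line)
    if credentials is not None:
        up = os.path.join(outdir, "auth.up")
        with open(up, "w") as fh:  # OpenVPN's file format: username line, then password line
            fh.write(credentials[0] + "\n" + credentials[1] + "\n")
        os.chmod(up, 0o600)
        entries["OpenVPN.AuthUserPass"] = up
    conf = os.path.join(outdir, "client.conf")
    with open(conf, "w") as fh:
        fh.write("\n".join(remaining) + "\n")
    entries["OpenVPN.ConfigFile"] = conf
    return entries
```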
