NetworkManager vpn eats the CPU

Richard Pickett Richard.Pickett at CSRTechnologies.com
Wed Sep 27 18:37:22 UTC 2006


> I unfortunately can't answer your question, but maybe you can answer
> mine: how do you use the openvpn support in NetworkManager?  I've
> installed NetworkManager-openvpn, but I don't know what to do next.
> Additionally, I only want my openvpn connection to start when I plug my
> wireless card in.

OK, I had to play with this for a little bit to get it to work.

To get the packages `yum install NetworkManager-openvpn`

You have to run your own openvpn server (or my company can sell you access
to their publicly-placed openvpn server, they do this as a service for a
number of clients).

For your vpn server you have to go through the easy-rsa steps and setup
you're your certs. ****** make sure for the server cert you use
build-key-server ******* Whoever first built our keys used the normal
build-key for the server key and NetworkManager's call to openvpn specified
--ns-cert-type server and wouldn't connect to our server until I rebuilt a
new key and restarted the server with it.

The server config looks like this:

<server.conf>
ifconfig-noexec
up /home/openvpn/wireless/vpn-server.up
ifconfig 10.254.252.1 255.255.255.0
port 1194
proto udp
dev tap0
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/india1.crt
key easy-rsa/keys/india1.key  # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.254.252.1 255.255.255.0 10.254.252.2 10.254.252.254
client-config-dir ccd
push "redirect-gateway"
push "dhcp-option DOMAIN csrtechnologies.com"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /home/openvpn/wireless/openvpn.status
log-append /home/openvpn/wireless/openvpn.log
verb 3
</server.conf>

india1.* are the cert files generated by the build-key-server script.

Then use build-key for your client certs, copy them over to your client box
and setup NetworkManager like so:

Gateway: IP/dns of your openvpn server
X.509
CA: ca.crt from easy-rsa
Cert: .crt generated by easy-rsa for your PC
Key: .key generated by easy-rsa for your PC
Optional Info: 

Check LZO (if you have comp-lzo on the server side)
Check TAP (if you have tap device on server side)

This config connects up to my server just fine. Additionally you can explore
using tls, use a tcp connection instead of udp (udp transports faster) and
use a cipher.

I've posted to you everything I have done to get it to work. Let me know if
you have any problems.

> (BTW, I didn't know this existed until your post...thanks!)

Isn't that cool? I solved my own problem and my problem introduced you to a
new feature.





More information about the fedora-list mailing list