andrew-bibb edited this page Jan 24, 2016 · 31 revisions

Note: VPN support is currently only available in the master branch on GitHub. It has not yet been packaged into a release

Overview

Connman has a separate daemon to manage VPN connections. This daemon will monitor the directory /var/lib/connman-vpn for changes, additions or deletions of provisioning files. At startup and on every file change the daemon will create a standard Connman service from each provisioned VPN file. CMST now has the ability to create and edit these provisioning files and to connect and disconnect the generated services.

Connman also has an internal VPN Manager interface to create connections, but the provisioning file method provides more flexibility and also appears to be better supported on the Connman side. For that reason the internal VPN Manager interface is not used by CMST.

The Provisioning Editor

The VPN provisioning editor is considered an "Advanced" feature, so to access it you must select the "Advanced Controls" checkbox in the Preferences tab. Once checked the button to access the editor will appear at the bottom of the dialog.

Note that /var/lib/connman-vpn is a directory owned by root, so to access it you must have privileges above those of a standard user. CMST has an internal root helper to allow editing in this directory, but to use it you must be a member of the proper group. The groups are "network" which is used in Arch Linux and is the default, and "netdev" in Slackware. Configuration files are provided for both distributions, but if your distribution requires a different group please open an issue on it and we'll add the files.

The VPN provisioning editor is a simple text editor with a menu bar across the top. Each menu item will assist in creating a line in the provisioning file. Selecting an item from the menu will then open up some sort of dialog to prompt for information, and to the greatest extent possible each answer is validated to make sure that it is the right type. We recommend reading the Connman documentation for the layout and meaning of each item in the file if you want to get really into it.

Creating a New Connection

The good news is you probably won't need to do much, if anything, with most of the menu items. There are some automated features built in which will walk you through most of the steps in provisioning a connection.

The first menu category, Global, helps with editing the Global section of the file. This section is actually optional, but the menu is provided for anyone who wants to include it.

The remaining five items, OpenConnect, OpenVPN, VPNC, L2TP, PPTP, are used to provision the respective connection type. The topmost item in each menu, Provider, will start prompting for all of the mandatory fields required for that type of connection. You need to know the answers yourself, we can't help with that, but once the prompts end all of the mandatory fields will be filled in. If you make a mistake entering data, the editor is just that, an editor, so it may be used to correct any input errors. It is likely that you will need to provide one or two additional lines, and the remainder of the menu entries under each heading should help with entering this information.

Mandatory Fields

The following fields are common across all connection types. It would be best to have the answers in hand prior to starting.

Name - This one is easy, you need to provide some sort of name to identify the connection. What you put in this field is up to you.
Example: Connection to corporate network using Cisco VPN.

Host - This is the IP address of the VPN server. If it is not available from your provider you'll need to go hunting. If you have an .ovpn file it might appear in there as an entry, or run a "whois" search for the provider domain.
Example: 1.2.3.4

Domain - The domain name for the VPN service. This should be available from your provider. For commercial or advertising-supported providers it is likely on their website.
Example: corporate.com

Networks - Networks behind the VPN link can be defined in this field. This is an optional field and may be left blank, or you can hit cancel in the dialog when it pops up. If there is more than one network, separate them with commas. The format of each entry is network/netmask/gateway, with the gateway being optional.
Examples: 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64

Two of the connection types have additional mandatory fields that will be prompted for when Provider is selected.

VPNC: IPSec ID - This is your group username.

OpenVPN: --ca - The location of the certificate authority file.

OpenVPN: --cert - The location of the local peer's signed certificate.

OpenVPN: --key - The location of the local peer's private key.
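As an added example (not CMST's or Connman's own code), the checks below read a constructed provisioning file and validate the mandatory fields described above, including the network/netmask/gateway format of the Networks entries. The [provider_*] section name and the provider-specific key names (OpenVPN.CACert, OpenVPN.Cert, OpenVPN.Key, VPNC.IPSec.ID) are assumed from Connman's vpn-config documentation; they do not appear on this page.

```python
import configparser
import ipaddress
# Mandatory fields from the wiki; provider-specific key names are assumed
# from connman's vpn-config documentation (they are not shown on this page).
COMMON_MANDATORY = ("Type", "Name", "Host", "Domain")
EXTRA_MANDATORY = {
    "OpenVPN": ("OpenVPN.CACert", "OpenVPN.Cert", "OpenVPN.Key"),
    "VPNC": ("VPNC.IPSec.ID",),
}

def parse_network(entry):
    """Parse one network/netmask[/gateway] entry; ValueError if malformed."""
    parts = entry.strip().split("/")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected network/netmask[/gateway]: {entry!r}")
    # ipaddress takes a prefix length or a dotted netmask; strict=False
    # tolerates host bits being set, as in the wiki's 192.168.99.1/24.
    net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    gw = ipaddress.ip_address(parts[2]) if len(parts) == 3 else None
    if gw is not None and gw.version != net.version:
        raise ValueError(f"gateway family mismatch: {entry!r}")
    return net, gw

def check_provisioning(text):
    """Return a list of problems; an empty list means the file looks OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: OpenVPN.CACert, not openvpn.cacert
    cp.read_string(text)
    problems = []
    for sec in (s for s in cp.sections() if s.startswith("provider_")):
        keys = cp[sec]
        needed = COMMON_MANDATORY + EXTRA_MANDATORY.get(keys.get("Type", ""), ())
        problems += [f"{sec}: missing {k}" for k in needed if not keys.get(k)]
        for entry in filter(None, keys.get("Networks", "").split(",")):
            try:
                parse_network(entry)
            except ValueError as e:
                problems.append(f"{sec}: bad Networks entry ({e})")
    return problems

# Constructed sample mirroring the wiki's example values (not a real provider).
SAMPLE = """\
[provider_corp]
Type = OpenVPN
Name = Connection to corporate network
Host = 1.2.3.4
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenVPN.CACert = /var/lib/connman-vpn/corp-ca.crt
OpenVPN.Cert = /var/lib/connman-vpn/corp-client.crt
OpenVPN.Key = /var/lib/connman-vpn/corp-client.key
"""
```

Running check_provisioning(SAMPLE) returns an empty list; dropping one of the OpenVPN keys or mixing an IPv6 gateway with an IPv4 network produces a matching problem entry.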

Import OpenVPN .ovpn File

The OpenVPN menu has one additional entry in the top section, Import Configuration. If you were provided with an OpenVPN .ovpn file and you wish to use it, select Import Configuration. All the keys and certificates contained in the file will be extracted and saved, and the configuration options will also be extracted and saved. The locations of these new files will be entered into the provisioning editor automatically.

With the import you will still be prompted for and must provide answers to the Name, Host, Domain and Networks questions as described above, but when the import is complete you should have a provisioning file that works.
