Managing OpenVPN with Network Manager

OpenVPN management via Network Manager

I just switched back from Mac OS X to Ubuntu for work, mostly for financial reasons: we need more computers at work, and a really good PC laptop costs half as much as a MacBook Pro or iMac. Today I wanted to connect from home to the University's VPN network and had a look at the instructions provided by the university.

As usual, documentation was virtually absent, and what was available was wrong and exclusively in Finnish (http://www.helsinki.fi/helpdesk/ohjeet/tietoliikenne_ja_etakaytto/yhteyd...). From the screenshot (Hardy Heron) it is clear that this page has not been updated for at least about 6 years (Hardy Heron was released at the beginning of 2008).

So what do you do if you downloaded and extracted the hy-vpn-config.tar.gz file from https://ohjelmistojakelu.helsinki.fi?

First you need to install a plugin for the Network Manager: sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome. Then you go to the Network Manager via the icon in the menu bar at the top right of your desktop. Below all the available wireless networks there is an entry "VPN Connections". Follow "VPN Connections" -> "Configure VPN" -> "Add" -> "Import a saved VPN configuration" -> "Create". Then select the "openvpn.conf" from the downloaded and extracted files. After that, fill in the rest of the dialog box: User name, Password. For the CA Certificate, select the "HY-vpn-CA.pem" file from the downloaded files (you should first have copied it somewhere safe where it will stay, e.g. "/etc/openvpn", because Network Manager keeps pointing at that path).

One problem that people are complaining about is that the import does not honor the "redirect-gateway def1" directive, and as a consequence you won't be able to connect anywhere (I guess this is because Network Manager uses dnsmasq, and dnsmasq is apparently not smart enough to realize that it should now send the queries somewhere else). That's why people complain that Network Manager doesn't work for routing all traffic via the VPN. The box that you need to uncheck for this to work is well hidden: it's in the connection editor dialog under the IPv4 Settings tab -> Routes (at the bottom right) -> "Use this connection only for resources on its network". Why on earth do they have to give it a name whose meaning nobody understands? Why not call it "Do not route all traffic through this VPN connection"? I also had to check the box that said "Ignore automatically obtained routes", although I don't know why...

As usual, setting up OpenVPN sucks, and the important NAT (masquerading) rule that lets the VPN clients' traffic leave through the server's interface had to be added manually on the OpenVPN server:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
I did it by making an additional file called openvpn2 in the /etc/network/if-up.d/ directory with the following content:
#!/bin/sh
# if-up.d scripts run for every interface, so only append the rule if it is not there yet
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null ||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
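Two quick sanity checks for the two pitfalls above (the hidden routes checkbox on the client, and the manually added NAT rule on the server), as an added example that is not from the original post. It assumes the tunnel interface is called tun0 and the VPN subnet and interface are the ones from the post's iptables rule; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: two sanity checks for the setup
# above. Both read command output from stdin, so they run on the constructed
# samples at the bottom as well as on a live machine.

# Client side: does the VPN really carry all traffic? "redirect-gateway def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; NetworkManager may instead
# install a plain default route via it. Either counts as "all traffic".
# Usage: ip route | vpn_carries_default tun0    (tun0 is an assumption)
vpn_carries_default() {
    dev="${1:-tun0}"; lo=0; hi=0; def=0
    while read -r dst rest; do
        case " $rest " in *" dev $dev "*) ;; *) continue ;; esac
        case "$dst" in
            default) def=1 ;;
            0.0.0.0/1) lo=1 ;;
            128.0.0.0/1) hi=1 ;;
        esac
    done
    [ "$def" -eq 1 ] || { [ "$lo" -eq 1 ] && [ "$hi" -eq 1 ]; }
}

# Server side: how often is the post's MASQUERADE rule in the nat table? An
# if-up.d script runs on every interface event, so without an "iptables -C"
# guard the rule is appended again each time. 1 is what you want.
# Usage: iptables -t nat -S POSTROUTING | masquerade_rule_count
masquerade_rule_count() {
    grep -c -x -F -- '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE' || true
}

# Constructed "ip route" output: VPN up and the "only for resources on its
# network" box unchecked, so the def1 split routes point at tun0.
ROUTES_FULL='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10 metric 600'

# Constructed "ip route" output with the box still checked: only the VPN
# subnet is routed through tun0, everything else still leaves via wlan0.
ROUTES_SPLIT='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 via 10.8.0.5 dev tun0 metric 50
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10 metric 600'

# Constructed "iptables -t nat -S POSTROUTING" output after three if-up events.
NAT_DUP='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
```

On a live client, `ip route | vpn_carries_default tun0 && echo "all traffic via VPN"` tells you whether the checkbox setting actually took effect after reconnecting.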

Of course you can still start and stop the VPN via the command line. However, since the switch to systemd, entering the password is not straightforward: when you execute sudo systemctl start openvpn.service you need to run (e.g. in another terminal) sudo systemd-tty-ask-password-agent and enter your password there. That's clearly a kludge until they get a decent password agent...