debcrafters-packages team mailing list archive

Thread
Date

[Bug 2116000] Re: network-manager-openvpn fails to reapply routes after reconnect due to DBus permission denial

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Enverest <2116000@xxxxxxxxxxxxxxxxxx>
Date: Sat, 05 Jul 2025 08:25:45 -0000
Reply-to: Bug 2116000 <2116000@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

** Description changed:

Actual result:
When VPN client tries to reconnect it fails.

Expected result:
When VPN client tries to reconnect it should reconnect sucessfully.

Steps to Reproduce:
- 1. Use GNOME’s NetworkManager GUI to import a .ovpn file.
+ 1. Use GNOME’s NetworkManager GUI to import a .ovpn file.
(Zaborona VPN in my case. https://zaborona.help/openvpn-client-config/srv0.zaborona-help-TCP_maxroutes.ovpn).
- 2. Connect to the VPN.
- 3. Verify that routes are present. ("ip route show dev tun0")
- 4. Wait wait wait for a reconnect. (I use this command to notice changes 'journalctl --follow --no-tail --since "1 hour ago"')
- 5. Verify that routes are NOT present. ("ip route show dev tun0")
+ 2. In VPN's connection settings (Settings => Network => VPN) "IPv4" tab enable "Use this connection only for resources on its network".
+ 3. Connect to the VPN.
+ 4. Verify that routes are present. ("ip route show dev tun0")
+ 5. Wait wait wait for a reconnect. (I use this command to notice changes 'journalctl --follow --no-tail --since "1 hour ago"')
+ 6. Verify that routes are NOT present. ("ip route show dev tun0")

I have Ubuntu 25.04.
Clean Ubuntu 25.04 install in GNOME Boxes reproduces the issue.
apt-cache policy network-manager-openvpn => 1.12.0-2
-

ChatGPT suggestion below:
🧩 Root Cause: DBus Policy Rejection on Reconnect

At the heart of it is this:

- The nm-openvpn-service-openvpn-helper process (running as nm-
+ The nm-openvpn-service-openvpn-helper process (running as nm-
openvpn) tries to call privileged DBus methods like SetConfig and
SetIp4Config, but gets rejected.

This breaks route injection and IP configuration on reconnect.
🧠 Why It Works on First Connect but Not Reconnect

- Initial connect: NetworkManager launches OpenVPN itself and has full
+ Initial connect: NetworkManager launches OpenVPN itself and has full
DBus access. Everything works.

- Reconnect (after ping-restart): OpenVPN restarts internally and
+ Reconnect (after ping-restart): OpenVPN restarts internally and
invokes the helper, which runs as a sandboxed user (nm-openvpn). That
user lacks DBus permissions to reconfigure the VPN plugin.

--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager-openvpn in
Ubuntu.
https://bugs.launchpad.net/bugs/2116000

Title:
network-manager-openvpn fails to reapply routes after reconnect due to
DBus permission denial

Status in network-manager-openvpn package in Ubuntu:
New

Bug description:
Actual result:
When VPN client tries to reconnect it fails.

Expected result:
When VPN client tries to reconnect it should reconnect sucessfully.

Steps to Reproduce:
1. Use GNOME’s NetworkManager GUI to import a .ovpn file.
(Zaborona VPN in my case. https://zaborona.help/openvpn-client-config/srv0.zaborona-help-TCP_maxroutes.ovpn).
2. In VPN's connection settings (Settings => Network => VPN) "IPv4" tab enable "Use this connection only for resources on its network".
3. Connect to the VPN.
4. Verify that routes are present. ("ip route show dev tun0")
5. Wait wait wait for a reconnect. (I use this command to notice changes 'journalctl --follow --no-tail --since "1 hour ago"')
6. Verify that routes are NOT present. ("ip route show dev tun0")

I have Ubuntu 25.04.
Clean Ubuntu 25.04 install in GNOME Boxes reproduces the issue.
apt-cache policy network-manager-openvpn => 1.12.0-2

ChatGPT suggestion below:
🧩 Root Cause: DBus Policy Rejection on Reconnect

At the heart of it is this:

The nm-openvpn-service-openvpn-helper process (running as nm-
openvpn) tries to call privileged DBus methods like SetConfig and
SetIp4Config, but gets rejected.

This breaks route injection and IP configuration on reconnect.
🧠 Why It Works on First Connect but Not Reconnect

Initial connect: NetworkManager launches OpenVPN itself and has
full DBus access. Everything works.

Reconnect (after ping-restart): OpenVPN restarts internally and
invokes the helper, which runs as a sandboxed user (nm-openvpn). That
user lacks DBus permissions to reconfigure the VPN plugin.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2116000/+subscriptions

References

[Bug 2116000] [NEW] network-manager-openvpn fails to reapply routes after reconnect due to DBus permission denial
From: Enverest, 2025-07-04