Have fun setting up OpenVPN tray icon, sucker
-
Let the Linux Hate Month continue!
[Imaginary noob friend who just moved to linux]: Mister, mister, I just installed Debian XFCE and need to connect to multiple openvpn networks my company hosts. How do I get the little widget I had on my Mac and Windows that allows me to do that?
[Wise cartman, linux master in making]: That's easy, my unenlightened simpleton friend. All you need to do is...
- Try the official network manager widget
- It doesn't work
- <google, google>
- It works, but only allows one connection at a time
- <google, google>
- There's no way to fix that
- Google for a "xfce openvpn client multiple connections"
- Realize gopenvpn is the only solution
- Realize it was last updated 3 years ago and there is no suitable binary distribution (luckily it wasn't hosted on google code!)
- Sigh. Well, there are build instructions on the page, so *shrugs*
$ sudo apt-get install libglib2.0-dev libgtk2.0-dev libglade2-dev libgnome-keyring-dev gedit polkit
E: Unable to locate package polkit
- <google, google,
apt-get
tab tab tab>
$ sudo apt-get install libpolkit-agent-1-dev
- Hopefully, the rest of instructions will be easier
$ cd ~/install $ git clone git://gopenvpn.git.sourceforge.net/gitroot/gopenvpn/gopenvpn.git $ cd gopenvpn $ ./autogen.sh bash: ./autogen.sh: No such file or directory
- Okaay... <google, google,
cat INSTALL
,cat README
>
- Build it
$ cd gopenvpn
> $ autoreconf -vi
$ ./configure
$ make- So... they changed the install instructions in the repo. Nice of them to keep the outdated instructions around on their site.
$ autoreconf -vi autoreconf: Entering directory `.' autoreconf: running: autopoint autoreconf: running: aclocal -I m4 autoreconf: configure.ac: tracing autoreconf: configure.ac: not using Libtool autoreconf: running: /usr/bin/autoconf autoreconf: running: /usr/bin/autoheader autoreconf: running: automake --add-missing --copy --no-force automake: warnings are treated as errors configure.ac:25: warning: The 'AM_PROG_MKDIR_P' macro is deprecated, and its use is discouraged. configure.ac:25: You should use the Autoconf-provided 'AC_PROG_MKDIR_P' macro instead, configure.ac:25: and use '$(MKDIR_P)' instead of '$(mkdir_p)'in your Makefile.am files. autoreconf: automake failed with exit status: 1
- So, they treat some warnings as errors? Very useful to leave that for ordinary people who just want to use your stuff and don't care about your development environment.
- <google, google>
- Read wrong forum post and try the fix for outdated version
- Try all combinations of
-W none
-Wnone
- Try
ERRORS=none ./autoreconf -vi
- Try
automake --add-missing --copy --no-force -Wnone
- <google, google>
- Learn more about C programming, make, automake and other crap you vaguely remember and don't care about
subl configure.ac
... AC_PREREQ([2.59]) AC_INIT([gopenvpn], [0.7], [gopenvpn-users@lists.sourceforge.net]) AC_CONFIG_AUX_DIR([.]) AM_INIT_AUTOMAKE([foreign -Wall -Werror]) AM_GNU_GETTEXT_VERSION([0.18.1]) AM_GNU_GETTEXT([external]) ...
- Change
AM_INIT_AUTOMAKE([foreign -Wall -Werror])
toAM_INIT_AUTOMAKE([foreign -Wnone])
$ autoreconf -vi $ ./configure $ make $ sudo make install
- YES! Now just to finish things up...
- Copy openvpn config files to
/etc/openvpn
- Fix permissions
- Hmm, ok, so how do I create an application launcher within my other applications, so it's visible to the entire system?
- <google, google>
$ sudo exo-desktop-item-edit -c -t Application /usr/share/applications/gopenvpn.desktop
- Easy, now I can start the app. And IT WORKS....
- Let me just right click and add my openvpn conf...
-
WTF? Right click off. Right click again.
-
Ok, seems to be working. Now to connect...
- WTF? Couldn't they have equalized these godawful ugly images? I can't live with this wiggly shit, it'll drive me insane
- <google, google>
- Look, on their site they say they have fixed images! ... Oh. These are the same crap.
- <google, google ... searh through forum archives>
- Download archive from an obscure forum post with alternate images
- Figure out where to copy them
- Edit one of the icons so it fits your theme
- Success! Well sort of. That yellow is ugly. But whatever.
And that's how you install openvpn tray icon to your Debian XFCE linux.
-
It works, but only allows one connection at a time
Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?
-
Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?
Have no idea. This post is actually a synthesis of a long process of getting this shit to work on multiple iterations of my Debian XFCE. Network manager was an attempt from my last Debian (7.0), I didn't even try it this time around (and I was just setting it up on my new Debian, thus the inspiration for this rant).
All I remember is that when you click the second VPN connection, it disconnects the first. Sometimes that's what you want (networks overlap and all), but if your company has multiple networks that are set up so not to interfere with each other, you're out of luck.
-
onyx@jarvis:~$ nmcli connection up conn1 VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9) onyx@jarvis:~$ sudo ifconfig ppp0 ppp0 Link encap:Point-to-Point Protocol inet addr:192.168.0.37 P-t-P:192.168.0.33 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1 RX packets:13 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:494 (494.0 B) TX bytes:98 (98.0 B) onyx@jarvis:~$ nmcli connection up conn2 Error: Connection activation failed: Creating object for path '/org/freedesktop/NetworkManager/ActiveConnection/11' failed in libnm-glib. onyx@jarvis:~$ sudo ifconfig ppp0 ppp0: error fetching interface information: Device not found
Well sunnova bitch!
-
Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.
-
Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.
I saw network configuration on Arch... I think they already did, at least partially.
-
Those guys will end'up rewritting the kernel or replacing it with Hurd.
-
Huh. I never even tried multiple ones, didn't need them... Is that a problem with the tray applet of NetworkManager itself?
Oh hey look! The Linux answer, "you don't need that!"
Where's that linux trademarks or whatever site, is that still up? Looks like no, damn.
Well, we only need to wait until some of the guys behind System.d needs this and they'll rewrite the whole thing.
They could hardly make it worse.
-
Oh hey look! The Linux answer, "you don't need that!"
I would like to inform your shoulder aliens that they have misread and misinterpreted my post. I have only stated that I never needed that, not that other people don't. I accept and appreciate that other people are different to me and have different needs, outlooks and desires. I did not claim they should all bow down to my will and STFU.
Further, I have conducted a test right after that which concluded that yes, it's a limitation. To which my response was:
Well sunnova bitch!
Is that phrase now used to express approval? I need to know, English is my second language and I do tend to misuse it at times. Any corrections to my use of that phrase are welcome.
-
Onyx: "Let me just quietly say something not totally negative about Linux and be on my w-"
Blakey: "WHAT WAS THAT!?"
-
Pfft. His own fault for thinking I'd read further than the first sentence, or that I'd somehow know what this gibberish means:
onyx@jarvis:~$ nmcli connection up conn1
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/9)
onyx@jarvis:~$ sudo ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.0.37 P-t-P:192.168.0.33 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:494 (494.0 B) TX bytes:98 (98.0 B)onyx@jarvis:~$ nmcli connection up conn2
Error: Connection activation failed: Creating object for path '/org/freedesktop/NetworkManager/ActiveConnection/11' failed in libnm-glib.
onyx@jarvis:~$ sudo ifconfig ppp0
ppp0: error fetching interface information: Device not foundCongratulations, look at all those word-like entities that presumably have some meaning to somebody somewhere I guess!
-
and need to connect to multiple openvpn networks my company hosts.
Like @Onyx, I've never had to do anything like this. In fact, my company's VPN (NB: not openvpn) expressly disallows this sort thing. They want you connected to them and them only, which makes a lot of sense to me from a network security POV.
So...when you're connected to multiple things like this:
- Why are you doing this? This sort of thing makes sense to me for, say, something sitting on the DMZ. But that doesn't sound like what's going on here.
- How does it work to access something via one VPN vs another?
-
See and now Boomzilla's just doing it on purpose.
-
See and now Boomzilla's just doing it on purpose.
Eh, what am I doing? If I wanted to troll you, I'd go to some place you were talking about your games and make faux ignorant comments like the stuff you've posted here. There was zero trolling content in my first post.
BRB, my Win7 machine just BSODed.
-
So...when you're connected to multiple things like this:
Why are you doing this? This sort of thing makes sense to me for, say, something sitting on the DMZ. But that doesn't sound like what's going on here.
How does it work to access something via one VPN vs another?We have a VPN inside office. Remote server has its own VPN. Other company we are cooperating with has their own.
Each VPN just grabs a bunch of local IP-s and map them to a remote network.
In my case, one VPN is on 10.10.10.* subnet, the other on 192.168.10.* or something. So they are guaranteed not to overlap.
-
His own fault for thinking I'd read further than the first sentence
I'm sorry, I erringly assumed I can hold you to your own standards.
or that I'd somehow know what this gibberish means
No, I expected anyone interested in genuine discussion who does not understand what that means to ask about it.
Congratulations, look at all those word-like entities that presumably have some meaning to somebody somewhere I guess!
I count at least 4 people, unless they hit like on my post just because I'm that charming.
-
I count at least 4 people, unless they hit like on my post just because I'm that charming.
WELLKNOWNFACT: only bots Like posts. You've been LIED TO.
-
How does it work to access something via one VPN vs another?
Via IP ranges. For example:
192.168.0.0/20 -> VPN 1
192.168.16.0/20 -> VPN 2
192.168.32.0/20 -> VPN 3
Anything else -> Default connectionConcrete example, my home laptop VPN'd to work:
[root@sofa ~]# ip route default via 192.168.0.1 dev wlan0 10.0.0.0/16 dev tun0 scope link 10.1.0.0/16 dev tun0 scope link 10.5.0.0/16 dev tun0 scope link 10.10.0.0/16 dev tun0 scope link 10.18.0.0/16 dev tun0 scope link 10.22.0.0/16 dev tun0 scope link 10.36.0.0/16 dev tun0 scope link 10.58.0.0/16 dev tun0 scope link 10.59.0.0/16 dev tun0 scope link 10.100.0.0/16 dev tun0 scope link 10.120.0.0/16 dev tun0 scope link 10.121.0.0/16 dev tun0 scope link 10.122.0.0/16 dev tun0 scope link 10.125.0.0/16 dev tun0 scope link 10.126.0.0/16 dev tun0 scope link 10.161.0.0/24 dev tun0 scope link 10.238.0.0/16 dev tun0 scope link 10.255.0.0/16 dev tun0 scope link <public office IP address> via 192.168.0.1 dev wlan0 src 192.168.0.3 145.15.244.0/25 dev tun0 scope link 169.254.0.0/16 dev wlan0 scope link metric 1003 172.16.0.0/16 dev tun0 scope link 172.23.0.0/16 dev tun0 scope link 172.23.5.0/24 dev tun0 scope link 172.30.0.0/16 dev tun0 scope link 172.32.1.0/24 dev tun0 scope link 192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.3 192.168.0.0/16 dev tun0 scope link [root@sofa ~]#
wlan0
is my home internet connection,tun0
is the VPN.Adding another VPN would add further rules and another
tun
device.
-
In my case, one VPN is on 10.10.10.* subnet, the other on 192.168.10.* or something. So they are guaranteed not to overlap.
Hmm...interesting. Thanks.
-
Generally multiple VPN's are not a good idea, it really violates the concept of PRIVATE with respect to the endpoint (though the transmittal over the public wire is still private). This is why many VPN clients prevent it, and a few of the more secure Servers also detect it (and force a disconnect).
That being said, there are use-cases that are handy....just remember it is similar to having multiple NIC's on your computer, plugging one into the corporate network and another into some external network... most likely to be a violation of multiple security practices....
-
Hey, @tar....
That sounds on about the same level, to me, as shipping a Makefile with -Wall -Werror included in the default build.
Are you implying that -Wall -Werror is going to break on properly-written portable code?
Change AM_INIT_AUTOMAKE([foreign -Wall -Werror]) to AM_INIT_AUTOMAKE([foreign -Wnone])
You were saying?
-
WHAT WAS I SAYING?!?!?
Are you implying that -Wall -Werror is going to break on properly-written portable code?
properly-written portable
Oh, right....
-
Oops, forgot to write it down...
My point is that "properly-written portable code", in the sense that it will never trigger any warnings on any compiler you ever compile it with, is so low in quantity as to be insignificant.
-
I'm not 100% convinced of that—my C++ code compiles with
-Wall -Werror -Wextra
on Windows, Linux or BSD with pretty much anygcc
from 4.6 onwards, and a reasonably modernclang
(clang
is actually much stricter on template code thangcc
is—if your template code compiles onclang
, it'll compile ongcc
...)Noew, I do have a few
-Wno-
set flags for things such as "unused function parameter" (and I do negotiate with any particular compiler to decide precisely which-Wno-
flags it understands from the set that I test against). And I don't use-Werror
with third party code I depend on (say, SDL, or SQLite). But you can write things like an audio plugin network or an OpenGL renderer under those conditions. It's mildly annoying to have to maintain, but it's doable
-
I'm not 100% convinced of that—my C++ code compiles with -Wall -Werror -Wextra on Windows, Linux or BSD with pretty much any gcc from 4.6 onwards, and a reasonably modern clang (clang is actually much stricter on template code than gcc is—if your template code compiles on clang, it'll compile on gcc...)
That's fine until you have software that uses a deprecated OS API (and where what it is deprecated in favour of totally lacks the functionality you're using, of course; some parts of OSX are exactly like that when you want to do advanced virtualisation of library loading). At that point, you're stuck with having warnings. The best you can usually do in that case is to corral the errors into one file that you build without
-Werror
and turn the flag on for everything else.
-
> 2. Build it
$ cd gopenvpn
$ autoreconf -viThat’s a major pet peeve of mine: Projects that use
automake
, but whose source distribution doesn’t include the generatedconfigure
script, so you have to manually callautogen.sh
,autoreconf
or other mystic incantation.
Filed under: Want clear messages about missing libraries? Ha! Have fun with `AM_CHECK_WHATEVER is not defined`
-
That’s a major pet peeve of mine: Projects that use automake, but whose source distribution doesn’t include the generated configure script, so you have to manually call autogen.sh, autoreconf or other mystic incantation.
We keep that stuff committed in our repo. Yes, that's a bit wrong. No, it's not a catastrophic problem in practice; we don't change that part of the build system very often.
-
I use IntelliJ for pretty much everything I do, and I like to make sure that the little bar on the side is always green - That means I'll go through after I've written code and clean it up as much as possible, then annotate out anything that I can't clean (With comments to indicate why, of course).
-
IMO, -Werror is an important tool, but it belongs in a form of automatic test, not in your default build, especially if you're shipping source.
I also recomment an automatic test to verify your debug build(s) and
-O0
function correctly. All of those should pass with -Werror.
-
-Werror is an important tool, but it belongs in a form of automatic test, not in your default build, especially if you're shipping source.
Yeah, causing downstream maintainers to tear their hair out over a FTBFS due to a compiler version change that introduced some new, possibly-spurious warning is a bad idea.
-
At that point, you're stuck with having warnings.
Doesn't GCC have a #pragma or something to suppress a particular warning/error for a range or compilation unit?
-
You can do stuff like this (pulled out of some macros, which is why it's using
_Pragma
...):_Pragma("GCC diagnostic push") _Pragma("GCC diagnostic ignored \"-Winvalid-offsetof\"") // warny stuff here... _Pragma("GCC diagnostic pop")
-
You can do stuff like this (pulled out of some macros, which is why it's using
_Pragma
...):_Pragma("GCC diagnostic push") _Pragma("GCC diagnostic ignored \"-Winvalid-offsetof\"") // warny stuff here... _Pragma("GCC diagnostic pop") ```</blockquote> [Discoquoting rant goes <del>here</del><ins>everywhere</ins>] Dang, that's ugly. VC++ lets you do:
#pragma warning(push)
#pragma warning(disable 4700) // you have to know what warning 4700 is, of course
// code that generates 4700 here
#pragma warning(pop)
-
It'd probably be more like this if you used
#pragma
:#pragma GCC diagnostic ignored "-Winvalid-offsetof"
I am not sufficiently motivated to test it with a compiler though...
-
I am not sufficiently motivated to test it with a compiler though...
That's still verbose.
-
I guess I don't really have as strong an opinion either way around how different compilers implement non-standard features...
-
I guess I don't really have as strong an opinion either way around how different compilers implement non-standard features...
Are you agnostic on begin vs. {?
-
Pascal is just the worst.
-
OK, now you've actually made me think about it, I think the GCC
#pragma
has a slight edge on the CL#pragma
because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...
-
OK, now you've actually made me think about it, I think the GCC #pragma has a slight edge on the CL #pragma because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...
Except you have to go look up what that -W string is when it happens[1]. In VC, I see the warning number when compiling, copy/paste, done. (I usually copy/paste the warning text too so I don't have to remember.)
[1] Unless your warning generates that info too. Way too much effort to turn on my mac to see...
Are you agnostic on begin vs. {?
No one is allowed to question the one-true-style! {!
-
Except you have to go look up what that -W string is when it happens[1]. In VC, I see the warning number when compiling, copy/paste, done. (I usually copy/paste the warning text too so I don't have to remember.)
gcc --help -v 2>&1 | grep \-W
(Which is admittelly slightly fiddlier than it needs to be because gcc dumps it's help tostderr
...)
-
gcc --help -v 2>&1 | grep -W (Which is admittelly slightly fiddlier than it needs to be because gcc dumps it's help to stderr...)
VC for the win.
-
CL doesn't even have documentation built in for its warnings. What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?
-
The process described is very similar to building Boost with GCC on Windows.
-
What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?
Get a life?
Yeah, yeah, look who's talking etc.
-
"I need to be able to work on a plane" is often advanced as a reason that you need to use
git
for source control.Of course, the obvious response to this is "no you don't, that's stupid. You're stupid, and your source control is stupid also..."
-
"I need to be able to work on a plane" is often advanced as a reason that you are a git
Yes.
-
OK, now you've actually made me think about it, I think the GCC #pragma has a slight edge on the CL #pragma because you don't have to go on the internet to look up the warning code to see what's being disabled. So that's an advantage which mitigates it being longer...
TDEMSYR. You'd only be turning off a warning because you already had it, so you'd already know what the number was.
-
What are you going to do if you're trying to fix your code on a plane, where you don't have internet, eh?
If I were foolish enough to do that I'd've installed the offline help.
The one-line messages that come with the number are frequently enough to go on. For example, 4700 above is, IIRC, "use of uninitialized variable" which I happen to remember because it was listed on the MSDN page describing the #pragma syntax.
-
TDEMSYR. You'd only be turning off a warning because you already had it, so you'd already know what the number was.
That's right, because maintenance isn't a thing. Any code I would ever look at would have been written by me.