0

sudo openvpn --config [VPN-NAME].ovpn: works
NetworkManager configuration: doesn't work (while being the same, copypasted config)

[VPN-NAME].ovpn:

    dev tun
    persist-tun
    persist-key
    ncp-disable
    cipher AES-256-CBC
    auth SHA512
    tls-client
    client
    resolv-retry infinite
    remote [hostname] 1194 udp
    setenv opt block-outside-dns
    lport 0
    verify-x509-name "[hostname]" name
    auth-user-pass
    remote-cert-tls server
    <ca>
    [CA CERTIFICATE]
    </ca>
    <cert>
    [CERT CERTIFICATE]
    </cert>
    <key>
    [CERT KEY]
    </key>
    key-direction 1
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    [TLS-KEY]
    </tls-auth>

Network Manager configuration:

  • Copypasted certificates and key from .ovpn into discrete files
  • Selected "Connection type", value "Password with Certificates (TLS)"
  • Copypasted gateway and file path(s)
  • Went to "Advanced..."
  • Copypasted [VPN-NAME] in tab "TLS Settings" and selected "Verify name exactly"
  • Selected mode "TLS-Auth", copypasted tls-auth.key path, key direction "Client (1)"

tail -f /var/log/syslog:

    debian NetworkManager[648]: <info> [1609951704.7482] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
    debian NetworkManager[648]: <info> [1609951706.1485] audit: op="connection-activate" uuid="1afd25e7-f3cd-472d-9a3b-31f1ad390479" name="VPN-NAME" pid=2126 uid=1000 result="success"
    debian NetworkManager[648]: <info> [1609951706.1505] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: Started the VPN service, PID 6763
    debian NetworkManager[648]: <info> [1609951706.1554] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: Saw the service appear; activating connection
    debian NetworkManager[648]: <info> [1609951706.1591] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
    debian NetworkManager[648]: <info> [1609951706.2483] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
    debian NetworkManager[648]: <info> [1609951711.8373] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: starting (3)
    debian nm-openvpn[6766]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
    debian nm-openvpn[6766]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
    debian nm-openvpn[6766]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    debian nm-openvpn[6766]: TCP/UDP: Preserving recently used remote address: [AF_INET]A.B.C.D:1194
    debian nm-openvpn[6766]: UDP link local: (not bound)
    debian nm-openvpn[6766]: UDP link remote: [AF_INET]A.B.C.D:1194
    debian nm-openvpn[6766]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
    debian nm-openvpn[6766]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
    debian NetworkManager[648]: <warn> [1609951772.4259] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN connection: connect timeout exceeded.
    debian nm-openvpn-serv[6763]: Connect timer expired, disconnecting.
    debian NetworkManager[648]: <warn> [1609951772.4316] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: failed: connect-failed (1)
    debian nm-openvpn[6766]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    debian NetworkManager[648]: <info> [1609951772.4317] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: stopping (5)
    debian nm-openvpn[6766]: TLS Error: TLS handshake failed
    debian NetworkManager[648]: <info> [1609951772.4317] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: stopped (6)
    debian nm-openvpn[6766]: SIGTERM[hard,tls-error] received, process exiting

OS Environment:
Debian 10 (buster)
Kernel Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
Network Manager: network-manager/stable,now 1.14.6-2+deb10u1 amd64
OpenVPN Plugin: network-manager-openvpn/stable,now 1.8.10-1 amd64
OpenVPN standalone client (openvpn command):

    OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
    library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10

From the syslog it seems the OpenVPN plugin for Network Manager either uses the underlying openvpn already installed, or has a standalone client it brings with the installation of the plugin itself, which has the same features/capabilities and even version of the standalone openvpn.

Then, it doesn't work (but only from Network Manager, standalone does)...

6
  • I'm not sure that works with embedded cert and key. Could you try to do nmcli connection import type openvpn file client.ovpn on the "stock" configuration file and see whether that works? You might need to tweak the result though (I, for one, rename the connection afterwards—it gets named after the base name of the config file,—and then do nmcli conn modify client ipv4.never-default yes ipv6.never-default yes). Importing extracts the cert and key material and places them into separate files in the NM configuration directories. Commented Jan 7, 2021 at 10:04
  • I'd also try to increase debug level by a directive in the config file: it's not clear from the output why exactly VPN connection: connect timeout exceeded., which is a message from NM, not ovpn, and it would be interesting to see more progress output from ovpn itself. Commented Jan 7, 2021 at 10:11
  • @kostix I did increase the verbosity of the connection while issuing the openvpn --config command but not much has changed... (emma.cloud.tabdigital.eu/s/rBKxH98Tc7X8k32). While regarding the NM message I would reply "and that's the strange part I don't understand, since the issue is right with NM, having seen OpenVPN working from commandline multiple times but not once with NM itself". Commented Jan 15, 2021 at 21:19
  • Sorry, I meant increasing the verbosity of openvpn started by the NM plug-in. Is that log file from such a connection or from a connection performed by a manual run? Commented Jan 18, 2021 at 12:38
  • Didn't know how to increase verbosity on the connection made by NM, so that was from a manual run to (maybe) help a little more understanding what's wrong... Commented Jan 19, 2021 at 22:31

1 Answer

0

The network-manager-openvpn (and possibly network-manager-openvpn-gnome) packages cannot save the tls-auth fields. I'm using Ubuntu 22.04.3 LTS with network-manager-openvpn 1.8.18-1. I imported an OpenVPN configuration file and all fields were filled correctly except those related to tls-auth. Even after editing those fields, the values wouldn't be saved. However, I was able to edit the VPN connection using nmcli, adding values for "ta" (TLS-Auth key file) and "ta-dir" (key direction) to vpn.data. Then, Network Manager successfully connects. The config dialog even shows the correct values; it just can't seem to save them.

I'm not sure about the status of the bug(s). Here's a bug report that claimed the problem was fixed in NetworkManager-openvpn-1.8.8-1.fc29 back in 2018: https://bugzilla.redhat.com/show_bug.cgi?id=1639811

Here's a more recent bug report that describes what I see with nearly the same package versions: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/105
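
The check behind the nmcli workaround in the answer above, as an added example that is not part of the original answer: it compares the tls-auth settings of the .ovpn with a profile's vpn.data and prints the `nmcli connection modify` command that adds the missing "ta" and "ta-dir" entries. The function names, file paths and sample values are assumptions made for illustration, and vpn.data is assumed to be the "key = value, key = value" text that nmcli prints.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the tls-auth settings of
# an .ovpn file with a NetworkManager profile's vpn.data and prints the nmcli
# command that restores what the profile lacks. All names are hypothetical.

# Key direction the .ovpn asks for: "key-direction N", or the optional
# direction argument of a file-based "tls-auth FILE N" line.
ovpn_key_direction() {
    awk '$1 == "key-direction"       { d = $2 }
         $1 == "tls-auth" && NF >= 3 { d = $3 }
         END                         { print d }' "$1"
}

# Value of key $2 in vpn.data text $1, i.e. the output of
#   nmcli -g vpn.data connection show NAME
# Assumed format: "k = v, k = v"; values containing commas are not handled.
vpn_data_get() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v k="$2" '
        { sub(/^ +/, ""); i = index($0, " = ") }
        i && substr($0, 1, i - 1) == k { print substr($0, i + 3) }'
}

# Usage: tls_auth_fix_cmd CONNECTION OVPN_FILE VPN_DATA TA_KEY_FILE
# Prints nothing when the .ovpn has no tls-auth or the profile already matches.
tls_auth_fix_cmd() (
    conn=$1 ovpn=$2 data=$3 keyfile=$4 args=""
    grep -Eq '^[[:space:]]*(<tls-auth>|tls-auth[[:space:]])' "$ovpn" || exit 0
    dir=$(ovpn_key_direction "$ovpn")
    [ -n "$(vpn_data_get "$data" ta)" ] || args=" +vpn.data \"ta=$keyfile\""
    if [ -n "$dir" ] && [ "$(vpn_data_get "$data" ta-dir)" != "$dir" ]; then
        args="$args +vpn.data \"ta-dir=$dir\""
    fi
    [ -z "$args" ] || printf 'nmcli connection modify "%s"%s\n' "$conn" "$args"
)

# Constructed sample: the question's config shape, and a profile whose
# tls-auth fields were not saved (all values are placeholders).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'remote vpn.example.test 1194 udp' 'key-direction 1' \
        '<tls-auth>' '[TLS-KEY]' '</tls-auth>' > "$tmp"
    tls_auth_fix_cmd VPN-NAME "$tmp" \
        'ca = /etc/vpn/ca.crt, connection-type = password-tls, remote = vpn.example.test' \
        /etc/vpn/tls-auth.key
    rm -f "$tmp"
}
demo
```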
