
sudo openvpn --config [VPN-NAME].ovpn: works
NetworkManager configuration: doesn't work (even though it is the same, copy-pasted config)

[VPN-NAME].ovpn:

dev tun
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote [hostname] 1194 udp
setenv opt block-outside-dns
lport 0
verify-x509-name "[hostname]" name
auth-user-pass
remote-cert-tls server
<ca>
[CA CERTIFICATE]
</ca>
<cert>
[CERT CERTIFICATE]
</cert>
<key>
[CERT KEY]
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
[TLS-KEY]
</tls-auth>

Network Manager configuration:

  • Copy-pasted certificates and key from .ovpn into discrete files
  • Selected "Connection type", value "Password with Certificates (TLS)"
  • Copy-pasted gateway and file path(s)
  • Went to "Advanced..."
  • Copy-pasted [VPN-NAME] in tab "TLS Settings" and selected "Verify name exactly"
  • Selected mode "TLS-Auth", copy-pasted tls-auth.key path, key direction "Client (1)"

tail -f /var/log/syslog:

debian NetworkManager[648]: <info>  [1609951704.7482] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
debian NetworkManager[648]: <info>  [1609951706.1485] audit: op="connection-activate" uuid="1afd25e7-f3cd-472d-9a3b-31f1ad390479" name="VPN-NAME" pid=2126 uid=1000 result="success"
debian NetworkManager[648]: <info>  [1609951706.1505] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: Started the VPN service, PID 6763
debian NetworkManager[648]: <info>  [1609951706.1554] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: Saw the service appear; activating connection
debian NetworkManager[648]: <info>  [1609951706.1591] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
debian NetworkManager[648]: <info>  [1609951706.2483] audit: op="statistics" arg="refresh-rate-ms" pid=2126 uid=1000 result="success"
debian NetworkManager[648]: <info>  [1609951711.8373] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: starting (3)
debian nm-openvpn[6766]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
debian nm-openvpn[6766]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
debian nm-openvpn[6766]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
debian nm-openvpn[6766]: TCP/UDP: Preserving recently used remote address: [AF_INET]A.B.C.D:1194
debian nm-openvpn[6766]: UDP link local: (not bound)
debian nm-openvpn[6766]: UDP link remote: [AF_INET]A.B.C.D:1194
debian nm-openvpn[6766]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
debian nm-openvpn[6766]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
debian NetworkManager[648]: <warn>  [1609951772.4259] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN connection: connect timeout exceeded.
debian nm-openvpn-serv[6763]: Connect timer expired, disconnecting.
debian NetworkManager[648]: <warn>  [1609951772.4316] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: failed: connect-failed (1)
debian nm-openvpn[6766]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
debian NetworkManager[648]: <info>  [1609951772.4317] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: stopping (5)
debian nm-openvpn[6766]: TLS Error: TLS handshake failed
debian NetworkManager[648]: <info>  [1609951772.4317] vpn-connection[0x55ce8e0d02e0,1afd25e7-f3cd-472d-9a3b-31f1ad390479,"VPN-NAME",0]: VPN plugin: state changed: stopped (6)
debian nm-openvpn[6766]: SIGTERM[hard,tls-error] received, process exiting

OS Environment:
Debian 10 (buster)
Kernel Linux debian 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
Network Manager: network-manager/stable,now 1.14.6-2+deb10u1 amd64
OpenVPN Plugin: network-manager-openvpn/stable,now 1.8.10-1 amd64
OpenVPN standalone client (openvpn command):

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10

From the syslog it seems the OpenVPN plugin for Network Manager either uses the underlying openvpn already installed, or has a standalone client it brings with the installation of the plugin itself, which has the same features/capabilities and even the same version as the standalone openvpn.

Then, it doesn't work (but only from Network Manager; standalone does)...

  • I'm not sure that works with embedded cert and key. Could you try to do `nmcli connection import type openvpn file client.ovpn ` on the "stock" configuration file and see whether that works? You might need to tweak the result though (I, for one, rename the connection afterwards—it gets named after the base name of the config file,—and then do `nmcli conn modify client ipv4.never-default yes ipv6.never-default yes`). Importing extracts the cert and key material and places them into separate files in the NM configuration directories. – kostix Jan 07 '21 at 10:04
  • I'd also try to increase the debug level by a directive in the config file: it's not clear from the output why exactly `VPN connection: connect timeout exceeded.`, which is a message from NM, not ovpn, and it would be interesting to see more progress output from ovpn itself. – kostix Jan 07 '21 at 10:11
  • @kostix I did increase the verbosity of the connection while issuing the `openvpn --config` command but not much has changed... (https://emma.cloud.tabdigital.eu/s/rBKxH98Tc7X8k32). While regarding the NM message I would reply "and that's the strange part I don't understand, since the issue is right with NM, having seen OpenVPN working from commandline multiple times but not once with NM itself". – bryanpedini Jan 15 '21 at 21:19
  • Sorry, I meant increasing the verbosity of `openvpn` started by the NM plug-in. Is that log file from _such_ a connection or from a connection performed by a manual run? – kostix Jan 18 '21 at 12:38
  • Didn't know how to increase verbosity on the connection made by NM, so that was from a manual run to (maybe) help a little more in understanding what's wrong... – bryanpedini Jan 19 '21 at 22:31
  • Oh, it appears the NM plugin for OpenVPN [does not support `verb`](https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/blob/master/shared/nm-service-defines.h), so it really appears to be impossible to make an `openvpn` instance it starts be extra chatty. – kostix Jan 20 '21 at 10:27

1 Answer


The network-manager-openvpn (and possibly network-manager-openvpn-gnome) packages cannot save the tls-auth fields. I'm using Ubuntu 22.04.3 LTS with network-manager-openvpn 1.8.18-1. I imported an OpenVPN configuration file and all fields were filled correctly except those related to tls-auth. Even after editing those fields, the values wouldn't be saved. However, I was able to edit the VPN connection using nmcli, adding values for "ta" (TLS-Auth key file) and "ta-dir" (key direction) to vpn.data. Then, Network Manager successfully connects. The config dialog even shows the correct values; it just can't seem to save them.

I'm not sure about the status of the bug(s). Here's a bug report that claimed the problem was fixed in NetworkManager-openvpn-1.8.8-1.fc29 back in 2018: https://bugzilla.redhat.com/show_bug.cgi?id=1639811

Here's a more recent bug report that describes what I see with nearly the same package versions: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/105
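The workaround described in the answer (storing the tls-auth key and key direction in vpn.data with nmcli, because the dialog does not persist them) as a complete, added example. This is not the answer's own script or NetworkManager-openvpn code: it splits the inline <tls-auth> block and the key-direction value out of an .ovpn like the one in the question into the separate files nmcli expects, then emits the `nmcli connection modify` invocations. The connection name "VPN-NAME", the use of `+vpn.data` to add keys without replacing the dictionary that `nmcli connection import` created, and the sample config (with placeholder key material) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Pull the inline <tls-auth> block and key-direction out of an .ovpn and
# build the nmcli commands that store them as vpn.data "ta" / "ta-dir".
set -eu

# Print only the key material between <tls-auth> and </tls-auth>.
# Assumption: tags sit alone at the start of their lines, as in the question.
extract_tls_auth() {                       # extract_tls_auth CONFIG OUTFILE
    sed -n '/^<tls-auth>/,/^<\/tls-auth>/p' "$1" | sed '1d;$d' > "$2"
    chmod 600 "$2"                          # static key must not be world-readable
    grep -q 'BEGIN OpenVPN Static key' "$2" # fail if no key body was found
}

# Read "key-direction N"; prints nothing when the directive is absent
# (the key is then used bidirectionally and ta-dir must stay unset).
key_direction() {                          # key_direction CONFIG
    awk '$1 == "key-direction" { print $2; found = 1 }
         END { if (!found) print "" }' "$1"
}

# Emit the nmcli commands; "+vpn.data" adds keys instead of replacing the
# whole dictionary the import created (assumed nmcli syntax).
nmcli_commands() {                         # nmcli_commands CONN TAFILE [DIR]
    printf 'nmcli connection modify "%s" +vpn.data "ta=%s"\n' "$1" "$2"
    if [ -n "${3:-}" ]; then
        printf 'nmcli connection modify "%s" +vpn.data "ta-dir=%s"\n' "$1" "$3"
    fi
}

# Constructed sample config: the key body is placeholder text, not a real key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
client
dev tun
remote vpn.example.net 1194 udp
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Real use: nmcli connection import type openvpn file VPN-NAME.ovpn, then
# run the printed commands and "nmcli connection up VPN-NAME".
TA_FILE=$(mktemp)
extract_tls_auth "$SAMPLE" "$TA_FILE"
DIR=$(key_direction "$SAMPLE")
nmcli_commands "VPN-NAME" "$TA_FILE" "$DIR"
```

The extracted file should land somewhere NetworkManager can read at activation time (the comments above note that `nmcli connection import` puts its own extracted material in the NM configuration directories); a file in a user's home directory may not be readable by the nm-openvpn helper.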