OpenVPN on Ubuntu 22.04

Does anyone have any advice for using OpenVPN in Ubuntu 22.04 via Network Manager? I imported my OpenVPN configuration that was exported from IPFire. I can start up the VPN, but routing doesn’t seem to be working correctly. I’m unable to see any of the machines inside my home network. If it matters, this is when using a Verizon MIFI device that my laptop is connected to. In addition, if I do a “what’s my ip?” check, I continue to get the (IPv6) address from Verizon rather than the (IPv4) address of my home network like I would expect.

Thanks for any insights!
Craig

Here is my routing table:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.110.196.13   0.0.0.0         UG    50     0        0 tun0
default         my.jetpack      0.0.0.0         UG    20600  0        0 wlp0s20f3
10.110.196.1    10.110.196.13   255.255.255.255 UGH   50     0        0 tun0
10.110.196.13   0.0.0.0         255.255.255.255 UH    50     0        0 tun0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 br-1e7cf195b2ad
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-3ab8c8f34d27
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-f42798f98b9d
172.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-1e7cf195b2ad
172.21.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5f4cca018037
192.168.0.0     10.110.196.13   255.255.255.0   UG    50     0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp0s20f3
my.jetpack      0.0.0.0         255.255.255.255 UH    50     0        0 wlp0s20f3
206.146.90.234  my.jetpack      255.255.255.255 UGH   50     0        0 wlp0s20f3

My home network is 192.168.0.xxx
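Read against the table above, the laptop's IPv4 routing is already what the VPN should produce: 192.168.0.0/24 goes via tun0, and the default route via tun0 (metric 50) beats the MiFi's default (metric 20600). What that table cannot show is IPv6: `route` prints only the IPv4 table, and a what's-my-IP page that reports the Verizon IPv6 address was reached over IPv6 directly on the hotspot, outside the tunnel. The script below is an added example, not code from the post, from NetworkManager or from IPFire: it parses `ip route` / `ip -6 route` text, applies the kernel's longest-prefix-then-lowest-metric selection, and reports which interface carries the home LAN and a public probe address in each family. The route lines are constructed to mirror the post's table (the IPv6 lines use documentation prefixes and the probe addresses are placeholders); nothing here is captured output.

```python
"""Which interface carries a destination, computed from `ip route` text."""
import ipaddress

# Constructed sample modelled on the poster's `route` table (same prefixes and
# metrics), rewritten in `ip route show` syntax. Not captured from a real host.
SAMPLE_ROUTES_V4 = """\
default via 10.110.196.13 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.42 metric 20600
10.110.196.1 via 10.110.196.13 dev tun0 proto static metric 50
10.110.196.13 dev tun0 proto kernel scope link src 10.110.196.14 metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 via 10.110.196.13 dev tun0 proto static metric 50
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.42 metric 600
206.146.90.234 via 192.168.1.1 dev wlp0s20f3 proto static metric 50
"""

# Constructed `ip -6 route` sample using documentation prefixes: the hotspot
# advertises a global prefix and a default route, the VPN pushed no IPv6 route.
SAMPLE_ROUTES_V6 = """\
2001:db8:1:2::/64 dev wlp0s20f3 proto ra metric 600 pref medium
fe80::/64 dev wlp0s20f3 proto kernel metric 1024 pref medium
default via fe80::1 dev wlp0s20f3 proto ra metric 20600 pref medium
"""


def parse_routes(text, family=4):
    """Parse `ip route` lines into dicts: dst network, gateway, device, metric."""
    any_net = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = any_net if fields[0] == "default" else ipaddress.ip_network(fields[0], strict=False)
        route = {"dst": dst, "via": None, "dev": None, "metric": 0}
        i = 1
        while i < len(fields):
            key = fields[i]
            if key in ("via", "dev"):
                route[key] = fields[i + 1]
                i += 2
            elif key == "metric":
                route["metric"] = int(fields[i + 1])
                i += 2
            elif key in ("proto", "scope", "src", "table", "pref"):
                i += 2  # key/value pairs we do not need
            else:
                i += 1  # bare flags such as linkdown or onlink
        routes.append(route)
    return routes


def lookup(routes, addr):
    """Kernel selection rule: longest prefix wins; equal prefixes, lowest metric wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["dst"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def exit_device(routes, addr):
    route = lookup(routes, addr)
    return route["dev"] if route else None


def tunnel_report(routes_v4, routes_v6, home_net, vpn_dev="tun0",
                  probe_v4="203.0.113.9", probe_v6="2001:db8:ffff::9"):
    """Where traffic for the home LAN and for a public address in each family exits."""
    home_host = str(ipaddress.ip_network(home_net).network_address + 10)
    v6_dev = exit_device(routes_v6, probe_v6)
    return {
        "home_via": exit_device(routes_v4, home_host),
        "internet_v4_via": exit_device(routes_v4, probe_v4),
        "internet_v6_via": v6_dev,
        # A global IPv6 route that is not via the tunnel means what's-my-IP
        # sites reachable over IPv6 see the hotspot address, not the VPN's.
        "ipv6_bypasses_vpn": v6_dev is not None and v6_dev != vpn_dev,
    }


if __name__ == "__main__":
    v4 = parse_routes(SAMPLE_ROUTES_V4)
    v6 = parse_routes(SAMPLE_ROUTES_V6, family=6)
    for key, value in tunnel_report(v4, v6, "192.168.0.0/24").items():
        print(f"{key}: {value}")
```

On a real laptop feed it `ip route show` and `ip -6 route show` output instead of the constants. If `ipv6_bypasses_vpn` comes back true while `home_via` is tun0, the routing for the LAN is fine and the symptom is an IPv6 leak; the usual remedies are to have the server push an IPv6 default route, or to disable IPv6 on the hotspot interface while the VPN is up.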

I am running Network Manager on my laptop running Arch Linux. I just imported my ovpn into the Network Manager applet and selected the .p12 file for CA certificate, User certificate and User private key and everything has just worked for me. This has been working for several years.

This post is currently being written via my laptop as a road warrior going into my LAN via OpenVPN and I just confirmed that I am using the IP of my IPFire network, not the local network I am connected to.

When you created the client connection, in the Advanced client options section - routing for the box labelled
“Client has access to these networks on IPFire’s site”
have you got GREEN listed?

Unfortunately, since the VPN is not working I can’t actually look to see how it is configured at home. I’m sure I did something wrong, but unfortunately it appears I may be stuck without this working. Looks like I didn’t do enough validation of my configuration before leaving home.

If I wanted to route traffic to the internet via the VPN, should that work even if I misconfigured the VPN configuration relative to home network?

Unfortunately I am not knowledgeable enough about OpenVPN or Routing to be able to answer this question.

The routing table on my laptop is

default via 10.110.26.5 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlp2s0 proto dhcp src 192.168.1.191 metric 20600
10.110.26.1 via 10.110.26.5 dev tun0 proto static metric 50
10.110.26.5 dev tun0 proto kernel scope link src 10.110.26.6 metric 50
xxx.xxx.xxx.xxx via 192.168.1.1 dev wlp2s0 proto static metric 50
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.191 metric 600
192.168.1.1 dev wlp2s0 proto static scope link metric 50
192.168.26.0/24 via 10.110.26.5 dev tun0 proto static metric 50

192.168.1.x is the network at the location I am currently at. 192.168.26.x is the green network on my IPFire system.

I have had the same problem in the past so now after any changes to OpenVPN or a Core Update I always visit my local supermarket with my laptop and test out the VPN tunnel to confirm it is working.

Coming back around to this again finally. I’m seeing some strange behavior with my Ubuntu 22.10 laptop trying to connect to OpenVPN on IPFire. I’ve created and installed a new client package. When I enable the VPN in Network Manager, it shows that it is connecting. If I actually go browse my home network via VPN it works, however I eventually get the following:

It appears like it is unable to complete the connection despite the fact that things seem to work correctly before this error occurs. Any suggestions on how to fix this?

FYI… I’m testing this over my phone’s mobile hotspot.

Thanks again!
Craig

FWIW… Here are the logs from an attempt to connect OpenVPN.

Feb 14 19:56:46 XPS-15-9500 NetworkManager[1206]: <info>  [1676426206.2545] vpn[0x558d5df7c6e0,3e4ef5ea-2a93-4eaf-bf57-3c3f7636f070,"xps15-TO-IPFire"]: starting openvpn
Feb 14 19:56:46 XPS-15-9500 NetworkManager[1206]: <info>  [1676426206.2553] audit: op="connection-activate" uuid="3e4ef5ea-2a93-4eaf-bf57-3c3f7636f070" name="xps15-TO-IPFire" p>
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenV>
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: TCP/UDP: Preserving recently used remote address: [AF_INET]206.146.88.32:1194
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: UDPv4 link local: (not bound)
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: UDPv4 link remote: [AF_INET]206.146.88.32:1194
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Feb 14 19:56:46 XPS-15-9500 nm-openvpn[37998]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 14 19:57:46 XPS-15-9500 nm-openvpn[37998]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 14 19:57:46 XPS-15-9500 nm-openvpn[37998]: TLS Error: TLS handshake failed
Feb 14 19:57:46 XPS-15-9500 nm-openvpn[37998]: SIGUSR1[soft,tls-error] received, process restarting
Feb 14 19:57:46 XPS-15-9500 NetworkManager[1206]: <warn>  [1676426266.6617] vpn[0x558d5df7c6e0,3e4ef5ea-2a93-4eaf-bf57-3c3f7636f070,"xps15-TO-IPFire"]: connect timeout exceeded
Feb 14 19:57:46 XPS-15-9500 nm-openvpn-serv[37994]: Connect timer expired, disconnecting.
Feb 14 19:57:46 XPS-15-9500 nm-openvpn[37998]: SIGTERM[hard,init_instance] received, process exiting

I was able to create another client with a similar configuration for my Android phone and that worked fine. I can’t guarantee I managed to get them set up identically, but they should have been very close.

Suggestions appreciated!
Craig

Your problem is that your client has updated to the OpenSSL 3 branch. To make that work you have to modify the openssl.cnf file on your client to allow the legacy option.

See thread
https://community.ipfire.org/t/ovpn-cert-creation-algo/7911

The reason for that is that the Android client(s) have the legacy option built in, while most of the Linux distributions have left that up to people to adjust for themselves if needed.

The thread above gives more info on what the problem between the openssl versions is.

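The "legacy option" the reply above refers to is OpenSSL 3's legacy provider, which is off unless openssl.cnf activates it. The script below is an added example, not code from the post, from OpenSSL or from IPFire: it carries the provider section layout from the OpenSSL 3 provider documentation and a small checker that follows the `openssl_conf -> providers -> <name> -> activate` chain the way libcrypto does at start-up, so a config can be verified before NetworkManager is restarted. It also catches the common trap: as soon as any provider is activated explicitly, the default provider is no longer loaded implicitly, so a file that activates only `legacy` breaks AES, SHA-2 and TLS for everything. The config texts are constructed stand-ins, not copies of any distribution's file, and which algorithm in the exported bundle needs the legacy provider is not stated on this page (the linked thread covers that). Two caveats from the editor rather than the poster: activating the legacy provider in the system-wide /etc/ssl/openssl.cnf re-enables RC2, RC4, DES and similar for every OpenSSL 3 program on the laptop, not only OpenVPN; and if the only consumer is the PKCS#12 bundle, re-exporting it with current defaults (`openssl pkcs12 -export` in OpenSSL 3 uses AES-256-CBC with PBKDF2 and a SHA-256 MAC) is the narrower fix.

```python
"""Check an OpenSSL 3 configuration for the legacy provider before relying on it."""

# Provider section layout from the OpenSSL 3 provider documentation, with the
# legacy provider activated next to the default one. Constructed here as a string;
# in /etc/ssl/openssl.cnf the `openssl_conf = openssl_init` line is already present.
LEGACY_ENABLED_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
"""

# Constructed stand-in for a distribution default: no legacy provider, and the
# default provider relies on implicit activation (the activate line is commented
# out). Once any provider is activated explicitly that implicit loading stops.
STOCK_CNF = """\
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
# activate = 1
"""


def parse_cnf(text):
    """Minimal OpenSSL config parser: {section: {key: value}}; '' is the unnamed top section."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def provider_status(text):
    """Follow openssl_conf -> providers -> <name> -> activate, as libcrypto does at init."""
    cnf = parse_cnf(text)
    init = cnf[""].get("openssl_conf")
    providers = cnf.get(init, {}).get("providers") if init else None
    entries = cnf.get(providers, {}) if providers else {}
    status = {}
    for name, section in entries.items():
        flag = cnf.get(section, {}).get("activate", "0").lower()
        status[name] = flag in ("1", "yes", "on", "true")
    if not any(status.values()):
        status["default"] = True  # implicit default provider when nothing is explicit
    return status


def usable_for_legacy_pkcs12(text):
    """True only if both the default and the legacy provider will be loaded."""
    status = provider_status(text)
    return bool(status.get("default")) and bool(status.get("legacy"))


def with_legacy_provider(text):
    """Add `legacy = legacy_sect` to the providers section and append an activated legacy_sect."""
    if provider_status(text).get("legacy"):
        return text
    cnf = parse_cnf(text)
    providers = cnf[cnf[""]["openssl_conf"]]["providers"]
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip() == f"[{providers}]":
            out.append("legacy = legacy_sect")
    out += ["", "[legacy_sect]", "activate = 1"]
    result = "\n".join(out) + "\n"
    if not provider_status(result).get("default"):
        # Explicit legacy activation switched off the implicit default provider.
        raise ValueError("activate = 1 is also needed in the default provider section")
    return result


if __name__ == "__main__":
    print("shipped config:", provider_status(STOCK_CNF))
    print("legacy enabled:", provider_status(LEGACY_ENABLED_CNF))
```

To try a candidate file without touching the system copy, point a single process at it: `OPENSSL_CONF=/tmp/test.cnf openssl list -providers` should list both `default` and `legacy`. nm-openvpn does not read that environment variable from your shell, so for NetworkManager the change still has to land in the system-wide file.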

Thanks! I will give this a try.

I finally found some time to try this out and I’ve managed to make some progress, but things are still not working for me. While the VPN appears to be connected (via the top bar icon), I am seeing connection reset errors in the browser and a different set of errors in the logs:

Feb 17 12:05:32 XPS-15-9500 nm-openvpn[9109]: [ipfire.localdomain] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Feb 17 12:05:34 XPS-15-9500 nm-openvpn[9109]: Preserving previous TUN/TAP instance: tun0
Feb 17 12:05:34 XPS-15-9500 nm-openvpn[9109]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 9103 --bus-name org.freedesktop.NetworkManager.openvpn.Connect>
Feb 17 12:05:34 XPS-15-9500 nm-openvpn[9109]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Feb 17 12:05:34 XPS-15-9500 nm-openvpn[9109]: net_addr_ptp_v4_del: 10.110.196.14 dev tun0
Feb 17 12:05:34 XPS-15-9500 NetworkManager[1238]: <warn>  [1676657134.4461] platform-linux: do-add-ip4-address[18: 10.110.196.14/32,10.110.196.13]: failure 19 (No such device)
Feb 17 12:05:34 XPS-15-9500 NetworkManager[1238]: <info>  [1676657134.4551] device (tun0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Feb 17 12:05:34 XPS-15-9500 NetworkManager[1238]: <warn>  [1676657134.4822] dns-sd-resolved[2cc28e465ed360dc]: send-updates SetLinkDomains@15 failed: GDBus.Error:org.freedeskto>
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: TUN/TAP device tun0 opened
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 9103 --bus-name org.freedesktop.NetworkManager.openvpn.Connect>
Feb 17 12:05:35 XPS-15-9500 NetworkManager[1238]: <info>  [1676657135.5027] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/20)
Feb 17 12:05:35 XPS-15-9500 NetworkManager[1238]: <info>  [1676657135.5312] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state:>
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: Error: negotiated cipher not allowed - AES-256-CBC not in AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: OPTIONS ERROR: failed to import crypto options
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: Failed to open tun/tap interface
Feb 17 12:05:35 XPS-15-9500 nm-openvpn[9109]: SIGUSR1[soft,process-push-msg-failed] received, process restarting

I’m guessing this is a problem with Ubuntu, but I would really appreciate any insights.

Thanks again!
Craig

I switched the OpenVPN server on IPFire to AES-256-GCM and was able to connect successfully.

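The two log lines above explain both the failure and the fix. The 19:56:46 line reports that the exported profile still carries `cipher AES-256-CBC` but that cipher is not in the client's `--data-ciphers` list (the 2.6 default `AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305`), and the truncated tail of that warning is the 2.6 notice that `--cipher` is no longer used for negotiation at all. So when the IPFire server pushes `cipher AES-256-CBC`, the 12:05:35 line rejects it with "negotiated cipher not allowed". The last post fixes it on the server side by moving to AES-256-GCM, which is also the better end state (AEAD instead of CBC plus a separate HMAC); the alternative would have been adding AES-256-CBC to the client's data-ciphers. The script below is an added example, not code from the post, from OpenVPN or from IPFire: it models the client-side acceptance rule for the configuration as logged, for the 2.5-era behaviour of still appending `--cipher` to the list (my reading of the deprecation warning, stated as an assumption), and for both fixes. The .ovpn fragments are constructed with a placeholder remote, not the poster's files.

```python
"""Model of the OpenVPN 2.6 client-side data-cipher check seen in the logs above."""

# OpenVPN 2.6 default --data-ciphers, exactly as printed in the poster's warning line.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Constructed client profiles standing in for the states in the thread; not the
# poster's exported files. The remote host is a placeholder.
CLIENT_AS_LOGGED = """\
client
dev tun
proto udp
remote vpn.example.net 1194
# legacy directive still present in the exported profile
cipher AES-256-CBC
"""
CLIENT_ALLOWLIST_EXTENDED = CLIENT_AS_LOGGED + (
    "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC\n"
)


def parse_client_config(text):
    """Pull the cipher directives out of an .ovpn profile; defaults mirror 2.6."""
    cfg = {"cipher": None, "data_ciphers": list(DEFAULT_DATA_CIPHERS)}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "cipher" and len(parts) > 1:
            cfg["cipher"] = parts[1].upper()
        elif parts[0] in ("data-ciphers", "ncp-ciphers") and len(parts) > 1:
            cfg["data_ciphers"] = [c.upper() for c in parts[1].split(":")]
    return cfg


def check_pushed_cipher(cfg, pushed, append_cipher=False):
    """Decide whether the client accepts the server's pushed `cipher` directive.

    Default is the 2.6 rule: --cipher is ignored for negotiation, only
    --data-ciphers counts. append_cipher=True models the older 2.5 behaviour of
    still appending --cipher to the list (assumption drawn from the deprecation
    warning text). Returns (accepted, message, warnings).
    """
    allowed = list(cfg["data_ciphers"])
    warnings = []
    if cfg["cipher"] and cfg["cipher"] not in allowed:
        warnings.append(
            f"DEPRECATED OPTION: --cipher set to '{cfg['cipher']}' but missing in "
            f"--data-ciphers ({':'.join(allowed)})"
        )
        if append_cipher:
            allowed.append(cfg["cipher"])
    pushed = pushed.upper()
    if pushed not in allowed:
        return (False,
                f"negotiated cipher not allowed - {pushed} not in {':'.join(allowed)}",
                warnings)
    if pushed not in AEAD_CIPHERS:
        warnings.append(f"{pushed} is not an AEAD mode (CBC plus a separate HMAC)")
    return True, f"data channel cipher {pushed}", warnings


def scenarios():
    """The failure from the logs, the 2.5-style behaviour, and both possible fixes."""
    as_logged = parse_client_config(CLIENT_AS_LOGGED)
    extended = parse_client_config(CLIENT_ALLOWLIST_EXTENDED)
    return {
        "2.6 client, server pushes CBC": check_pushed_cipher(as_logged, "AES-256-CBC"),
        "2.5-style append, server pushes CBC": check_pushed_cipher(as_logged, "AES-256-CBC", append_cipher=True),
        "client allow-list extended, server pushes CBC": check_pushed_cipher(extended, "AES-256-CBC"),
        "2.6 client, server switched to GCM": check_pushed_cipher(as_logged, "AES-256-GCM"),
    }


if __name__ == "__main__":
    for name, (ok, msg, warns) in scenarios().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {msg}")
        for w in warns:
            print(f"    warning: {w}")
```

Run against a real profile, `parse_client_config` on the exported .ovpn plus the cipher name from the server's push reply reproduces the decision the client logged; the last scenario is the state the thread ended in, where the deprecation warning is still printed (the stale `cipher` line could simply be deleted from the profile) but the tunnel comes up with an AEAD cipher.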