#1 2017-04-21 21:05:44

bharath23
Member
Registered: 2017-01-13
Posts: 9

NetworkManager unable to connect to OpenVPN

I am trying to use NetworkManager to connect to OpenVPN and it fails with AUTH_FAILED. If I use the same config file that I used to import the connection from the command line with the openvpn client, it has no issues connecting. Any help in resolving this issue is greatly appreciated.

When I check the NetworkManager logs I see the following repeated till the connection times out eventually.

OpenVPN 2.4.1 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
Apr 21 13:44:57 budhhipriya nm-openvpn[3943]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
Apr 21 13:44:57 budhhipriya nm-openvpn[3943]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Apr 21 13:44:57 budhhipriya nm-openvpn[3943]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: TCP/UDP: Preserving recently used remote address: [AF_INET]52.86.82.202:1194
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: UDP link local: (not bound)
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: UDP link remote: [AF_INET]52.86.82.202:1194
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Apr 21 13:44:58 budhhipriya nm-openvpn[3943]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.86.82.202:1194
Apr 21 13:45:00 budhhipriya nm-openvpn[3943]: AUTH: Received control message: AUTH_FAILED
Apr 21 13:45:00 budhhipriya nm-openvpn[3943]: SIGUSR1[soft,auth-failure] received, process restarting
Apr 21 13:45:05 budhhipriya NetworkManager[316]: <info>  [1492807505.2028] vpn-connection[0x21c4420,273f7967-3249-4a62-8dc4-23aeae9e9464,"aws-us-e-1",0]: VPN plugin: requested secrets; state connect (4)
Apr 21 13:45:05 budhhipriya NetworkManager[316]: <info>  [1492807505.2471] keyfile: update /etc/NetworkManager/system-connections/aws-us-e-1 (273f7967-3249-4a62-8dc4-23aeae9e9464,"aws-us-e-1")
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: TCP/UDP: Preserving recently used remote address: [AF_INET]52.86.82.202:1194
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: UDP link local: (not bound)
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: UDP link remote: [AF_INET]52.86.82.202:1194
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Apr 21 13:45:05 budhhipriya nm-openvpn[3943]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]52.86.82.202:1194
Apr 21 13:45:07 budhhipriya nm-openvpn[3943]: AUTH: Received control message: AUTH_FAILED
Apr 21 13:45:07 budhhipriya nm-openvpn[3943]: SIGUSR1[soft,auth-failure] received, process restarting

My NetworkManager configuration looks as below:

[connection]
id=aws-us-e-1
uuid=273f7967-3249-4a62-8dc4-23aeae9e9464
type=vpn
autoconnect=false
permissions=

[vpn]
ca=/home/bharath/.config/vpn/aws-us-e-1/ca.crt
cert=/home/bharath/.config/vpn/aws-us-e-1/client.crt
cert-pass-flags=0
cipher=AES-128-CBC
connection-type=password-tls
dev=tun
dev-type=tun
key=/home/bharath/.config/vpn/aws-us-e-1/client.key
ns-cert-type=server
password-flags=0
port=1194
remote=useast.prod.vpn.bharath.io
reneg-seconds=604800
ta=/home/bharath/.config/vpn/aws-us-e-1/ta.key
ta-dir=1
username=bharath
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=<my secret password>

[ipv4]
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

Offline

#2 2017-04-22 11:43:03

R00KIE
Forum Moderator
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: NetworkManager unable to connect to OpenVPN

I would start by fixing some of the warnings, such as the mtu setting and the compression setting. Another thing I would look at is if username and password are actually usable when using certificates to authenticate.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#3 2017-04-22 15:09:39

bharath23
Member
Registered: 2017-01-13
Posts: 9

Re: NetworkManager unable to connect to OpenVPN

R00KIE wrote:

I would start by fixing some of the warnings, such as the mtu setting and the compression setting. Another thing I would look at is if username and password are actually usable when using certificates to authenticate.

The username and password are usable. When I use the openvpn client to directly connect to the VPN server it works without any issues. Seems like nm-openvpn is not passing the credentials correctly. The warnings exist even when connecting using the openvpn client directly.

Offline

#4 2017-11-20 04:10:47

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

I am having similar problems. I fixed the warnings to make my settings consistent with the PIA server settings but still get the AUTH_FAILED error. Like the OP, using "openvpn /etc/openvpn/<vpnname>.ovpn" works correctly as expected, but fails if initiated from the networkmanager applet. Using the nm-applet, I am prompted for a password. I enter the correct password and am prompted again, and this repeats until I cancel or the applet exits.

Here is my CA Toronto.ovpn file:

client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pia.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

The corresponding NetworkManager connection file is:

[connection]
id=PIA - CA Toronto
uuid=eb0c00ef-5a9c-4712-ad16-ae343cf60003
type=vpn
autoconnect=false
permissions=user:marshal:;

[vpn]
auth=SHA1
ca=/etc/openvpn/pia-ca.rsa.4096.crt
cipher=BF-CBC
comp-lzo=yes
connection-type=password
dev-type=tun
keysize=128
password-flags=0
port=1197
remote=ca-toronto.privateinternetaccess.com
username=<correct PIA username>
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=<correct PIA password>

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=ignore

I've read numerous posts, wiki, etc. to no avail. I've tried manually editing the nm connection file, but it just gets rewritten by nm. I'm beginning to think this is a bug in networkmanager-openvpn and wonder if anyone has a working example - one they use successfully to establish a vpn connection via the nm applet.

A snippet of journalctl -u NetworkManager, if it might help: (I was prompted for the password twice before I clicked the "cancel" button)

Nov 19 22:59:04 zenbook NetworkManager[1386]: <info>  [1511150344.2299] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: requested secrets; state connect 
Nov 19 22:59:06 zenbook NetworkManager[1386]: <info>  [1511150346.0072] settings-connection[0x557c6f6e22b0,eb0c00ef-5a9c-4712-ad16-ae343cf60003]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/PIA - CA Toronto (eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto"))
Nov 19 22:59:06 zenbook nm-openvpn[3844]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 19 22:59:06 zenbook nm-openvpn[3844]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 22:59:06 zenbook nm-openvpn[3844]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.62:1197
Nov 19 22:59:06 zenbook nm-openvpn[3844]: UDP link local: (not bound)
Nov 19 22:59:06 zenbook nm-openvpn[3844]: UDP link remote: [AF_INET]172.98.67.62:1197
Nov 19 22:59:06 zenbook nm-openvpn[3844]: [5413181d7a866ec2edcb0b5f50efed02] Peer Connection Initiated with [AF_INET]172.98.67.62:1197
Nov 19 22:59:07 zenbook nm-openvpn[3844]: AUTH: Received control message: AUTH_FAILED
Nov 19 22:59:07 zenbook nm-openvpn[3844]: SIGUSR1[soft,auth-failure] received, process restarting
Nov 19 22:59:14 zenbook NetworkManager[1386]: <error> [1511150354.0065] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: Failed to request VPN secrets #4: User canceled the secrets request.
Nov 19 22:59:14 zenbook nm-openvpn[3844]: ERROR: could not read Auth username/password/ok/string from management interface
Nov 19 22:59:14 zenbook nm-openvpn[3844]: Exiting due to fatal error
Nov 19 22:59:14 zenbook NetworkManager[1386]: <warn>  [1511150354.0242] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: failed: connect-failed (1)
Nov 19 22:59:14 zenbook NetworkManager[1386]: <info>  [1511150354.0246] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: state changed: stopping (5)
Nov 19 22:59:14 zenbook NetworkManager[1386]: <info>  [1511150354.0250] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: state changed: stopped (6)

Any and all help would be much appreciated.

Offline
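
Added example, not part of any post in this thread: a small Python check that compares an OpenVPN client file with the [vpn] section of a NetworkManager keyfile and lists the settings that differ or are missing, using only directives and keys that appear on this page. The directive-to-key mapping is an assumption drawn from the configs quoted here, the sample inputs are constructed from the two files in the post above, and the check does not diagnose AUTH_FAILED itself. A missing remote-cert-tls key is the one to act on first, since it matches the "No server certificate verification method has been enabled" warning in the log above.

```python
import configparser
import os

# Constructed samples, abridged from the two files quoted in the post above.
OVPN = """remote ca-toronto.privateinternetaccess.com 1198
cipher aes-128-cbc
auth sha1
remote-cert-tls server
comp-lzo
reneg-sec 0
ca ca.rsa.2048.crt
"""
KEYFILE = """[vpn]
auth=SHA1
ca=/etc/openvpn/pia-ca.rsa.4096.crt
cipher=BF-CBC
comp-lzo=yes
port=1197
remote=ca-toronto.privateinternetaccess.com
"""

def parse_ovpn(text):
    """Return {directive: [args]}, skipping blank and comment lines."""
    rows = (ln.split() for ln in text.splitlines()
            if ln.strip() and ln.strip()[0] not in "#;")
    return {name: args for name, *args in rows}

def expected_nm(ovpn):
    """Map directives to the [vpn] keys seen in this thread (assumed mapping)."""
    host, *port = ovpn.get("remote") or [None]
    exp = {"remote": host, "port": port[0] if port else None}
    for src in ("cipher", "auth", "ca", "remote-cert-tls", "reneg-sec"):
        dst = "reneg-seconds" if src == "reneg-sec" else src
        exp[dst] = ovpn[src][0] if ovpn.get(src) else None
    exp["comp-lzo"] = "yes" if ovpn.get("comp-lzo") == [] else None
    return {k: v for k, v in exp.items() if v is not None}

def compare(ovpn_text, keyfile_text):
    """Return {nm_key: (expected, actual)} for mismatching or missing keys."""
    cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cp.read_string(keyfile_text)
    diffs = {}
    for key, want in expected_nm(parse_ovpn(ovpn_text)).items():
        have = cp["vpn"].get(key)
        # CA files are compared by file name only; everything else ignores case.
        norm = os.path.basename if key == "ca" else str.lower
        if have is None or norm(have) != norm(want):
            diffs[key] = (want, have)
    return diffs
```

Calling compare(OVPN, KEYFILE) on the samples reports port, cipher, ca, remote-cert-tls and reneg-seconds; an actual value of None means the key is absent from the keyfile.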

#5 2017-11-20 15:35:30

lo1
Member
Registered: 2017-09-25
Posts: 582

Re: NetworkManager unable to connect to OpenVPN

Have you both tried what happens if you set

password-flags=1 #or any other available value

?

Offline

#6 2017-11-20 18:09:02

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

Yes, I tried password-flags=1 and it made no difference. NetworkManager kept prompting for password until I canceled or it exited.

Offline

#7 2017-11-21 00:30:44

firecat53
Member
From: Lake Stevens, Wa
Registered: 2007-05-14
Posts: 1,501
Website

Re: NetworkManager unable to connect to OpenVPN

Here's the functioning one I'm posting from right now:

[connection]
id=pia_us_seattle
uuid=xxxxx-xxxxxx-xxxxx....
type=vpn
autoconnect=false
permissions=
timestamp=1491679146

[vpn]
auth=SHA256
ca=/etc/openvpn/ca.rsa.4096.crt
cipher=AES-256-CBC
comp-lzo=yes
connection-type=password
password-flags=0
port=501
proto-tcp=yes
remote=us-seattle.privateinternetaccess.com
remote-cert-tls=server
reneg-seconds=0
username=<pia username>
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=<pia password>

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=auto

Offline

#8 2017-11-21 17:14:44

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

@firecat53 Thanks for posting your config. I tried using it (with my user username/password) and it still fails. The only two lines in your config that I couldn't reproduce were in the ipv6 section:

addr-gen-mode=eui64
ip6-privacy=0

I'm beginning to think the problem lies elsewhere - the connections file is fine but the password is not being read/interpreted/processed correctly. At a loss about where to look or what to do next. Any thoughts/suggestions? Reinstall openvpn, networkmanager, and networkmanager-openvpn packages?

Offline

#9 2017-11-21 17:56:10

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

As I suspected, reinstalling openvpn, networkmanager, and networkmanager-openvpn packages had no effect. Problem persists.

Offline

#10 2017-11-21 20:22:45

lo1
Member
Registered: 2017-09-25
Posts: 582

Re: NetworkManager unable to connect to OpenVPN

mlinfoot wrote:

As I suspected, reinstalling openvpn, networkmanager, and networkmanager-openvpn packages had no effect. Problem persists.

It would have been a (nice for you) surprise if that was all that you needed.
Would you consider a workaround like an ad hoc dispatcher script to see if NetworkManager can handle it?
Basically it should work if you manage to get it right, though this doesn't really "fix the issue".

Offline

#11 2017-11-21 20:39:02

pr0dukter
Member
Registered: 2017-08-24
Posts: 54

Re: NetworkManager unable to connect to OpenVPN

I had this problem on a recent new install. I installed networkmanager for gtk2 and then switched back to the original.

Also, I have PIA and the VPN warnings on openvpn connect are normal; that's how it negotiates the connection (disconcerting). If you turn the verbosity of your logs all the way up you will see this happening (verb 3 or higher, I think).

Offline

#12 2017-11-21 20:59:16

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

@lo1 Thanks for the suggestion. I was about to give up and write a bash script to start/stop openvpn using the .ovpn files in /etc/openvpn -- they work. Not as convenient as nm, but would suffice. Do you have a dispatcher script to share? I'd try that.

@pr0dukter I've seen the warnings in the logs and changing the connection file settings to eliminate them doesn't help with the main authentication failing problem. NetworkManager prompts repeatedly for the username/password even though those are both given in the connection file. And typing the correct values into the prompt dialog has no effect.

Offline

#13 2017-11-21 21:06:50

lo1
Member
Registered: 2017-09-25
Posts: 582

Re: NetworkManager unable to connect to OpenVPN

mlinfoot wrote:

Thanks for the suggestion. I was about to give up and write a bash script to start/stop openvpn using the .ovpn files in /etc/openvpn -- they work. Not as convenient as nm, but would suffice. Do you have a dispatcher script to share? I'd try that.

Not really, I don't even use VPN so you're on your own. But that wiki section I posted provides an example script; you just need to change the connection ID and the openvpn-client@configuration, according to your /etc/openvpn/client/yourclient.conf.

Offline

#14 2017-11-21 21:12:24

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

@lo1 I didn't notice that you linked to the wiki :( I'll go back to the wiki (again!) and see if a dispatcher script would be any better/easier than a simple bash script. Thanks again.

Offline

#15 2017-11-22 02:47:39

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

Well, this is embarrassing! Over twenty years working with Linux, both for personal use and installing, configuring, and managing servers in a large IT environment -- I made a rookie mistake and used the wrong password. My sincere apologies to those who spent time thinking about my "problem", answering with suggestions, and providing example configurations. I am so sorry for wasting your valuable time. Hopefully, I can make up for it in some small way by helping the next guy.

Offline

#16 2017-11-22 04:07:25

firecat53
Member
From: Lake Stevens, Wa
Registered: 2007-05-14
Posts: 1,501
Website

Re: NetworkManager unable to connect to OpenVPN

Mlinfoot, no worries...we all do that sometimes! Although it's kinda funny because the error in your logs was 'AUTH_FAILED' :)

Offline

#17 2017-11-22 13:46:28

mlinfoot
Member
From: Toronto, Ontario
Registered: 2017-11-20
Posts: 8

Re: NetworkManager unable to connect to OpenVPN

Kind of you to say, firecat53. Embarrassing nonetheless... :(

Offline
