
#1 2012-05-02 11:36:01

James2k
Member
Registered: 2011-06-13
Posts: 19

OpenVPN through networkmanager-openvpn not working

Hi,

I'm having trouble making a connection to my OpenVPN server using networkmanager-openvpn. I have confirmed that my OpenVPN client config works by running OpenVPN via command line: I am able to get a successful connection and can access machines/devices behind my VPN OK. When using the networkmanager-openvpn method, I get a successful connection and it seems to configure correctly, but I have no access to machines/devices behind the VPN. Attempting to ping gives "Destination Unreachable", and furthermore my entire Internet connection is downed completely, which is odd as I do not tunnel all traffic through my VPN. Not sure what I could be missing, but any help on the matter would be great!

Thanks,

James

Last edited by James2k (2012-05-02 11:44:10)

Offline

#2 2012-05-02 11:51:43

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: OpenVPN through networkmanager-openvpn not working

Check if there are any differences in the routing table (ip route) when using the cli method vs using networkmanager-openvpn.


Burninate!

Offline

#3 2012-05-02 12:08:21

James2k
Member
Registered: 2011-06-13
Posts: 19

Re: OpenVPN through networkmanager-openvpn not working

Here's the log info from both command line and /var/log/messages.log from networkmanager. I have edited any confidential information i.e. IP address/domain names.

OpenVPN Command Line:

[server] Peer Connection Initiated with [IP REMOVED]:1194
Wed May  2 13:04:47 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed May  2 13:04:49 2012 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.50 255.255.255.0'
Wed May  2 13:04:49 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed May  2 13:04:49 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed May  2 13:04:49 2012 OPTIONS IMPORT: route-related options modified
Wed May  2 13:04:49 2012 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed May  2 13:04:49 2012 TUN/TAP device tap0 opened
Wed May  2 13:04:49 2012 TUN/TAP TX queue length set to 100
Wed May  2 13:04:49 2012 /usr/sbin/ip link set dev tap0 up mtu 1500
Wed May  2 13:04:49 2012 /usr/sbin/ip addr add dev tap0 192.168.1.50/24 broadcast 192.168.1.255
Wed May  2 13:04:49 2012 GID set to nobody
Wed May  2 13:04:49 2012 UID set to nobody
Wed May  2 13:04:49 2012 Initialization Sequence Completed

Network Manager OpenVPN Plugin:

May  2 12:54:59 arch-vm dbus[365]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May  2 12:55:01 arch-vm NetworkManager[391]: <info> VPN plugin state changed: starting (3)
May  2 12:55:01 arch-vm NetworkManager[391]: <info> VPN connection 'JAMES VPN' (Connect) reply received.
May  2 12:55:01 arch-vm nm-openvpn[1208]: OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
May  2 12:55:01 arch-vm nm-openvpn[1208]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May  2 12:55:01 arch-vm nm-openvpn[1208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May  2 12:55:01 arch-vm nm-openvpn[1208]: WARNING: file '/home/james/OpenVPN/james-xps.key' is group or others accessible
May  2 12:55:01 arch-vm nm-openvpn[1208]: UDPv4 link local: [undef]
May  2 12:55:01 arch-vm nm-openvpn[1208]: UDPv4 link remote: [IP REMOVED]:1194
May  2 12:55:02 arch-vm nm-openvpn[1208]: [server] Peer Connection Initiated with  [IP REMOVED]:1194
May  2 12:55:04 arch-vm NetworkManager[391]: <warn> /sys/devices/virtual/net/tap0: couldn't determine device driver; ignoring...
May  2 12:55:04 arch-vm nm-openvpn[1208]: TUN/TAP device tap0 opened
May  2 12:55:04 arch-vm nm-openvpn[1208]: /usr/lib/networkmanager/nm-openvpn-service-openvpn-helper tap0 1500 1573 192.168.1.50 255.255.255.0 init
May  2 12:55:04 arch-vm NetworkManager[391]: <info> VPN connection 'JAMES VPN' (IP Config Get) reply received.
May  2 12:55:04 arch-vm NetworkManager[391]: <info> VPN Gateway: [IP REMOVED]
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Tunnel Device: tap0
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Internal IP4 Address: 192.168.1.50
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Internal IP4 Prefix: 24
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Internal IP4 Point-to-Point Address: 0.0.0.0
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Maximum Segment Size (MSS): 0
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Forbid Default Route: no
May  2 12:55:04 arch-vm NetworkManager[391]: <info> Internal IP4 DNS: 192.168.1.1
May  2 12:55:04 arch-vm NetworkManager[391]: <info> DNS Domain: '(none)'
May  2 12:55:04 arch-vm nm-openvpn[1208]: Initialization Sequence Completed
May  2 12:55:05 arch-vm NetworkManager[391]: <info> VPN connection 'JAMES VPN' (IP Config Get) complete.
May  2 12:55:05 arch-vm NetworkManager[391]: <info> Policy set 'JAMES VPN' (tap0) as default for IPv4 routing and DNS.
May  2 12:55:05 arch-vm NetworkManager[391]: <info> VPN plugin state changed: started (4)
May  2 12:56:33 arch-vm NetworkManager[391]: <warn> (7) failed to find interface name for index
May  2 12:56:33 arch-vm NetworkManager[391]: <warn> (7) failed to find interface name for index
May  2 12:56:33 arch-vm nm-openvpn[1208]: SIGTERM[hard,] received, process exiting
May  2 12:56:34 arch-vm NetworkManager[391]: <info> Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
May  2 12:56:34 arch-vm dbus[365]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
May  2 12:56:34 arch-vm dbus[365]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'

The only thing I can see wrong at this point is the "WARNING: No server certificate verification method has been enabled". I find this odd as I have this set in my client.conf as ns-cert-type server:

remote mydomain.co.uk 1194
client
dev tap0
proto udp
resolv-retry infinite 
nobind 
persist-key
persist-tun
float
user nobody
group nobody
cipher AES-256-CBC
ca /home/james/OpenVPN/ca.crt
cert /home/james/OpenVPN/james-xps.crt
key /home/james/OpenVPN/james-xps.key
ns-cert-type server
verb 3

My OpenVPN setup uses the bridged method and gives me access to my private network subnet 192.168.1.x at home. OpenVPN clients are leased an IP between 192.168.1.50 - 192.168.1.99 and the DNS server is pushed as 192.168.1.1 so I can use my Local DNS addresses on my home network.

Hope that helps.

Last edited by James2k (2012-05-02 12:12:19)

Offline

#4 2012-05-02 12:45:57

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: OpenVPN through networkmanager-openvpn not working

Don't see anything in there that would explain connectivity dying completely. Could you post the output of the following (both when using the cli method and the networkmanager method)?

# ip addr
# ip route

Burninate!

Offline

#5 2012-05-02 12:57:14

James2k
Member
Registered: 2011-06-13
Posts: 19

Re: OpenVPN through networkmanager-openvpn not working

Thanks for your reply, here's the output for both methods. Again for safety purposes, [IP REMOVED] = External IP address of my home network.

Not sure if this makes a difference but I run Arch Linux through VirtualBox on a Windows host. I have no network adapter related issues though, NAT works well, just this OpenVPN plugin method through NetworkManager doesn't seem to work very well.

OpenVPN Command Line:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:37:52:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::a00:27ff:fe37:52e1/64 scope link 
       valid_lft forever preferred_lft forever
11: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 66:8f:ac:65:af:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global tap0
    inet6 fe80::648f:acff:fe65:afc2/64 scope link 
       valid_lft forever preferred_lft forever

default via 10.0.2.2 dev eth0  proto static 
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15 
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.50 

Network Manager OpenVPN Plugin:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:37:52:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
    inet6 fe80::a00:27ff:fe37:52e1/64 scope link 
       valid_lft forever preferred_lft forever
12: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether ce:eb:fd:1e:98:3a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.50/24 brd 192.168.1.255 scope global tap0
    inet6 fe80::cceb:fdff:fe1e:983a/64 scope link 
       valid_lft forever preferred_lft forever

default dev tap0  proto static 
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15 
[IP REMOVED] via 10.0.2.2 dev eth0  proto static 
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.50 

Last edited by James2k (2012-05-02 12:59:24)

Offline

#6 2012-05-02 16:04:18

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: OpenVPN through networkmanager-openvpn not working

default dev tap0  proto static 

In other words, when connecting via networkmanager all your traffic that doesn't go towards the 10.0.2.0/24 subnet is being sent through the vpn tunnel.

I don't know all that much about networkmanager I'm afraid (not a big fan of the package), but do you have any route related settings in the profile you've created? A quick Google search seems to indicate a setting called "Use this connection only for resources on its network" as the possible culprit (needs to be enabled).


Burninate!

Offline

#7 2012-05-02 17:50:54

James2k
Member
Registered: 2011-06-13
Posts: 19

Re: OpenVPN through networkmanager-openvpn not working

Ah yes, good spot! There is such a setting, which is within the IPV4 Section under Route Settings with a checkbox for "Use only for resources on this connection".

I've enabled this but have since discovered there are further problems with the OpenVPN plugin and connecting to my VPN while within the actual network. OpenVPN via command line continues to work fine.

I'll have to test out things further tomorrow when I'm at work to test the VPN connection properly.

Thanks for your help.

Offline

#8 2012-05-03 07:55:40

James2k
Member
Registered: 2011-06-13
Posts: 19

Re: OpenVPN through networkmanager-openvpn not working

So I've just tried the VPN connection through the Network Manager OpenVPN plugin at work; the route has changed to:

default via 10.0.2.2 dev eth0  proto static 
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15 
[IP REMOVED] via 10.0.2.2 dev eth0  proto static 
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.51 

But unfortunately, I still get "Destination Unreachable" when pinging. Though my general internet connection now works with the VPN Connection active, which is a step in the right direction!

Last edited by James2k (2012-05-03 08:09:27)

Offline
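
Added example, not part of any post in this thread: a POSIX shell sketch of the comparison suggested in #2 and explained in #6, run over the `ip route` tables from posts #5 and #8. The function names, the tun*/tap*/vpn* device-name test and the 203.0.113.10 stand-in for the redacted address are assumptions of this example.

```shell
# Constructed sample input: the `ip route` tables from posts #5 and #8.
# 203.0.113.10 (a documentation address) stands in for the redacted [IP REMOVED].
CLI_ROUTES='default via 10.0.2.2 dev eth0  proto static
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.50'
NM_ROUTES='default dev tap0  proto static
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15
203.0.113.10 via 10.0.2.2 dev eth0  proto static
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.50'
NM_FIXED_ROUTES='default via 10.0.2.2 dev eth0  proto static
10.0.2.0/24 dev eth0  proto kernel  scope link  src 10.0.2.15
203.0.113.10 via 10.0.2.2 dev eth0  proto static
192.168.1.0/24 dev tap0  proto kernel  scope link  src 192.168.1.51'

# Print "<dev> <gateway>" for the first default route in table $1;
# the gateway is "onlink" when the route has no "via" hop.
default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; gw = "onlink"
            for (i = 2; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") gw = $(i + 1)
            }
            print dev, gw; exit
        }'
}

# Report where non-local traffic goes. Treating tun*/tap*/vpn* as tunnel
# devices is a naming assumption of this example.
classify_default() {
    set -- $(default_route "$1")
    case "$1" in
        "") echo "no-default" ;;
        tun*|tap*|vpn*) echo "all-traffic-via-tunnel:$1:$2" ;;
        *) echo "default-stays-local:$1:$2" ;;
    esac
}

# List "<prefix> dev <dev>" entries present in table $2 but not in table $1.
routes_added() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk '
        $1 == "--" { second = 1; next }
        NF >= 3 {
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            key = $1 " dev " dev
            if (!second) seen[key] = 1
            else if (!(key in seen)) print key
        }'
}

classify_default "$NM_ROUTES"
routes_added "$CLI_ROUTES" "$NM_ROUTES"
```

On a live system, pass `"$(ip route)"` captured before and after bringing the VPN up instead of the embedded tables.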

#9 2012-06-09 01:33:06

mpz
Member
Registered: 2010-10-14
Posts: 54

Re: OpenVPN through networkmanager-openvpn not working

Subscribed

I've been trying to set up openvpn for over 3 hours and I'm in the same boat; openvpn from CLI works, networkmanager-openvpn connects but everything is unreachable.

Offline

#10 2013-04-08 16:28:04

lartza
Member
Registered: 2006-10-17
Posts: 14

Re: OpenVPN through networkmanager-openvpn not working

I had a similar problem, but it was caused by comp-lzo being enabled on the server and disabled in the network manager GUI dialog.

For some reason it was only a warning:

nm-openvpn[4001]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Offline
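
Added example, not part of any post in this thread: a POSIX shell triage of the nm-openvpn warnings quoted in posts #3 and #10, plus a check of the client.conf from post #3 for a server-certificate directive. The function names and class labels are made up for this example; `remote-cert-tls server` is not on this page but is an OpenVPN directive that also enables the check.

```shell
#!/bin/sh
# Constructed sample input: nm-openvpn lines quoted in posts #3 and #10.
sample_log() {
cat <<'EOF'
May  2 12:55:01 arch-vm nm-openvpn[1208]: OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Jan  3 2012
May  2 12:55:01 arch-vm nm-openvpn[1208]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
May  2 12:55:01 arch-vm nm-openvpn[1208]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May  2 12:55:01 arch-vm nm-openvpn[1208]: WARNING: file '/home/james/OpenVPN/james-xps.key' is group or others accessible
May  2 12:55:04 arch-vm nm-openvpn[1208]: Initialization Sequence Completed
nm-openvpn[4001]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
EOF
}

# Constructed sample input: a few lines of the client.conf from post #3.
sample_conf() {
cat <<'EOF'
client
dev tap0
ca /home/james/OpenVPN/ca.crt
ns-cert-type server
EOF
}

# Print one "<class>: <detail>" line per nm-openvpn WARNING read from stdin.
# The class names are labels made up for this example.
triage_warnings() {
    awk '
        !/nm-openvpn.*WARNING: / { next }
        /No server certificate verification method/ {
            print "cert-verify: server certificate is not being checked"; next }
        /is group or others accessible/ {
            split($0, q, "\047"); print "key-perms: " q[2]; next }
        /is present in remote config but missing in local config/ {
            split($0, q, "\047"); print "option-mismatch: " q[2]; next }
        { sub(/.*WARNING: /, ""); print "other: " $0 }'
}

# Succeed if the config on stdin asks OpenVPN to check the server certificate type.
conf_verifies_server() {
    grep -Eq '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server([[:space:]]|$)'
}

# The file on disk asks for the check, yet the NetworkManager-started
# process warned that none was enabled.
profile_dropped_cert_check() {
    sample_conf | conf_verifies_server &&
        sample_log | triage_warnings | grep -q '^cert-verify:'
}

sample_log | triage_warnings
```

On a live system, feed it the log file named in post #3, for example `triage_warnings < /var/log/messages.log`.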

#11 2013-04-09 03:07:07

StR@ng3r
Member
Registered: 2011-11-12
Posts: 65

Re: OpenVPN through networkmanager-openvpn not working

I am in the same boat. I can successfully establish a connection when calling openvpn from CLI but NM-Openvpn fails completely. It tells me it is 'connected' but I cannot reach or ping anything. When I wait loooooooong enough, it might close the connection and tell me: Activation of Network Connection failed.

Last edited by StR@ng3r (2013-04-09 03:14:17)

Offline

#12 2013-04-10 14:39:56

StR@ng3r
Member
Registered: 2011-11-12
Posts: 65

Re: OpenVPN through networkmanager-openvpn not working

Is anybody able to do this? Seems to me like it is broken in general.

Offline

#13 2016-01-15 04:30:24

glenntanner3
Member
Registered: 2014-12-17
Posts: 3

Re: OpenVPN through networkmanager-openvpn not working

I know this is an old thread but for a more recent update, and hopefully it will help someone out there, tunnel in tunnel will not work through network manager. I'm not saying network manager does it wrong, but sometimes less is more and the right way breaks stuff. The first VPN is established via openconnect (cisco) and the second via openvpn. If anyone works on the networkmanager and sees this, hope this helps and can be added to testing.

Network manager routes (simplified)

default via 192.168.1.1 dev wlo1  proto static  metric 600
10.0.0.0/21 dev vpn0  proto static  scope link  metric 50
10.8.1.1 via 10.8.1.5 dev tun0  proto static  metric 50
10.8.1.5 dev tun0  proto kernel  scope link  src 10.8.1.6  metric 50
10.110.0.0/16 via 10.8.1.5 dev tun0  proto static  metric 50
155.229.80.0/22 dev vpn0  proto static  scope link  metric 50
172.16.96.0/21 dev vpn0  proto static  scope link  metric 50
172.16.103.51 via 192.168.1.1 dev wlo1  proto static  metric 600
192.168.1.0/24 dev wlo1  proto kernel  scope link  src 192.168.1.131  metric 600

Command line (simplified)

default via 192.168.1.1 dev wlo1  proto static  metric 600
10.0.0.0/21 dev tun0  scope link
10.8.1.1 via 10.8.1.5 dev tun1
10.8.1.5 dev tun1  proto kernel  scope link  src 10.8.1.6
10.110.0.0/16 via 10.8.1.5 dev tun1
( IP ) via 192.168.1.1 dev wlo1  src 192.168.1.131
155.229.80.0/22 dev tun0  scope link
172.16.96.0/21 dev tun0  scope link
192.168.1.0/24 dev wlo1  proto kernel  scope link  src 192.168.1.131  metric 600

diff

default via 192.168.1.1 dev wlo1  proto static  metric 600                         default via 192.168.1.1 dev wlo1  proto static  metric 600
10.0.0.0/21 dev tun0  scope link                                        |    10.0.0.0/21 dev vpn0  proto static  scope link  metric 50
10.8.1.1 via 10.8.1.5 dev tun1                                        |    10.8.1.1 via 10.8.1.5 dev tun0  proto static  metric 50
10.8.1.5 dev tun1  proto kernel  scope link  src 10.8.1.6                    |    10.8.1.5 dev tun0  proto kernel  scope link  src 10.8.1.6  metric 50
10.110.0.0/16 via 10.8.1.5 dev tun1                                    |    10.110.0.0/16 via 10.8.1.5 dev tun0  proto static  metric 50
( IP ) via 192.168.1.1 dev wlo1  src 192.168.1.131                         <
155.229.80.0/22 dev tun0  scope link                                     |    155.229.80.0/22 dev vpn0  proto static  scope link  metric 50
172.16.96.0/21 dev tun0  scope link                                   |    172.16.96.0/21 dev vpn0  proto static  scope link  metric 50
172.16.96.51 dev tun0  scope link                                        |    172.16.103.51 via 192.168.1.1 dev wlo1  proto static  metric 600
172.16.200.0/22 dev tun0  scope link                                    |    172.16.200.0/22 dev vpn0  proto static  scope link  metric 50
192.168.1.0/24 dev wlo1  proto kernel  scope link  src 192.168.1.131  metric 600            192.168.1.0/24 dev wlo1  proto kernel  scope link  src 192.168.1.131  metric 600

Offline

#14 2016-01-15 13:49:02

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: OpenVPN through networkmanager-openvpn not working

@glenntanner3
Although the information is welcome, you should not necrobump[1]. This information is something that if not already present in the wiki would be a good addition (maybe a bit more terse though). That way someone setting up networkmanager by following the wiki would be aware that tunnel in tunnel would not work. Also the OP does not seem to be having trouble with tunnel in tunnel but just setting up the vpn connection.

You should report this upstream if you want the people developing networkmanager to take note of this use case.

[1] https://wiki.archlinux.org/index.php/Fo … bumping.22


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

Offline

#15 2016-01-15 15:06:46

glenntanner3
Member
Registered: 2014-12-17
Posts: 3

Re: OpenVPN through networkmanager-openvpn not working

@R00KIE
I agree about necrobumping, but it was, I think, the first or second Google result. I will see about updating the wiki with a warning.

Offline
