
#1 2019-07-13 09:26:36

tedd
Member
Registered: 2013-02-21
Posts: 26

OpenVPN, NetworkManager and KDE does not recognise tls-crypt option

Posting here because I'm not sure which package to report a bug against.
Description:
Importing a client configuration file generated from an OpenVPN server (v2.4.7) configured with tls-crypt is not pulled in when importing the file into KDE connections.

I have to extract the secret key from the OVPN file manually and save it as a separate file alongside where the GUI saves the other certificates (usually ~/.local/share/networkmanagement/certificates/[client]/[..]), then change in VPN connection > Properties > TLS Settings, Mode to TLS-Crypt and Key File to the saved file.

Until I change the TLS settings, NetworkManager will try with tls-auth, causing the below error in the server logs, before finally timing out with the below error in the client logs.

Client versions:
  OpenVPN: 2.4.7-1
  networkmanager-openvpn: 1.8.10-1
  kde-cli-tools: 5.16.3-1

Config files:
  Server:

# Automatically generated configuration
daemon ovpn-server2
topology subnet
server [IP] [netmask]
proto udp
port [port]
dev tun22
txqueuelen 1000
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
verb 6
push "route [..]"
duplicate-cn
push "dhcp-option DOMAIN [..]"
push "dhcp-option DNS [..]"
push "redirect-gateway def1"
tls-crypt static.key
ca ca.crt
dh dh.pem
cert server.crt
key server.key
crl-verify crl.pem
script-security 2
up updown.sh
down updown.sh
status-version 2
status status 5

# Custom Configuration
proto udp4

  Client:

client
dev tun
proto udp
remote [my IP] [port]
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[..]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[..]
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
[..]
-----END OpenVPN Static key V1-----
</tls-crypt>
resolv-retry infinite
nobind

Logs:
  Server:

Jul 13 18:32:41 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:32:41 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:32:43 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:32:43 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:32:47 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:32:47 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:32:55 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:32:55 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:33:12 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:33:12 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:38:56 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:38:56 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:38:58 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:38:58 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:39:03 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:39:03 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:39:10 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:39:10 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]
Jul 13 18:39:27 ovpn-server2[29019]: tls-crypt unwrap error: packet too short
Jul 13 18:39:27 ovpn-server2[29019]: TLS Error: tls-crypt unwrapping failed from [AF_INET][IP]:[port]

  Client:

Jul 13 17:50:29 thinky NetworkManager[505]: <info>  [1563004229.5392] audit: op="statistics" arg="refresh-rate-ms" pid=1078 uid=1000 result="success"
Jul 13 17:51:27 thinky NetworkManager[505]: <warn>  [1563004287.2165] vpn-connection[0x55aa038a4720,2f997080-4f6b-4fb0-b31b-faa3ba843528,"[server domain]",0]: VPN connection: connect timeout exceeded.
Jul 13 17:51:27 thinky nm-openvpn-serv[2720]: Connect timer expired, disconnecting.
Jul 13 17:51:27 thinky nm-openvpn[2723]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 13 17:51:27 thinky nm-openvpn[2723]: TLS Error: TLS handshake failed
Jul 13 17:51:27 thinky nm-openvpn[2723]: SIGUSR1[soft,tls-error] received, process restarting
Jul 13 17:51:27 thinky nm-openvpn[2723]: SIGTERM[hard,init_instance] received, process exiting
Jul 13 17:51:27 thinky NetworkManager[505]: <warn>  [1563004287.2532] vpn-connection[0x55aa038a4720,2f997080-4f6b-4fb0-b31b-faa3ba843528,"[server domain]",0]: VPN plugin: failed: connect-failed (1)
Jul 13 17:51:27 thinky NetworkManager[505]: <info>  [1563004287.2561] vpn-connection[0x55aa038a4720,2f997080-4f6b-4fb0-b31b-faa3ba843528,"[server domain]",0]: VPN plugin: state changed: stopping (5)
Jul 13 17:51:27 thinky NetworkManager[505]: <info>  [1563004287.2572] vpn-connection[0x55aa038a4720,2f997080-4f6b-4fb0-b31b-faa3ba843528,"[server domain]",0]: VPN plugin: state changed: stopped (6)

Connection properties after import of .ovpn file:

https://i.imgur.com/P3Q8nCK.png


moderator edit -- replaced oversized image with link.

Last edited by 2ManyDogs (2019-07-13 13:46:18)

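The manual step tedd describes (pulling the inline <tls-crypt> key out of the .ovpn file and saving it as a separate key file for the GUI's Key File field) scripted as an added example; this is not code from the thread or from networkmanager-openvpn, the sample profile and its key body are constructed placeholders, and the 512-hex-digit length check assumes the standard 2048-bit OpenVPN static key.

```python
"""Extract the inline <tls-crypt> block from an .ovpn profile into its own
key file, the way the post does by hand before switching NetworkManager's
TLS mode to TLS-Crypt. Added example, not part of the original thread."""
import os
import re
import stat

# Constructed sample profile; the hex body is a placeholder, not a real key.
SAMPLE_OVPN = """client
dev tun
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
""" + "\n".join(["0123456789abcdef0123456789abcdef"] * 16) + """
-----END OpenVPN Static key V1-----
</tls-crypt>
nobind
"""

BLOCK_RE = re.compile(r"<tls-crypt>\s*(.*?)\s*</tls-crypt>", re.S)
KEY_RE = re.compile(
    r"-----BEGIN OpenVPN Static key V1-----\s*([0-9a-fA-F\s]+?)\s*"
    r"-----END OpenVPN Static key V1-----"
)


def extract_tls_crypt_key(profile_text):
    """Return the static key block from an .ovpn profile, or None if the
    profile has no <tls-crypt> section (e.g. it uses tls-auth instead)."""
    block = BLOCK_RE.search(profile_text)
    if not block:
        return None
    key = KEY_RE.search(block.group(1))
    if not key:
        raise ValueError("tls-crypt block present but not a 'Static key V1' key")
    hexbody = re.sub(r"\s+", "", key.group(1))
    # Assumption: standard OpenVPN static key, 2048 bits = 512 hex digits.
    if len(hexbody) != 512:
        raise ValueError(f"unexpected key length: {len(hexbody)} hex digits")
    return key.group(0) + "\n"


def save_key(key_text, path):
    """Write the key owner-readable only: it is a secret shared by every
    client of the server, so it must not be world-readable. Returns mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return oct(stat.S_IMODE(os.stat(path).st_mode))
```

The written file is what the post's TLS Settings > Key File field should point at, with Mode set to TLS-Crypt.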

#2 2020-11-28 10:55:45

sainf
Member
Registered: 2020-11-28
Posts: 1

Re: OpenVPN, NetworkManager and KDE does not recognise tls-crypt option

I had the same problem, this post should be in the arch openvpn wiki.

Thanks to tedd for posting the solution.

Last edited by sainf (2020-11-28 10:56:07)

