Messing with OpenVPN, I ended up breaking my wired internet connection.
I have two wired ethernet connections in Network Manager:
1. Wired ethernet connecting with my VPN provider, and
2. Wired ethernet without VPN connection, straight to ISP provider.
Now, both don't work. Luckily, the wireless connection with or without VPN works, which I use now.
I've tried to set auto-connection with OpenVPN at login, and for that I installed protonvpn from AUR, which caused problems with the kill switch option. After that, I uninstalled it and ended up with the problem I described at the beginning.
From systemctl openvpn can't start, only to be enabled.
According to the wiki article about Starting OpenVPN, I tried to troubleshoot this, but I can't, and I get the messages below.
The certificates are imported through Network Manager.
systemctl start openvpn-client@client.service
Job for openvpn-client@client.service failed because the control process exited with error code.
See "systemctl status openvpn-client@client.service" and "journalctl -xeu openvpn-client@client.service" for details.
systemctl status openvpn-client@client.service
× openvpn-client@client.service - OpenVPN tunnel for client
Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2022-01-16 00:44:12 EET; 27s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 6230 ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config client.conf (code=e>
Main PID: 6230 (code=exited, status=1/FAILURE)
CPU: 26ms
Jan 16 00:44:12 archie systemd[1]: Starting OpenVPN tunnel for client...
Jan 16 00:44:12 archie openvpn[6230]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in>
Jan 16 00:44:12 archie openvpn[6230]: Cannot pre-load keyfile (ta.key)
Jan 16 00:44:12 archie openvpn[6230]: Exiting due to fatal error
Jan 16 00:44:12 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, s>
Jan 16 00:44:12 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
Jan 16 00:44:12 archie systemd[1]: Failed to start OpenVPN tunnel for client.
journalctl -xeu openvpn-client@client
Jan 15 23:48:30 archie systemd[1]: Starting OpenVPN tunnel for client...
░░ Subject: A start job for unit openvpn-client@client.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has begun execution.
░░
░░ The job identifier is 104.
Jan 15 23:48:30 archie openvpn[534]: Options error: Unrecognized option or missing or extra parameter(s) in client.conf:130: block-outside-dns (2.5.5)
Jan 15 23:48:30 archie openvpn[534]: Use --help for more information.
Jan 15 23:48:31 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit openvpn-client@client.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 15 23:48:31 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit openvpn-client@client.service has entered the 'failed' state with result 'exit-code'.
Jan 15 23:48:31 archie systemd[1]: Failed to start OpenVPN tunnel for client.
░░ Subject: A start job for unit openvpn-client@client.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has finished with a failure.
░░
░░ The job identifier is 104 and the job result is failed.
Jan 15 23:53:49 archie systemd[1]: Starting OpenVPN tunnel for client...
░░ Subject: A start job for unit openvpn-client@client.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has begun execution.
░░
░░ The job identifier is 1449.
Jan 15 23:53:49 archie openvpn[1908]: Options error: Unrecognized option or missing or extra parameter(s) in client.conf:130: block-outside-dns (2.5.5)
Jan 15 23:53:49 archie openvpn[1908]: Use --help for more information.
Jan 15 23:53:49 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit openvpn-client@client.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 15 23:53:49 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit openvpn-client@client.service has entered the 'failed' state with result 'exit-code'.
Jan 15 23:53:49 archie systemd[1]: Failed to start OpenVPN tunnel for client.
░░ Subject: A start job for unit openvpn-client@client.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has finished with a failure.
░░
░░ The job identifier is 1449 and the job result is failed.
Jan 15 23:54:10 archie systemd[1]: Starting OpenVPN tunnel for client...
░░ Subject: A start job for unit openvpn-client@client.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has begun execution.
░░
░░ The job identifier is 1530.
Jan 15 23:54:10 archie openvpn[1921]: Options error: Unrecognized option or missing or extra parameter(s) in client.conf:130: block-outside-dns (2.5.5)
Jan 15 23:54:10 archie openvpn[1921]: Use --help for more information.
Jan 15 23:54:10 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit openvpn-client@client.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 15 23:54:10 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit openvpn-client@client.service has entered the 'failed' state with result 'exit-code'.
Jan 15 23:54:10 archie systemd[1]: Failed to start OpenVPN tunnel for client.
░░ Subject: A start job for unit openvpn-client@client.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has finished with a failure.
░░
░░ The job identifier is 1530 and the job result is failed.
Jan 16 00:32:23 archie systemd[1]: Starting OpenVPN tunnel for client...
░░ Subject: A start job for unit openvpn-client@client.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has begun execution.
░░
░░ The job identifier is 32839.
Jan 16 00:32:23 archie openvpn[5282]: Options error: Unrecognized option or missing or extra parameter(s) in client.conf:130: block-outside-dns (2.5.5)
Jan 16 00:32:23 archie openvpn[5282]: Use --help for more information.
Jan 16 00:32:23 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit openvpn-client@client.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 16 00:32:23 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit openvpn-client@client.service has entered the 'failed' state with result 'exit-code'.
Jan 16 00:32:23 archie systemd[1]: Failed to start OpenVPN tunnel for client.
░░ Subject: A start job for unit openvpn-client@client.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has finished with a failure.
░░
░░ The job identifier is 32839 and the job result is failed.
Jan 16 00:44:12 archie systemd[1]: Starting OpenVPN tunnel for client...
░░ Subject: A start job for unit openvpn-client@client.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has begun execution.
░░
░░ The job identifier is 44012.
Jan 16 00:44:12 archie openvpn[6230]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Jan 16 00:44:12 archie openvpn[6230]: Cannot pre-load keyfile (ta.key)
Jan 16 00:44:12 archie openvpn[6230]: Exiting due to fatal error
Jan 16 00:44:12 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit openvpn-client@client.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 16 00:44:12 archie systemd[1]: openvpn-client@client.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit openvpn-client@client.service has entered the 'failed' state with result 'exit-code'.
Jan 16 00:44:12 archie systemd[1]: Failed to start OpenVPN tunnel for client.
░░ Subject: A start job for unit openvpn-client@client.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit openvpn-client@client.service has finished with a failure.
░░
░░ The job identifier is 44012 and the job result is failed.
systemctl --all
● openvpn-client@client.service loaded failed failed OpenVPN tunnel for client
systemctl list-unit-files
openvpn-client@.service disabled disabled
openvpn-server@.service indirect disabled
Offline
> From systemctl openvpn can't start, only to be enabled.
Enabled only means it will try to start at reboot, troubleshoot it with systemctl start/stop during runtime.
There is a repetitive error in the log regarding "client.conf:130: block-outside-dns". Comment that out and try to start it again.
If it does not work, share your client.conf file (just the statements, redact the privacy related parts like auth-file, keys).
Offline
I tried to solve it and I copied the openvpn sample from /usr/share/openvpn/examples/client.conf to /etc/openvpn/client/ and line 130 does not exist anymore. After that I got an error of setting a deprecated
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
and I replaced cipher AES-256-CBC with cipher AES-256-GCM, which worked. So, the unrecommended parameters from /etc/openvpn/client/client.conf, with the previous change, are:
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
and now I get this error
journalctl -xeu openvpn-client@client
Jan 16 17:01:57 archie openvpn[5055]: Cannot pre-load keyfile (ta.key)
Jan 16 17:01:57 archie openvpn[5055]: Exiting due to fatal error
Jan 16 17:01:57 archie systemd[1]: openvpn-client@client.service: Main process exited, code=exited, status=1/FAILURE
I will not change anything, in order to avoid a new error and have a never-ending problem.
Offline
Are the .key files in the client.conf directory? To be sure, the configuration can contain absolute paths, e.g. /etc/openvpn/client/ta.key
Alternatively, you can paste the key into the .conf file, inside <tls-auth> </tls-auth> tags.
Offline
Your OpenVPN configuration consists of five files: client.conf, ca.crt, client.crt, client.key and ta.key.
The last one is missing or incorrect. A correct TLS Auth key can be opened with a text editor and looks like this:
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
......
16 lines of key material (32 chars "0 to f" each)
......
-----END OpenVPN Static key V1-----
Offline
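The two checks suggested in the answers above (are the key files where client.conf expects them, and is ta.key really in the static-key format), written out as an added example that is not part of the original thread. The function names are made up for illustration, and resolving relative names against the directory of client.conf is an assumption about how the service is started.

```shell
#!/bin/sh
# Added example: sanity-check the key files an OpenVPN client.conf refers to.
# Function names are illustrative, not part of OpenVPN.

# check_static_key FILE: succeed only if FILE is an OpenVPN static key
# (BEGIN/END markers around 16 lines of 32 hex characters).
check_static_key() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 1; }
    awk '
        /^-----BEGIN OpenVPN Static key V1-----/ { inside = 1; next }
        /^-----END OpenVPN Static key V1-----/   { inside = 0; ended = 1; next }
        inside {
            sub(/\r$/, "")                      # tolerate CRLF line endings
            if (length($0) == 32 && $0 ~ /^[0-9A-Fa-f]+$/) good++; else bad++
        }
        END { exit !(ended && good == 16 && bad == 0) }
    ' "$1" || { echo "not an OpenVPN static key: $1" >&2; return 1; }
}

# check_conf_files CONF: every ca/cert/key/tls-auth file named in CONF must be
# readable; relative names are resolved against the directory of CONF
# (assumption: the service runs with that directory as working directory).
check_conf_files() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    while read -r opt path rest; do
        case $opt in
            ca|cert|key|tls-auth) ;;
            *) continue ;;                      # comments, inline blocks, other options
        esac
        case $path in
            /*) file=$path ;;
            *)  file=$dir/$path ;;
        esac
        if [ ! -r "$file" ]; then
            echo "$opt: cannot read $file" >&2
            rc=1
        elif [ "$opt" = tls-auth ]; then
            check_static_key "$file" || rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Usage: sh check-ovpn.sh /etc/openvpn/client/client.conf
if [ $# -gt 0 ]; then check_conf_files "$1"; fi
```

Run it as root if the key files are only readable by root, otherwise every file is reported as unreadable.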
I just see the wiki has an article on your provider: https://wiki.archlinux.org/title/ProtonVPN
According to that they supply you with ready made profiles. Perhaps the easiest route to start.
Offline
> Are the .key files in the client.conf directory? To be sure, the configuration can contain absolute paths, e.g. /etc/openvpn/client/ta.key
> Alternatively, you can paste the key into the .conf file, inside <tls-auth> </tls-auth> tags.
No, they are not. The files, client.conf and client.conf.save.
sudo ls -a /etc/openvpn/client/
. .. client.conf
The only certificate files I have are in ~/.cert/nm-openvpn/ directory, every one I imported through NetworkManager.
...
us-free-01.protonvpn.com.tcp-ca.pem
us-free-01.protonvpn.com.tcp-tls-auth.pem
us-free-02.protonvpn.com.tcp-ca.pem
us-free-02.protonvpn.com.tcp-tls-auth.pem
...
> Your OpenVPN configuration consists of five files: client.conf, ca.crt, client.crt, client.key and ta.key.
> The last one is missing or incorrect. A correct TLS Auth key can be opened with a text editor and looks like this:
> #
> # 2048 bit OpenVPN static key
> #
> -----BEGIN OpenVPN Static key V1-----
> ......
> 16 lines of key material (32 chars "0 to f" each)
> ......
> -----END OpenVPN Static key V1-----
Could I set for ta.key in client.conf the directory ~/.cert/nm-openvpn as absolute path for ta.key?
> I just see the wiki has an article on your provider: https://wiki.archlinux.org/title/ProtonVPN
> According to that they supply you with ready made profiles. Perhaps the easiest route to start.
I saw it too, I tried to copy the *.ovpn client configuration file into /etc/openvpn/client/, and successfully made the authentication, but the problem persists.
Even after reboot, the NetworkManager tries to connect to wired connection without success.
My question is, how can I use wireless connection and through nm-connection-editor I can set it to use the VPN connection, but in wired not?
Maybe the NetworkManager is messed up when I tried to enable VPN on boot (that I was trying to do) after reading this to https://wiki.archlinux.org/title/OpenVP … figuration .
Also, maybe the protonvpn from AUR messed up too.
Last edited by Marvix (2022-01-16 20:20:27)
Offline
> Could I set for ta.key in client.conf the directory ~/.cert/nm-openvpn as absolute path for ta.key?
If you use an absolute path and the respective user's home directory is not encrypted, then you can.
> My question is, how can I use wireless connection and through nm-connection-editor I can set it to use the VPN connection, but in wired not?
Why are you changing route? I did not ask at the beginning, but the reason for your original intention to have (1) a wired interface connected to a VPN and another (2) wired connection to the ISP is unclear to me anyway. A usual use case should be to have external traffic towards the ISP going through the VPN and your local network resources untouched and reachable for your machine (wired).
Why did you want to configure connection (2) in the first place? What sort of external traffic should not go through the VPN? And conversely: Do you have other machines which should route traffic via the VPN?
Offline
Apparently, the problem isn't OpenVPN, but more general, like Network Manager.
Thank you for your help and mostly for your patience and time.
I've opened another thread, in order not to confuse the subject, here.
Offline
I'll go ahead and close this thread. If you should need it reopened, please use the report link and ask the moderators to do so.
Thanks