I have a laptop with Arch Linux and the KDE desktop environment. I've installed openssh and openvpn.
My issue is that I'm trying to connect the laptop to my home router using its built-in OpenVPN server. I've downloaded the .ovpn config file. I've used this config file to connect using Windows 11 and Linux Mint 21.
On this Arch laptop I can connect to the home network using the console command:
sudo openvpn OpenVPN-Config.ovpn
$ sudo openvpn OpenVPN-Config.ovpn
[sudo] password for jim:
2022-12-23 18:43:22 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-23 18:43:22 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-12-23 18:43:22 OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
2022-12-23 18:43:22 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-23 18:43:23 TCP/UDP: Preserving recently used remote address: [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-23 18:43:23 UDP link local: (not bound)
2022-12-23 18:43:23 UDP link remote: [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-23 18:43:24 [server] Peer Connection Initiated with [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-23 18:43:26 TUN/TAP device tun0 opened
2022-12-23 18:43:26 net_iface_mtu_set: mtu 1500 for tun0
2022-12-23 18:43:26 net_iface_up: set tun0 up
2022-12-23 18:43:26 Initialization Sequence Completed
2022-12-23 18:43:26 net_addr_ptp_v4_add: 10.8.0.6 peer 10.8.0.5 dev tun0
However, if I use KDE Settings > Connections and import a VPN connection using the same .ovpn file, that connection will not connect. I get some of the same warnings either way, but using nm-connection in KDE I get errors:
Dec 23 18:46:05 macbookpro nm-openvpn[16234]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 23 18:46:05 macbookpro nm-openvpn[16234]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 23 18:46:05 macbookpro nm-openvpn[16234]: TCP/UDP: Preserving recently used remote address: [AF_INET]999.99.99.99:1194
Dec 23 18:46:05 macbookpro nm-openvpn[16234]: UDP link local: (not bound)
Dec 23 18:46:05 macbookpro nm-openvpn[16234]: UDP link remote: [AF_INET]999.99.99.99:1194
Dec 23 18:46:07 macbookpro nm-openvpn[16234]: [server] Peer Connection Initiated with [AF_INET]999.99.99.99:1194
Dec 23 18:46:08 macbookpro nm-openvpn[16234]: OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
Dec 23 18:46:08 macbookpro nm-openvpn[16234]: ERROR: Failed to apply push options
Dec 23 18:46:08 macbookpro nm-openvpn[16234]: Failed to open tun/tap interface
My system specs:
System:
Kernel: 6.1.1-arch1-1 arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
Desktop: KDE Plasma v: 5.26.4 tk: Qt v: 5.15.7 wm: kwin_x11 vt: 1 dm: SDDM
Distro: Arch Linux
Machine:
Type: Laptop System: Apple product: MacBookPro8,1 v: 1.0
serial: <superuser required> Chassis: type: 10 v: Mac-94245B3640C91C81
serial: <superuser required>
Mobo: Apple model: Mac-94245B3640C91C81 v: MacBookPro8,1
serial: <superuser required> UEFI: Apple v: 87.0.0.0.0 date: 06/13/2019
Battery:
ID-1: BAT0 charge: 22.8 Wh (43.0%) condition: 53.0/62.9 Wh (84.3%)
volts: 11.1 min: 10.9 model: DP bq20z451 type: Li-ion serial: N/A
status: discharging cycles: 650
CPU:
Info: dual core model: Intel Core i5-2415M bits: 64 type: MT MCP
smt: enabled arch: Sandy Bridge rev: 7 cache: L1: 128 KiB L2: 512 KiB
L3: 3 MiB
Speed (MHz): avg: 800 min/max: 800/2900 cores: 1: 800 2: 800 3: 800 4: 800
bogomips: 18367
Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
Device-1: Intel 2nd Generation Core Processor Family Integrated Graphics
vendor: Apple driver: i915 v: kernel arch: Gen-6 ports: active: LVDS-1
empty: DP-1, DP-2, DP-3, HDMI-A-1, HDMI-A-2, HDMI-A-3, VGA-1
bus-ID: 00:02.0 chip-ID: 8086:0126 class-ID: 0300
Device-2: Apple FaceTime HD Camera (Built-in) type: USB driver: uvcvideo
bus-ID: 1-2:3 chip-ID: 05ac:8509 class-ID: 0e02 serial: <filter>
Display: x11 server: X.Org v: 21.1.6 with: Xwayland v: 22.1.7
compositor: kwin_x11 driver: X: loaded: intel unloaded: modesetting
alternate: fbdev,vesa dri: i965 gpu: i915 display-ID: :0 screens: 1
Screen-1: 0 s-res: 1280x800 s-dpi: 96 s-size: 338x211mm (13.31x8.31")
s-diag: 398mm (15.69")
Monitor-1: LVDS-1 mapped: LVDS1 model: Apple 0x9cc5 res: 1280x800 hz: 60
dpi: 112 size: 290x180mm (11.42x7.09") diag: 337mm (13.3") modes: 1280x800
API: OpenGL v: 3.3 Mesa 22.3.1 renderer: Mesa Intel HD Graphics 3000 (SNB
GT2) direct render: Yes
Audio:
Device-1: Intel 6 Series/C200 Series Family High Definition Audio
driver: snd_hda_intel v: kernel bus-ID: 00:1b.0 chip-ID: 8086:1c20
class-ID: 0403
Sound API: ALSA v: k6.1.1-arch1-1 running: yes
Sound Server-1: PulseAudio v: 16.1 running: yes
Sound Server-2: PipeWire v: 0.3.63 running: yes
Network:
Device-1: Broadcom NetXtreme BCM57765 Gigabit Ethernet PCIe driver: tg3
v: kernel pcie: speed: 2.5 GT/s lanes: 1 port: N/A bus-ID: 02:00.0
chip-ID: 14e4:16b4 class-ID: 0200
IF: enp2s0f0 state: down mac: <filter>
Device-2: Broadcom BCM4331 802.11a/b/g/n driver: wl v: kernel pcie:
speed: 2.5 GT/s lanes: 1 bus-ID: 03:00.0 chip-ID: 14e4:4331 class-ID: 0280
IF: wlp3s0 state: up mac: <filter>
Bluetooth:
Device-1: Apple Bluetooth USB Host Controller type: USB driver: btusb v: 0.8
bus-ID: 1-1.1.3:8 chip-ID: 05ac:821a class-ID: fe01
Report: rfkill ID: hci0 rfk-id: 0 state: down bt-service: disabled
rfk-block: hardware: no software: no address: see --recommends
Drives:
Local Storage: total: 232.89 GiB used: 10.71 GiB (4.6%)
ID-1: /dev/sda vendor: Samsung model: SSD 860 EVO 250GB size: 232.89 GiB
speed: 6.0 Gb/s type: SSD serial: <filter> rev: 4B6Q scheme: GPT
Partition:
ID-1: / size: 227.88 GiB used: 10.61 GiB (4.7%) fs: ext4 dev: /dev/sda2
ID-2: /boot size: 299.4 MiB used: 107.6 MiB (35.9%) fs: vfat
dev: /dev/sda1
Swap:
Alert: No swap data was found.
Sensors:
System Temperatures: cpu: 64.0 C mobo: 0.0 C
Fan Speeds (RPM): N/A
Info:
Processes: 223 Uptime: 53m wakeups: 2 Memory: 7.68 GiB
used: 2.45 GiB (31.9%) Init: systemd v: 252 default: graphical Compilers:
gcc: 12.2.0 clang: 14.0.6 Packages: pm: pacman pkgs: 1105 Shell: Bash
v: 5.1.16 running-in: konsole inxi: 3.3.24
Offline
2022-12-23 18:43:22 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
and
Dec 23 18:46:08 macbookpro nm-openvpn[16234]: OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
Did you try this? The difference appears to be that nm is not translating a deprecated configuration option into a non-deprecated one. Since the deprecated option will disappear, the solution is either to switch to a default cipher (I guess) or to configure the cipher in one of the current ways.
See https://github.com/OpenVPN/openvpn/blob … iation.rst for discussion of the various options for different combinations of client and server versions.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
I have seen those suggestions and tried to implement them, but I obviously don't know how. I've tried putting the parameter without the -- into /etc/openvpn/client/ and into my .ovpn file when importing. I have not seen any change in behavior. Since the router VPN server cipher is not something I can change, I need to find where to make the change on the laptop client.
Obviously running openvpn from the command line without any options uses only its defaults and what's in the OpenVPN-Config.ovpn file, and that works. I need to figure out where to set the nm options to match. I'm not having any luck finding that.
Offline
As a test I created a test.ovpn using my original and changed "cipher AES-128-CBC" to "data-ciphers-fallback AES-128-CBC".
It still worked and the log shows:
[jim@macbookpro ~]$ sudo openvpn test.ovpn
2022-12-24 06:58:52 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-24 06:58:52 OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
2022-12-24 06:58:52 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-24 06:58:52 TCP/UDP: Preserving recently used remote address: [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-24 06:58:52 UDP link local: (not bound)
2022-12-24 06:58:52 UDP link remote: [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-24 06:58:54 [server] Peer Connection Initiated with [AF_INET6]9999:9999:0:1d:0:1:ac4a:1d4c:1194
2022-12-24 06:58:55 TUN/TAP device tun0 opened
2022-12-24 06:58:55 net_iface_mtu_set: mtu 1500 for tun0
2022-12-24 06:58:55 net_iface_up: set tun0 up
2022-12-24 06:58:55 net_addr_ptp_v4_add: 10.8.0.14 peer 10.8.0.13 dev tun0
2022-12-24 06:58:55 Initialization Sequence Completed
So the original errors are gone and now it only has issues with compression, which it ignores.
Offline
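The reply above points at the non-deprecated options, and the test post shows that rewriting "cipher AES-128-CBC" to "data-ciphers-fallback AES-128-CBC" is enough for the command-line client. The script below is an added example for this thread, not the poster's file and not OpenVPN project code. It parses an .ovpn profile, reports the three conditions visible in the logs above (a legacy --cipher that is not in --data-ciphers, compression enabled, no server-certificate verification), and emits a rewritten profile: the legacy cipher is kept only as data-ciphers-fallback and appended to data-ciphers, and remote-cert-tls server is added so the "No server certificate verification method" warning goes away. The sample profile, its hostname and the certificate body are constructed placeholders, not real values.

```python
"""Audit and rewrite an OpenVPN 2.5 client profile (.ovpn).
Added example for this thread; not the poster's file or OpenVPN code."""
import re

# OpenVPN 2.5 default for --data-ciphers when the profile does not set it
# (it is quoted in the DEPRECATED OPTION message in the thread).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]

# Constructed sample modelled on the options the thread's logs imply.
# Hostname and certificate body are placeholders, not real values.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIBplaceholderConstructedForTheExampleOnly
-----END CERTIFICATE-----
</ca>
"""


def split_profile(text):
    """Yield ('line', text) for option lines and ('inline', text) for
    <tag>...</tag> blocks, which are passed through untouched."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^<([a-z0-9-]+)>\s*$", lines[i])
        if not m:
            yield "line", lines[i]
            i += 1
            continue
        closing = f"</{m.group(1)}>"
        j = i
        while j < len(lines) and lines[j].strip() != closing:
            j += 1
        yield "inline", "\n".join(lines[i:j + 1])
        i = j + 1


def parse_option(line):
    """Return (name, [args]) for an option line, None for blank/comment."""
    s = line.strip()
    if not s or s[0] in "#;":
        return None
    name, *args = s.split()
    return name, args


def collect_options(text):
    """Map option name -> list of argument lists, in file order."""
    opts = {}
    for kind, payload in split_profile(text):
        parsed = parse_option(payload) if kind == "line" else None
        if parsed:
            opts.setdefault(parsed[0], []).append(parsed[1])
    return opts


def last_arg(opts, name):
    """First argument of the last occurrence of an option, or None."""
    values = opts.get(name)
    return values[-1][0] if values and values[-1] else None


def audit(text):
    """Return human-readable findings for the profile."""
    opts = collect_options(text)
    findings = []
    cipher = last_arg(opts, "cipher")
    data_ciphers = (last_arg(opts, "data-ciphers")
                    or ":".join(DEFAULT_DATA_CIPHERS)).split(":")
    if cipher and cipher not in data_ciphers \
            and last_arg(opts, "data-ciphers-fallback") != cipher:
        findings.append(f"deprecated: 'cipher {cipher}' is not in data-ciphers "
                        f"({':'.join(data_ciphers)}) and no data-ciphers-fallback is set")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled: keep only if the server insists; "
                        "it has been used to recover plaintext from the tunnel")
    if "remote-cert-tls" not in opts and "verify-x509-name" not in opts:
        findings.append("no server certificate verification: any certificate "
                        "issued by the same CA could impersonate the server")
    return findings


def rewrite(text, add_remote_cert_tls=True):
    """Replace the legacy 'cipher' line with data-ciphers/data-ciphers-fallback
    and (optionally) add remote-cert-tls server. Inline blocks are untouched."""
    opts = collect_options(text)
    cipher = last_arg(opts, "cipher")
    out = []
    for kind, payload in split_profile(text):
        parsed = parse_option(payload) if kind == "line" else None
        if parsed and parsed[0] == "cipher" and cipher:
            if "data-ciphers" not in opts:
                # An NCP-capable server may pick an AEAD cipher but the legacy
                # one stays acceptable; a non-NCP server gets the fallback.
                out.append("data-ciphers " + ":".join(DEFAULT_DATA_CIPHERS + [cipher]))
            if last_arg(opts, "data-ciphers-fallback") != cipher:
                out.append(f"data-ciphers-fallback {cipher}")
            continue
        if parsed and parsed[0] == "data-ciphers" and cipher and parsed[1]:
            listed = parsed[1][0].split(":")
            if cipher not in listed:
                out.append("data-ciphers " + ":".join(listed + [cipher]))
                continue
        out.append(payload)
    if add_remote_cert_tls and "remote-cert-tls" not in opts \
            and "verify-x509-name" not in opts:
        out.append("remote-cert-tls server")
    return "\n".join(out) + "\n"
```

Run audit() on the downloaded profile first, then test the output of rewrite() the way the thread does (sudo openvpn test.ovpn) before importing it into NetworkManager; whether the NetworkManager plugin passes the data-ciphers options through to the openvpn process is a separate question from the profile being correct. One caveat on the added remote-cert-tls server line: it only succeeds if the server certificate was issued with the TLS server key usage and extended key usage, which standard OpenVPN server setups have but a router's built-in server may not; if the connection then fails at certificate verification, that failure is telling you the server cannot be distinguished from any other holder of a certificate from the same CA, and verify-x509-name with the server's CN is the narrower substitute.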
If I try to import the test.ovpn file to make a new test openvpn connection with nm I still get the same errors as before:
Dec 24 07:08:17 macbookpro nm-openvpn[2406]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 24 07:08:17 macbookpro nm-openvpn[2406]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 24 07:08:17 macbookpro nm-openvpn[2406]: TCP/UDP: Preserving recently used remote address: [AF_INET]999.99.29.76:1194
Dec 24 07:08:17 macbookpro nm-openvpn[2406]: UDP link local: (not bound)
Dec 24 07:08:17 macbookpro nm-openvpn[2406]: UDP link remote: [AF_INET]999.99.29.76:1194
Dec 24 07:08:22 macbookpro nm-openvpn[2406]: [server] Peer Connection Initiated with [AF_INET]999.99.29.76:1194
Dec 24 07:08:24 macbookpro nm-openvpn[2406]: OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
Dec 24 07:08:24 macbookpro nm-openvpn[2406]: ERROR: Failed to apply push options
Dec 24 07:08:24 macbookpro nm-openvpn[2406]: Failed to open tun/tap interface
I find it interesting that nm uses IPv4 and the CLI uses IPv6.
Offline
From what I find in Google searches, this is potentially a problem with NetworkManager-openvpn, which doesn't support --data-ciphers and compat-mode, so you can't set those in nm when using newer openvpn versions.
on my Arch laptop I have openvpn 2.5.8
on my LM21 laptop I have openvpn 2.5.5
One user reported downgrading openvpn to 2.5.6-1 to solve his problem.
So since this is a fresh install of Arch it only has openvpn 2.5.8. How do I downgrade to 2.5.5 since that is not in my cache?
Offline
In the Arch archive you'll find all versions back to 2.4.7: https://archive.archlinux.org/packages/o/openvpn/
Downgrade is possible via
pacman -U openvpn-2.5.5-1-x86_64.pkg.tar.zst
But I would like to shift your attention to the root cause: The outdated cipher used by the OpenVPN server. Ever thought about fixing this?
Offline
Bear in mind that attempting to downgrade a single package may not be possible if it was built on older libraries that no longer exist in the repos.
Offline
But I would like to shift your attention to the root cause: The outdated cipher used by the OpenVPN server. Ever thought about fixing this?
Understand, but that would mean replacing a 1 year old WiFi 6 router. Probably cost $200 to replace with no guarantee that it would have a newer openvpn server.
I've thought about using a Raspberry Pi 4 and making it into a VPN server. It's version of openvpn would be controllable by me.
But at the end of the day, of every distro I've tested for this issue, only the rolling-release ones are too new to work.
I originally thought about only using ssh to one of my home servers and open up the ssh port and use port forwarding in the router. At least the version of ssh would be controllable by me on both ends and scp and ssh both work in that case. But I'd not have web (http) access to some of the servers which I need.
That's why I chose OpenVPN originally.
I guess I could always use the command line option, but that would restrict the use of this laptop to me and not family members who only know the GUI way of doing things.
BTW, I did try the downgrade process, but based on the errors, I'd have to downgrade openssh, etc......
Last edited by jfabernathy (2022-12-24 13:59:27)
Offline
I had some success. I disabled VPN on my TP-Link AX50 router and set up a NAT Forwarding > Virtual Server (port) forwarding for 1194 to the IP address of my Raspberry Pi 4. I installed PiVPN on the RPi4, set up for OpenVPN. It created a .ovpn config file that I could import into the Network Manager settings on my Arch laptop. Worked great, so far. I also tested WireGuard. It's faster, but there are limited NetworkManager GUI options and you need the command line.
Offline