Hi, I have trouble connecting as an openvpn client to my university network to access research articles. It only works if I do it with
sudo openvpn --config myvpn.ovpn
but when I import the .ovpn to NetworkManager (with GUI and nmcli c import), I can't start it via GUI or (also with --ask):
nmcli c up myvpn
I keep getting asked for a password, even though it is already provided in /etc/NetworkManager/system-connections/myvpn.nmconnection. When connecting with nmcli, it gives
Warning: password for 'vpn.secrets.cert-pass' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
My installations:
kde plasma 6, networkmanager, openvpn, networkmanager-openvpn, networkmanager-openconnect, libnm, libnma, libnma-common
The .ovpn file from my uni:
client
remote d-vpn.its.ac.id 40001
remote d-vpn.its.ac.id 40002
remote d-vpn.its.ac.id 40003
remote d-vpn.its.ac.id 40004
remote d-vpn.its.ac.id 40005
proto tcp-client
remote-cert-tls server
dev tun
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
secret
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
secret
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
secret
-----END PRIVATE KEY-----
</key>
# GENERATED at 20241009114457 for secret
setenv UV_CN "secret"
setenv UV_TOKEN "secret"
setenv UV_VERSION 2999
setenv FRIENDLY_NAME "myITS VPN"
setenv PROFILE_NAME "myITS VPN"
setenv USERNAME "secret"
push-peer-info
My /etc/NetworkManager/system-connections/myvpn.nmconnection file (for the user-name property, I tried both `username` and `user-name`):
[connection]
id=myvpn
uuid=bdeef1c9-7a8d-4a83-ae32-1ad7370224f5
type=vpn
[vpn]
ca=/path/to/ca.pem
cert=/path/to/cert.pem
cert-pass-flags=0
connection-type=password-tls
dev=tun
float=no
key=/path/to/key.pem
mssfix=no
password-flags=0
proto-tcp=yes
remote=d-vpn.its.ac.id:40001, d-vpn.its.ac.id:40002, d-vpn.its.ac.id:40003, d-vpn.its.ac.id:40004, d-vpn.its.ac.id:40005
remote-cert-tls=server
remote-random=no
tun-ipv6=no
service-type=org.freedesktop.NetworkManager.openvpn
user-name=secret
[vpn-secrets]
cert-pass=i_typed_some_random_string
password=secret
[ipv4]
method=auto
[ipv6]
addr-gen-mode=stable-privacy
method=auto
[proxy]
Things I've tried:
Please let me know if you need some log/journal.
Sorry for my bad English, and thank you for your time.
Last edited by mousse (2024-10-10 09:09:01)
[vpn-secrets]
cert-pass=i_typed_some_random_string
What is this supposed to do?
What is this supposed to do?
In the GUI, it's the text field for the private key password. I read somewhere that I can leave it empty or type anything if I don't need an actual certificate password.
If you connect with OpenVPN alone, you do not need to enter a certificate password? Only the user/password combination?
If you connect with OpenVPN alone, you do not need to enter a certificate password? Only the user/password combination?
Yes. It's also the same case when connecting from the Android/Windows OpenVPN client: I'm just asked to enter the VPN username and password.
Then you should set "Not required" for the certificate password (cert-pass-flags=4).
Then you should set "Not required" for the certificate password (cert-pass-flags=4).
Tried that already, still nothing.
I noticed something from journalctl -u NetworkManager (with openvpn set to verb 6), if I enter the correct username/password, the log shows
AUTH: Received control message: AUTH_FAILED,(C) "my_username plus some message from the server, saying that connection is lost"
but when I intentionally enter a wrong password:
AUTH: Received control message: AUTH_FAILED,(U) "my_username plus some message from the server saying that the password may be incorrect"
Does that say anything? I have no clue.
I noticed something from journalctl -u NetworkManager (with openvpn set to verb 6) [...]
How did you set this verbosity level?
How did you set this verbosity level?
Sorry, my bad, I misread an article (just noticed it was a post written by you, lol). I tried adding `verb 6` to the .ovpn and re-importing the file, and it does nothing to the .nmconnection file.
Do you have any hint on where to look next? Or... should I just keep using the `sudo openvpn` method?
I think the additional lines in the OpenVPN config file may be to blame.
This statement
push-peer-info
leads your OpenVPN client to additionally push those
setenv UV_CN "secret"
setenv UV_TOKEN "secret"
setenv UV_VERSION 2999
to the OpenVPN server.
So you probably have to set those environment variables in the context of the NetworkManager and enable "Push peer info" in the connection editor.
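One way to make this import gap visible, and to catch the certificate-password flag raised earlier in the thread, is to compare the profile with the keyfile mechanically. The script below is an added example, not part of the thread and not NetworkManager-openvpn's own code: it parses the .ovpn (including the inline <ca>/<cert>/<key> blocks), parses the imported keyfile, and reports every directive the keyfile does not carry (the setenv lines and push-peer-info in this thread), plus an unencrypted private key paired with cert-pass-flags other than 4. The directive-to-key table is an assumption built from the two files posted above, not NetworkManager's own mapping, and the two sample strings are reduced, constructed copies of those files.

```python
import configparser
import re
import shlex

# Constructed samples: reduced copies of the profile and keyfile posted in the
# thread, with the same "secret" placeholders in place of real material.
OVPN_SAMPLE = """\
client
remote d-vpn.its.ac.id 40001
proto tcp-client
remote-cert-tls server
dev tun
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
secret
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
secret
-----END PRIVATE KEY-----
</key>
# GENERATED at 20241009114457 for secret
setenv UV_CN "secret"
setenv UV_VERSION 2999
push-peer-info
"""

NMCONNECTION_SAMPLE = """\
[connection]
id=myvpn
type=vpn
[vpn]
ca=/path/to/ca.pem
cert-pass-flags=0
connection-type=password-tls
dev=tun
key=/path/to/key.pem
proto-tcp=yes
remote=d-vpn.its.ac.id:40001
remote-cert-tls=server
service-type=org.freedesktop.NetworkManager.openvpn
user-name=secret
[vpn-secrets]
cert-pass=i_typed_some_random_string
password=secret
"""

# Assumed mapping from .ovpn directive to the keyfile key that carries it,
# derived from the two files in the thread rather than from NM's own tables.
DIRECTIVE_TO_KEY = {
    "remote": "remote", "proto": "proto-tcp", "dev": "dev",
    "remote-cert-tls": "remote-cert-tls", "auth-user-pass": "user-name",
    "push-peer-info": "push-peer-info",
}
IMPLIED = {"client"}  # NM always acts as a client, so there is no key for it


def parse_ovpn(text):
    """Return (directives, blocks): directives is a list of (name, args) in
    file order, blocks maps an inline tag such as 'key' to its PEM text."""
    directives, blocks = [], {}
    open_tag, buf = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag is not None:             # inside <ca>, <cert>, <key>, ...
            if line == f"</{open_tag}>":
                blocks[open_tag] = "\n".join(buf)
                open_tag, buf = None, []
            else:
                buf.append(line)
            continue
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            open_tag = m.group(1)
            continue
        parts = shlex.split(line)            # honours the quotes in setenv UV_CN "..."
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def audit(ovpn_text, keyfile_text):
    """List profile directives the keyfile lacks and the cert-pass-flags mismatch."""
    directives, blocks = parse_ovpn(ovpn_text)
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                     # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    vpn = cp["vpn"] if cp.has_section("vpn") else {}
    findings = []
    for name, args in directives:
        if name in IMPLIED:
            continue
        key = DIRECTIVE_TO_KEY.get(name)
        if key is None:
            findings.append("no keyfile key for: " + " ".join([name, *args]))
        elif key not in vpn:
            findings.append(f"'{name}' is in the profile but [vpn] lacks '{key}='")
    for tag in ("ca", "cert", "key"):
        if tag in blocks and tag not in vpn:
            findings.append(f"inline <{tag}> has no '{tag}=' path in [vpn]")
    # NM secret flags: 0 = stored in the keyfile, 1 = agent-owned, 2 = not saved,
    # 4 = not required. An unencrypted key has no passphrase, so 4 is the right value.
    key_pem = blocks.get("key", "")
    if key_pem and "ENCRYPTED" not in key_pem and vpn.get("cert-pass-flags") != "4":
        findings.append("private key is not encrypted; set cert-pass-flags=4 "
                        "and drop cert-pass from [vpn-secrets]")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                   # audit.py myvpn.ovpn myvpn.nmconnection
        ovpn, keyfile = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        ovpn, keyfile = OVPN_SAMPLE, NMCONNECTION_SAMPLE
    print("\n".join(audit(ovpn, keyfile)) or "keyfile carries every mapped directive")
```

Run it against the real pair as root, since the keyfile under /etc/NetworkManager/system-connections is not world-readable; anything reported as "no keyfile key" is a directive you would have to provide another way, and a reported key such as push-peer-info= is one the import silently dropped.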
set those environment variables in the context of the NetworkManager
Thank you. This is maybe the cause.
May I ask how to do it correctly? I tried creating a dispatcher script, following the wiki, with the `vpn-pre-up` condition. The inside block contains code `export`-ing those environment variables.
Then I restarted NM and dispatcher, started VPN, and it's still asking for a password. How do I know if it's being picked up by NM?
I already set the user and group permissions for the file as per the wiki, and put it in /etc/NetworkManager/dispatcher.d/pre-up.d/
Edit: I added logger to make sure the script works, and checked journalctl -u NetworkManager-dispatcher.service, and yes it indeed works.
and enable "Push peer info" in the connection editor.
Since it was already in the .ovpn file, and inside the .nmconnection file there is 'push-peer-info=yes', does it work?
Last edited by mousse (2024-10-11 01:19:38)
Since it was already in the .ovpn file, and inside the .nmconnection file there is 'push-peer-info=yes', does it work?
Your nmconnection file from above does not contain "push-peer-info=yes" - make sure it's set.
May I ask how to do it correctly? I tried [...]
I wrote my advice from a "what I would try to achieve" standpoint. After consulting the Wiki and looking for the context of the running openvpn processes (as a child of nm-openvpn-service which runs as root) I think you have to set them globally via "/etc/environment".
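The question of whether an exported variable is "picked up" can be answered directly: whatever the openvpn process inherited is readable from /proc/<pid>/environ (as root, since nm-openvpn-service and its openvpn child run as root). The helper below is an added example, not from the thread or from NetworkManager; it finds every process named openvpn, prints its parent chain (which shows it hangs off nm-openvpn-service, a process tree the dispatcher script's shell is not part of, so an `export` there cannot reach it) and lists the UV_* variables in its environment. SAMPLE_ENVIRON is a constructed stand-in for the NUL-separated format of that file.

```python
from pathlib import Path

# Constructed sample of /proc/<pid>/environ: NUL-separated KEY=VALUE items.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0UV_CN=secret\0UV_VERSION=2999\0LANG=C\0"


def parse_environ(raw: bytes) -> dict:
    """Turn the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    env = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            name, _, value = item.partition(b"=")
            env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def uv_variables(env: dict) -> dict:
    """Only names starting with UV_ are of interest for push-peer-info."""
    return {k: v for k, v in env.items() if k.startswith("UV_")}


def parent_chain(pid: int, proc_root: str = "/proc", limit: int = 5) -> list:
    """Process names from pid upwards, e.g. ['openvpn', 'nm-openvpn-serv', ...]."""
    chain = []
    while pid > 1 and len(chain) < limit:
        try:
            status = (Path(proc_root) / str(pid) / "status").read_text()
        except OSError:
            break
        fields = dict(line.split(":\t", 1) for line in status.splitlines() if ":\t" in line)
        chain.append(fields.get("Name", "?"))
        pid = int(fields.get("PPid", "0"))
    return chain


def inspect_openvpn(proc_root: str = "/proc") -> list:
    """For each process named openvpn: (pid, parent chain, UV_* variables).
    Reading environ of a root-owned process needs root; unreadable ones are skipped."""
    results = []
    root = Path(proc_root)
    if not root.is_dir():
        return results
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() != "openvpn":
                continue
            env = parse_environ((entry / "environ").read_bytes())
        except OSError:                      # process exited or permission denied
            continue
        pid = int(entry.name)
        results.append((pid, parent_chain(pid, proc_root), uv_variables(env)))
    return results


if __name__ == "__main__":
    for pid, chain, uv in inspect_openvpn():
        print(pid, " <- ".join(chain), uv or "no UV_* variables inherited")
```

If the process shows no UV_* variables after the dispatcher script ran, the script's exports never reached it, which is what the parent chain already predicts; rerun the check after whatever global mechanism you try instead, with the VPN up.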
Okay, I did all of your suggestions and re-checked everything, but to no avail.
I guess I'll give up and just keep using the native openvpn for now.
Thank you very much for your help, -thc, I learned a lot.