OpenVPN TLS Error

Clearly the client cannot reach the server and gives up.

Feb 18 20:30:16 denkbrett NetworkManager[480]: <warn>  [1550518216.5941] vpn-connection[0x55e7b4312770,4d556963-d997-450b-963a-2c15c68fd3f2,"vpn",0]: VPN connection: connect timeout exceeded.
Feb 18 20:30:16 denkbrett nm-openvpn-serv[6256]: Connect timer expired, disconnecting.

I tried again and got the same errors. But it can't be a connection error because it works when using openvpn directly via the command line.

The best thing to do is to import the command line configuration into the NetworkManager GUI.

No, not NetworkManager on the command line, just

sudo openvpn vpn.ovpn

Your server configuration has a number of issues:

  • Multiple duplicate push options.
  • No need to push a route, when you have redirect-gateway.
  • Compression compress has security issues, so better disable it.

So this still never really worked for me. This is my server config:

verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>

sudo openvpn --config vpn.ovpn still works (with errors and without hostnames), but NetworkManager has this error:

Mär 20 10:20:13 denkbrett NetworkManager[473]: <info>  [1553073613.4371] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: Started the VPN service, PID 23929
Mär 20 10:20:13 denkbrett NetworkManager[473]: <info>  [1553073613.4513] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: Saw the service appear; activating connection
Mär 20 10:20:13 denkbrett NetworkManager[473]: <info>  [1553073613.4804] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: VPN plugin: state changed: starting (3)
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: WARNING: file '/home/janik/.local/share/networkmanagement/certificates/vpn2/private.key' is group or others accessible
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: OpenVPN 2.4.7 [git:makepkg/2b8aec62d5db2c17+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mär 20 10:20:13 denkbrett NetworkManager[473]: <info>  [1553073613.5408] audit: op="statistics" arg="refresh-rate-ms" pid=840 uid=1000 result="success"
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: TCP/UDP: Preserving recently used remote address: [AF_INET]91.64.46.139:1194
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: UDP link local: (not bound)
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: UDP link remote: [AF_INET]IP
Mär 20 10:20:13 denkbrett nm-openvpn[23932]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mär 20 10:20:28 denkbrett NetworkManager[473]: <info>  [1553073628.6131] audit: op="statistics" arg="refresh-rate-ms" pid=840 uid=1000 result="success"
Mär 20 10:21:13 denkbrett NetworkManager[473]: <warn>  [1553073673.6886] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: VPN connection: connect timeout exceeded.
Mär 20 10:21:13 denkbrett nm-openvpn-serv[23929]: Connect timer expired, disconnecting.
Mär 20 10:21:13 denkbrett nm-openvpn[23932]: SIGTERM[hard,] received, process exiting
Mär 20 10:21:13 denkbrett NetworkManager[473]: <warn>  [1553073673.7037] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: VPN plugin: failed: connect-failed (1)
Mär 20 10:21:13 denkbrett NetworkManager[473]: <info>  [1553073673.7038] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: VPN plugin: state changed: stopping (5)
Mär 20 10:21:13 denkbrett NetworkManager[473]: <info>  [1553073673.7038] vpn-connection[0x55fa61dbc750,57a75138-7ade-4414-8f61-c6b027687c1c,"vpn2",0]: VPN plugin: state changed: stopped (6)

nmcli --terse connection show vpn2
connection.id:vpn2
connection.uuid:57a75138-7ade-4414-8f61-c6b027687c1c
connection.stable-id:
connection.type:vpn
connection.interface-name:
connection.autoconnect:yes
connection.autoconnect-priority:0
connection.autoconnect-retries:-1
connection.multi-connect:0
connection.auth-retries:-1
connection.timestamp:0
connection.read-only:no
connection.permissions:
connection.zone:
connection.master:
connection.slave-type:
connection.autoconnect-slaves:-1
connection.secondaries:
connection.gateway-ping-timeout:0
connection.metered:unknown
connection.lldp:default
connection.mdns:-1
connection.llmnr:-1
ipv4.method:auto
ipv4.dns:
ipv4.dns-search:
ipv4.dns-options: 
ipv4.dns-priority:0
ipv4.addresses:
ipv4.gateway:
ipv4.routes:
ipv4.route-metric:-1
ipv4.route-table:0
ipv4.ignore-auto-routes:no
ipv4.ignore-auto-dns:no
ipv4.dhcp-client-id:
ipv4.dhcp-timeout:0
ipv4.dhcp-send-hostname:yes
ipv4.dhcp-hostname:
ipv4.dhcp-fqdn:
ipv4.never-default:no
ipv4.may-fail:yes
ipv4.dad-timeout:-1
ipv6.method:auto
ipv6.dns:
ipv6.dns-search:
ipv6.dns-options: 
ipv6.dns-priority:0
ipv6.addresses:
ipv6.gateway:
ipv6.routes:
ipv6.route-metric:-1
ipv6.route-table:0
ipv6.ignore-auto-routes:no
ipv6.ignore-auto-dns:no
ipv6.never-default:no
ipv6.may-fail:yes
ipv6.ip6-privacy:-1
ipv6.addr-gen-mode:stable-privacy
ipv6.dhcp-duid:
ipv6.dhcp-send-hostname:yes
ipv6.dhcp-hostname:
ipv6.token:
vpn.service-type:org.freedesktop.NetworkManager.openvpn
vpn.user-name:
vpn.data:ca = /home/user/.local/share/networkmanagement/certificates/vpn2/ca.crt, cert = /home/user/.local/share/networkmanagement/certificates/vpn2/cert.crt, cert-pass-flags = 0, connection-type = tls, key = /home/user/.local/share/networkmanagement/certificates/vpn2/private.key, port = 1194, remote = hostname.tld
vpn.secrets:<hidden>
vpn.persistent:no
vpn.timeout:0
proxy.method:none
proxy.browser-only:no
proxy.pac-url:
proxy.pac-script:

Is this valid?

No, this is for privacy reasons.

Weird, it works fine on Fedora 29 with similar configuration.

Check the port from your client, it should be like this:

# nmap -sU -p1194 hostname.tld
...
PORT     STATE         SERVICE
1194/udp open|filtered openvpn

Otherwise it wouldn't work with the openvpn client.

What about tls-crypt option?
If you enable it on the server, your client configuration must use it too.

What do you mean? The certificates are in the client and the server config

If you have this on the server side:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

You must provide the same key on the client:

tls-crypt /path/to/tls-crypt.key

It's both in the client and the server, but both times inline like this:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
not in a file.

Save that to a file:

Open NetworkManager, edit your VPN-connection and specify path to the file.
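An added example (not from this thread or from the NetworkManager/OpenVPN projects) covering two steps discussed above: the config lint from the "Your server configuration has a number of issues" post (duplicate push lines, a pushed route next to redirect-gateway, compression) and the "Save that to a file" step for inline `<tls-crypt>` blocks, which NetworkManager needs as a path. It also flags a client profile without `remote-cert-tls`/`verify-x509-name`, which is what the "No server certificate verification method has been enabled" warning in the logs is about, and writes extracted files with mode 0600 so nm-openvpn does not warn that the key is group/others accessible. The two profiles, the function names and the placeholder key text are all constructed for the example.

```python
import os
import re
import stat
import tempfile
from collections import Counter
from pathlib import Path

# Constructed server sample (not the thread's real file). It mirrors the
# complaints in the thread: a duplicated push, a pushed route next to
# redirect-gateway, and compression turned on.
SAMPLE_SERVER = """\
port 1194
proto udp
dev tun0
server 192.168.8.0 255.255.255.0
compress lz4
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DNS 192.168.8.1"
push "redirect-gateway def1"
push "route 192.168.8.0 255.255.255.0"
"""

# Constructed client sample with the key inline, as the poster has it, and no
# remote-cert-tls. The key body is a placeholder, not a real OpenVPN static key.
SAMPLE_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

# Matches an inline <tag>...</tag> block; the body keeps its trailing newline.
INLINE_RE = re.compile(r"^<(?P<tag>[a-z-]+)>\n(?P<body>.*?)^</(?P=tag)>[ \t]*\n?",
                       re.S | re.M)


def split_profile(text):
    """Split an .ovpn into (directive lines, {tag: inline block body})."""
    blocks = {}

    def grab(m):
        blocks[m.group("tag")] = m.group("body")
        return ""

    rest = INLINE_RE.sub(grab, text)
    directives = [ln.strip() for ln in rest.splitlines()
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))]
    return directives, blocks


def lint(directives):
    """Flag the problems the thread discusses; returns a list of messages."""
    issues = []
    for line, n in Counter(directives).items():
        if n > 1:
            issues.append(f"duplicate option: {line} ({n} times)")
    has_redirect = any(d.startswith('push "redirect-gateway') for d in directives)
    has_route = any(d.startswith('push "route ') for d in directives)
    if has_redirect and has_route:
        issues.append("pushed route is redundant with redirect-gateway")
    if any(d.split()[0] in ("compress", "comp-lzo") for d in directives):
        issues.append("compression is enabled; disable it")
    if "client" in directives and not any(
            d.startswith(("remote-cert-tls", "verify-x509-name")) for d in directives):
        issues.append("no server certificate verification; add 'remote-cert-tls server'")
    return issues


def write_inline_blocks(blocks, outdir=None):
    """Write each inline block to its own file, created 0600 so nm-openvpn does
    not warn that the key is group/others accessible. Returns {tag: path};
    these are the paths to enter in the NetworkManager VPN dialog."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="ovpn-"))
    outdir.mkdir(parents=True, exist_ok=True)
    paths = {}
    for tag, body in blocks.items():
        path = outdir / (tag + (".crt" if tag in ("ca", "cert") else ".key"))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o600)  # in case the file already existed with looser bits
        paths[tag] = str(path)
    return paths


def insecure_files(paths):
    """Files whose mode grants any group/other access (what nm-openvpn warns about)."""
    return [p for p in paths
            if stat.S_IMODE(os.stat(p).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)]


def check_profile(text, outdir=None):
    """Lint one profile, externalise its inline blocks, and return
    (issues, {tag: path}, paths that are still too permissive)."""
    directives, blocks = split_profile(text)
    paths = write_inline_blocks(blocks, outdir)
    return lint(directives), paths, insecure_files(paths.values())


if __name__ == "__main__":
    for name, text in (("server", SAMPLE_SERVER), ("client", SAMPLE_CLIENT)):
        print(name, *check_profile(text), sep="\n  ")
```

Run it against a real profile with `check_profile(open("vpn2.ovpn").read(), "~/.local/share/networkmanagement/certificates/vpn2")` (path expanded as needed), then point the NetworkManager dialog at the written `tls-crypt.key`; if `insecure_files` reports anything, the permission warning from the logs will persist until those modes are tightened.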


Still same error.

Mär 22 10:46:47 denkbrett NetworkManager[494]: <info>  [1553248007.3655] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: Started the VPN service, PID 30563
Mär 22 10:46:47 denkbrett NetworkManager[494]: <info>  [1553248007.4373] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: Saw the service appear; activating connection
Mär 22 10:46:47 denkbrett NetworkManager[494]: <info>  [1553248007.4628] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: VPN plugin: state changed: starting (3)
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: WARNING: file '/home/janik/.local/share/networkmanagement/certificates/vpn2/private.key' is group or others accessible
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: OpenVPN 2.4.7 [git:makepkg/2b8aec62d5db2c17+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 19 2019
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xx.xxx:1194
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: UDP link local: (not bound)
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: UDP link remote: [AF_INET]xx.xxx.xx.xxx:1194
Mär 22 10:46:47 denkbrett nm-openvpn[30569]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mär 22 10:47:11 denkbrett NetworkManager[494]: <info>  [1553248031.8099] audit: op="statistics" arg="refresh-rate-ms" pid=834 uid=1000 result="success"
Mär 22 10:47:16 denkbrett NetworkManager[494]: <info>  [1553248036.8267] audit: op="statistics" arg="refresh-rate-ms" pid=834 uid=1000 result="success"
Mär 22 10:47:47 denkbrett NetworkManager[494]: <warn>  [1553248067.5649] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: VPN connection: connect timeout exceeded.
Mär 22 10:47:47 denkbrett nm-openvpn-serv[30563]: Connect timer expired, disconnecting.
Mär 22 10:47:47 denkbrett NetworkManager[494]: <warn>  [1553248067.5784] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: VPN plugin: failed: connect-failed (1)
Mär 22 10:47:47 denkbrett NetworkManager[494]: <info>  [1553248067.5784] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: VPN plugin: state changed: stopping (5)
Mär 22 10:47:47 denkbrett NetworkManager[494]: <info>  [1553248067.5784] vpn-connection[0x562ad1676100,6f3093cc-fd82-40d0-ab4f-4d296478d6ef,"vpn2",0]: VPN plugin: state changed: stopped (6)

I think it's really weird that openvpn --config vpn2.ovpn works. But still hostnames don't work.
Maybe I just need to use static IPs then, or try WireGuard or something.