Need help connecting to OpenVPN server from Manjaro

Support Network
1

I am using Manjaro KDE.

I installed OpenVPN server on my OpenWrt router (192.168.1.254) and can connect to it using the OpenVPN GUI Client from Windows. How do I make the connection from Manjaro?

In Manjaro I installed:
sudo pacman -S networkmanager-openvpn

I went to System Settings > Network > Connections > and imported the same client key .ovpn file that works in Windows. (I disconnected from the Windows OpenVPN Client first)

I’m not sure what else I am supposed to do with the settings in this tab and in the other tabs?

image
image879×732 61.2 KB

Any help much appreciated,

Flex

1 Like
2

Did you used the Apply bottom and tried to connect to it? If you imported the config, all options form this config will be set.

If it didn’t work, check the journal.

journalctl -u NetworkManager -b --no-hostname --no-pager

The question is of course, why do you need a VPN in your Home Network? You won’t be able to use this VPN from outside your LAN.

3

Thanks @xabbu

Yes I hit apply at the bottom.

Yes I know it’s a VPN within my local LAN… I’m just testing things first to see if I can connect a client to the server.

After I tried to connect the client again it fails and the result of the command…
journalctl -u NetworkManager -b --no-hostname --no-pager

… shows this: (basically a connection timeout)

Jan 04 21:59:32 NetworkManager[450]: <info>  [1641333572.5468] audit: op="connection-activate" uuid="acbd76d7-2e0d-40ed-8286-2b0db7235b2d" name="client1" pid=1029 uid=1000 result="success"
Jan 04 21:59:32 NetworkManager[450]: <info>  [1641333572.5554] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: Started the VPN service, PID 2484
Jan 04 21:59:32 NetworkManager[450]: <info>  [1641333572.5789] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: Saw the service appear; activating connection
Jan 04 21:59:32 NetworkManager[450]: <info>  [1641333572.5992] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN plugin: state changed: starting (3)
Jan 04 21:59:32 NetworkManager[450]: <info>  [1641333572.5992] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN connection: (ConnectInteractive) reply received
Jan 04 21:59:32 nm-openvpn[2492]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciph
ers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.                                                                                  
Jan 04 21:59:32 nm-openvpn[2492]: WARNING: file '/home/flex/.local/share/networkmanagement/certificates/client1/private.key' is group or others accessible                                                    
 
Jan 04 21:59:32 nm-openvpn[2492]: OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
Jan 04 21:59:32 nm-openvpn[2492]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Jan 04 21:59:32 nm-openvpn[2492]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.                                                 
 
Jan 04 21:59:32 nm-openvpn[2492]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts                                                                       
 
Jan 04 21:59:32 nm-openvpn[2492]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.254:1194
Jan 04 21:59:32 nm-openvpn[2492]: Attempting to establish TCP connection with [AF_INET]192.168.1.254:1194 [nonblock]
Jan 04 21:59:32 nm-openvpn[2492]: TCP connection established with [AF_INET]192.168.1.254:1194
Jan 04 21:59:32 nm-openvpn[2492]: TCP_CLIENT link local: (not bound)
Jan 04 21:59:32 nm-openvpn[2492]: TCP_CLIENT link remote: [AF_INET]192.168.1.254:1194
Jan 04 21:59:32 nm-openvpn[2492]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 04 21:59:32 nm-openvpn[2492]: Connection reset, restarting [0]
Jan 04 21:59:32 nm-openvpn[2492]: SIGUSR1[soft,connection-reset] received, process restarting

THIS REPEATS SEVEN TIMES.... THEN....

Jan 04 22:00:25 NetworkManager[450]: <info>  [1641333625.2666] audit: op="statistics" interface="wlp8s0" ifindex=3 args="0" pid=1029 uid=1000 result="success"
Jan 04 22:00:32 NetworkManager[450]: <warn>  [1641333632.8942] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN connection: connect timeout exceeded.                      
Jan 04 22:00:32 nm-openvpn-serv[2484]: Connect timer expired, disconnecting.
Jan 04 22:00:32 nm-openvpn[2492]: SIGTERM[hard,init_instance] received, process exiting
Jan 04 22:00:32 NetworkManager[450]: <warn>  [1641333632.8987] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN plugin: failed: connect-failed (1)                         
Jan 04 22:00:32 NetworkManager[450]: <info>  [1641333632.8988] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN plugin: state changed: stopping (5)
Jan 04 22:00:32 NetworkManager[450]: <info>  [1641333632.8997] vpn-connection[0x564da424c100,acbd76d7-2e0d-40ed-8286-2b0db7235b2d,"client1",0]: VPN plugin: state changed: stopped (6)

On the server side I use this command before I start the client connection…
root@OPENWRT:/etc/openvpn# logread ; logread -f
And this is the error I get which repeats several times:

Tue Jan  4 21:59:46 2022 daemon.notice openvpn(server)[6508]: TCP connection established with [AF_INET]192.168.1.180:52332
Tue Jan  4 21:59:46 2022 daemon.err openvpn(server)[6508]: 192.168.1.180:52332 TLS Error: could not determine wrapping from [AF_INET]192.168.1.180:52332
Tue Jan  4 21:59:46 2022 daemon.err openvpn(server)[6508]: 192.168.1.180:52332 Fatal TLS error (check_tls_errors_co), restarting

I don’t get that TLS Error - Could not determine wrapping when i use the same Client.ovpn in the OpenVPN GUI Client application in Windows 10.

Maybe it’s something in the Manjaro OpenVPN client that doesn’t support tls-crypt-v2?? I’m just thinking aloud after much googling.

I appreciate any help.

Thank you,

Flex

4

An up to date Manjaro uses OpenVPN 2.5.5. All the options and presets for 2.5 will work. If your OpenVPN Server is very old (Version 2.3), this might be a problem.

Since you imported the config, you also might want to check if in Advanced… → TLS Authentication the correct Mode and Key file is used.

Something you can try before you use the NM Gui, is openvpn in your terminal.

For example

sudo openvpn /path/to/your/config.opvn

This is just for testing, but you can see if the config would work.

For NM, check all the key and cert files the importer created. Then fix this

WARNING: file '/home/.../private.key' is group or others accessible
5

Thanks @xabbu.

My Setup:
OpenWrt 21.02.1, r16325-88151b8303
Raspberry Pi 4 B+

root@OPENWRT:/etc/openvpn# openvpn --version
OpenVPN 2.5.3 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10

I installed OpenVPN on my OpenWrt router using a step by step guide from the OpenWrt website. The end result is a client.ovpn file and a server.conf. I enter the client.ovpn file in to Manjaro Network Manager but actually I don’t think I am doing it correctly. As you mentioned, there is an Advanced Button with a TLS Settings Tab and in there is a place to specify a “Mode” (tls-auth or tls-crypt) and a key file. But I don’t enter anything in there at all.

What am I supposed to put in there? Maybe what I have (tls-crypt-v2 stuff) won’t be compatible anyway? because I have a feeling that my NetworkManager does not support tls-crypt-v2.

[flex@inspiron7520 OpenWrt]$ pacman -Qi networkmanager-openvpn
Name            : networkmanager-openvpn
Version         : 1.8.16-1
Description     : NetworkManager VPN plugin for OpenVPN
Architecture    : x86_64
...
...

This is my client config file… client1.ovpn:

user nobody
group nogroup
dev tun
nobind
client
remote 192.168.1.254 1194 tcp
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----

-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

When I enter your command from Konsole Terminal:
sudo openvpn client1.ovpn

This is what I get:

[flex@inspiron7520 OpenWrt]$ sudo openvpn client1.ovpn
[sudo] password for flex: 
2022-01-05 20:27:23 us=303197 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-01-05 20:27:23 us=303397 Current Parameter Settings:
2022-01-05 20:27:23 us=303412   config = 'client1.ovpn'
2022-01-05 20:27:23 us=303421   mode = 0
2022-01-05 20:27:23 us=303429   persist_config = DISABLED
2022-01-05 20:27:23 us=303436   persist_mode = 1
2022-01-05 20:27:23 us=303443   show_ciphers = DISABLED
2022-01-05 20:27:23 us=303455   show_digests = DISABLED
2022-01-05 20:27:23 us=303470   show_engines = DISABLED
2022-01-05 20:27:23 us=303486   genkey = DISABLED
2022-01-05 20:27:23 us=303501   genkey_filename = '[UNDEF]'
2022-01-05 20:27:23 us=303515   key_pass_file = '[UNDEF]'
2022-01-05 20:27:23 us=303529   show_tls_ciphers = DISABLED
2022-01-05 20:27:23 us=303543   connect_retry_max = 0
2022-01-05 20:27:23 us=303556 Connection profiles [0]:
2022-01-05 20:27:23 us=303569   proto = tcp-client
2022-01-05 20:27:23 us=303582   local = '[UNDEF]'
2022-01-05 20:27:23 us=303594   local_port = '[UNDEF]'
2022-01-05 20:27:23 us=303607   remote = '192.168.1.254'
2022-01-05 20:27:23 us=303619   remote_port = '1194'
2022-01-05 20:27:23 us=303631   remote_float = DISABLED
2022-01-05 20:27:23 us=303644   bind_defined = DISABLED
2022-01-05 20:27:23 us=303656   bind_local = DISABLED
2022-01-05 20:27:23 us=303669   bind_ipv6_only = DISABLED
2022-01-05 20:27:23 us=303682   connect_retry_seconds = 5
2022-01-05 20:27:23 us=303694   connect_timeout = 120
2022-01-05 20:27:23 us=303706   socks_proxy_server = '[UNDEF]'
2022-01-05 20:27:23 us=303719   socks_proxy_port = '[UNDEF]'
2022-01-05 20:27:23 us=303732   tun_mtu = 1500
2022-01-05 20:27:23 us=303744   tun_mtu_defined = ENABLED
2022-01-05 20:27:23 us=303756   link_mtu = 1500
2022-01-05 20:27:23 us=303769   link_mtu_defined = DISABLED
2022-01-05 20:27:23 us=303781   tun_mtu_extra = 0
2022-01-05 20:27:23 us=303793   tun_mtu_extra_defined = DISABLED
2022-01-05 20:27:23 us=303806   mtu_discover_type = -1
2022-01-05 20:27:23 us=303818   fragment = 0
2022-01-05 20:27:23 us=303830   mssfix = 1450
2022-01-05 20:27:23 us=303843   explicit_exit_notification = 0
2022-01-05 20:27:23 us=303855   tls_auth_file = '[UNDEF]'
2022-01-05 20:27:23 us=303867   key_direction = not set
2022-01-05 20:27:23 us=303879   tls_crypt_file = '[UNDEF]'
2022-01-05 20:27:23 us=303892   tls_crypt_v2_file = '[INLINE]'
2022-01-05 20:27:23 us=303905 Connection profiles END
2022-01-05 20:27:23 us=303917   remote_random = DISABLED
2022-01-05 20:27:23 us=303929   ipchange = '[UNDEF]'
2022-01-05 20:27:23 us=303942   dev = 'tun'
2022-01-05 20:27:23 us=303954   dev_type = '[UNDEF]'
2022-01-05 20:27:23 us=303966   dev_node = '[UNDEF]'
2022-01-05 20:27:23 us=303978   lladdr = '[UNDEF]'
2022-01-05 20:27:23 us=303990   topology = 1
2022-01-05 20:27:23 us=304002   ifconfig_local = '[UNDEF]'
2022-01-05 20:27:23 us=304015   ifconfig_remote_netmask = '[UNDEF]'
2022-01-05 20:27:23 us=304027   ifconfig_noexec = DISABLED
2022-01-05 20:27:23 us=304039   ifconfig_nowarn = DISABLED
2022-01-05 20:27:23 us=304051   ifconfig_ipv6_local = '[UNDEF]'
2022-01-05 20:27:23 us=304064   ifconfig_ipv6_netbits = 0
2022-01-05 20:27:23 us=304076   ifconfig_ipv6_remote = '[UNDEF]'
2022-01-05 20:27:23 us=304088   shaper = 0
2022-01-05 20:27:23 us=304100   mtu_test = 0
2022-01-05 20:27:23 us=304112   mlock = DISABLED
2022-01-05 20:27:23 us=304125   keepalive_ping = 0
2022-01-05 20:27:23 us=304137   keepalive_timeout = 0
2022-01-05 20:27:23 us=304149   inactivity_timeout = 0
2022-01-05 20:27:23 us=304162   ping_send_timeout = 0
2022-01-05 20:27:23 us=304174   ping_rec_timeout = 0
2022-01-05 20:27:23 us=304186   ping_rec_timeout_action = 0
2022-01-05 20:27:23 us=304199   ping_timer_remote = DISABLED
2022-01-05 20:27:23 us=304211   remap_sigusr1 = 0
2022-01-05 20:27:23 us=304227   persist_tun = DISABLED
2022-01-05 20:27:23 us=304239   persist_local_ip = DISABLED
2022-01-05 20:27:23 us=304252   persist_remote_ip = DISABLED
2022-01-05 20:27:23 us=304264   persist_key = DISABLED
2022-01-05 20:27:23 us=304276   passtos = DISABLED
2022-01-05 20:27:23 us=304289   resolve_retry_seconds = 1000000000
2022-01-05 20:27:23 us=304301   resolve_in_advance = DISABLED
2022-01-05 20:27:23 us=304313   username = 'nobody'
2022-01-05 20:27:23 us=304325   groupname = 'nogroup'
2022-01-05 20:27:23 us=304337   chroot_dir = '[UNDEF]'
2022-01-05 20:27:23 us=304349   cd_dir = '[UNDEF]'
2022-01-05 20:27:23 us=304361   writepid = '[UNDEF]'
2022-01-05 20:27:23 us=304373   up_script = '[UNDEF]'
2022-01-05 20:27:23 us=304385   down_script = '[UNDEF]'
2022-01-05 20:27:23 us=304397   down_pre = DISABLED
2022-01-05 20:27:23 us=304410   up_restart = DISABLED
2022-01-05 20:27:23 us=304422   up_delay = DISABLED
2022-01-05 20:27:23 us=304434   daemon = DISABLED
2022-01-05 20:27:23 us=304446   inetd = 0
2022-01-05 20:27:23 us=304458   log = DISABLED
2022-01-05 20:27:23 us=304471   suppress_timestamps = DISABLED
2022-01-05 20:27:23 us=304483   machine_readable_output = DISABLED
2022-01-05 20:27:23 us=304495   nice = 0
2022-01-05 20:27:23 us=304507   verbosity = 7
2022-01-05 20:27:23 us=304519   mute = 0
2022-01-05 20:27:23 us=304531   gremlin = 0
2022-01-05 20:27:23 us=304543   status_file = '[UNDEF]'
2022-01-05 20:27:23 us=304556   status_file_version = 1
2022-01-05 20:27:23 us=304568   status_file_update_freq = 60
2022-01-05 20:27:23 us=304580   occ = ENABLED
2022-01-05 20:27:23 us=304592   rcvbuf = 0
2022-01-05 20:27:23 us=304605   sndbuf = 0
2022-01-05 20:27:23 us=304617   mark = 0
2022-01-05 20:27:23 us=304629   sockflags = 0
2022-01-05 20:27:23 us=304641   fast_io = DISABLED
2022-01-05 20:27:23 us=304654   comp.alg = 0
2022-01-05 20:27:23 us=304666   comp.flags = 0
2022-01-05 20:27:23 us=304678   route_script = '[UNDEF]'
2022-01-05 20:27:23 us=304691   route_default_gateway = '[UNDEF]'
2022-01-05 20:27:23 us=304703   route_default_metric = 0
2022-01-05 20:27:23 us=304716   route_noexec = DISABLED
2022-01-05 20:27:23 us=304729   route_delay = 0
2022-01-05 20:27:23 us=304740   route_delay_window = 30
2022-01-05 20:27:23 us=304754   route_delay_defined = DISABLED
2022-01-05 20:27:23 us=304768   route_nopull = DISABLED
2022-01-05 20:27:23 us=304781   route_gateway_via_dhcp = DISABLED
2022-01-05 20:27:23 us=304793   allow_pull_fqdn = DISABLED
2022-01-05 20:27:23 us=304817   management_addr = '[UNDEF]'
2022-01-05 20:27:23 us=304843   management_port = '[UNDEF]'
2022-01-05 20:27:23 us=304853   management_user_pass = '[UNDEF]'
2022-01-05 20:27:23 us=304863   management_log_history_cache = 250
2022-01-05 20:27:23 us=304874   management_echo_buffer_size = 100
2022-01-05 20:27:23 us=304884   management_write_peer_info_file = '[UNDEF]'
2022-01-05 20:27:23 us=304894   management_client_user = '[UNDEF]'
2022-01-05 20:27:23 us=304904   management_client_group = '[UNDEF]'
2022-01-05 20:27:23 us=304915   management_flags = 0
2022-01-05 20:27:23 us=304925   shared_secret_file = '[UNDEF]'
2022-01-05 20:27:23 us=304935   key_direction = not set
2022-01-05 20:27:23 us=304945   ciphername = 'BF-CBC'
2022-01-05 20:27:23 us=304955   ncp_enabled = ENABLED
2022-01-05 20:27:23 us=304966   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2022-01-05 20:27:23 us=304976   authname = 'SHA1'
2022-01-05 20:27:23 us=304986   prng_hash = 'SHA1'
2022-01-05 20:27:23 us=305006   prng_nonce_secret_len = 16
2022-01-05 20:27:23 us=305018   keysize = 0
2022-01-05 20:27:23 us=305030   engine = DISABLED
2022-01-05 20:27:23 us=305042   replay = ENABLED
2022-01-05 20:27:23 us=305053   mute_replay_warnings = DISABLED
2022-01-05 20:27:23 us=305066   replay_window = 64
2022-01-05 20:27:23 us=305078   replay_time = 15
2022-01-05 20:27:23 us=305089   packet_id_file = '[UNDEF]'
2022-01-05 20:27:23 us=305101   test_crypto = DISABLED
2022-01-05 20:27:23 us=305113   tls_server = DISABLED
2022-01-05 20:27:23 us=305125   tls_client = ENABLED
2022-01-05 20:27:23 us=305137   ca_file = '[INLINE]'
2022-01-05 20:27:23 us=305148   ca_path = '[UNDEF]'
2022-01-05 20:27:23 us=305160   dh_file = '[UNDEF]'
2022-01-05 20:27:23 us=305172   cert_file = '[INLINE]'
2022-01-05 20:27:23 us=305184   extra_certs_file = '[UNDEF]'
2022-01-05 20:27:23 us=305196   priv_key_file = '[INLINE]'
2022-01-05 20:27:23 us=305208   pkcs12_file = '[UNDEF]'
2022-01-05 20:27:23 us=305219   cipher_list = '[UNDEF]'
2022-01-05 20:27:23 us=305231   cipher_list_tls13 = '[UNDEF]'
2022-01-05 20:27:23 us=305243   tls_cert_profile = '[UNDEF]'
2022-01-05 20:27:23 us=305255   tls_verify = '[UNDEF]'
2022-01-05 20:27:23 us=305267   tls_export_cert = '[UNDEF]'
2022-01-05 20:27:23 us=305278   verify_x509_type = 0
2022-01-05 20:27:23 us=305290   verify_x509_name = '[UNDEF]'
2022-01-05 20:27:23 us=305302   crl_file = '[UNDEF]'
2022-01-05 20:27:23 us=305313   ns_cert_type = 0
2022-01-05 20:27:23 us=305326   remote_cert_ku[i] = 65535
2022-01-05 20:27:23 us=305337   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305349   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305360   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305372   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305384   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305396   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305408   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305420   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305431   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305443   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305455   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305466   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305478   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305490   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305502   remote_cert_ku[i] = 0
2022-01-05 20:27:23 us=305514   remote_cert_eku = 'TLS Web Server Authentication'
2022-01-05 20:27:23 us=305526   ssl_flags = 0
2022-01-05 20:27:23 us=305538   tls_timeout = 2
2022-01-05 20:27:23 us=305549   renegotiate_bytes = -1
2022-01-05 20:27:23 us=305561   renegotiate_packets = 0
2022-01-05 20:27:23 us=305573   renegotiate_seconds = 3600
2022-01-05 20:27:23 us=305585   handshake_window = 60
2022-01-05 20:27:23 us=305597   transition_window = 3600
2022-01-05 20:27:23 us=305609   single_session = DISABLED
2022-01-05 20:27:23 us=305621   push_peer_info = DISABLED
2022-01-05 20:27:23 us=305632   tls_exit = DISABLED
2022-01-05 20:27:23 us=305644   tls_crypt_v2_metadata = '[UNDEF]'
2022-01-05 20:27:23 us=305657   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305668   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305680   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305692   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305704   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305716   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305727   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305739   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305751   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305763   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305775   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305786   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305798   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305811   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305822   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305834   pkcs11_protected_authentication = DISABLED
2022-01-05 20:27:23 us=305847   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305859   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305870   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305882   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305894   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305906   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305917   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305929   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305941   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305953   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305965   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305977   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=305989   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=306000   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=306012   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=306024   pkcs11_private_mode = 00000000
2022-01-05 20:27:23 us=306036   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306047   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306059   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306070   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306082   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306094   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306106   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306118   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306129   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306141   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306153   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306164   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306176   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306188   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306200   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306212   pkcs11_cert_private = DISABLED
2022-01-05 20:27:23 us=306223   pkcs11_pin_cache_period = -1
2022-01-05 20:27:23 us=306235   pkcs11_id = '[UNDEF]'
2022-01-05 20:27:23 us=306247   pkcs11_id_management = DISABLED
2022-01-05 20:27:23 us=306261   server_network = 0.0.0.0
2022-01-05 20:27:23 us=306274   server_netmask = 0.0.0.0
2022-01-05 20:27:23 us=306293   server_network_ipv6 = ::
2022-01-05 20:27:23 us=306304   server_netbits_ipv6 = 0
2022-01-05 20:27:23 us=306317   server_bridge_ip = 0.0.0.0
2022-01-05 20:27:23 us=306330   server_bridge_netmask = 0.0.0.0
2022-01-05 20:27:23 us=306342   server_bridge_pool_start = 0.0.0.0
2022-01-05 20:27:23 us=306355   server_bridge_pool_end = 0.0.0.0
2022-01-05 20:27:23 us=306366   ifconfig_pool_defined = DISABLED
2022-01-05 20:27:23 us=306380   ifconfig_pool_start = 0.0.0.0
2022-01-05 20:27:23 us=306392   ifconfig_pool_end = 0.0.0.0
2022-01-05 20:27:23 us=306405   ifconfig_pool_netmask = 0.0.0.0
2022-01-05 20:27:23 us=306416   ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-05 20:27:23 us=306428   ifconfig_pool_persist_refresh_freq = 600
2022-01-05 20:27:23 us=306440   ifconfig_ipv6_pool_defined = DISABLED
2022-01-05 20:27:23 us=306452   ifconfig_ipv6_pool_base = ::
2022-01-05 20:27:23 us=306464   ifconfig_ipv6_pool_netbits = 0
2022-01-05 20:27:23 us=306476   n_bcast_buf = 256
2022-01-05 20:27:23 us=306488   tcp_queue_limit = 64
2022-01-05 20:27:23 us=306500   real_hash_size = 256
2022-01-05 20:27:23 us=306512   virtual_hash_size = 256
2022-01-05 20:27:23 us=306523   client_connect_script = '[UNDEF]'
2022-01-05 20:27:23 us=306535   learn_address_script = '[UNDEF]'
2022-01-05 20:27:23 us=306546   client_disconnect_script = '[UNDEF]'
2022-01-05 20:27:23 us=306558   client_config_dir = '[UNDEF]'
2022-01-05 20:27:23 us=306570   ccd_exclusive = DISABLED
2022-01-05 20:27:23 us=306582   tmp_dir = '/tmp'
2022-01-05 20:27:23 us=306593   push_ifconfig_defined = DISABLED
2022-01-05 20:27:23 us=306606   push_ifconfig_local = 0.0.0.0
2022-01-05 20:27:23 us=306619   push_ifconfig_remote_netmask = 0.0.0.0
2022-01-05 20:27:23 us=306631   push_ifconfig_ipv6_defined = DISABLED
2022-01-05 20:27:23 us=306644   push_ifconfig_ipv6_local = ::/0
2022-01-05 20:27:23 us=306656   push_ifconfig_ipv6_remote = ::
2022-01-05 20:27:23 us=306668   enable_c2c = DISABLED
2022-01-05 20:27:23 us=306680   duplicate_cn = DISABLED
2022-01-05 20:27:23 us=306691   cf_max = 0
2022-01-05 20:27:23 us=306703   cf_per = 0
2022-01-05 20:27:23 us=306715   max_clients = 1024
2022-01-05 20:27:23 us=306727   max_routes_per_client = 256
2022-01-05 20:27:23 us=306739   auth_user_pass_verify_script = '[UNDEF]'
2022-01-05 20:27:23 us=306751   auth_user_pass_verify_script_via_file = DISABLED
2022-01-05 20:27:23 us=306763   auth_token_generate = DISABLED
2022-01-05 20:27:23 us=306774   auth_token_lifetime = 0
2022-01-05 20:27:23 us=306786   auth_token_secret_file = '[UNDEF]'
2022-01-05 20:27:23 us=306797   port_share_host = '[UNDEF]'
2022-01-05 20:27:23 us=306809   port_share_port = '[UNDEF]'
2022-01-05 20:27:23 us=306821   vlan_tagging = DISABLED
2022-01-05 20:27:23 us=306833   vlan_accept = all
2022-01-05 20:27:23 us=306845   vlan_pvid = 1
2022-01-05 20:27:23 us=306857   client = ENABLED
2022-01-05 20:27:23 us=306869   pull = ENABLED
2022-01-05 20:27:23 us=306880   auth_user_pass_file = '[UNDEF]'
2022-01-05 20:27:23 us=306895 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
2022-01-05 20:27:23 us=306916 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-01-05 20:27:23 us=306988 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
2022-01-05 20:27:23 us=307001 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
2022-01-05 20:27:23 us=307675 PRNG init md=SHA1 size=36
2022-01-05 20:27:23 us=307718 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-05 20:27:23 us=307741 Outgoing Control Channel Encryption: CIPHER KEY: d43cbb57 10d7f430 526fa23f 77c07396 d5bb162e 4adec223 ac0cdc00 f35addeb
2022-01-05 20:27:23 us=307755 Outgoing Control Channel Encryption: CIPHER block_size=16 iv_size=16
2022-01-05 20:27:23 us=307780 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-05 20:27:23 us=307800 Outgoing Control Channel Encryption: HMAC KEY: e5b4c942 c9f91925 57564fa8 7391cd96 d82cdb98 565eca54 a6f36dc2 b3ad150d
2022-01-05 20:27:23 us=307811 Outgoing Control Channel Encryption: HMAC size=32 block_size=32
2022-01-05 20:27:23 us=307826 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-05 20:27:23 us=307844 Incoming Control Channel Encryption: CIPHER KEY: fb0eef5e d1662a0d 35f5f5d5 a5f3c0b8 34e3e47d 9a1d5c5c c5bf5373 9e471a1f
2022-01-05 20:27:23 us=307857 Incoming Control Channel Encryption: CIPHER block_size=16 iv_size=16
2022-01-05 20:27:23 us=307874 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-05 20:27:23 us=307892 Incoming Control Channel Encryption: HMAC KEY: c1c1d44f 3e1f7073 1db36d0c 5abb1e42 35e14f0f f7054c51 e8f1afe3 375e24d0
2022-01-05 20:27:23 us=307903 Incoming Control Channel Encryption: HMAC size=32 block_size=32
2022-01-05 20:27:23 us=307918 tls_crypt_adjust_frame_parameters: Adjusting frame parameters for tls-crypt by 56 bytes
2022-01-05 20:27:23 us=307938 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:27:23 us=307988 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:27:23 us=308010 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:27:23 us=308044 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:27:23 us=308060 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2022-01-05 20:27:23 us=308090 MTU DYNAMIC mtu=1450, flags=2, 1623 -> 1450
2022-01-05 20:27:23 us=308120 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0
2022-01-05 20:27:23 us=308145 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2022-01-05 20:27:23 us=308171 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2022-01-05 20:27:23 us=308184 calc_options_string_link_mtu: link-mtu 1623 -> 1543
2022-01-05 20:27:23 us=308207 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2022-01-05 20:27:23 us=308219 calc_options_string_link_mtu: link-mtu 1623 -> 1543
2022-01-05 20:27:23 us=308238 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,auth SHA1,keysize 128,key-method 2,tls-client'
2022-01-05 20:27:23 us=308249 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,auth SHA1,keysize 128,key-method 2,tls-server'
2022-01-05 20:27:23 us=309885 failed to find GID for group nogroup
2022-01-05 20:27:23 us=309905 Exiting due to fatal error
[flex@inspiron7520 OpenWrt]$

Does that error mean I should create the group: “nogroup” in Manjaro?
When I comment out the first two lines:

#user nobody
#group nogroup

I get an endless output like this… which looks like there is communication between the “openvpn” command in Manjaro command line and the server… although there is no mention of tls-crypt-v2:

.........
.............
................
2022-01-05 20:14:45 us=796537 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
2022-01-05 20:14:45 us=796556 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-01-05 20:14:45 us=797344 PRNG init md=SHA1 size=36
2022-01-05 20:14:45 us=797385 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-05 20:14:45 us=797409 Outgoing Control Channel Encryption: CIPHER KEY: d43cbb57 10d7f430 526fa23f 77c07396 d5bb162e 4adec223 ac0cdc00 f35addeb
2022-01-05 20:14:45 us=797424 Outgoing Control Channel Encryption: CIPHER block_size=16 iv_size=16
2022-01-05 20:14:45 us=797450 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-05 20:14:45 us=797472 Outgoing Control Channel Encryption: HMAC KEY: e5b4c942 c9f91925 57564fa8 7391cd96 d82cdb98 565eca54 a6f36dc2 b3ad150d
2022-01-05 20:14:45 us=797483 Outgoing Control Channel Encryption: HMAC size=32 block_size=32
2022-01-05 20:14:45 us=797496 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-05 20:14:45 us=797514 Incoming Control Channel Encryption: CIPHER KEY: fb0eef5e d1662a0d 35f5f5d5 a5f3c0b8 34e3e47d 9a1d5c5c c5bf5373 9e471a1f
2022-01-05 20:14:45 us=797528 Incoming Control Channel Encryption: CIPHER block_size=16 iv_size=16
2022-01-05 20:14:45 us=797543 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-05 20:14:45 us=797563 Incoming Control Channel Encryption: HMAC KEY: c1c1d44f 3e1f7073 1db36d0c 5abb1e42 35e14f0f f7054c51 e8f1afe3 375e24d0
2022-01-05 20:14:45 us=797573 Incoming Control Channel Encryption: HMAC size=32 block_size=32
2022-01-05 20:14:45 us=797585 tls_crypt_adjust_frame_parameters: Adjusting frame parameters for tls-crypt by 56 bytes
2022-01-05 20:14:45 us=797604 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:14:45 us=797661 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:14:45 us=797676 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:14:45 us=797714 PID packet_id_init seq_backtrack=64 time_backtrack=15
2022-01-05 20:14:45 us=797730 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2022-01-05 20:14:45 us=797756 MTU DYNAMIC mtu=1450, flags=2, 1623 -> 1450
2022-01-05 20:14:45 us=797784 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0
2022-01-05 20:14:45 us=797798 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2022-01-05 20:14:45 us=797818 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2022-01-05 20:14:45 us=797831 calc_options_string_link_mtu: link-mtu 1623 -> 1543
2022-01-05 20:14:45 us=797851 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
2022-01-05 20:14:45 us=797863 calc_options_string_link_mtu: link-mtu 1623 -> 1543
2022-01-05 20:14:45 us=797878 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,auth SHA1,keysize 128,key-method 2,tls-client'
2022-01-05 20:14:45 us=797890 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,auth SHA1,keysize 128,key-method 2,tls-server'
2022-01-05 20:14:45 us=797911 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.254:1194
2022-01-05 20:14:45 us=797946 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-01-05 20:14:45 us=797960 Attempting to establish TCP connection with [AF_INET]192.168.1.254:1194 [nonblock]
2022-01-05 20:14:45 us=804416 TCP connection established with [AF_INET]192.168.1.254:1194
2022-01-05 20:14:45 us=804460 TCP_CLIENT link local: (not bound)
2022-01-05 20:14:45 us=804468 TCP_CLIENT link remote: [AF_INET]192.168.1.254:1194
2022-01-05 20:14:45 us=804503 TCP_CLIENT WRITE [353] to [AF_INET]192.168.1.254:1194: P_CONTROL_HARD_RESET_CLIENT_V3 kid=0 [ ] pid=353 DATA len=339
2022-01-05 20:14:45 us=815010 TCP_CLIENT READ [66] from [AF_INET]192.168.1.254:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=353 DATA len=52
2022-01-05 20:14:45 us=815046 TLS: Initial packet from [AF_INET]192.168.1.254:1194, sid=11c5121a 03a66349
2022-01-05 20:14:45 us=815071 PID_TEST [0] [TLS_WRAP-0] [] 0:0 1641413684:1 t=1641413685[0] r=[0,64,15,0,1] sl=[0,0,64,528]
2022-01-05 20:14:45 us=815107 TCP_CLIENT WRITE [62] to [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=815224 TCP_CLIENT WRITE [331] to [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=865 DATA len=317
2022-01-05 20:14:45 us=844382 TCP_CLIENT READ [1236] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=609 DATA len=1222
2022-01-05 20:14:45 us=844470 PID_TEST [0] [TLS_WRAP-0] [0] 1641413684:1 1641413684:2 t=1641413685[0] r=[0,64,15,0,1] sl=[63,1,64,528]
2022-01-05 20:14:45 us=845022 TCP_CLIENT WRITE [62] to [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=845437 TCP_CLIENT READ [1224] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=865 DATA len=1210
2022-01-05 20:14:45 us=845497 PID_TEST [0] [TLS_WRAP-0] [00] 1641413684:2 1641413684:3 t=1641413685[0] r=[0,64,15,0,1] sl=[62,2,64,528]
2022-01-05 20:14:45 us=845898 VERIFY OK: depth=1, CN=ovpnca
2022-01-05 20:14:45 us=846167 VERIFY KU OK
2022-01-05 20:14:45 us=846192 Validating certificate extended key usage
2022-01-05 20:14:45 us=846207 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-01-05 20:14:45 us=846224 VERIFY EKU OK
2022-01-05 20:14:45 us=846239 VERIFY OK: depth=0, CN=server
2022-01-05 20:14:45 us=846437 TCP_CLIENT READ [71] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=1121 DATA len=57
2022-01-05 20:14:45 us=846470 PID_TEST [0] [TLS_WRAP-0] [000] 1641413684:3 1641413684:4 t=1641413685[0] r=[0,64,15,0,1] sl=[61,3,64,528]
2022-01-05 20:14:45 us=849979 TCP_CLIENT WRITE [62] to [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=850080 TCP_CLIENT WRITE [1124] to [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=1633 DATA len=1110
2022-01-05 20:14:45 us=850122 TCP_CLIENT WRITE [1112] to [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=1889 DATA len=1098
2022-01-05 20:14:45 us=850176 TCP_CLIENT WRITE [433] to [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=2145 DATA len=419
2022-01-05 20:14:45 us=871451 TCP_CLIENT READ [62] from [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=871532 PID_TEST [0] [TLS_WRAP-0] [0000] 1641413684:4 1641413684:5 t=1641413685[0] r=[0,64,15,0,1] sl=[60,4,64,528]
2022-01-05 20:14:45 us=876685 TCP_CLIENT READ [224] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=1633 DATA len=210
2022-01-05 20:14:45 us=876788 PID_TEST [0] [TLS_WRAP-0] [00000] 1641413684:5 1641413684:6 t=1641413685[0] r=[0,64,15,0,1] sl=[59,5,64,528]
2022-01-05 20:14:45 us=877024 TCP_CLIENT WRITE [62] to [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=888748 TCP_CLIENT READ [273] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=1889 DATA len=259
2022-01-05 20:14:45 us=888827 PID_TEST [0] [TLS_WRAP-0] [000000] 1641413684:6 1641413684:7 t=1641413685[0] r=[0,64,15,0,1] sl=[58,6,64,528]
2022-01-05 20:14:45 us=888915 TCP_CLIENT WRITE [62] to [AF_INET]192.168.1.254:1194: P_ACK_V1 kid=0 [ ]
2022-01-05 20:14:45 us=889004 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-01-05 20:14:45 us=889044 [server] Peer Connection Initiated with [AF_INET]192.168.1.254:1194
2022-01-05 20:14:45 us=892201 TCP_CLIENT READ [314] from [AF_INET]192.168.1.254:1194: P_CONTROL_V1 kid=0 [ ] pid=2145 DATA len=300
2022-01-05 20:14:45 us=892288 PID_TEST [0] [TLS_WRAP-0] [0000000] 1641413684:7 1641413684:8 t=1641413685[0] r=[0,64,15,0,1] sl=[57,7,64,528]
2022-01-05 20:14:45 us=892374 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.8.1,dhcp-option DOMAIN lan,redirect-gateway def1,persist-tun,persist-key,route-gateway 192.168.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2022-01-05 20:14:45 us=892517 OPTIONS IMPORT: timers and/or timeouts modified
2022-01-05 20:14:45 us=892539 OPTIONS IMPORT: --persist options modified
2022-01-05 20:14:45 us=892552 OPTIONS IMPORT: --ifconfig/up options modified
2022-01-05 20:14:45 us=892565 OPTIONS IMPORT: route options modified
2022-01-05 20:14:45 us=892579 OPTIONS IMPORT: route-related options modified
2022-01-05 20:14:45 us=892594 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-01-05 20:14:45 us=892609 OPTIONS IMPORT: peer-id set
2022-01-05 20:14:45 us=892624 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-01-05 20:14:45 us=892638 OPTIONS IMPORT: data channel crypto options modified
2022-01-05 20:14:45 us=892654 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-01-05 20:14:45 us=892677 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 48 bytes
2022-01-05 20:14:45 us=892694 MTU DYNAMIC mtu=1450, flags=2, 1554 -> 1450
2022-01-05 20:14:45 us=892712 Data Channel MTU parms [ L:1554 D:1450 EF:54 EB:406 ET:0 EL:3 ]
2022-01-05 20:14:45 us=892743 Client pre_master: 6474a980 acaaddd4 2762068b 01dbc3e0 152466ef 0891818d 6d13ab7e 3395a761 d3d86b83 eba9ed2b 42b4902b 06b116f8
2022-01-05 20:14:45 us=892769 Client random1: af59cf19 d3582bbd c4af4868 ac9d75a6 0d4f1b7c d97801a1 ff6a0acc da17e0d0
2022-01-05 20:14:45 us=892793 Client random2: 89a6b094 19af4fc6 d06b0e11 cbaa128b 5cd57c76 8cff90b2 e5578eaa 6128619f
2022-01-05 20:14:45 us=892823 Server pre_master: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
2022-01-05 20:14:45 us=892849 Server random1: f0d257ff 8a9e103d 073d4717 9a7b37d5 dba3f760 2f147186 1fb2940c e51572d3
2022-01-05 20:14:45 us=892873 Server random2: 8e8bc028 182087df cdd28416 a82e6699 eb2e440c 26d89a40 d6447e6c 2259b98d
2022-01-05 20:14:45 us=892901 tls1_P_hash sec: 6474a980 acaaddd4 2762068b 01dbc3e0 152466ef 0891818d
2022-01-05 20:14:45 us=892943 tls1_P_hash seed: 4f70656e 56504e20 6d617374 65722073 65637265 74af59cf 19d3582b bdc4af48 68ac9d75 a60d4f1b 7cd97801 a1ff6a0a ccda17e0 d0f0d257 ff8a9e10 3d073d47 
......
........
..........

Now my questions are:

  1. Does networkmanager-openvpn v1.8.16-1 support tls-crypt-v2?
  2. If YES then the problem must be the way I am entering my client1.ovpn config file into NM so it can connect to OpenVPN? How do I use my client1.ovpn file to specify a “Mode” and “Key File” in the TLS Settings tab?
  3. If NO then should I rebuild the key config files using regular tls-crypt which I think NetworkManager supports. If so how do I do that?

Thank you very much,

Flex

6

Yes, but keep in mind the networkmanager-openvpn is just an plugin that adds some GUI- and config-options to NetworkManager. It also adds the ability to NetworkManager to start OpenVPN connections.

Depending on your Desktop Environment (KDE in this case) not all options might be available in the GUI. In these cases you would need to use nmcli to edit the connection, or edit the connections file directly.

In XFCE and Gnome you can choose tls-crypt-v2 and it works.

Untitled
Untitled785×696 65.9 KB

You need to translate the options in your config file to the correct options in your GUI. If a key or certificate file is needed, create a file with just the key or certificate (not the tags <>…</> form your config). The importer can import some options but it has sometimes problems with newer options. In this case you need to do it yourself.
As an example you can check the contend of the files the importer already created.

If you want to use special user in your config, you need to make sure these user are available on your system. In Manjaro and Arch there is a special user called openvpn that should be used for this. However you could use any available user if you want. This is not required. Please note that NM will ignore these options and systemd will fail.

This is normal, openvpn will not log this name.

This looks good but there should after this more lines, like at the end Initialization Sequence Completed. Maybe you did not post all?
However this seems to worked as expected.

Which means you have now two options, configure your NM connections correctly, or use the systemd openvpn-client service to start your OpenVPN connections. If you want to use the systemd service, do not use a config with user and goup options, it will not work.
You can see the Arch Wiki, how to set it up.

https://wiki.archlinux.org/title/OpenVPN#systemd_service_configuration

if you want to use the systemd service or try some manual runs, add

verb 3

to your config. This will print less messages and the output is more readable.

btw., your system is not up to date, update it!

7

@xabbu
Thank you so much for all this amazing help.
Yes it looks like my only problem was that in Manjaro KDE the NetworkManager from the Settings GUI does not properly import the client .ovpn file.
When I used the NM CLI it worked. I used these commands from this webpage.
I had saved the client config file in /home/flex/OpenWrt/client1.ovpn

# cd /home/flex/OpenWrt
# nmcli connection delete client1
# sudo nmcli connection import type openvpn file client1.ovpn
# nmcli connection up client1
# nmcli connection show

I can now connect to the OpenVPN server from inside my LAN and more usefully from outside it too!

I made a group for “nogroup” in Manjaro and that solved that error. Yes I will reduce the verb level now.

What system do you mean that is not up to date? The OpenWrt and OpenVPN I have are the latest available from OpenWrt. I let a Manjaro update go through this evening… almost 1GB.

Thank you,

Flex

1 Like
8

Nice to hear that the connection in NM now works. You should be able to start the connection form the GUI, so the cli was just important to import the config. You also should be able to edit the config, or at lest check the options.

I meant your Manjaro system. Your log showed OpenVPN 2.5.4 , but Manjaro Branch compare showed for the OpenVPN package version 2.5.5 on all branches.

But the important thing is, that it now works.

9

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.