OpenVPN Timedout Cannot Connect

kde
vpn
network-manager
openvpn

#1

Hi there, new Manjaro user here! I am currently trying to connect to my VPN, but for some reason I am unable to because the connection times out. I use OpenVPN as my client and my profile is already imported and configured through the Network Manager. Lastly, I dual boot with Windows 7, and I am able to successfully connect to my VPN using OpenVPN, thus thinking it's a configuration problem with Manjaro. Below are my specs and the error messages pulled from my logs. Much thanks and I appreciate your help!
Edit: I am able to connect to my VPN via terminal.

Operating System: Manjaro Linux
KDE Plasma Version: 5.15.0
KDE Frameworks Version: 5.55.0
Qt Version: 5.12.1
Kernel Version: 4.19.23-1-MANJARO
OS Type: 64-bit
Processors: 4 × Intel® Core™ i5-3210M CPU @ 2.50GHz
Memory: 3.6 GiB of RAM

Feb 20 19:47:15 ernie-pc NetworkManager[398]: <info>  [1550710035.2798] policy: set 'xfinitywifi' (wlp3s0) as default for IPv4 routing and DNS
Feb 20 19:47:15 ernie-pc NetworkManager[398]: <info>  [1550710035.2842] device (wlp3s0): Activation: successful, device activated.
Feb 20 19:47:18 ernie-pc NetworkManager[398]: <info>  [1550710038.6853] audit: op="connection-activate" uuid="81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b" name="ErnieLinux" pid=1038 uid=1000 result="success"
Feb 20 19:47:18 ernie-pc NetworkManager[398]: <info>  [1550710038.6899] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: Started the VPN service, PID 1589
Feb 20 19:47:18 ernie-pc NetworkManager[398]: <info>  [1550710038.7079] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: Saw the service appear; activating connection
Feb 20 19:47:27 ernie-pc NetworkManager[398]: <info>  [1550710047.0537] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: VPN plugin: state changed: starting (3)
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: WARNING: file '/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/private.key' is group or others accessible
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: TCP/UDP: Preserving recently used remote address: [AF_INET]((---.MY.IP HERE.---)):1345
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: UDP link local: (not bound)
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: UDP link remote: [AF_INET]((---.MY.IP HERE.---)):1345
Feb 20 19:47:27 ernie-pc nm-openvpn[1593]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 20 19:48:26 ernie-pc NetworkManager[398]: <warn>  [1550710106.8774] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: VPN connection: connect timeout exceeded.
Feb 20 19:48:26 ernie-pc nm-openvpn-serv[1589]: Connect timer expired, disconnecting.
Feb 20 19:48:26 ernie-pc NetworkManager[398]: <warn>  [1550710106.8860] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: VPN plugin: failed: connect-failed (1)
Feb 20 19:48:26 ernie-pc NetworkManager[398]: <info>  [1550710106.8861] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: VPN plugin: state changed: stopping (5)
Feb 20 19:48:26 ernie-pc NetworkManager[398]: <info>  [1550710106.8862] vpn-connection[0x558e319b6380,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b,"ErnieLinux",0]: VPN plugin: state changed: stopped (6)
Feb 20 19:48:26 ernie-pc nm-openvpn[1593]: SIGTERM[hard,] received, process exiting
Feb 20 19:48:48 ernie-pc NetworkManager[398]: <info>  [1550710128.0763] settings-connection[0x558e318a3aa0,81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/ErnieL>
Feb 20 19:48:48 ernie-pc NetworkManager[398]: <info>  [1550710128.0769] audit: op="connection-update" uuid="81ceb279-bf9b-474d-bc1b-9a0aa61e9c6b" name="ErnieLinux" args="connection.permissions" pid=1038 uid=1000 result="success"

#2

This could be causing the issue. To fix it just execute:

chmod go-rwx '/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/private.key'

That will remove read/write/execute access to the file for group and others.


#3

Thank you for the help pixel27! I ran the command to remove read/write/execute access to the file, and the warning message disappeared in the log. However I am now getting a “TLS Error” in my log when I try to connect to my VPN via Network Manager.

Feb 21 11:36:24 ernie-pc NetworkManager[370]: <warn>  [1550766984.7999] vpn-connection[0x55eead2b2770,02c9591f-36e8-42ff-a309-46a8ae9f8b20,"ErnieLinux",0]: VPN connect>
Feb 21 11:36:24 ernie-pc nm-openvpn-serv[8047]: Connect timer expired, disconnecting.
Feb 21 11:36:24 ernie-pc nm-openvpn[8051]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 21 11:36:24 ernie-pc nm-openvpn[8051]: TLS Error: TLS handshake failed
Feb 21 11:36:24 ernie-pc nm-openvpn[8051]: SIGTERM[hard,tls-error] received, process exiting

#4

Have you checked the server is actually reachable?


#5

Just to be sure, is “—.MY.IP HERE.—” your openvpn server's IP?

If you run your own VPN Server, which cipher do you use?

Because the log looks like a simple time out, the server never answered.
I saw something similar with older openvpn server configs. With OpenSSL 1.1.1 it might be a problem, because many older crypto options have been removed. There was no matching cipher and instead of a TLS error it was just a timeout.


#6

Thank you for the reply xabbu!

To answer your question regarding “—.MY.IP HERE.—”, yes that is my openvpn server IP. I removed it from the post just to be safe in case.

The cipher I am using is AES-256-CBC. Should I be using a stronger cipher? I thought AES-256-CBC is still standard for the time being?


#7

Hi jonathan! Yes the server is reachable. I can confirm that since I am only able to connect to my VPN via the terminal.


#8

If you can connect via the terminal that means it’s an issue with the configuration you added within Network Manager.

Therefore, check your configuration within Network Manager and make sure it matches whatever you’re using in the terminal.


#9

I believe my .ovpn file matches my Network Manager configuration file. The certificates and private keys also match the .ovpn file.

Network Manager VPN config file:

[connection]
id=ErnieLinux
uuid=XXXXXXXXXXXXXXX
type=vpn
permissions=

[vpn]
auth=SHA256
ca=/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/ca.crt
cert=/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/cert.crt
cert-pass-flags=1
cipher=AES-256-CBC
connection-type=tls
float=no
key=/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/private.key
mssfix=no
port=1345
proto-tcp=no
remote=MY SERVER_IP
remote-cert-tls=server
remote-random=no
tun-ipv6=no
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

OVPN Profile below:

client
dev tun
proto udp
remote MY SERVER_IP 1345
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_cpaOIGWMZAv5FuaK name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(CA CERTIFICATE REDACTED)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(USER CERTIFICATE REDACTED)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(PRIVATE KEY REDACTED)
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
(STATIC KEY REDACTED)
-----END OpenVPN Static key V1-----
</tls-crypt>

#10

Yes it is pretty standard. I meant ciphers like Triple-DES or similar. AES with CBC is supported by OpenSSL 1.1.1.

I don’t see the tls-crypt key in your NM config. Everything else seems close enough.


#11

Thank you for pointing out the tls-crypt. Would this be the proper way of just adding anywhere under “[vpn]” in my NM config with the path to a .key file containing my tls-crypt key? Thank you.

tls-crypt=/home/ernenr1/.local/share/networkmanagement/certificates/ErnieLinux/tls.key

#12

It is really not recommended to edit NM connection files. You should always use the gui or nmcli.

tls-crypt in [vpn] might be enough. But I tried to create a config with a tls-crypt entry and the gui added [vpn-secrets] with no-secret=true.


#13

Thank you very much for helping this newbie xabbu and @jonathon! I got my VPN to connect!
I was unable to connect to my VPN because I was missing my tls-crypt key in my NM config as you have pointed out.
I created the tls-crypt key file and placed it along with my other keys and certs. Then using the NetworkManager GUI I added the path to the tls-crypt key file.

It turns out the issue causing this whole ordeal was that the VPN import function within the Network Manager GUI did not properly create and reference the tls-crypt key file to authenticate.
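
The comparison suggested in #8, which is how the missing tls-crypt entry was spotted in #10, can be automated. The following is an added example, not part of the original thread: it parses an .ovpn profile (including inline `<tag>` blocks) and a NetworkManager keyfile and lists handshake-related directives the profile sets but the `[vpn]` section lacks. The sample configs are constructed, and the assumption that the keyfile key name equals the OpenVPN directive name is taken from the configs posted above.

```python
import configparser

# Handshake-related directives. Assumption: the NetworkManager keyfile uses the
# same key name as the OpenVPN directive, as the thread's configs do.
SECURITY_DIRECTIVES = ("tls-crypt", "remote-cert-tls", "verify-x509-name",
                       "tls-version-min", "cipher", "auth")

# Constructed samples, trimmed from the shape of the configs in the thread.
SAMPLE_OVPN = """client
remote vpn.example.invalid 1345
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_example name
cipher AES-256-CBC
auth SHA256
<tls-crypt>
# (static key redacted)
</tls-crypt>
"""
SAMPLE_NM = """[connection]
id=Example
[vpn]
auth=SHA256
cipher=AES-256-CBC
remote-cert-tls=server
"""

def parse_ovpn(text):
    """Return {directive: value}; an inline <tag> block maps to '[inline]'."""
    found, inline = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline:                      # skip key material until the closing tag
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            found[inline] = "[inline]"
        elif line and line[0] not in "#;":
            name, _, value = line.partition(" ")
            found[name] = value.strip()
    return found

def missing_in_nm(ovpn_text, nm_text):
    """List security directives the .ovpn sets but the keyfile's [vpn] lacks."""
    ovpn = parse_ovpn(ovpn_text)
    keyfile = configparser.ConfigParser(interpolation=None)
    keyfile.read_string(nm_text)
    nm = dict(keyfile["vpn"]) if keyfile.has_section("vpn") else {}
    return [d for d in SECURITY_DIRECTIVES if d in ovpn and d not in nm]
```

The check only reports absent keys; a key that is present in both files can still carry a different value, so values need a separate look.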