Can someone help, i have been having trouble connected with my home universities vpn, for past 15-20days, it is an openvpn connection, so i have been using networkmanager-openvpn to import my config files, and they have worked previously, but for last 15-20 days i get connection timed out, all certificates used are correct, i have tried to connect on cli,
Connection activation failed: The connection attempt timed out
and it suggests to check journalctl logs (nothing erroneous i could find) i am also able to connect with this vpn with my phone (with openvpn official app with same files), and also i am able to connect to proton’s vpns with my laptop, so i guess my device is not completely broken, i have tried to redownload my certificate files, recreating vpn profile, reinstalling networkmanager, nothing worked
Not sure if this applies for your university VPN but with VPN providers an important part of making a successful VPN connection and use it browse the Internet, is that the DNS servers in /etc/resolv.conf are correct. You can check and see any difference of the content of that file, before and after starting the VPN connection.
i dont see a change
I am not sure if you would be able to compare the content of that file on your phone as well ? Maybe with adb and then check the content there (not sure if Android also uses /etc/resolv.conf) ? Or maybe test connecting on a Linux live USB stick and compare ?
@sga I think you have to ask an admin of the university because a timeout is usually a problem on the server side.
but it works over on my phone, so something has to be borked over my end, i have also recently renewed my certificates, that may have something to do with it, since vpn has also not been working pretty much since then
since i forgot to mention it earlier, we have to renew our certificates almost every 6 months, and i renewed them recently (around the time of breakage start, but (i may be misremembering) i think i connected with new certs also, before renewal, the vpn worked both on my phone and laptop, now it only works on phone, i am now trying to use it on a live usb
i tried a live usb (i had a linux mint one) - same error
Your phone is fine with the new certificates but Linux on the desktop is not. #showerthought Would it be possible that both Arch Linux and Linux Mint have software upgraded that is causing the connection failure ? Could it still work if you would use an older LTS Linux version as live USB stick ? Or would the new certificates actually require newer software, like OpenSSL (which is I think a build dependency for OpenVPN) on the desktop ? EDIT: I guess the latter is not the case since Arch Linux is a rolling distribution. But you could ask your IT persons at the university whether they upgraded something ?
with my college, they are not even up to current openvpn versions, if i use a verbose vpn app on phone (open vpn for android on fdroid), i have to use compatibility settings to even connect, they even use older encryption standards and compression settings, what i think is coincidentally something in my system updated which may not work with their current configs, and on my phone it is somehow still working
It may not apply to you but, from my own experience and assuming you are on KDE :
Remove your ethernet connection. Remove your VPN connection. Recreate an ethernet connection then the VPN. Never set ‘autoconnect’.
Before putting your computer to sleep/shutdown, manually disconnect from the VPN.
i am not on kde or ethernet, i also dont do auto connect
#####******************############************** STUFF I HAVE WRITTEN ##############************************* Intentionally not written nicely to be able to distinguish ######################*************************** remote had the my college's vpn domain vpn.coll.eg.e CA had college's certificate file name (in the same dir as config) cert myid.crt key myid.key ############################################## # Sample client-side OpenVPN 2.0 config file # # for connecting to multi-client server. # # # # This configuration can be used by multiple # # clients, however each client should have # # its own cert and key files. # # # # On Windows, you might want to rename this # # file so it has a .ovpn extension # ############################################## # Specify that we are a client and that we # will be pulling certain config file directives # from the server. client # Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. ;remote my-server-1 1194 ;remote my-server-2 1194 remote port 1194 # Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite # Most clients don't need to bind to # a specific local port number. nobind # Downgrade privileges after initialization (non-Windows only) ;user nobody ;group nobody # Try to preserve some state across restarts. persist-key persist-tun # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca cert key # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ;ns-cert-type server # If a tls-auth key is used on the server # then every client must also have the key. tls-auth ta.key 1 # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. cipher AES-128-CBC ;cipher BF-CBC # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 3 # Silence repeating messages ;mute 20 route-method exe route-delay 2 auth-user-pass@sga ok, since you didn’t mention that before, that would be a possible source of error.
Check the logs, but it’s probably related to the deprecation of compression. OpenVPN 2.6 now requires a flag client-side to enable it as it is known to be the cause of too many vulnerabilities.
Add
comp-lzo yes allow-compression yesTo your config and try again. If it still doesn’t work set log level to 4, redact personal info and post the logs.
compression was already enabled in config (the config is given to us by institute), i will reply with logs
i tried to change the verbosity level in config (it was 3, i did with 4 and 6), nothing came, and for some reason, nothing is coming in journalctl logs also
You can try running it directly,
sudo openvpn --config yourconf.ovpnThat will also tell us if NetworkManager is at fault.
2024-05-12 23:51:46 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 2024-05-12 23:51:47 TCP/UDP: Preserving recently used remote address: *********** 2024-05-12 23:51:47 Socket Buffers: R=[212992->212992] S=[212992->212992] 2024-05-12 23:51:47 UDPv4 link local: (not bound) 2024-05-12 23:51:47 UDPv4 link remote: ****************** 2024-05-12 23:51:47 TLS: Initial packet from ************* 2024-05-12 23:51:47 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2024-05-12 23:51:47 VERIFY OK: depth=1, C=IN, *************** 2024-05-12 23:51:47 VERIFY OK: depth=0, C=IN, *************** 2024-05-12 23:51:48 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 3072 bits RSA, signature: RSA-SHA256, peer temporary key: 1024 bits DH 2024-05-12 23:51:48 [vpn.*******] Peer Connection Initiated with **************** 2024-05-12 23:51:48 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1 2024-05-12 23:51:48 TLS: tls_multi_process: initial untrusted session promoted to trusted 2024-05-12 23:51:49 SENT CONTROL [vpn.iitd.ac.in]: 'PUSH_REQUEST' (status=1) 2024-05-12 23:51:49 PUSH: Received control message: ************ 2024-05-12 23:51:49 OPTIONS IMPORT: --ifconfig/up options modified 2024-05-12 23:51:49 OPTIONS IMPORT: route options modified 2024-05-12 23:51:49 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified 2024-05-12 23:51:49 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server. 2024-05-12 23:51:49 ERROR: Failed to apply push options 2024-05-12 23:51:49 Failed to open tun/tap interface 2024-05-12 23:51:49 SIGUSR1[soft,process-push-msg-failed] received, process restarting 2024-05-12 23:51:49 Restart pause, 1 second(s)this repeats over and over, i killed it, also i tried to connect with our vpn a year or 2 ago this method, and had same/similar errors even back then, and it only used to worked with network manager
sorry for editing it heavily, but would love to not be doxxed
ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.That’s your error. So I think
data-ciphers AES-128-CBCIn your config should resolve this. Basically there’s some issues with CBC and it’s now off by default.
