Can't connect to openVPN

SpeccyMan · April 18, 2018, 7:59pm

Hi. I Can’t connect to openVPN.
Last connection made was in October 2017.
I’m on Tumbleweed and even if i import the openVPN configuration file i can’t establish connection. On Leap, however, it works like a charm!

is there any problem with recent version of networkmanager or openvpn?

Thanks

hendersj · April 18, 2018, 8:10pm

On Wed, 18 Apr 2018 18:06:01 +0000, SpeccyMan wrote:

> Hi. I Can’t connect to openVPN.
> Last connection made was in October 2017.
> I’m on Tumbleweed and even if i import the openVPN configuration file i
> can’t establish connection. On Leap, however, it works like a charm!
>
> is there any problem with recent version of networkmanager or openvpn?
>
> Thanks

Hard to say without more information.

What error messages or log messages do you get when you try to connect?

What server are you trying to connect to - yours, or someone else’s? (If
it’s someone else’s, you might ask them if they’ve made changes you need
to be aware of).

Jim

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

SpeccyMan · April 19, 2018, 7:15pm

Hi Jim. Thanks for your reply.

No there were no changes made. I would be aware of them. It’s an internal VPN network.
On Leap it works just fine (no changes made). But on Tumbleweed it used to work ok as well. I’ve made no changes to the connection on Tumbleweed but it suddenly stopped working.

As soon as i press “connect” on networkmanager it disconnects immediately.

Were can i find the log?

hendersj · April 19, 2018, 8:06pm

On Thu, 19 Apr 2018 17:16:01 +0000, SpeccyMan wrote:

> hendersj;2863017 Wrote:
>> On Wed, 18 Apr 2018 18:06:01 +0000, SpeccyMan wrote:
>>
>> > Hi. I Can’t connect to openVPN.
>> > Last connection made was in October 2017.
>> > I’m on Tumbleweed and even if i import the openVPN configuration file
>> i
>> > can’t establish connection. On Leap, however, it works like a charm!
>> >
>> > is there any problem with recent version of networkmanager or
>> > openvpn?
>> >
>> > Thanks
>>
>> Hard to say without more information.
>>
>> What error messages or log messages do you get when you try to connect?
>>
>> What server are you trying to connect to - yours, or someone else’s?
>> (If it’s someone else’s, you might ask them if they’ve made changes you
>> need to be aware of).
>>
>> Jim
>>
>> –
>> Jim Henderson openSUSE Forums Administrator Forum Use Terms &
>> Conditions at http://tinyurl.com/openSUSE-T-C
>
>
> Hi Jim. Thanks for your reply.
>
> No there were no changes made. I would be aware of them. It’s an
> internal VPN network.
> On Leap it works just fine (no changes made). But on Tumbleweed it used
> to work ok as well. I’ve made no changes to the connection on
> Tumbleweed but it suddenly stopped working.
>
> As soon as i press “connect” on networkmanager it disconnects
> immediately.
>
> Were can i find the log?

I’d probably start with dmesg - I don’t have the client installed on a
Linux box at the moment, but dmesg probably will include some output
related to it since NetworkManager is controlling the connection.

Jim

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

knurpht · April 19, 2018, 11:33pm

There was a thread in the factory mailing list about dropping vpnc in favor of openvpn. The archives are searchable, use something like ‘opensuse factory vpnc’.

hendersj · April 20, 2018, 12:02am

On Thu, 19 Apr 2018 21:36:01 +0000, Knurpht wrote:

> There was a thread in the factory mailing list about dropping vpnc in
> favor of openvpn. The archives are searchable, use something like
> ‘opensuse factory vpnc’.

Hmm, I remember that, but that wouldn’t affect someone who’s already
using openVPN, would it?

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

knurpht · April 20, 2018, 12:24am

I’m no VPN user, let alone expert. Just remembered seeing some thread on the factory ML re. VPNC being dropped and people having issues with IPSec

SpeccyMan · May 4, 2018, 6:46pm

Hi all, sorry for taking so long, but “real” life has been hitting me pretty hard lately

I’ve been messing around with this everytime i can…

I removed OpenVPN and reinstalled it again. It apparently solved some of the problems but using **journalctl -xe **i still get this errors:

Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf

and

Failed to start OpenVPN tunneling daemon instance using /etc/openvpn/server.conf

hendersj · May 4, 2018, 8:06pm

On Fri, 04 May 2018 16:56:03 +0000, SpeccyMan wrote:

> Hi all, sorry for taking so long, but “real” life has been hitting me
> pretty hard lately
>
> I’ve been messing around with this everytime i can…
>
> I removed OpenVPN and reinstalled it again. It apparently solved -some-
> of the problems but using *journalctl -xe *i still get this errors:
>
>
> Code:
> --------------------
> Options error: In [CMD-LINE]:1: Error opening configuration file:
> server.conf
> --------------------
>
> and
>
> Code:
> --------------------
> Failed to start OpenVPN tunneling daemon instance using
> /etc/openvpn/server.conf
> --------------------

Does the file indicated exist?

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

SpeccyMan · May 4, 2018, 8:53pm

No. It does not.

I created a new empty file with that name but even with those errors now gone it still does not connect.

SpeccyMan · May 15, 2018, 2:21pm

Upon more tests and research i’m getting this errors:

***
OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak***
***Cannot load certificate file /home/office/openvpnclient/client.crt
***

i also found this at the OpenVPN forum https://forums.openvpn.net/viewtopic.php?t=23979
Since it’s not a bug, does anyone have an idea on how to get around this?

I’m not being able to…

tks

hendersj · May 15, 2018, 5:45pm

On Tue, 15 May 2018 12:26:02 +0000, SpeccyMan wrote:

> Upon more tests and research i’m getting this errors:
>
>
> Code:
> --------------------
> -*
> OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too
> weak*-
> -*Cannot load certificate file /home/office/openvpnclient/client.crt
> *-
> --------------------
>
>
> i also found this at the OpenVPN forum
> https://forums.openvpn.net/viewtopic.php?t=23979 Since it’s not a bug,
> does anyone have an idea on how to get around this?

You need to create a stronger certificate - in recent years, several
certificate types have been deprecated as they’ve been found to have
weaknesses.

There are suggestions in the linked thread as to how to make this change.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

SpeccyMan · May 15, 2018, 6:15pm

yes, i’ve tried to set tls-cipher “DEFAULT:@SECLEVEL=0” but so that it would accept older certificates, but i just can’t seem to figure where should i do this change…

hendersj · May 15, 2018, 10:10pm

On Tue, 15 May 2018 16:16:03 +0000, SpeccyMan wrote:

> yes, i’ve tried to set tls-cipher “DEFAULT:@SECLEVEL=0” but so that it
> would accept older certificates, but i just can’t seem to figure where
> should i do this change…

Have you tried using the suggested easy-rsa scripts to set up the
certificates?

–
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

SpeccyMan · May 16, 2018, 5:07pm

No… I really have no idea how or where to do that.
I know there is supposed to also exist, somewhere, an option to “allow unsecure/old certificates”. This should solve the problem but i’ve searched nm5 from bottom to top and just can’t seem to find it.

I’ve also tried to manually add DEFAULT:@SECLEVEL=0 as suggested in the forum to the ovpn import config file with no luck either. I must be doing something wrong but i was not able to figure out what it is yet.

As i also have few free time, any help is very welcome

SpeccyMan · May 24, 2018, 7:42pm

Ok, i really need some light here, cause i’m tired of bumping my head against the wall over this!!!

I must be doing some “#$%&” step wrong somewhere!!!

I went into /etc/openvpn created a client.conf file where i added a single line

tls-cipher DEFAULT:@seclevel=0

i then went into the freaking terminal and entered

service openvpn restart

tried to reconnect with no luck… Please advise how the $%&/ do i make openvpn ignore the new security settings and keep on eating the old certificates

(sorry for all the “$%&/” but i’m about to shot the pc )

d3vnull · May 24, 2018, 11:48pm

Sorry, I can’t help with regression to weaker keys. Here is a link for creation of keys and setup:

https://en.opensuse.org/SDB:OpenVPN_Installation_and_Setup

SpeccyMan · June 11, 2018, 7:32pm

While not needing it anymore, here’s the solution to anyone else who still needs a temporary fix:

In **/etc/NetworkManager/system-connections
**
add tls-cipher=DEFAULT:@SECLEVEL=0 under the VPN section

Please note that everyone says this is not a solution, but a **last resource, temporary fix **just until new certificates get regenerated!!!