After upgrade to 15.6, cannot connect to Sonic VPN

System is KDE plasma. After upgrade to 15.6, connecting to Sonic VPN (ovpn.sonic.net) asks for a password, then fails with correct account password. Connection settings are exactly the same as 15.5, which never asked for a password, and connected easily. 15.6 will connect to PIA VPN.
Network info is:

howard@X201-oS15KDE:~> inxi -Nna
Network:
  Device-1: Intel 82577LM Gigabit Network vendor: Lenovo driver: e1000e
    v: kernel port: 1820 bus-ID: 00:19.0 chip-ID: 8086:10ea class-ID: 0200
  IF: eth0 state: down mac: 5c:ff:35:0c:fd:16
  Device-2: Intel Centrino Advanced-N 6200 driver: iwlwifi v: kernel pcie:
    gen: 1 speed: 2.5 GT/s lanes: 1 bus-ID: 02:00.0 chip-ID: 8086:4239
    class-ID: 0280
  IF: wlan1 state: up mac: 00:23:14:7c:83:e4
  IF-ID-1: tun0 state: unknown speed: 10000 Mbps duplex: full mac: N/A
howard@X201-oS15KDE:~> 

What’s with the password requirement for Sonic in 15.6 NetworkManager?
Thanks,
Howard

I just read this topic and, assuming Internet access without your VPN is working, I think it is a similar problem.

So can you provide your Network Manager log using “sudo journalctl -fu NetworkManager”?

Internet connection works without VPN, and with PIA VPN. Problem is not connecting to Sonic VPN after upgrade to 15.6.

Thanks for the reference, but it is not the same issue. The Sonic ovpn file does not contain the word “keysize” anywhere.

I have two laptops side-by-side, one with 15.5 (using NetworkManager 1.38.6-150500.3.2.1 and openvpn 2.5.6-150400.3.6.1) and this one with 15.6 (using NetworkManager 1.44.2-150600.3.2.1 and openvpn 2.6.8-150600.1.5).

Both machines have exactly the same Sonic profile in NetworkManager. The 15.5 machine connects to Sonic correctly. The 15.6 machine asks for a password, then fails with everything I have tried.

Network Manager log after trying to connect to Sonic is:

howard@X201-oS15KDE:~> sudo journalctl -fu NetworkManager
[sudo] password for root: 
Aug 11 13:52:18 X201-oS15KDE nm-openvpn[4624]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 11 13:52:18 X201-oS15KDE nm-openvpn[4624]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]157.131.224.199:1194
Aug 11 13:52:19 X201-oS15KDE nm-openvpn[4624]: AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
Aug 11 13:52:19 X201-oS15KDE nm-openvpn[4624]: SIGUSR1[soft,auth-failure] received, process restarting
Aug 11 13:52:22 X201-oS15KDE NetworkManager[1260]: <warn>  [1723409542.9964] vpn[0x5566aadf71b0,f594ef50-e208-4604-be11-308ce8a62c60,"Sonic"]: secrets: failed to request VPN secrets #4: User canceled the secrets request.
Aug 11 13:52:23 X201-oS15KDE nm-openvpn[4624]: ERROR: could not read Auth username/password/ok/string from management interface
Aug 11 13:52:23 X201-oS15KDE nm-openvpn[4624]: Exiting due to fatal error
Aug 11 13:52:30 X201-oS15KDE NetworkManager[1260]: <info>  [1723409550.2374] audit: op="statistics" interface="eth0" ifindex=2 args="500" pid=4767 uid=1000 result="success"
Aug 11 13:52:30 X201-oS15KDE NetworkManager[1260]: <info>  [1723409550.2402] audit: op="statistics" interface="wlan1" ifindex=3 args="500" pid=4767 uid=1000 result="success"
Aug 11 13:52:30 X201-oS15KDE NetworkManager[1260]: <info>  [1723409550.3434] audit: op="statistics" interface="wlan1" ifindex=3 args="500" pid=4767 uid=1000 result="success"
^C
howard@X201-oS15KDE:~> 

Any idea what is wrong with the 15.6 versions?
Thank you.

There was recent discussion that OpenVPN now ignores ciphers and needs data-ciphers. Could be your case.

Some progress. I edited the ovpn file, adding “data-cipher AES-128-CBC” so it reads:

# Extra user-defined configuration
cipher  AES-128-CBC
data-cipher AES-128-CBC
## -----BEGIN RSA SIGNATURE-----

I saved it with a new name and imported it into NetworkManager. When it tries to connect, there is no longer a request for a password, but it times out without connecting.

Network Manager log after trying to connect to Sonic is:

howard@X201-oS15KDE:~> sudo journalctl -fu NetworkManager
[sudo] password for root: 
Aug 12 10:52:24 X201-oS15KDE nm-openvpn[9510]: SIGUSR1[soft,server_poll] received, process restarting
Aug 12 10:52:24 X201-oS15KDE nm-openvpn[9510]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 12 10:52:24 X201-oS15KDE nm-openvpn[9510]: TCP/UDP: Preserving recently used remote address: [AF_INET]157.131.224.200:1194
Aug 12 10:52:24 X201-oS15KDE nm-openvpn[9510]: UDPv4 link local: (not bound)
Aug 12 10:52:24 X201-oS15KDE nm-openvpn[9510]: UDPv4 link remote: [AF_INET]157.131.224.200:1194
Aug 12 10:52:25 X201-oS15KDE NetworkManager[1256]: <info>  [1723485145.0902] audit: op="statistics" interface="wlan1" ifindex=3 args="2000" pid=3924 uid=1000 result="success"
Aug 12 10:52:25 X201-oS15KDE NetworkManager[1256]: <info>  [1723485145.0968] audit: op="statistics" interface="wlan1" ifindex=3 args="500" pid=4873 uid=1000 result="success"
Aug 12 10:52:42 X201-oS15KDE NetworkManager[1256]: <warn>  [1723485162.9718] vpn[0x5645514ed020,30e4e55a-071e-47a0-8d81-867995136cff,"Sonic-data2"]: connect timeout exceeded
Aug 12 10:52:42 X201-oS15KDE nm-openvpn-serv[9504]: Connect timer expired, disconnecting.
Aug 12 10:52:42 X201-oS15KDE nm-openvpn[9510]: SIGTERM[hard,] received, process exiting
^C
howard@X201-oS15KDE:~>

What else needs changing?
Thanks,
Howard

Can you locate the .ovpn file you are using and try from the command line:

openvpn --verb 4 <.ovpn file>

And share the log?

That did not work:

howard@X201-oS15KDE:~/Downloads> openvpn --verb 4 Sonic-data2.ovpn
Absolute path to 'openvpn' is '/usr/sbin/openvpn', so running it may require superuser privileges (eg. root).
howard@X201-oS15KDE:~/Downloads> sudo openvpn --verb 4 Sonic-data2.ovpn
[sudo] password for root: 
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: verb (2.6.8)
Use --help for more information.
howard@X201-oS15KDE:~/Downloads>

Regards,
Howard

That happens when you write down something from memory without checking. Yes, that is missing an argument; try adding --config:

sudo openvpn --verb 4 --config <.ovpn file>

That got something:

howard@X201-oS15KDE:~/Downloads> sudo openvpn --verb 4 --config Sonic-data2.ovpn
[sudo] password for root: 
Options error: Unrecognized option or missing or extra parameter(s) in Sonic-data2.ovpn:199: data-cipher (2.6.8)
Use --help for more information.
howard@X201-oS15KDE:~/Downloads> 

Interesting,
Howard

Likely the same issue as here, just remove line 199 of Sonic-data2.ovpn

The Sonic issue is different from the one you cite for Express vpn. Sonic ovpn files do not contain the word keysize anywhere.

I deleted line 199, with data-cipher, deleted the existing NM Sonic-data2 connection and created a new one by importing the revised ovpn file. It times out, does not connect.

I did get:

howard@X201-oS15KDE:~/Downloads> sudo openvpn --verb 4 --config Sonic-data2.ovpn
[sudo] password for root: 
2024-08-13 09:04:57 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-08-13 09:04:57 OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
2024-08-13 09:04:57 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Enter Auth Username: 
Failed to query password: Timer expired
Enter Auth Password: ********                
2024-08-13 09:07:56 ERROR: Failed retrieving username or password
2024-08-13 09:07:56 Exiting due to fatal error
howard@X201-oS15KDE:~/Downloads>

Note the “s” at the end of “data-ciphers”. That was not there previously. I put back a line “data-ciphers AES-128-CBC” and then get:

howard@X201-oS15KDE:~/Downloads> sudo openvpn --verb 4 --config Sonic-data2.ovpn
2024-08-13 09:08:24 OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
2024-08-13 09:08:24 library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Enter Auth Username: candh_sfo
Enter Auth Password: ********                
2024-08-13 09:08:59 TCP/UDP: Preserving recently used remote address: [AF_INET]157.131.224.199:1194
2024-08-13 09:08:59 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-08-13 09:08:59 UDPv4 link local: (not bound)
2024-08-13 09:08:59 UDPv4 link remote: [AF_INET]157.131.224.199:1194
2024-08-13 09:08:59 TLS: Initial packet from [AF_INET]157.131.224.199:1194, sid=0d5d982a 6bee9b78
2024-08-13 09:08:59 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-08-13 09:08:59 VERIFY OK: depth=1, CN=OpenVPN CA
2024-08-13 09:08:59 VERIFY KU OK
2024-08-13 09:08:59 Validating certificate extended key usage
2024-08-13 09:08:59 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-08-13 09:08:59 VERIFY EKU OK
2024-08-13 09:08:59 VERIFY OK: depth=0, CN=OpenVPN Server
2024-08-13 09:08:59 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-08-13 09:08:59 [OpenVPN Server] Peer Connection Initiated with [AF_INET]157.131.224.199:1194
2024-08-13 09:08:59 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-13 09:08:59 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-13 09:09:00 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
2024-08-13 09:09:00 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2024-08-13 09:09:00 SIGTERM[soft,auth-failure] received, process exiting
howard@X201-oS15KDE:~/Downloads> 

Again, cipher negotiation failed.

Puzzling,
Howard

Okay, can you try this trick:

Great, data-ciphers-fallback AES-128-CBC works.
Best regards,
Howard
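
The three profile states seen in this thread (legacy cipher only, the misspelled data-cipher line, and the working data-ciphers-fallback line) can be checked before importing a profile into NetworkManager. The script below is an added example, not part of the original posts and not an OpenVPN tool; the function names and the sample profile are constructed, and the default cipher list is the one printed in the 2.6.8 log above.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN client profile for the
# cipher directives discussed above. Prints one finding per line.

# Default --data-ciphers list, copied from the 2.6.8 log line in the thread.
DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

# First argument of an uncommented directive, e.g. "cipher AES-128-CBC".
ovpn_get() {
    awk -v d="$1" '$1 == d { print $2; exit }' "$2"
}

# Succeeds if cipher $1 appears in the colon-separated list $2.
in_list() {
    case ":$2:" in *":$1:"*) return 0 ;; *) return 1 ;; esac
}

audit_ovpn_ciphers() {
    f=$1
    cipher=$(ovpn_get cipher "$f")
    list=$(ovpn_get data-ciphers "$f")
    fallback=$(ovpn_get data-ciphers-fallback "$f")

    # The singular spelling is rejected as an unrecognized option by 2.6.8.
    if [ -n "$(ovpn_get data-cipher "$f")" ]; then
        echo "ERROR data-cipher: unrecognized option, remove it"
    fi
    # --cipher is ignored for negotiation unless it is also in --data-ciphers.
    if [ -n "$cipher" ] && [ -z "$fallback" ] &&
       ! in_list "$cipher" "${list:-$DEFAULT_DATA_CIPHERS}"; then
        echo "WARN cipher $cipher: ignored for negotiation, no data-ciphers-fallback set"
    fi
    # A fallback outside the default list pins a legacy cipher; record it.
    if [ -n "$fallback" ] && ! in_list "$fallback" "$DEFAULT_DATA_CIPHERS"; then
        echo "NOTE data-ciphers-fallback $fallback: not in default list $DEFAULT_DATA_CIPHERS"
    fi
}

# Constructed sample mirroring the thread's original profile (cipher only).
sample=$(mktemp)
printf 'client\ncipher  AES-128-CBC\n' > "$sample"
audit_ovpn_ciphers "$sample"
rm -f "$sample"
```

A clean result only means the profile parses and the deprecation warning is gone; whether negotiation succeeds still depends on the server, as the "no shared cipher" reply to data-ciphers AES-128-CBC in the thread shows. The NOTE line is worth keeping in a change record, since the fallback keeps the tunnel on AES-128-CBC rather than one of the AEAD ciphers in the default list.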
