All: The way I finally had to do this was to open konsole and do it from the command line once I got my “.ovpn” file from the ISP. I just installed openvpn using YaST, then did the command line startup (below). After starting it, I tested my IP address with Firefox and it shows the VPN address, so I know it is working (I’m also using NetworkManager, but not for the VPN part - NM doesn’t seem to know there’s a VPN running, but the system does… also, I can’t find a way to enter the “.ovpn” file into NetworkManager or in the YaST VPN setup tool).
The problem with this solution is that I don’t know how to automate the process. I guess I could have backgrounded it - but maybe there’s a initialization daemon or something I can invoke to make the startup automatic right after booting. Anyone know? Also, it might be useful to have kwallet store the username and password. I noticed there was a NetworkManager-openvpn package, but I haven’t figured out how to use that yet (especially with the “.ovpn” file).
patti@linux:~/Desktop/ISOs/00_VPN> sudo openvpn provider_file.ovpn
[sudo] password for root:
Fri Nov 30 21:08:11 2018 OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
Fri Nov 30 21:08:11 2018 library versions: OpenSSL 1.1.0i-fips 14 Aug 2018, LZO 2.10
Enter Auth Username: **********
Enter Auth Password: **********
Fri Nov 30 21:08:37 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:****
Fri Nov 30 21:08:37 2018 Attempting to establish TCP connection with [AF_INET]***.***.***.***:**** [nonblock]
Fri Nov 30 21:08:38 2018 TCP connection established with [AF_INET]174.128.226.18:501
Fri Nov 30 21:08:38 2018 TCP_CLIENT link local: (not bound)
Fri Nov 30 21:08:38 2018 TCP_CLIENT link remote: [AF_INET]174.128.226.18:501
Fri Nov 30 21:08:38 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Nov 30 21:08:39 2018 [9336ebb85cd160ac7db71525a55797d7] Peer Connection Initiated with [AF_INET]***.***.***.***:****
Fri Nov 30 21:08:40 2018 TUN/TAP device tun0 opened
Fri Nov 30 21:08:40 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Nov 30 21:08:40 2018 /bin/ip link set dev tun0 up mtu 1500
Fri Nov 30 21:08:40 2018 /bin/ip addr add dev tun0 local 10.35.1.10 peer 10.35.1.9
Fri Nov 30 21:08:40 2018 Initialization Sequence Completed
Since you are using NetworkManager, you’re best advised to create/manage the OpenVPN connection using NM as well IMO. You could try importing the .ovpn file using
sudo nmcli connection import type openvpn /path/to/your.ovpn
The VPN connection should then be present in your connection list…
User Certificate /etc/openvpn/client1.crt
CA Certificate /etc/openvpn/ca.crt
Private Key /etc/openvpn/client1.key
The .ovpn file is a plain text file conataining with the required certifiacates and key embedded, and can extract these manually
All text between ‘<ca>’ and '</ca>'will be used to create ‘**ca.crt’;
All text between ‘<cert>’ and ‘</cert>’ will be used to create ‘**client.crt’;
All text between ‘<key>’ and ‘</key>’ will be used to create ‘**client.key’.
A user has written a nice little script to do the necessary
Part of the problem may be that my .ovpn file only has
<ca>
-----BEGIN CERTIFICATE-----
<crl-verify>
-----BEGIN X509 CRL-----
…and the only appearance of the word “key” is “persist-key”
from the command line, openvpn seems to be able to use the .ovpn file, and NM can import the .ovpn file (instead of creating an openvpn connection, I “Import VPN connection”) - but it cannot seem to connect. I note it imports it as a connection type “password,” and it appears to use only the CA certificate.
Unfortunately, that means there’s some unexpected parameter (or perhaps sysntax) in the file. Without further inspection it would not be obvious about whether NM is mishandling this file, or if the file has some provider-specific ‘custom’ parameters within it.
FWIW, there’s an example ‘created’ .ovpn file shown in this howto.
I note that the is used by some VPN providers for the provision of Certificate Revocation Lists (to help with identifying compromised/revoked server certificates and prevent MITM attacks). There are a number of bug reports describing this issue, and in particular I found this upstream bug report that seems to be pertinent… https://bugzilla.gnome.org/show_bug.cgi?id=782309
It looks like there is a fix implemented upstream, but it doesn’t appear to have been applied with the NM version used in Leap 15. I had a quick look at the changelog for the ‘NetworkManager-openvpn’ package used in Leap 15 and I don’t see that bug #782309 referenced…
rpm -q --changelog NetworkManager-openvpn
You might want to consider raising an openSUSE bug report, or add to the upstream bug report perhaps.
Thank you deano - I thought it might be something like that with NM. I’ll keep fiddling around with it. For now, just running openvpn from the command line seems to work correctly - the openvpn executable appears to know how to deal with the format/setup implied by my “.ovpn” file. The browser and command line both use the “tun0” port which openvpn creates from a command line invocation.
If you’re always going to want this VPN activated upon the underlying ethernet connection, then you could consider automating the activation via the use of a NetworkManager dispatcher script…
Been awhile since I’ve set up a vPN using NM,
But, somewhere inmy fuzzy memory I seem to remember that
If you’re asked to import a certificate, then you just point to the file and as long as the file is in a supported format (eg PEM) then it should import without a problem.
If you’re asked to provide the certificate (ie not import a file but asking for the certificate contents), then you need to open up the file and copy/paste the certificate <between the tags> and <not including the tags>. That may be your issue.
Of course, I’m just relying on memory of this quirk from long ago, and may not apply to your situation.
Thanks - yes, I found the import part (instead of choosing to create a new Openvpn connection, you choose “Other -> import VPN connection” and it seems import without error), but the resulting connection doesn’t actually do anything when selecting “connect.” So NM seems to go through the effort of storing credentials, but can’t connect.
Invoking openvpn from the command line (with my .ovpn file as an argument) seems to work. Using the NM dispatcher seems complicated. I haven’t tried that approach yet. Maybe something I’m missing with NM which will make it work will become obvious…
Can you open the log using “sudo journalctl -b” and search for lines starting with “nm-openvpn”, if you tried multiple times, check the time and find the last group.
For me (successful connection, addresses removed) that shows:
nm-openvpn[4677]: OpenVPN 2.4.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
nm-openvpn[4677]: library versions: OpenSSL 1.1.0h-fips 27 Mar 2018, LZO 2.10
nm-openvpn[4677]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
nm-openvpn[4677]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
NetworkManager[1474]: <info> [1544342297.0470] audit: op="statistics" arg="refresh-rate-ms" pid=2270 uid=1000 result="success"
nm-openvpn[4677]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx.:xxx
nm-openvpn[4677]: UDP link local: (not bound)
nm-openvpn[4677]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx.:xxx
nm-openvpn[4677]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
NetworkManager[1474]: <info> [1544342297.0549] audit: op="statistics" arg="refresh-rate-ms" pid=2270 uid=1000 result="success"
nm-openvpn[4677]: [openvpn.xxxxxx.com] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx.:xxx
nm-openvpn[4677]: TUN/TAP device tun0 opened
nm-openvpn[4677]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 4674 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 1553 yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz init
NetworkManager[1474]: <info> [2744374303.6513] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
systemd-udevd[4683]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
NetworkManager[1474]: <info> [2744374303.6596] vpn-connection[0x564963f18360,3bbf61c5-0581-4945-9282-e32421048112,"Connection Name",0]: VPN connection: (IP Config Get) reply received.
nm-openvpn[4677]: GID set to nm-openvpn
nm-openvpn[4677]: UID set to nm-openvpn
nm-openvpn[4677]: Initialization Sequence Completed
Very likely for you there will be some error listed, if it makes sense, try to solve it yourself, if not please post that output (with address remove and between code tags)
