I’ve had this setup for OpenVPN for years on Network Manager and, other than the odd cert. needing to be updated, it has always worked. Now it won’t start. Looking at the logs I get these errors:
Jul 13 19:07:55 quark nm-openvpn[71598]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.10)
Jul 13 19:07:55 quark nm-openvpn[71598]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
Jul 13 19:07:55 quark nm-openvpn[71598]: ERROR: Failed to apply push options
Jul 13 19:07:55 quark nm-openvpn[71598]: Failed to open tun/tap interface
I have no idea how to modify the config files to fix these errors, or even whether it’s possible. I guess I could learn to launch OpenVPN from the command line, not going through NM, and I could learn the settings for the files in /etc/openvpn for that, but I would rather just get it working through NM again if possible.
Of the two errors: ... [PUSH-OPTIONS]:4 ... I would imagine just an entry in a config file could fix it,
and ...('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305')... I don’t really get, because AES-256-CBC is, and has been for a very long time, the selected cipher. However, when I looked at the list of ciphers I saw two lines containing the word “and” and some other 3-letter word (I don’t remember which) that clearly are not ciphers, so I suspect there is a bug or corrupt file somewhere messing up which cipher is being selected.
You can post the full output of nmcli connection show ... or the file in /etc/NetworkManager/system-connections/ (the names are normally derived from the connection names).
I see your [vpn] section already has “cipher=AES-256-CBC”, but the error says “Add the server’s cipher (‘AES-256-CBC’) to --data-ciphers (currently ‘AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305’) if you want to connect to this server.”; notice data-ciphers instead of cipher.
Then found:
So it looks like cipher should be replaced by data-ciphers for more recent versions. Can you give that a try?
I would add data-ciphers instead of replacing cipher. I believe --cipher is still used by OpenVPN, just not for TLS negotiation, so it is better to leave it.
FYI the OpenVPN parameter for TLS negotiation is --tls-cipher. The --cipher parameter is only relevant for the data channel; it does not affect the TLS negotiation. Maybe this snippet from the man page could be helpful:
# man openvpn
.......
--cipher alg
This option should not be used any longer in TLS mode and still exists for two reasons:
• compatibility with old configurations still carrying it around;
• allow users connecting to OpenVPN peers older than 2.6.0 to have --cipher configured the same way as the remote counterpart. This can avoid MTU/frame size warnings.
Before 2.4.0, this option was used to select the cipher to be configured on the data channel, however, later versions usually ignored this directive in favour of a negotiated cipher. Starting with 2.6.0, this option is always ignored in TLS mode when it comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated and strictly not recommended).
If you wish to specify the cipher to use on the data channel, please see --data-ciphers (for regular negotiation) and --data-ciphers-fallback (for a fallback option when the negotiation cannot take place because the other peer is old or has negotiation disabled).
To see ciphers that are available with OpenVPN, use the --show-ciphers option.
Set alg to none to disable encryption.
......
--data-ciphers cipher-list
Restrict the allowed ciphers to be negotiated to the ciphers in cipher-list. cipher-list is a colon-separated list of ciphers, and defaults to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 when Chacha20-Poly1305 is available and otherwise AES-256-GCM:AES-128-GCM.
For servers, the first cipher from cipher-list that is also supported by the client will be pushed to clients that support cipher negotiation.
For more details see the chapter on Data channel cipher negotiation. Especially if you need to support clients with OpenVPN versions older than 2.4!
Starting with OpenVPN 2.6 a cipher can be prefixed with a ? to mark it as optional. This allows including ciphers in the list that may not be available on all platforms. E.g. AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305 would only enable Chacha20-Poly1305 if the underlying SSL library (and its configuration) supports it.
Cipher negotiation is enabled in client-server mode only. I.e. if --mode is set to server (server-side, implied by setting --server), or if --pull is specified (client-side, implied by setting --client).
If no common cipher is found during cipher negotiation, the connection is terminated. To support old clients/old servers that do not provide any cipher negotiation support see --data-ciphers-fallback.
If --compat-mode is set to a version older than 2.5.0 the cipher specified by --cipher will be appended to --data-ciphers if not already present.
This list is restricted to be 127 chars long after conversion to OpenVPN ciphers.
This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed to --data-ciphers in OpenVPN 2.5 to more accurately reflect its meaning.
(the UUID is different because I tried creating the VPN setup from scratch in the NM UI to see if it did anything different in the parameters but nothing useful came of it)
It gives this error:
Error: invalid property 'data-ciphers': 'data-ciphers' not among [service-type, user-name, data, secrets, persistent, timeout].
I looked for data-ciphers in YaST software management and couldn’t find anything to install.
When trying to connect with data-ciphers it now gives:
Jul 26 16:21:04 quark NetworkManager[523111]: <info> [1722036064.0206] vpn[0x560a332554a0,4239f78c-3d76-4714-b7da-f679dbb012b7,"SmartDNSProxy"]: starting openvpn
Jul 26 16:21:04 quark NetworkManager[523111]: <info> [1722036064.0215] audit: op="connection-activate" uuid="4239f78c-3d76-4714-b7da-f679dbb012b7" name="SmartDNSProxy" pid=38600 uid=1000 result="success"
Jul 26 16:21:04 quark kded6[38442]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::NeedAuth
Jul 26 16:21:04 quark kded6[38442]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark systemsettings[517816]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark plasmashell[38600]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark kded6[38442]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark systemsettings[517816]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark plasmashell[38600]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark kded6[38442]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::Connecting
Jul 26 16:21:04 quark nm-openvpn[524462]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jul 26 16:21:04 quark nm-openvpn[524462]: OpenVPN 2.6.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Jul 26 16:21:04 quark nm-openvpn[524462]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Jul 26 16:21:04 quark nm-openvpn[524462]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 16:21:04 quark nm-openvpn[524462]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.143.132:1194
Jul 26 16:21:04 quark nm-openvpn[524462]: UDPv4 link local: (not bound)
Jul 26 16:21:04 quark nm-openvpn[524462]: UDPv4 link remote: [AF_INET]46.166.143.132:1194
Jul 26 16:21:04 quark nm-openvpn[524462]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jul 26 16:22:03 quark NetworkManager[523111]: <warn> [1722036123.9555] vpn[0x560a332554a0,4239f78c-3d76-4714-b7da-f679dbb012b7,"SmartDNSProxy"]: connect timeout exceeded
Jul 26 16:22:03 quark nm-openvpn-serv[524456]: Connect timer expired, disconnecting.
Jul 26 16:22:03 quark nm-openvpn[524462]: event_wait : Interrupted system call (fd=-1,code=4)
Jul 26 16:22:03 quark nm-openvpn[524462]: SIGTERM received, sending exit notification to peer
Jul 26 16:22:04 quark nm-openvpn[524462]: SIGTERM[soft,exit-with-notification] received, process exiting
Yes, I was mistaken. VPN-specific properties are the value of the vpn.data top-level property, which is a dictionary of (name, value). nmcli itself has no visibility into which additional names are supported. I am not sure if it is possible to change/add just a single item using nmcli or whether it always must be the full set.
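As an added example (not from anyone in this thread), here is the keyfile route the earlier replies point at: keep the existing cipher= line in the [vpn] section and add a data-ciphers= line that lists the OpenVPN 2.6 defaults first and the server's AES-256-CBC last, so the AEAD ciphers stay preferred and only this legacy server falls back to CBC. It assumes the usual NetworkManager keyfile layout and that the NetworkManager-openvpn plugin accepts a "data-ciphers" key; the sample keyfile is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a standard NetworkManager
# keyfile ([vpn] section with key=value lines) and that nm-openvpn reads a
# "data-ciphers" key from vpn.data.

# Build the cipher list: OpenVPN 2.6 defaults first (AEAD ciphers win when the
# server supports them), then the server's legacy cipher if it is not already
# present, so negotiation no longer fails against this one server.
data_ciphers_for() {
    server_cipher="$1"
    defaults="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
    case ":$defaults:" in
        *":$server_cipher:"*) printf '%s\n' "$defaults" ;;
        *) printf '%s:%s\n' "$defaults" "$server_cipher" ;;
    esac
}

# Insert (or replace) data-ciphers= inside the [vpn] section of the keyfile
# read from stdin; the result goes to stdout. Other sections are untouched
# and the existing cipher= line is deliberately left in place.
add_data_ciphers() {
    list="$1"
    awk -v list="$list" '
        /^\[/ { if (invpn && !done) { print "data-ciphers=" list; done = 1 }
                invpn = ($0 == "[vpn]") }
        invpn && /^data-ciphers=/ { print "data-ciphers=" list; done = 1; next }
        invpn && /^$/ && !done    { print "data-ciphers=" list; done = 1 }
        { print }
        END { if (invpn && !done) print "data-ciphers=" list }
    '
}

# Constructed sample keyfile, a shortened stand-in for
# /etc/NetworkManager/system-connections/<name>.nmconnection.
sample_keyfile() {
    cat <<'EOF'
[connection]
id=SmartDNSProxy
type=vpn

[vpn]
cipher=AES-256-CBC
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto
EOF
}

# Example: sample_keyfile | add_data_ciphers "$(data_ciphers_for AES-256-CBC)"
```

After editing the real keyfile as root, run `nmcli connection reload` so NetworkManager picks up the change; the same value should also be settable with nmcli's `+vpn.data "data-ciphers=..."` form, which (as far as I know) adds a single dictionary item rather than replacing the whole set.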