OpenVPN stopped working on network manager

I’ve had this setup for openVPN for years on Network Manager and, other than the odd cert needing to be updated, it has always worked. Now it won’t start. Looking at the logs I get these errors:

Jul 13 19:07:55 quark nm-openvpn[71598]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.10)
Jul 13 19:07:55 quark nm-openvpn[71598]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
Jul 13 19:07:55 quark nm-openvpn[71598]: ERROR: Failed to apply push options
Jul 13 19:07:55 quark nm-openvpn[71598]: Failed to open tun/tap interface

I have no idea how, or even if it’s possible, to modify some config files to fix these errors. I guess I could learn to launch openVPN from the command line, not going through NM, and I could learn the settings for files in /etc/openvpn for that, but I would rather just get it back to working through NM if possible.

Of the two errors: ... [PUSH-OPTIONS]:4 ... I would imagine just an entry in a config file could fix it.

And ...('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305')... I don’t really get, because AES-256-CBC is, and has been, selected for a very long time. However, when I looked at the list of ciphers I saw two lines with the words “and” and some other three-letter word (I don't remember which) that clearly are not ciphers, so I suspect there is a bug or corrupt file somewhere messing up knowing what cipher is being selected.

Any help appreciated.

You didn’t share your config file, but do you have the following entry included in your .ovpn file?

data-ciphers AES-256-CBC

This might be of relevance:
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

AFAIU, the block-outside-dns directive is for windows hosts, so can be ignored.

Show your actual connection profile.

Where is it? I just set it up through Network Manager and have no idea where the config files for it are.

You can post full output of nmcli connection show ... or the file in /etc/NetworkManager/system-connections/ (the names are normally derived from the connections names).

Here’s the configuration.

[connection]
id=SmartDNSProxy VPN
uuid=9ab42d89-c778-4b02-9fc7-edac30b5c0ae
type=vpn
permissions=user:reg:;

[vpn]
auth=SHA256
ca=/etc/ssl/smart-dns-proxy/serverlocation.crt
cipher=AES-256-CBC
connection-type=password
dev-type=tun
float=no
mssfix=no
password-flags=1
port=1194
proto-tcp=no
remote=nl-am-smart.serverlocation.co
remote-cert-tls=server
remote-random=no
ta=/etc/ssl/smart-dns-proxy/tls.crt
ta-dir=1
tun-ipv6=no
username=RegWorkstationVPN
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns=54.229.171.243;54.183.15.10;8.8.8.8;8.8.4.4;
ignore-auto-dns=true
may-fail=false
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=auto

[proxy]

I see your [vpn] section has already “cipher=AES-256-CBC” but the error has “Add the server’s cipher (‘AES-256-CBC’) to --data-ciphers (currently ‘AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305’) if you want to connect to this server.”, notice data-ciphers instead of cipher.

Then found:

So it looks like cipher should be replaced by data-ciphers for more recent versions. Can you give that a try?

@Reg_gie You can directly edit this file.

systemctl stop NetworkManager.service
edit file
systemctl start NetworkManager.service

I would add data-ciphers instead of replacing cipher. I believe --cipher is still used by OpenVPN, just not for TLS negotiation, so it is better to leave it.

Or you can use nmcli to modify connection.

nmcli connection modify 9ab42d89-c778-4b02-9fc7-edac30b5c0ae vpn.data-ciphers AES-256-CBC

FYI, the openvpn parameter for TLS negotiation is --tls-cipher. The --cipher parameter is only relevant for the data channel; it does not affect the TLS negotiation. Maybe this snippet from the man page could be helpful:

# man openvpn
.......
 --cipher alg
              This option should not be used any longer in TLS mode and still exists for two reasons:

              • compatibility with old configurations still carrying it around;

              • allow users connecting to OpenVPN peers older than 2.6.0 to have --cipher configured the same way as the remote counterpart.
                This can avoid MTU/frame size warnings.

              Before 2.4.0, this option was used to select the cipher to be configured on the data channel, however, later versions usually
              ignored this directive in favour of a negotiated cipher. Starting with 2.6.0, this option is always ignored in TLS mode when it
              comes to configuring the cipher and will only control the cipher for --secret pre-shared-key mode (note: this mode is deprecated
              and strictly not recommended).

              If you wish to specify the cipher to use on the data channel, please see --data-ciphers (for regular negotiation) and
              --data-ciphers-fallback (for a fallback option when the negotiation cannot take place because the other peer is old or has
              negotiation disabled).

              To see ciphers that are available with OpenVPN, use the --show-ciphers option.

              Set alg to none to disable encryption.

  ......

  --data-ciphers cipher-list
              Restrict the allowed ciphers to be negotiated to the ciphers in cipher-list. cipher-list is a colon-separated list of ciphers,
              and defaults to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 when Chacha20-Poly1305 is available and otherwise
              AES-256-GCM:AES-128-GCM.

              For servers, the first cipher from cipher-list that is also supported by the client will be pushed to clients that support
              cipher negotiation.

              For more details see the chapter on Data channel cipher negotiation. Especially if you need to support clients with OpenVPN
              versions older than 2.4!

              Starting with OpenVPN 2.6 a cipher can be prefixed with a ? to mark it as optional. This allows including ciphers in the list
              that may not be available on all platforms. E.g. AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305 would only enable Chacha20-Poly1305
              if the underlying SSL library (and its configuration) supports it.

              Cipher negotiation is enabled in client-server mode only. I.e. if --mode is set to server (server-side, implied by setting
              --server ), or if --pull is specified (client-side, implied by setting --client).

              If no common cipher is found during cipher negotiation, the connection is terminated. To support old clients/old servers that do
              not provide any cipher negotiation support see --data-ciphers-fallback.

              If --compat-mode is set to a version older than 2.5.0 the cipher specified by --cipher will be appended to --data-ciphers if not
              already present.

              This list is restricted to be 127 chars long after conversion to OpenVPN ciphers.

              This option was called --ncp-ciphers in OpenVPN 2.4 but has been renamed to --data-ciphers in OpenVPN 2.5 to more accurately
              reflect its meaning.

If I change the line cipher=AES-256-CBC to data-ciphers=AES-256-CBC it still doesn’t connect, but it tries.

If I do this line:

nmcli connection modify 4239f78c-3d76-4714-b7da-f679dbb012b7 vpn.data-ciphers AES-256-CBC

(the UUID is different because I tried creating the VPN setup from scratch in the NM UI to see if it did anything different in the parameters but nothing useful came of it)

it gives this error:

Error: invalid property 'data-ciphers': 'data-ciphers' not among [service-type, user-name, data, secrets, persistent, timeout].

I looked for data-ciphers in YaST software management and couldn’t find anything to install.

When trying to connect with data-ciphers it now gives:

Jul 26 16:21:04 quark NetworkManager[523111]: <info>  [1722036064.0206] vpn[0x560a332554a0,4239f78c-3d76-4714-b7da-f679dbb012b7,"SmartDNSProxy"]: starting openvpn
Jul 26 16:21:04 quark NetworkManager[523111]: <info>  [1722036064.0215] audit: op="connection-activate" uuid="4239f78c-3d76-4714-b7da-f679dbb012b7" name="SmartDNSProxy" pid=38600 uid=1000 result="success"
Jul 26 16:21:04 quark kded6[38442]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Jul 26 16:21:04 quark kded6[38442]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark systemsettings[517816]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark plasmashell[38600]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark kded6[38442]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark systemsettings[517816]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark plasmashell[38600]: kf.networkmanagerqt: void NetworkManager::ConnectionPrivate::onPropertiesChanged(const QVariantMap&) Unhandled property "VersionId"
Jul 26 16:21:04 quark kded6[38442]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::Connecting
Jul 26 16:21:04 quark nm-openvpn[524462]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jul 26 16:21:04 quark nm-openvpn[524462]: OpenVPN 2.6.10 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]
Jul 26 16:21:04 quark nm-openvpn[524462]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
Jul 26 16:21:04 quark nm-openvpn[524462]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 26 16:21:04 quark nm-openvpn[524462]: TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.143.132:1194
Jul 26 16:21:04 quark nm-openvpn[524462]: UDPv4 link local: (not bound)
Jul 26 16:21:04 quark nm-openvpn[524462]: UDPv4 link remote: [AF_INET]46.166.143.132:1194
Jul 26 16:21:04 quark nm-openvpn[524462]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jul 26 16:22:03 quark NetworkManager[523111]: <warn>  [1722036123.9555] vpn[0x560a332554a0,4239f78c-3d76-4714-b7da-f679dbb012b7,"SmartDNSProxy"]: connect timeout exceeded
Jul 26 16:22:03 quark nm-openvpn-serv[524456]: Connect timer expired, disconnecting.
Jul 26 16:22:03 quark nm-openvpn[524462]: event_wait : Interrupted system call (fd=-1,code=4)
Jul 26 16:22:03 quark nm-openvpn[524462]: SIGTERM received, sending exit notification to peer
Jul 26 16:22:04 quark nm-openvpn[524462]: SIGTERM[soft,exit-with-notification] received, process exiting

Finally got it. It seems since I last tried my IP address changed so I had to go to my VPN provider and update my IP address.

Also, I noticed that when I add DNS entries through my NM UI that it doesn’t go into the config file so I had to add:

dns=54.229.171.243;54.183.15.10;

manually.

Yes, I was mistaken. VPN-specific properties are the value of the vpn.data top-level property, which is a dictionary of (name, value). nmcli itself has no visibility into which additional names are supported. I am not sure if it is possible to change/add just a single item using nmcli or if it always must be the full set.

It is possible

nmcli connection modify testvpn +vpn.data data-ciphers=AES-256-CBC
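An added example (not from the thread or from the NetworkManager project) that puts the two fixes discussed above into one script: it pulls the cipher the server insists on out of the nm-openvpn "failed to negotiate cipher" line, then adds a matching data-ciphers= key to the [vpn] section of the keyfile while leaving the existing cipher= key alone, which is what the keyfile edit and the +vpn.data nmcli call both do. SAMPLE_LOG is the error line quoted in the first post; SAMPLE_KEYFILE is a constructed, abridged keyfile (the remote name is a placeholder); the script assumes keyfile sections are separated by a blank line, as NetworkManager writes them.

```shell
#!/bin/sh
# Added example: derive the data-ciphers fix from the nm-openvpn log and apply
# it to a NetworkManager keyfile. Sample log and keyfile below are constructed.

# The journal line from the thread that names the server-side cipher.
SAMPLE_LOG="Jul 13 19:07:55 quark nm-openvpn[71598]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server."

# Constructed, abridged keyfile (remote is a placeholder, no secrets).
SAMPLE_KEYFILE='[connection]
id=SmartDNSProxy VPN
type=vpn

[vpn]
auth=SHA256
cipher=AES-256-CBC
remote=vpn.example.net
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto'

# Print the cipher named in a "failed to negotiate cipher" message; prints
# nothing if the text contains no such message.
extract_server_cipher() {
    printf '%s\n' "$1" | sed -n "s/.*Add the server's cipher ('\([^']*\)').*/\1/p"
}

# Read a keyfile on stdin and write it back with "data-ciphers=<list>" in the
# [vpn] section. An existing data-ciphers line is replaced, not duplicated;
# cipher= is kept (OpenVPN >= 2.6 ignores it in TLS mode, see the man page).
add_data_ciphers() {
    awk -v list="$1" '
        # Reaching the end of [vpn] (blank line or next header) without having
        # replaced an existing data-ciphers line: emit one here.
        in_vpn && !done && ($0 == "" || /^\[/) { print "data-ciphers=" list; done = 1 }
        /^\[/ { in_vpn = ($0 == "[vpn]") }
        in_vpn && /^data-ciphers=/ { print "data-ciphers=" list; done = 1; next }
        { print }
        END { if (in_vpn && !done) print "data-ciphers=" list }
    '
}

# Tie both steps together on the samples; fails if the log shows no
# negotiation error (then data-ciphers is not the problem).
fix_keyfile() {
    cipher=$(extract_server_cipher "$SAMPLE_LOG")
    [ -n "$cipher" ] || { echo "no cipher negotiation error in log" >&2; return 1; }
    printf '%s\n' "$SAMPLE_KEYFILE" | add_data_ciphers "$cipher"
}

# Standalone run: show the patched keyfile and the equivalent nmcli call.
fix_keyfile
echo "# equivalent: nmcli connection modify <uuid> +vpn.data data-ciphers=$(extract_server_cipher "$SAMPLE_LOG")"
```

After editing the real file under /etc/NetworkManager/system-connections/, `nmcli connection reload` makes NetworkManager re-read it without a service restart. Keep the list to exactly the cipher the server requires: AES-256-CBC is not an AEAD mode, so it is a step down from the 2.6 defaults, and the right long-term fix is for the provider to offer AES-256-GCM.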
