OpenVPN via NetworkManager times out; works through openvpn client

Hey there,

When using openvpn client directly, from command line (as root), the connection to VPN server works just fine. When attempting to connect via NetworkManager, it times out.

Both configurations use the same keys, hosts etc. Both record in the journal UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194 to the same host.

Network Manager starts openvpn service, and receives:
NetworkManager[2019]: <info> VPN connection ‘Some VPN’ (ConnectInteractive) reply received.

But eventually fails with:
NetworkManager[2019]: <warn> VPN connection ‘Some VPN’ connect timeout exceeded.

Is there a known issue with this?
Some special permission?
AppArmor policy that has to be set?
Is it failing because it is (ConnectInteractive) interactive and hides some user input?

openSUSE Leap 42.1; fresh install

Ok, so changing to TCP 443 worked. That means that user nm-openvpn is prohibited from opening connections to non-standard ports. How does one configure this in openSUSE?

Examine the NetworkManager log for more information. Open a terminal and do

sudo journalctl -fu NetworkManager

then attempt to activate the VPN connection. That might yield more clues.

Good catch! Not sure about this.

I’m using KDE Plasma NM front-end and don’t see where to add a custom gateway port, but this option apparently exists in the Gnome NM front-end via ‘Advanced’ in the VPN tab. You could try using the Gnome front-end for configuration instead (provided by NetworkManager-gnome).

There were no errors apart from final timeout. When looking at output of

/usr/lib/nm-openvpn-service --debug

All I see is a constant attempt to initiate a UDP connection.

I am pretty sure it is a permission thing. Not sure how to figure it out. Could it be an AppArmor/Firewall thing? I have no custom policies/rules.

Didn’t you already establish this was due to not being able to use a non-standard port?

Sorry, I used that term incorrectly. I meant non standard such as 80, 443, etc. I was trying to use the fairly standard (for OpenVPN) UDP port 1194, which appears to be either blocked by default (why would an outgoing connection be blocked by default) or prevented by some policy.

The location for setting a custom gateway port in KDE Plasma NetworkManager is at:
Connection Editor > Add > openVPN > Tab: VPN (openvpn), button labeled “Advanced” > Tab: General. It is the first parameter that can be edited. Many parameters can be edited from this location, including:

  • Custom gateway port
  • Custom tunnel MTU
  • Custom UDP fragment size
  • Use custom renegotiation interval
  • Set virtual device type (TUN/TAP)
  • Use LZO compression
  • Use TCP connection
  • Restrict TCP maximum segment size (MSS)
  • Randomize remote hosts

Other tabs available through the “Advanced” button include:

  • Security (choose cipher, custom cipher key size, and HMAC authentication type)
  • TLS Settings (Subject Match, Verify peer (server signature), Use additional TLS authentication (key file, key direction))
  • Proxies (Proxy Type (Not Required, HTTP, SOCKS), Server Address, Port, option: retry indefinitely when errors occur, Proxy Username, Proxy Password)

FWIW, I am using a custom port value of 53 as I write this post, and it works properly.