Mike Kurtz
Resolved
0 votes
I have been trying to set up openvpn through clearos's tools but every attempted connection times out:

syslog:
Dec 04 18:34:25 linux-och7 NetworkManager[1686]: <info>  [1543970065.9911] audit: op="connection-activate" uuid="bceca81f-199f-42a6-b8e6-f16669c40ab1" name="kalawchicago.com" pid=2648 uid=1000 result="success"
Dec 04 18:34:26 linux-och7 NetworkManager[1686]: <info> [1543970066.0018] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"******",0]: Started the VPN service, PID 21915
Dec 04 18:34:26 linux-och7 NetworkManager[1686]: <info> [1543970066.0131] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"*******",0]: Saw the service appear; activating connection
Dec 04 18:34:26 linux-och7 NetworkManager[1686]: <info> [1543970066.0594] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"*******",0]: VPN plugin: state changed: starting (3)
Dec 04 18:34:26 linux-och7 NetworkManager[1686]: <info> [1543970066.0595] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"*******",0]: VPN connection: (ConnectInteractive) reply received
Dec 04 18:34:26 linux-och7 nm-openvpn[21918]: OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
Dec 04 18:34:26 linux-och7 nm-openvpn[21918]: library versions: OpenSSL 1.1.0g-fips 2 Nov 2017, LZO 2.10
Dec 04 18:34:26 linux-och7 nm-openvpn[21918]: WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Dec 04 18:34:26 linux-och7 nm-openvpn[21918]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 04 18:34:31 linux-och7 nm-openvpn[21918]: TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Dec 04 18:34:31 linux-och7 nm-openvpn[21918]: UDP link local: (not bound)
Dec 04 18:34:31 linux-och7 nm-openvpn[21918]: UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Dec 04 18:34:31 linux-och7 nm-openvpn[21918]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 04 18:35:26 linux-och7 NetworkManager[1686]: <warn> [1543970126.5358] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"*********",0]: VPN connection: connect timeout exceeded.
Dec 04 18:35:26 linux-och7 nm-openvpn-serv[21915]: Connect timer expired, disconnecting.
Dec 04 18:35:26 linux-och7 nm-openvpn[21918]: SIGTERM[hard,] received, process exiting
Dec 04 18:35:26 linux-och7 NetworkManager[1686]: <warn> [1543970126.5415] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"*********",0]: VPN plugin: failed: connect-failed (1)
Dec 04 18:35:26 linux-och7 NetworkManager[1686]: <info> [1543970126.5415] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"**********",0]: VPN plugin: state changed: stopping (5)
Dec 04 18:35:26 linux-och7 NetworkManager[1686]: <info> [1543970126.5415] vpn-connection[0x55e595c2c830,bceca81f-199f-42a6-b8e6-f16669c40ab1,"**********",0]: VPN plugin: state changed: stopped (6)


Connectivity is fine with everything else (SSH, HTTPS) and I checked, both UDP and TCP were automatically added to the incoming firewall. I tried connecting with the client both with the firewall on and allow rules and with the firewall (temporarily, obviously) down. Still nothing. So my next thought was dropped packets.

tcpdump -ni enp3s0 udp and port 1194
* * * *
20 packets captured
21 packets received by filter
0 packets dropped by kernel


Nothing there. I also checked and there are no notifications from openvpn in the messages log. Considering this is a stock ClearOS openvpn setup and the client is using the imported .ovpn, I am at a complete loss.
In VPN
Wednesday, December 05 2018, 01:36 PM

Accepted Answer

Mike Kurtz
Friday, December 07 2018, 04:47 AM - #Permalink
Resolved
0 votes
Figured it out. NetworkManager requires the auth mode to be TLS with user, not just TLS and key password. It will not prompt the user for a login (at least in GNOME Shell) but instead just time out. This is contra the official ClearOS documentation, so someone might want to look into that. The doc also has instructions for a deprecated version of the Windows client, which uses a different import and setup method.
Responses (4)
  • Accepted Answer

    Mike Kurtz
    Thursday, December 06 2018, 01:26 AM - #Permalink
    Resolved
    0 votes
    I got my hands on a Windows machine and was able to connect just fine via the openvpn client on Windows 10. This seems to be a NetworkManager issue.
  • Accepted Answer

    Thursday, December 06 2018, 04:00 PM - #Permalink
    Resolved
    0 votes
    The log you have posted is showing the server side of things. It is not being verbose enough to know what is happening on the client side. Is this a road-warrior connection you are attempting or a site-to-site?

    Either way, do you have log files from the client side you can share?
  • Accepted Answer

    Mike Kurtz
    Thursday, December 06 2018, 04:03 PM - #Permalink
    Resolved
    0 votes
    Road Warrior setup. The syslog is from the client, the tcpdump is from the server, as is the (empty) message log.
  • Accepted Answer

    Friday, December 07 2018, 08:40 AM - #Permalink
    Resolved
    0 votes
    In general the docs don't cover client configs because it is like hitting a moving target and requires us to have access to all sorts of different clients. It is similar for e-mail setup. We can't hope to cover all e-mail clients on all platforms. As you've seen it is also difficult when websites reorganise and break your links.

    OpenVPN for Windows - I've fixed the link, but I don't see anything wrong with the instructions. If you use the Import Profile method you run into difficulties as it does not import your certificates. There is a note to that effect in the instructions. You can get round it either by moving the certificates into the correct folder after the import, or by changing your ovpn file to incorporate the certificates in it. Again it is in the instructions. I don't otherwise see where the instructions are different. They are only for a single point earlier release of the client. If you see any errors, please let me know and I'll fix them.

    NetworkManager - this is like hitting a moving target and it also depends on which distro, applet and shell you use to administer it and how the distro handles key chains. Did you import the ovpn profile or attempt to manually configure it through the GUI? Really you need to refer to your own app's documentation but I believe importing the profile should work. I don't have anything to test with here. I think the instructions you see in the docs are relatively old and for Ubuntu, but you are running OpenSUSE. If you can provide a full set of instructions based on importing the profile, I can try and incorporate them.
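
Added example, not part of the thread or of the ClearOS documentation: a Python check over an .ovpn profile that reports which NetworkManager OpenVPN connection type it calls for (the resolution above: `password-tls` rather than `tls`) and flags the deprecated `ns-cert-type` directive from the client log and certificate files that are referenced externally rather than embedded. It assumes a server-side user login shows up in the profile as `auth-user-pass`; the sample profile and hostname are constructed.

```python
import re

# Constructed sample profile (not from the thread): certificate auth plus a
# user login, external certificate files, and the deprecated directive.
SAMPLE_OVPN = """\
client
remote vpn.example.com 1194
ca ca-cert.pem
cert client-cert.pem
key client-key.pem
ns-cert-type server
auth-user-pass
"""

def audit_profile(text):
    """Return (nm_connection_type, findings) for an OpenVPN client profile."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                         # inside an inline <tag> ... </tag> block
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:                           # start of embedded PEM material
            block = tag.group(1)
            inline.add(block)
            continue
        name, *args = line.split()
        directives[name] = args
    has_cert = "cert" in directives or "cert" in inline
    has_user = "auth-user-pass" in directives   # assumption: marks a user login
    # Values of the nm-openvpn "connection-type" setting.
    if has_user:
        nm_type = "password-tls" if has_cert else "password"
    else:
        nm_type = "tls" if has_cert else "unknown"
    findings = []
    if "ns-cert-type" in directives:
        findings.append("ns-cert-type is deprecated; use remote-cert-tls")
    external = [d for d in ("ca", "cert", "key") if d in directives]
    if external:
        findings.append("external files not embedded: " + ", ".join(external))
    return nm_type, findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_OVPN))
```

If the connection NetworkManager created from the import shows a different type than the one reported here, the mismatch matches the silent connect timeout described in the accepted answer.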