Configuring Linux VPN connection

Advanced feature discussion, beta programs and unsupported "Labs" features.
15 posts Page 2 of 2
by forest » Mon Feb 20, 2017 11:41 pm
For anyone else who comes across this thread, various versions of NetworkManager-openvpn have various bugs that can cause failures when importing sonic's .ovpn files. Here are the ones I remember:

  • Old-ish versions failed to import these inline sections: <ca> <cert> <key> <tls-auth>. Workaround: Copy those sections into separate files and replace them in the .ovpn config with the equivalent one-line directives referring to those new files.
  • Recent versions fail to import comp-lzo no. Workaround: Either set "Use LZO data compression" to "yes" in NetworkManager's OpenVPN Advanced... dialog, or use nmcli to modify the VPN connection after it has been imported, setting the lzo option to no-by-default.
  • Current versions fail to import key-direction 1 under some circumstances. Workaround: Set "Key Direction" to "1" in NetworkManager's OpenVPN Advanced... dialog.

It's worth noting that DNS leaks have been widely reported by NetworkManager-openvpn users. Getting it right is especially tricky because of the interactions between NetworkManager bugs, differing system configurations, and ancillary resolver layers like Dnsmasq. If you're concerned about the domain names you visit being exposed even when you're on the VPN, you better run some tests to find out what's really happening on the wire.
by dennisobrien » Sat Apr 08, 2017 1:20 pm
dsgsonic wrote:
That worked like a charm, thanks.

I think I figured out how to use Network Manager (Ubuntu) -- by cutting/pasting various parts of client.ovpn file into separate user, cert, key and TLS files and direction 1. I may do a post showing this.

If you do have a solution I think a blog post would help a lot of people.

I have the command line version working fine, but I have not been able to get it working via an entry in network manager. Following some suggestions, I commented out the line in the .ovpn file:

    reneg-sec 604800

and was then able to import the key via network manager. (Without this line commented out, network manager gave a very unhelpful message that the plugin did not support import.)

Basic steps to create the VPN connection:
  • Open Network Manager
  • Add -> Interface VPN -> Create...
  • Choose a VPN Connection Type: Import a saved VPN configuration...
  • Browse to the modified .ovpn file.
  • Added my username to the entry but left the password blank.

I now have a VPN entry "sonic.client" but when I choose it, I'm prompted for my password then I see the lock icon appear and disappear on the nm-applet icon. Following /var/log/syslog I see this:

    AUTH: Received control message: AUTH_FAILED

But I'm using the same credentials that work in the command line openvpn client. Adding the username and password to the VPN entry does not work. In fact, the password seems to be forgotten after saving, which makes me think this is (yet another) bug in Network Manager.

I'm probably 95% of the way there. If anyone can help with this last 5% I'd appreciate it!

by drew.phillips » Wed Apr 12, 2017 7:59 pm
dennisobrien wrote:
I'm probably 95% of the way there. If anyone can help with this last 5% I'd appreciate it!

Hi Dennis,

Hopefully these screenshots will help. This is my exact setup (Mint 18.1 Serena, network-manager-openvpn version 1.1.93-1ubuntu1.1).

Connection settings for VPN tab (fill in username, optionally save password or prompt every time)

Advanced menu

General Tab

Security Tab

TLS Authentication Tab

Everything else is left at the default.

Just to re-iterate some basics for those who may stumble upon this.

The keys referenced in the first image are extracted from the client.ovpn file you get when going to, entering your credentials, selecting "Login" from the dropdown, and then downloading your user-locked profile (yourself).

Ignore all the lines beginning with a "#" - these are comments and irrelevant.

First, extract and save the contents of the CA certificate to a file. This is the data inside the <ca>...</ca> tags. The content saved to the file should include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. This is saved as sonic-ca.crt.

Next, extract the user certificate, found in the <cert></cert> tags. This is saved as

Then, get the user certificate private key found in the <key></key> tags. This is saved as

Finally :) grab the TLS auth key found just below the "key-direction 1" line, inside the <tls-auth></tls-auth> tags. Save the content starting from -----BEGIN OpenVPN Static key V1----- and ending with -----END OpenVPN Static key V1-----.

With those certificates and the settings shown above, the connection should work.

One important thing to keep in mind is, the above certificate and key are locked to your Sonic account with the VPN server. All this means is, whatever user you logged in with and downloaded the VPN config with is who you should auth as. Auth will fail if you try to use a different Sonic account name and password (even if it is correct).

I hope that helps, let me know if it works for you.

That said, I still like connecting the VPN from the command line more than NM by using "sudo openvpn --config client.ovpn". You can make it such that you don't have to type your account password every time if you want by adding a line to your config like "auth-user-pass /home/you/sonic-credentials.txt". In the credentials file, put your username on the first line and password on the second. chmod the file to 400 so no one else on the system can read it and you're set. The main reason for this is because I know the OpenVPN client honors every option in the file, connects securely, and minimizes the risk of DNS leaks.

Good luck!
Drew Phillips
Programmer / System Operations,
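The file-splitting that forest's first workaround and Drew's step-by-step both describe, together with the chmod 400 credentials file from Drew's closing tip, as one added Python example (this is not code from the thread, from NetworkManager-openvpn or from OpenVPN). It pulls the <ca>, <cert>, <key> and <tls-auth> bodies out of a profile into separate files, rewrites the profile to reference them with one-line directives, writes a two-line auth-user-pass credentials file, and then checks that every private file the profile references is readable by its owner only. The sample profile, its PEM bodies, the server name vpn.example.com, the username/password, and the file names other than sonic-ca.crt and sonic-credentials.txt are constructed for the example.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample profile: dummy PEM bodies, placeholder server name.
SAMPLE_PROFILE = """\
client
remote vpn.example.com 1194
# comment lines are irrelevant to the split
reneg-sec 604800
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgVVNFUiBDRVJU
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgVVNFUiBLRVk=
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline tag -> file it is written to (assumed names; the thread only names sonic-ca.crt).
INLINE_FILES = {"ca": "sonic-ca.crt", "cert": "sonic-user.crt",
                "key": "sonic-user.key", "tls-auth": "sonic-ta.key"}

# One inline block: opening tag line, body, matching closing tag line.
SECTION_RE = re.compile(r"^<(ca|cert|key|tls-auth)>\n(.*?)^</\1>[ \t]*\n?", re.S | re.M)


def write_private_file(path, body, mode=0o600):
    """Create the file with the given mode *before* writing, so key material
    never sits on disk with group/world read bits (umask can only tighten it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(body if body.endswith("\n") else body + "\n")


def split_inline_profile(text, out_dir):
    """Replace each inline block with `<tag> <absolute path>` and return
    (rewritten profile, {tag: path}). `key-direction 1` is kept as-is,
    since the tls-auth key still needs it."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}

    def replace(m):
        tag, body = m.group(1), m.group(2)
        path = (out_dir / INLINE_FILES[tag]).resolve()
        # the CA certificate is public; cert, key and tls-auth are the user's
        write_private_file(path, body, 0o644 if tag == "ca" else 0o600)
        written[tag] = str(path)
        return f"{tag} {path}\n"

    return SECTION_RE.sub(replace, text), written


def remaining_inline_tags(text):
    """Inline blocks still present; expected to be [] after splitting."""
    return [m.group(1) for m in SECTION_RE.finditer(text)]


def audit_private_files(text):
    """For every key / tls-auth / auth-user-pass directive, report 'missing',
    'ok' (owner-only permissions) or 'too open' for the referenced file."""
    report = {}
    for m in re.finditer(r"^(key|tls-auth|auth-user-pass)\s+(\S+)", text, re.M):
        path = Path(m.group(2))
        if not path.exists():
            report[str(path)] = "missing"
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        report[str(path)] = "ok" if (mode & 0o077) == 0 else f"too open ({oct(mode)})"
    return report


def run_demo():
    """Split the sample into a temp dir, add a chmod-400 credentials file as in
    the thread's auth-user-pass tip (constructed username/password), and audit."""
    out_dir = Path(tempfile.mkdtemp(prefix="ovpn-split-"))
    profile, written = split_inline_profile(SAMPLE_PROFILE, out_dir)
    creds = (out_dir / "sonic-credentials.txt").resolve()
    write_private_file(creds, "example-user\nexample-password\n", 0o400)
    profile += f"auth-user-pass {creds}\n"
    write_private_file(out_dir / "sonic.client.ovpn", profile)
    return {"profile": profile, "written": written,
            "leftover": remaining_inline_tags(profile),
            "audit": audit_private_files(profile)}


if __name__ == "__main__":
    result = run_demo()
    print(result["profile"])
    for path, status in result["audit"].items():
        print(f"{status:>8}  {path}")
```

Running it prints the rewritten profile and one status line per private file. The rewritten directives use absolute paths so OpenVPN finds the files regardless of the directory it is started from, and the files are created with their final permissions rather than chmod'ed afterwards, which avoids a window where the private key is world-readable.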
by saturnine » Thu Jul 13, 2017 12:21 am
Thank you for the detailed help! That is just the kind of post we non-tech types need to configure our Linux systems; however, it didn't work. After following the steps I go to my network icon in the system tray and click on it, turn on the new VPN connection, and my external IP address doesn't change, nor does my location or AT&T as my provider. If I launch OpenVPN from the command line these things all change. Any idea what I'm missing?
by drew.phillips » Thu Jul 13, 2017 9:01 am
Does it give any indication as to whether or not the connection failed or succeeded?

If you open a terminal and run the command "tail -f /var/log/syslog" (without quotes) and then try connecting you should see quite a bit of detail as to what's happening.

If you're still unable to connect do you mind posting that log output from syslog?

Drew Phillips
Programmer / System Operations,