Openvpn Configuration/Access Issue

Stephen Morris samorris at netspace.net.au
Sun Feb 28 20:40:35 UTC 2016


On 27/02/16 11:21, Ed Greshko wrote:
>
> On 02/27/16 07:34, Stephen Morris wrote:
>> On 26/02/16 19:36, Ed Greshko wrote:
>>> On 02/26/16 15:58, Stephen Morris wrote:
>>>> On 26/02/16 08:42, Rick Stevens wrote:
>>>>> On 02/25/2016 01:35 PM, Stephen Morris wrote:
>>>>>> Hi,
>>>>>>
>>>>>>        I am trying to connect to my vpn service provider using instructions they
>>>>>> provide for Ubuntu Mint as the only information they provide for Linux.
>>>>>> When I go into Networkmanager and create a new Openvpn connection and
>>>>>> try to connect to it, I get a popup saying the connection failed and one
>>>>>> of the messages seems to be indicating that I am missing a plugin.
>>>>>>
>>>>>>        As far as I can see I have every Networkmanager vpn plugin
>>>>>> installed, so I am at a loss trying to understand the message. Is
>>>>>> anybody able to shed any light on what/where I need to look to try to
>>>>>> identify what the connection issues are?
>>>>> Please include the EXACT error message you're getting. It may not be
>>>>> a NetworkMangler plugin you're missing--rather an openvpn module or
>>>>> OpenSSL module.
>>>> Below are all the messages appearing in the notification dialog when the connection
>>>> fails, in the order they are displayed from top to bottom.
>>>>
>>>> Failed to activate connection
>>>> Device failed
>>>> Failed to deactivate connection
>>>> Connection updated
>>>> Missing VPN plugin
>>>> Failed to update connection
>>>> Connection removed
>>>> Connection added
>>>> Failed to remove connection
>>>> Failed to get secrets
>>>> Connection deactivated
>>>> Connection activated
>>>> Failed to add connection
>>>> Failed to request scan
>>>>
>>> If you do
>>>
>>> journalctl -b 0 -l --unit=NetworkManager
>> I issued this command and found the following messages which means I will now need to
>> play around with the configuration to resolve, particularly the certificate issue, as a
>> certificate to use is specified in the client.
>>
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: OpenVPN 2.3.10
>> x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan
>> 4 2016
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: library versions: OpenSSL
>> 1.0.2f-fips  28 Jan 2016, LZO 2.08
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: WARNING: No server certificate
>> verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more
>> info.
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: NOTE: the current
>> --script-security setting may allow this configuration to call user-defined scripts
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: WARNING: normally if you use
>> --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1557)
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: NOTE: UID/GID downgrade will be
>> delayed because of --client, --pull, or --up-delay
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: UDPv4 link local: [undef]
>> Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: UDPv4 link remote:
>> [AF_INET]45.58.127.234:443
>> Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: WARNING: 'link-mtu' is used
>> inconsistently, local='link-mtu 1614', remote='link-mtu 1557'
>> Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: WARNING: 'tun-mtu' is used
>> inconsistently, local='tun-mtu 1557', remote='tun-mtu 1500'
>> Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: [VPN] Peer Connection Initiated
>> with [AF_INET]45.58.127.234:443
>> Feb 27 10:27:49 localhost.localdomain nm-openvpn[2542]: TUN/TAP device tun0 opened
>> Feb 27 10:27:49 localhost.localdomain nm-openvpn[2542]:
>> /usr/libexec/nm-openvpn-service-openvpn-helper --tun -- tun0 1557 1614 10.10.8.10
>> 10.10.8.9 init
>>
>>> Do you get better info?
>>>
>>> Here is an example of a successful openvpn connection...
>>>
>>> http://paste.fedoraproject.org/329720/47555814/
>>>
>> Is the information you have shown in the link above an excerpt from syslog?
> No, it is the output from journalctl on my system with a working openVPN connection.
>
> The warning about "server certificate" is only a warning.  I don't use that option/feature
> and there is no problem.
Having set a security option that I think has gotten rid of the 
certificate message, I think NetworkManager is trying to provide some 
protection against server spoofing, albeit without a physical 
certificate from the server it is fairly limited.

Apart from the speed degradation issues, I now have to resolve an issue 
with the flash based browser game, and the two non-browser online games, 
that I am playing at the moment, refusing to allow connection if the vpn 
is active.

regards,
Steve
>
>> Having found some information around how I need to configure the NetworkManager
>> connection I now have the vpn connection working.
>> The messages I have shown above that I didn't understand were all because of my
>> stupidity. The button I clicked on in the connection failure notification also shows the
>> same thing when clicked on in the successful connection notification. What I now think
>> it was, is that these are things that NetworkManager knows how to detect, and it was
>> asking how I wanted notification of those messages if they occurred.
>> Sorry for all the trouble I put people to due to my lack of understanding of something,
>> that in hindsight should have been obvious to me as to what it was.
>>
>> Having got the interface working, its performance potentially explains why the cost of
>> lifetime membership was dropped from $1000US to $40US.
>>
> Good that you have it working.
>
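
Added example, not part of the original thread: a small shell filter for the journalctl output quoted above that picks out the OpenVPN messages with a security or interoperability meaning and names the client directives that address the certificate warning. The function names, the finding codes and the unwrapped sample lines (copied from the log in this thread) are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads journal text on stdin and prints
# one finding per line. The finding codes are made up for this example.
triage_openvpn_log() {
  awk '
    # Only look at lines logged by the NetworkManager OpenVPN plugin.
    !/nm-openvpn/ { next }
    /No server certificate verification method has been enabled/ { nocert = 1 }
    /--script-security setting may allow/ { script = 1 }
    /is used inconsistently/ {
      sub(/^.*WARNING: /, "")    # keep only the OpenVPN message text
      mism[++n] = $0
    }
    END {
      if (nocert)
        print "WARN NO_SERVER_CERT_CHECK no verification method set; use remote-cert-tls server or verify-x509-name"
      for (i = 1; i <= n; i++)
        print "WARN OPTION_MISMATCH " mism[i]
      if (script)
        print "NOTE SCRIPT_SECURITY profile may call user-defined scripts; review which scripts it references"
    }
  '
}

# Sample input: lines from the log quoted in this thread, unwrapped.
sample_log() {
cat <<'EOF'
Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 27 10:27:44 localhost.localdomain nm-openvpn[2542]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1557)
Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1614', remote='link-mtu 1557'
Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1557', remote='tun-mtu 1500'
Feb 27 10:27:46 localhost.localdomain nm-openvpn[2542]: [VPN] Peer Connection Initiated with [AF_INET]45.58.127.234:443
EOF
}

# Stand-alone run on the sample; on a live system pipe in
#   journalctl -b 0 -l --unit=NetworkManager
sample_log | triage_openvpn_log
```
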


