On Feb 18, 2017 3:03 AM, "Ed Greshko" <ed.greshko@greshko.com> wrote:
On 02/18/17 14:38, InvalidPath wrote:
> Well, that's just it.. on Linux IDK where the correct location is.  I
> tried placing it and the ca.crt in the same folder, then specifying
> the entire path in the .ovpn and both times the GUI prompted me, do I
> want to copy them to /home/user/etc/etc and I chose yes.  But the
> connection times out in either case.


First of all....  Many people on this list, myself included, would
appreciate it if you'd put your responses below the text in the reply.
It makes for easier reading.

With Networkmanager it is best to put them under their own directory
under...

~/.local/share/networkmanagement/certificates

For example.....

[egreshko@meimei certificates]$ pwd
/home/egreshko/.local/share/networkmanagement/certificates

[egreshko@meimei certificates]$ ls
AU-Sydney-S1       US-Los-Angeles-S3    US-San-Jose-S1
US-Kansas-City-S1  US-New-York-City-S1  US-Seattle-S1

Showing I have 6 connections defined.

[egreshko@meimei certificates]$ ls -Z US-Kansas-City-S1
unconfined_u:object_r:home_cert_t:s0 ca.crt
unconfined_u:object_r:home_cert_t:s0 cert.crt
unconfined_u:object_r:home_cert_t:s0 private.key
unconfined_u:object_r:home_cert_t:s0 tls_auth.key

Shows the key files for that one connection and their SELinux contexts.

Do not "move" the cert files to their new locations but copy them.  If
you move them they will not have the SELinux context and you'll have to
take a second step to restore the context.

Then, when you try connecting you should check the journal (using
journalctl) to see if the connection is made and/or if there are any errors.

A successful connection would look like something similar to this....

[egreshko@meimei ~]$ cat openvpn
Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: OpenVPN 2.3.14
x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH]
[IPv6] built on Dec  7 2016
Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: library versions:
OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.08
Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: WARNING: No server
certificate verification method has been enabled.  See
http://openvpn.net/howto.html#mitm for more info.
Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: NOTE: the current
--script-security setting may allow this configuration to call
user-defined scripts
Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: Control Channel
Authentication: using
'/home/egreshko/.local/share/networkmanagement/certificates/US-Seattle-S1/tls_auth.key'
as a OpenVPN static key file
Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: NOTE: UID/GID
downgrade will be delayed because of --client, --pull, or --up-delay
Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: UDPv4 link local:
[undef]
Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: UDPv4 link remote:
[AF_INET]69.4.227.18:53
Feb 18 17:04:00 meimei.greshko.com nm-openvpn[32673]: [isvpn.net] Peer
Connection Initiated with [AF_INET]69.4.227.18:53
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2:
topology-subnet (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
option 'mssfix' cannot be used in this context ([PUSH-OPTIONS])
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6:
dhcp-pre-release (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:7:
dhcp-renew (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:8:
dhcp-release (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14:
register-dns (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error:
Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:15:
block-ipv6 (2.3.14)
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: TUN/TAP device
tun0 opened
Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]:
/usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 32667
--bus-name org.freedesktop.NetworkManager.openvpn.Connection_9 --tun --
tun0 1500 1570 25.0.8.4 255.255.255.0 init
Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: GID set to nm-openvpn
Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: UID set to nm-openvpn
Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: Initialization
Sequence Completed
Feb 18 17:04:12 meimei.greshko.com nm-openvpn[32673]: SIGTERM received,
sending exit notification to peer
Feb 18 17:04:13 meimei.greshko.com nm-openvpn[32673]:
SIGTERM[soft,exit-with-notification] received, process exiting



--
Fedora Users List - The place to go to get others to do the work for you
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-leave@lists.fedoraproject.org


Sorry Ed.. with the default being at the top for so many devices and apps it didn't even cross my mind.


~/.local/share/networkmanagement/certificates is exactly where Network Manager prompts me to copy the cert to.  So with that in mind, that's when I tried removing the full path; here's an example:

dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x.x 34447 udp
lport 0
auth-user-pass
ca /home/bhart/Documents/VPN_CONFIG/config/xxxx-fw-1-udp-34447-ca.crt
tls-auth /home/bhart/Documents/VPN_CONFIG/config/xxxx-fw-1-udp-34447-tls.key 1
ns-cert-type server
comp-lzo adaptive
 

But then once they're copied to that other location I decided that maybe I should remove those paths.  It didn't change things.

➜  certificates ll
total 8.0K
-rw-r--r-- 1 bhart bhart 1.4K Feb 17 07:12 xxxx-fw-1-udp-34447-config_gntc-fw-1-udp-34447-ca.crt
-rw-r--r-- 1 bhart bhart  657 Feb 17 07:12 xxxx-fw-1-udp-34447-config_gntc-fw-1-udp-34447-tls.key


So journalctl -xe right now shows:

Feb 18 08:23:27 localhost.localdomain NetworkManager[1297]: <info>  [1487431407.9972] keyfile: update /etc/NetworkManager/system-connections/xxxx-fw-1-udp-34447-config (d550859
Feb 18 08:23:27 localhost.localdomain NetworkManager[1297]: <info>  [1487431407.9976] audit: op="connection-update" uuid="d550859e-f14a-40b5-8ab0-64b3a13d8ef3" name="xxxx-fw-1-
Feb 18 08:23:29 localhost.localdomain kde5-nm-connection-editor[5001]: QDBusObjectPath: invalid path ""
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info>  [1487431409.6901] audit: op="connection-activate" uuid="d550859e-f14a-40b5-8ab0-64b3a13d8ef3" name="xxxx-fw-
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info>  [1487431409.6927] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info>  [1487431409.6990] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain kdeinit5[2289]: plasma-nm: Unhandled VPN connection state change:  2
Feb 18 08:23:29 localhost.localdomain kdeinit5[2289]: plasma-nm: Unhandled VPN connection state change:  3
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info>  [1487431409.7264] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain nm-openvpn[5401]: Options error: If you use one of --cert or --key, you must use them both


This is confusing.. according to the .ovpn file this connection should be using auth-user-pass, but then without specifying a password with TLS, how does the key file get used?  (I did attempt connection with just the password set and it fails with:

Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more in
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: UDPv4 link local: [undef]
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: UDPv4 link remote: [AF_INET]72.174.102.34:34447
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=$organization, OU=Operations, CN=xxxx-v
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS_ERROR: BIO read tls_read_plaintext error
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS Error: TLS object -> incoming plaintext read error
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS Error: TLS handshake failed
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: SIGUSR1[soft,tls-error] received, process restarting

Which is even more confusing because this config file works perfectly with the Windows OpenVPN client. So there must be some difference in how the clients use this file, because the certificate is valid.  I did go to the link in this error log and it's really not much help, since the server certificate and actually the entire config were generated from pfSense.

Thanks
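A static pre-flight check for a client profile, added here as an example and not part of OpenVPN, NetworkManager or either poster's setup. It flags the three things the journal excerpts in this thread complain about: a ca/cert/key/tls-auth path that does not exist where the profile says it is, `cert` given without `key` (or vice versa), and no server-certificate verification method at all; the sample profiles it writes are constructed placeholders, not the poster's real files.

```shell
#!/bin/sh
# check_ovpn FILE [BASEDIR]
# Exit 0 when the profile looks consistent, 1 when problems were printed.
# Relative file paths are resolved against BASEDIR (default: the profile's
# own directory), which is what happens after the GUI copies the files.
check_ovpn() {
    file=$1; base=${2:-$(dirname "$1")}
    problems=0; has_cert=0; has_key=0; has_verify=0
    while read -r opt arg rest || [ -n "$opt" ]; do
        case $opt in
            ca|cert|key|tls-auth|tls-crypt)
                path=$arg
                case $path in /*) ;; *) path=$base/$path ;; esac
                if [ ! -f "$path" ]; then
                    echo "MISSING: '$opt' points at $path"
                    problems=$((problems + 1))
                fi
                if [ "$opt" = cert ]; then has_cert=1; fi
                if [ "$opt" = key ]; then has_key=1; fi ;;
            # any of these enables a check on the server's certificate
            ns-cert-type|remote-cert-tls|verify-x509-name) has_verify=1 ;;
        esac
    done < "$file"
    # OpenVPN: "If you use one of --cert or --key, you must use them both"
    if [ "$has_cert" -ne "$has_key" ]; then
        echo "ERROR: 'cert' and 'key' must be used together"
        problems=$((problems + 1))
    fi
    # OpenVPN: "WARNING: No server certificate verification method has been enabled"
    if [ "$has_verify" -eq 0 ]; then
        echo "WARNING: no server certificate verification method enabled"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample profiles (placeholder cert material, not real keys):
# good.ovpn mirrors the thread's ca + tls-auth + auth-user-pass layout,
# bad.ovpn has a 'key' without 'cert', a missing file and no server check.
make_sample_profiles() {
    dir=$1
    : > "$dir/ca.crt"; : > "$dir/tls.key"
    printf 'client\ndev tun\nauth-user-pass\nca ca.crt\ntls-auth tls.key 1\nns-cert-type server\n' > "$dir/good.ovpn"
    printf 'client\ndev tun\nca ca.crt\nkey %s/private.key\n' "$dir" > "$dir/bad.ovpn"
}
```

Run it as `check_ovpn ~/.local/share/networkmanagement/certificates/NAME/profile.ovpn` before importing; anything it prints is what nm-openvpn would otherwise report in the journal after the connection attempt.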