18
submitted 6 months ago by sga@lemmy.ml to c/archlinux@lemmy.ml

Can someone help, i have been having trouble connected with my home universities vpn, for past 15-20days, it is an openvpn connection, so i have been using networkmanager-openvpn to import my config files, and they have worked previously, but for last 15-20 days i get connection timed out, all certificates used are correct, i have tried to connect on cli,

Connection activation failed: The connection attempt timed out

and it suggests to check journalctl logs (nothing erroneous i could find) i am also able to connect with this vpn with my phone (with openvpn official app with same files), and also i am able to connect to proton's vpns with my laptop, so i guess my device is not completely broken, i have tried to redownload my certificate files, recreating vpn profile, reinstalling networkmanager, nothing worked

top 19 comments
sorted by: hot top controversial new old
[-] lemmyreader@lemmy.ml 4 points 6 months ago

Not sure if this applies for your university VPN but with VPN providers an important part of making a successful VPN connection and use it browse the Internet, is that the DNS servers in /etc/resolv.conf are correct. You can check and see any difference of the content of that file, before and after starting the VPN connection.

[-] sga@lemmy.ml 2 points 6 months ago
[-] lemmyreader@lemmy.ml 2 points 6 months ago

I am not sure if you would be able to compare the content of that file on your phone as well ? Maybe with adb and then check the content there (not sure if Android also uses /etc/resolv.conf) ? Or maybe test connecting on a Linux live USB stick and compare ?

[-] markus@hubzilla.markusgarlichs.de 3 points 6 months ago

@sga I think you have to ask an admin of the university because a timeout is usually a problem on the server side.

[-] sga@lemmy.ml 3 points 6 months ago

but it works over on my phone, so something has to be borked over my end, i have also recently renewed my certificates, that may have something to do with it, since vpn has also not been working pretty much since then

[-] sga@lemmy.ml 2 points 6 months ago

since i forgot to mention it earlier, we have to renew our certificates almost every 6 months, and i renewed them recently (around the time of breakage start, but (i may be misremembering) i think i connected with new certs also, before renewal, the vpn worked both on my phone and laptop, now it only works on phone, i am now trying to use it on a live usb

[-] sga@lemmy.ml 2 points 6 months ago

i tried a live usb (i had a linux mint one) - same error

[-] lemmyreader@lemmy.ml 1 points 6 months ago* (last edited 6 months ago)

Your phone is fine with the new certificates but Linux on the desktop is not. #showerthought Would it be possible that both Arch Linux and Linux Mint have software upgraded that is causing the connection failure ? Could it still work if you would use an older LTS Linux version as live USB stick ? Or would the new certificates actually require newer software, like OpenSSL (which is I think a build dependency for OpenVPN) on the desktop ? EDIT: I guess the latter is not the case since Arch Linux is a rolling distribution. But you could ask your IT persons at the university whether they upgraded something ?

[-] sga@lemmy.ml 1 points 6 months ago

with my college, they are not even up to current openvpn versions, if i use a verbose vpn app on phone (open vpn for android on fdroid), i have to use compatibility settings to even connect, they even use older encryption standards and compression settings, what i think is coincidentally something in my system updated which may not work with their current configs, and on my phone it is somehow still working

[-] Ashiette@lemmy.world 2 points 6 months ago

It may not apply to you but, from my own experience and assuming you are on KDE :

Remove your ethernet connection. Remove your VPN connection. Recreate an ethernet connection then the VPN. Never set 'autoconnect'.

Before putting your computer to sleep/shutdown, manually disconnect from the VPN.

[-] sga@lemmy.ml 1 points 6 months ago

i am not on kde or ethernet, i also dont do auto connect

[-] markus@hubzilla.markusgarlichs.de 1 points 6 months ago

@sga ok, since you didn't mention that before, that would be a possible source of error.

[-] sga@lemmy.ml 1 points 6 months ago

#####******************############**************
STUFF I HAVE WRITTEN
##############*************************
Intentionally not written nicely to be able to distinguish
######################***************************
remote had the my college's vpn domain vpn.coll.eg.e
CA had college's certificate file name (in the same dir as config)
cert myid.crt
key myid.key


##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote 
port 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca 
cert 
key 

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
;cipher BF-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

route-method exe
route-delay 2

auth-user-pass
[-] Max_P@lemmy.max-p.me 1 points 6 months ago

Check the logs, but it's probably related to the deprecation of compression. OpenVPN 2.6 now requires a flag client-side to enable it as it is known to be the cause of too many vulnerabilities.

Add

comp-lzo yes
allow-compression yes

To your config and try again. If it still doesn't work set log level to 4, redact personal info and post the logs.

[-] sga@lemmy.ml 1 points 6 months ago

compression was already enabled in config (the config is given to us by institute), i will reply with logs

[-] sga@lemmy.ml 1 points 6 months ago

i tried to change the verbosity level in config (it was 3, i did with 4 and 6), nothing came, and for some reason, nothing is coming in journalctl logs also

[-] Max_P@lemmy.max-p.me 1 points 6 months ago

You can try running it directly, sudo openvpn --config yourconf.ovpn

That will also tell us if NetworkManager is at fault.

[-] sga@lemmy.ml 1 points 6 months ago* (last edited 6 months ago)
2024-05-12 23:51:46 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-05-12 23:51:47 TCP/UDP: Preserving recently used remote address: ***********
2024-05-12 23:51:47 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-05-12 23:51:47 UDPv4 link local: (not bound)
2024-05-12 23:51:47 UDPv4 link remote: ******************
2024-05-12 23:51:47 TLS: Initial packet from *************
2024-05-12 23:51:47 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-05-12 23:51:47 VERIFY OK: depth=1, C=IN, ***************
2024-05-12 23:51:47 VERIFY OK: depth=0, C=IN, ***************
2024-05-12 23:51:48 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 3072 bits RSA, signature: RSA-SHA256, peer temporary key: 1024 bits DH
2024-05-12 23:51:48 [vpn.*******] Peer Connection Initiated with ****************
2024-05-12 23:51:48 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-12 23:51:48 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-12 23:51:49 SENT CONTROL [vpn.iitd.ac.in]: 'PUSH_REQUEST' (status=1)
2024-05-12 23:51:49 PUSH: Received control message: ************
2024-05-12 23:51:49 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-12 23:51:49 OPTIONS IMPORT: route options modified
2024-05-12 23:51:49 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-05-12 23:51:49 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-05-12 23:51:49 ERROR: Failed to apply push options
2024-05-12 23:51:49 Failed to open tun/tap interface
2024-05-12 23:51:49 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2024-05-12 23:51:49 Restart pause, 1 second(s)

this repeats over and over, i killed it, also i tried to connect with our vpn a year or 2 ago this method, and had same/similar errors even back then, and it only used to worked with network manager

sorry for editing it heavily, but would love to not be doxxed

[-] Max_P@lemmy.max-p.me 3 points 6 months ago
ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

That's your error. So I think

data-ciphers AES-128-CBC

In your config should resolve this. Basically there's some issues with CBC and it's now off by default.

this post was submitted on 12 May 2024
18 points (100.0% liked)

Arch Linux

7175 readers
1 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS