Cannot connect to OpenVPN using Gnome

Hi.

While I can connect to an OpenVPN server using command line (using openvpn command), I cannot connect to it using Gnome (neither via the top panel nor Network options in Settings).
When I try to connect using Gnome, it immediately shows me a notification that the connection cannot be established and disconnects. Also, I should note that the problem is system-wide; I tried another user, but no luck.

Things I tried so far, but didn’t work:

  • Reinstalling openvpn, NetworkManager-openvpn and NetworkManager-openvpn-gnome packages.
  • Removing /var/cache directory.
  • Re-adding the VPNs after removing .config, .cache and .cert directories.

Here is the related output of journalctl -u NetworkManager -r:

Jan 03 20:31:36 machitgarha NetworkManager[1053]: <info>  [1578070896.8569] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN plugin: state changed: stopped (6)
Jan 03 20:31:36 machitgarha NetworkManager[1053]: <info>  [1578070896.8565] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN plugin: state changed: stopping (5)
Jan 03 20:31:36 machitgarha NetworkManager[1053]: <warn>  [1578070896.8564] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN plugin: failed: connect-failed (1)
Jan 03 20:31:36 machitgarha NetworkManager[1053]: <warn>  [1578070896.8563] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN plugin: failed: connect-failed (1)
Jan 03 20:31:36 machitgarha NetworkManager[1053]: <info>  [1578070896.6973] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN connection: (ConnectInteractive) reply received
Jan 03 20:31:36 machitgarha NetworkManager[1053]: <info>  [1578070896.6972] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: VPN plugin: state changed: starting (3)
Jan 03 20:31:34 machitgarha NetworkManager[1053]: <info>  [1578070894.8390] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: Saw the service appear; activating connection
Jan 03 20:31:34 machitgarha NetworkManager[1053]: <info>  [1578070894.2316] vpn-connection[0x55d277726510,00b99905-3880-444b-bd75-ed5e882c1d8f,"Canada UDP",0]: Started the VPN service, PID 53133
Jan 03 20:31:33 machitgarha NetworkManager[1053]: <info>  [1578070893.9544] audit: op="connection-activate" uuid="00b99905-3880-444b-bd75-ed5e882c1d8f" name="Canada UDP" pid=1851 uid=1000 result="success"

Note: The Gnome integrated VPN service was working before making some changes to some packages (or whatever change), however, from somewhere, it started not to work.

Thanks in advance!

It works (Gnome side). Did you use “Import from file…”?

Please, see:

Yes, I’ve used “Import from file…” option. Just doesn’t work.
EDIT: Using sudo dnf upgrade does not help anything. Unfortunately.

Is it Fedora 31 on your machine?

Yes. I’m using Fedora 31.

The last guess for a while: did you reboot after refreshing the configs, or try another user? Maybe it is just some “cache” that persists across log-offs (in RAM)…

Yes. I’ve rebooted many times from that time, and as I mentioned, I tried another user. Still doesn’t work.
Thanks for paying attention! 🙂

If you want someone to keep helping you, avoid being sarcastic. They are spending their time for you, no personal gain. People are trying to help, the least you can do is be courteous.

P.S. These problems are never simple. I had a similar problem and it took some time and the help of other more knowledgeable people to discover I had to relabel stuff.

I hope you find out what is wrong.

@gbonnema I didn’t want to be sarcastic, I wasn’t and won’t be. I just appreciated his help. I think you got me wrong. Reviewing the whole discussion, I cannot find any impoliteness from myself; tell your meaning clearly (I think you didn’t understand my writings, or maybe I’ve written badly).


TL;DR

Changing SELinux status to permissive or disabled just fixed the problem.

More details

After reviewing the output of journalctl -u NetworkManager -r, I found the following lines more related to the problem:

Jan 06 17:47:57 machitgarha nm-openvpn[9924]: Use --help for more information.
Jan 06 17:47:57 machitgarha nm-openvpn[9924]: Options error: Please correct these errors.
Jan 06 17:47:57 machitgarha nm-openvpn[9924]: Options error: --key fails with '/home/machitgarha/.cert/nm-openvpn/vpnbook-ca222-udp25000-key.pem': Permission denied (errno=13)
Jan 06 17:47:57 machitgarha nm-openvpn[9924]: WARNING: cannot stat file '/home/machitgarha/.cert/nm-openvpn/vpnbook-ca222-udp25000-key.pem': Permission denied (errno=13)
Jan 06 17:47:57 machitgarha nm-openvpn[9924]: Options error: --cert fails with '/home/machitgarha/.cert/nm-openvpn/vpnbook-ca222-udp25000-cert.pem': Permission denied (errno=13)
Jan 06 17:47:57 machitgarha nm-openvpn[9924]: Options error: --ca fails with '/home/machitgarha/Vpns/OpenVpn/vpnbook-ca222-udp25000-ca.pem': Permission denied (errno=13)

First, I thought it was related to file permissions. However, after searching for some time, I found this useful question on Unix & Linux forum and realized that the problem is related to SELinux.

Finally, using the following command, I set the SELinux status to permissive:

setenforce Permissive

To make it permanent, I changed SELINUX=enforcing to SELINUX=permissive in the /etc/sysconfig/selinux file.

Hopefully, now Gnome integrated OpenVPN tool works!
Hope it helps someone!


It was the sentences “… as I mentioned … Thanks for paying attention” that made me think you were being sarcastic. If that was not the intention: my bad. I apologize.


You may have solved the symptom, but the cause is still there. Making SELinux permissive or disabled is like opening your door to prevent someone from complaining if they forgot their key. You just seriously decreased security.

It looks like you have the same problem I had: the files have the wrong security label, you need to relabel some specific part of your files. Let me check if I can find the bug I posted and someone told me how to relabel and what to relabel.

EDIT: The bug is a Red Hat bug and the link is https://bugzilla.redhat.com/show_bug.cgi?id=1774678. The solution said:
"Hi,

Please run:
# restorecon -Rv /home/gbonnema/.cert/

To fix labels of cert files.

Thanks,
Lukas.
"

You will have to run that as root though, and of course use your own specific directory names, not gbonnema.

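As an added example (not part of any post in this thread): a small shell helper that reads nm-openvpn journal lines like the ones quoted earlier, lists the files that were denied, and prints a dry-run `restorecon -Rnv` command per affected directory so the relabel can be reviewed before it is applied. The log sample, the user `alice` and the file names are constructed; that files outside `~/.cert` will not receive a certificate label from `restorecon` is an assumption about the default policy.

```shell
#!/usr/bin/env bash
# Added example: turn nm-openvpn "Permission denied" lines into a relabel plan.

# Constructed sample in the format of the journal lines quoted in this thread
# (host, user "alice" and file names are placeholders).
SAMPLE_LOG="Jan 06 17:47:57 host nm-openvpn[9924]: Options error: --key fails with '/home/alice/.cert/nm-openvpn/vpn-key.pem': Permission denied (errno=13)
Jan 06 17:47:57 host nm-openvpn[9924]: WARNING: cannot stat file '/home/alice/.cert/nm-openvpn/vpn-key.pem': Permission denied (errno=13)
Jan 06 17:47:57 host nm-openvpn[9924]: Options error: --cert fails with '/home/alice/.cert/nm-openvpn/vpn-cert.pem': Permission denied (errno=13)
Jan 06 17:47:57 host nm-openvpn[9924]: Options error: --ca fails with '/home/alice/Vpns/OpenVpn/vpn-ca.pem': Permission denied (errno=13)
Jan 06 17:47:57 host nm-openvpn[9924]: Use --help for more information."

# Print each distinct file path nm-openvpn was denied access to (stdin: journal text).
denied_paths() {
    grep 'nm-openvpn\[' |
        sed -n "s/.*'\(\/[^']*\)': Permission denied (errno=13).*/\1/p" |
        LC_ALL=C sort -u
}

# Print one dry-run command per affected directory. restorecon -n only reports
# what it would relabel; drop -n and run as root after reviewing the output.
relabel_plan() {
    denied_paths | while IFS= read -r path; do
        dirname "$path"
    done | LC_ALL=C sort -u | while IFS= read -r dir; do
        printf "restorecon -Rnv '%s'\n" "$dir"
    done
}

# Denied files that live outside ~/.cert. Assumption: restoring default labels
# there does not mark them as certificate files, so they are candidates to move
# under ~/.cert (and re-import the VPN) before relabeling.
outside_cert_dir() {
    denied_paths | grep -v '^/home/[^/]*/\.cert/' || true
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | relabel_plan
    printf '%s\n' "$SAMPLE_LOG" | outside_cert_dir
fi
```

On a live system, feed it `journalctl -u NetworkManager` output instead of the sample, and check current labels with `ls -Z` on the listed files.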

Fun time. I’ve just remembered one topic on another forum: “How to defeat the SELinux in Fedora?”
