OpenVPN "Activation of network connection failed" in Fedora 37

I’ve recently upgraded from Fedora 36 to Fedora 37, and when trying to connect to a VPN I get an “Activation of network connection failed” error. My internet connection is working properly and I had no issues connecting before the upgrade.

This is the output from sudo openvpn --config ~/my_config_file.ovpn --auth-user-pass ~/.vpnuser.txt

2022-11-22 10:59:51 OpenVPN 2.5.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
2022-11-22 10:59:51 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
🔐 Enter Auth Password:              
2022-11-22 10:59:55 TCP/UDP: Preserving recently used remote address: [AF_INET]193.175.8.21:1194
2022-11-22 10:59:55 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-22 10:59:55 UDP link local: (not bound)
2022-11-22 10:59:55 UDP link remote: [AF_INET]193.175.8.21:1194
2022-11-22 11:00:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-11-22 11:00:55 TLS Error: TLS handshake failed
2022-11-22 11:00:55 SIGUSR1[soft,tls-error] received, process restarting
2022-11-22 11:00:55 Restart pause, 5 second(s)

Please let me know if any further information is needed.

The same command works for me in F37, but I get
TLS: Initial packet from [AF_INET]nnn.nnn.nnn.nnn:5060, sid=90c508bb 6f10fe7b

I do not see any reason why it should not work after the upgrade, unless the connection fails due to more stringent TLS cryptography, but the log asks to check connectivity.
Does the server have more address/port combinations?

Sorry that I have no further tips for troubleshooting, except for a tcpdump on the network interface on port 1194 or host remotehost to see whether at least some packet comes back.

1 Like
  1. Were you trying to connect to a commercial VPN service provider such as NordVPN, ExpressVPN, etc.?

If your answer is Yes, then you should get in touch with their technical support staff. You are a paid customer and it is their obligation to provide you with solutions, no?

  2. For all questions and issues concerning OpenVPN, may I suggest that you post your questions in this mailing list. They are answered by experienced users and developers of OpenVPN. In fact, one of the developers is a contributor and maintainer of the OpenVPN package for Fedora.

Have you checked OpenVPN’s FAQ for this error? Please check if any of the problems listed apply to your situation: https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

I assume it’s a firewall issue. You need to punch a hole for UDP:1194

Is this the .ovpn file that you are using? https://vpn.pks.mpg.de/conf/MPIPKS.ovpn (https://vpn.pks.mpg.de/)

Of course it is good to check the firewall, but normally connection tracking, both in the router and in the Linux firewall, should take care to allow “related” packets from the ovpn server and keep the channel open. It is only important to have keep-alive packets, otherwise the channel closes after a while and traffic originating from the server will be blocked.

If the ovpn file is the one you mention, you could try to remove the remote udp line and force a TCP/443 connection. A too strong firewall might dislike UDP, but TCP 443 is used for normal HTTPS traffic, so web browsing will be no fun if that is blocked.