Openvpn through GUI on Fedora 34 desktop

Hi everyone!

I recently installed fedora on my main machine. I’m a first time Linux user.

I’m trying to connect to an OpenVPN server I have running somewhere. I tried doing this by going to settings > Network > VPN “+” > Import from file. After selecting the .ovpn file I fill in the User name and Password. I then “add” and try to connect. This does not work. After 30-60 seconds I get a notification saying “connection failed, activation of network connection failed”.

Through similar steps I got all this working on windows previously, which I used for a long time.

A user in this thread seems to have an issue that is similar to mine: Cannot connect to OpenVPN using Gnome - #9 by machitgarha. I ran sudo restorecon -Rv /home//.cert/ as suggested by Guus Bonnema. This did not seem to solve my issue. I rebooted after this (I saw someone else also suggest this cause something might be in cache :thinking:).

To summarize, I have two questions:

  • How can I get openvpn working (through the Gnome GUI)?
  • How can I, in the future, figure out problems such as these more efficiently without immediately needing to ask on places like this?

Thanks a lot for putting in your time!

Edit: SOLUTION

What went wrong?
My OpenVPN server seems to talk to its clients (my fedora machine) using TLS 1.0.

What helped?
After using journalctl -f I was able to read the error message and turn to setting “TLS min version” to 1.0 under advanced settings.

What I don’t know yet; TLS version 1.0 seems to be insecure, this is obviously bad. I guess OpenVPN has another encryption layer, hence I am curious if it is safe to use version 1.0.

1 Like

It works for me out of the box on Fedora 34 when importing VPN profile by a non-root user.
A reboot was never required, and fixing SELinux labels appears to be no longer required.
It should be some other problem, so you’d best collect and analyze the VPN connection log.

1 Like

Hi, thanks a lot for your reply @vgaetera!

After searching around on the internet I looked in /var/log/ for anything resembling an openvpn or vpn log, but could not find anything. Am I looking in the wrong place?

Again, thanks for your time

1 Like

You can start capturing logs like this:

journalctl -f

See also: Viewing logs in Fedora :: Fedora Docs

1 Like

That is really cool! Helps diagnosing the problem a lot!

What the problem seems to be is this:

TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only

These are the “advanced settings”, I assume this must all have been created when I imported the .ovpn file.

You put me on the right track for sure! I will try to figure out what TLS is and what version my server is running. (Maybe I can upgrade it to a newer one).

I really appreciate you putting in the time, thanks!

1 Like

Hey!

I now have a general understanding of what TLS is. What instantly fixed the problem is setting TLS min version to 1.0. Wikipedia tells me 1.0 and 1.1 are deemed insecure now. I wonder if using TLS 1.0 is dumb.

Note that if I set TLS min version to 1.1, the connection does not work.

Hence I now can get my vpn working again, but ended up with a new question: is using TLS 1.0 secure, when connecting to an OpenVPN server?

I will also make sure to edit my original post to summarize what went wrong and what helped me diagnose the problem. Again many thanks to @vgaetera for seriously pushing me into the right direction.

1 Like

General security related questions are not Fedora specific, so it’s best to ask elsewhere:
webserver - Should I disable TLS 1.0 on my servers? - Information Security Stack Exchange

However, you don’t really need to care about it if you use an up-to-date Fedora release.
Assuming that both client and server rely on security defaults and upgrade regularly.

This task is safe enough to delegate to the OpenVPN and crypto-policies maintainers:
Overview - rpms/crypto-policies - src.fedoraproject.org

1 Like