I recently installed fedora on my main machine. I’m a first time Linux user.
I’m trying to connect to an OpenVPN server I have running somewhere. I tried doing this by going to settings > Network > VPN “+” > Import from file. After selecting the .ovpn file I fill in the User name and Password. I then “add” and try to connect. This does not work. After 30-60 seconds I get a notification saying “connection failed, activation of network connection failed”.
Through similar steps I got all this working on windows previously, which I used for a long time.
A user in this thread seems to have an issue that is similar to mine: Cannot connect to OpenVPN using Gnome - #9 by machitgarha. I ran sudo restorecon -Rv /home//.cert/ as suggested by Guus Bonnema. This did not seem to solve my issue. I rebooted after this (I saw someone else also suggest this because something might be in the cache).
To summarize, I have two questions:
- How can I get openvpn working (through the Gnome GUI)?
- How can I, in the future, figure out problems such as these more efficiently without immediately needing to ask on places like this?
Thanks a lot for putting in your time!
What went wrong?
My OpenVPN server seems to talk to its clients (my fedora machine) using TLS 1.0.
With journalctl -f I was able to read the error message and turned to setting “TLS min version” to 1.0 under advanced settings.
What I don’t know yet: TLS version 1.0 seems to be insecure, which is obviously bad. I guess OpenVPN has another encryption layer, hence I am curious whether it is safe to use version 1.0.
It works for me out of the box on Fedora 34 when importing VPN profile by a non-root user.
A reboot was never required, and fixing SELinux labels appears to be no longer required.
It should be some other problem, so you’d best collect and analyze the VPN connection log.
Hi, thanks a lot for your reply @vgaetera!
After searching around on the internet I looked in /var/log/ for anything resembling an openvpn or vpn log, but could not find anything. Am I looking in the wrong place?
Again, thanks for your time.
You can start capturing logs like this:
See also: Viewing logs in Fedora :: Fedora Docs
That is really cool! It helps a lot with diagnosing the problem!
What the problem seems to be is this:
TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
These are the “advanced settings”, I assume this must all have been created when I imported the .ovpn file.
You put me on the right track for sure! I will try to figure out what TLS is and what version my server is running. (Maybe I can upgrade it to a newer one).
I really appreciate you putting in the time, thanks!
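As an added example (not code from any poster in this thread), a small POSIX shell helper that reads a saved journal log and the imported .ovpn profile, classifies the failure quoted above, and reports the TLS window the profile asks for; the profile contents, log lines and hostname are constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): classify the NetworkManager/
# OpenVPN failure from a saved log and show the TLS window the .ovpn requests.
set -u

# Print "min=<ver> max=<ver>" from the profile; "unset" means the client
# falls back to OpenVPN's built-in default for that directive.
ovpn_tls_window() {
  min=$(awk '$1 == "tls-version-min" { print $2; exit }' "$1")
  max=$(awk '$1 == "tls-version-max" { print $2; exit }' "$1")
  printf 'min=%s max=%s\n' "${min:-unset}" "${max:-unset}"
}

# Classify a saved log (e.g. "journalctl -f > vpn.log" while connecting).
classify_vpn_log() {
  if grep -q 'TLS error: Unsupported protocol' "$1"; then
    echo tls-version-mismatch        # client and server share no TLS version
  elif grep -q 'TLS handshake failed' "$1"; then
    echo tls-handshake-failed        # other TLS failure: certs, clock, keys
  elif grep -q 'avc:  denied' "$1"; then
    echo selinux-denied              # e.g. labels under ~/.cert/nm-openvpn
  else
    echo unknown
  fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_OVPN=$(mktemp); SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_OVPN" <<'EOF'
client
remote vpn.example.invalid 1194 udp
tls-version-min 1.2
EOF
cat >"$SAMPLE_LOG" <<'EOF'
nm-openvpn[4242]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
nm-openvpn[4242]: TLS handshake failed
EOF

ovpn_tls_window "$SAMPLE_OVPN"      # min=1.2 max=unset
classify_vpn_log "$SAMPLE_LOG"      # tls-version-mismatch
# Lowering tls-version-min on the client only masks the mismatch; the durable
# fix is a server that supports TLS 1.2 or newer.
```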
I now have a general understanding of what TLS is. What instantly fixed the problem is setting TLS min version to 1.0. Wikipedia tells me 1.0 and 1.1 are deemed insecure now. I wonder whether using TLS 1.0 is dumb.
Note that if I set TLS min version to 1.1, the connection does not work.
Hence I now can get my vpn working again, but ended up with a new question: is using TLS 1.0 secure, when connecting to an OpenVPN server?
I will also make sure to edit my original post to summarize what went wrong and what helped me diagnose the problem. Again, many thanks to @vgaetera for seriously pushing me in the right direction.
General security related questions are not Fedora specific, so it’s best to ask elsewhere:
webserver - Should I disable TLS 1.0 on my servers? - Information Security Stack Exchange
However, you don’t really need to care about it if you use an up-to-date Fedora release, assuming that both client and server rely on security defaults and upgrade regularly.
This task is safe enough to delegate to the OpenVPN and crypto-policies maintainers:
Overview - rpms/crypto-policies - src.fedoraproject.org
I had also faced this problem with Fedora, but the issue turned out to be SELinux related. SELinux was not allowing NetworkManager to access
chcon -R -t NetworkManager_var_run_t ~/.cert/nm-openvpn
This solved the problem temporarily.
For a more permanent solution, run:
semanage fcontext -a -t NetworkManager_var_run_t ~/.cert/nm-openvpn
restorecon -v ~/.cert/nm-openvpn