Unable to connect to OpenVPN using nmcli

Hi!
I’m playing around with Fedora IoT 35 on a Raspberry Pi 4. It is working great otherwise, but I cannot seem to connect to my VPN. It is the same VPN I use from my desktop running Fedora Silverblue 35. There I have set it up using the GUI and now I’m trying to use nmcli.

Here is what I have done so far:

  • Installed NetworkManager-openvpn as an overlay package
  • Imported the *.ovpn file (same as I used on the desktop) with sudo nmcli connection import type openvpn file nasse.ovpn
  • Set username for authentication: sudo nmcli con mod nasse vpn.user-name <USERNAME>
  • Tried to set the password (but apparently failed)

I have tried to set the password like this: sudo nmcli con mod nasse vpn.secrets "password=<PASSWORD>". The command completes without any complaint but the secret is never added to the connection details as seen with nmcli con show nasse --show-secrets.

I have also tried to tell it to ask for the password and to use passwd-file. This is what happens:

$ sudo nmcli --ask con up nasse
[sudo] password for USERNAME:

(process:39671): nm-WARNING **: 19:27:49.366: Failed to spawn the auth dialogFailed to execute child process “/usr/libexec/nm-openvpn-auth-dialog” (No such file or directory)

A password is required to connect to 'nasse'.
Password (vpn.secrets.password): ••••••••••••
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=fa5b3805-4f8b-409a-bad2-44a70ff804c9 + NM_DEVICE=wlan0' to get more details.

In journalctl I can see the following:

Nov 25 11:45:07 merry NetworkManager[1185]: <info>  [1637840707.2736] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: Started the VPN service, PID 27813
Nov 25 11:45:07 merry NetworkManager[1185]: <info>  [1637840707.2916] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: Saw the service appear; activating connection
Nov 25 11:45:20 merry NetworkManager[1185]: <info>  [1637840720.6225] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN plugin: state changed: starting (3)
Nov 25 11:45:20 merry NetworkManager[1185]: <info>  [1637840720.6227] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN connection: (ConnectInteractive) reply received
Nov 25 11:45:20 merry NetworkManager[1185]: <warn>  [1637840720.6358] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN plugin: failed: connect-failed (1)
Nov 25 11:45:20 merry NetworkManager[1185]: <warn>  [1637840720.6370] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN plugin: failed: connect-failed (1)
Nov 25 11:45:20 merry NetworkManager[1185]: <info>  [1637840720.6374] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN plugin: state changed: stopping (5)
Nov 25 11:45:20 merry NetworkManager[1185]: <info>  [1637840720.6378] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN plugin: state changed: stopped (6)
Nov 25 11:45:20 merry NetworkManager[1185]: <info>  [1637840720.6408] vpn-connection[0xaaab0e490560,883a7d8d-52b2-4b30-b092-8b2101343491,"nasse",0]: VPN service disappeared

I don’t know how to continue, what to look at. Any suggestions?

2 Likes

Compare the NetworkManager configs on both systems:

sudo head -v -n -0 /etc/NetworkManager/system-connections/*
2 Likes

Thank you!
There were 2 things different (except the uuid): the path to the certificate and the tls-cipher. The cipher was for some reason missing on the desktop but I was pretty sure this was not the issue, so I checked the certificate.
On the rpi, it was under /root/.cert/nm-openvpn/ and on the desktop it was in my home dir (/var/home/<username>/.cert/nm-openvpn). I suspected some permission problem so I thought why not try to copy it to my home dir and change the path. Well, I didn’t even get that far before I found that I already had a cert in the home dir also! So I just changed the path and then it worked! :partying_face:

I’m not sure why this happened, could it be some confusion about what user to use when using sudo? Like it would import the *.ovpn file as root but then set up the connection with my user?

1 Like

Yep, this is a known issue when importing a VPN profile with sudo:
1977268 – nm-openvpn applies incorrect SELinux labels when importing a VPN profile

2 Likes
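
The config comparison suggested in this thread, together with a check for the /root certificate path that turned out to be the cause, as an added example that is not part of the original posts. The function names, file names, user name, uuid values and cipher string are assumptions made for the sample.

```shell
#!/bin/sh
# Added example (not from the thread): diff two NetworkManager keyfiles while
# ignoring the uuid, and flag certificate/key paths that ended up under /root.
# Function names are hypothetical; the sample keyfiles below are constructed.

# Emit "section.key=value" for every setting except connection.uuid.
nm_settings() {
    awk -F= '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        /^[ \t]*(#|$)/ { next }
        section == "connection" && $1 == "uuid" { next }
        { print section "." $1 "=" substr($0, length($1) + 2) }' "$1" | sort
}

# Settings that differ: "<" only in the first file, ">" only in the second.
nm_diff() {
    a=$(mktemp); b=$(mktemp)
    nm_settings "$1" > "$a"; nm_settings "$2" > "$b"
    diff "$a" "$b" | grep '^[<>]' || true
    rm -f "$a" "$b"
}

# [vpn] file settings whose path is under /root (typical after a sudo import).
root_cert_paths() {
    nm_settings "$1" | grep -E '^vpn\.(ca|cert|key|ta|tls-crypt)=/root/' || true
}

# Write a constructed keyfile: $1=file $2=uuid $3=home dir $4=extra line.
write_sample() {
    printf '%s\n' '[connection]' 'id=nasse' "uuid=$2" 'type=vpn' '' \
        '[vpn]' "ca=$3/.cert/nm-openvpn/nasse-ca.pem" \
        'connection-type=password' "$4" 'username=alice' > "$1"
}

tmp=$(mktemp -d)
write_sample "$tmp/pi.nmconnection" 11111111-1111-1111-1111-111111111111 \
    /root 'tls-cipher=PLACEHOLDER-CIPHER'
write_sample "$tmp/desktop.nmconnection" 22222222-2222-2222-2222-222222222222 \
    /var/home/alice '# no tls-cipher line on the desktop'

nm_diff "$tmp/pi.nmconnection" "$tmp/desktop.nmconnection"
root_cert_paths "$tmp/pi.nmconnection"
```

On the affected host, running `sudo ls -Z` on each flagged path shows the SELinux label the file received.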