this post was submitted on 12 May 2024
18 points (100.0% liked)

Arch Linux

7777 readers
1 users here now

The beloved lightweight distro

founded 4 years ago
MODERATORS
 

Can someone help, i have been having trouble connected with my home universities vpn, for past 15-20days, it is an openvpn connection, so i have been using networkmanager-openvpn to import my config files, and they have worked previously, but for last 15-20 days i get connection timed out, all certificates used are correct, i have tried to connect on cli,

Connection activation failed: The connection attempt timed out

and it suggests to check journalctl logs (nothing erroneous i could find) i am also able to connect with this vpn with my phone (with openvpn official app with same files), and also i am able to connect to proton's vpns with my laptop, so i guess my device is not completely broken, i have tried to redownload my certificate files, recreating vpn profile, reinstalling networkmanager, nothing worked

you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 1 points 6 months ago (5 children)

Check the logs, but it's probably related to the deprecation of compression. OpenVPN 2.6 now requires a flag client-side to enable it as it is known to be the cause of too many vulnerabilities.

Add

comp-lzo yes
allow-compression yes

To your config and try again. If it still doesn't work set log level to 4, redact personal info and post the logs.

[–] sga@lemmy.ml 1 points 6 months ago (1 children)

compression was already enabled in config (the config is given to us by institute), i will reply with logs

[–] sga@lemmy.ml 1 points 6 months ago (1 children)

i tried to change the verbosity level in config (it was 3, i did with 4 and 6), nothing came, and for some reason, nothing is coming in journalctl logs also

[–] Max_P@lemmy.max-p.me 1 points 6 months ago (1 children)

You can try running it directly, sudo openvpn --config yourconf.ovpn

That will also tell us if NetworkManager is at fault.

[–] sga@lemmy.ml 1 points 6 months ago* (last edited 6 months ago) (1 children)
2024-05-12 23:51:46 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-05-12 23:51:47 TCP/UDP: Preserving recently used remote address: ***********
2024-05-12 23:51:47 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-05-12 23:51:47 UDPv4 link local: (not bound)
2024-05-12 23:51:47 UDPv4 link remote: ******************
2024-05-12 23:51:47 TLS: Initial packet from *************
2024-05-12 23:51:47 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-05-12 23:51:47 VERIFY OK: depth=1, C=IN, ***************
2024-05-12 23:51:47 VERIFY OK: depth=0, C=IN, ***************
2024-05-12 23:51:48 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 3072 bits RSA, signature: RSA-SHA256, peer temporary key: 1024 bits DH
2024-05-12 23:51:48 [vpn.*******] Peer Connection Initiated with ****************
2024-05-12 23:51:48 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-12 23:51:48 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-12 23:51:49 SENT CONTROL [vpn.iitd.ac.in]: 'PUSH_REQUEST' (status=1)
2024-05-12 23:51:49 PUSH: Received control message: ************
2024-05-12 23:51:49 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-12 23:51:49 OPTIONS IMPORT: route options modified
2024-05-12 23:51:49 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-05-12 23:51:49 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-05-12 23:51:49 ERROR: Failed to apply push options
2024-05-12 23:51:49 Failed to open tun/tap interface
2024-05-12 23:51:49 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2024-05-12 23:51:49 Restart pause, 1 second(s)

this repeats over and over, i killed it, also i tried to connect with our vpn a year or 2 ago this method, and had same/similar errors even back then, and it only used to worked with network manager

sorry for editing it heavily, but would love to not be doxxed

[–] Max_P@lemmy.max-p.me 3 points 6 months ago
ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

That's your error. So I think

data-ciphers AES-128-CBC

In your config should resolve this. Basically there's some issues with CBC and it's now off by default.

load more comments (3 replies)