Help required: a certain VPN does not connect and times out

Can someone help? I have been having trouble connecting to my home university's VPN for the past 15-20 days. It is an OpenVPN connection, so I have been using networkmanager-openvpn to import my config files, and they have worked previously, but for the last 15-20 days I get "connection timed out". All certificates used are correct. I have tried to connect on the CLI:


Connection activation failed: The connection attempt timed out

and it suggests checking the journalctl logs (nothing erroneous I could find). I am also able to connect to this VPN with my phone (with the official OpenVPN app and the same files), and I am also able to connect to Proton's VPNs with my laptop, so I guess my device is not completely broken. I have tried redownloading my certificate files, recreating the VPN profile, reinstalling NetworkManager; nothing worked.

sga,

#####******************############**************
STUFF I HAVE WRITTEN
##############*************************
Intentionally not written nicely to be able to distinguish
######################***************************
remote had my college's VPN domain vpn.coll.eg.e
CA had the college's certificate file name (in the same dir as the config)
cert myid.crt
key myid.key


##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote 
port 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca 
cert 
key 

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# (Note: ns-cert-type was removed in OpenVPN 2.5;
# the current equivalent is "remote-cert-tls server".)
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
;cipher BF-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Windows-only route options (route-method selects
# how routes are added on Windows).
route-method exe
route-delay 2

auth-user-pass
Max_P (@Max_P@lemmy.max-p.me),

Check the logs, but it’s probably related to the deprecation of compression. OpenVPN 2.6 now requires a flag client-side to enable it as it is known to be the cause of too many vulnerabilities.

Add

comp-lzo yes
allow-compression yes

to your config and try again. If it still doesn't work, set the log level to 4, redact personal info and post the logs.

sga,

Compression was already enabled in the config (the config is given to us by the institute). I will reply with logs.

sga,

I tried to change the verbosity level in the config (it was 3; I tried 4 and 6). Nothing came, and for some reason nothing is coming in the journalctl logs either.

Max_P (@Max_P@lemmy.max-p.me),

You can try running it directly: sudo openvpn --config yourconf.ovpn

That will also tell us if NetworkManager is at fault.

sga, (edited)

2024-05-12 23:51:46 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-05-12 23:51:47 TCP/UDP: Preserving recently used remote address: ***********
2024-05-12 23:51:47 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-05-12 23:51:47 UDPv4 link local: (not bound)
2024-05-12 23:51:47 UDPv4 link remote: ******************
2024-05-12 23:51:47 TLS: Initial packet from *************
2024-05-12 23:51:47 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-05-12 23:51:47 VERIFY OK: depth=1, C=IN, ***************
2024-05-12 23:51:47 VERIFY OK: depth=0, C=IN, ***************
2024-05-12 23:51:48 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 3072 bits RSA, signature: RSA-SHA256, peer temporary key: 1024 bits DH
2024-05-12 23:51:48 [vpn.*******] Peer Connection Initiated with ****************
2024-05-12 23:51:48 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-12 23:51:48 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-12 23:51:49 SENT CONTROL [vpn.iitd.ac.in]: 'PUSH_REQUEST' (status=1)
2024-05-12 23:51:49 PUSH: Received control message: ************
2024-05-12 23:51:49 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-12 23:51:49 OPTIONS IMPORT: route options modified
2024-05-12 23:51:49 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-05-12 23:51:49 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-05-12 23:51:49 ERROR: Failed to apply push options
2024-05-12 23:51:49 Failed to open tun/tap interface
2024-05-12 23:51:49 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2024-05-12 23:51:49 Restart pause, 1 second(s)

This repeats over and over; I killed it. I also tried to connect to our VPN a year or two ago with this method and had the same/similar errors even back then, and it only used to work with NetworkManager.

Sorry for editing it heavily, but I would love to not be doxxed.

Max_P (@Max_P@lemmy.max-p.me),

ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

That's your error. So I think

data-ciphers AES-128-CBC

in your config should resolve this. Basically there are some issues with CBC and it's now off by default.
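The two replies above each fix one symptom by hand. The following is an added example (not code from the thread, from the institute, or from the OpenVPN project) that does the same work mechanically: it reads a client config and the openvpn log, reports what the 2.5/2.6 defaults now reject or warn about, and builds the data-ciphers line the error message asks for by appending the server's cipher to the list the client already has rather than replacing it. The sample config and log lines are constructed from the directives and messages visible in the thread; the hostname vpn.example.invalid and the file name ca.crt are placeholders for the values the post left blank.

```python
"""Added example (not from the thread or the OpenVPN project): audit an OpenVPN 2.x
client config against the stricter 2.5/2.6 defaults and derive the fix from its log."""
import re

# Constructed sample: the active directives of the posted client config, with
# placeholder hostname/file names where the post left them blank.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myid.crt
key myid.key
;ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
auth-user-pass
"""

# Constructed sample: the three posted log lines that carry the diagnosis.
SAMPLE_LOG = """\
2024-05-12 23:51:46 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-05-12 23:51:48 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, peer certificate: 3072 bits RSA, signature: RSA-SHA256, peer temporary key: 1024 bits DH
2024-05-12 23:51:49 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
"""

CIPHER_ERR = re.compile(
    r"failed to negotiate cipher with server\.\s+Add the server's cipher "
    r"\('(?P<server>[^']+)'\) to --data-ciphers \(currently '(?P<current>[^']+)'\)")
DH_BITS = re.compile(r"peer temporary key: (?P<bits>\d+) bits DH")


def parse_directives(text):
    """Map each active directive to its arguments; lines starting with ';' or '#' are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            directives[name] = args
    return directives


def data_ciphers_from_log(log):
    """Build the --data-ciphers value the error asks for. The AEAD ciphers stay first so
    the client keeps preferring them if the server is ever upgraded; the legacy CBC
    cipher is appended last only because this server offers nothing else."""
    m = CIPHER_ERR.search(log)
    if not m:
        return None
    ciphers = m.group("current").split(":")
    if m.group("server") not in ciphers:
        ciphers.append(m.group("server"))
    return ":".join(ciphers)


def audit(config_text, log_text=""):
    """Return (findings, directives_to_add) for a client config and the log it produced."""
    d = parse_directives(config_text)
    findings, add = [], []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        # Without this, any certificate the CA signed (another client's, say) passes as the server.
        findings.append("no server certificate verification method enabled")
        add.append("remote-cert-tls server")
    if "ns-cert-type" in d:
        findings.append("ns-cert-type was removed in OpenVPN 2.5; replace it with remote-cert-tls")
    if ("comp-lzo" in d or "compress" in d) and "allow-compression" not in d:
        # 2.5+ makes compression opt-in (it leaks plaintext length: VORACLE). 'asym' decompresses
        # what the server sends but never compresses client data, which is the side attacks need.
        findings.append("compression configured without allow-compression")
        add.append("allow-compression asym")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("username/password may be cached in process memory")
        add.append("auth-nocache")
    ciphers = data_ciphers_from_log(log_text)
    if ciphers:
        findings.append("server data cipher is not in the client's data-ciphers list")
        add.append("data-ciphers " + ciphers)
    m = DH_BITS.search(log_text)
    if m and int(m.group("bits")) < 2048:
        # Nothing the client can fix: the server's dh parameter is too small; tell the admin.
        findings.append("control channel DH group is only %s bits" % m.group("bits"))
    return findings, add


def patched_config(config_text, log_text=""):
    """Return the config with the missing directives appended."""
    _, add = audit(config_text, log_text)
    return config_text.rstrip("\n") + "\n" + "\n".join(add) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_LOG)[0]:
        print("finding:", finding)
    print(patched_config(SAMPLE_CONFIG, SAMPLE_LOG))
```

Two caveats on what it appends. remote-cert-tls server only works if the institution's server certificate carries the serverAuth extended key usage; if it does not, verification fails and verify-x509-name with the server certificate's subject is the fallback. allow-compression asym is the safer choice because the client then never compresses its own traffic; if the server refuses that, yes is the value Max_P suggested. Note also what the posted log already rules out: VERIFY OK at depth 1 and 0 and the session being promoted to trusted mean the renewed certificates are fine, and the failure occurs only when the pushed options are applied, after which the process restarts in a loop (SIGUSR1 ... process restarting), which is what NetworkManager eventually surfaces as a plain timeout.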

sga,

Since I forgot to mention it earlier: we have to renew our certificates almost every 6 months, and I renewed them recently (around the time the breakage started), but (I may be misremembering) I think I connected with the new certs also. Before renewal, the VPN worked both on my phone and laptop; now it only works on the phone. I am now trying to use it on a live USB.

sga,

I tried a live USB (I had a Linux Mint one): same error.

lemmyreader, (edited)

Your phone is fine with the new certificates but Linux on the desktop is not. Would it be possible that both Arch Linux and Linux Mint have software upgraded that is causing the connection failure? Could it still work if you used an older LTS Linux version as a live USB stick? Or would the new certificates actually require newer software, like OpenSSL (which I think is a build dependency for OpenVPN), on the desktop? EDIT: I guess the latter is not the case since Arch Linux is a rolling distribution. But you could ask your IT persons at the university whether they upgraded something?

sga,

With my college, they are not even up to current OpenVPN versions; if I use a verbose VPN app on the phone (OpenVPN for Android on F-Droid), I have to use compatibility settings to even connect. They even use older encryption standards and compression settings. What I think is that coincidentally something in my system updated which may not work with their current configs, and on my phone it is somehow still working.

Ashiette,

It may not apply to you but, from my own experience and assuming you are on KDE:

Remove your ethernet connection. Remove your VPN connection. Recreate an ethernet connection then the VPN. Never set ‘autoconnect’.

Before putting your computer to sleep/shutdown, manually disconnect from the VPN.

sga,

I am not on KDE or Ethernet; I also don't use autoconnect.

markus,

@sga ok, since you didn't mention that before, that would be a possible source of error.

markus,

@sga I think you have to ask an admin of the university because a timeout is usually a problem on the server side.

sga,

But it works on my phone, so something has to be borked on my end. I have also recently renewed my certificates; that may have something to do with it, since the VPN has also not been working pretty much since then.

lemmyreader,

Not sure if this applies to your university VPN, but with VPN providers an important part of making a successful VPN connection and using it to browse the Internet is that the DNS servers in /etc/resolv.conf are correct. You can check and see any difference in the content of that file before and after starting the VPN connection.

sga,

I don't see a change.

lemmyreader,

I am not sure if you would be able to compare the content of that file on your phone as well? Maybe with adb and then check the content there (not sure if Android also uses /etc/resolv.conf)? Or maybe test connecting on a Linux live USB stick and compare?
