I’m hitting this too, and TinCanTech’s link actually helped me quite a bit.
OpenVPN client: Community Edition, specifically OpenVPN-2.5.3-I601-arm64.msi
Client OS: Microsoft Windows [Version 10.0.22000.160] (current Insider Preview Dev; yes, ARM64)
OpenVPN server: free tier of vpnbook.com, US1 region
I have confirmed this same config and OpenVPN version works on x64 and ARM64 Windows 10.
I don’t have access to the server config, but I don’t think that actually matters here since the log file shows a problem very early on.
Here’s the client configuration I’m using:
Client config
client
dev tun3
proto tcp
remote x.x.x.x 80
remote y.y.y.y 80
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
verb 3
cipher AES-128-CBC
fast-io
pull
route-delay 2
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
When I use this to connect, I get a modal dialog with the text in the name of this thread and this in the log it links to, just like the OP:
Client Log
2021-08-24 15:15:39 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-08-24 15:15:39 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-08-24 15:15:39 Flag 'def1' added to --redirect-gateway (iservice is in use)
2021-08-24 15:15:39 OpenVPN 2.5.3 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-08-24 15:15:39 Windows version 10.0 (Windows 10 or greater) 64bit
2021-08-24 15:15:39 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-08-24 15:15:39 ERROR: Failed retrieving username or password
2021-08-24 15:15:39 Exiting due to fatal error
Searching for "Failed retrieving username or password" and "arm64 openvpn", I found this issue which is what I am hitting:
https://community.openvpn.net/openvpn/ticket/1418
There’s a fix coming soon:
https://patchwork.openvpn.net/patch/1871/
If your system isn’t ARM64 and you’re not on a Windows Insider Program version of Windows, then this likely doesn’t apply to you. :/
OpenVPN Support Forum
Community Support Forum
Windows 11 — ERROR: Failed retrieving username or password
Windows 11 — ERROR: Failed retrieving username or password
Post by irvaragon » Sun Jul 11, 2021 4:47 pm
This is what I am getting, no username/pwd prompt window to enter credentials:
Windows 11 arm64 using arm64 installation from community.
2021-07-11 09:40:27 OpenVPN 2.5.3 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-07-11 09:40:27 Windows version 10.0 (Windows 10 or greater) 64bit
2021-07-11 09:40:27 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-07-11 09:40:27 ERROR: Failed retrieving username or password
2021-07-11 09:40:27 Exiting due to fatal error
Any help would be appreciated.
Re: Windows 11 — connecting to management interface failed
Post by TinCanTech » Sun Jul 11, 2021 6:57 pm
Re: Windows 11 — connecting to management interface failed
Post by hmartinez82 » Fri Aug 13, 2021 5:07 am
Re: Windows 11 — connecting to management interface failed
Post by TinCanTech » Fri Aug 13, 2021 12:28 pm
Re: Windows 11 — connecting to management interface failed
Post by javier.cardaba@basetis.com » Mon Aug 23, 2021 10:14 am
Re: Windows 11 — connecting to management interface failed
Post by toroidalblob » Tue Aug 24, 2021 10:55 pm
Re: Windows 11 — connecting to management interface failed
Post by TinCanTech » Tue Aug 24, 2021 11:16 pm
Also, your post looks to be accurate to me. Thank you, a second time.
Re: Windows 11 — connecting to management interface failed
Post by TinCanTech » Tue Aug 24, 2021 11:22 pm
I have moved this up to Testing Branch because this is testing in action.
And updated the subject, for what it is worth.
Creating keys and certificates in Easy-rsa 3.0.3 for OpenVPN
I decided to set up an OpenVPN server and found a good guide:
I ran only the first two commands:
I did the following:
I can't figure out how to generate server.crt, and which command replaces ./build-key client from Easy-rsa 2?
Am I doing everything right?
2. Created a key and a signing request for server0. This gave server0.key and server0.req.
3. Signed the signing request for server0. This gave server0.crt.
For the client there are 2 options (the first is preferable):
1. On the client machine:
2. Do everything on the CA machine and send the .key and .crt to the client.
Yes, thanks, I've already figured it out.
But after generating the keys and certificates and setting up the connection on the client, it doesn't connect: https://ibb.co/h5B0Ob
Everything is enabled on the server side, port 1194 is open, what could it be missing?
Client connection config:
So where are the connection errors?
Post the client and server configs and the connection logs from both sides.
The IP is visible. If you don't want that, better blur it out.
No, I don't see the gopher )) What's wrong?
I'll post the configs and logs a bit later, I'm on the road right now.
But I don't see that "on the server side . port 1194 is open"
Do I have to fix every little piece of crap for you? TCP != UDP. You wrote the rule for tcp, but the client has "proto udp"
Whoa, maybe you aren't even loading the rules.
# Completed on Sun Jan 28 03:26:44 2018
Show the output of the iptables-save command, not of the saved file
Well, so the "first part of the ballet" (fw) is sorted out.
That leaves the configs and logs. Both the server's and the client's.
Also, from déjà vu, there were problems with differing client and server versions.
The log /etc/openvpn/openvpn-status.log is empty!
Are there logs anywhere else on the server? There is no openvpn.log in /var/log.
Session log on the client:
Client version: OpenVPN GUI v 11.8.0.0 (graphical interface, for Windows); server version: OpenVPN 2.4.4 (on centos7)
I also noticed this. I start the openvpn server:
A minute passes. I check the status again:
But even when it is active (running) nothing changes; the client fails to connect with the same logs every time.
Add sudo so that the status includes a piece of the log.
Will there be configs?
For ovpn logs, add log-append path-to-log-file to the config
Add sudo so that the status includes a piece of the log.
Also, never mind the system. Run
Add sudo so that the status includes a piece of the log.
Here is the full status log:
ERROR: Failed retrieving username or password
Who is going to enter the password for the key?
Who is going to enter the password for the key?
Yes, by the way, I put this in the config:
Only it's not clear at what point this password has to be entered. It doesn't ask for a password at connection time. I made the client key without a password.
Here is what currently happens when I start OpenVPN; I type:
No need to teach that; better to show how to set it up with a proper log.
As a follow-up on the passwords.
For the client:
cipher AES-256-CBC
tls-auth
remove
comp-lzo
or put it back on the server
I disagree. Often during initial debugging it is more convenient to see what gets written straight to the console. It really is more convenient for understanding why you were turned away than tailing logs separately and restarting daemons.
This doesn't apply only to ovpn. And if you add all sorts of --debug flags it's downright delicious.
So how do I enter the password when starting the openvpn server? )))
Regenerate everything from scratch, without passwords. Honestly, in all these years it never occurred to me to set passwords for server ones. I only do it for clients, when necessary.
At startup it apparently asks for the password of ca.crt, which is created by the command:
Dude, just use SoftEther already.
The password on ca.crt can be removed with openssl; there are plenty of articles.
Certificates (ca.crt is a certificate) are not password-protected; the private key is what is protected by a password. You apparently generated the client key with a password. Generate the client key and certificate again. You can of course obtain a passwordless key from a password-protected one, but it's easier to regenerate.
It's just better to explain the final configuration to beginners right away, otherwise they get confused as it is.
Certificates (ca.crt is a certificate) are not password-protected; the private key is what is protected by a password. You apparently generated the client key with a password. Generate the client key and certificate again. You can of course obtain a passwordless key from a password-protected one, but it's easier to regenerate.
No, for the client I definitely generated it without a password, with the nopass option, and it didn't ask for a password during generation; it was on this very command:
With this command you protected with a password the private key (ca.key, if I'm not mistaken) of your certificate authority (CA). You were asked for this password when you signed the client certificate with this key (ca.key) after generating it.
Yes, probably so.
Try generating the client certificate and key again. When it asks for a password, just press Enter.
I regenerated everything from scratch.
The previous problem is gone, but a new one has appeared )).
Nothing has changed in the client logs; it fails at the same stage of the connection with the same logs.
OpenVPN Support Forum
Community Support Forum
Save username only and prompt for password
Save username only and prompt for password
Post by marcolino7 » Wed Nov 28, 2012 11:04 pm
Hi,
I just searched the forum and Google but I found no solution.
In my config file I have the auth-user-pass parameter and the client prompts me for user and password.
I would like to save ONLY the username and be prompted for the password each time I connect.
Is it possible? I’m running openvpn2.2.2 on Windows 7 32 bit.
Re: Save username only and prompt for password
Post by marcolino7 » Tue Dec 04, 2012 4:19 pm
Re: Save username only and prompt for password
Post by CourtK » Tue Apr 16, 2013 7:53 pm
Re: Save username only and prompt for password
Post by janjust » Wed Apr 17, 2013 8:19 am
Re: Save username only and prompt for password
Post by stefan2k1 » Tue Sep 22, 2015 12:58 pm
is there any news here? I would like to save only the username and not the password. Has this function been implemented now?
Re: Save username only and prompt for password
Post by dishcandanty » Tue Jan 19, 2016 9:18 pm
Re: Save username only and prompt for password
Post by rseiler » Sun Aug 21, 2016 1:53 am
Re the last poster, does that definitely work with the Linux client? It doesn’t work with the Windows client.
If you just have the single line, it’ll come back right away with an error ("Connecting to [username] has failed."). If you create a newline after it, it does the same. Perhaps there’s some other nuance to this.
The manual seems to agree with you though. Could it be in reference to Linux only?
Authenticate with server using username/password. up is a file containing username/password on 2 lines. If the password line is missing, OpenVPN will prompt for one.
[+] There is a problem starting openvpn. Please, check nohup.out for details
Fri Mar 2 16:24:08 2018 WARNING: file ‘pass.txt’ is group or others accessible
Fri Mar 2 16:24:08 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 10 2017
Fri Mar 2 16:24:08 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Fri Mar 2 16:24:08 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Mar 2 16:24:08 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]198.7.62.204:53
Fri Mar 2 16:24:08 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Mar 2 16:24:08 2018 UDP link local: (not bound)
Fri Mar 2 16:24:08 2018 UDP link remote: [AF_INET]198.7.62.204:53
Fri Mar 2 16:24:08 2018 TLS: Initial packet from [AF_INET]198.7.62.204:53, sid=e2750a10 0c5ce314
Fri Mar 2 16:24:08 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Mar 2 16:24:09 2018 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Fri Mar 2 16:24:09 2018 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, emailAddress=admin@vpnbook.com
Fri Mar 2 16:24:11 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Fri Mar 2 16:24:11 2018 [vpnbook.com] Peer Connection Initiated with [AF_INET]198.7.62.204:53
Fri Mar 2 16:24:13 2018 SENT CONTROL [vpnbook.com]: ‘PUSH_REQUEST’ (status=1)
Fri Mar 2 16:24:13 2018 AUTH: Received control message: AUTH_FAILED
Fri Mar 2 16:24:13 2018 SIGTERM[soft,auth-failure] received, process exiting
Fri Mar 2 16:32:16 2018 WARNING: file ‘pass.txt’ is group or others accessible
Fri Mar 2 16:32:16 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 10 2017
Fri Mar 2 16:32:16 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Fri Mar 2 16:32:57 2018 ERROR: Failed retrieving username or password
Fri Mar 2 16:32:57 2018 Exiting due to fatal error
Fri Mar 2 16:34:20 2018 WARNING: file ‘pass.txt’ is group or others accessible
Fri Mar 2 16:34:20 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 10 2017
Fri Mar 2 16:34:20 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Fri Mar 2 16:35:50 2018 ERROR: Failed retrieving username or password
Fri Mar 2 16:35:50 2018 Exiting due to fatal error
Mon Mar 5 16:43:16 2018 WARNING: file ‘pass.txt’ is group or others accessible
Mon Mar 5 16:43:16 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 10 2017
Mon Mar 5 16:43:16 2018 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
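The warnings that recur in the logs on this page (compression enabled, --cipher missing from --data-ciphers, no server certificate verification method, passwords cached in memory, a credentials file readable by group or others) can be checked in a client config before connecting. The following is an added example, not code from any of the quoted posts or from OpenVPN: the finding labels, function names and both sample configs are constructed, and the rules approximate OpenVPN's own checks rather than reproduce them. Whether a given server accepts the tightened variant is not something the page tells us.

```python
import os
import stat

# Default --data-ciphers list, as quoted in the OpenVPN 2.5.3 log on this page.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"
# Directives that turn on some form of server certificate verification.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
                 "verify-x509-name", "ns-cert-type"}


def parse_directives(text):
    """Map each directive to its argument list, skipping inline <tag> blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <ca>, <cert>, <key>, ...
            if line == "</" + inline + ">":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        name, *args = line.split()
        directives[name.lstrip("-")] = args
    return directives


def lint_client_config(text, base_dir="."):
    """Return finding labels (names made up for this example) for a client config."""
    d = parse_directives(text)
    findings = []
    if ("comp-lzo" in d and d["comp-lzo"][:1] != ["no"]) or d.get("compress"):
        findings.append("compression-enabled")
    if d.get("cipher") and "data-ciphers-fallback" not in d:
        allowed = (d.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0].upper()
        if d["cipher"][0].upper() not in allowed.split(":"):
            findings.append("cipher-not-in-data-ciphers")
    if SERVER_VERIFY.isdisjoint(d):
        findings.append("no-server-cert-verification")
    if "auth-user-pass" in d:
        if "auth-nocache" not in d:
            findings.append("password-cached-in-memory")
        for name in d["auth-user-pass"][:1]:   # optional credentials file (POSIX mode bits)
            path = os.path.join(base_dir, name)
            if os.path.isfile(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append("credentials-file-group-or-other-accessible")
    return findings


# Constructed sample: directives from the client config posted on this page,
# with the certificate body left empty as it is there.
POSTED = """client
remote x.x.x.x 80
auth-user-pass
comp-lzo
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
"""

# Constructed variant that clears every finding; pass.txt is the file name
# seen in the Linux log above.
TIGHTENED = """client
remote x.x.x.x 80
auth-user-pass pass.txt
auth-nocache
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
cipher AES-128-CBC
"""

if __name__ == "__main__":
    print(lint_client_config(POSTED))
    print(lint_client_config(TIGHTENED))
```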
Installation
- Put client configuration into /etc/openvpn/client/
- Start openvpn services:
    systemctl start openvpn-client@config-name
    systemctl status openvpn-client@config-name
    systemctl enable openvpn-client@config-name
NOTE: `openvpn-client@` service doesn’t contain `restart`.
The status of a failed openvpn daemon looks like:
    systemctl status openvpn-client@config-name
    ...
    Active: activating (auto-restart) since Mon 2020-10-19 15:50:36 CEST; 15s ago
    Docs: man:openvpn(8)
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
    https://community.openvpn.net/openvpn/wiki/HOWTO
    Main PID: 19630 (code=exited, status=0/SUCCESS)
    ...
To make sure your VPN is running:
    systemctl edit openvpn-client@config-name
and enter the following config:
    [Service]
    Restart=always
    RestartSec=300
Then reload systemd:
    systemctl daemon-reload
Issue:
    openvpn[281925]: Failed to query password: Timer expired
    openvpn[281924]: ERROR: Failed retrieving username or password
Solution:
- /etc/systemd/system/openvpn-client@.service.d/askpass.conf
    [Service]
    ExecStart=
    ExecStart=/usr/sbin/openvpn --suppress-timestamps --askpass --nobind --config %i.conf
Deprecated
- Put client configuration into /etc/openvpn/client.conf
- Enable autostart of ALL or specified configs in /etc/default/openvpn
- Generate systemd services from openvpn configs:
    systemctl daemon-reload
- Start openvpn services:
    systemctl start openvpn
Certificates
- CA has to be with X509v3 Key Usage: Certificate Sign, CRL Sign. Without CRL Sign, the latest version of OpenVPN doesn’t allow a CRL to be used.
    - basicConstraints = CA:TRUE (critical)
    - nsCertType = sslCA # restrict the usage
    - keyUsage = keyCertSign, cRLSign
    - subjectKeyIdentifier = hash
    - authorityKeyIdentifier = keyid:always,issuer:always
- OpenVPN Server
    - basicConstraints = CA:FALSE
    - subjectKeyIdentifier = hash
    - authorityKeyIdentifier = keyid,issuer
    - nsCertType = server # restrict the usage
    - keyUsage = digitalSignature, keyEncipherment
    - extendedKeyUsage = serverAuth # restrict the usage
- OpenVPN Client
    - basicConstraints = CA:FALSE
    - subjectKeyIdentifier = hash
    - authorityKeyIdentifier = keyid,issuer
    - nsCertType = client # restrict the usage
    - keyUsage = digitalSignature # restrict the usage
    - extendedKeyUsage = clientAuth
Configuration
Routing
The route directive adds normal routes to the kernel routing table. It routes packets from the kernel to OpenVPN.
The iroute directive adds routes to OpenVPN's internal routing table. It routes packets to the specified clients.
Subnets behind client
In the normal scenario, each VPN client is the final endpoint. But sometimes there are additional networks behind a client.
- Client side (or CCD directory, per client). There are networks 192.168.22.0/24 and fcaa::/64 behind the client:
    iroute 192.168.22.0/24
    iroute-ipv6 fcaa::/64
- Server configuration:
    route 192.168.22.0/24
    route-ipv6 fcaa::/64
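Because a subnet behind a client needs both halves (a route on the server so the kernel hands packets to OpenVPN, and an iroute so OpenVPN knows which client owns them), a consistency check over the server config and the CCD files catches a missing half, and also two clients claiming overlapping subnets. This is an added example, not part of the original page: the function names, problem strings and the client names client1 and client2 are assumptions, and it goes slightly beyond the text by also accepting the "network netmask" form.

```python
import ipaddress


def networks(text, directives):
    """Collect networks named by the given directives in a config text.

    Handles the CIDR form used on this page and "network netmask" for IPv4.
    """
    found = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in directives:
            continue
        spec = parts[1]
        if "/" not in spec and len(parts) > 2 and not parts[0].endswith("-ipv6"):
            spec += "/" + parts[2]          # e.g. 192.168.22.0 255.255.255.0
        try:
            found.add(ipaddress.ip_network(spec, strict=False))
        except ValueError:
            continue                        # keyword or hostname, not a literal network
    return found


def covers(outer, inner):
    """True when inner lies inside outer (same address family)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def check_client_subnets(server_conf, ccd_files):
    """Return sorted (client, network, problem) tuples; [] means consistent.

    ccd_files maps a client name to the text of its CCD file.
    """
    routes = networks(server_conf, {"route", "route-ipv6"})
    problems, owners = [], {}
    for client in sorted(ccd_files):
        for net in networks(ccd_files[client], {"iroute", "iroute-ipv6"}):
            if not any(covers(r, net) for r in routes):
                problems.append((client, str(net), "iroute has no matching server route"))
            for other_net, other in owners.items():
                if (other != client and net.version == other_net.version
                        and net.overlaps(other_net)):
                    problems.append((client, str(net), "overlaps iroute of " + other))
            owners[net] = client
    for r in routes:
        if not any(covers(r, n) or covers(n, r) for n in owners):
            problems.append(("-", str(r), "server route has no client iroute"))
    return sorted(problems)


# The two fragments shown on this page.
SERVER_CONF = "route 192.168.22.0/24\nroute-ipv6 fcaa::/64\n"
CCD_PAGE = {"client1": "iroute 192.168.22.0/24\niroute-ipv6 fcaa::/64\n"}
# Constructed second client: claims part of client1's subnet and a subnet
# the server has no route for.
CCD_CONFLICT = dict(CCD_PAGE, client2="iroute 192.168.22.128 255.255.255.128\n"
                                      "iroute 192.168.23.0/24\n")

if __name__ == "__main__":
    print(check_client_subnets(SERVER_CONF, CCD_PAGE))
    for problem in check_client_subnets(SERVER_CONF, CCD_CONFLICT):
        print(problem)
```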
Username support
IPv6
Troubleshooting
Error: “write to TUN/TAP : Invalid argument (code=22)”.
Cause: one side uses LZO compression, the other side does not.
Solution: “comp-lzo no” on both sides.
Note: this is a bug: the server pushes out ‘comp-lzo’ to the client but this is not picked up, because the client does not have ‘comp-lzo’ configured in the client config (all according to the man page). The bug is that when the client reconnects, it then does honor the ‘comp-lzo’ pushed out from the server. The client should either consistently refuse ‘comp-lzo’ or it should consistently accept this option as pushed out by the server.
Error: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13).
Exiting due to fatal error
Use persist-key and persist-tun.
Cause: on a VPS platform /dev/net/tun has only root permission, so openvpn should be started as the root user.
Error: unsupported protocol
Cause: Modern OpenSSL (like 1.1.1) config forbids TLSv1
Solution:
- /etc/ssl/openssl.cnf
    MinProtocol = TLSv1
Note that this lowers the minimum TLS version for every application that reads this openssl.cnf, not only OpenVPN.
Error: File transfer stuck
Cause: File transfers use the maximum packet size, which probably cannot fit within the MTU limitations.
Solution: Not tested, try params like:
    # On one side of connection
    mssfix 1400
    # MTU on tunX interface
    # has to be set on both sides
    tun-mtu 1400
More:
rsyslog
- /etc/rsyslog.d/20-ovpn.conf
    if $programname startswith 'ovpn-' then /var/log/openvpn/ovpn.log
    & ~
Create the log directory:
    mkdir /var/log/openvpn
    chown syslog /var/log/openvpn
- /etc/logrotate.d/openvpn
    /var/log/openvpn/*.log {
        weekly
        size 100M
        rotate 4
        compress
        delaycompress
        missingok
        notifempty
        create 640 syslog adm
    }
Create p12 package for android
    openssl pkcs12 -export -in user.crt -inkey user.key -certfile ca.crt -name user -out user.p12
I am having similar problems. I fixed the warnings to make my settings consistent with the PIA server settings but still get the AUTH_FAILED error. Like the OP, using "openvpn /etc/openvpn/<vpnname>.ovpn" works correctly as expected, but fails if initiated from the networkmanager applet. Using the nm-applet, I am prompted for a password. I enter the correct password and am prompted again, and this repeats until I cancel or the applet exits.
Here is my CA Toronto.ovpn file:
client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pia.conf
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
The corresponding NetworkManager connection file is:
[connection]
id=PIA - CA Toronto
uuid=eb0c00ef-5a9c-4712-ad16-ae343cf60003
type=vpn
autoconnect=false
permissions=user:marshal:;
[vpn]
auth=SHA1
ca=/etc/openvpn/pia-ca.rsa.4096.crt
cipher=BF-CBC
comp-lzo=yes
connection-type=password
dev-type=tun
keysize=128
password-flags=0
port=1197
remote=ca-toronto.privateinternetaccess.com
username=<correct PIA username>
service-type=org.freedesktop.NetworkManager.openvpn
[vpn-secrets]
password=<correct PIA password>
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=ignore
I’ve read numerous posts, wiki, etc. to no avail. I’ve tried manually editing the nm connection file, but it just gets rewritten by nm. I’m beginning to think this is a bug in networkmanager-openvpn and wonder if anyone has a working example — one they use successfully to establish a vpn connection via the nm applet.
A snippet of journalctl -u NetworkManager, if it might help: (I was prompted for the password twice before I clicked the "cancel" button)
Nov 19 22:59:04 zenbook NetworkManager[1386]: <info> [1511150344.2299] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: requested secrets; state connect
Nov 19 22:59:06 zenbook NetworkManager[1386]: <info> [1511150346.0072] settings-connection[0x557c6f6e22b0,eb0c00ef-5a9c-4712-ad16-ae343cf60003]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/PIA - CA Toronto (eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto"))
Nov 19 22:59:06 zenbook nm-openvpn[3844]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 19 22:59:06 zenbook nm-openvpn[3844]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 19 22:59:06 zenbook nm-openvpn[3844]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.62:1197
Nov 19 22:59:06 zenbook nm-openvpn[3844]: UDP link local: (not bound)
Nov 19 22:59:06 zenbook nm-openvpn[3844]: UDP link remote: [AF_INET]172.98.67.62:1197
Nov 19 22:59:06 zenbook nm-openvpn[3844]: [5413181d7a866ec2edcb0b5f50efed02] Peer Connection Initiated with [AF_INET]172.98.67.62:1197
Nov 19 22:59:07 zenbook nm-openvpn[3844]: AUTH: Received control message: AUTH_FAILED
Nov 19 22:59:07 zenbook nm-openvpn[3844]: SIGUSR1[soft,auth-failure] received, process restarting
Nov 19 22:59:14 zenbook NetworkManager[1386]: <error> [1511150354.0065] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: Failed to request VPN secrets #4: User canceled the secrets request.
Nov 19 22:59:14 zenbook nm-openvpn[3844]: ERROR: could not read Auth username/password/ok/string from management interface
Nov 19 22:59:14 zenbook nm-openvpn[3844]: Exiting due to fatal error
Nov 19 22:59:14 zenbook NetworkManager[1386]: <warn> [1511150354.0242] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: failed: connect-failed (1)
Nov 19 22:59:14 zenbook NetworkManager[1386]: <info> [1511150354.0246] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: state changed: stopping (5)
Nov 19 22:59:14 zenbook NetworkManager[1386]: <info> [1511150354.0250] vpn-connection[0x557c6f8b32e0,eb0c00ef-5a9c-4712-ad16-ae343cf60003,"PIA - CA Toronto",0]: VPN plugin: state changed: stopped (6)
Any and all help would be much appreciated.