[F41] VPN not connecting

Hi!
I am having problems with establishing a VPN connection. On F40 the same configuration was working without any problems, and on F41 the connection does not work. My configuration looks like this (in /etc/NetworkManager/system-connections/****@*****.nmconnection):

[connection]
id=*****@*******
uuid=b68630a7-9206-4a53-bcf0-fe117bcf9505
type=vpn
autoconnect=false
permissions=user:****:;

[vpn]
allow-compression=asym
auth=SHA256
ca=/home/****/.cert/nm-openvpn/*****@*****.pem
cert=/home/****/.cert/nm-openvpn/*****@*****.pem
cert-pass-flags=0
challenge-response-flags=2
data-ciphers=AES-128-CBC
cipher=AES-128-CBC
comp-lzo=adaptive
connection-type=password-tls
dev=tun
dev-type=tun
key=/home/*****/.cert/nm-openvpn/*****@*******.pem
password-flags=1
remote=*****:15443
reneg-seconds=0
tls-cipher=DEFAULT:@SECLEVEL=0
username=*****
verify-x509-name=subject:C=**, L=*****, O=*****, CN=*****, emailAddress=******
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=auto

[proxy]

When trying to connect, journalctl prints the following:

OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.2 4 Jun 2024, LZO 2.10
DCO version: N/A
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]********:***
UDPv4 link local: (not bound)
UDPv4 link remote: [AF_INET]********:***
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
VERIFY ERROR: depth=0, error=certificate signature failure: C=**, L=*******, O=******, CN=*******, emailAddress=*******, serial=*******
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
TCP/UDP: Preserving recently used remote address: [AF_INET]********:***
UDPv4 link local: (not bound)
UDPv4 link remote: [AF_INET]********:***
VERIFY ERROR: depth=0, error=certificate signature failure: C=**, L=*******, O=******, CN=*******, emailAddress=*******, serial=*******
OpenSSL: error:0A000086:SSL routines::certificate verify failed:
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting

This looks like the likely cause of the problem.

I would check that your certificates can be read by openvpn’s service.

I had the same issue and have spent some time running openvpn under strace to try to spot the difference between F40 and F41.

This resolved the issue for me and I hope it will help you as well:

  • Open /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
  • Set rh-allow-sha1-signatures to yes

The correct way to allow SHA-1 is via crypto-policies:

sudo update-crypto-policies --set DEFAULT:SHA1

Otherwise your customization will be lost on upgrade.

3 Likes
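
Before loosening the policy for the whole system it is worth confirming that the "certificate signature failure" really is a SHA-1 signature on the certificate (or on its issuing CA), since that is exactly what rh-allow-sha1-signatures gates. The following is an added example, not code from this thread or from Fedora: a standard-library-only Python 3 script that walks the DER structure of a certificate to the outer signatureAlgorithm field and reports whether it is a SHA-1 scheme. The sample certificate it builds is a constructed stand-in that only exercises the parser path; point pem_to_der at your real ca= or cert= file instead.

```python
import base64, re
# Signature-algorithm OIDs that depend on SHA-1 (what rh-allow-sha1-signatures gates).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
def _read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, cert, _ = _read_tlv(der, 0)
    _, _, after_tbs = _read_tlv(cert, 0)       # skip tbsCertificate entirely
    _, alg_id, _ = _read_tlv(cert, after_tbs)  # AlgorithmIdentifier ::= SEQUENCE {oid, params}
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER in AlgorithmIdentifier"
    return _decode_oid(oid)

def uses_sha1_signature(der):
    """Name of the SHA-1 scheme the certificate is signed with, or None."""
    return SHA1_SIGNATURE_OIDS.get(signature_oid(der))

def pem_to_der(pem_text):
    """First certificate in a PEM file, e.g. the ca= file from the .nmconnection."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def constructed_cert(oid_der):
    """Constructed stand-in, NOT a valid certificate: padded tbs, real AlgorithmIdentifier."""
    tlv = lambda t, c: bytes([t, len(c)]) + c if len(c) < 128 else bytes([t, 0x81, len(c)]) + c
    tbs = tlv(0x30, b"\x00" * 200)  # forces the long-form length path, as real certs do
    alg = tlv(0x30, tlv(0x06, oid_der) + tlv(0x05, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Running `uses_sha1_signature(pem_to_der(open(path).read()))` on each file in the chain gives the same answer as `openssl x509 -in <file> -noout -text | grep 'Signature Algorithm'`; if the CA or client certificate is SHA-1 signed, having it re-issued with SHA-256 avoids the need for the DEFAULT:SHA1 policy at all.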

Yes, this is it! This solves my problem.
Thank you! :beer:

1 Like