Networkmanager-openvpn bug (?) in Fedora 38

Hi,

I’ve caught what I think may be a bug while trying out Fedora 38.

In Fedora 37, I can use my VPN (Ivacy) with no issues, importing openvpn configs from the provided file. In Fedora 38, following the same process, attempted connections always time out.

I notice that in Fedora 38, networkmanager-openvpn has upgraded to 1:10-2. I couldn’t find a way to downgrade the package (I’m a relative newbie to Fedora) but I was able to reproduce the issue in an Arch-based distro and downgrade the package to 1.10-1, whereupon, everything worked again. (I suppose this means the issue is upstream of Fedora itself.)

What to do? I can go back to Fedora 37, but only until that reached EOL. How do I downgrade the package in Fedora 38? It doesn’t look like other package versions are available. Do I need to access a different repo?

2 Likes

I’ve tested OpenVPN imported to NetworkManager on Fedora 38, and it works at least with 443/TCP, so maybe your problem is elsewhere, try different servers, port/protocol.

Yes, it’s possible that my VPN provider isn’t supporting it, maybe the newer version enforces stricter protocols? Given we’re talking about support for Linux, I suppose my provider will get around to it as soon as… when is the next Olympics?

Hence my question about downgrading, because I know that will work right now.
Edited to add: I have tried different servers, and tried password only and password-with-certificate protocols.

Check the logs!

Fedora 37 has about 6 months for that. Hopefully the issue with your vpn either with F38 or your vpn provider will be fixed long before the EOL for F37.

Might be relevant:

Apr 13 19:45:08 localhost-live nm-openvpn[11603]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 13 19:45:08 localhost-live nm-openvpn[11603]: OpenSSL: error:0A00018F:SSL routines::ee key too small
Apr 13 19:45:08 localhost-live nm-openvpn[11603]: Cannot load certificate file /home/liveuser/.cert/nm-openvpn/Netherlands-Amsterdam-UDP-cert.pem
Apr 13 19:45:08 localhost-live nm-openvpn[11603]: Exiting due to fatal error
Apr 13 19:45:08 localhost-live NetworkManager[2086]: <warn>  [1681429508.0638] vpn[0x561d5bdb9330,3ea9f30e-4426-42a1-8f62-89e40df031ff,"Netherlands-Amsterdam-UDP"]: dbus: failure: connect-failed (1)
Apr 13 19:45:08 localhost-live NetworkManager[2086]: <warn>  [1681429508.0638] vpn[0x561d5bdb9330,3ea9f30e-4426-42a1-8f62-89e40df031ff,"Netherlands-Amsterdam-UDP"]: dbus: failure: connect-failed (1)
1 Like

OpenVPN: unable to connect after upgrade do F38 - #2 by vgaetera

I tried both policies (in root, with restarts), but neither worked. It did produce a different result in the log:

Apr 14 14:00:43 localhost-live nm-openvpn[4410]: OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-GCM') to --data-ciphers (currently 'AES-256-CBC') if you want to connect to this server.
Apr 14 14:00:43 localhost-live nm-openvpn[4410]: ERROR: Failed to apply push options
Apr 14 14:00:43 localhost-live nm-openvpn[4410]: Failed to open tun/tap interface
Apr 14 14:00:43 localhost-live nm-openvpn[4410]: SIGUSR1[soft,process-push-msg-failed] received, process restarting
Apr 14 14:00:55 localhost-live NetworkManager[1655]: <warn>  [1681444855.9028] vpn[0x55c30cfe6680,7e6a9908-4bbd-44ca-941e-f712c9302217,"Australia-Melbourne-TCP"]: connect timeout exceeded
Apr 14 14:00:55 localhost-live nm-openvpn-serv[4400]: Connect timer expired, disconnecting.
Apr 14 14:00:55 localhost-live nm-openvpn[4410]: SIGTERM[hard,init_instance] received, process exiting

I have the same problem. This occurs if the OpenVPN server is configured on UDP port 1194. But this is the default for many OPENVPN servers. Does anyone already have a resolution on this matter?

I typed the command below as root and it worked perfectly:

update-crypto-policies --set DEFAULT:FEDORA32

Ran across the same, trying to load a ovpn file tcp version into the network manager.
Just a heads up, am able to load a wireguard file, works flawlessly.
The linux god made it so to do it, maybe the dialogue part that asks file to load needs an extra tweak to load the ovpn file now(networkmanager), after all, why are we using openvpn?
Wireguard is a work of art.
It shouldn’t be an issue with a comercial like nord or mulavad

I just upgraded Fedora 37 to 38. I have exactly the same problem. I reinstalled both NetworkManager and openvpn. I reimported the vendor certs packages… still no success with either UDP or TCP connections. I verified the password used matches the vendor provided password. I reported this bug to bugzilla as URGENT.

Have you tried this?

1: sudo update-crypto-policies --set DEFAULT:FEDORA32

I experienced the same issue after upgrading to F38 from F37. I am using an Azure P2S VPN Gateway, and everything worked previously. I tried to lower the crypto policies and even compiled/signed the OPVN-DCO modules thinking it would make a difference, but each time, the connection would reset into an endless loop. I tried different ports and switched between TCP and UDP, and nothing worked. I resolved the connection issue by grabbing the OpenVPN rpm from Koji (OpenVPN-2.5.9-1.fc37.x86_64.rpm), running dnf downgrade openvpn-2.5.9-1.fc37.x86_64.rpm, restart NetworkManager (sudo systemctl restart NetworkManager), and everything started working again.

The link is here:
https://koji.fedoraproject.org/koji/buildinfo?buildID=2152946

I will have to keep an eye on this; from the logs, it’s hard to tell if it’s Azure a side issue or OpenVPN.

I did and it didn’t work for me.

From “Kevin Burns via Fedora Discussion” <notifications@fedoraproject.discoursemail.com>
To gzickert@comcast.net
Date 4/25/2023 9:09:39 AM
Subject Re: Networkmanager-openvpn bug (?) in Fedora 38 [Fedora] openvpn f38 f37

Thanks for your immediate response. I downloaded your link, installed and restarted NetworkManager per your instructions. Unfortunately it didn’t work. You put me onto a solution that did work. I entered “sudo dnf downgrade --releasever=37 NetworkManager NetworkManager-openvpn openvpn” which downgraded all NetworkManager dependancies and openvpn. I rebooted my system and I was able to reconnect to my vpn. Thanks to all who provided assistance with this issue.