It is unclear to me which part of this tutorial you may have followed.
This tutorial is very outdated and should not be followed. It has you editing a system file to insert the path to a custom configuration file. I would instead recommend using the intended mechanism of systemd unit parameterization.
OpenVPN on Fedora has a parameterized unit file for openvpn-client. To use it with an instance name of vpn-intranet you would place your OpenVPN configuration in /etc/openvpn/client/vpn-intranet.conf. Then you can start the service using systemctl start openvpn-client@vpn-intranet.
It also has you write stuff into /etc/resolv.conf. On a default Fedora installation this file is managed by systemd-resolved and will likely get overwritten every time you connect to a different network through NetworkManager.
Also, the log you provided doesn’t have enough information to see if there is an error or what the error may be.
You might want to check the full log using journalctl -u openvpn.
If you suspect a SELinux error ensure that both the config file as well as the certificate files are appropriately labelled such that OpenVPN is allowed to read them. The second tutorial actually includes that step.
If NetworkManager-openvpn is failing you can check journalctl -u NetworkManager. If you want to follow the log live as you connect you can use journalctl -u NetworkManager -f.
I’m guessing your issue is either a mismatch of settings between server and client or the use of outdated cryptographic ciphers/digests, such as AES-128-CBC and MD5.
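The cipher/digest mismatch mentioned above is easy to check for before connecting. The following shell script is an added example, not code from this thread, from the tutorial, or from OpenVPN: it lints a client config for a --cipher that is missing from --data-ciphers (the situation that produces OpenVPN 2.5's "DEPRECATED OPTION" warning), for legacy CBC ciphers and for weak auth digests such as MD5, and it applies the rewrite that OpenVPN's own warning suggests (turning a lone "cipher X" into "data-ciphers-fallback X"). The sample config, the host vpn.example.com and all function names are constructed for illustration.

```shell
#!/bin/sh
# Lint an OpenVPN client config for legacy crypto settings.
# Added example for this thread; not from the tutorial or from OpenVPN.
# The sample config, vpn.example.com and the function names are constructed.

# Ciphers OpenVPN 2.5 negotiates when --data-ciphers is not set; this is the
# list the warning quoted later in the thread prints in parentheses.
DEFAULT_DATA_CIPHERS="AES-256-GCM:AES-128-GCM"

# sample_config: a constructed client config in the style of the old tutorial.
sample_config() {
    cat <<'EOF'
client
dev tun
proto tcp
remote vpn.example.com 1194
ca ca.crt
auth-user-pass login.conf
cipher AES-128-CBC
auth MD5
EOF
}

# lint_ovpn_config FILE
# Prints one finding per line; returns 1 if anything was flagged, else 0.
lint_ovpn_config() {
    local cfg="$1" rc=0 cipher data_ciphers auth neg
    # First word of a line is the option name, second is its value.
    cipher=$(awk '$1=="cipher"{print $2; exit}' "$cfg")
    data_ciphers=$(awk '$1=="data-ciphers"||$1=="ncp-ciphers"{print $2; exit}' "$cfg")
    auth=$(awk '$1=="auth"{print $2; exit}' "$cfg")
    neg="${data_ciphers:-$DEFAULT_DATA_CIPHERS}"

    if [ -n "$cipher" ]; then
        # --cipher only takes part in negotiation if it is also listed in
        # --data-ciphers; otherwise 2.5 warns and, per that warning, future
        # versions ignore it, so a server insisting on it cannot be matched.
        case ":$neg:" in
            *":$cipher:"*) ;;
            *) echo "cipher $cipher is not in data-ciphers ($neg): add it there or use data-ciphers-fallback"; rc=1 ;;
        esac
        case "$cipher" in
            *-CBC|BF-*|DES-*) echo "cipher $cipher is a legacy non-AEAD cipher; prefer AES-256-GCM or CHACHA20-POLY1305"; rc=1 ;;
        esac
    fi
    case "$auth" in
        [Mm][Dd]5|[Ss][Hh][Aa]1) echo "auth $auth is a weak HMAC digest; use SHA256 or stronger on both ends"; rc=1 ;;
    esac
    return "$rc"
}

# fix_cipher_line FILE  (writes the rewritten config to stdout)
# The remedy OpenVPN's warning proposes: "cipher X" becomes
# "data-ciphers-fallback X", so X still works against an old server while the
# AEAD negotiation list stays in force.
fix_cipher_line() {
    sed 's/^[[:space:]]*cipher[[:space:]]\{1,\}\(.*\)$/data-ciphers-fallback \1/' "$1"
}

# Demo when run with --demo: lint the constructed sample, then show the fix.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_config > "$tmp"
    lint_ovpn_config "$tmp" || echo "-> config needs attention; rewritten version:"
    fix_cipher_line "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh lint-ovpn.sh --demo`, or source it and call `lint_ovpn_config /etc/openvpn/client/vpn-intranet.conf`. The lint only reads the client side; the server config still has to agree on the negotiated cipher and on the auth digest, which is why the script does not try to change `auth` automatically.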
It is unclear to me which part of this tutorial you followed
I followed these steps:
iptables -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
iptables -A FORWARD -i eth1 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
And
The default ‘openvpn’ service references udp port 1194
firewall-cmd --add-service=openvpn
Add the network interface to the default zone (e.g. “FedoraServer” for Fedora Server)
firewall-cmd --add-interface=tun0 --permanent
Allow intra-zone forwarding for the default zone
firewall-cmd --add-forward --permanent
Allow masquerading (Network address translation - NAT) for the default zone
firewall-cmd --add-masquerade --permanent
Reload FirewallD to check the bootup behaviour
firewall-cmd --reload
Show the complete current config
firewall-cmd --list-
This tutorial is very outdated and should not be followed.
Yes, I should not have followed this guide.
I’ll check the logs later.
I’m guessing your issue is either a mismatch of settings between server and client or the use of outdated cryptographic ciphers/digests, such as AES-128-CBC and MD5.
It’s an option. There have been several changes made to the vpn conf and I doubt this is the latest one.
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: OpenVPN 2.5.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 16 2023
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: TCP/UDP: Preserving recently used remote address: [AF_INET]81.255.194.33:1194
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: Attempting to establish TCP connection with [AF_INET]81.255.194.33:1194 [nonblock]
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: TCP connection established with [AF_INET]81.255.194.33:1194
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: TCP_CLIENT link local: (not bound)
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: TCP_CLIENT link remote: [AF_INET]81.255.194.33:1194
avril 30 18:02:40 cyprien-lenovo-yoga nm-openvpn[9138]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
avril 30 18:02:41 cyprien-lenovo-yoga nm-openvpn[9138]: [OVPN-SERVER] Peer Connection Initiated with [AF_INET]81.255.194.33:1194
avril 30 18:02:53 cyprien-lenovo-yoga nm-openvpn[9138]: AUTH: Received control message: AUTH_FAILED, user ctaque authentication failed
avril 30 18:02:53 cyprien-lenovo-yoga nm-openvpn[9138]: SIGUSR1[soft,auth-failure] received, process restarting
AUTH_FAILED: that indeed looks like credentials. Are you using a commercial/business server or are you trying to setup your own VPN? login.conf should contain two lines with username and password, but on the server there should be a script for verification active. There is an auth-pam.pl script example as starting point. No idea whether this “auth MD5” makes sense or causes problems.
Further: there is “redirect-gateway def1” which routes all traffic through the VPN. But it is a bit remarkable that a client tells the server to change its routes with push “redirect-gateway def1”.
But it is in the tutorial.
Do you not need to have, apart from the ca certificate, a client certificate and key?
The iptables and firewall-cmd stuff is a bit double, firewall-cmd is the modern one, but be sure that tun0 is assigned to the same zone as the zone you want to forward to.
A nasty thing is /proc/sys/net/ipv4/ip_forward. It should be one, otherwise there is no forwarding at all. Probably firewall-cmd masquerade takes care of it, but please check. Note that this whole stuff is only necessary if you want to route your LAN over the VPN, but it IS necessary on the VPN server if you want to access the internet from clients via the VPN.
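The two checks asked for above (is ip_forward set, and is tun0 in the same zone as the interface you forward to) can be scripted so they also work on captured output. This is an added example, not code from this thread or from firewalld: it parses the output of `firewall-cmd --get-active-zones` (a zone name line followed by an indented `interfaces:` line), reads the ip_forward sysctl from a file path so the check can be tested against a copy, and optionally runs the live queries. The sample zone listing, the interface names eth0/eth1/tun0 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Check VPN forwarding prerequisites on a firewalld host.
# Added example for this thread; not from firewalld or the tutorial.
# The sample zone output and the interface names are constructed.

# ip_forward_enabled [FILE]
# True when the sysctl file (default: the real one) contains 1.
ip_forward_enabled() {
    local f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# zone_of IFACE  (reads `firewall-cmd --get-active-zones` output on stdin)
# Prints the zone whose "interfaces:" line contains IFACE, or nothing.
zone_of() {
    awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }          # unindented line = zone name
        $1 == "interfaces:" {                        # indented member list
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; exit }
        }'
}

# same_zone IF1 IF2 ZONES_TEXT
# True when both interfaces are listed in the same active zone. Intra-zone
# forwarding (firewall-cmd --add-forward) only applies within one zone.
same_zone() {
    local z1 z2
    z1=$(printf '%s\n' "$3" | zone_of "$1")
    z2=$(printf '%s\n' "$3" | zone_of "$2")
    [ -n "$z1" ] && [ "$z1" = "$z2" ]
}

# check_live LAN_IFACE TUN_IFACE: run the checks against this host.
check_live() {
    local zones z
    zones=$(firewall-cmd --get-active-zones)
    if same_zone "$1" "$2" "$zones"; then
        z=$(printf '%s\n' "$zones" | zone_of "$2")
        echo "ok: $1 and $2 are both in zone $z"
        echo "masquerade in $z: $(firewall-cmd --zone="$z" --query-masquerade)"
        echo "intra-zone forward in $z: $(firewall-cmd --zone="$z" --query-forward)"
    else
        echo "warning: $1 and $2 are not in the same zone; --add-forward will not forward between them"
    fi
    if ip_forward_enabled; then
        echo "ok: net.ipv4.ip_forward = 1"
    else
        echo "warning: net.ipv4.ip_forward is not 1; nothing will be forwarded"
    fi
}

# Usage: sh check-forwarding.sh --live [LAN_IFACE] [TUN_IFACE]
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-eth0}" "${3:-tun0}"
fi
```

Run `sh check-forwarding.sh --live eth0 tun0` as root on the VPN server. A "no" from the masquerade or forward query means the corresponding `firewall-cmd --permanent` rule from the steps quoted earlier was not reloaded or was applied to a different zone than the one tun0 ended up in.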