Can't connect to my home router with OpenVPN

I have a fresh install of EOS-Plasma on my dual-booting laptop and I’m trying to connect the laptop to my home router from a cellphone hotspot connection using OpenVPN. My router is connected via Cable modem to the internet and is a TP-Link Archer AX50 with built-in OpenVPN server.

I can use the same OpenVPN-config.ovpn provided by the router to connect using Windows 11 on my laptop but not with EOS-Plasma. I have done this with Ubuntu 22.04 in the past but recently moved to EOS.

I’m using nm-openvpn in settings to import the .ovpn file.

I have a portion of a log that has been edited to distort my IP address:

Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: WARNING: file '/home/jim/.local/share/networkmanagement/certificates/OpenVPN-Config/private.key' is group or others accessible
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Preserving recently used remote address: [AF_INET]999.99.99.99:1194
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: UDP link local: (not bound)
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: UDP link remote: [AF_INET]999.99.99.99:1194
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Dec 18 15:41:45 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:47 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:48 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:51 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:51 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:59 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:41:59 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:42:15 jim-dell-xps nm-openvpn[5065]: TCP/UDP: Incoming packet rejected from [AF_INET]192.168.0.1:1194[2], expected peer address: [AF_INET]999.99.99.99:1194 (allow this incoming source address/port by removing --remote or adding --float)
Dec 18 15:42:45 jim-dell-xps nm-openvpn[5065]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 18 15:42:45 jim-dell-xps nm-openvpn[5065]: TLS Error: TLS handshake faile

999.99.99.99 is the IP address of my DDNS service that reflects traffic to my router.

inxi data below:

System:
  Kernel: 6.0.12-arch1-1 arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    Desktop: KDE Plasma v: 5.26.4 tk: Qt v: 5.15.7 wm: kwin_x11 vt: 1 dm: SDDM
    Distro: EndeavourOS base: Arch Linux
Machine:
  Type: Laptop System: Dell product: XPS 15 9500 v: N/A
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: Dell model: 05XYW7 v: A00 serial: <superuser required> UEFI: Dell
    v: 1.19.0 date: 09/06/2022
Battery:
  ID-1: BAT0 charge: 61.6 Wh (78.1%) condition: 78.9/84.3 Wh (93.6%)
    volts: 11.8 min: 11.4 model: SMP DELL 70N2F95 type: Li-poly serial: <filter>
    status: discharging
CPU:
  Info: 6-core model: Intel Core i7-10750H bits: 64 type: MT MCP smt: enabled
    arch: Comet Lake rev: 2 cache: L1: 384 KiB L2: 1.5 MiB L3: 12 MiB
  Speed (MHz): avg: 1927 high: 2600 min/max: 800/5000 cores: 1: 828 2: 2600
    3: 2600 4: 800 5: 800 6: 2600 7: 800 8: 2600 9: 2600 10: 2600 11: 1697
    12: 2600 bogomips: 62431
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel CometLake-H GT2 [UHD Graphics] vendor: Dell driver: i915
    v: kernel arch: Gen-9.5 ports: active: eDP-1 empty: DP-1,DP-2,DP-3
    bus-ID: 00:02.0 chip-ID: 8086:9bc4 class-ID: 0300
  Device-2: NVIDIA TU117M [GeForce GTX 1650 Ti Mobile] vendor: Dell
    driver: nvidia v: 525.60.11 arch: Turing pcie: speed: 2.5 GT/s lanes: 8
    bus-ID: 01:00.0 chip-ID: 10de:1f95 class-ID: 0302
  Device-3: Realtek Integrated_Webcam_HD type: USB driver: uvcvideo
    bus-ID: 1-11:3 chip-ID: 0bda:5510 class-ID: fe01 serial: <filter>
  Display: x11 server: X.Org v: 21.1.6 compositor: kwin_x11 driver: X:
    loaded: intel,nvidia unloaded: modesetting alternate: fbdev,nouveau,nv,vesa
    dri: i965 gpu: i915 display-ID: :0 screens: 1
  Screen-1: 0 s-res: 1920x1200 s-dpi: 96 s-size: 508x317mm (20.00x12.48")
    s-diag: 599mm (23.57")
  Monitor-1: eDP-1 mapped: eDP1 model: Sharp 0x14d1 res: 1920x1200 hz: 60
    dpi: 143 size: 340x210mm (13.39x8.27") diag: 396mm (15.6") modes: 1920x1200
  API: OpenGL v: 4.6 Mesa 22.3.1 renderer: Mesa Intel UHD Graphics (CML GT2)
    direct render: Yes
Audio:
  Device-1: Intel Comet Lake PCH cAVS vendor: Dell driver: snd_hda_intel
    v: kernel bus-ID: 00:1f.3 chip-ID: 8086:06c8 class-ID: 0403
  Sound API: ALSA v: k6.0.12-arch1-1 running: yes
  Sound Server-1: PulseAudio v: 16.1 running: no
  Sound Server-2: PipeWire v: 0.3.63 running: yes
Network:
  Device-1: Intel Comet Lake PCH CNVi WiFi vendor: Rivet Networks
    driver: iwlwifi v: kernel bus-ID: 00:14.3 chip-ID: 8086:06f0 class-ID: 0280
  IF: wlan0 state: up mac: <filter>
Bluetooth:
  Device-1: Intel AX201 Bluetooth type: USB driver: btusb v: 0.8
    bus-ID: 1-14:4 chip-ID: 8087:0026 class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 0 state: down bt-service: disabled
    rfk-block: hardware: no software: no address: see --recommends
Drives:
  Local Storage: total: 1.38 TiB used: 8.03 GiB (0.6%)
  ID-1: /dev/nvme0n1 vendor: Micron model: 2200S NVMe 512GB size: 476.94 GiB
    speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter> rev: 22001070
    temp: 38.9 C scheme: GPT
  ID-2: /dev/nvme1n1 vendor: Crucial model: CT1000P1SSD8 size: 931.51 GiB
    speed: 31.6 Gb/s lanes: 4 type: SSD serial: <filter> rev: P3CR021
    temp: 40.9 C scheme: GPT
Partition:
  ID-1: / size: 476.64 GiB used: 8.03 GiB (1.7%) fs: btrfs dev: /dev/nvme0n1p2
  ID-2: /boot/efi size: 299.4 MiB used: 608 KiB (0.2%) fs: vfat
    dev: /dev/nvme0n1p1
  ID-3: /home size: 476.64 GiB used: 8.03 GiB (1.7%) fs: btrfs
    dev: /dev/nvme0n1p2
  ID-4: /var/log size: 476.64 GiB used: 8.03 GiB (1.7%) fs: btrfs
    dev: /dev/nvme0n1p2
Swap:
  ID-1: swap-1 type: zram size: 7.51 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 48.0 C pch: 39.0 C mobo: 42.0 C
  Fan Speeds (RPM): cpu: 0 fan-2: 0
Info:
  Processes: 292 Uptime: 35m wakeups: 2517 Memory: 7.51 GiB
  used: 2.4 GiB (31.9%) Init: systemd v: 252 default: graphical Compilers:
  gcc: 12.2.0 Packages: pm: pacman pkgs: 1040 Shell: Bash v: 5.1.16
  running-in: konsole inxi: 3.3.24

This may be a Desktop Environment issue with Plasma and its nm-openvpn interface. Here’s something that did work.

  1. On my phone, I turned off WiFi and put the phone in Hotspot mode.
  2. On my EOS-Plasma laptop, I connected the WiFi to my Hotspot on my phone.
  3. Opened a console and did:
sudo openvpn OpenVPN-Config.ovpn

Where OpenVPN-Config.ovpn is the config file I downloaded from my Router, the same one that worked on Windows 11.

As long as this console was running I had access to my servers connected to my home router.

I just need to figure out how to make Plasma DE handle this.

Since I can connect using the console command and not network-manager in KDE it tells me I’m missing some package in KDE. I’ve been testing with another distro, Linux Mint 21.1 and it works fine there. I just create a connection by importing the .ovpn file and open the connection. I’m guessing there is something that LM21 has installed for NM in Cinnamon that EOS KDE isn’t installing by default.

Any idea what that could be? I’d really like to run KDE Plasma on this laptop, but connecting via Openvpn is critical for a Laptop on the road.

This may be more of a Core EOS issue or missing package. I tried another laptop with EOS XFCE4 on it and I could import the .ovpn file without issues but same problem with not connecting with that vpn connection information.

Have you tried fixing this issue?

I’m sorry, but I really don’t understand that issue. Didn’t know it was an error.

Try this:

sudo chown jim /home/jim/.local/share/networkmanagement/certificates/OpenVPN-Config/private.key
chmod go-rwx /home/jim/.local/share/networkmanagement/certificates/OpenVPN-Config/private.key

I’ll check that. I’m trying to compare my working LM21.1 system and an EOS-KDE system. Both laptops. I’ll have to spin up EOS-KDE on a laptop to check out the answer to your question. I did notice that on the LM21.1 system where openvpn client works, that the directory for the private.key is owned by me but it’s in ~/.cert/nm-manager.

More in a while.

On a fresh install of EOS-KDE I copied on the .ovpn config file and imported it. Connection to my VPN failed as before and without doing any permission changes this is what I see:

[jim@jim-macbookpro ~]$ ls -l .local/share/networkmanagement/certificates//OpenVPN-Config/
total 12
-rw-r--r-- 1 jim jim 1326 Dec 22 08:33 ca.crt
-rw-r--r-- 1 jim jim 1415 Dec 22 08:33 cert.crt
-rw-r--r-- 1 jim jim  916 Dec 22 08:33 private.key

So I think the permissions are ok??

Okay, I did do your chmod and then tried to connect and got these errors:

Dec 22 08:56:00 jim-macbookpro nm-openvpn[11066]: OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
Dec 22 08:56:00 jim-macbookpro nm-openvpn[11066]: ERROR: Failed to apply push options
Dec 22 08:56:00 jim-macbookpro nm-openvpn[11066]: Failed to open tun/tap interface

This is probably the issue.

I looked at the log on my LM21 laptop to see what it says during a successful connection:
Dec 22 11:12:37 jim-XPS-15-9500 nm-openvpn[6199]: DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
So both LM21 and EOS have newer Openvpn than the TP-Link Archer AX50 has. I still don’t know how to fix this in EOS.

https://forums.openvpn.net/viewtopic.php?t=33536

Edit: Maybe you can find your answer with this?

Thanks, I think they mean for me to edit my ovpn file before importing it. However, I have not found the combination that will fix this.

Did you not try this?

Have you tried this:

: OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
jim-macbookpro nm-openvpn[4176]: ERROR: Failed to apply push options
jim-macbookpro nm-openvpn[4176]: Failed to open tun/tap interface

I get this error no matter what I do. The instructions keep saying --data-ciphers-fallback but there is no -- in the .ovpn so I’ve left it off.

Same results with the drop down.

I guess I’m not getting the overriding parameter into the right place. I’ve been putting them into my config.ovpn file prior to importing them. I’m wondering if maybe they should go into a config file, maybe in /etc/openvpn/client?

I need to reset my thinking. Here’s what works as I mentioned above:

If I connect my EOS-KDE laptop’s WiFi to my cellphone’s Hotspot, I can connect to my home router using the same OpenVPN-Config.ovpn file I use to Import an OpenVPN connection on Windows and LinuxMint 21.1

However, I can’t import that file on EOS-KDE; I have to do the following console command and it works perfectly. I changed the IP address but everything else is the same. Note the same warning I’ve seen before but no changes related to that.

I just can’t import that connection using KDE nn-networkmanager and have it work.

$ sudo openvpn OpenVPN-Config.ovpn 
[sudo] password for jim: 
2022-12-23 06:16:06 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-23 06:16:06 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-12-23 06:16:06 OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2022
2022-12-23 06:16:06 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-23 06:16:06 TCP/UDP: Preserving recently used remote address: [AF_INET]999.99.99.99:1194
2022-12-23 06:16:06 UDP link local: (not bound)
2022-12-23 06:16:06 UDP link remote: [AF_INET]999.99.99.99:1194
2022-12-23 06:16:08 [server] Peer Connection Initiated with [AF_INET]999.99.99.99:1194
2022-12-23 06:16:09 TUN/TAP device tun0 opened
2022-12-23 06:16:09 net_iface_mtu_set: mtu 1500 for tun0
2022-12-23 06:16:09 net_iface_up: set tun0 up
2022-12-23 06:16:09 net_addr_ptp_v4_add: 10.8.0.6 peer 10.8.0.5 dev tun0
2022-12-23 06:16:09 Initialization Sequence Completed
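
Added example, not part of the thread and not written by any of its posters: a small Python audit that reads an .ovpn file and reports the conditions the logs above warn about (a `cipher` that is not in the negotiable `data-ciphers` list, no server certificate verification option, compression, a private key readable by group or others). The function names and the sample config are constructed for illustration; the default `data-ciphers` list is the one printed in the log lines on this page.

```python
import os, stat

# Default negotiable list as printed by OpenVPN 2.5.8 in the logs on this page.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

def parse_ovpn(text):
    """Return {directive: [args]} for an .ovpn file, skipping inline <ca>/<key> bodies."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True                      # start of inline key/cert material
            opts.setdefault(line.strip("<>"), [])
        elif not in_block:
            name, *args = line.split()
            opts[name.lstrip("-")] = args        # compare names without any leading --
    return opts

def audit(text, key_path=None):
    """List findings that correspond to the warnings quoted in this thread."""
    opts, findings = parse_ovpn(text), []
    negotiable = (opts.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0].upper().split(":")
    cipher = (opts.get("cipher") or [None])[0]
    if cipher and cipher.upper() not in negotiable and "data-ciphers-fallback" not in opts:
        findings.append(f"cipher {cipher} not in data-ciphers and no data-ciphers-fallback")
    if not any(o in opts for o in ("remote-cert-tls", "verify-x509-name")):
        findings.append("no server certificate verification (remote-cert-tls / verify-x509-name)")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled")
    if key_path and stat.S_IMODE(os.stat(key_path).st_mode) & 0o077:
        findings.append(f"{key_path} is group or others accessible")
    return findings

# Constructed sample config (not the poster's file); 192.0.2.1 is a documentation address.
SAMPLE = """client
remote 192.0.2.1 1194
cipher AES-128-CBC
comp-lzo adaptive
<ca>
(certificate body omitted)
</ca>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The audit only covers the .ovpn source file; settings changed after import into NetworkManager live in the NetworkManager connection and are not read here.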