RE: OpenVPN setup does not offer what i need for my vpn server....

@arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

@jagdtigger Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

Once you get that set-up in a satisfactory manner, you could then export the configuration to a .ovpn file, which you could then install with nmcli on UT.

Sorry for the long radio silence, i was practically zombie the whole week. ATM i do not have any machines that run ubuntu, but my router does have a ovpn export. Here is a redacted version:

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote domain port udp4
setenv opt block-outside-dns
nobind
verify-x509-name "some-name" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN EC PRIVATE KEY-----
<snip>
-----END EC PRIVATE KEY-----
</key>
<tls-crypt>
#
# <snip> bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<snip>
-----END OpenVPN Static key V1-----
</tls-crypt>

/EDIT
Nope, it wont connect. Errors in vpn server log:

TLS Error: tls-crypt unwrapping failed from [AF_INET]<phone_ip>
tls-crypt unwrap error: packet too short

(And yes im trying to connect over cellular not local wifi.)

@Vlad-Nirky
Every other client, including this phone with the openvpn app when it was running android connected just fine so i have doubts about the server causing it.
Server log:

Oct 26 11:23:17	openvpn	68034	openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connected
Oct 26 11:23:17	openvpn	89539	MULTI_sva: push_ifconfig_ipv6 <ip6>
Oct 26 11:23:16	openvpn	63105	openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connecting
Oct 26 11:23:16	openvpn	89539	phone/<phone_ip>:2866 MULTI_sva: push_ifconfig_ipv6 <ip6>
Oct 26 11:23:16	openvpn	89539	phone/<phone_ip>:2866 MULTI_sva: pool returned IPv4=10.125.220.2, IPv6=<ip6>
Oct 26 11:23:15	openvpn	5699	user '<phone>' authenticated
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 [phone] Peer Connection Initiated with [AF_INET]<phone_ip>:2866
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_COMP_STUBv2=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_COMP_STUB=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_LZO_STUB=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_PROTO=990
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_CIPHERS=AES-256-GCM:CHACHA20-POLY1305
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_MTU=1600
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_TCPNL=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_PLAT=linux
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_VER=2.6.14

Phone console output (usb adb shell):

phablet@ubuntu-phablet:~/Documents/vpn$ sudo openvpn --config ./main-vpn.ovpn
2025-10-26 11:23:09 Unrecognized option or missing or extra parameter(s) in ./main-vpn.ovpn:11: block-outside-dns (2.6.14)
2025-10-26 11:23:09 OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-10-26 11:23:09 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2025-10-26 11:23:09 DCO version: N/A
Enter Auth Username: <phone>
Enter Auth Password: ••••••••••              
2025-10-26 11:23:15 TCP/UDP: Preserving recently used remote address: [AF_INET]<server>
2025-10-26 11:23:15 UDPv4 link local: (not bound)
2025-10-26 11:23:15 UDPv4 link remote: [AF_INET]<server>
2025-10-26 11:23:15 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-10-26 11:23:15 [openvpn_server-cr] Peer Connection Initiated with [AF_INET]<server>
2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.6.14)
2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: register-dns (2.6.14)
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-10-26 11:23:17 TUN/TAP device tun0 opened
2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0
2025-10-26 11:23:17 net_iface_up: set tun0 up
2025-10-26 11:23:17 net_addr_v4_add: <ip4> dev tun0
2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0
2025-10-26 11:23:17 net_iface_up: set tun0 up
2025-10-26 11:23:17 net_addr_v6_add: <ip6> dev tun0
2025-10-26 11:23:17 Initialization Sequence Completed

The network unreachable error is odd, but right now the main issue is that the nmcli+ntplan combo is royally screwing up the config itself when imported or when forced to add user+pass in the gui....

@gpatel-fr
I was aware from the getgo ubuntu does stupid things like NM+NP, not to mention their obsession with their failing app packaging format.....
Anyway as i said above i think it does something iffy with the config. The tls-crypt option missing inside the netplan yaml even though it was there before import i think is a pretty good indicator of that.

@Vlad-Nirky
Did your method with the nmcli import command (only had to add the user+pass in the UT GUI), still get timeout on the phone and the same errors in openvpn log. And i think i know why. Seems like nmcli has its own mind and omitted settings from the imported config....
Original

client
remote '<domain>'
tun-ipv6
cert '/home/phablet/Documents/vpn/phone.crt'
key '/home/phablet/Documents/vpn/phone.key'
ca '/home/phablet/Documents/vpn/server.crt'
auth-user-pass
dev tun
dev-type tun
proto udp
port <port>
tls-crypt '/home/phablet/Documents/vpn/tls.key'
tls-version-min '1.3' or-highest
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn

Imported:

root@ubuntu-phablet:/home/phablet/Documents/vpn# cat /etc/netplan/90-NM-f1365f35-54fb-432f-8a95-fd811aafd906.yaml 
network:
  version: 2
  nm-devices:
    NM-f1365f35-54fb-432f-8a95-fd811aafd906:
      renderer: NetworkManager
      networkmanager:
        uuid: "f1365f35-54fb-432f-8a95-fd811aafd906"
        name: "main-vpn"
        passthrough:
          connection.type: "vpn"
          vpn.ca: "/home/phablet/Documents/vpn/server.crt"
          vpn.cert: "/home/phablet/Documents/vpn/phone.crt"
          vpn.cert-pass-flags: "1"
          vpn.connection-type: "password-tls"
          vpn.dev: "tun"
          vpn.dev-type: "tun"
          vpn.key: "/home/phablet/Documents/vpn/phone.key"
          vpn.password-flags: "1"
          vpn.port: "<port>"
          vpn.remote: "<domain>"
          vpn.username: "<user>"
          vpn.service-type: "org.freedesktop.NetworkManager.openvpn"
          ipv4.method: "auto"
          ipv6.addr-gen-mode: "default"
          ipv6.method: "auto"
          proxy._: ""

No wonder the server has tls errors, the tls-crypt option is missing.

@arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

Sorry for the long radio silence, something come up. Copied over the yaml file from netplan as is leaving content and name unchanged (minus the cert and key paths). It wont show up in settings under VPN, not even a reboot makes it appear.....

Sorry for doubleposting, couldnt edit previous.

Ubuntu 24.04 finished installing. Set up vpn and works, but no export button (or im blind again(......

@arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

@jagdtigger What version of UT are you on? And what channel?

24.04-1.x/arm64/android9plus/stable, the phone is a Fairphone 4.

@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

@jagdtigger
I'm testing the VPN as well.
If I get better results, I'll let you know...

Thanks. Im installing ubuntu 24.04.3 on a minipc i have lying around for messing around.

@arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

@jagdtigger Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

Once you get that set-up in a satisfactory manner, you could then export the configuration to a .ovpn file, which you could then install with nmcli on UT.

Sorry for the long radio silence, i was practically zombie the whole week. ATM i do not have any machines that run ubuntu, but my router does have a ovpn export. Here is a redacted version:

dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote domain port udp4
setenv opt block-outside-dns
nobind
verify-x509-name "some-name" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN EC PRIVATE KEY-----
<snip>
-----END EC PRIVATE KEY-----
</key>
<tls-crypt>
#
# <snip> bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<snip>
-----END OpenVPN Static key V1-----
</tls-crypt>

/EDIT
Nope, it wont connect. Errors in vpn server log:

TLS Error: tls-crypt unwrapping failed from [AF_INET]<phone_ip>
tls-crypt unwrap error: packet too short

(And yes im trying to connect over cellular not local wifi.)

Hello all!

Sorry about the vague title but didnt really know how to condense the issue down into a few words. So i have an openvpn server, it specifically uses aes-gcm or chacha-poly for encryption and tls-key both ways. Sadly none of this is available in the wizard. Tried to use a confid file from the cmd line and it did connect but nothing got through. Is there a way to get it done without breaking things?

Im pretty much at a loss here, if it was a regular PC running linux id start poking around on my own but im very unfamiliar with UT and its potential quirks and peculiarities......