    OpenVPN setup does not offer what i need for my vpn server....

      jagdtigger

        Hello all!

        Sorry about the vague title but I didn't really know how to condense the issue down into a few words. So I have an OpenVPN server, it specifically uses aes-gcm or chacha-poly for encryption and tls-key both ways. Sadly none of this is available in the wizard. Tried to use a config file from the cmd line and it did connect but nothing got through. Is there a way to get it done without breaking things?

        I'm pretty much at a loss here; if it was a regular PC running Linux I'd start poking around on my own, but I'm very unfamiliar with UT and its potential quirks and peculiarities...

          arubislander @jagdtigger

          @jagdtigger Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

          Once you get that set-up in a satisfactory manner, you could then export the configuration to a .ovpn file, which you could then install with nmcli on UT.

          🇦🇼 🇳🇱 🇺🇸 🇪🇸
          Happily running Ubuntu Touch
          JingPad (24.04-1.x daily)
          OnePlus Nord N10 5G (24.04-2.x daily)
          PinePhone OG (20.04)
          Meizu Pro 5 (16.04 DEV)
          Google Pixel 3a

            jagdtigger @arubislander

            @arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

            @jagdtigger Do you have an Ubuntu Desktop PC you could configure your VPN on and see if it works? Preferably one running the very same base version as the UT you have on your device. So 20.04 or 24.04.

            Once you get that set-up in a satisfactory manner, you could then export the configuration to a .ovpn file, which you could then install with nmcli on UT.

            Sorry for the long radio silence, I was practically a zombie the whole week. ATM I do not have any machines that run Ubuntu, but my router does have an ovpn export. Here is a redacted version:

            dev tun
            persist-tun
            persist-key
            data-ciphers AES-256-GCM:CHACHA20-POLY1305
            data-ciphers-fallback AES-256-GCM
            auth SHA512
            tls-client
            client
            resolv-retry infinite
            remote domain port udp4
            setenv opt block-outside-dns
            nobind
            verify-x509-name "some-name" name
            auth-user-pass
            remote-cert-tls server
            explicit-exit-notify
            redirect-gateway def1
            <ca>
            -----BEGIN CERTIFICATE-----
            <snip>
            -----END CERTIFICATE-----
            </ca>
            <cert>
            -----BEGIN CERTIFICATE-----
            <snip>
            -----END CERTIFICATE-----
            </cert>
            <key>
            -----BEGIN EC PRIVATE KEY-----
            <snip>
            -----END EC PRIVATE KEY-----
            </key>
            <tls-crypt>
            #
            # <snip> bit OpenVPN static key
            #
            -----BEGIN OpenVPN Static key V1-----
            <snip>
            -----END OpenVPN Static key V1-----
            </tls-crypt>
            
            

            /EDIT
            Nope, it won't connect. Errors in the VPN server log:

            TLS Error: tls-crypt unwrapping failed from [AF_INET]<phone_ip>
            tls-crypt unwrap error: packet too short
            

            (And yes, I'm trying to connect over cellular, not local wifi.)

              arubislander @jagdtigger

              @jagdtigger What version of UT are you on? And what channel?

                Vlad Nirky @jagdtigger

                @jagdtigger
                I'm testing the VPN as well.
                If I get better results, I'll let you know...

                  jagdtigger @arubislander

                  @arubislander said in OpenVPN setup does not offer what i need for my vpn server....:

                  @jagdtigger What version of UT are you on? And what channel?

                  24.04-1.x/arm64/android9plus/stable, the phone is a Fairphone 4.

                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                  @jagdtigger
                  I'm testing the VPN as well.
                  If I get better results, I'll let you know...

                  Thanks. I'm installing Ubuntu 24.04.3 on a mini PC I have lying around for messing around.

                    jagdtigger

                    Sorry for double-posting, couldn't edit the previous one.

                    Ubuntu 24.04 finished installing. Set up the VPN and it works, but no export button (or I'm blind again)...

                      arubislander @jagdtigger

                      @jagdtigger Indeed, there is no export function in NetworkManager. Also it seems that Ubuntu has transitioned to using netplan at some point.

                      In any case, you can find your VPN config either in /etc/NetworkManager/system-connections/ or else in /etc/netplan/.

                      Both locations are writeable by root on UT, so you could try copying over the correct file(s).

                        Vlad Nirky @jagdtigger

                        @jagdtigger
                        So I'm here at the moment...

                        root@ubuntu-phablet:/home/phablet# systemctl status openvpn
                        ● openvpn.service - OpenVPN service
                             Loaded: loaded (/usr/lib/systemd/system/openvpn.service; enabled; preset: enabled)
                             Active: active (exited) since Fri 2025-10-24 01:18:32 CEST; 7h ago
                               Docs: man:openvpn(8)
                           Main PID: 2661 (code=exited, status=0/SUCCESS)
                        
                        oct. 24 01:18:32 ubuntu-phablet systemd[1]: Starting openvpn.service - OpenVPN service...
                        oct. 24 01:18:32 ubuntu-phablet systemd[1]: Finished openvpn.service - OpenVPN service.
                        root@ubuntu-phablet:/home/phablet# systemctl status NetworkManager
                        ● NetworkManager.service - Network Manager
                             Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; preset: enabled)
                             Active: active (running) since Fri 2025-10-24 01:18:32 CEST; 7h ago
                               Docs: man:NetworkManager(8)
                           Main PID: 1827 (NetworkManager)
                             Memory: 18.3M ()
                             CGroup: /system.slice/NetworkManager.service
                                     ├─1827 /usr/sbin/NetworkManager --no-daemon
                                     └─4263 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --clear-on-reload --conf-f>
                        
                        oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: TCP/UDP: Preserving recently used remote address: [AF_INET]81.240.167.171:1194
                        oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: UDPv4 link local: (not bound)
                        oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: UDPv4 link remote: [AF_INET]81.240.167.171:1194
                        oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
                        oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
                        oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: TLS Error: TLS handshake failed
                        oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: SIGUSR1[soft,tls-error] received, process restarting
                        oct. 24 08:16:33 ubuntu-phablet NetworkManager[1827]: <warn>  [1761286593.0199] vpn[0x55b74dbb70,4bab2c8f-7db8-4723-ac46-e0f3bd1de606,"sarbacane.test.be"]: connect timeout exceeded
                        oct. 24 08:16:33 ubuntu-phablet nm-openvpn-serv[17980]: Connect timer expired, disconnecting.
                        oct. 24 08:16:33 ubuntu-phablet nm-openvpn[17986]: SIGTERM[hard,init_instance] received, process exiting
                        
                          Vlad Nirky @Vlad Nirky

                          root@ubuntu-phablet:/etc/netplan# cat 90-NM-911859dd-e65a-42d2-9ac7-3c5641807798.yaml 
                          network:
                            version: 2
                            nm-devices:
                              NM-911859dd-e65a-42d2-9ac7-3c5641807798:
                                renderer: NetworkManager
                                networkmanager:
                                  uuid: "911859dd-e65a-42d2-9ac7-3c5641807798"
                                  name: "sarbacane.ddns.net"
                                  passthrough:
                                    connection.type: "vpn"
                                    connection.autoconnect: "false"
                                    connection.permissions: "user:jll:;"
                                    vpn.auth: "SHA256"
                                    vpn.ca: "/home/phablet/.cert/nm-openvpn/jll-ca.pem"
                                    vpn.cert: "/home/phablet/.cert/nm-openvpn/jll-cert.pem"
                                    vpn.cert-pass-flags: "0"
                                    vpn.cipher: "AES-256-CBC"
                                    vpn.connection-type: "tls"
                                    vpn.dev: "tun"
                                    vpn.key: "/home/phablet/.cert/nm-openvpn/jll-key.pem"
                                    vpn.remote: "sarbacane.test.be:1194"
                                    vpn.remote-cert-tls: "server"
                                    vpn.tls-crypt: "/home/jll/.cert/nm-openvpn/jll-tls-crypt.pem"
                                    vpn.tls-version-min: "1.2"
                                    vpn.verify-x509-name: "name:rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3a51f"
                                    vpn.ta: "/home/phablet/.cert/nm-openvpn/jll-tls-crypt.pem"
                                    vpn.service-type: "org.freedesktop.NetworkManager.openvpn"
                                    ipv4.method: "auto"
                                    ipv6.addr-gen-mode: "default"
                                    ipv6.method: "auto"
                                    proxy._: ""
                          
                            Vlad Nirky @Vlad Nirky

                            Hmm, I see an error in my file, I left /home/jll for the TLS...
                            I'll change it to /home/phablet and test again.

                            Vlad NirkyV 1 Reply Last reply Reply Quote 0
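
Added example, not part of the original posts: a Python check that compares an .ovpn profile with the NetworkManager `vpn.*` passthrough keys and lists where they diverge, including a key path left under another user's home as noticed above. `parse_ovpn`, `audit` and both sample inputs are constructed here; reading `vpn.ta` as the tls-auth key is an assumption.

```python
import re

# Constructed sample: directives from the redacted .ovpn profile posted in the
# thread, inline key material elided.
OVPN_SAMPLE = """\
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA512
remote-cert-tls server
<tls-crypt>
(elided)
</tls-crypt>
"""

# Constructed sample: a subset of the passthrough keys from the netplan file in
# the thread (a different server than the profile, so the diff is illustrative).
NM_SAMPLE = {
    "vpn.auth": "SHA256",
    "vpn.cipher": "AES-256-CBC",
    "vpn.remote-cert-tls": "server",
    "vpn.tls-crypt": "/home/jll/.cert/nm-openvpn/jll-tls-crypt.pem",
    "vpn.ta": "/home/phablet/.cert/nm-openvpn/jll-tls-crypt.pem",
}


def parse_ovpn(text):
    """Return {directive: arguments}; an inline <tag> block maps to '[inline]'."""
    profile, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:  # inside <tag>...</tag>: skip the key material
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            inline = tag.group(1)
            profile[inline] = "[inline]"
            continue
        name, _, args = line.partition(" ")
        profile[name] = args.strip()
    return profile


def audit(profile, nm, home="/home/phablet"):
    """List where the NetworkManager settings diverge from the profile."""
    findings = []
    for key in ("dev", "auth", "remote-cert-tls"):  # same name on both sides
        got = nm.get("vpn." + key)
        if key in profile and got != profile[key]:
            findings.append(f"{key}: profile={profile[key]} nm={got}")
    if "data-ciphers" in profile:
        if nm.get("vpn.cipher") not in profile["data-ciphers"].split(":"):
            findings.append(f"cipher: nm={nm.get('vpn.cipher')} not in data-ciphers")
    if "tls-crypt" in profile and "vpn.tls-crypt" not in nm:
        findings.append("tls-crypt: in profile, missing in nm")
    if "vpn.ta" in nm and "vpn.tls-crypt" in nm:  # vpn.ta taken to be tls-auth
        findings.append("vpn.ta and vpn.tls-crypt both set")
    for key, value in sorted(nm.items()):
        if value.startswith("/home/") and not value.startswith(home + "/"):
            findings.append(f"{key}: path outside {home}: {value}")
    return findings
```

Calling `audit(parse_ovpn(OVPN_SAMPLE), NM_SAMPLE)` returns the findings as a list of strings; a finding marks a difference to review, not a guaranteed connection failure.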
                              Vlad Nirky @Vlad Nirky

                              Well, the VPN seems to be connected, but only when my Wi-Fi is active...
                              As soon as I have access to Wi-Fi elsewhere, I will continue my tests.
                              Fingers crossed.

                                Vlad Nirky @Vlad Nirky

                                I must continue searching because, after restarting, the modified VPN configuration in /etc/netplan is no longer available.

                                  Vlad Nirky @Vlad Nirky

                                  Well, changing the file doesn't help.
                                  I'm now trying on the PC configured nmcli connection export jll > jll.nmconnection
                                  and on the phone sudo nmcli connection import type openvpn file jll.nmconnection
                                  So far, it's not working... 🤣

                                    Vlad Nirky @Vlad Nirky

                                    It's progressing, I can connect via network manager now but I don't have an IP address in my local network...

                                      gpatel-fr @Vlad Nirky

                                      @Vlad-Nirky

                                      I must fail to understand what you mean, and if so I apologize for that in advance; what is troubling me is that it's not OpenVPN's (or any VPN's) job to provide a local IP address, it's the local network stack's.
                                      So if your local network is 192.168.0.x, the local Wi-Fi router will give your system, say, the local IP address 192.168.0.20, the VPN local address will be 192.168.99.18, the distant VPN address (OpenVPN gateway) 192.168.99.17, for a distant local network of, say, 192.168.20.x. In my example, the 192.168.99.x addresses come from the distant OpenVPN server configuration.

                                        Vlad Nirky @gpatel-fr

                                        @gpatel-fr
                                        Yes, and the server config is working with my Fedora 42 PC and NetworkManager.
                                        The VPN server is not my router but an rpi 3 running openvpn.
                                        I have tried sudo openvpn --config /home/phablet/jll.ovpn --verb 4
                                        The VPN is up and tun0 is created,
                                        but I can't ping my local network.
                                        I have had ping success when I added sudo ip route add 192.168.128.0/23 dev tun0
                                        It looks like (I'm not a network expert) NM doesn't add the route for some reason on the phone (confinement or bug) and the NM on my PC does it.

                                          Vlad Nirky @gpatel-fr

                                          @gpatel-fr
                                          Testing is uneasy because I can't connect via ssh on the phone and have to do it all through the terminal on the phone... 😢

                                            gpatel-fr @Vlad Nirky

                                            @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                            The VPN server is not my router but an rpi 3 running openvpn.

                                            If this means that both your client and the server use the same network configuration, I don't think it can work. For routing to pass through the VPN, the client network and the server network should be different. That could be done with manual IP configuration at least on your test server (the Pi if I understand correctly).

                                              Vlad Nirky @gpatel-fr

                                              @gpatel-fr
                                              I must have expressed myself poorly.
                                              The tunnel created tun0 has an address of 10.238.198.3.
                                              By adding the route, I can access my 192.168.128.0/23 network.
                                              On my PC, NetworkManager does the job: it opens the connection, receives an IP for the VPN, and adds the route (this is configured by my user's .ovpn, which I imported).
                                              Under UT, there is no .ovpn import. Configuration via the NetworkManager interface does not work (or I cannot get it to work). I exported the NetworkManager configuration from my PC with nmcli connection export and re-imported it into UT via nmcli connection import.
                                              Roughly speaking, it should contain what is in the .ovpn file.
                                              I added the TLS key password.
                                              The connection is established, I have a tun0 created with an IP address of 10.238.198.x, but pinging my 192.168.128.x network does not work even if I add the route so that my access to 192.168.128.0/23 is via tun0.
                                              However, if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network.
