    OpenVPN setup does not offer what i need for my vpn server....

        arubislander @jagdtigger

        @jagdtigger Indeed, there is no export function in NetworkManager. Also it seems that Ubuntu has transitioned to using netplan at some point.

        In any case, you can find your VPN config either in /etc/NetworkManager/system-connections/ or else in /etc/netplan/.

        Both locations are writeable by root on UT, so you could try copying over the correct file(s).

        🇦🇼 🇳🇱 🇺🇸 🇪🇸
        Happily running Ubuntu Touch
        JingPad (24.04-1.x daily)
        OnePlus Nord N10 5G (24.04-2.x daily)
        PinePhone OG (20.04)
        Meizu Pro 5 (16.04 DEV)
        Google Pixel 3a

          Vlad Nirky @jagdtigger

          @jagdtigger
          So I'm here at the moment...

          root@ubuntu-phablet:/home/phablet# systemctl status openvpn
          ● openvpn.service - OpenVPN service
               Loaded: loaded (/usr/lib/systemd/system/openvpn.service; enabled; preset: enabled)
               Active: active (exited) since Fri 2025-10-24 01:18:32 CEST; 7h ago
                 Docs: man:openvpn(8)
             Main PID: 2661 (code=exited, status=0/SUCCESS)
          
          oct. 24 01:18:32 ubuntu-phablet systemd[1]: Starting openvpn.service - OpenVPN service...
          oct. 24 01:18:32 ubuntu-phablet systemd[1]: Finished openvpn.service - OpenVPN service.
          root@ubuntu-phablet:/home/phablet# systemctl status NetworkManager
          ● NetworkManager.service - Network Manager
               Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; preset: enabled)
               Active: active (running) since Fri 2025-10-24 01:18:32 CEST; 7h ago
                 Docs: man:NetworkManager(8)
             Main PID: 1827 (NetworkManager)
               Memory: 18.3M ()
               CGroup: /system.slice/NetworkManager.service
                       ├─1827 /usr/sbin/NetworkManager --no-daemon
                       └─4263 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --clear-on-reload --conf-f>
          
          oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: TCP/UDP: Preserving recently used remote address: [AF_INET]81.240.167.171:1194
          oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: UDPv4 link local: (not bound)
          oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: UDPv4 link remote: [AF_INET]81.240.167.171:1194
          oct. 24 08:15:32 ubuntu-phablet nm-openvpn[17986]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
          oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
          oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: TLS Error: TLS handshake failed
          oct. 24 08:16:32 ubuntu-phablet nm-openvpn[17986]: SIGUSR1[soft,tls-error] received, process restarting
          oct. 24 08:16:33 ubuntu-phablet NetworkManager[1827]: <warn>  [1761286593.0199] vpn[0x55b74dbb70,4bab2c8f-7db8-4723-ac46-e0f3bd1de606,"sarbacane.test.be"]: connect timeout exceeded
          oct. 24 08:16:33 ubuntu-phablet nm-openvpn-serv[17980]: Connect timer expired, disconnecting.
          oct. 24 08:16:33 ubuntu-phablet nm-openvpn[17986]: SIGTERM[hard,init_instance] received, process exiting
          
            Vlad Nirky @Vlad Nirky

            root@ubuntu-phablet:/etc/netplan# cat 90-NM-911859dd-e65a-42d2-9ac7-3c5641807798.yaml 
            network:
              version: 2
              nm-devices:
                NM-911859dd-e65a-42d2-9ac7-3c5641807798:
                  renderer: NetworkManager
                  networkmanager:
                    uuid: "911859dd-e65a-42d2-9ac7-3c5641807798"
                    name: "sarbacane.ddns.net"
                    passthrough:
                      connection.type: "vpn"
                      connection.autoconnect: "false"
                      connection.permissions: "user:jll:;"
                      vpn.auth: "SHA256"
                      vpn.ca: "/home/phablet/.cert/nm-openvpn/jll-ca.pem"
                      vpn.cert: "/home/phablet/.cert/nm-openvpn/jll-cert.pem"
                      vpn.cert-pass-flags: "0"
                      vpn.cipher: "AES-256-CBC"
                      vpn.connection-type: "tls"
                      vpn.dev: "tun"
                      vpn.key: "/home/phablet/.cert/nm-openvpn/jll-key.pem"
                      vpn.remote: "sarbacane.test.be:1194"
                      vpn.remote-cert-tls: "server"
                      vpn.tls-crypt: "/home/jll/.cert/nm-openvpn/jll-tls-crypt.pem"
                      vpn.tls-version-min: "1.2"
                      vpn.verify-x509-name: "name:rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3a51f"
                      vpn.ta: "/home/phablet/.cert/nm-openvpn/jll-tls-crypt.pem"
                      vpn.service-type: "org.freedesktop.NetworkManager.openvpn"
                      ipv4.method: "auto"
                      ipv6.addr-gen-mode: "default"
                      ipv6.method: "auto"
                      proxy._: ""
            
              Vlad Nirky @Vlad Nirky

              Hmm, I see an error in my file, I left /home/jll for the TLS...
              I'll change it to /home/phablet and test again.

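Added example (not part of the original posts, and not UBports or NetworkManager code): a Python check for the mistake found above, where one file path in the netplan passthrough still pointed at /home/jll. It reports every file-valued vpn.* key whose target is missing and also flags key material readable by group or other; the sample config and temporary files are constructed, and the permission check is an addition the thread does not discuss.

```python
import os
import re
import stat
import tempfile

# NetworkManager-openvpn passthrough keys that hold file paths (as in the post above).
PATH_KEYS = ("vpn.ca", "vpn.cert", "vpn.key", "vpn.tls-crypt", "vpn.ta")
# Keys whose files are secrets and should be readable by the owner only (added check).
SECRET_KEYS = ("vpn.key", "vpn.tls-crypt", "vpn.ta")
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+):\s*"(.*)"\s*$')

def passthrough_paths(netplan_text):
    """Return {key: path} for the file-valued vpn.* keys in a netplan NM file."""
    found = {}
    for line in netplan_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in PATH_KEYS:
            found[m.group(1)] = m.group(2)
    return found

def audit(netplan_text):
    """Return a sorted list of (key, problem) findings."""
    findings = []
    for key, path in passthrough_paths(netplan_text).items():
        if not os.path.isfile(path):
            findings.append((key, "missing"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key in SECRET_KEYS and mode & 0o077:
            findings.append((key, "readable by group/other"))
    return sorted(findings)

def demo():
    """Build a constructed config in a temp dir that repeats the stale-path mistake."""
    with tempfile.TemporaryDirectory() as home:
        good = os.path.join(home, "phablet", ".cert", "nm-openvpn")
        os.makedirs(good)
        for name, mode in (("jll-ca.pem", 0o644), ("jll-cert.pem", 0o644),
                           ("jll-key.pem", 0o644), ("jll-tls-crypt.pem", 0o600)):
            path = os.path.join(good, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        stale = os.path.join(home, "jll", ".cert", "nm-openvpn")  # never created
        sample = f'''
      passthrough:
        connection.type: "vpn"
        vpn.ca: "{good}/jll-ca.pem"
        vpn.cert: "{good}/jll-cert.pem"
        vpn.key: "{good}/jll-key.pem"
        vpn.tls-crypt: "{stale}/jll-tls-crypt.pem"
        vpn.ta: "{good}/jll-tls-crypt.pem"
'''
        return audit(sample)

if __name__ == "__main__":
    for key, problem in demo():
        print(f"{key}: {problem}")
```

On a device, pass the text of the file under /etc/netplan/ to audit() as root so the referenced files can be inspected.
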
                Vlad Nirky @Vlad Nirky

                Well, the VPN seems to be connected, but only when my Wi-Fi is active...
                As soon as I have access to Wi-Fi elsewhere, I will continue my tests.
                Fingers crossed.

                  Vlad Nirky @Vlad Nirky

                  I must continue searching because, after restarting, the modified VPN configuration in /etc/netplan is no longer available.

                    Vlad Nirky @Vlad Nirky

                    Well, changing the file doesn't help.
                    I'm now trying on the PC configured nmcli connection export jll > jll.nmconnection
                    and on the phone sudo nmcli connection import type openvpn file jll.nmconnection
                    So far, it's not working... 🤣

                      Vlad Nirky @Vlad Nirky

                      It's progressing, I can connect via network manager now but I don't have an IP address in my local network...

                        gpatel-fr @Vlad Nirky

                        @Vlad-Nirky

                        I must fail to understand what you mean and if yes I apologize for that in advance, what is troubling me is that it's not OpenVpn's (or any VPN) job to provide a local IP address, it's the local network stack.
                        So if your local network is 192.168.0.x, the local Wifi router will give your system say the local IP address 192.168.0.20, the Vpn local address will be 192.168.99.18, the distant Vpn address (OpenVpn gateway) 192.168.99.17, for a distant local network of say 192.168.20.x. In my example, the 192.168.99.x come from the distant OpenVpn server configuration.

                          Vlad Nirky @gpatel-fr

                          @gpatel-fr
                          Yes and the server config is working with my PC Fedora 42 and NetworkManager.
                          The VPN server is not my router but a rpi 3 running openvpn.
                          I have tried sudo openvpn --config /home/phablet/jll.ovpn --verb 4
                          The vpn is up and tun0 created.
                          but I can't ping my local network.
                          I have had ping success when I added sudo ip route add 192.168.128.0/23 dev tun0
                          It looks like (I'm not a network expert) the NM doesn't add the route for some reason on the phone (confinement or bug) and the NM on my PC does it.

                            Vlad Nirky @gpatel-fr

                            @gpatel-fr
                            Testing is uneasy because I can't connect via ssh on the phone and have to do all through terminal on the phone... 😢

                              gpatel-fr @Vlad Nirky

                              @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                              The VPN server is not my router but a rpi 3 running openvpn.

                              If this means that both your client and the server use the same network configuration, I don't think it can work. For routing to pass through the VPN, the client network and the server network should be different. That could be done with manual IP configuration at least on your test server (the Pi if I understand correctly).

                                Vlad Nirky @gpatel-fr

                                @gpatel-fr
                                I must have expressed myself poorly.
                                The tunnel created tun0 has an address of 10.238.198.3.
                                By adding the route, I can access my 192.168.128.0/23 network.
                                On my PC, NetworkManager does the job: it opens the connection, receives an IP for the VPN, and adds the route (this is configured by my user's .ovpn, which I imported).
                                Under UT, there is no .ovpn import. Configuration via the NetworkManager interface does not work (or I cannot get it to work). I exported the NetworkManager configuration from my PC with nmcli connection export and re-imported it into UT via nmcli connection import.
                                Roughly speaking, it should contain what is in the .ovpn file.
                                I added the TLS key password.
                                The connection is established, I have a tun0 created with an IP address of 10.238.198.x, but pinging my 192.168.128.x network does not work even if I add the route so that my access to 192.168.128.0/23 is via tun0.
                                However, if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network.

                                  gpatel-fr @Vlad Nirky

                                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                  I must have expressed myself poorly.

                                  Fact is, these VPN network configurations are a bit intricate and difficult to explain, remotely there is only one way to make them really clear: a diagram.

                                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                  adds the route

                                  If you have to add a route manually, there is something cheesy. Normally in simple cases OpenVpn handles all the routing automatically.

                                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                                  if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network

                                  I take it that you confirmed that the tunnel is opened and working by taking a look at the openvpn interface statistics on the server (your PI if I understand correctly is in any case the test server, right?)
                                  Something like
                                  ip stats show dev tun0
                                  to ensure that your packets are really passing by the Vpn.

                                  My favourite test in case of Openvpn problems is pinging from each side the opposite Openvpn address, it could be 10.238.198.1 from one side and 10.238.198.2 from the other side (to be checked with ip a on both sides, the inet and the peer should be the same but reversed of course)

                                  On a standard Linux, Openvpn logs to syslog and it can be really interesting to take a look at it, I don't have yet a phone to check what happens on UT. Routing can get really tricky with Openvpn, even by looking at syslog, sometimes it may be necessary to set

                                  sudo sysctl net.ipv4.conf.all.log_martians=1

                                  because by default this kind of problem is not sent to syslog. That's typically the case where it's necessary to add a route manually (I had this problem when running Openvpn in a lxd container).

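Added example (not from the thread's participants): the routing question above comes down to which interface the kernel picks for an address in 192.168.128.0/23. This Python code applies longest-prefix matching to constructed `ip -4 route show` output, before and after the manual `ip route add`; the wlan0 addresses and the /24 on tun0 are assumptions, and route metrics are ignored.

```python
import ipaddress

# Constructed `ip -4 route show` output; wlan0 addressing and the tun0 /24 are assumed.
BEFORE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.238.198.0/24 dev tun0 proto kernel scope link src 10.238.198.3
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""
# Same table after: ip route add 192.168.128.0/23 dev tun0
AFTER = BEFORE + "192.168.128.0/23 dev tun0 scope link\n"

def parse_routes(ip_route_output):
    """Parse `ip -4 route show` lines into (network, device) pairs."""
    routes = []
    for line in ip_route_output.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # e.g. blackhole/unreachable entries have no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_device(routes, target):
    """Longest-prefix match: the device chosen for target, or None if no route."""
    addr = ipaddress.ip_address(target)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def lan_via_tunnel(ip_route_output, lan, tunnel_dev="tun0"):
    """True only if the first and last address of lan both leave via tunnel_dev."""
    routes = parse_routes(ip_route_output)
    net = ipaddress.ip_network(lan)
    return all(egress_device(routes, str(a)) == tunnel_dev for a in (net[0], net[-1]))

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, egress_device(parse_routes(table), "192.168.129.10"),
              lan_via_tunnel(table, "192.168.128.0/23"))
```

Without the extra route, traffic for the remote LAN follows the default route out of wlan0 and never enters the tunnel, while the VPN peer address itself is still reached through tun0.
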
                                    zakafx @gpatel-fr

                                    I am glad that I found this thread. I also wanted to have remote access to my network while on the go so I enabled open VPN on my network. I actually use wireguard, but since there is no wireguard support in settings, I decided to use openvpn just for Ubuntu touch.

                                    I followed the guide that's on the Ubuntu touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all, my route out to the internet as well as to internal network devices is dead.

                                    I thought perhaps my configuration was wrong, so to verify everything was fine, I downloaded the OpenVPN app on my regular phone (android) and imported the profile that was created from my router (I used this exact profile to extract keys from above). Once it connected, everything just worked.

                                    I'll follow this thread in case there are additional instructions I need to implement.

                                      gpatel-fr @zakafx

                                      @zakafx said in OpenVPN setup does not offer what i need for my vpn server....:

                                      I followed the guide that's on the Ubuntu touch website, extracting all of the keys and information required to set this up. However, while I am able to establish a connection, I cannot ping anything at all, my route out to the internet as well as to internal network devices is dead.

                                      Sorry I can't help you more but my phone under UT is still in the near future :-). I'd advise you to run the commands I gave in my previous message and post the result, with possibly a schema of your network to make things more clear.

                                        zakafx @gpatel-fr

                                        @gpatel-fr I just arrived back from a work trip so perhaps this weekend I'll play around and report back. I'll add a route manually and see what happens!

                                          Vlad Nirky @gpatel-fr

                                          @gpatel-fr
                                          Thank you for these explanations. Interesting...
                                          I will look into it further.
                                          I will keep you informed.

                                            OtaDr

                                            Hello, I use an internet proxy with OVPN (the IPFire project) and a phone with UT 24.04 (Pixel 3Axl). The VPN works both for access to the local network and as a proxy for accessing, for example, the web from the mobile phone. (There were problems with the encryption type on the OVPN server side.)

                                            I will add:
                                            On the server side, I changed the encryption type from AES-GCM 256-bit to CBC 256-bit, and
                                            then added the PKCS12 certificate to the phone...

                                              MrT10001

                                              In the Xenial days I used VPN Editor which worked great for NordVPN. I don't know if it will work on Focal or Noble, may need an upgrade, but it had more tweaks to get things going.

                                              Xiaomi Redmi Note 7.... And more...
                                              I have too many devices...
