OpenVPN setup does not offer what i need for my vpn server....
-
@gpatel-fr
I think a have something interresting in the openvpn server log (as you expected)After phone connexion to VPN root@rpi3:/var/log# cat openvpn.log Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 TLS: Initial packet from [AF_INET]188.5.220.190:1210, sid=e5f0bc02 623c1eb2 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=1, CN=Easy-RSA CA Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY KU OK Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Validating certificate extended key usage Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY EKU OK Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PLAT=linux Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_TCPNL=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_MTU=1600 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PROTO=990 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_LZO_STUB=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUB=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUBv2=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1557' Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1' Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210 Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: new connection by client 'phde' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled) Oct 26 07:14:56 rpi3 ovpn-server[11385]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1210 Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: primary virtual IP for phde/188.5.220.190:1210: 10.238.198.3 Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1) Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:07 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:21 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed After PC connexion to VPN ///Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 TLS: Initial packet from [AF_INET]188.5.220.190:1898, sid=0bfa998b 8f16b815 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=1, CN=Easy-RSA CA Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY KU OK Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Validating certificate extended key usage Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY EKU OK Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PLAT=linux Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_TCPNL=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_MTU=1600 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PROTO=990 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_LZO_STUB=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUB=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUBv2=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1898 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled) Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1898 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: primary virtual IP for phde/188.5.220.190:1898: 10.238.198.3 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Data Channel: using negotiated cipher 'AES-256-GCM' Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1) Oct 26 07:25:29 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 PUSH: Received control message: 'PUSH_REQUEST' -
@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:
overriding but not wiping out the original default gateway.
I see. I have never seen this kind of configuration where road warriors are getting their internet access routed through the server, it has always been a theoretical thing because the combined download speed of several road warriors can't exceed a fraction of the upload speed of the server - and for a small business in my country, getting a 'business quality' connection of even 40Mbits/s is expensive and not worth the extra control that this is providing, hence routing access like that would make for a miserable performance for each road warrior whose personal network download performance would often exceed the total upload speed of the server.
So this is outside of my experience with Openvpn
-
@gpatel-fr
VPN or OVPN, if it does not route to the required network, it will be on the router side. It depends on how you are able to experiment and what your options are. If you have the option to build a router from a PC, I personally have had good experience (and tested functionality with "UT") with https://www.ipfire.org. It is Linux, so a lot of things can be configured there. / Unlike a routerβa company, a brand, a box where even the instructions tend to be brief....Translated with DeepL.com (free version)
-
@OtaDr @gpatel-fr
Openvpn is a cherry pick on my pihole rpi server...
The first goal was to anonymize the DNS so i have installed pihole and unbound.
The vpn is for rare take over from outdoor UT developpers to debug issue on my hardware.I thing there is some issue in the packet decryption.
This issue don't seem to happen when i launch openvpn manually on the phone (to be confirmed) so i have something to look out there.The openvpn are not in the same version on the different parts
[jll @ rpi3 - 07:44:11 ] ~ > openvpn --version OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 25 2025 library versions: OpenSSL 1.1.1w 11 Sep 2023, LZO 2.10 Originally developed by James Yonan Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no [jll @ fedora - 07:42:40 ] ~ > openvpn --version OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10 DCO version: N/A Originally developed by James Yonan Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no phablet@ubuntu-phablet:~$ openvpn --version OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10 DCO version: N/A Originally developed by James Yonan Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no -
@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:
Authenticate/Decrypt packet error: packet HMAC authentication failed
looks like a mismatch for the ta.key file.
@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:
'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
should have the same value for client and server...how that can be possible if you generated the config for the phone from the working config on the PC ?
-
I don't know if you are still struggling with this OpenVpn configuration, it seems that the default configuration generated with PIVpn assumes that every access should be routed by the server, if you have as a symptom that all Internet access is lost after launching the VPN this could be a reason, routing everything through the server is often not what is wanted anyway. Try to use easy-openvpn-server instead, from what I remember it generates a more usable configuration.
-
@gpatel-fr
Solved.
Add this in nmconnection file before import.
cipher AES-256-CBC
cipher AES-256-GCM
auth SHA256
ncp-disableCritical lines in your Ubuntu Touch log
WARNING: βauthβ is used inconsistently, local=βauth SHA256β, remote=βauth SHA1β
phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
The server uses SHA256 authentication
The Ubuntu Touch client uses SHA1 authentication
Result: the HMACs of the data packets do not match β rejection.Why does Fedora work?
Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate βauthβ because AES-256-GCM mode already includes authentication in the encryption.
Ubuntu Touch, on the other hand, still forces an older mode (AES-256-CBC + SHA1 authentication). -
Thanks for your help !
-
@Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:
Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate βauthβ because AES-256-GCM mode already includes authentication in the encryption.
probably a mismatch in Openvpn versions, they have this habit of changing some parameters meaning. Nice wrap-up, thanks for the explanation.
-
@Vlad-Nirky
Did your method with the nmcli import command (only had to add the user+pass in the UT GUI), still get timeout on the phone and the same errors in openvpn log. And i think i know why. Seems like nmcli has its own mind and omitted settings from the imported config....
Originalclient remote '<domain>' tun-ipv6 cert '/home/phablet/Documents/vpn/phone.crt' key '/home/phablet/Documents/vpn/phone.key' ca '/home/phablet/Documents/vpn/server.crt' auth-user-pass dev tun dev-type tun proto udp port <port> tls-crypt '/home/phablet/Documents/vpn/tls.key' tls-version-min '1.3' or-highest nobind auth-nocache script-security 2 persist-key persist-tun user nm-openvpn group nm-openvpnImported:
root@ubuntu-phablet:/home/phablet/Documents/vpn# cat /etc/netplan/90-NM-f1365f35-54fb-432f-8a95-fd811aafd906.yaml network: version: 2 nm-devices: NM-f1365f35-54fb-432f-8a95-fd811aafd906: renderer: NetworkManager networkmanager: uuid: "f1365f35-54fb-432f-8a95-fd811aafd906" name: "main-vpn" passthrough: connection.type: "vpn" vpn.ca: "/home/phablet/Documents/vpn/server.crt" vpn.cert: "/home/phablet/Documents/vpn/phone.crt" vpn.cert-pass-flags: "1" vpn.connection-type: "password-tls" vpn.dev: "tun" vpn.dev-type: "tun" vpn.key: "/home/phablet/Documents/vpn/phone.key" vpn.password-flags: "1" vpn.port: "<port>" vpn.remote: "<domain>" vpn.username: "<user>" vpn.service-type: "org.freedesktop.NetworkManager.openvpn" ipv4.method: "auto" ipv6.addr-gen-mode: "default" ipv6.method: "auto" proxy._: ""No wonder the server has tls errors, the tls-crypt option is missing.
-
@jagdtigger
I imagine it also depends on the VPN server and its configuration...
This works for me.phablet@ubuntu-phablet:~$ cat /home/phablet/Documents/KeePass/phde.nmconnection client remote '<my_server>.ddns.net' 1194 cert '/home/phablet/.cert/nm-openvpn/phde-cert.pem' key '/home/phablet/.cert/nm-openvpn/phde-key.pem' ca '/home/phablet/.cert/nm-openvpn/phde-ca.pem' cipher AES-256-GCM auth SHA256 ncp-disable dev tun proto udp remote-cert-tls server verify-x509-name rpi3_9b0ae2d9-f297-4706-ab24-8b9d63b3a51f name tls-crypt '/home/phablet/.cert/nm-openvpn/phde-tls-crypt.pem' tls-version-min '1.2' nobind auth-nocache script-security 2 persist-key persist-tun user nm-openvpn group nm-openvpn route 192.168.128.0 255.255.254.0 -
oh well TIL that Ubuntu is patching network-manager to backup the network configuration changes to netplan. I was sticking to the old advice 'either netplan OR network-manager'.
For your information, network manager is a Gnome thing and wants nothing to do with netplan that is an Ubuntu thing. Since Ubuntu mostly uses Gnome, this patching tries to make for a better config since network manager is deeply integrated into Gnome. Adding OpenVpn and Ubuntu Touch (that don't use Gnome) is not making things much clearer in the corner cases unfortunately.
So I don't find the idea of getting a netplan config invalid or fighting with Network Manager particularly surprising.
I have no idea if just editing the netplan file and restarting netplan with sudo netplan apply will 'stick' in UT. -
@Vlad-Nirky
Every other client, including this phone with the openvpn app when it was running android connected just fine so i have doubts about the server causing it.
Server log:Oct 26 11:23:17 openvpn 68034 openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connected Oct 26 11:23:17 openvpn 89539 MULTI_sva: push_ifconfig_ipv6 <ip6> Oct 26 11:23:16 openvpn 63105 openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connecting Oct 26 11:23:16 openvpn 89539 phone/<phone_ip>:2866 MULTI_sva: push_ifconfig_ipv6 <ip6> Oct 26 11:23:16 openvpn 89539 phone/<phone_ip>:2866 MULTI_sva: pool returned IPv4=10.125.220.2, IPv6=<ip6> Oct 26 11:23:15 openvpn 5699 user '<phone>' authenticated Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 [phone] Peer Connection Initiated with [AF_INET]<phone_ip>:2866 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_COMP_STUBv2=1 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_COMP_STUB=1 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_LZO_STUB=1 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_PROTO=990 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_CIPHERS=AES-256-GCM:CHACHA20-POLY1305 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_MTU=1600 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_TCPNL=1 Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_PLAT=linux Oct 26 11:23:15 openvpn 89539 <phone_ip>:2866 peer info: IV_VER=2.6.14Phone console output (usb adb shell):
phablet@ubuntu-phablet:~/Documents/vpn$ sudo openvpn --config ./main-vpn.ovpn 2025-10-26 11:23:09 Unrecognized option or missing or extra parameter(s) in ./main-vpn.ovpn:11: block-outside-dns (2.6.14) 2025-10-26 11:23:09 OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] 2025-10-26 11:23:09 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10 2025-10-26 11:23:09 DCO version: N/A Enter Auth Username: <phone> Enter Auth Password: β’β’β’β’β’β’β’β’β’β’ 2025-10-26 11:23:15 TCP/UDP: Preserving recently used remote address: [AF_INET]<server> 2025-10-26 11:23:15 UDPv4 link local: (not bound) 2025-10-26 11:23:15 UDPv4 link remote: [AF_INET]<server> 2025-10-26 11:23:15 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this 2025-10-26 11:23:15 [openvpn_server-cr] Peer Connection Initiated with [AF_INET]<server> 2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.6.14) 2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: register-dns (2.6.14) 2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results 2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results 2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results 2025-10-26 11:23:17 sitnl_send: rtnl: generic error (-101): Network is unreachable 2025-10-26 11:23:17 TUN/TAP device tun0 opened 2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0 2025-10-26 11:23:17 net_iface_up: set tun0 up 2025-10-26 11:23:17 net_addr_v4_add: <ip4> dev tun0 2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0 2025-10-26 11:23:17 net_iface_up: set tun0 up 2025-10-26 11:23:17 net_addr_v6_add: <ip6> dev tun0 2025-10-26 11:23:17 Initialization Sequence CompletedThe network unreachable error is odd, but right now the main issue is that the nmcli+ntplan combo is royally screwing up the config itself when imported or when forced to add user+pass in the gui....
@gpatel-fr
I was aware from the getgo ubuntu does stupid things like NM+NP, not to mention their obsession with their failing app packaging format.....
Anyway as i said above i think it does something iffy with the config. The tls-crypt option missing inside the netplan yaml even though it was there before import i think is a pretty good indicator of that. -
@jagdtigger do you have VoLTE enabled? For me, it somehow affects VPN connections and I need to disable it for VPN to work.
-
@Luksus
voLTE is always enabled for me (Xiaomi Redi Note 9 Pro 24.04 Stable (at the moment))
No effect on VPN connections -
@Vlad-Nirky thanks for the info, then it may be my mobile provider which causes the issue.
-
Had a bit of time playing with this. Looks like when i add the needed luser+pass UT borks the config.
After import but before edit in gui:root@ubuntu-phablet:/home/phablet/Documents/vpn# cat /etc/netplan/90-NM-52d84ad9-6e22-45a6-b0cc-77e6639f57dc.yaml network: version: 2 nm-devices: NM-52d84ad9-6e22-45a6-b0cc-77e6639f57dc: renderer: NetworkManager networkmanager: uuid: "52d84ad9-6e22-45a6-b0cc-77e6639f57dc" name: "main-vpn" passthrough: connection.type: "vpn" vpn.ca: "/home/phablet/Documents/vpn/server.crt" vpn.cert: "/home/phablet/Documents/vpn/phone.crt" vpn.connection-type: "password-tls" vpn.dev: "tun" vpn.dev-type: "tun" vpn.key: "/home/phablet/Documents/vpn/phone.key" vpn.password-flags: "1" vpn.port: "<port>" vpn.remote: "<domain>" vpn.tls-crypt: "/home/phablet/Documents/vpn/tls.key" vpn.tls-version-min: "1.3" vpn.tls-version-min-or-highest: "yes" vpn.tun-ipv6: "yes" vpn.service-type: "org.freedesktop.NetworkManager.openvpn" ipv4.method: "auto" ipv6.addr-gen-mode: "default" ipv6.method: "auto" proxy._: ""After adding user+pass:
root@ubuntu-phablet:/home/phablet/Documents/vpn# cat /etc/netplan/90-NM-52d84ad9-6e22-45a6-b0cc-77e6639f57dc.yaml network: version: 2 nm-devices: NM-52d84ad9-6e22-45a6-b0cc-77e6639f57dc: renderer: NetworkManager networkmanager: uuid: "52d84ad9-6e22-45a6-b0cc-77e6639f57dc" name: "main-vpn" passthrough: connection.type: "vpn" vpn.ca: "/home/phablet/Documents/vpn/server.crt" vpn.cert: "/home/phablet/Documents/vpn/phone.crt" vpn.cert-pass-flags: "1" vpn.connection-type: "password-tls" vpn.dev: "tun" vpn.dev-type: "tun" vpn.key: "/home/phablet/Documents/vpn/phone.key" vpn.password-flags: "1" vpn.port: "<port>" vpn.remote: "<domain>" vpn.username: "phone" vpn.service-type: "org.freedesktop.NetworkManager.openvpn" ipv4.method: "auto" ipv6.addr-gen-mode: "default" ipv6.method: "auto" proxy._: ""Emtyied the file then inserted the origynal config, reboot, then trying to connect with nmcli:
phablet@ubuntu-phablet:~$ sudo su - [sudo] password for phablet: root@ubuntu-phablet:~# nano /etc/netplan/90-NM-52d84ad9-6e22-45a6-b0cc-77e6639f57dc.yaml root@ubuntu-phablet:~# nmcli con up id main-vpn --ask A password is required to connect to 'main-vpn'. Password (vpn.secrets.password): β’β’β’β’β’β’β’β’β’β’ Error: Connection activation failed: The VPN service stopped unexpectedly Hint: use 'journalctl -xe NM_CONNECTION=52d84ad9-6e22-45a6-b0cc-77e6639f57dc + NM_DEVICE=ril_0' to get more details.Output from yournalctl from the last line:
Nov 03 19:44:41 ubuntu-phablet NetworkManager[1855]: <info> [1762195481.3645] manager: (ril_0): new Broadband device (/org/freedesktop/NetworkManager/Devices/8) Nov 03 19:44:41 ubuntu-phablet NetworkManager[1855]: <info> [1762195481.3696] device (ril_0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external') Nov 03 19:44:41 ubuntu-phablet NetworkManager[1855]: <info> [1762195481.3704] device (ril_0): modem state 'initializing' Nov 03 19:45:22 ubuntu-phablet NetworkManager[1855]: <info> [1762195522.7025] device (ril_0): state change: unavailable -> disconnected (reason 'modem-available', sys-iface-state: 'managed') Nov 03 19:45:22 ubuntu-phablet NetworkManager[1855]: <info> [1762195522.7151] device (ril_0): Activation: starting connection 'Vodafone HU' (45cef972-7709-52f9-90a2-6b67d193ddf6) Nov 03 19:45:22 ubuntu-phablet NetworkManager[1855]: <info> [1762195522.7154] device (ril_0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.3959] device (ril_0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.4014] device (ril_0): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <warn> [1762195523.4075] device (ril_0): retrieving IP configuration failed: modem IP method unsupported Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.4530] device (ril_0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.5092] device (ril_0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.5101] device (ril_0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed') Nov 03 19:45:23 ubuntu-phablet NetworkManager[1855]: <info> [1762195523.5122] device (ril_0): Activation: successful, device activated. Nov 03 19:46:05 ubuntu-phablet NetworkManager[1855]: <info> [1762195565.5396] vpn[0x55b0078e60,52d84ad9-6e22-45a6-b0cc-77e6639f57dc,"main-vpn"]: starting openvpnNot much, lets see what journalctl -e had to offer:
Nov 03 19:54:14 ubuntu-phablet NetworkManager[1855]: <info> [1762196054.8404] agent-manager: agent[75085e56325963a9,:1.110/nmcli-connect/0]: agent registered Nov 03 19:54:14 ubuntu-phablet NetworkManager[1855]: <info> [1762196054.8451] vpn[0x55b0071c60,52d84ad9-6e22-45a6-b0cc-77e6639f57dc,"main-vpn"]: starting openvpn Nov 03 19:54:14 ubuntu-phablet NetworkManager[1855]: <info> [1762196054.8475] audit: op="connection-activate" uuid="52d84ad9-6e22-45a6-b0cc-77e6639f57dc" name="main-vpn" pid=5266 uid=0 result="success" Nov 03 19:54:19 ubuntu-phablet NetworkManager[5278]: 2025-11-03 19:54:19 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback ple> Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: WARNING: file '/home/phablet/Documents/vpn/phone.key' is group or others accessible Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10 Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: DCO version: N/A Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: Insufficient key material or header text not found in file '[[INLINE]]' (0/128/256 bytes found/min/max) Nov 03 19:54:19 ubuntu-phablet nm-openvpn[5278]: Exiting due to fatal error Nov 03 19:54:19 ubuntu-phablet NetworkManager[1855]: <warn> [1762196059.3200] vpn[0x55b0071c60,52d84ad9-6e22-45a6-b0cc-77e6639f57dc,"main-vpn"]: dbus: failure: connect-failed (1) Nov 03 19:54:19 ubuntu-phablet NetworkManager[1855]: <warn> [1762196059.3222] vpn[0x55b0071c60,52d84ad9-6e22-45a6-b0cc-77e6639f57dc,"main-vpn"]: dbus: failure: connect-failed (1) Nov 03 19:54:19 ubuntu-phablet lomiri-indicator-network-service[4655]: Debug: VPN Connection Failed "The VPN connection 'main-vpn' failed." ((null):0, (null)) Nov 03 19:54:19 ubuntu-phablet lomiri-indicator-network-service[4655]: Debug: VPN Connection Failed "The VPN connection 'main-vpn' failed because the VPN service stopped unexpectedly." ((null):0, (null))Im out of ideas at this point.....
-
Finally found the issue, for some reason the tls key was wrong (dont even ask, have no idea how that happened)........
@Luksus
Didnt rebbot after turning volte off but doesnt seem to effect the vpn./edit
Well ping doesnt go through the tunnel but normal web traffic does, openvpn could really have a bit more clearer error messages. Like "Invalid tls key" or something instead of and obtuse " Insufficient key material or header text not found in file '[[INLINE]]' "..... -
J jagdtigger has marked this topic as solved
