UBports Robot Logo UBports Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    OpenVPN setup does not offer what i need for my vpn server....

    Scheduled Pinned Locked Moved Unsolved Support
    47 Posts 7 Posters 891 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
      Reply
      • Reply as topic
      Log in to reply
      This topic has been deleted. Only users with topic management privileges can see it.
      • Vlad NirkyV Offline
        Vlad Nirky @OtaDr
        last edited by Vlad Nirky

        @OtaDr @gpatel-fr
        Openvpn is a cherry pick on my pihole rpi server...
        The first goal was to anonymize the DNS so i have installed pihole and unbound.
        The vpn is for rare take over from outdoor UT developpers to debug issue on my hardware.

        I thing there is some issue in the packet decryption.
        This issue don't seem to happen when i launch openvpn manually on the phone (to be confirmed) so i have something to look out there.

        The openvpn are not in the same version on the different parts

        [jll @ rpi3 - 07:44:11 ]  ~ 
> openvpn --version
OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 25 2025
library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

[jll @ fedora - 07:42:40 ]  ~ 
> openvpn --version
OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

phablet@ubuntu-phablet:~$ openvpn --version
OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
        1 Reply Last reply Reply Quote 0
        • G Online
          gpatel-fr @Vlad Nirky
          last edited by

          @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

          Authenticate/Decrypt packet error: packet HMAC authentication failed

          looks like a mismatch for the ta.key file.

          @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

          'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'

          should have the same value for client and server...how that can be possible if you generated the config for the phone from the working config on the PC ?

          1 Reply Last reply Reply Quote 0
          • G Online
            gpatel-fr @zakafx
            last edited by

            @zakafx

            I don't know if you are still struggling with this OpenVpn configuration, it seems that the default configuration generated with PIVpn assumes that every access should be routed by the server, if you have as a symptom that all Internet access is lost after launching the VPN this could be a reason, routing everything through the server is often not what is wanted anyway. Try to use easy-openvpn-server instead, from what I remember it generates a more usable configuration.

            Vlad NirkyV 2 Replies Last reply Reply Quote 0
            • Vlad NirkyV Offline
              Vlad Nirky @gpatel-fr
              last edited by Vlad Nirky

              @gpatel-fr
              Solved.
              Add this in nmconnection file before import.
              cipher AES-256-CBC
              cipher AES-256-GCM
              auth SHA256
              ncp-disable

              Critical lines in your Ubuntu Touch log
              WARNING: ‘auth’ is used inconsistently, local=‘auth SHA256’, remote=‘auth SHA1’
              phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
              The server uses SHA256 authentication
              The Ubuntu Touch client uses SHA1 authentication
              Result: the HMACs of the data packets do not match → rejection.

              Why does Fedora work?

              Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate “auth” because AES-256-GCM mode already includes authentication in the encryption.
              Ubuntu Touch, on the other hand, still forces an older mode (AES-256-CBC + SHA1 authentication).

              G 1 Reply Last reply Reply Quote 0
              • Vlad NirkyV Offline
                Vlad Nirky @gpatel-fr
                last edited by

                @gpatel-fr @OtaDr @gpatel-fr

                Thanks for your help !

                1 Reply Last reply Reply Quote 0
                • G Online
                  gpatel-fr @Vlad Nirky
                  last edited by

                  @Vlad-Nirky said in OpenVPN setup does not offer what i need for my vpn server....:

                  Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate “auth” because AES-256-GCM mode already includes authentication in the encryption.

                  probably a mismatch in Openvpn versions, they have this habit of changing some parameters meaning. Nice wrap-up, thanks for the explanation.

                  1 Reply Last reply Reply Quote 0
                  • J Offline
                    jagdtigger @Vlad Nirky
                    last edited by jagdtigger

                    @Vlad-Nirky
                    Did your method with the nmcli import command (only had to add the user+pass in the UT GUI), still get timeout on the phone and the same errors in openvpn log. And i think i know why. Seems like nmcli has its own mind and omitted settings from the imported config....
                    Original

                    client
remote '<domain>'
tun-ipv6
cert '/home/phablet/Documents/vpn/phone.crt'
key '/home/phablet/Documents/vpn/phone.key'
ca '/home/phablet/Documents/vpn/server.crt'
auth-user-pass
dev tun
dev-type tun
proto udp
port <port>
tls-crypt '/home/phablet/Documents/vpn/tls.key'
tls-version-min '1.3' or-highest
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn

                    Imported:

                    root@ubuntu-phablet:/home/phablet/Documents/vpn# cat /etc/netplan/90-NM-f1365f35-54fb-432f-8a95-fd811aafd906.yaml 
network:
  version: 2
  nm-devices:
    NM-f1365f35-54fb-432f-8a95-fd811aafd906:
      renderer: NetworkManager
      networkmanager:
        uuid: "f1365f35-54fb-432f-8a95-fd811aafd906"
        name: "main-vpn"
        passthrough:
          connection.type: "vpn"
          vpn.ca: "/home/phablet/Documents/vpn/server.crt"
          vpn.cert: "/home/phablet/Documents/vpn/phone.crt"
          vpn.cert-pass-flags: "1"
          vpn.connection-type: "password-tls"
          vpn.dev: "tun"
          vpn.dev-type: "tun"
          vpn.key: "/home/phablet/Documents/vpn/phone.key"
          vpn.password-flags: "1"
          vpn.port: "<port>"
          vpn.remote: "<domain>"
          vpn.username: "<user>"
          vpn.service-type: "org.freedesktop.NetworkManager.openvpn"
          ipv4.method: "auto"
          ipv6.addr-gen-mode: "default"
          ipv6.method: "auto"
          proxy._: ""

                    No wonder the server has tls errors, the tls-crypt option is missing.

                    Vlad NirkyV G 2 Replies Last reply Reply Quote 0
                    • Vlad NirkyV Offline
                      Vlad Nirky @jagdtigger
                      last edited by Vlad Nirky

                      @jagdtigger
                      I imagine it also depends on the VPN server and its configuration...
                      This works for me.

                      phablet@ubuntu-phablet:~$ cat /home/phablet/Documents/KeePass/phde.nmconnection 
client
remote '<my_server>.ddns.net' 1194
cert '/home/phablet/.cert/nm-openvpn/phde-cert.pem'
key '/home/phablet/.cert/nm-openvpn/phde-key.pem'
ca '/home/phablet/.cert/nm-openvpn/phde-ca.pem'
cipher AES-256-GCM
auth SHA256
ncp-disable
dev tun
proto udp
remote-cert-tls server
verify-x509-name rpi3_9b0ae2d9-f297-4706-ab24-8b9d63b3a51f name
tls-crypt '/home/phablet/.cert/nm-openvpn/phde-tls-crypt.pem'
tls-version-min '1.2'
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn
route 192.168.128.0 255.255.254.0
                      J 1 Reply Last reply Reply Quote 0
                      • G Online
                        gpatel-fr @jagdtigger
                        last edited by

                        @jagdtigger

                        oh well TIL that Ubuntu is patching network-manager to backup the network configuration changes to netplan. I was sticking to the old advice 'either netplan OR network-manager'.

                        For your information, network manager is a Gnome thing and wants nothing to do with netplan that is an Ubuntu thing. Since Ubuntu mostly uses Gnome, this patching tries to make for a better config since network manager is deeply integrated into Gnome. Adding OpenVpn and Ubuntu Touch (that don't use Gnome) is not making things much clearer in the corner cases unfortunately.
                        So I don't find the idea of getting a netplan config invalid or fighting with Network Manager particularly surprising.
                        I have no idea if just editing the netplan file and restarting netplan with sudo netplan apply will 'stick' in UT.

                        1 Reply Last reply Reply Quote 0
                        • J Offline
                          jagdtigger @Vlad Nirky
                          last edited by jagdtigger

                          @Vlad-Nirky
                          Every other client, including this phone with the openvpn app when it was running android connected just fine so i have doubts about the server causing it.
                          Server log:

                          Oct 26 11:23:17	openvpn	68034	openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connected
Oct 26 11:23:17	openvpn	89539	MULTI_sva: push_ifconfig_ipv6 <ip6>
Oct 26 11:23:16	openvpn	63105	openvpn server 'ovpns1' user '<phone>' address '<phone_ip>:2866' - connecting
Oct 26 11:23:16	openvpn	89539	phone/<phone_ip>:2866 MULTI_sva: push_ifconfig_ipv6 <ip6>
Oct 26 11:23:16	openvpn	89539	phone/<phone_ip>:2866 MULTI_sva: pool returned IPv4=10.125.220.2, IPv6=<ip6>
Oct 26 11:23:15	openvpn	5699	user '<phone>' authenticated
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 [phone] Peer Connection Initiated with [AF_INET]<phone_ip>:2866
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_COMP_STUBv2=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_COMP_STUB=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_LZO_STUB=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_PROTO=990
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_CIPHERS=AES-256-GCM:CHACHA20-POLY1305
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_MTU=1600
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_TCPNL=1
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_PLAT=linux
Oct 26 11:23:15	openvpn	89539	<phone_ip>:2866 peer info: IV_VER=2.6.14

                          Phone console output (usb adb shell):

                          phablet@ubuntu-phablet:~/Documents/vpn$ sudo openvpn --config ./main-vpn.ovpn
2025-10-26 11:23:09 Unrecognized option or missing or extra parameter(s) in ./main-vpn.ovpn:11: block-outside-dns (2.6.14)
2025-10-26 11:23:09 OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-10-26 11:23:09 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2025-10-26 11:23:09 DCO version: N/A
Enter Auth Username: <phone>
Enter Auth Password: ••••••••••              
2025-10-26 11:23:15 TCP/UDP: Preserving recently used remote address: [AF_INET]<server>
2025-10-26 11:23:15 UDPv4 link local: (not bound)
2025-10-26 11:23:15 UDPv4 link remote: [AF_INET]<server>
2025-10-26 11:23:15 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-10-26 11:23:15 [openvpn_server-cr] Peer Connection Initiated with [AF_INET]<server>
2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:3: block-outside-dns (2.6.14)
2025-10-26 11:23:17 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: register-dns (2.6.14)
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2025-10-26 11:23:17 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-10-26 11:23:17 TUN/TAP device tun0 opened
2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0
2025-10-26 11:23:17 net_iface_up: set tun0 up
2025-10-26 11:23:17 net_addr_v4_add: <ip4> dev tun0
2025-10-26 11:23:17 net_iface_mtu_set: mtu 1500 for tun0
2025-10-26 11:23:17 net_iface_up: set tun0 up
2025-10-26 11:23:17 net_addr_v6_add: <ip6> dev tun0
2025-10-26 11:23:17 Initialization Sequence Completed

                          The network unreachable error is odd, but right now the main issue is that the nmcli+ntplan combo is royally screwing up the config itself when imported or when forced to add user+pass in the gui....

                          @gpatel-fr
                          I was aware from the getgo ubuntu does stupid things like NM+NP, not to mention their obsession with their failing app packaging format.....
                          Anyway as i said above i think it does something iffy with the config. The tls-crypt option missing inside the netplan yaml even though it was there before import i think is a pretty good indicator of that.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post