@Luksus
voLTE is always enabled for me (Xiaomi Redi Note 9 Pro 24.04 Stable (at the moment))
No effect on VPN connections
Posts
-
RE: OpenVPN setup does not offer what i need for my vpn server....
-
RE: OpenVPN setup does not offer what i need for my vpn server....
@jagdtigger
I imagine it also depends on the VPN server and its configuration...
This works for me.phablet@ubuntu-phablet:~$ cat /home/phablet/Documents/KeePass/phde.nmconnection client remote '<my_server>.ddns.net' 1194 cert '/home/phablet/.cert/nm-openvpn/phde-cert.pem' key '/home/phablet/.cert/nm-openvpn/phde-key.pem' ca '/home/phablet/.cert/nm-openvpn/phde-ca.pem' cipher AES-256-GCM auth SHA256 ncp-disable dev tun proto udp remote-cert-tls server verify-x509-name rpi3_9b0ae2d9-f297-4706-ab24-8b9d63b3a51f name tls-crypt '/home/phablet/.cert/nm-openvpn/phde-tls-crypt.pem' tls-version-min '1.2' nobind auth-nocache script-security 2 persist-key persist-tun user nm-openvpn group nm-openvpn route 192.168.128.0 255.255.254.0 -
RE: OpenVPN setup does not offer what i need for my vpn server....
Thanks for your help !
-
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
Solved.
Add this in nmconnection file before import.
cipher AES-256-CBC
cipher AES-256-GCM
auth SHA256
ncp-disableCritical lines in your Ubuntu Touch log
WARNING: ‘auth’ is used inconsistently, local=‘auth SHA256’, remote=‘auth SHA1’
phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
The server uses SHA256 authentication
The Ubuntu Touch client uses SHA1 authentication
Result: the HMACs of the data packets do not match → rejection.Why does Fedora work?
Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate “auth” because AES-256-GCM mode already includes authentication in the encryption.
Ubuntu Touch, on the other hand, still forces an older mode (AES-256-CBC + SHA1 authentication). -
RE: OpenVPN setup does not offer what i need for my vpn server....
@OtaDr @gpatel-fr
Openvpn is a cherry pick on my pihole rpi server...
The first goal was to anonymize the DNS so i have installed pihole and unbound.
The vpn is for rare take over from outdoor UT developpers to debug issue on my hardware.I thing there is some issue in the packet decryption.
This issue don't seem to happen when i launch openvpn manually on the phone (to be confirmed) so i have something to look out there.The openvpn are not in the same version on the different parts
[jll @ rpi3 - 07:44:11 ] ~ > openvpn --version OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 25 2025 library versions: OpenSSL 1.1.1w 11 Sep 2023, LZO 2.10 Originally developed by James Yonan Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no [jll @ fedora - 07:42:40 ] ~ > openvpn --version OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10 DCO version: N/A Originally developed by James Yonan Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no phablet@ubuntu-phablet:~$ openvpn --version OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10 DCO version: N/A Originally developed by James Yonan Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net> Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
I think a have something interresting in the openvpn server log (as you expected)After phone connexion to VPN root@rpi3:/var/log# cat openvpn.log Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 TLS: Initial packet from [AF_INET]188.5.220.190:1210, sid=e5f0bc02 623c1eb2 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=1, CN=Easy-RSA CA Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY KU OK Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Validating certificate extended key usage Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY EKU OK Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PLAT=linux Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_TCPNL=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_MTU=1600 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PROTO=990 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_LZO_STUB=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUB=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUBv2=1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1557' Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1' Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210 Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: new connection by client 'phde' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled) Oct 26 07:14:56 rpi3 ovpn-server[11385]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1210 Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: primary virtual IP for phde/188.5.220.190:1210: 10.238.198.3 Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:14:56 rpi3 ovpn-server[11385]: SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1) Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:07 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed Oct 26 07:15:21 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed After PC connexion to VPN ///Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 TLS: Initial packet from [AF_INET]188.5.220.190:1898, sid=0bfa998b 8f16b815 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=1, CN=Easy-RSA CA Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY KU OK Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Validating certificate extended key usage Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY EKU OK Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PLAT=linux Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_TCPNL=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_MTU=1600 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PROTO=990 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_LZO_STUB=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUB=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUBv2=1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1 Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1898 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled) Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1898 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: primary virtual IP for phde/188.5.220.190:1898: 10.238.198.3 Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Data Channel: using negotiated cipher 'AES-256-GCM' Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1) Oct 26 07:25:29 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 PUSH: Received control message: 'PUSH_REQUEST' -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
On the PC
Connected through my wife phone[jll @ fedora - 06:42:15 ] ~ > ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:aa:b6:35:ee:2d brd ff:ff:ff:ff:ff:ff permaddr 94:e6:f8:ed:7d:c6 altname wlp0s20f3 altname wlx94e6f7ed7dc6 inet 192.168.43.91/24 brd 192.168.43.255 scope global dynamic noprefixroute wlo1 valid_lft 3583sec preferred_lft 3583sec inet6 2a02:a020:3ca:ad84:2f98:edb3:fe4a:5d89/64 scope global dynamic noprefixroute valid_lft 3583sec preferred_lft 3583sec inet6 fe80::fa56:6baf:9454:41db/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 7a:36:73:60:85:f6 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever 6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500 link/none inet 10.238.198.3/24 brd 10.238.198.255 scope global noprefixroute tun0 valid_lft forever preferred_lft forever inet6 fe80::1ba:8201:6599:7bb8/64 scope link stable-privacy proto kernel_ll valid_lft forever preferred_lft forever [jll @ fedora - 06:42:20 ] ~ > route -v Table de routage IP du noyau Destination Passerelle Genmask Indic Metric Ref Use Iface default _gateway 0.0.0.0 UG 50 0 0 tun0 default _gateway 0.0.0.0 UG 600 0 0 wlo1 10.238.198.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0 171.167-240-81. _gateway 255.255.255.255 UGH 50 0 0 wlo1 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 192.168.43.0 0.0.0.0 255.255.255.0 U 600 0 0 wlo1 _gateway 0.0.0.0 255.255.255.255 UH 50 0 0 wlo1 [jll @ fedora - 06:49:12 ] ~ > ping 10.238.198.1 PING 10.238.198.1 (10.238.198.1) 56(84) octets de données. 64 octets de 10.238.198.1 : icmp_seq=1 ttl=64 temps=37.5 ms 64 octets de 10.238.198.1 : icmp_seq=2 ttl=64 temps=48.1 ms ^C --- statistiques ping 10.238.198.1 --- 2 paquets transmis, 2 reçus, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 37.533/42.797/48.062/5.264 ms [jll @ fedora - 06:49:24 ] ~ > ping 10.238.198.2 PING 10.238.198.2 (10.238.198.2) 56(84) octets de données. De 10.238.198.1 icmp_seq=2 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2) De 10.238.198.1 icmp_seq=3 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2) De 10.238.198.1 icmp_seq=4 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2) ^C --- statistiques ping 10.238.198.2 --- 4 paquets transmis, 0 reçus, +3 erreurs, 100% packet loss, time 3031ms [jll @ fedora - 06:44:05 ] ~ > ping 192.168.129.64 PING 192.168.129.64 (192.168.129.64) 56(84) octets de données. 64 octets de 192.168.129.64 : icmp_seq=1 ttl=254 temps=51.0 ms 64 octets de 192.168.129.64 : icmp_seq=2 ttl=254 temps=49.7 ms 64 octets de 192.168.129.64 : icmp_seq=3 ttl=254 temps=51.5 ms ^C --- statistiques ping 192.168.129.64 --- 3 paquets transmis, 3 reçus, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 49.699/50.727/51.526/0.763 ms -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
My first openvpn...
It is usable (Ratchanan has connected my phone to debug some issues) and i use it to connect to my proxmox infra.[jll @ rpi3 - 06:33:20 ] ~ > cat /etc/openvpn/server.conf dev tun proto udp port 1194 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.crt key /etc/openvpn/easy-rsa/pki/private/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.key dh none ecdh-curve prime256v1 topology subnet server 10.238.198.0 255.255.255.0 # Set your primary domain name server address for clients push "dhcp-option DNS 10.238.198.1" push "block-outside-dns" # Override the Client default gateway by using 0.0.0.0/1 and # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of # overriding but not wiping out the original default gateway. push "redirect-gateway def1" client-to-client client-config-dir /etc/openvpn/ccd keepalive 15 120 remote-cert-tls client tls-version-min 1.2 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key cipher AES-256-CBC auth SHA256 user openvpn group openvpn persist-key persist-tun crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 syslog verb 3 #DuplicateCNs allow access control on a less-granular, per user basis. #Remove # if you will manage access by user instead of device. #duplicate-cn # Generated for use by PiVPN.io -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
I guess TLS key has to be feed at the begining of the connection (as it does in openvpn connection)With the NetworkManager
phablet@ubuntu-phablet:~$ route -v Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default 10.238.198.1 0.0.0.0 UG 50 0 0 tun0 default 192.168.43.1 0.0.0.0 UG 600 0 0 wlan0 10.238.198.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0 171.167-240-81. 192.168.43.1 255.255.255.255 UGH 50 0 0 wlan0 147.69.137.0 0.0.0.0 255.255.255.192 U 0 0 0 rmnet_data0 192.168.43.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0 192.168.43.1 0.0.0.0 255.255.255.255 UH 50 0 0 wlan0 192.168.128.0 0.0.0.0 255.255.254.0 U 50 0 0 tun0But i was not able to ping 192.168.129.161 (my PC)
No NAT/MASQUERADE on the openvpn server?
No idea, i have tried to had
push "route 192.168.128.0 255.255.254.0"
push "dhcp-option DNS 192.168.128.1"
in server config but without result.(/etc/openvpn/server.conf)sudo systemctl status NetworkManager
and
sudo systemctl status openvpn
gave me some clues (such as the TLS issue)I haven't had time yet to look at the various logs
VPN on my PC works fine with the actual openvpn server but not the phone...
-
RE: OpenVPN setup does not offer what i need for my vpn server....
@jagdtigger
Here's what I've done so far.
I imported the .ovpn file generated by my OpenVPN server into an Ubuntu 24.04 PC.
I tested that the VPN was working properly on the PC.
I exported this configuration using
nmcli connection export "<vpn name="">" > myvpn.nmconnection
I corrected the paths so that they point to /home/phablet/...
I copied this file to my phone, then imported the connection
nmcli connection import type openvpn file myvpn.ovpn
I opened this configuration in the UT VPN settings to add the TLS key password
I connected to my wife's phone's Wi-Fi and activated the VPN, which turned on.
My IP was 10.238.198.3
No way to ping a machine on my network even though the VPN is up (tun0 is in the result of ip a)
I copied the ovpn file on the smartphone then I then tried to simplify (no longer going through NetworkManager) and used
sudo openvpn --config /home/phablet/<vpn name>.ovpn --verb 4
ip a gives tun0 present
but no way to ping a machine on my network .
I have added the route
sudo ip route add 192.168.128.0/23 dev tun0.
After that i have been able to ping my network from the phone. -
RE: How can I browse files from a computer?
@mihael
For my part (old school), I use Midnight Commander with one of the two panels in SSH on the PC. -
RE: How can I browse files from a computer?
@mihael
You can use ssh from the phone to the PC. -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-en
Thank you for these explanations. Interesting...
I will look into it further.
I will keep you informed. -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
I must have expressed myself poorly.
The tunnel created tun0 has an address of 10.238.198.3.
By adding the route, I can access my 192.168.128.0/23 network.
On my PC, NetworkManager does the job: it opens the connection, receives an IP for the VPN, and adds the route (this is configured by my user's .ovpn, which I imported).
Under UT, there is no .ovpn import. Configuration via the NetworkManager interface does not work (or I cannot get it to work). I exported the NetworkManager configuration from my PC with nmcli connection export and re-imported it into UT via nmcli connection import.
Roughly speaking, it should contain what is in the .ovpn file.
I added the TLS key password.
The connection is established, I have a tun0 created with an IP address of 10.238.198.x, but pinging my 192.168.128.x network does not work even if I add the route so that my access to 192.168.128.0/23 is via tun0.
However, if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network. -
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
Tesing is uneasy because i can't connect via ssh on the phone and have to d all through terminal on the phone...
-
RE: OpenVPN setup does not offer what i need for my vpn server....
@gpatel-fr
Yes and the serveur config is working with my pc Fedora 42 and NetworkManager.
The VPN serveur is not my routeur but a rpi 3 running openvpn.
I have tried sudo openvpn --config /home/phablet/jll.ovpn --verb 4
The vpn is up and tun0 created.
but i can't ping my local network.
I have had ping success when i added sudo ip route add 192.168.128.0/23 dev tun0
It's look like (i'm not a network expert) the NM don't add the route for some reason on the phone (confinment or bug) and the NM on my PC does it. -
RE: OpenVPN setup does not offer what i need for my vpn server....
It's progressing, I can connect via network manager now but I don't have an IP address in my local network...
-
RE: OpenVPN setup does not offer what i need for my vpn server....
Well, changing the file doesn't help.
I'm now trying on the PC configured nmcli connection export jll > jll.nmconnection
and on the phone sudo nmcli connection import type openvpn file jll.nmconnection
So far, it's not working...
-
RE: OpenVPN setup does not offer what i need for my vpn server....
I must continue searching because, after restarting, the modified VPN configuration in /etc/netplan is no longer available.
-
RE: App security (new KeepassRX app)
@RandomUser
Yes, of course.
That's already what I do with KeepassXC on my PC.
My choice is to do it locally and not on the Bitwarden or Dashlane web servers.
Most of them have MFA.
I understand your concern about having a clear view of what the application can use.
And Maciek's idea of blocking installation until we accept a change in the permissions granted seems excellent to me.