Posts made by Vlad Nirky

Vlad Nirky

@Luksus
voLTE is always enabled for me (Xiaomi Redi Note 9 Pro 24.04 Stable (at the moment))
No effect on VPN connections

Vlad Nirky

@jagdtigger
I imagine it also depends on the VPN server and its configuration...
This works for me.

phablet@ubuntu-phablet:~$ cat /home/phablet/Documents/KeePass/phde.nmconnection 
client
remote '<my_server>.ddns.net' 1194
cert '/home/phablet/.cert/nm-openvpn/phde-cert.pem'
key '/home/phablet/.cert/nm-openvpn/phde-key.pem'
ca '/home/phablet/.cert/nm-openvpn/phde-ca.pem'
cipher AES-256-GCM
auth SHA256
ncp-disable
dev tun
proto udp
remote-cert-tls server
verify-x509-name rpi3_9b0ae2d9-f297-4706-ab24-8b9d63b3a51f name
tls-crypt '/home/phablet/.cert/nm-openvpn/phde-tls-crypt.pem'
tls-version-min '1.2'
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nm-openvpn
group nm-openvpn
route 192.168.128.0 255.255.254.0

Vlad Nirky

@gpatel-fr @OtaDr @gpatel-fr

Thanks for your help !

Vlad Nirky

@gpatel-fr
Solved.
Add this in nmconnection file before import.
~~cipher AES-256-CBC~~
cipher AES-256-GCM
auth SHA256
ncp-disable

Critical lines in your Ubuntu Touch log
WARNING: ‘auth’ is used inconsistently, local=‘auth SHA256’, remote=‘auth SHA1’
phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
The server uses SHA256 authentication
The Ubuntu Touch client uses SHA1 authentication
Result: the HMACs of the data packets do not match → rejection.

Why does Fedora work?

Fedora (OpenVPN 2.6.15 with AEAD/DCO) does not need separate “auth” because AES-256-GCM mode already includes authentication in the encryption.
Ubuntu Touch, on the other hand, still forces an older mode (AES-256-CBC + SHA1 authentication).

Vlad Nirky

@OtaDr @gpatel-fr
Openvpn is a cherry pick on my pihole rpi server...
The first goal was to anonymize the DNS so i have installed pihole and unbound.
The vpn is for rare take over from outdoor UT developpers to debug issue on my hardware.

I thing there is some issue in the packet decryption.
This issue don't seem to happen when i launch openvpn manually on the phone (to be confirmed) so i have something to look out there.

The openvpn are not in the same version on the different parts

[jll @ rpi3 - 07:44:11 ]  ~ 
> openvpn --version
OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 25 2025
library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

[jll @ fedora - 07:42:40 ]  ~ 
> openvpn --version
OpenVPN 2.6.15 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.2.6 30 Sep 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

phablet@ubuntu-phablet:~$ openvpn --version
OpenVPN 2.6.14 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

Vlad Nirky

@gpatel-fr
I think a have something interresting in the openvpn server log (as you expected)


After phone connexion to VPN
root@rpi3:/var/log# 
cat openvpn.log 
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 TLS: Initial packet from [AF_INET]188.5.220.190:1210, sid=e5f0bc02 623c1eb2
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=1, CN=Easy-RSA CA
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY KU OK
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Validating certificate extended key usage
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY EKU OK
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 VERIFY OK: depth=0, CN=phde
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_VER=2.6.14
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PLAT=linux
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_TCPNL=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_MTU=1600
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_CIPHERS=AES-256-CBC
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_PROTO=990
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_LZO_STUB=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUB=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 peer info: IV_COMP_STUBv2=1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1557'
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Oct 26 07:14:56 rpi3 ovpn-server[11385]: 188.5.220.190:1210 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1210
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: new connection by client 'phde' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
Oct 26 07:14:56 rpi3 ovpn-server[11385]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1210
Oct 26 07:14:56 rpi3 ovpn-server[11385]: MULTI: primary virtual IP for phde/188.5.220.190:1210: 10.238.198.3
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 26 07:14:56 rpi3 ovpn-server[11385]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:14:56 rpi3 ovpn-server[11385]: SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-CBC' (status=1)
Oct 26 07:14:56 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:00 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:07 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed
Oct 26 07:15:21 rpi3 ovpn-server[11385]: phde/188.5.220.190:1210 Authenticate/Decrypt packet error: packet HMAC authentication failed

After PC connexion to VPN
///Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 TLS: Initial packet from [AF_INET]188.5.220.190:1898, sid=0bfa998b 8f16b815
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=1, CN=Easy-RSA CA
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY KU OK
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Validating certificate extended key usage
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY EKU OK
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 VERIFY OK: depth=0, CN=phde
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_VER=2.6.15
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PLAT=linux
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_TCPNL=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_MTU=1600
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_NCP=2
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_PROTO=990
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_LZO_STUB=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUB=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 peer info: IV_COMP_STUBv2=1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Oct 26 07:25:28 rpi3 ovpn-server[678]: 188.5.220.190:1898 [phde] Peer Connection Initiated with [AF_INET]188.5.220.190:1898
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI_sva: pool returned IPv4=10.238.198.2, IPv6=(Not enabled)
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/phde
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: Learn: 10.238.198.3 -> phde/188.5.220.190:1898
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 MULTI: primary virtual IP for phde/188.5.220.190:1898: 10.238.198.3
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 26 07:25:28 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 SENT CONTROL [phde]: 'PUSH_REPLY,dhcp-option DNS 10.238.198.1,block-outside-dns,redirect-gateway def1,route-gateway 10.238.198.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.238.198.3 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Oct 26 07:25:29 rpi3 ovpn-server[678]: phde/188.5.220.190:1898 PUSH: Received control message: 'PUSH_REQUEST'

Vlad Nirky

@gpatel-fr
On the PC
Connected through my wife phone

[jll @ fedora - 06:42:15 ]  ~ 
> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fe:aa:b6:35:ee:2d brd ff:ff:ff:ff:ff:ff permaddr 94:e6:f8:ed:7d:c6
    altname wlp0s20f3
    altname wlx94e6f7ed7dc6
    inet 192.168.43.91/24 brd 192.168.43.255 scope global dynamic noprefixroute wlo1
       valid_lft 3583sec preferred_lft 3583sec
    inet6 2a02:a020:3ca:ad84:2f98:edb3:fe4a:5d89/64 scope global dynamic noprefixroute 
       valid_lft 3583sec preferred_lft 3583sec
    inet6 fe80::fa56:6baf:9454:41db/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 7a:36:73:60:85:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.238.198.3/24 brd 10.238.198.255 scope global noprefixroute tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::1ba:8201:6599:7bb8/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
[jll @ fedora - 06:42:20 ]  ~ 
> route -v
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         _gateway        0.0.0.0         UG    600    0        0 wlo1
10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
171.167-240-81. _gateway        255.255.255.255 UGH   50     0        0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlo1
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 wlo1
[jll @ fedora - 06:49:12 ]  ~ 
> ping 10.238.198.1
PING 10.238.198.1 (10.238.198.1) 56(84) octets de données.
64 octets de 10.238.198.1 : icmp_seq=1 ttl=64 temps=37.5 ms
64 octets de 10.238.198.1 : icmp_seq=2 ttl=64 temps=48.1 ms
^C
--- statistiques ping 10.238.198.1 ---
2 paquets transmis, 2 reçus, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 37.533/42.797/48.062/5.264 ms
[jll @ fedora - 06:49:24 ]  ~ 
> ping 10.238.198.2
PING 10.238.198.2 (10.238.198.2) 56(84) octets de données.
De 10.238.198.1 icmp_seq=2 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
De 10.238.198.1 icmp_seq=3 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
De 10.238.198.1 icmp_seq=4 Rediriger l'hôte(Nouveau sautsuivant : 10.238.198.2)
^C
--- statistiques ping 10.238.198.2 ---
4 paquets transmis, 0 reçus, +3 erreurs, 100% packet loss, time 3031ms

[jll @ fedora - 06:44:05 ]  ~ 
> ping 192.168.129.64
PING 192.168.129.64 (192.168.129.64) 56(84) octets de données.
64 octets de 192.168.129.64 : icmp_seq=1 ttl=254 temps=51.0 ms
64 octets de 192.168.129.64 : icmp_seq=2 ttl=254 temps=49.7 ms
64 octets de 192.168.129.64 : icmp_seq=3 ttl=254 temps=51.5 ms
^C
--- statistiques ping 192.168.129.64 ---
3 paquets transmis, 3 reçus, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 49.699/50.727/51.526/0.763 ms

Vlad Nirky

@gpatel-fr
My first openvpn...
It is usable (Ratchanan has connected my phone to debug some issues) and i use it to connect to my proxmox infra.

[jll @ rpi3 - 06:33:20 ]  ~ 
> cat /etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.crt
key /etc/openvpn/easy-rsa/pki/private/rpi3_9b0ae2d9-f297-4706-ab24-8a9d63b3b51f.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.238.198.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.238.198.1"
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
 tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

Vlad Nirky

@gpatel-fr
I guess TLS key has to be feed at the begining of the connection (as it does in openvpn connection)

With the NetworkManager

phablet@ubuntu-phablet:~$ route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.238.198.1    0.0.0.0         UG    50     0        0 tun0
default         192.168.43.1    0.0.0.0         UG    600    0        0 wlan0
10.238.198.0    0.0.0.0         255.255.255.0   U     50     0        0 tun0
171.167-240-81. 192.168.43.1    255.255.255.255 UGH   50     0        0 wlan0
147.69.137.0    0.0.0.0         255.255.255.192 U     0      0        0 rmnet_data0
192.168.43.0    0.0.0.0         255.255.255.0   U     600    0        0 wlan0
192.168.43.1    0.0.0.0         255.255.255.255 UH    50     0        0 wlan0
192.168.128.0   0.0.0.0         255.255.254.0   U     50     0        0 tun0

But i was not able to ping 192.168.129.161 (my PC)

No NAT/MASQUERADE on the openvpn server?

No idea, i have tried to had
push "route 192.168.128.0 255.255.254.0"
push "dhcp-option DNS 192.168.128.1"
in server config but without result.(/etc/openvpn/server.conf)

sudo systemctl status NetworkManager
and
sudo systemctl status openvpn
gave me some clues (such as the TLS issue)

I haven't had time yet to look at the various logs

VPN on my PC works fine with the actual openvpn server but not the phone...

Vlad Nirky

@jagdtigger
Here's what I've done so far.
I imported the .ovpn file generated by my OpenVPN server into an Ubuntu 24.04 PC.
I tested that the VPN was working properly on the PC.
I exported this configuration using
nmcli connection export "<vpn name="">" > myvpn.nmconnection
I corrected the paths so that they point to /home/phablet/...
I copied this file to my phone, then imported the connection
nmcli connection import type openvpn file myvpn.ovpn
I opened this configuration in the UT VPN settings to add the TLS key password
I connected to my wife's phone's Wi-Fi and activated the VPN, which turned on.
My IP was 10.238.198.3
No way to ping a machine on my network even though the VPN is up (tun0 is in the result of ip a)
I copied the ovpn file on the smartphone then I then tried to simplify (no longer going through NetworkManager) and used
sudo openvpn --config /home/phablet/<vpn name>.ovpn --verb 4
ip a gives tun0 present
but no way to ping a machine on my network .
I have added the route
sudo ip route add 192.168.128.0/23 dev tun0.
After that i have been able to ping my network from the phone.

Vlad Nirky

@mihael
For my part (old school), I use Midnight Commander with one of the two panels in SSH on the PC.

Vlad Nirky

@mihael
You can use ssh from the phone to the PC.

Vlad Nirky

@gpatel-en
Thank you for these explanations. Interesting...
I will look into it further.
I will keep you informed.

Vlad Nirky

@gpatel-fr
I must have expressed myself poorly.
The tunnel created tun0 has an address of 10.238.198.3.
By adding the route, I can access my 192.168.128.0/23 network.
On my PC, NetworkManager does the job: it opens the connection, receives an IP for the VPN, and adds the route (this is configured by my user's .ovpn, which I imported).
Under UT, there is no .ovpn import. Configuration via the NetworkManager interface does not work (or I cannot get it to work). I exported the NetworkManager configuration from my PC with nmcli connection export and re-imported it into UT via nmcli connection import.
Roughly speaking, it should contain what is in the .ovpn file.
I added the TLS key password.
The connection is established, I have a tun0 created with an IP address of 10.238.198.x, but pinging my 192.168.128.x network does not work even if I add the route so that my access to 192.168.128.0/23 is via tun0.
However, if I do the same thing by launching the VPN via OpenVPN using the .ovpn and adding the same route as before, the tun0 tunnel is created and I can ping the machines on my network.

Vlad Nirky

@gpatel-fr
Tesing is uneasy because i can't connect via ssh on the phone and have to d all through terminal on the phone...

Vlad Nirky

@gpatel-fr
Yes and the serveur config is working with my pc Fedora 42 and NetworkManager.
The VPN serveur is not my routeur but a rpi 3 running openvpn.
I have tried sudo openvpn --config /home/phablet/jll.ovpn --verb 4
The vpn is up and tun0 created.
but i can't ping my local network.
I have had ping success when i added sudo ip route add 192.168.128.0/23 dev tun0
It's look like (i'm not a network expert) the NM don't add the route for some reason on the phone (confinment or bug) and the NM on my PC does it.

Vlad Nirky

It's progressing, I can connect via network manager now but I don't have an IP address in my local network...

Vlad Nirky

Well, changing the file doesn't help.
I'm now trying on the PC configured nmcli connection export jll > jll.nmconnection
and on the phone sudo nmcli connection import type openvpn file jll.nmconnection
So far, it's not working...

Vlad Nirky

I must continue searching because, after restarting, the modified VPN configuration in /etc/netplan is no longer available.

Vlad Nirky

@RandomUser
Yes, of course.
That's already what I do with KeepassXC on my PC.
My choice is to do it locally and not on the Bitwarden or Dashlane web servers.
Most of them have MFA.
I understand your concern about having a clear view of what the application can use.
And Maciek's idea of blocking installation until we accept a change in the permissions granted seems excellent to me.