On Feb 18, 2017 3:03 AM, "Ed Greshko" <ed.gres...@greshko.com> wrote:
> On 02/18/17 14:38, InvalidPath wrote:
>> Well that's just it.. on Linux IDK where the correct location is. I tried placing it and the ca.crt in the same folder, then specifying the entire path in the .ovpn and both times the GUI prompted me, do I want to copy them to /home/user/etc/etc and I chose yes. But the connection times out in either case.
>
> First of all.... Many people on this list, myself included, would appreciate it if you'd put your responses below the text you are replying to. It makes for easier reading.
>
> With NetworkManager it is best to put them under their own directory under...
>
> ~/.local/share/networkmanagement/certificates
>
> For example.....
>
> [egreshko@meimei certificates]$ pwd
> /home/egreshko/.local/share/networkmanagement/certificates
> [egreshko@meimei certificates]$ ls
> AU-Sydney-S1       US-Los-Angeles-S3    US-San-Jose-S1
> US-Kansas-City-S1  US-New-York-City-S1  US-Seattle-S1
>
> Showing I have 6 connections defined.
>
> [egreshko@meimei certificates]$ ls -Z US-Kansas-City-S1
> unconfined_u:object_r:home_cert_t:s0 ca.crt
> unconfined_u:object_r:home_cert_t:s0 cert.crt
> unconfined_u:object_r:home_cert_t:s0 private.key
> unconfined_u:object_r:home_cert_t:s0 tls_auth.key
>
> Shows the key files for that one connection and their SELinux contexts.
>
> Do Not "move" the cert files to their new locations but copy them. If you move them they will not have the SELinux context and you'll have to take a second step to restore the context.
>
> Then, when you try connecting you should check the journal (using journalctl) to see if the connection is made and/or if there are any errors. A successful connection would look like something similar to this....
>
> [egreshko@meimei ~]$ cat openvpn
> Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
> Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
> Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
> Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
> Feb 18 17:03:56 meimei.greshko.com nm-openvpn[32673]: Control Channel Authentication: using '/home/egreshko/.local/share/networkmanagement/certificates/US-Seattle-S1/tls_auth.key' as a OpenVPN static key file
> Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: UDPv4 link local: [undef]
> Feb 18 17:03:57 meimei.greshko.com nm-openvpn[32673]: UDPv4 link remote: [AF_INET]69.4.227.18:53
> Feb 18 17:04:00 meimei.greshko.com nm-openvpn[32673]: [isvpn.net] Peer Connection Initiated with [AF_INET]69.4.227.18:53
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology-subnet (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: option 'mssfix' cannot be used in this context ([PUSH-OPTIONS])
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-pre-release (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:7: dhcp-renew (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:8: dhcp-release (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:14: register-dns (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:15: block-ipv6 (2.3.14)
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: TUN/TAP device tun0 opened
> Feb 18 17:04:02 meimei.greshko.com nm-openvpn[32673]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 32667 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_9 --tun -- tun0 1500 1570 25.0.8.4 255.255.255.0 init
> Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: GID set to nm-openvpn
> Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: UID set to nm-openvpn
> Feb 18 17:04:07 meimei.greshko.com nm-openvpn[32673]: Initialization Sequence Completed
> Feb 18 17:04:12 meimei.greshko.com nm-openvpn[32673]: SIGTERM received, sending exit notification to peer
> Feb 18 17:04:13 meimei.greshko.com nm-openvpn[32673]: SIGTERM[soft,exit-with-notification] received, process exiting
>
> --
> Fedora Users List - The place to go to get others to do the work for you
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org

Sorry Ed.. with the default being at the top for so many devices and apps it didn't even cross my mind.

~/.local/share/networkmanagement/certificates: this is exactly where NetworkManager prompts me to copy the cert to.

So with that in mind that's when I tried removing the full path, here's an example:

dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x.x 34447 udp
lport 0
auth-user-pass
ca /home/bhart/Documents/VPN_CONFIG/config/xxxx-fw-1-udp-34447-ca.crt
tls-auth /home/bhart/Documents/VPN_CONFIG/config/xxxx-fw-1-udp-34447-tls.key 1
ns-cert-type server
comp-lzo adaptive

But then once they're copied to that other location I decided that maybe I should remove those paths. It didn't change things.

➜  certificates ll
total 8.0K
-rw-r--r-- 1 bhart bhart 1.4K Feb 17 07:12 xxxx-fw-1-udp-34447-config_gntc-fw-1-udp-34447-ca.crt
-rw-r--r-- 1 bhart bhart  657 Feb 17 07:12 xxxx-fw-1-udp-34447-config_gntc-fw-1-udp-34447-tls.key

So journalctl -xe right now shows:

Feb 18 08:23:27 localhost.localdomain NetworkManager[1297]: <info> [1487431407.9972] keyfile: update /etc/NetworkManager/system-connections/xxxx-fw-1-udp-34447-config (d550859
Feb 18 08:23:27 localhost.localdomain NetworkManager[1297]: <info> [1487431407.9976] audit: op="connection-update" uuid="d550859e-f14a-40b5-8ab0-64b3a13d8ef3" name="xxxx-fw-1-
Feb 18 08:23:29 localhost.localdomain kde5-nm-connection-editor[5001]: QDBusObjectPath: invalid path ""
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info> [1487431409.6901] audit: op="connection-activate" uuid="d550859e-f14a-40b5-8ab0-64b3a13d8ef3" name="xxxx-fw-
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info> [1487431409.6927] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info> [1487431409.6990] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain kdeinit5[2289]: plasma-nm: Unhandled VPN connection state change: 2
Feb 18 08:23:29 localhost.localdomain kdeinit5[2289]: plasma-nm: Unhandled VPN connection state change: 3
Feb 18 08:23:29 localhost.localdomain NetworkManager[1297]: <info> [1487431409.7264] vpn-connection[0x55ade43bb2f0,d550859e-f14a-40b5-8ab0-64b3a13d8ef3,"xxxx-fw-1-udp-34447-co
Feb 18 08:23:29 localhost.localdomain nm-openvpn[5401]: Options error: If you use one of --cert or --key, you must use them both

This is confusing.. according to the .ovpn file this connection should be using auth-user-pass but then without specifying password with TLS how does the key file get used? (I did attempt connection with just password set and it fails with:

Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more in
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: UDPv4 link local: [undef]
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: UDPv4 link remote: [AF_INET]72.174.102.34:34447
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: VERIFY ERROR: depth=0, error=certificate signature failure: C=US, ST=MT, O=$organization, OU=Operations, CN=xxxx-v
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS_ERROR: BIO read tls_read_plaintext error
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS Error: TLS object -> incoming plaintext read error
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: TLS Error: TLS handshake failed
Feb 18 08:32:16 localhost.localdomain nm-openvpn[7769]: SIGUSR1[soft,tls-error] received, process restarting

Which is even more confusing because this config file works perfectly with the Windows OpenVPN client. So there must be some difference in how the clients use this file because the certificate is valid.

I did go to the link in this error log and it's really not much help since the server certificate and actually the entire config was generated from pfSense.

Thanks
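An added example, not from the thread and not OpenVPN's, NetworkManager's or pfSense's own code: a small Python linter for the directive lines of a .ovpn profile that turns the things the journal excerpts above complain about into findings a defender can check before importing a profile. It flags a lone cert or key (the "--cert or --key, you must use them both" options error), a profile with no server-certificate verification directive (the howto.html#mitm warning in Ed's log), the deprecated ns-cert-type form, a 64-bit block cipher such as the BF-CBC in the posted profile, and file directives that point outside the directory NetworkManager imports copies into. The sample profiles, the host name, the user name, the directory and the PEM body are constructed placeholders modelled on the thread, and the rule set is this example's own assumption, not OpenVPN's validation logic.

```python
"""Lint an OpenVPN client profile for the problem classes seen in the thread."""
import os
from pathlib import Path
from typing import List, Tuple

FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "pkcs12")  # arg[0] is a file
# Any one of these makes the client insist that the peer presents a *server* certificate;
# without one, any certificate signed by the CA is accepted (the howto.html#mitm warning).
SERVER_VERIFY = frozenset({"ns-cert-type", "remote-cert-tls", "remote-cert-eku",
                           "verify-x509-name", "tls-verify"})
WEAK_BLOCK_CIPHERS = frozenset({"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"})  # 64-bit block


def parse_ovpn(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) pairs; comments skipped, <ca>...</ca> blocks become
    the directive with the single argument "<inline>" (PEM body not parsed)."""
    entries: List[Tuple[str, List[str]]] = []
    inline_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_block is not None:          # inside <tag> ... </tag>
            if line == f"</{inline_block}>":
                inline_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_block = line[1:-1]
            entries.append((inline_block, ["<inline>"]))
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_ovpn(text: str, cert_dir: str) -> List[str]:
    """Return findings as 'tag: message' strings; an empty list means nothing flagged."""
    entries = parse_ovpn(text)
    present = {directive for directive, _ in entries}
    findings: List[str] = []
    # cert and key go together; a lone one is the "--cert or --key" options error.
    if ("cert" in present) != ("key" in present):
        findings.append("cert-key: only one of 'cert'/'key' is set; OpenVPN needs both or neither")
    if not present & {"auth-user-pass", "cert", "pkcs12"}:
        findings.append("auth: no client authentication (auth-user-pass, cert/key or pkcs12)")
    if not present & SERVER_VERIFY:
        findings.append("verify: no server-certificate verification directive; "
                        "any CA-signed certificate would be accepted as the server")
    elif "ns-cert-type" in present:
        findings.append("verify: 'ns-cert-type' is deprecated since OpenVPN 2.4 (removed in 2.5); "
                        "use 'remote-cert-tls server'")
    base = Path(os.path.expanduser(cert_dir))
    for directive, args in entries:
        if directive == "cipher" and args and args[0].upper() in WEAK_BLOCK_CIPHERS:
            findings.append(f"cipher: {args[0]} is a 64-bit block cipher (SWEET32); prefer AES-GCM")
        # NetworkManager imports its own copy of each file into cert_dir (as the thread shows),
        # so an absolute path elsewhere is not the file the connection will actually read.
        if directive in FILE_DIRECTIVES and args and args[0] != "<inline>":
            path = Path(args[0])
            if path.is_absolute() and base not in path.parents:
                findings.append(f"path: '{directive}' refers to {path}, outside {base}")
    return findings


# Constructed samples modelled on the thread's profile; host, user and PEM body are placeholders.
CERT_DIR = "/home/user/.local/share/networkmanagement/certificates"
THREAD_CONFIG = """\
client
dev tun
cipher BF-CBC
auth SHA1
remote vpn.example.invalid 34447 udp
auth-user-pass
ca /home/user/Documents/VPN_CONFIG/config/fw-1-udp-34447-ca.crt
tls-auth /home/user/Documents/VPN_CONFIG/config/fw-1-udp-34447-tls.key 1
ns-cert-type server
comp-lzo adaptive
"""
# Files relocated under CERT_DIR, plus a lone 'key' line: reproduces the thread's options error.
BROKEN_CONFIG = THREAD_CONFIG.replace("/home/user/Documents/VPN_CONFIG/config/",
                                      CERT_DIR + "/fw-1/") + f"key {CERT_DIR}/fw-1/private.key\n"
HARDENED_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194 udp
auth-user-pass
cipher AES-256-GCM
auth SHA256
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("broken", BROKEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_ovpn(cfg, CERT_DIR) or ["(nothing flagged)"]:
            print("  " + finding)
```

Run it as a script to see the three profiles side by side. The posted profile is flagged for its cipher, its deprecated verification directive and its two out-of-tree paths; the "broken" variant adds the lone-key finding that matches the options error in the journal; the hardened variant, with inline PEM and remote-cert-tls server, produces nothing. Whether a CA-signed certificate really carries the server EKU the hardened form demands is a question for the pfSense side, which the linter cannot answer from the profile alone.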