Arch Linux

Can't confirm. Using 2.5.0-3.

I just double check, and it does not work for me. I am using the applet for Plasma, but I can confirm the same issue using nmcli. And checking with journalctl I see that it fails with:
VPN plugin: failed: login-failed (0)
VPN plugin: failed: connect-failed (1)

Downgrading to 2.4.9-2 solves the issue. Anyone can replicate?

https://bbs.archlinux.org/viewtopic.php?id=260625

Confirm this issue using openvpn 2.5.0-3 and nm-openvpn plugin

Ran into the same issue but without NetworkManager: I use systemd scripts for the openvpn client and the recent change in openvpn 2.5.0-3 with User=openvpn Group=network in the systemd unit breaks things:

- files that are only readable by root in /etc/openvpn can't be read - fair enough
- after chowning the openvpn configs, next error was:

write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
write UDP: Operation not permitted (code=1)
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting

Turns out this was my firewall having some user-based outbound rules - perhaps that'll save someone a few minutes too.

I've got a "me too" report. With 2.5.0-3 + networkmanager-openvpn 1.8.12-1 it no longer connects. Downgrading to 2.4.9-2 and it immediately connects.


My nmcli config:

[connection]
id=MyVPN
uuid=f5f235d3-d2df-40b3-b21a-33f8321c74ff
type=vpn
autoconnect=true
#¤permissions=user:johan:;

[vpn]
ca=/etc/ca-certificates/trust-source/anchors/ca.pem
cert=/etc/openvpn/client/client.crt
cert-pass-flags=0
connection-type=tls
key=/etc/openvpn/client/client.key
remote=my.vpn.com
service-type=org.freedesktop.NetworkManager.openvpn
cipher=AES-128-CBC
remote-cert-tls=server
float=yes

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto




Error when connecting:
nov 17 13:14:39 sgo nm-openvpn[74610]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 74606 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_4 --tun -- tun0 1500 1556 172.28.3.10 172.28.3.9 init
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3270] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
nov 17 13:14:39 sgo systemd-udevd[74611]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3433] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN connection: (IP Config Get) reply received.
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3513] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP4 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3549] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: (IP6 Config Get) reply received
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3550] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: invalid IP6 config received!
nov 17 13:14:39 sgo NetworkManager[74299]: <warn> [1605615279.3552] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",23:(tun0)]: VPN connection: did not receive valid IP config information
nov 17 13:14:39 sgo nm-openvpn[74610]: GID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: UID set to nm-openvpn
nov 17 13:14:39 sgo nm-openvpn[74610]: Initialization Sequence Completed
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3590] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: started (4)
nov 17 13:14:39 sgo nm-openvpn[74610]: event_wait : Interrupted system call (code=4)
nov 17 13:14:39 sgo nm-openvpn[74610]: net_addr_ptp_v4_del: 172.28.3.10 dev tun0
nov 17 13:14:39 sgo nm-openvpn[74610]: sitnl_send: rtnl: generic error (-1): Operation not permitted
nov 17 13:14:39 sgo nm-openvpn[74610]: Linux can't del IP from iface tun0
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3676] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopping (5)
nov 17 13:14:39 sgo NetworkManager[74299]: <info> [1605615279.3678] vpn-connection[0x55c8b3dd8570,f5f235d3-d2df-40b3-b21a-33f8321c74ff,"MyVPN",0]: VPN plugin: state changed: stopped (6)

You guys should try using 2.4.9-2 systemd units on version 2.5.0-3 to make sure it's not caused by this patch:
https://github.com/archlinux/svntogit-packages/blob/packages/openvpn/trunk/0001-unprivileged.patch
Edit: never mind, according to the original reporter version 2.5.0-1 which doesn't have this patch yet is broken too, looks like you should bring this up to upstream.
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn

@o_m @jstrom
Fix your IPv6 setup or/and remove 'push "redirect-gateway ipv6 def1 bypass-dhcp"' in server config.

Culprits, OpenVPN 2.4.9:
~ nm-openvpn[8594]: OpenVPN ROUTE6: OpenVPN needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options
~ nm-openvpn[8594]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 2000::/3
~ NetworkManager[465]: <info> [1605205080.1428] vpn-connection[0x557849664740,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",6:(tun0)]: Data: No IPv6 configuration

vs OpenVPN 2.5.0:
~NetworkManager[465]: <info> [1605203437.7906] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: (IP6 Config Get) reply received
~NetworkManager[465]: <warn> [1605203437.7907] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: invalid IP6 config received!
~NetworkManager[465]: <warn> [1605203437.7908] vpn-connection[0x557849664320,b37e5dfc-4aad-4b6d-ae8c-c3479d468477,"openvpn",4:(tun0)]: VPN connection: did not receive valid IP config information

Aha, yes indeed that was the problem.

At first glance I thought that I do not have a single IPv6 config line in either the server (2.5.0 on FreeBSD) or client. But still the server seems to have added "route-ipv6 2000::/3" to the list of pushed options, as indicated in server logs.
After some digging I realised that my client-specific config had that route-ipv6 directive... Removing that, and I can now connect fine with 2.5.0.

Both the VPN server and the client network has IPv6, but I have not explicitly configured it in OpenVPN. Last time I looked into OpenVPN and v6, support in openvpn was lacking, hence the leftovers. Time to revisit that and configure it properly perhaps.

So the "error" (fatal warn?) was right on front of me the whole time.. Should have read more thoroughly, thanks for the hint!

I can change something for client-side only. NM in [vpn] section of connection config file has option "tun-ipv6=no". That's working with openvpn 2.4.9 package, but not with openvpn-2.5.0-3.... Is "client-specific config had that route-ipv6 directive..." on vpn-provider side?

Yes, OpenVPN server has possibility to have different config for different clients via "client-config-dir" directive.

Perhaps you can look into pull-filter directive to ignore certain pushed commands?

I've had this bug the last month. I am using XFCE gui and set my VPN in the Network Connections. IPv6 is set to Disable or Ignore (neither works).

The only solution for me is downgrade:

$ sudo pacman -U https://archive.archlinux.org/packages/o/openvpn/openvpn-2.4.9-2-x86_64.pkg.tar.zst

Hello, same issue here (cyberghost) Downgrading solve the issue.

It looks like one of the NetworkManger OpenVPN plugin maintainers has submitted a merge request to fix this: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/34

I can confirm that the aforementioned merge request (which is now committed) fixes the incompatibility with OpenVPN 2.5. There is no available information when the next version of networkmanager-openvpn will be released so I revived the networkmanager-openvpn-git package in AUR that includes the needed fix: https://aur.archlinux.org/packages/networkmanager-openvpn-git/