Public bug reported:
## Description
OpenVPN connections managed via NetworkManager are failing. The issue is
caused by AppArmor denying access to temporary certificate files
generated by NetworkManager in /run/NetworkManager/cert/.
## Environments
```
jehos@gogunbuntu:~$ date
03/10/26 (화) 05:17:46 PM KST
jehos@gogunbuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Resolute Raccoon (development branch)
Release: 26.04
Codename: resolute
jehos@gogunbuntu:~$ dpkg -l | grep openvpn
ii network-manager-openvpn 1.12.5-1 amd64 network management framework (OpenVPN plugin core)
ii network-manager-openvpn-gnome 1.12.5-1 amd64 network management framework (OpenVPN plugin GNOME GUI)
ii openvpn 2.7.0-1ubuntu1 amd64 virtual private network daemon
ii openvpn-dco-dkms 0.0+git20251017-1 all DCO (Data-Channel Offload) kernel module for OpenVPN 2.6
ii openvpn-systemd-resolved:amd64 1.3.0-5build1 amd64 integrates OpenVPN with systemd-resolved
```
## Steps to Reproduce
1. Import or create an OpenVPN profile in NetworkManager.
2. Attempt to connect to the VPN.
3. The connection fails immediately with a "Connect failed" message.
## syslog:
```
2026-03-10T16:57:35.017691+09:00 gogunbuntu NetworkManager[3073]: <info> [1773129455.0174] vpn[0x63e834bc9c30,931555d8-ad02-436e-84dc-c4089925e888,"AGN-PNU"]: starting openvpn
2026-03-10T16:57:35.017932+09:00 gogunbuntu NetworkManager[3073]: <info> [1773129455.0175] audit: op="connection-activate" uuid="931555d8-ad02-436e-84dc-c4089925e888" name="AGN-PNU" pid=6836 uid=1000 result="success"
2026-03-10T16:57:35.090814+09:00 gogunbuntu nm-openvpn[45561]: DEPRECATED OPTION: --persist-key option ignored. Keys are now always persisted across restarts.
2026-03-10T16:57:35.090991+09:00 gogunbuntu nm-openvpn[45561]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers. E.g. --data-ciphers DEFAULT:BF-CBC
2026-03-10T16:57:35.091041+09:00 gogunbuntu nm-openvpn[45561]: Cannot pre-load keyfile (/run/NetworkManager/cert/FRks7J)
2026-03-10T16:57:35.091068+09:00 gogunbuntu nm-openvpn[45561]: Exiting due to fatal error
2026-03-10T16:57:35.091829+09:00 gogunbuntu NetworkManager[3073]: <warn> [1773129455.0917] vpn[0x63e834bc9c30,931555d8-ad02-436e-84dc-c4089925e888,"AGN-PNU"]: dbus: failure: connect-failed (1)
```
## audit.log:
```
type=AVC msg=audit(1773129455.089:985): apparmor="DENIED" operation="open" class="file" profile="openvpn" name="/run/NetworkManager/cert/FRks7J" pid=45561 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0^]FSUID="root" OUID="root"
```
## apparmor openvpn config
```
jehos@gogunbuntu:~$ sudo grep -ri cert /etc/apparmor.d/openvpn
file r @{HOME}/.cert/nm-openvpn/*,
```
## Workaround
```
jehos@gogunbuntu:~$ sudo aa-complain /usr/sbin/openvpn
Setting /usr/sbin/openvpn to complain mode.
Warning: profile openvpn represents multiple programs
Warning: profile openvpn represents multiple programs
```
** Affects: network-manager-openvpn (Ubuntu)
Importance: Undecided
Status: New
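
Added example (not part of the original report, and not code from AppArmor or NetworkManager): a small Python parser that reads the AVC record quoted in the report and derives a file rule in the style of the profile line shown by the `grep`, scoped to the denied path instead of switching the whole `openvpn` profile to complain mode. The sample line is the report's denial joined onto one line; globbing the directory and the function names are assumptions of this example.

```python
import posixpath
import shlex

# Constructed sample: the denial quoted in the report, joined onto one line.
# auditd separates its enriched fields with byte 0x1D, which shows up as "^]".
SAMPLE = (
    'type=AVC msg=audit(1773129455.089:985): apparmor="DENIED" operation="open" '
    'class="file" profile="openvpn" name="/run/NetworkManager/cert/FRks7J" '
    'pid=45561 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 '
    'ouid=0^]FSUID="root" OUID="root"'
)

def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    line = line.replace("\x1d", " ").replace("^]", " ")
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def suggest_rule(fields, glob_dir=True):
    """Build a file rule in the style of the profile line shown in the report."""
    path = fields.get("name", "")
    if fields.get("class") != "file" or not path.startswith("/"):
        raise ValueError("not a file denial with an absolute path")
    # Log masks use c (create) and d (delete); in a profile both fall under w.
    perms = {"w" if p in "cd" else p for p in fields["denied_mask"]}
    if not perms or not perms <= set("rwaklm"):
        # Exec denials need a transition qualifier (ix, px, ...): decide by hand.
        raise ValueError(f"unsupported mask {fields['denied_mask']!r}")
    if glob_dir:
        # Assumption: NetworkManager picks a fresh random file name per
        # connection, so the rule covers the directory rather than one file.
        path = posixpath.dirname(path) + "/*"
    order = "rwaklm"
    return f"file {''.join(p for p in order if p in perms)} {path},"

if __name__ == "__main__":
    denial = parse_avc(SAMPLE)
    print(denial["profile"], "->", suggest_rule(denial))
```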
--
https://bugs.launchpad.net/bugs/2143810
Title:
Cannot pre-load keyfile (/run/NetworkManager/cert/ )