Dear All, I’m having trouble getting an OpenVPN connection to work properly on Fedora and would appreciate some advice.
Distribution: Fedora (fully up to date from the official repos)
OpenVPN: 2.6.17 (from Fedora repos)
Mode: TCP, using the .ovpn configuration supplied by the provider

________________________________

What works

If I run OpenVPN from the command line, the TLS handshake completes and the tunnel appears to come up:

    sudo openvpn --config /path/to/provider-tcp.ovpn --dev tun0 --verb 4 2>&1 | tee /tmp/ovpn-test-tcp.log

From the log (edited and anonymised):

    PUSH: Received control message: 'PUSH_REPLY,sndbuf 393216,rcvbuf 393216,redirect-gateway def1,dhcp-option DNS 8.8.8.8,register-dns,route-gateway 10.15.0.1,topology subnet,ping 10,ping-restart 60,socket-flags TCP_NODELAY,ifconfig 10.15.0.4 255.255.0.0,peer-id 0,cipher AES-256-GCM'
    TUN/TAP device tun0 opened
    do_ifconfig, ipv4=1, ipv6=0
    net_addr_v4_add: 10.15.0.4/16 dev tun0
    net_route_v4_add: /32 via dev [NULL]
    net_route_v4_add: 0.0.0.0/1 via 10.15.0.1 dev [NULL]
    net_route_v4_add: 128.0.0.0/1 via 10.15.0.1 dev [NULL]
    Initialization Sequence Completed

The interface looks fine; ip addr show tun0 gives something like:

    tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
        inet 10.15.0.4/16 brd 10.15.255.255 scope global tun0

The routing table also seems consistent with “redirect-gateway def1”. For example:

    ip route get 8.8.8.8

returns:

    8.8.8.8 via 10.15.0.1 dev tun0 src 10.15.0.4 uid 1000

________________________________

What does NOT work

Despite the above, there is no traffic over the tunnel. Examples:

    ping -c3 10.15.0.1
    ping -c3 8.8.8.8
    curl -4 --connect-timeout 10 https://api.ipify.org

All of these time out (100% packet loss for ping, no response for curl). When I disconnect the VPN, normal Internet over the Ethernet interface works fine.
To exclude firewall issues, I temporarily disabled everything:

    sudo systemctl stop firewalld 2>/dev/null || true
    sudo nft flush ruleset 2>/dev/null || true
    sudo iptables -F 2>/dev/null || true
    sudo ip6tables -F 2>/dev/null || true

The behaviour is the same: OpenVPN connects, but I can’t even ping the VPN gateway (10.15.0.1), and the log keeps printing

    write to TUN/TAP : Invalid argument (fd=-1,code=22)

repeatedly.

________________________________

Extra oddity: many stale tunX interfaces/routes

Because I’ve been testing several times (and previously experimented with some scripts), ip route now shows dozens of tunXX routes with state DOWN and linkdown, even when no OpenVPN process is running. Example (excerpt, anonymised):

    10.15.0.0/16 dev tun28 proto kernel scope link src 10.15.0.3 metric 500 linkdown
    10.15.0.0/16 dev tun53 proto kernel scope link src 10.15.0.5 metric 500 linkdown
    ...

Even after:

    sudo pkill openvpn
    sudo ip route flush table main
    sudo systemctl restart NetworkManager

many of these routes still remain. I’m not sure whether this is just cosmetic or a symptom of a deeper problem.

________________________________

NetworkManager plugin also fails

I also tried importing the same .ovpn file into NetworkManager and bringing it up via:

    nmcli connection up "ovpn" --show-secrets

This consistently fails with:

    Error: Connection activation failed: Unknown reason

In the journal I see messages like:

    vpn["ovpn"]: starting openvpn
    vpn["ovpn"]: dbus: failure: connect-failed (1)

The OpenVPN NM service binary, /usr/libexec/nm-openvpn-service, is present and executable.
The connection profile (anonymised) looks roughly like:

    vpn.service-type: org.freedesktop.NetworkManager.openvpn
    vpn.data: auth = SHA256, ca = /path/to/ca.pem, cipher = AES-256-CBC, connection-type = password, dev = tun, mssfix = yes, proto-tcp = yes, remote = vpn.example.com:4443, ta = /path/to/ta.key, ta-dir = 1, username =
    vpn.secrets:

________________________________

Question

Has anyone seen this combination of symptoms on Fedora? OpenVPN 2.6.17 connects, tun0 is UP with an IP, routes are installed, but:

  - ping 10.15.0.1 and any other IP via the tunnel fail, and the log shows repeated "write to TUN/TAP : Invalid argument (fd=-1,code=22)".
  - There are many stale tunX interfaces and routes left behind even when there is no OpenVPN process, and even after flushing routes and restarting NetworkManager.
  - NetworkManager’s OpenVPN plugin refuses to bring up the connection with "dbus: failure: connect-failed (1)" even though nm-openvpn-service is present.

Is there anything obvious I might be doing wrong on Fedora (kernel/module, permissions on /dev/net/tun, SELinux, interaction with NetworkManager, etc.) that could explain the "write to TUN/TAP : Invalid argument" and the lack of traffic, even though the control channel is clearly established?

Any hints on how to systematically debug this on Fedora (and/or what extra logs to collect) would be very welcome.

Best regards,
Paul

--
_______________________________________________
users mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
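A small diagnostic helper, added here as an example and not part of Paul's post, that parses the two artefacts quoted above: it counts the TUN write failures and records the fd and errno they report (-1 is not a valid descriptor, so a write attempted with it cannot reach any tun device), and pulls the linkdown tunXX devices out of an ip route dump so they can be removed with ip link delete (a proto kernel route is derived from the address on its device, so removing the stale device removes the route with it, which route flushing alone does not do). The log and route lines are constructed from the excerpts in the post, not captured output.

```python
import re

# Constructed sample input, modelled on the excerpts quoted in the post.
OVPN_LOG = """\
TUN/TAP device tun0 opened
net_addr_v4_add: 10.15.0.4/16 dev tun0
Initialization Sequence Completed
write to TUN/TAP : Invalid argument (fd=-1,code=22)
write to TUN/TAP : Invalid argument (fd=-1,code=22)
"""

IP_ROUTE = """\
default via 192.0.2.1 dev enp3s0 proto dhcp metric 100
10.15.0.0/16 dev tun28 proto kernel scope link src 10.15.0.3 metric 500 linkdown
10.15.0.0/16 dev tun53 proto kernel scope link src 10.15.0.5 metric 500 linkdown
10.15.0.0/16 dev tun0 proto kernel scope link src 10.15.0.4 metric 500
"""

# "write to TUN/TAP : <strerror> (fd=<n>,code=<errno>)" as printed by openvpn --verb 4
TUN_WRITE_ERR = re.compile(r"write to TUN/TAP : (.+?) \(fd=(-?\d+),code=(\d+)\)")
# a kernel-derived route on a tunX device whose link is down
STALE_ROUTE = re.compile(r"^\S+ dev (tun\d+) proto kernel .*\blinkdown\b")


def tun_write_errors(log):
    """Count TUN write failures and collect the fd and errno values they report."""
    count, fds, codes = 0, set(), set()
    for m in TUN_WRITE_ERR.finditer(log):
        count += 1
        fds.add(int(m.group(2)))
        codes.add(int(m.group(3)))
    return count, fds, codes


def stale_tun_devices(route_dump):
    """tunX devices that still carry a kernel route but whose link is down."""
    devs = {m.group(1) for line in route_dump.splitlines()
            if (m := STALE_ROUTE.match(line))}
    return sorted(devs, key=lambda d: int(d[3:]))


def cleanup_commands(devs):
    """Commands that remove the stale devices (and, with them, their routes)."""
    return [f"ip link delete {d}" for d in devs]


if __name__ == "__main__":
    n, fds, codes = tun_write_errors(OVPN_LOG)
    print(f"{n} TUN write failures, fd={sorted(fds)}, errno={sorted(codes)}")
    for cmd in cleanup_commands(stale_tun_devices(IP_ROUTE)):
        print(cmd)
```

Feed it the real log and `ip route` output instead of the constructed strings; a device that is linkdown while no OpenVPN process is running is safe to delete.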
