OpenVPN troubles

Hello,

I’m new to PureOS. Just installed it. Almost completely migrated, for the most part. Came from Trisquel, which I’ve been using for years.

I have a VPN subscription that I’ve also been using for years, and successfully set up on multiple computers without issue. For some reason, I’m struggling to get it to connect on PureOS.

I contacted the VPN provider but they told me to check the logs.

Not sure what to do at this point. Any help would be greatly appreciated. Thank you!

What are your issues?

I attempt to turn on the VPN, it thinks for about 30 seconds, and then gives me the notice that it failed to connect.

Are you using openvpn? If so, do you have either .ovpn or .conf files for whatever server you’re trying to connect to? If also so, try connecting from the command line. If that works, your network manager doesn’t have the proper settings. The command is:

sudo openvpn <path to your .ovpn or .conf file>

I have neither of those files, as the instructions I’m following don’t mention that.

I’m following the “Ubuntu” instructions here: https://wiki.btguard.com/index.php/OpenVPN_Linux

Those instructions have worked well on other distros before.

Edit: Interestingly enough, when I try to connect, it is not asking me for my admin password to proceed, as I believe it did on other distros. On other distros, I was able to somehow save the admin privileges so that I didn’t have to do it every time. That way I could connect and disconnect easily without having to add admin password. But IIRC I had to at least do it once, the first time.

Then it looks like you have a btguard.conf file. The site you linked to gives terminal instructions, so I would give that a shot. Namely:

openvpn /etc/openvpn/btguard.conf

If btguard.conf isn’t at that location, then substitute the location of that file (eg. ~/Documents/btguard.conf). This will ensure that openvpn is working correctly or provide some information on why it isn’t.

Sun Mar  1 12:21:38 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar  1 12:21:38 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.92.230:1194
Sun Mar  1 12:21:38 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Mar  1 12:21:38 2020 UDP link local: (not bound)
Sun Mar  1 12:21:38 2020 UDP link remote: [AF_INET]104.254.92.230:1194
Sun Mar  1 12:21:38 2020 TLS: Initial packet from [AF_INET]104.254.92.230:1194, sid=de3dfb27 79a0051d
Sun Mar  1 12:21:38 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar  1 12:21:38 2020 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Sun Mar  1 12:21:38 2020 OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Sun Mar  1 12:21:38 2020 TLS_ERROR: BIO read tls_read_plaintext error
Sun Mar  1 12:21:38 2020 TLS Error: TLS object -> incoming plaintext read error
Sun Mar  1 12:21:38 2020 NOTE: --mute triggered...
Sun Mar  1 12:21:38 2020 1 variation(s) on previous 3 message(s) suppressed by --mute
Sun Mar  1 12:21:38 2020 SIGUSR1[soft,tls-error] received, process restarting
Sun Mar  1 12:21:38 2020 Restart pause, 5 second(s)
Sun Mar  1 12:21:43 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar  1 12:21:43 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.90.85:1194
Sun Mar  1 12:21:43 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Mar  1 12:21:43 2020 UDP link local: (not bound)
Sun Mar  1 12:21:43 2020 UDP link remote: [AF_INET]104.254.90.85:1194
Sun Mar  1 12:21:43 2020 TLS: Initial packet from [AF_INET]104.254.90.85:1194, sid=2ae37185 1db34b9d

What’s your openvpn version? In terminal, type

openvpn --version

OpenVPN 2.4.7 x86_64-pc-linux-gnu

In your btguard.conf file, you’ll see a bunch of settings and options on separate lines. At the end of the first chunk (so inside the first gap as you scroll down), add the line “tls-version-min 1.0” and then try to run it from the terminal again. If it exits and you see “Operation not permitted” somewhere in the last few lines, run the command with sudo. You’ll know it’s succeeded when the last line says “Initialization Sequence Completed”.

Sun Mar  1 17:30:37 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar  1 17:30:37 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]104.254.92.228:1194
Sun Mar  1 17:30:37 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Mar  1 17:30:37 2020 UDP link local: (not bound)
Sun Mar  1 17:30:37 2020 UDP link remote: [AF_INET]104.254.92.228:1194
Sun Mar  1 17:30:37 2020 TLS: Initial packet from [AF_INET]104.254.92.228:1194, sid=8c2712b7 e16a5dd4
Sun Mar  1 17:30:37 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar  1 17:30:37 2020 VERIFY OK: depth=1, C=DE, ST=Hesse-Nassau, L=Frankfurt, O=BTGuard, CN=BTGuard CA, emailAddress=support@btguard.com
Sun Mar  1 17:30:37 2020 VERIFY OK: depth=0, C=DE, ST=Hesse-Nassau, L=Frankfurt, O=BTGuard, CN=server, emailAddress=support@btguard.com
Sun Mar  1 17:30:37 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Mar  1 17:30:37 2020 [server] Peer Connection Initiated with [AF_INET]104.254.92.228:1194
Sun Mar  1 17:30:38 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Mar  1 17:30:38 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,redirect-gateway,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5'
Sun Mar  1 17:30:38 2020 OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar  1 17:30:38 2020 NOTE: --mute triggered...
Sun Mar  1 17:30:38 2020 3 variation(s) on previous 3 message(s) suppressed by --mute
Sun Mar  1 17:30:38 2020 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar  1 17:30:38 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Mar  1 17:30:38 2020 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar  1 17:30:38 2020 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar  1 17:30:38 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Mar  1 17:30:38 2020 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar  1 17:30:38 2020 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sun Mar  1 17:30:38 2020 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp2s0 HWADDR=7c:e9:d3:aa:bb:ca
Sun Mar  1 17:30:38 2020 TUN/TAP device tun0 opened
Sun Mar  1 17:30:38 2020 TUN/TAP TX queue length set to 100
Sun Mar  1 17:30:38 2020 /sbin/ip link set dev tun0 up mtu 1500
Sun Mar  1 17:30:38 2020 /sbin/ip addr add dev tun0 local 10.10.10.6 peer 10.10.10.5
Sun Mar  1 17:30:38 2020 /sbin/ip route add 104.254.92.228/32 via 192.168.1.1
Sun Mar  1 17:30:38 2020 /sbin/ip route del 0.0.0.0/0
Sun Mar  1 17:30:38 2020 /sbin/ip route add 0.0.0.0/0 via 10.10.10.5
Sun Mar  1 17:30:38 2020 /sbin/ip route add 10.10.10.1/32 via 10.10.10.5
Sun Mar  1 17:30:38 2020 Initialization Sequence Completed

I then went to whatismyip and others, and it’s still showing my normal IP and location instead of the VPN’s IP.
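
The log of the successful connection above still reports several weak settings (no server certificate verification, a TLSv1 control channel, a 1024 bit RSA key, a BF-CBC data channel, cached passwords). The following is an added example, not code from the thread or from the OpenVPN project, that scans a client log for those lines; the function name and finding IDs are hypothetical, the sample lines are abridged from the log posted here, and the patterns assume the OpenVPN 2.4 log format shown in this thread.

```python
import re

# 64-bit block ciphers; OpenVPN warns these are exposed to SWEET32.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
CONTROL = re.compile(r"Control Channel: TLSv([\d.]+),.*?(\d+) bits? (\w+)")
DATA = re.compile(r"Data Channel: Cipher '([^']+)'")

# Sample input: lines abridged from the log posted in this thread.
SAMPLE_LOG = [
    "Sun Mar  1 17:30:37 2020 WARNING: No server certificate verification method has been enabled.",
    "Sun Mar  1 17:30:37 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this",
    "Sun Mar  1 17:30:37 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA",
    "Sun Mar  1 17:30:38 2020 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key",
    "Sun Mar  1 17:30:38 2020 Initialization Sequence Completed",
]

def audit_openvpn_log(lines):
    """Return sorted (finding_id, detail) pairs for weak settings seen in a client log."""
    findings = set()  # a set, so repeated lines (reconnects, in/out channels) count once
    for line in lines:
        if "No server certificate verification method" in line:
            findings.add(("no-server-cert-check",
                          "add remote-cert-tls server or verify-x509-name"))
        if "may cache passwords in memory" in line:
            findings.add(("password-cached", "add auth-nocache"))
        m = CONTROL.search(line)
        if m:
            version, bits, key_type = m.groups()
            # "1" -> (1,), "1.2" -> (1, 2); anything below TLS 1.2 is flagged.
            if tuple(int(p) for p in version.split(".")) < (1, 2):
                findings.add(("old-tls", f"control channel negotiated TLSv{version}"))
            if key_type == "RSA" and int(bits) < 2048:
                findings.add(("short-rsa-key", f"server key is {bits} bit RSA"))
        m = DATA.search(line)
        if m and m.group(1).upper() in SMALL_BLOCK:
            findings.add(("small-block-cipher",
                          f"{m.group(1)} has a 64-bit block (SWEET32)"))
    return sorted(findings)

if __name__ == "__main__":
    for finding_id, detail in audit_openvpn_log(SAMPLE_LOG):
        print(f"{finding_id}: {detail}")
```
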

Try ipleak.net. It may give you more information. Let me know what you see there.

I’m going to mark this as solved.

My BTGuard was going to expire this month anyways, so I switched providers and followed their setup instructions and it’s working fine. So, maybe something was just goofed with my old provider.

I do have a new trouble, though, and that is that I cannot find the Auto-connect box to check to force VPN usage when connected to internet. I’ll create a new post if there’s no quick response here, though.

For completeness, the new post is here: Where to force VPN upon internet connectivity
