import of openvpn config ignores tls-crypt
I noticed that the import of an openvpn config file with an embedded <tls-crypt>
section was not imported correctly, leading to TLS timeout errors:
Apr 04 21:05:25 xx nm-openvpn[9807]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 04 21:05:25 xx nm-openvpn[9807]: TLS Error: TLS handshake failed
There is a related issue, #54 (closed), but it was closed because the OP's problem was the kde-plasma backend for the import. Reading the issue I became aware of the different tools and tried the CLI, and I do get different output. Most interestingly, `nmcli` managed to import the key while `nm-connection-editor` didn't. When inspecting the UI result dialog, there was a value for tls-crypt but apparently it didn't make it into the final export.
This is the diff from the generated configs:
# diff -u Europe-41185-Entry3-f*
--- Europe-f91c315a-432c-49b6-b76c-3508a5722936.nmconnection 2023-04-04 22:22:39.708300527 +0200
+++ Europe-fb9c24cf-972c-44d1-86d7-729be5cb6b1a.nmconnection 2023-04-04 22:29:56.279765225 +0200
@@ -1,27 +1,29 @@
[connection]
id=Europe-41185-Entry3
-uuid=f91c315a-432c-49b6-b76c-3508a5722936
+uuid=fb9c24cf-972c-44d1-86d7-729be5cb6b1a
type=vpn
+autoconnect=false
[vpn]
auth=SHA512
ca=/XXX/.cert/nm-openvpn/Europe-ca.pem
cert=/XXX/.cert/nm-openvpn/Europe-cert.pem
+cert-pass-flags=0
comp-lzo=no-by-default
connection-type=tls
dev=tun
+dev-type=tun
key=/XXX/.cert/nm-openvpn/Europe-key.pem
push-peer-info=yes
remote=europe.ipv6.somewhere.org:41185
remote-cert-tls=server
-tls-crypt=/XXX/.cert/nm-openvpn/Europe-crypt.pem
service-type=org.freedesktop.NetworkManager.openvpn
[ipv4]
method=auto
[ipv6]
-addr-gen-mode=default
+addr-gen-mode=stable-privacy
method=auto
[proxy]
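Review bot: the only change in this hunk that affects the tunnel is the dropped `tls-crypt=/XXX/.cert/nm-openvpn/Europe-crypt.pem` line in `[vpn]`; without it the client sends unwrapped control-channel packets to a server that expects tls-crypt wrapping, which is consistent with the "TLS key negotiation failed to occur within 60 seconds" lines in the log above. The remaining differences (`uuid`, `autoconnect=false`, `cert-pass-flags=0`, `dev-type=tun`, `addr-gen-mode=stable-privacy`) do not touch the control channel and can be ignored for this issue. Since the editor dialog showed a tls-crypt value, the loss is on the editor's write-out path rather than in the parser; a regression test that imports a profile with an inline `<tls-crypt>` block through the editor and asserts the key is present in the saved keyfile would catch this.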
The previous one (base for the diff) was generated by `nmcli connection import file Europe.ovpn` and it contains the tls-crypt option. The latter was done by import with `nm-connection-editor` called from the terminal.
The initial import that led to my investigation was done with the editor spawned by nm-applet initially.
$ rpm -qf `which nm-connection-editor`
nm-connection-editor-1.28.0-2.fc37.x86_64
$ rpm -qf `which nmcli`
NetworkManager-1.40.10-1.fc37.x86_64
$ rpm -qf `which nm-applet`
network-manager-applet-1.28.0-2.fc37.x86_64
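As an added example (not part of this report, of NetworkManager or of NetworkManager-openvpn), here is a small offline check that compares an `.ovpn` profile with the `.nmconnection` keyfile an import produced and reports whether the inline `<tls-crypt>` block was carried over. It assumes the keyfile layout shown in the diff above (a `[vpn]` section whose `tls-crypt=` value is the path of the extracted key file); the sample profile, keyfiles and static key below are constructed.

```python
"""Check that an OpenVPN profile's inline <tls-crypt> block survived import
into a NetworkManager keyfile (.nmconnection).

Added example; it is not code from the bug report, NetworkManager or
NetworkManager-openvpn. It assumes the keyfile layout seen in the report
(a [vpn] section with tls-crypt=<path to extracted key>) and works purely on
text, so it runs offline. All sample inputs below are constructed and the
static key is dummy hex, not a real key.
"""
import configparser
import re
from typing import Optional

# Matches OpenVPN inline blocks such as <ca>...</ca> or <tls-crypt>...</tls-crypt>.
INLINE_BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)


def ovpn_inline_blocks(text: str) -> dict:
    """Return {tag: body} for every inline <tag>...</tag> block in a .ovpn file."""
    return {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}


def nmconnection_vpn_data(text: str) -> dict:
    """Return the [vpn] section of a NetworkManager keyfile as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written (tls-crypt, remote-cert-tls, ...)
    cp.read_string(text)
    return dict(cp["vpn"]) if cp.has_section("vpn") else {}


def check_tls_crypt(ovpn_text: str, nmconnection_text: str,
                    key_file_text: Optional[str] = None) -> list:
    """Compare a profile with the keyfile produced from it.

    Returns a list of findings; an empty list means the tls-crypt option was
    carried over (or the profile never used one). If the content of the key
    file the keyfile points to is supplied, it is compared with the inline
    block too, so a truncated or wrong key is reported as well.
    """
    findings = []
    blocks = ovpn_inline_blocks(ovpn_text)
    vpn = nmconnection_vpn_data(nmconnection_text)

    if "tls-crypt" not in blocks:
        return findings  # nothing to carry over

    key_path = vpn.get("tls-crypt")
    if not key_path:
        # The situation in the report: the control channel stays unwrapped, the
        # server discards the client's packets, and the client logs
        # "TLS key negotiation failed to occur within 60 seconds".
        findings.append("profile has <tls-crypt> but keyfile [vpn] has no tls-crypt= entry")
        return findings

    if key_file_text is not None and key_file_text.strip() != blocks["tls-crypt"]:
        findings.append(f"key written to {key_path} differs from the inline <tls-crypt> block")
    return findings


# ---- constructed sample inputs ----------------------------------------------
DUMMY_KEY = (  # constructed placeholder, not a real OpenVPN static key
    "-----BEGIN OpenVPN Static key V1-----\n"
    "00112233445566778899aabbccddeeff\n"
    "ffeeddccbbaa99887766554433221100\n"
    "-----END OpenVPN Static key V1-----"
)

SAMPLE_OVPN = f"""client
dev tun
remote europe.example.invalid 41185
remote-cert-tls server
auth SHA512
<tls-crypt>
{DUMMY_KEY}
</tls-crypt>
"""

# What a correct import (the nmcli result in the report) writes.
KEYFILE_OK = """[connection]
id=Europe-example
type=vpn

[vpn]
auth=SHA512
connection-type=tls
dev=tun
remote=europe.example.invalid:41185
remote-cert-tls=server
tls-crypt=/XXX/.cert/nm-openvpn/Europe-crypt.pem
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
method=auto
"""

# Same keyfile with the tls-crypt line dropped, as the editor import did.
KEYFILE_MISSING = "\n".join(
    line for line in KEYFILE_OK.splitlines() if not line.startswith("tls-crypt=")
) + "\n"


if __name__ == "__main__":
    for name, keyfile in (("nmcli import", KEYFILE_OK), ("editor import", KEYFILE_MISSING)):
        problems = check_tls_crypt(SAMPLE_OVPN, keyfile, key_file_text=DUMMY_KEY)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To use it against a real import, read the `.ovpn`, the generated `.nmconnection` (normally under `/etc/NetworkManager/system-connections/`, readable as root) and the file named by `tls-crypt=`, and pass the three strings to `check_tls_crypt`. The same regex also collects `<ca>`, `<cert>` and `<key>` blocks, so the function can be extended to the other extracted files in the same way.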