Is it possible to use connection profiles generated by OpenVPN Access Server with GNOME NetworkManager?
Yes, they can be used with network-manager-gnome.
First of all, you need to extract the certificates from the client.ovpn file that was generated by OpenVPN Access Server.
There is a Python script that makes this process easy at: https://github.com/stackghost/gnovpn
    $ wget https://raw.githubusercontent.com/stackghost/gnovpn/master/gnovpn.py
    $ python3 gnovpn.py ./client.ovpn
    Generated ca.crt ...
    Generated config.crt ...
    Generated config.key ...
    Generated config-tls.key ...
    Generated config.ovpn ...
    Done!
After that you must configure network-manager as below:
- Select “Password with Certificates (TLS)” as authentication type
- config.crt as User Certificate
- ca.crt as CA Certificate
- config.key as Private Key
- Give provided username and password
- Click on the Advanced and TLS Authentication tab
- Check “Use additional TLS authentication” field
- config-tls.key as Key File
- Select Key Direction as none as specified in exported
It is also good to check the other settings in the config.ovpn file, such as LZO compression, UDP or TCP protocol selection, and port number.
I’m trying to use the same Python script to extract the key and certs from an OpenVPN single config file which is generated by pfSense and has a description line at the top:
#-- Config Auto Generated By pfSense for Viscosity --#
Everything seems OK; I’m following the same instructions above and the VPN connection is established successfully.
But I couldn’t connect to any IP address within the established tunnel. I can see the following error messages in /var/log/syslog on the client side:
openvpn: Authenticate/Decrypt packet error: cipher final failed
How can I solve this problem?
You are using a different cipher algorithm from the one which is configured by your OpenVPN provider.
You need to learn which cipher must be used. Your single .ovpn config file must have a line that starts with
... cipher AES-256-CBC ...
In our example the cipher algorithm is AES-256-CBC. We need to select this algorithm in the network-manager profile rather than the Default selection. To do this, go to Identity -> Advanced -> Security tab and select the correct cipher.
Now you can connect to the systems in the VPN tunnel.
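The extraction step and the settings check described above can be done in one pass. The Python below is an added example, not the gnovpn script and not code from the original post: it splits the inline blocks of a single-file profile into the file names shown earlier, writes key material owner-only, and collects the directives (cipher, protocol, port, compression) that have to be copied into the NetworkManager dialog by hand. The function names and the sample profile are constructed for illustration.

```python
import os
import re

# Inline blocks -> file names used on this page; SECRET ones are written 0600.
BLOCKS = {"ca": "ca.crt", "cert": "config.crt", "key": "config.key", "tls-auth": "config-tls.key"}
SECRET = {"key", "tls-auth"}
# Directives that must be mirrored by hand in the NetworkManager dialog.
SETTINGS = ("remote", "proto", "port", "cipher", "auth", "comp-lzo", "key-direction")

# Constructed sample profile; the block bodies are placeholders, not real keys.
SAMPLE = """#-- Config Auto Generated By pfSense for Viscosity --#
remote vpn.example.test 1194 udp
cipher AES-256-CBC
<ca>
CA-PLACEHOLDER
</ca>
<key>
KEY-PLACEHOLDER
</key>
comp-lzo
"""

def parse_profile(text):
    blocks, settings, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if current:  # inside <tag>...</tag>: keep every line, '#' lines included
            if line == f"</{current}>":
                current = None
            else:
                blocks[current] += line + "\n"
        elif (m := re.fullmatch(r"<([a-z-]+)>", line)) and m.group(1) in BLOCKS:
            current = m.group(1)
            blocks[current] = ""
        elif line and line[0] not in "#;":  # skip comments such as the pfSense header
            name, _, value = line.partition(" ")
            if name in SETTINGS:
                settings.setdefault(name, value.strip())
    if current:
        raise ValueError(f"unterminated <{current}> block")
    return blocks, settings

def write_blocks(blocks, outdir):
    for tag, body in blocks.items():
        path = os.path.join(outdir, BLOCKS[tag])
        mode = 0o600 if tag in SECRET else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # also tightens a file that already existed
```

If `settings` contains a `cipher` entry, that value is the one to choose in the Security tab instead of Default.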
Thank you so much! After changing the cipher it started to work properly.