Problem with network-manager and openvpn access server profile

Is it possible to use connection profiles generated by OpenVPN Access Server with gnome network manager?

Yes, it is possible to use them with network-manager-gnome.

First of all, you need to extract the certificates from the client.ovpn file that was generated by OpenVPN Access Server.

There is a Python script that makes this process easy: https://github.com/stackghost/gnovpn

$ wget https://raw.githubusercontent.com/stackghost/gnovpn/master/gnovpn.py
$ python3 gnovpn.py ./client.ovpn
Generated ca.crt ...
Generated config.crt ...
Generated config.key ...
Generated config-tls.key ...
Generated config.ovpn ...
Done!

After that you must configure network-manager as below:

  • Select “Password with Certificates (TLS)” as authentication type
  • Select config.crt as User Certificate
  • Select ca.crt as CA Certificate
  • Select config.key as Private Key
  • Enter the provided username and password
  • Click on Advanced and then the TLS Authentication tab
  • Check the “Use additional TLS authentication” field
  • Select config-tls.key as Key File
  • Select Key Direction as 0, 1 or none as specified in the exported config.ovpn file.

It is also good to check other settings in the config.ovpn file, like LZO Compression, UDP or TCP protocol selection and port number.

I’m trying to use the same Python script to extract the key and certs from an OpenVPN single config file which is generated by pfSense and has a description line at the top:

#-- Config Auto Generated By pfSense for Viscosity --#

Everything seems OK: I’m following the same instructions above and the VPN connection is established successfully.

But I couldn’t connect to any IP address within the established tunnel. I can see the following error messages in /var/log/syslog on the client side:

openvpn: Authenticate/Decrypt packet error: cipher final failed

How can I solve this problem?

You are using a different cipher algorithm from the one configured by your OpenVPN provider.

You need to learn which cipher must be used. Your single .ovpn config file must have a line that starts with the cipher keyword:

...
cipher AES-256-CBC
...

In our example the cipher algorithm is AES-256-CBC. We need to select this algorithm in the network-manager profile rather than the Default selection. To do this, go to Identity → Advanced → Security tab and select the correct cipher.

Now you can connect to the systems in the VPN tunnel.
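
The following Python is an added example, not part of the original answers and not the gnovpn script: it splits a unified .ovpn profile into the files named in the steps above, restricts them to the owner, and returns the directives (cipher, key-direction, proto, remote, comp-lzo) that have to be set to the same values in NetworkManager. The sample profile, its placeholder block bodies and the host name vpn.example.com are constructed.

```python
import os
import re

# Inline sections -> file names used in the NetworkManager steps on this page.
INLINE = {"ca": "ca.crt", "cert": "config.crt", "key": "config.key",
          "tls-auth": "config-tls.key"}
MIRRORED = ("remote", "proto", "port", "cipher", "key-direction", "comp-lzo")
BLOCK = re.compile(r"^<([\w-]+)>[ \t\r]*\n(.*?)^</\1>[ \t\r]*$", re.S | re.M)

def parse_ovpn(text):
    """Return (inline blocks, directives to mirror in NetworkManager)."""
    blocks = {m.group(1): m.group(2) for m in BLOCK.finditer(text)}
    settings = {}
    # Remove the inline blocks first so key material is not read as directives.
    for line in BLOCK.sub("", text).splitlines():
        words = line.split()
        if not words or words[0][0] in "#;":  # blank line or comment
            continue
        if words[0] in MIRRORED:
            settings.setdefault(words[0], " ".join(words[1:]))  # first wins
    return blocks, settings

def write_blocks(blocks, outdir):
    """Write each known inline block to its own file with mode 0600."""
    written = []
    for tag, name in INLINE.items():
        if tag in blocks:
            path = os.path.join(outdir, name)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            os.fchmod(fd, 0o600)  # also tighten a file that already existed
            with os.fdopen(fd, "w") as fh:
                fh.write(blocks[tag])
            written.append(name)
    return written

# Constructed sample profile; the block bodies are placeholders, not real keys.
SAMPLE = """#-- Config Auto Generated By pfSense for Viscosity --#
proto udp
remote vpn.example.com 1194
cipher AES-256-CBC
key-direction 1
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
<tls-auth>
PLACEHOLDER-STATIC-KEY
</tls-auth>
"""
if __name__ == "__main__":
    print(parse_ovpn(SAMPLE)[1])
```

If the returned settings contain a cipher entry, that value is the one to pick in the Security tab instead of Default.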

Thank you so much! After changing the cipher it started to work properly.