kirsle.net/www/wiki/Fedora-NetworkManager-OpenV...

1.9 KiB

Fedora NetworkManager OpenVPN

I set up an OpenVPN server on my Raspberry Pi using the instructions here.

Setting it up in Fedora via the NetworkManager Applet wasn't extremely straightforward.

Install OpenVPN Support

sudo dnf -y install NetworkManager-openvpn NetworkManager-openvpn-gnome \
    openvpn

NetworkManager Logs

The log is the most useful place to look when the OpenVPN connection fails, as the only thing the applet tells you is that it failed but it doesn't elaborate.

Check the logs with journalctl:

sudo journalctl -u NetworkManager
# -or-
sudo journalctl -t nm-openvpn

SELinux: Where to place your certificates

SELinux will prevent access for nm-applet to read your certificates unless you put them in the right location.

Put your OpenVPN cert/key files in ~/.cert/

Make the .ovpn file importable

The Raspberry Pi OpenVPN tutorial above ends with creating a .ovpn file for the client certificate. This file is importable and works just fine in OpenVPN Connect for Android (and presumably other apps), but the NetworkManager Applet doesn't import it correctly: you'd still have to browse and pick all your cert/key files/etc.

If you open the ovpn file in a text editor you see it has all the certificates and keys included in-line in the file, like:

<ca>
-----BEGIN CERTIFICATE-----
...base64 encoded junk...
-----END CERTIFICATE-----
</ca>

To make it compatible with the NetworkManager Applet, keep all these certs in separate files (example, ca.crt) and edit the config file to refer to them by name.

Full file example:

client
dev tun
proto udp
remote ${YOUR_VPN_SERVER} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
ca ca.crt
cert ${Your_User.crt}
key ${Your_User.key}
tls-auth ta.key