Troubleshooting

General Tips

Error Messages

AUTH: Received AUTH_FAILED control message”

This happens when you have the wrong password.

“No VPN secrets!”

This happens when the keyring is not working and returns an empty username and password.

example logs:

openvpn: TUN/TAP device tun0 opened
openvpn: /sbin/ifconfig tun0 172.27.0.X netmask 255.255.252.0 mtu 1500 broadcast 172.27.3.255
openvpn: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1541 172.27.0.X 255.255.252.0 init
openvpn: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
openvpn: WARNING: No server certificate verification method has been enabled.  See openvpn.net/howto.html#mitm for more info.
openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
openvpn: UDPv4 link local: [undef]
openvpn: UDPv4 link remote: [AF_INET]209.234.253.121:1194
openvpn: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]209.234.253.121:1194
openvpn: Initialization Sequence Completed

Linux

If OpenVPN is not working, run this to see what is wrong:

# tail -f /var/log/syslog | grep -i vpn

If you are on a distribution that has SELinux enabled (eg. Fedora), then SELinux is going to block OpenVPN from accessing cert files unless they have specific permissions set properly. You need to put the Riseup cert into ~/.cert and then you need to run:

# restorecon -Rv ~/.cert

You wont see a very specific error about this, graphically just a very vague error, but in the system log you would see something like:

nm-openvpn[6304]: Cannot load CA certificate file /home/phip/Documents/certs/RiseupCA.pem path (null) (SSL_CTX_load_verify_locations): error:0200100D:system library:fopen:Permission denied

although the above error is the same error you would get if the permissions are wrong in general on the certificate, so if you are getting that error, but are not running SELinux, check the permissions on your cert file!

Gnome

Example logs:

NetworkManager: <info> Starting VPN service 'openvpn'...
NetworkManager: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 5615
NetworkManager: <info> VPN service 'openvpn' appeared; activating connections
NetworkManager: <info> VPN plugin state changed: 3
NetworkManager: <info> VPN connection 'openvpn' (Connect) reply received.
NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) reply received.
NetworkManager: <info> VPN Gateway: 209.234.253.121
NetworkManager: <info> Internal Gateway: 172.27.0.1
NetworkManager: <info> Tunnel Device: tun0
NetworkManager: <info> Internal IP4 Address: 172.27.0.X
NetworkManager: <info> Internal IP4 Prefix: 22
NetworkManager: <info> Internal IP4 Point-to-Point Address: 0.0.0.0
NetworkManager: <info> Maximum Segment Size (MSS): 0
NetworkManager: <info> Forbid Default Route: no
NetworkManager: <info> Internal IP4 DNS: 172.27.0.1
NetworkManager: <info> DNS Domain: '(none)'
NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) complete.
NetworkManager: <info> Policy set 'openvpn' (tun0) as default for IPv4 routing and DNS.
NetworkManager: <info> VPN plugin state changed: 4

Mac

If the connection doesn’t work, try these:

  1. Where is the RiseupCA.pem file saved? Make sure you can find the file in the finder and that the path to the file is the same as specified in your configuration file.
  2. Did you remember to remove the .txt extensions from the certificate file and the configuration file? The config file must end in .ovpn
  3. If you are not able to use the internet when connected, your ISP may be blocking connections on port 1194. To change what port OpenVPN uses, you can change 1194 to 80 or 443 in the above configuration file.
  4. By default, OpenVPN will use an internet protocol call UDP. This is faster, but sometimes you need to change this to TCP in order to get OpenVPN to work. To do so, add this to the configuration: proto tcp.

Windows

If you are having problems connecting, the first thing you need to do is to find your openvpn logs because that is where problems are typically recorded. To get your logs you simply right click on the openvpn GUI notification icon, and click view logs.

Once you have these, look in there for errors, some errors and solutions are below:

ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.

If you get this error, add these lines to your openvpn.conf file:


route-method exe
route-delay 2

WARNING: ‘dev-type’ is used inconsistently, local=‘dev-type tap’, remote=‘dev-type tun’

If you find this error in your logs, you can try to change your configuration to have ‘dev tun’ instead of ‘dev tap’
and add this to your configuration:


tun-mtu 1500

Other Problems

Saving Passwords

Password storage on the windows client is insecure: There is no way in the current version to save your password. although it is possible recompile the software with this option enabled (such as this version), this stores your password in cleartext.

Instead of using your riseup.net password, you should use a VPN Secret. It is OK to store the VPN Secret in cleartext.

Using TUN instead of TAP

If you use dev tun instead of dev tap in the configuration file, you must run openvpn as administrator. Otherwise, it will appear to work, but none of your traffic will actually be going over the Riseup VPN.

To run OpenVPN as administrator:

Right click on the OpenVPN GUI application and either choose “Run as Administrator” or if that doesn’t exist, choose properties. From there, check compatibility mode and run as administrator. The OpenVPN GUI can be found under Start button → All Programs → OpenVPN → OpenVPN GUI.