- General Tips
This happens when you have the wrong password.
This happens when the keyring is not working and returns an empty username and password.
openvpn: TUN/TAP device tun0 opened openvpn: /sbin/ifconfig tun0 172.27.0.X netmask 255.255.252.0 mtu 1500 broadcast 172.27.3.255 openvpn: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1541 172.27.0.X 255.255.252.0 init openvpn: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011 openvpn: WARNING: No server certificate verification method has been enabled. See openvpn.net/howto.html#mitm for more info. openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts openvpn: UDPv4 link local: [undef] openvpn: UDPv4 link remote: [AF_INET]18.104.22.168:1194 openvpn: [vpn.riseup.net] Peer Connection Initiated with [AF_INET]22.214.171.124:1194 openvpn: Initialization Sequence Completed
If OpenVPN is not working, run this to see what is wrong:
# tail -f /var/log/syslog | grep -i vpn
If you are on a distribution that has SELinux enabled (eg. Fedora), then SELinux is going to block OpenVPN from accessing cert files unless they have specific permissions set properly. You need to put the Riseup cert into ~/.cert and then you need to run:
# restorecon -Rv ~/.cert
You wont see a very specific error about this, graphically just a very vague error, but in the system log you would see something like:
nm-openvpn: Cannot load CA certificate file /home/phip/Documents/certs/RiseupCA.pem path (null) (SSL_CTX_load_verify_locations): error:0200100D:system library:fopen:Permission denied
although the above error is the same error you would get if the permissions are wrong in general on the certificate, so if you are getting that error, but are not running SELinux, check the permissions on your cert file!
NetworkManager: <info> Starting VPN service 'openvpn'... NetworkManager: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 5615 NetworkManager: <info> VPN service 'openvpn' appeared; activating connections NetworkManager: <info> VPN plugin state changed: 3 NetworkManager: <info> VPN connection 'openvpn' (Connect) reply received. NetworkManager: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0) NetworkManager: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found. NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) reply received. NetworkManager: <info> VPN Gateway: 126.96.36.199 NetworkManager: <info> Internal Gateway: 172.27.0.1 NetworkManager: <info> Tunnel Device: tun0 NetworkManager: <info> Internal IP4 Address: 172.27.0.X NetworkManager: <info> Internal IP4 Prefix: 22 NetworkManager: <info> Internal IP4 Point-to-Point Address: 0.0.0.0 NetworkManager: <info> Maximum Segment Size (MSS): 0 NetworkManager: <info> Forbid Default Route: no NetworkManager: <info> Internal IP4 DNS: 172.27.0.1 NetworkManager: <info> DNS Domain: '(none)' NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) complete. NetworkManager: <info> Policy set 'openvpn' (tun0) as default for IPv4 routing and DNS. NetworkManager: <info> VPN plugin state changed: 4
If the connection doesn’t work, try these:
- Where is the RiseupCA.pem file saved? Make sure you can find the file in the finder and that the path to the file is the same as specified in your configuration file.
- Did you remember to remove the .txt extensions from the certificate file and the configuration file? The config file must end in .ovpn
- If you are not able to use the internet when connected, your ISP may be blocking connections on port 1194. To change what port OpenVPN uses, you can change 1194 to 80 or 443 in the above configuration file.
- By default, OpenVPN will use an internet protocol call UDP. This is faster, but sometimes you need to change this to TCP in order to get OpenVPN to work. To do so, add this to the configuration:
If you are having problems connecting, the first thing you need to do is to find your openvpn logs because that is where problems are typically recorded. To get your logs you simply right click on the openvpn GUI notification icon, and click view logs.
Once you have these, look in there for errors, some errors and solutions are below:
If you get this error, add these lines to your openvpn.conf file:
If you find this error in your logs, you can try to change your configuration to have ‘dev tun’ instead of ‘dev tap’
and add this to your configuration:
Password storage on the windows client is insecure: There is no way in the current version to save your password. although it is possible recompile the software with this option enabled (such as this version), this stores your password in cleartext.
Instead of using your riseup.net password, you should use a VPN Secret. It is OK to store the VPN Secret in cleartext.
If you use
dev tun instead of
dev tap in the configuration file, you must run openvpn as administrator. Otherwise, it will appear to work, but none of your traffic will actually be going over the Riseup VPN.
To run OpenVPN as administrator:
Right click on the OpenVPN GUI application and either choose “Run as Administrator” or if that doesn’t exist, choose properties. From there, check compatibility mode and run as administrator. The OpenVPN GUI can be found under Start button → All Programs → OpenVPN → OpenVPN GUI.