VPN issue: VPN connection failed because the VPN service returned invalid configuration

[patrickmj]

Hi all,

I'm trying to get my VPN connection working but I keep getting this networking error:

Code: Select all

VPN connection failed because the VPN service returned invalid configuration

I've seen and tried a couple different things here (getting packages: viewtopic.php?f=157&t=279316, and the info here didn't seem to line up with what's happening: viewtopic.php?f=157&t=225901&p=1191462& ... n#p1191462 )

I also hoped that a similar issue on Ubuntu's forums would yield progress, but this, too didn't work: https://ubuntuforums.org/showthread.php?t=2305819

I'm using PaloAlto's globalprotect, per my institution's requirements https://www.paloaltonetworks.com/docume ... linux.html

Any ideas on what else to try or where else to look for more information?

Thanks,
Patrick

[phd21]

Hi patrickmj,

It would help to know more about your system setup. If you run "inxi -Fxzd" from the console terminal prompt, highlight the results, copy and paste them back here, that should provide enough information.

What vpn provider's server configuration files are you trying to setup and with what protocol openvpn or something else?

FYI: Use the Network Manager's Import VPN option.

vpnbook setup error - Linux Mint Forums
viewtopic.php?f=90&t=279569&hilit=network+manager


Hope this helps ...

[patrickmj]

Many thanks. Here's the system info

Code: Select all

System:    Host: PMJlaptop Kernel: 4.15.0-34-generic x86_64
           bits: 64 gcc: 7.3.0
           Desktop: MATE 1.20.1 (Gtk 3.22.30-1ubuntu1)
           Distro: Linux Mint 19 Tara
Machine:   Device: laptop System: Dell product: Precision 3520 serial: N/A
           Mobo: Dell model: 0GD4NR v: A00 serial: N/A
           UEFI: Dell v: 1.10.4 date: 05/31/2018
Battery    BAT0: charge: 87.4 Wh 100.0% condition: 87.4/92.0 Wh (95%)
           model: SMP DELL WFWKK65 status: Full
CPU:       Quad core Intel Xeon E3-1505M v6 (-MT-MCP-) 
           arch: Skylake rev.9 cache: 8192 KB
           flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 24000
           clock speeds: max: 4000 MHz 1: 2230 MHz 2: 3221 MHz 3: 2823 MHz
           4: 3282 MHz 5: 3380 MHz 6: 3314 MHz 7: 3255 MHz 8: 3251 MHz
Graphics:  Card-1: Intel HD Graphics P630 bus-ID: 00:02.0
           Card-2: NVIDIA GM107GLM [Quadro M620 Mobile] bus-ID: 01:00.0
           Display Server: x11 (X.Org 1.19.6 )
           drivers: modesetting,nvidia (unloaded: fbdev,vesa,nouveau)
           Resolution: 1920x1080@60.02hz
           OpenGL: renderer: Quadro M620/PCIe/SSE2
           version: 4.6.0 NVIDIA 390.48 Direct Render: Yes
Audio:     Card Intel CM238 HD Audio Controller
           driver: snd_hda_intel bus-ID: 00:1f.3
           Sound: Advanced Linux Sound Architecture v: k4.15.0-34-generic
Network:   Card-1: Intel Ethernet Connection (5) I219-LM
           driver: e1000e v: 3.2.6-k bus-ID: 00:1f.6
           IF: enp0s31f6 state: down mac: <filter>
           Card-2: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
           driver: ath10k_pci bus-ID: 02:00.0
           IF: wlp2s0 state: up mac: <filter>
           Card-3: Atheros usb-ID: 001-002
           IF: null-if-id state: N/A speed: N/A duplex: N/A mac: N/A
Drives:    HDD Total Size: 256.1GB (23.6% used)
           ID-1: /dev/sda model: SK_hynix_SC311_S size: 256.1GB
           Optical: No optical drives detected.
Partition: ID-1: / size: 218G used: 42G (20%) fs: ext4 dev: /dev/dm-0
           ID-2: swap-1 size: 17.05GB used: 0.00GB (0%)
           fs: swap dev: /dev/dm-1
RAID:      No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors:   System Temperatures: cpu: 46.0C mobo: N/A gpu: 0.0:40C
           Fan Speeds (in rpm): cpu: N/A
Info:      Processes: 257 Uptime: 55 min Memory: 3254.6/15921.4MB
           Init: systemd runlevel: 5 Gcc sys: 7.3.0
           Client: Shell (bash 4.4.191) inxi: 2.3.56 

I'm not seeing an Import VPN option -- could you point me to where to look for that?
Looks like what they gave me is openvpn (at least that's marked as installed) They didn't give me configuration files, just the installer.

I ran

Code: Select all

sudo apt install resolvconf easy-rsa openvpn network-manager-openvpn

from one of the links you gave, and it didn't have an effect.

Thanks,
Patrick

[phd21]

Hi patrickmj,

You are welcome...

You are using Linux Mint Mate 19 (64-bit). I do not see anything wrong with the results of the "inxi -Fxzd" console terminal command, so that is a good thing.

I'm not seeing an Import VPN option -- could you point me to where to look for that? Looks like what they gave me is openvpn (at least that's marked as installed) They didn't give me configuration files, just the installer.

The console terminal command is to make sure the basic openVPN packages are installed.

Do you have a copy of the openVPN configuration file (somewhere.ovpn) that you are trying to import that we can see? Can you provide a link to the file or attach to the forum or open in a text editor and select all and copy then paste that into the forum?

Did you watch my tutorial on adding VPN servers? If you click or right-click the Network Manager (NM) icon in the system tray and select configure network connections, you should see a plus sign for adding a new network connection, click that and scroll down until you see import vpn or import from file a vpn, etc... and select that, browse to your openVPN configuration file, click ok. Then you need to edit the newly imported VPN connection (double-click it) to add your login credentials, username and password, click ok, exit the NM connection editor, then you can click the NM again and click the new VPN connection to connect to it.

Hope this helps ...

[patrickmj]

Hope I'm following the terminal commands correctly. There's this:

Code: Select all

patrickmj@PMJlaptop: sudo apt install resolvconf easy-rsa openvpn network-manager-openvpn
[sudo] password for patrickmj: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
network-manager-openvpn is already the newest version (1.8.2-1).
easy-rsa is already the newest version (2.2.2-2).
resolvconf is already the newest version (1.79ubuntu10).
openvpn is already the newest version (2.4.4-2ubuntu1.1).

which looks positive.

A configuration file to import seems like it might be the missing magic. When I set up the VPN, I went with the option that just said "OpenVPN", not "Import VPN configuration"

Digging around in /etc, I found this, but no .opvn files here or in the subdirectories of client or server

Code: Select all

patrickmj@PMJlaptop: pwd
/etc/openvpn
patrickmj@PMJlaptop: ls
client  server  update-resolv-conf
patrickmj@PMJlaptop: cat update-resolv-conf 
#!/bin/bash
# 
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. 
# 
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
	part1="$1"
	part2="$2"
	part3="$3"
}

case "$script_type" in
  up)
	NMSRVRS=""
	SRCHS=""
	for optionvarname in ${!foreign_option_*} ; do
		option="${!optionvarname}"
		echo "$option"
		split_into_parts $option
		if [ "$part1" = "dhcp-option" ] ; then
			if [ "$part2" = "DNS" ] ; then
				NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
			elif [ "$part2" = "DOMAIN" ] ; then
				SRCHS="${SRCHS:+$SRCHS }$part3"
			fi
		fi
	done
	R=""
	[ "$SRCHS" ] && R="search $SRCHS
"
	for NS in $NMSRVRS ; do
        	R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
	;;
  down)
	/sbin/resolvconf -d "${dev}.openvpn"
	;;
esac

Does that shed any light?
Thanks

[phd21]

Hi patrickmj,

You followed the terminal commands correctly, so that is done.

Do not go "Digging around in /etc" or other "root" folders unless you know what you are doing.

There are different kinds of vpn connections and vpn connection protocols and many vpn providers. Most people that add a VPN server connection is for protecting themselves while on the Internet and the "openvpn" protocol is usually used for this and whatever VPN provider you choose provides the openvpn server configurations files (somewhere.ovpn) to import and use.

And, there are also networks for businesses and schools that people can connect to using a VPN and they may use different vpn connection protocols and or programs (applications) other than "openvpn" or the Linux Network Manager for connecting to their network, see screenshot for a partial list.

What exactly are you trying to do, connect to your schools network? If yes, they said you would be using a VPN connection to do so and GlobalProtect is that VPN provider software?

"I'm using PaloAlto's globalprotect, per my institution's requirements".

What are those requirements and instructions?

After doing some research on this from your link, I think this "globalprotect" may be a vpn provider that your school is allowing you to use for connecting to the school's network and maybe the Internet through their servers as well. Do you have the GlobalProtect Linux archive file "PanGPLinux-4.1.0.tgz" from the school's IT dept, and your login credentials (username and password), and your school's portal identification code (the IP address or FQDN of your GlobalProtect portal)?

I cannot tell what VPN protocols they use, or if you can import their servers into your Linux Mint Network Manager (NM), but you can use their Linux Client application.

GlobalProtect™ is a program that runs on your endpoint (desktop computer, laptop, or server)
to protect you by using the same security policies that protect the sensitive resources in your
corporate network. GlobalProtect™ secures your intranet traffic and allows you to connect to
your corporate network to access your company’s resources from anywhere in the world
The following sections provide instructions for installing and using the GlobalProtect app for
Linux:
> Download and Install the GlobalProtect App for Linux
> Use the GlobalProtect App for Linux
...

Download and Install the GlobalProtect App for Linux
https://www.paloaltonetworks.com/docume ... -for-linux

Download the PDF instructions for GlobalProtect App for Linux
https://www.paloaltonetworks.com/conten ... -guide.pdf

1.) Obtain the GlobalProtect App for Linux package from your IT administrator and then copy the TGZ file to the Linux computer (endpoint).

2.) For Linux, unzip the package. You can use your file manager and just right-click the Linux archive file
"PanGPLinux-4.1.0.tgz" and inside that newly created folder will be a ".deb" file that you can double-click to install the "GlobalProtect App for Linux".

3.) I think this Linux client application is run from the console terminal prompt to connect to your school and possibly the rest of the Internet through their servers. I cannot tell if they have a desktop application.

see "Use the GlobalProtect App for Linux section"
https://www.paloaltonetworks.com/docume ... 81NC060RNM

Sample console terminal command

Code: Select all

globalprotect connect --portal myportal.example.com

4.) I still recommend changing your local ISP connection's DNS servers to secure ones from a DNS provider. Instructions are in the links I gave before.

5.) VIP: The main purpose for using any VPN provider's servers is for security and anonymity and or to access non-public private business or educational institutional web pages, or in the case of the "Tor - onion" network to access the "onion" dark web websites which are not normally accessible through normal Internet or regular vpn connections (you can use the Tor Browser bundle for this). When using a typical reliable Internet VPN provider's servers that is exactly what you will get security through the encrypted Internet connection and being anonymous because reliable VPN providers hide your actual location and public (wan) IP address and they do not keep any detailed user activity logs.

*** This may not be the case with "Global Protect" except to provide secure access to the educational and or business (portals) they connect with and their non-public private websites (web pages); this does not mean they do not monitor and record (log) all activity as well, I suspect that they do, including if they also allow pass-through access to the rest of the Internet. So you might seriously consider using "Global Protect" only for school-related activities and then disconnect from Global Protect to use another VPN provider or use the Internet without using their Global Protect vpn connection.

Console terminal command to disconnect from Global Protect

Code: Select all

globalprotect disconnect

Hope this helps ...
.

NM_ImportVPN1.jpg