"VPN connection failed" but zero explaination as to why

[Red Squirrel]

I just did a fresh install of Mint using Mint 21 XFCE and trying to get VPN to work so I can VPN to my house. I imported my config and cert files from the old install and I had to play around to get it to work, but I can get it to work when I use command line now. However if I import the config into the GUI and try to connect I just get a very generic error that says it failed. Is there a way to further troubleshoot this to get more details on why it's failing? By using command like it seems to time out now and then and I have to re-enter credentials to reconnect. I presume with the GUI it will automate that.

EDIT: Managed to find where the errors are going, they go in /var/log/syslog.

This is the errror I get:

Code: Select all

OpenSSL: error:0A00018E:SSL routines::ca md too weak
Cannot load certificate file /home/user/.vpn/home/home.crt

From what I gather I need to use an older client. How would I go about downgrading the client? I suppose the other option is to upgrade the server and redo all the cert stuff but that's a pain. I remember it being quite painstaking to set this up originally. They really don't make this easy.

[rossdv8]

What do you mean by 'VPN to my house'?

Which VPN company are you using? Nord, PIA, ExpressVPN or some other mob?

[Red Squirrel]

Not going through a company, just VPNing directly from my work to my house so I can access my network. I have a separate machine at work that I use when it's quiet and sometimes want to access stuff off my network like my email, password manager etc. It worked before but I upgraded to the latest Mint so just trying to get it going again. The VPN does work if I just run it in command line, but I need to edit DNS manually and it times out every 5-10 minutes and I have to re-enter the password so it's not really usable. In the GUI it just fails right away when I try to connect after importing the same ovpn file that works in command line.

[t42]

There is zero explanation what you are specifically doing, so start looking at your client log where disconnect or restart should be noted. Some other data to consider, openvpn client and server versions, cipher, command to connect etc. Probably GUI can't save in case of misconfiguration, if it is the case.

[rene]

It's this one, viewtopic.php?p=2290482, and the (right) solution will be to generate a new, modern certificate.

[Red Squirrel]

Hmm I was afraid of that. So guess that may mean I need to upgrade the VPN server and redo the certs, which is a pita. I guess the server and client versions have to match up more or less.

99% of my vpn use is for web related stuff, so I might even just take a different approach and setup a proxy, then I can use a SSH tunnel to access it. That should also be more future proof.

[rossdv8]

Still not quite following you.
In order:
Which 'VPN GUI' were you using before you upgraded Mint?

What 'VPN Server' was it connecting to?

Are you using OpenVPN and easy-rsa?

Are you using wireguard?

There are suggestions people might make about why your VPN stopped working, but without giving them info about how it was set up, there's no real way they can try to answer.

[rene]

Still not quite following you.

A VPN is a (v)irtual (p)rivate (n)etwork, i.e, a way to over the non-private internet connect a machine to a private LAN as if it were connected directly to said private LAN. A company c/would have one to allow staff to access the private company network resources from home and/or while on the road while not making said resources available directly from the internet, i.e., to the word at large, and conversely and as the matter here, a member of staff could have one to allow access to their home LAN from work and/or the road.

A VPN in that normal, original sense has little to nothing to do with the commercial "VPN" providers you mention; they act as little other than a proxy, with "VPN" just being the thereto used underlying technology. Poster had/has a normal, private VPN configured on a home system and with Mint 21 i.e. Ubuntu 22.04 now having deprecated the SHA1 certificate with which he has previously set up login to said own VPN now runs into this issue.

To poster: I clearly don't know how you generated your original certificate, supposedly easy-rsa indeed, but if you just consult whatever procedure it is that you used originally and simply redo the certificate generation you can just use that new certificate from then on and be done. Alternatively, if you're not worried about attacks on your home VPN you can do the tls-cipher=DEFAULT:@SECLEVEL=0 work-around described through the linked post. Even more alternatively: many/most not fully basic routers have VPN functionality built-in and you could use that rather than setting things up client-side (if you don't now already by the way; am noticing you might be from what you have specified; if so and if the router doesn't allow for a different cipher the @SECLEVEL=0 workaround for that connection would need to be it).

[rossdv8]

Poster had/has a normal, private VPN configured on a home system and with Mint 21 i.e. Ubuntu 22.04 now having deprecated the SHA1 certificate with which he has previously set up login to said own VPN now runs into this issue.

Thanks, I was wondering if that was the case.

[Red Squirrel]

Yeah this has nothing to do with commercial VPN providers, it's just a regular VPN like you'd use for work except in my case I'm VPNing to my house from work in order to access my network resources. (doing this on a separate network than the corporate network in case anyone wonders).

I don't recall how I set it up as it was a while back I just googled something like "how to setup openvpn server" and followed instructions, but given the cert type that server uses is considered unsafe I'm probably better off upgrading the VPN server anyway and going through it again from scratch if I decide to stick with VPN.

I do only allow my work IP to connect to the vpn server so I'm safe enough as far as direct attacks to the port goes, but still want safe ciphers of course to protect the actual traffic from potential snooping etc.