# openvpn and networkmanager-openvpn

## Princess Nell

I'm evaluating openvpn as a possible replacement for Cisco vpn. The Gentoo client as such works, but there are some kinks to be ironed out.

First of all, why is openvpn so slow establishing connections? Getting a connection to the Cisco vpn server approx. 8500km away takes around three seconds from pressing return after entering the password. With openvpn, it takes a full minute to connect to a server less than 10km (geographically) away.

Here's a partial log from running "openvpn client.conf". We can see a 17s delay between TLS: initial packet and VERIFY, and another 37s delay between VERIFY EKU and Data Channel Encrypt. What takes so long? Once the connection is established, it's very snappy and much more responsive than the Cisco connection. Server HW is a 3GHz/2GB RAM box running OBSD, client is 2GHz/2GB RAM Gentoo.

```
...
Wed Jun 22 23:18:11 2011 UDPv4 link remote: xx.xx.xx.xx:1194
Wed Jun 22 23:18:11 2011 TLS: Initial packet from xx.xx.xx.xx:1194, sid=374a76c5 4da0843d
Wed Jun 22 23:18:28 2011 VERIFY OK: depth=1, /C=XX/ST=YYYY/....
Wed Jun 22 23:18:28 2011 Validating certificate key usage
Wed Jun 22 23:18:28 2011 ++ Certificate has key usage  00a0, expects 00a0
Wed Jun 22 23:18:28 2011 VERIFY KU OK
Wed Jun 22 23:18:28 2011 Validating certificate extended key usage
Wed Jun 22 23:18:28 2011 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jun 22 23:18:28 2011 VERIFY EKU OK
Wed Jun 22 23:18:28 2011 VERIFY OK: depth=0, /C=XX/ST=YYYY/.....
Wed Jun 22 23:19:05 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
...
```

Another problem is networkmanager. I installed networkmanager-openvpn, but cannot figure out how to translate the working client.conf into a working nm configuration. Any connection attempt fails.

```
client
dev tun
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/client1.crt
key /tmp/openvpn/client1.key
comp-lzo
verb 3
auth-user-pass
remote-cert-tls server
auth-nocache
```

I followed http://live.gnome.org/NetworkManager/Debugging and created a 300kb+ debug log file, but cannot see anything failing in an obvious way. The only thing obvious and IMHO bogus was this:

```
Wed Jun 22 23:01:56 2011 us=491372 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
```

This is why "remote-cert-tls server" is in client.conf (although it works without), but I cannot see how to configure nm-openvpn accordingly.

Any help would be appreciated.
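The 17s and 37s gaps above were read off the log by hand. The following is an added example (not from the post or from OpenVPN itself) that parses the timestamp format OpenVPN uses at `verb 3` (with or without the `us=` microsecond field) and reports every gap above a threshold together with the messages on either side, so a stalled handshake can be located in a long log. The sample log lines are constructed to mirror the post's output; the address is a documentation-range placeholder.

```python
import re
from datetime import datetime

# Constructed sample modelled on the client log quoted in the post above.
SAMPLE_LOG = """\
Wed Jun 22 23:18:11 2011 UDPv4 link remote: 192.0.2.10:1194
Wed Jun 22 23:18:11 2011 TLS: Initial packet from 192.0.2.10:1194, sid=374a76c5 4da0843d
Wed Jun 22 23:18:28 2011 VERIFY OK: depth=1, /C=XX/ST=YYYY/CN=ca
Wed Jun 22 23:18:28 2011 VERIFY EKU OK
Wed Jun 22 23:18:28 2011 VERIFY OK: depth=0, /C=XX/ST=YYYY/CN=server
Wed Jun 22 23:19:05 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 22 23:19:06 2011 Initialization Sequence Completed
"""

# "Wed Jun 22 23:18:11 2011", optionally followed by "us=491372" (--verb >= 4 / NM logs).
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})(?: us=(\d+))? (.*)$")


def parse_line(line):
    """Return (datetime, message) for an OpenVPN log line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    if m.group(2):
        ts = ts.replace(microsecond=int(m.group(2)))
    return ts, m.group(3)


def find_stalls(log_text, threshold_s=5.0):
    """Return (gap_seconds, message_before, message_after) for every gap >= threshold."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    stalls = []
    for (t0, m0), (t1, m1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if gap >= threshold_s:
            stalls.append((gap, m0, m1))
    return stalls


def total_setup_seconds(log_text):
    """Seconds from the first timestamped line to the last one (here: link up to init complete)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return (events[-1][0] - events[0][0]).total_seconds() if events else 0.0


if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE_LOG):
        print(f"{gap:5.1f}s stall between: {before[:40]!r} -> {after[:40]!r}")
    print(f"total setup: {total_setup_seconds(SAMPLE_LOG):.0f}s")
```

A gap that sits between the first TLS packet and the first VERIFY line is time spent waiting for the server's handshake reply, which points at the path (NAT, filtering, fragmentation) rather than at certificate checks or cipher setup on either host.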

----------

## gerdesj

I use OVPN for a very large number of systems.  Windows (XP->2008R2), BSD (pfSense) and Linux (Gentoo).

I've never seen setup times in that range - a few seconds (<5) is normal. Geographical displacement has very little to do with the speed of electrical/light signals down network lines!

On the off chance it helps, this is the config I use pretty much everywhere:

```
##############################################
# BLL01, client OpenVPN config
# JG 18 July 2008
##############################################
cert gerdesj-jglaptop.crt
key gerdesj-jglaptop.key
##############################################
client
dev tun
remote-random
ca ca.crt
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
mute 10
remote <IP> 1194 tcp
remote <IP> 1194 tcp
remote <IP> 1194 tcp
```

My use of TCP rather than UDP is another difference - but I'd like to move back to UDP (it's a long story!!)

I don't bother with network manager - it's another layer of complexity. It is handy for WiFi though (prettier than a text editor), but I still don't use it.

Cheers

Jon

----------

## Princess Nell

After a bit of googling, it looks like the network manager problem is really just a consequence of the long setup time. There seems to be a built-in timeout that cannot be customised and is too short in this situation.

----------

## Princess Nell

Turns out the problem was my home firewall. It wasn't the pf configuration, but NAT wasn't working correctly with a custom kernel. Reverting to the generic kernel got rid of the delay.

----------

