After upgrading my system to Fedora 38 I had some weird issues with a previously working OpenVPN connection. Since I found no documentation on these problems, I hope this post may help somebody out there.

No access to TLS-Auth certificate

My connection uses TLS-Auth. Although all certificates were correct, NetworkManager could not open the connection. Checking the logs, I saw that NetworkManager failed to open the certificate file. The permissions of the file were correct (chmod 600).

# journalctl -u NetworkManager
nm-openvpn[19642]: Cannot pre-load keyfile (/home/user/.vpn/tlscrypt.pem

The problem for me was that SELinux denied openvpn access to the key file. You can check all SELinux denials by running ausearch -m avc. Running setenforce 0 temporarily switches SELinux to permissive mode, so denials are still logged but no longer enforced. As a permanent fix, add an allow rule to SELinux as described in this post.
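To narrow the ausearch -m avc output down to the denials that concern openvpn, the following added example (not part of the original post) parses AVC records and groups the denied permissions per target file. The sample records, including the SELinux types user_home_t and openvpn_t and the process name exampled, are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc` output; all values are illustrative.
SAMPLE = """\
----
time->Fri May 19 10:15:02 2023
type=AVC msg=audit(1684484102.311:412): avc:  denied  { read } for  pid=19642 comm="openvpn" name="tlscrypt.pem" dev="dm-2" ino=393301 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Fri May 19 10:21:47 2023
type=AVC msg=audit(1684484507.902:431): avc:  denied  { open } for  pid=19810 comm="openvpn" path="/home/user/.vpn/tlscrypt.pem" dev="dm-2" ino=393301 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
----
time->Fri May 19 10:30:00 2023
type=AVC msg=audit(1684485000.100:450): avc:  denied  { getattr } for  pid=2100 comm="exampled" path="/tmp/x" dev="tmpfs" ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def denials_for(text, comm):
    """Group denied permissions by (file name, target type, class) for one process."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get('comm') == comm:
            # Records carry either path= (full path) or name= (last component).
            target = os.path.basename(rec.get('path') or rec.get('name', '?'))
            ttype = rec['tcontext'].split(':')[2]
            summary[(target, ttype, rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (name, ttype, tclass), perms in denials_for(SAMPLE, "openvpn").items():
        print(f"openvpn denied {perms} on {tclass} {name} (type {ttype})")
```

On a real system, feed the function the text produced by ausearch -m avc instead of SAMPLE.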

Failed to load larger (or encrypted) web-pages

After I fixed the TLS authentication issue, I ran into another problem. I could ping servers on the VPN and load small web-pages, but anything with TLS on it or larger web-pages failed. By analyzing the connection with Wireshark I saw that it breaks after the TLS-Cipher handshake.

The reason for this behavior was an incorrectly set MTU on the OpenVPN connection. I am on a DS-Lite DSL, so the full 1492 bytes are not available for every TCP packet. Manually reducing the MTU to 1400 bytes in the OpenVPN config fixed the issue.