After upgrading my system to Fedora 38, I had some weird issues with a previously working OpenVPN connection. Since I found no documentation on these problems, I hope this post may help somebody out there.
No access to TLS-Auth certificate
My connection uses TLS-Auth. Although all certificates were correct, NetworkManager could not open the connection. Checking the logs, I saw that NetworkManager failed to open the certificate file. The permissions of the file were correct (
# journalctl -u NetworkManager
nm-openvpn[19642]: Cannot pre-load keyfile (/home/user/.vpn/tlscrypt.pem
The problem for me was that SELinux denied openvpn access to the key file. You can check all SELinux denials by running ausearch -m avc. Running setenforce 0 disables SELinux enforcement temporarily (permissive mode). As a permanent fix, add an allow rule to SELinux as described in this post.
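Before adding an allow rule, it helps to see exactly what the denials would permit. The following is an added example, not part of the original post: a small shell function (summarize_avc is a hypothetical name) that condenses raw AVC records for one command into candidate allow rules. The sample records, including the user_home_t label on the key file, are constructed for illustration.

```shell
#!/bin/sh
# Summarize SELinux AVC denials for one command as candidate allow rules.
# On a live system (as root): ausearch -m avc --raw | summarize_avc openvpn
summarize_avc() {
  awk -v want="comm=\"$1\"" '
    /avc: +denied/ && index($0, want) {
      # The denied permissions sit between the first "{" and "}".
      o = index($0, "{"); c = index($0, "}")
      n = split(substr($0, o + 1, c - o - 1), perm, " ")
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " " tgt ":" cls
      if (!(key in rule)) { order[++k] = key; rule[key] = "" }
      # Merge permissions per (source type, target type, class), no duplicates.
      for (i = 1; i <= n; i++)
        if (!seen[key, perm[i]]++) rule[key] = rule[key] " " perm[i]
    }
    END { for (j = 1; j <= k; j++) print "allow " order[j] " {" rule[order[j]] " };" }
  '
}

# Constructed sample records (not taken from a real system).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=4242 comm="openvpn" name="tlscrypt.pem" dev="dm-0" ino=1001 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { open } for  pid=4242 comm="openvpn" path="/home/user/.vpn/tlscrypt.pem" dev="dm-0" ino=1001 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.303:503): avc:  denied  { write } for  pid=900 comm="cupsd" name="spool" dev="dm-0" ino=2002 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc openvpn
```

A rule on a type such as user_home_t applies to every file carrying that label, not only the key file, so the summary is worth reading before any module is installed.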
Failed to load larger (or encrypted) web-pages
After I fixed the TLS authentication issue, I ran into another problem. I could ping servers on the VPN and load small web-pages, but anything with TLS on it or larger web-pages failed. By analyzing the connection with Wireshark I saw that it breaks after the TLS-Cipher handshake.
The reason for this behavior was an incorrectly set MTU on the OpenVPN connection. I am on a DS-Lite DSL, so the full 1492 bytes are not available for every TCP packet. Manually reducing the MTU to 1400 bytes in the OpenVPN config fixed the issue.