skip to content
Home

Computing

 

OpenVPN troubleshooting

Basic troubleshooting steps

  • First of all, reboot the machine and try again.
  • If you are using Windows, make sure you are running the latest version of the OpenVPN software. The latest can be downloaded from https://openvpn.net/community-downloads/ .
  • If you are using Windows and can start the OpenVPN GUI but get no 'Connect' option then your installation is missing its config files, or they are in the wrong place, or have been given the wrong names. Download the Windows config file and copy it into your OpenVPN 'config' directory C:\Users\<your username>\OpenVPN\config .
  • Make sure you are actually connected to the VPN by visiting https://apps.ch.cam.ac.uk/vpn/vpn-test
  • If the VPN software won't accept your password then check you are typing the right one:
    • ChemNet token, in which case your username for OpenVPN is your crsid followed by @ch.2021.cam.ac.uk
    • Admitto password, in which case your username for OpenVPN is your crsid (your Admitto username)
    • You cannot use your Raven password to connect to this service
(Show all answers)

Windows fails to connect after using 'Import File'

If you use the Import File option in the Windows OpenVPN software and then try to connect, you might see a message that 'Connecting to chemistry-win10-token has failed'. If you then View Log in OpenVPN, the logfile then includes messages such as

WARNING: cannot stat file 'credentials.txt': The system cannot find the file specified  (errno=2)

Options error: --auth-user-pass fails with 'credentials.txt': No such file or directory (errno=2)

This is because after using Import File, OpenVPN will store the imported file in a new folder inside c:\users\<your username>\openvpn\config\ , such as c:\users\<your username>\openvpn\config\chemistry-win10-token\ . You then need to make sure you have moved the credentials.txt file you downloaded into that directory, which will also contain an OVPN file with the same name as the folder. After doing this the result should be similar to the screenshot below.

Windows reports "Connecting to management interface failed"

When trying to connect using a Windows computer using an old version of the OpenVPN software, you might see a message similar to the picture below when you try to connect:

Upon opening the log file, you may also see a message about an Options error similar to:

Options error: Unrecognized option or missing or extra parameter(s) in chemistry-win10-token.ovpn:5: data-ciphers (2.4.12)
Use --help for more information.

If you see this error, you need to update the OpenVPN software you have installed by going to https://openvpn.net/community-downloads/ and then downloading and running the most recent installer.

Windows reports 'There already exists a config file ....'

When opening OpenVPN on Windows, you may see a message that 'There already exists a config file named chemistry-win10-token.ovpn. You cannot have multiple config files with the same name, even if they reside in different folders'.

If you see this message:

  1. Click OK, and close the OpenVPN software (locate its icon in the tray at the bottom right, right-click the icon and select Exit).
  2. Browse to c:\program files\openvpn\config and delete all of the files in the directory
  3. Start the OpenVPN software and you should now be able to connect as normal.

Using a Mac and Tunnelblick warns 'One or more VPN configurations ... were not recognized by Tunnelblick'

When trying to import the Tunnelblick config file using an old version of the software, you may seen a warning similar to that shown below.

Click 'Cancel'. Then go to https://tunnelblick.net/downloads.html , download and run the latest stable Tunnelblick installer, and then import the configuration file.

Using a Mac and getting the warning 'apparent public IP address was not different after connecting'

This warning appears when connecting using newer versions of Tunnelblick with our latest configuration files. It is a warning, not an error. It happens because our default VPN configuration only sends network traffic destined for the University of Cambridge over the VPN link, whereas all other traffic goes direct to its destination. This setup gives the best network performance for videoconferencing, while still allowing you to access University-only resources. There are two ways to avoid the warning:

  • Disable the IP address checking feature using the checkbox on the "Preferences" panel of Tunnelblick's "VPN Details" window.
  • Switch to using a 'Full Tunnel' configuration file. This will send all your network traffic via Chemistry's network when the VPN is on and may be slower. Full tunnel configuration can be downloaded from https://downloads.ch.cam.ac.uk/vpn/latest/mac/chemistry-full-tunnel.tblk...

Unable to access some resources even though the VPN is definitely running

The VPN can be configured in two different modes

  • full tunnel, where all traffic is routed over the VPN. This is very secure, but slows down your network connection.
  • split tunnel, where only traffic whose destination is within the University is routed over the VPN. Everything else goes via your usual network connection.

Split tunnel mode is the most suitable for remote work because you are much less likely to experience problems when using high bandwidth applications such as video conferencing. However there are a few resources that can only be accessed remotely with a full tunnel. Configuration file versions for both full and split tunnels are available from https://downloads.ch.cam.ac.uk/vpn/latest/ . If you need a full tunnel, make sure you are using the appropriate configuration file.

Getting full tunnel despite using split tunnel config file

Some client software will set up a full tunnel even if given a split tunnel configuration file. If you are experiencing this problem please ensure you have the very latest split tunnel configuration file version, which can be found at https://downloads.ch.cam.ac.uk/vpn/latest/ . This fixes the issue for some clients. 

Linux in particular tends to set up a full tunnel no matter what config file you use. If you are using Network Manager to configure the VPN (most people will be) then go to the IPv4 tab and tick 'Use this connection only for resources on its network' box. This will set up the routing correctly for a split tunnel, but won't configure your default DNS to use the Department DNS servers, which is necessary for getting access to anything with a name ending .ch.private.cam.ac.uk . How to set your DNS varies between Linux distributions. The DNS servers to use are 131.111.112.138, 131.111.115.208, 131.111.112.9 . 

Feel free to consult the computer officers if you need more help.

Our detailed test results for split versus full tunnelling for various clients can be found at https://docs.google.com/spreadsheets/d/1VWrN7BA9o3UelssVjjHDRJjK_XW-dja9...

Connection drops after a period of inactivity

Make sure your device isn't going to sleep. The VPN needs to communicate with the server once per hour to maintain the connection.

VPN connects but runs very slowly

Some networks and computers do not work well with the Chemistry OpenVPN default settings. A common symptom is that basic network connectivity is OK, but loading large web pages is very slow or doesn't work at all. If you are having performance problems when connected to the Chemistry VPN it can be worth trying some of the suggestions below. Whether they help or make things worse depends a great deal on the network you are connected to, so only try these if you are having real problems. They require altering your OpenVPN config file. Make sure to back up the original file before you change it.

Do not try more than one of these suggestions at once because some combinations are incompatible.

  • Try using TCP rather than UDP to connect. This leads to lower performance overall, but can work around certain kinds of network problem. To do that you need to do one of the following:
    • Download a TCP configuration file from https://downloads.ch.cam.ac.uk/vpn/latest/ and install it into your client
    • If you have a config file you can edit, replace the line "proto udp" in your config file with "proto tcp" 
    • If your client provides a GUI for configuration look for an option saying something like "Use a TCP connection" and turn it on
  • Set the link-mtu setting to a lower number than the default 1500. 1300 is a good place to start. Not all OpenVPN software supports this option so you may find you can't do this. Setting it will lead to complaints from your client about a settings mismatch with the server, but has been observed to help on some networks. Either:
    • Edit your config file and add a line saying "link-mtu 1300" . It can go anywhere in the config file.
    • If your client provides a GUI for configuration look for an option saying something like "Use custom link maximum transmission unit", turn it on, and set the MTU value to 1300.
  • Set the tun-mtu setting to a lower number than the default 1500. 1300 is a good place to start. This will lead to complaints from your client about a settings mismatch with the server, but has been observed to help on some networks. To do that, do one of the following:
    • Edit your config file and add a line saying "tun-mtu 1300" . It can go anywhere in the config file.
    • If your client provides a GUI for configuration look for an option saying something like "Use custom tunnel maximum transmission unit", turn it on, and set the MTU value to 1300.
  • Set the mssfix parameter. This is relatively new and not available in all OpenVPN software. Try one of these:
    • Edit your config file and add a line saying "mssfix 1300"
    • If your client provides a GUI for configuration look for an option saying something like "Restrict tunnel TCP maximum segment size" and turn it on. If you can set a number for the maximum segment size try 1300.

Linux (network manager) reports "Cannot import VPN connection"

When trying to import one of the split-tunnel config files, Network Manager reports "Cannot import VPN connection" with a dialog box similar to the following:

This is because setting up a split tunnel configuration using Network Manager requires manual steps beyond importing one of our config files. For most Linux users we recommend using a full tunnel configuration by downloading and importing this configuration file.

Problems with Tunnelblick August 2023

As of August 2023, we are aware of some problems with Tunnelblick version 3.8.8d and 3.8.8c. If you have any difficulty connecting with those versions, please uninstall Tunnelblick and download and install 3.8.8b from https://tunnelblick.net/downloadsDeprecated.html

System status 

System monitoring page

Can't find what you're looking for?

Then you might find our A-Z site index useful. Or, you can search the site using the box at the top of the page, or by clicking here.

Study at Cambridge

About the University

Research at Cambridge