{"id":50852,"date":"2026-03-30T12:34:16","date_gmt":"2026-03-30T12:34:16","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=50852"},"modified":"2026-03-30T12:34:16","modified_gmt":"2026-03-30T12:34:16","slug":"fix-openvpn-connection-fail-in-ubuntu-26-04","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2026\/03\/fix-openvpn-connection-fail-in-ubuntu-26-04\/","title":{"rendered":"Fix OpenVPN Immediate Connection Failure in Ubuntu 26.04"},"content":{"rendered":"

\"\"<\/p>\n

In Ubuntu 26.04 (Beta so far), OpenVPN connection does not work out-of-the-box due to a bug in AppArmor. Here’s a quick workaround to fix the issue.<\/p>\n

For security reason, Ubuntu by default uses AppArmor (Application Armor), a Linux Kernel security mode, to restrict programs’ capabilities for file access, networking and permissions.<\/p>\n

<\/p>\n

It uses a list of profiles under \/etc\/apparmor.d<\/code> directory to define and restrict the applications’ capabilities. And, AppArmor in Ubuntu since 25.04 added a profile for openvpn to restrict its capabilities.<\/p>\n

\"\"<\/p>\n

When import or create a OpenVPN connection, and then connect to the VPN, the Network Manager will copy the certificate keys into memory (\/run<\/code> directory). However, the new AppArmor profile in 26.04 does not allow openvpn<\/code> to access the files there.<\/p>\n

So, it immediately return “connection failed”, and the \/var\/log\/syslog<\/code> file will show you something like below:<\/p>\n

2026-03-30T04:47:32.996275-07:00 Resolute nm-openvpn[70487]: Cannot pre-load keyfile (\/run\/NetworkManager\/cert\/NVIziP)
\n2026-03-30T04:47:32.996332-07:00 Resolute nm-openvpn[70487]: Exiting due to fatal error
\n2026-03-30T04:47:32.996558-07:00 Resolute kernel: audit: type=1400 audit(1774871252.994:2433): apparmor=”DENIED” operation=”open” class=”file” profile=”openvpn” name=”\/run\/NetworkManager\/cert\/NVIziP” pid=70487 comm=”openvpn” requested_mask=”r” denied_mask=”r” fsuid=0 ouid=0<\/i><\/p><\/blockquote>\n

Apparently, the issue is that AppArmor denied openvpn from accessing the \/run\/NetworkManager\/cert\/NVIziP<\/code> file.<\/p>\n

\"\"

AppArmor denied openvpn from accessing the key file<\/p><\/div>\n

And, the solution is simply add read access to the files under \/run\/NetworkManager\/cert<\/code> directory for openvpn<\/b>.<\/p>\n

It’s said that the issue has been fixed in version 5.0.0~beta1-0ubuntu3<\/code> according to this bug report<\/a>, though it still occurs in my case, so I write a workaround via the steps below.<\/p>\n

1. Edit the AppArmor profile.<\/b><\/p>\n

First, press Ctrl+Alt+T<\/code> to open terminal. When terminal opens, run the command below to navigate to AppArmor config files directory and list all the default profiles.<\/p>\n

cd \/etc\/apparmor.d\/ && ls<\/pre>\n
There you’ll see the openvpn<\/code> config file.<\/p>\n
\"\"<\/p>\n
To edit it, run command:<\/p>\n
sudo gnome-text-editor \/etc\/apparmor.d\/openvpn<\/pre>\n
Tips: Here gnome-text-editor<\/code> is for the default GNOME, replace it with your desktop text editor, or use nano<\/code> that works in most desktops.<\/p>\n
2. Add read access<\/b><\/p>\n
When file opens in text editor, add the line file r \/run\/NetworkManager\/cert\/*,<\/code> between the main section, so it will look like:<\/p>\n
profile openvpn \/usr\/sbin\/openvpn flags= ( ... ) {\r\n    ...\r\n    ...\r\n    file r \/run\/NetworkManager\/cert\/*,<\/b>\r\n    ...\r\n    ...\r\n}<\/pre>\n
It tells to allow read access to any files under \/run\/NetworkManager\/cert<\/code> directory. Remember to add comma (,) in line end.<\/b><\/p>\n
To be strict, use file r @{run}\/NetworkManager\/cert\/@{rand6},<\/b> instead, so it only has read access to any 6-character name files under that directory.<\/p>\n
\"\"<\/p>\n
3. Apply Changes<\/b><\/p>\n
After made changes to the AppArmor profiles, restart the service to reload the rules:<\/p>\n
sudo systemctl restart apparmor.service<\/pre>\n
Finally, try to connect to your OpenVPN and hope it works!<\/p>","protected":false},"excerpt":{"rendered":"
In Ubuntu 26.04 (Beta so far), OpenVPN connection does not work out-of-the-box due to a bug in AppArmor. Here’s a quick workaround to fix the issue. For security reason, Ubuntu by default uses AppArmor (Application Armor), a Linux Kernel security mode, to restrict programs’ capabilities for file access, networking and permissions.<\/p>\n","protected":false},"author":1,"featured_media":43605,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[1317,2059],"class_list":["post-50852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-network","tag-vpn"],"_links":{"self":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/50852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/comments?post=50852"}],"version-history":[{"count":0,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/posts\/50852\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media\/43605"}],"wp:attachment":[{"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/media?parent=50852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/categories?post=50852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ubuntuhandbook.org\/index.php\/wp-json\/wp\/v2\/tags?post=50852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}