Windows, Linux and Other Experiences
This is about problems I have already had and the solutions to them.
Sunday, 15 February 2026
KAGIS IR profile Fire TV remote control
Friday, 13 February 2026
Yunohost fix userlogin peertube via ldap
Using Yunohost version 12.1.39 with PeerTube 8.0.2, and also after a clean reinstall, I can't log in with my Yunohost users. So after some research I found the simple trick of putting the correct information in the plugin configuration, and it just works.
Mind that if you install PeerTube with your Yunohost user, the email address of this user becomes that of the root user, which is created during installation. If you want to use your own Yunohost account separately, you have to change the admin email address to another one!
To set the correct configuration for ldap-auth so you can log in with your Yunohost users without creating them separately, log in with your root user, go to Administration->Settings->Plugins/Designs->auth-ldap and enter:
URL: ldap://localhost:389
Bind DN: [NULL]
Bind password: [NULL]
Search base: dc=yunohost,dc=org
Filter (already was in there in my case): (|(mail={{username}})(uid={{username}}))
Mail property (already was in there in my case): mail
Mail property index (already was in there in my case): 0
Username property (already was in there in my case): uid
Group base: [NULL]
Group filter: (member={{dn}})
Administrator group DN: [NULL]
Moderator group DN: [NULL]
User group DN: [NULL]
Checkbox "No group matches login" keep unchecked
Then click Update settings and you should now be able to log in with your Yunohost users in PeerTube!
Yunohost Peertube Setup Wasabi S3 Storage
The storage cannot be configured in PeerTube's admin interface; you have to fall back to the console. I did the installation with Yunohost, and here it is mentioned that the configuration is made update-safe by creating a new file /var/www/peertube/config/local.yaml. If /var/www/peertube/config/production.yaml is edited directly, it will be overwritten on the next update.
Configuring Wasabi
First I create the bucket "peertube-data", then a new policy in my Wasabi account, so that if my configuration file leaks for whatever reason, access is granted only to this one S3 bucket and not to all buckets in my account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::peertube-data/*",
        "arn:aws:s3:::peertube-data"
      ]
    }
  ]
}
Then I create the user peertube and assign it only this one policy.
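The check below is an added example, not part of the original post: it confirms that every Allow statement in a policy stays inside the one bucket, and it reports that `s3:*` still grants every action on that bucket, which in the AWS policy grammar includes bucket-level ones such as `s3:DeleteBucket`. The names `audit_policy` and `as_list` and the second sample policy are constructed for illustration.

```python
import json

# Policy as given in the post (Wasabi accepts the AWS IAM policy grammar).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::peertube-data/*", "arn:aws:s3:::peertube-data"]}]}""")

# Constructed counter-example: narrow actions, but valid for every bucket.
LEAKY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::*"}]}""")


def as_list(value):
    """The policy grammar allows a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket):
    """Return (statement index, finding) pairs for Allow statements that
    reach beyond `bucket` or grant every S3 action on it."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotResource / NotAction invert the match and defeat scoping.
        if "NotResource" in stmt or "NotAction" in stmt:
            findings.append((i, "negated-element"))
        for res in as_list(stmt.get("Resource", [])):
            inside = res == bucket_arn or res.startswith(bucket_arn + "/")
            if not inside:
                findings.append((i, f"resource-outside-bucket:{res}"))
        for act in as_list(stmt.get("Action", [])):
            if act in ("*", "s3:*"):
                findings.append((i, f"wildcard-action:{act}"))
    return findings


if __name__ == "__main__":
    for name, pol in (("post", POLICY), ("leaky", LEAKY)):
        print(name, audit_policy(pol, "peertube-data"))
```

The policy from the post passes the resource check; the only finding is the wildcard action.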
Configuring PeerTube
Connect to the server via ssh and create the file:
vi /var/www/peertube/config/local.yaml
Then insert the following content, in my example for Wasabi's eu-central-2 (Frankfurt) storage:
object_storage:
  enabled: true
  endpoint: 's3.eu-central-2.wasabisys.com'
  region: 'eu-central-2'
  credentials:
    access_key_id: '<<access-key-id>>'
    secret_access_key: '<<long-secret-access-key>>'
  videos:
    bucket_name: 'peertube-data'
    prefix: 'videos/'
  streaming_playlists:
    bucket_name: 'peertube-data'
    prefix: 'streaming-playlists/'
  user_exports:
    bucket_name: 'peertube-data'
    prefix: 'user-exports/'
  original_video_files:
    bucket_name: 'peertube-data'
    prefix: 'original-video-files/'
  captions:
    bucket_name: 'peertube-data'
    prefix: 'captions/'
systemctl restart peertube
If everything is right, it looks like this:
...
info: Creating job to send video creation of https://tube.srv.com/videos/watch/bd77446b-2a00-4a11-8c2b-69a9faa1299f.
info: Creating job to send announce https://tube.srv.com/videos/watch/bd77446b-2a00-4a11-8c2b-69a9faa1299f/announces/3.
info: Creating job to send announce https://tube.srv.com/videos/watch/bd77446b-2a00-4a11-8c2b-69a9faa1299f/announces/1.
info: Notifying user usr of the publication of its video https://tube.srv.com/videos/watch/bd77446b-2a00-4a11-8c2b-69a9faa1299f.
...
Sources:
https://docs.wasabi.com/docs/how-do-i-set-up-wasabi-for-user-access-separation
Tuesday, 2 September 2025
Fixing “no shared cipher” with OpenVPN on Ubuntu 24.04 (NetworkManager)
Solution
If your VPN stopped working after upgrading to Ubuntu 24.04 and logs say “Data channel cipher negotiation failed (no shared cipher)”, set the data-ciphers list on your NetworkManager VPN connection to include both modern AEAD and legacy CBC ciphers.
(Works best when you can’t change the OpenVPN server. If you're just working with one server, it's easier to change the cipher on the server to a GCM cipher, because that's the default from version 2.5 on in OpenVPN.)
Add a universal cipher list:
nmcli connection modify "YOUR_VPN" +vpn.data "data-ciphers=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC"
Reconnect:
nmcli connection down "YOUR_VPN"
nmcli -w 60 connection up "YOUR_VPN" --ask
Optional (security warning fix):
nmcli connection modify "YOUR_VPN" +vpn.data "remote-cert-tls=server"
In many environments this single change is enough. Do not add compat-mode or data-ciphers-fallback via NetworkManager; those options are not supported there and can prevent the connection from starting.
Background
Ubuntu 24.04 ships OpenVPN 2.6. Defaults changed to AEAD ciphers (AES-GCM/ChaCha20), while many servers still require CBC (e.g., AES-128-CBC or AES-256-CBC).
NetworkManager’s OpenVPN plugin in 24.04 does not support compat-mode or data-ciphers-fallback, so adding those options breaks the profile.
Symptom in logs
AUTH: Received control message: AUTH_FAILED, Data channel cipher negotiation failed (no shared cipher)
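Why the default profile fails and the longer list connects, as an added example that is not part of the original post: a simplified model of data-channel cipher negotiation (the server picks the first cipher in its own list that the client also offers) plus a check of a profile's vpn.data for the options discussed here. The sample profiles, the `key = value, ...` input format and all function names are constructed assumptions.

```python
# OpenVPN 2.6 default data-ciphers (AEAD only), used when a profile sets none.
DEFAULT_26 = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
AEAD = set(DEFAULT_26.split(":"))
# Options the post says the Ubuntu 24.04 NetworkManager plugin rejects.
UNSUPPORTED = ("compat-mode", "data-ciphers-fallback")

# Constructed vpn.data strings in the "key = value, key = value" form.
BROKEN = ("ca = /etc/NetworkManager/openvpn-certs/ca.pem, "
          "compat-mode = 2.4, connection-type = tls")
FIXED = ("ca = /etc/NetworkManager/openvpn-certs/ca.pem, connection-type = tls, "
         "data-ciphers = AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:"
         "AES-256-CBC:AES-128-CBC, remote-cert-tls = server")


def parse_vpn_data(text):
    """Split 'key = value, key = value' into a dict."""
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def negotiate(server_ciphers, client_ciphers):
    """Return the first server cipher the client also offers, or None
    (the 'no shared cipher' case)."""
    offered = set(client_ciphers.split(":"))
    return next((c for c in server_ciphers.split(":") if c in offered), None)


def audit(vpn_data, server_ciphers):
    """List problems with a profile when talking to the given server."""
    data = parse_vpn_data(vpn_data)
    findings = [f"unsupported option: {k}" for k in UNSUPPORTED if k in data]
    chosen = negotiate(server_ciphers, data.get("data-ciphers", DEFAULT_26))
    if chosen is None:
        findings.append("no shared cipher")
    elif chosen not in AEAD:
        findings.append(f"legacy cipher negotiated: {chosen}")
    if data.get("remote-cert-tls") != "server":
        findings.append("remote-cert-tls=server not set")
    return findings


if __name__ == "__main__":
    for profile in (BROKEN, FIXED):
        print(audit(profile, "AES-128-CBC"))  # CBC-only legacy server
```

Against a server that also offers AES-256-GCM, the fixed profile negotiates the AEAD cipher and the CBC entries are never used.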
Reference: Step-by-step fix and troubleshooting
Verify current VPN settings (NetworkManager)
Show OpenVPN key/values:
nmcli -f connection.id,type,vpn.data connection show "YOUR_VPN"
If you see compat-mode or data-ciphers-fallback in vpn.data, remove them:
nmcli connection modify "YOUR_VPN" -vpn.data "compat-mode=2.4"
nmcli connection modify "YOUR_VPN" -vpn.data "data-ciphers-fallback=AES-128-CBC"
Set the cipher list (works for both modern and legacy servers)
Recommended universal list:
nmcli connection modify "YOUR_VPN" +vpn.data "data-ciphers=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC:AES-128-CBC"
If your server explicitly requires a specific CBC cipher/HMAC and may have NCP disabled, set them explicitly too:
nmcli connection modify "YOUR_VPN" +vpn.data "cipher=AES-128-CBC,auth=SHA256"
Replace AES-128-CBC/SHA256 with what your server actually uses (e.g., AES-256-CBC, SHA512).
Fix common warnings and file permission issues
Remove “group or others accessible” warnings and avoid AppArmor denials by moving certs/keys out of $HOME and locking permissions:
sudo mkdir -p /etc/NetworkManager/openvpn-certs
sudo cp /path/to/ca.pem /etc/NetworkManager/openvpn-certs/
sudo cp /path/to/cert.pem /etc/NetworkManager/openvpn-certs/
sudo cp /path/to/cert.key /etc/NetworkManager/openvpn-certs/
sudo chmod 600 /etc/NetworkManager/openvpn-certs/*
Update your VPN profile to point to these new paths:
nmcli connection modify "YOUR_VPN" +vpn.data "ca=/etc/NetworkManager/openvpn-certs/ca.pem,cert=/etc/NetworkManager/openvpn-certs/cert.pem,key=/etc/NetworkManager/openvpn-certs/cert.key"
Enable server cert verification to remove the MITM warning:
nmcli connection modify "YOUR_VPN" +vpn.data "remote-cert-tls=server"
Optionally enforce modern TLS:
nmcli connection modify "YOUR_VPN" +vpn.data "tls-version-min=1.2"
Reconnect and watch logs live
Reconnect:
nmcli connection down "YOUR_VPN"
nmcli -w 60 connection up "YOUR_VPN" --ask
Live logs:
sudo journalctl -b -u NetworkManager -t nm-openvpn -n 100 -f
or only the tag, simplified:
sudo journalctl -f -t nm-openvpn -o cat
If you still see “no shared cipher,” double‑check that:
The cipher in data-ciphers actually matches what the server allows (e.g., AES-128-CBC).
If the server disables NCP, you may need to set both cipher and auth explicitly (see step 2).
Your keys/certs are readable by root-only (600) and accessible (no AppArmor denials).
Alternative: Use the native OpenVPN client (bypass NetworkManager)
Be aware that no GUI is available out of the box.
If you want to avoid NetworkManager quirks entirely, you can run OpenVPN directly.
Run:
sudo openvpn --config /etc/openvpn/client/your.conf
Notes and caveats
NetworkManager OpenVPN plugin in Ubuntu 24.04 does not support compat-mode and data-ciphers-fallback; adding them stops the connection from starting.
The simplest reliable fix within NM is to set data-ciphers to a list that includes the server’s CBC option.
If you manage the server, consider migrating to AEAD (AES-GCM/ChaCha20-Poly1305). It’s safer and faster, and aligns with OpenVPN 2.6 defaults.