Openvpn android tls error

kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Unable to connect with Openvpn server (TLS Error)

Hello members, I have recently installed an OpenVPN server on my Arch 4.4.5-1 i686 GNU/Linux home machine.

Apparently the server is running OK, as the output shows:
[screenshot]

My server config:

port 1194
proto udp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/homeserver.crt
key /etc/openvpn/certs/homeserver.key
dh /etc/openvpn/certs/dh2048.pem
tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo

max-clients 2

user nobody
group nobody

persist-key
persist-tun

#log /var/log/openvpn.log
#status /var/log/openvpn-status.log
verb 5
mute 20

#client-config-dir ccd

and the client config:

client
remote
ca /root/easy-rsa/keys/ca.crt
cert /root/easy-rsa/keys/kelsinni.crt
key /root/easy-rsa/keys/kelsinni.key
cipher DES-EDE3-CBC
comp-lzo yes
dev tun
proto udp
tls-auth /root/easy-rsa/keys/ta.key 1
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup

When I try to connect to my server from my Android phone (with the OpenVPN for Android app installed), using the respective imported keys and cert (ca.crt; kelsinni.crt; kelsinni.key), I always get the same TLS error:
[screenshot]

I have double-checked all the configs but still get this same error every time... can anyone please give me a tip about the source of this problem?
Thanks in advance for all the help given...



Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)


by Traffic » Tue Apr 12, 2016 2:50 pm

Try --comp-lzo yes in your server as well ..


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)


by kelsini » Tue Apr 12, 2016 6:47 pm

Traffic wrote: Try --comp-lzo yes in your server as well ..

Hello... first of all, thanks for your reply.
I have changed my server config as you said...


client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes

max-clients 2

user nobody
group nobody

...but I am still getting the exact same error when trying to access my server with my smartphone... :(



Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)


by Traffic » Tue Apr 12, 2016 7:23 pm

Please post your complete server log showing the failure (remove private data)


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)


by kelsini » Tue Apr 12, 2016 9:34 pm

Traffic wrote: Please post your complete server log showing the failure (remove private data)

Here it is:

2016-04-12 22:12:23 compilação oficial 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)
 2016-04-12 22:12:23 A preparar a configuração...
 2016-04-12 22:12:23 started Socket Thread
 2016-04-12 22:12:24 Current Parameter Settings:
 2016-04-12 22:12:24   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
 2016-04-12 22:12:24   mode = 0
 2016-04-12 22:12:24   show_ciphers = DISABLED
 2016-04-12 22:12:24   show_digests = DISABLED
 2016-04-12 22:12:24   show_engines = DISABLED
 2016-04-12 22:12:24   genkey = DISABLED
 2016-04-12 22:12:24   key_pass_file = '[UNDEF]'
 2016-04-12 22:12:24   show_tls_ciphers = DISABLED
 2016-04-12 22:12:24   connect_retry_max = 5
 2016-04-12 22:12:24 Connection profiles [0]:
 2016-04-12 22:12:24   proto = udp
 2016-04-12 22:12:24   local = '[UNDEF]'
 2016-04-12 22:12:24   local_port = '1194'
 2016-04-12 22:12:24   remote = 'XXXXXXXXX (My DNS)'
 2016-04-12 22:12:24   remote_port = '1194'
 2016-04-12 22:12:24   remote_float = DISABLED
 2016-04-12 22:12:24   bind_defined = DISABLED
 2016-04-12 22:12:24   bind_local = ENABLED
 2016-04-12 22:12:24   bind_ipv6_only = DISABLED
 2016-04-12 22:12:24   connect_retry_seconds = 5
 2016-04-12 22:12:24   connect_timeout = 240
 2016-04-12 22:12:24   socks_proxy_server = '[UNDEF]'
 2016-04-12 22:12:24   socks_proxy_port = '[UNDEF]'
 2016-04-12 22:12:24   socks_proxy_retry = DISABLED
 2016-04-12 22:12:24   tun_mtu = 1500
 2016-04-12 22:12:24   tun_mtu_defined = ENABLED
 2016-04-12 22:12:24   link_mtu = 1500
 2016-04-12 22:12:24   link_mtu_defined = DISABLED
 2016-04-12 22:12:24   tun_mtu_extra = 0
 2016-04-12 22:12:24   tun_mtu_extra_defined = DISABLED
 2016-04-12 22:12:24   mtu_discover_type = -1
 2016-04-12 22:12:24   fragment = 0
 2016-04-12 22:12:24   mssfix = 1450
 2016-04-12 22:12:24   explicit_exit_notification = 0
 2016-04-12 22:12:24 Connection profiles END
 2016-04-12 22:12:24   remote_random = DISABLED
 2016-04-12 22:12:24   ipchange = '[UNDEF]'
 2016-04-12 22:12:24   dev = 'tun'
 2016-04-12 22:12:24   dev_type = '[UNDEF]'
 2016-04-12 22:12:24   dev_node = '[UNDEF]'
 2016-04-12 22:12:24   lladdr = '[UNDEF]'
 2016-04-12 22:12:24   topology = 1
 2016-04-12 22:12:24   tun_ipv6 = DISABLED
 2016-04-12 22:12:24   ifconfig_local = '[UNDEF]'
 2016-04-12 22:12:24   ifconfig_remote_netmask = '[UNDEF]'
 2016-04-12 22:12:24   ifconfig_noexec = DISABLED
 2016-04-12 22:12:24   ifconfig_nowarn = ENABLED
 2016-04-12 22:12:24   ifconfig_ipv6_local = '[UNDEF]'
 2016-04-12 22:12:24   ifconfig_ipv6_netbits = 0
 2016-04-12 22:12:24   ifconfig_ipv6_remote = '[UNDEF]'
 2016-04-12 22:12:24   shaper = 0
 2016-04-12 22:12:24   mtu_test = 0
 2016-04-12 22:12:24   mlock = DISABLED
 2016-04-12 22:12:24   keepalive_ping = 0
 2016-04-12 22:12:24   keepalive_timeout = 0
 2016-04-12 22:12:24   inactivity_timeout = 0
 2016-04-12 22:12:24   ping_send_timeout = 0
 2016-04-12 22:12:24   ping_rec_timeout = 0
 2016-04-12 22:12:24   ping_rec_timeout_action = 0
 2016-04-12 22:12:24   ping_timer_remote = DISABLED
 2016-04-12 22:12:24   remap_sigusr1 = 0
 2016-04-12 22:12:24   persist_tun = DISABLED
 2016-04-12 22:12:24   persist_local_ip = DISABLED
 2016-04-12 22:12:24   persist_remote_ip = DISABLED
 2016-04-12 22:12:24   persist_key = DISABLED
 2016-04-12 22:12:24   passtos = DISABLED
 2016-04-12 22:12:24   resolve_retry_seconds = 60
 2016-04-12 22:12:24   resolve_in_advance = DISABLED
 2016-04-12 22:12:24   username = '[UNDEF]'
 2016-04-12 22:12:24   groupname = '[UNDEF]'
 2016-04-12 22:12:24   chroot_dir = '[UNDEF]'
 2016-04-12 22:12:24   cd_dir = '[UNDEF]'
 2016-04-12 22:12:24   writepid = '[UNDEF]'
 2016-04-12 22:12:24   up_script = '[UNDEF]'
 2016-04-12 22:12:24   down_script = '[UNDEF]'
 2016-04-12 22:12:24   down_pre = DISABLED
 2016-04-12 22:12:24   up_restart = DISABLED
 2016-04-12 22:12:24   up_delay = DISABLED
 2016-04-12 22:12:24   daemon = DISABLED
 2016-04-12 22:12:24   inetd = 0
 2016-04-12 22:12:24   log = DISABLED
 2016-04-12 22:12:24   suppress_timestamps = DISABLED
 2016-04-12 22:12:24   machine_readable_output = ENABLED
 2016-04-12 22:12:24   nice = 0
 2016-04-12 22:12:24   verbosity = 4
 2016-04-12 22:12:24   mute = 0
 2016-04-12 22:12:24   gremlin = 0
 2016-04-12 22:12:24   status_file = '[UNDEF]'
 2016-04-12 22:12:24   status_file_version = 1
 2016-04-12 22:12:24   status_file_update_freq = 60
 2016-04-12 22:12:24   occ = ENABLED
 2016-04-12 22:12:24   rcvbuf = 0
 2016-04-12 22:12:24   sndbuf = 0
 2016-04-12 22:12:24   sockflags = 0
 2016-04-12 22:12:24   fast_io = DISABLED
 2016-04-12 22:12:24   comp.alg = 2
 2016-04-12 22:12:24   comp.flags = 1
 2016-04-12 22:12:24   route_script = '[UNDEF]'
 2016-04-12 22:12:24   route_default_gateway = '[UNDEF]'
 2016-04-12 22:12:24   route_default_metric = 0
 2016-04-12 22:12:24   route_noexec = DISABLED
 2016-04-12 22:12:24   route_delay = 0
 2016-04-12 22:12:24   route_delay_window = 30
 2016-04-12 22:12:24   route_delay_defined = DISABLED
 2016-04-12 22:12:24   route_nopull = DISABLED
 2016-04-12 22:12:24   route_gateway_via_dhcp = DISABLED
 2016-04-12 22:12:24   allow_pull_fqdn = DISABLED
 2016-04-12 22:12:24   route 0.0.0.0/0.0.0.0/vpn_gateway/nil
 2016-04-12 22:12:24   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
 2016-04-12 22:12:24   management_port = 'unix'
 2016-04-12 22:12:24   management_user_pass = '[UNDEF]'
 2016-04-12 22:12:24   management_log_history_cache = 250
 2016-04-12 22:12:24   management_echo_buffer_size = 100
 2016-04-12 22:12:24   management_write_peer_info_file = '[UNDEF]'
 2016-04-12 22:12:24   management_client_user = '[UNDEF]'
 2016-04-12 22:12:24   management_client_group = '[UNDEF]'
 2016-04-12 22:12:24   management_flags = 4390
 2016-04-12 22:12:24   shared_secret_file = '[UNDEF]'
 2016-04-12 22:12:24   key_direction = 0
 2016-04-12 22:12:24   ciphername_defined = ENABLED
 2016-04-12 22:12:24   ciphername = 'BF-CBC'
 2016-04-12 22:12:24   authname_defined = ENABLED
 2016-04-12 22:12:24   authname = 'SHA1'
 2016-04-12 22:12:24   prng_hash = 'SHA1'
 2016-04-12 22:12:24   prng_nonce_secret_len = 16
 2016-04-12 22:12:24   keysize = 0
 2016-04-12 22:12:24   engine = DISABLED
 2016-04-12 22:12:24   replay = ENABLED
 2016-04-12 22:12:24   mute_replay_warnings = DISABLED
 2016-04-12 22:12:24   replay_window = 64
 2016-04-12 22:12:24   replay_time = 15
 2016-04-12 22:12:24   packet_id_file = '[UNDEF]'
 2016-04-12 22:12:24   use_iv = ENABLED
 2016-04-12 22:12:24   test_crypto = DISABLED
 2016-04-12 22:12:24   tls_server = DISABLED
 2016-04-12 22:12:24   tls_client = ENABLED
 2016-04-12 22:12:24   key_method = 2
 2016-04-12 22:12:24   ca_file = '[[INLINE]]'
 2016-04-12 22:12:24   ca_path = '[UNDEF]'
 2016-04-12 22:12:24   dh_file = '[UNDEF]'
 2016-04-12 22:12:24   cert_file = '[[INLINE]]'
 2016-04-12 22:12:24   extra_certs_file = '[UNDEF]'
 2016-04-12 22:12:24   priv_key_file = '[[INLINE]]'
 2016-04-12 22:12:24   pkcs12_file = '[UNDEF]'
 2016-04-12 22:12:24   cipher_list = '[UNDEF]'
 2016-04-12 22:12:24   tls_verify = '[UNDEF]'
 2016-04-12 22:12:24   tls_export_cert = '[UNDEF]'
 2016-04-12 22:12:24   verify_x509_type = 2
 2016-04-12 22:12:24   verify_x509_name = 'XXXXXXXXX (My DNS)'
 2016-04-12 22:12:24   crl_file = '[UNDEF]'
 2016-04-12 22:12:24   ns_cert_type = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_ku[i] = 0
 2016-04-12 22:12:24   remote_cert_eku = '[UNDEF]'
 2016-04-12 22:12:24   ssl_flags = 0
 2016-04-12 22:12:24   tls_timeout = 2
 2016-04-12 22:12:24   renegotiate_bytes = 0
 2016-04-12 22:12:24   renegotiate_packets = 0
 2016-04-12 22:12:24   renegotiate_seconds = 3600
 2016-04-12 22:12:24   handshake_window = 60
 2016-04-12 22:12:24   transition_window = 3600
 2016-04-12 22:12:24   single_session = DISABLED
 2016-04-12 22:12:24   push_peer_info = DISABLED
 2016-04-12 22:12:24   tls_exit = DISABLED
 2016-04-12 22:12:24   tls_auth_file = '[UNDEF]'
 2016-04-12 22:12:24   client = ENABLED
 2016-04-12 22:12:24   pull = ENABLED
 2016-04-12 22:12:24   auth_user_pass_file = '[UNDEF]'
 2016-04-12 22:12:24 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-a6eda60c1e79b5c9] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar  9 2016
 2016-04-12 22:12:24 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
 2016-04-12 22:12:24 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
 2016-04-12 22:12:24 MANAGEMENT: CMD 'hold release'
 2016-04-12 22:12:24 MANAGEMENT: CMD 'proxy NONE'
 2016-04-12 22:12:24 MANAGEMENT: CMD 'bytecount 2'
 2016-04-12 22:12:24 MANAGEMENT: CMD 'state on'
 2016-04-12 22:12:24 Estado da rede: CONNECTED  to WIFI "FON_ZON_FREE_INTERNET"
 2016-04-12 22:12:25 LZO compression initializing
 2016-04-12 22:12:25 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
 2016-04-12 22:12:25 MANAGEMENT: >STATE:1460495545,RESOLVE,,,,,,
 2016-04-12 22:12:25 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:3 ]
 2016-04-12 22:12:25 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
 2016-04-12 22:12:25 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
 2016-04-12 22:12:25 TCP/UDP: Preserving recently used remote address: [AF_INET]89.114.238.189:1194
 2016-04-12 22:12:25 Socket Buffers: R=[163840->163840] S=[163840->163840]
 2016-04-12 22:12:25 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
 2016-04-12 22:12:25 UDP link local (bound): [AF_INET][undef]:1194
 2016-04-12 22:12:25 UDP link remote: [AF_INET]89.114.238.189:1194
 2016-04-12 22:12:25 MANAGEMENT: >STATE:1460495545,WAIT,,,,,,
 2016-04-12 22:13:25 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
 2016-04-12 22:13:25 TLS Error: TLS handshake failed
 2016-04-12 22:13:25 TCP/UDP: Closing s



Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)


by Traffic » Tue Apr 12, 2016 10:15 pm

kelsini wrote:

Traffic wrote: Please post your complete server log showing the failure (remove private data)

Here it is:

2016-04-12 22:12:23 compilação oficial 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)

 2016-04-12 22:12:24   config = '/data/data/de.blinkt.openvpn/cache/android.conf'

 2016-04-12 22:12:24   remote = 'XXXXXXXXX (My DNS)'
 2016-04-12 22:12:24   remote_port = '1194'

 2016-04-12 22:13:25 TCP/UDP: Closing s

:roll:


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)


by kelsini » Tue Apr 12, 2016 11:11 pm

I have noticed that 'de.blinkt.openvpn' was not correct for sure, but... I went into the OpenVPN for Android app on the smartphone and changed the "search domain" on the "DNS AND IP" tab from 'de.blinkt.openvpn' to my DNS...

The strangest thing is that after this change the log still gives me that 'de.blinkt.openvpn' DNS... and the same TLS error...

2016-04-13 00:04:02 compilação oficial 0.6.50 running on lge LG-D855 (MSM8974), Android 5.0 (LRX21R.A1445306351) API 21, ABI armeabi-v7a, (lge/g3_global_com/g3:5.0/LRX21R.A1445306351/1445306351:user/release-keys)
 2016-04-13 00:04:02 A preparar a configuração...
 2016-04-13 00:04:02 started Socket Thread
 2016-04-13 00:04:02 Current Parameter Settings:
 2016-04-13 00:04:02   config = '/data/data/de.blinkt.openvpn/cache/android.conf'
 2016-04-13 00:04:02   mode = 0
 2016-04-13 00:04:02   show_ciphers = DISABLED
 2016-04-13 00:04:02   show_digests = DISABLED
 2016-04-13 00:04:02   show_engines = DISABLED
 2016-04-13 00:04:02   genkey = DISABLED
 2016-04-13 00:04:02   key_pass_file = '[UNDEF]'
 2016-04-13 00:04:02   show_tls_ciphers = DISABLED
 2016-04-13 00:04:02   connect_retry_max = 5
 2016-04-13 00:04:02 Connection profiles [0]:
 2016-04-13 00:04:02   proto = udp
 2016-04-13 00:04:02   local = '[UNDEF]'
 2016-04-13 00:04:02   local_port = '1194'
 2016-04-13 00:04:02   remote = 'XXXXXX (MY DNS)'
 2016-04-13 00:04:02   remote_port = '1194'
 2016-04-13 00:04:02   remote_float = DISABLED
 2016-04-13 00:04:02   bind_defined = DISABLED
 2016-04-13 00:04:02   bind_local = ENABLED
 2016-04-13 00:04:02   bind_ipv6_only = DISABLED
 2016-04-13 00:04:02   connect_retry_seconds = 5
 2016-04-13 00:04:02   connect_timeout = 240
 2016-04-13 00:04:02   socks_proxy_server = '[UNDEF]'
 2016-04-13 00:04:02   socks_proxy_port = '[UNDEF]'
 2016-04-13 00:04:02   socks_proxy_retry = DISABLED
 2016-04-13 00:04:02   tun_mtu = 1500
 2016-04-13 00:04:02   tun_mtu_defined = ENABLED
 2016-04-13 00:04:02   link_mtu = 1500
 2016-04-13 00:04:02   link_mtu_defined = DISABLED
 2016-04-13 00:04:02   tun_mtu_extra = 0
 2016-04-13 00:04:02   tun_mtu_extra_defined = DISABLED
 2016-04-13 00:04:02   mtu_discover_type = -1
 2016-04-13 00:04:02   fragment = 0
 2016-04-13 00:04:02   mssfix = 1450
 2016-04-13 00:04:02   explicit_exit_notification = 0
 2016-04-13 00:04:02 Connection profiles END
 2016-04-13 00:04:02   remote_random = DISABLED
 2016-04-13 00:04:02   ipchange = '[UNDEF]'
 2016-04-13 00:04:02   dev = 'tun'
 2016-04-13 00:04:02   dev_type = '[UNDEF]'
 2016-04-13 00:04:02   dev_node = '[UNDEF]'
 2016-04-13 00:04:02   lladdr = '[UNDEF]'
 2016-04-13 00:04:02   topology = 1
 2016-04-13 00:04:02   tun_ipv6 = DISABLED
 2016-04-13 00:04:02   ifconfig_local = '[UNDEF]'
 2016-04-13 00:04:02   ifconfig_remote_netmask = '[UNDEF]'
 2016-04-13 00:04:02   ifconfig_noexec = DISABLED
 2016-04-13 00:04:02   ifconfig_nowarn = ENABLED
 2016-04-13 00:04:02   ifconfig_ipv6_local = '[UNDEF]'
 2016-04-13 00:04:02   ifconfig_ipv6_netbits = 0
 2016-04-13 00:04:02   ifconfig_ipv6_remote = '[UNDEF]'
 2016-04-13 00:04:02   shaper = 0
 2016-04-13 00:04:02   mtu_test = 0
 2016-04-13 00:04:02   mlock = DISABLED
 2016-04-13 00:04:02   keepalive_ping = 0
 2016-04-13 00:04:02   keepalive_timeout = 0
 2016-04-13 00:04:02   inactivity_timeout = 0
 2016-04-13 00:04:02   ping_send_timeout = 0
 2016-04-13 00:04:02   ping_rec_timeout = 0
 2016-04-13 00:04:02   ping_rec_timeout_action = 0
 2016-04-13 00:04:02   ping_timer_remote = DISABLED
 2016-04-13 00:04:02   remap_sigusr1 = 0
 2016-04-13 00:04:02   persist_tun = DISABLED
 2016-04-13 00:04:02   persist_local_ip = DISABLED
 2016-04-13 00:04:02   persist_remote_ip = DISABLED
 2016-04-13 00:04:02   persist_key = DISABLED
 2016-04-13 00:04:02   passtos = DISABLED
 2016-04-13 00:04:02   resolve_retry_seconds = 60
 2016-04-13 00:04:02   resolve_in_advance = DISABLED
 2016-04-13 00:04:02   username = '[UNDEF]'
 2016-04-13 00:04:02   groupname = '[UNDEF]'
 2016-04-13 00:04:02   chroot_dir = '[UNDEF]'
 2016-04-13 00:04:02   cd_dir = '[UNDEF]'
 2016-04-13 00:04:02   writepid = '[UNDEF]'
 2016-04-13 00:04:02   up_script = '[UNDEF]'
 2016-04-13 00:04:02   down_script = '[UNDEF]'
 2016-04-13 00:04:02   down_pre = DISABLED
 2016-04-13 00:04:02   up_restart = DISABLED
 2016-04-13 00:04:02   up_delay = DISABLED
 2016-04-13 00:04:02   daemon = DISABLED
 2016-04-13 00:04:02   inetd = 0
 2016-04-13 00:04:02   log = DISABLED
 2016-04-13 00:04:02   suppress_timestamps = DISABLED
 2016-04-13 00:04:02   machine_readable_output = ENABLED
 2016-04-13 00:04:02   nice = 0
 2016-04-13 00:04:02   verbosity = 4
 2016-04-13 00:04:02   mute = 0
 2016-04-13 00:04:02   gremlin = 0
 2016-04-13 00:04:02   status_file = '[UNDEF]'
 2016-04-13 00:04:02   status_file_version = 1
 2016-04-13 00:04:02   status_file_update_freq = 60
 2016-04-13 00:04:02   occ = ENABLED
 2016-04-13 00:04:02   rcvbuf = 0
 2016-04-13 00:04:02 Estado da rede: CONNECTED  to WIFI "FON_ZON_FREE_INTERNET"
 2016-04-13 00:04:02   sndbuf = 0
 2016-04-13 00:04:02   sockflags = 0
 2016-04-13 00:04:02   fast_io = DISABLED
 2016-04-13 00:04:02   comp.alg = 2
 2016-04-13 00:04:02   comp.flags = 1
 2016-04-13 00:04:02   route_script = '[UNDEF]'
 2016-04-13 00:04:02   route_default_gateway = '[UNDEF]'
 2016-04-13 00:04:02   route_default_metric = 0
 2016-04-13 00:04:02   route_noexec = DISABLED
 2016-04-13 00:04:02   route_delay = 0
 2016-04-13 00:04:02   route_delay_window = 30
 2016-04-13 00:04:02   route_delay_defined = DISABLED
 2016-04-13 00:04:02   route_nopull = DISABLED
 2016-04-13 00:04:02   route_gateway_via_dhcp = DISABLED
 2016-04-13 00:04:02   allow_pull_fqdn = DISABLED
 2016-04-13 00:04:02   route 0.0.0.0/0.0.0.0/vpn_gateway/nil
 2016-04-13 00:04:02   management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
 2016-04-13 00:04:02   management_port = 'unix'
 2016-04-13 00:04:02   management_user_pass = '[UNDEF]'
 2016-04-13 00:04:02   management_log_history_cache = 250
 2016-04-13 00:04:02   management_echo_buffer_size = 100
 2016-04-13 00:04:02   management_write_peer_info_file = '[UNDEF]'
 2016-04-13 00:04:02   management_client_user = '[UNDEF]'
 2016-04-13 00:04:02   management_client_group = '[UNDEF]'
 2016-04-13 00:04:02   management_flags = 4390
 2016-04-13 00:04:02   shared_secret_file = '[UNDEF]'
 2016-04-13 00:04:02   key_direction = 0
 2016-04-13 00:04:02   ciphername_defined = ENABLED
 2016-04-13 00:04:02   ciphername = 'BF-CBC'
 2016-04-13 00:04:02   authname_defined = ENABLED
 2016-04-13 00:04:02   authname = 'SHA1'
 2016-04-13 00:04:02   prng_hash = 'SHA1'
 2016-04-13 00:04:02   prng_nonce_secret_len = 16
 2016-04-13 00:04:02   keysize = 0
 2016-04-13 00:04:02   engine = DISABLED
 2016-04-13 00:04:02   replay = ENABLED
 2016-04-13 00:04:02   mute_replay_warnings = DISABLED
 2016-04-13 00:04:02   replay_window = 64
 2016-04-13 00:04:02   replay_time = 15
 2016-04-13 00:04:02   packet_id_file = '[UNDEF]'
 2016-04-13 00:04:02   use_iv = ENABLED
 2016-04-13 00:04:02   test_crypto = DISABLED
 2016-04-13 00:04:02   tls_server = DISABLED
 2016-04-13 00:04:02   tls_client = ENABLED
 2016-04-13 00:04:02   key_method = 2
 2016-04-13 00:04:02   ca_file = '[[INLINE]]'
 2016-04-13 00:04:02   ca_path = '[UNDEF]'
 2016-04-13 00:04:02   dh_file = '[UNDEF]'
 2016-04-13 00:04:02   cert_file = '[[INLINE]]'
 2016-04-13 00:04:02   extra_certs_file = '[UNDEF]'
 2016-04-13 00:04:02   priv_key_file = '[[INLINE]]'
 2016-04-13 00:04:02   pkcs12_file = '[UNDEF]'
 2016-04-13 00:04:02   cipher_list = '[UNDEF]'
 2016-04-13 00:04:02   tls_verify = '[UNDEF]'
 2016-04-13 00:04:02   tls_export_cert = '[UNDEF]'
 2016-04-13 00:04:02   verify_x509_type = 0
 2016-04-13 00:04:02   verify_x509_name = '[UNDEF]'
 2016-04-13 00:04:02   crl_file = '[UNDEF]'
 2016-04-13 00:04:02   ns_cert_type = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_ku[i] = 0
 2016-04-13 00:04:02   remote_cert_eku = '[UNDEF]'
 2016-04-13 00:04:02   ssl_flags = 0
 2016-04-13 00:04:02   tls_timeout = 2
 2016-04-13 00:04:02   renegotiate_bytes = 0
 2016-04-13 00:04:02   renegotiate_packets = 0
 2016-04-13 00:04:02   renegotiate_seconds = 3600
 2016-04-13 00:04:02   handshake_window = 60
 2016-04-13 00:04:02   transition_window = 3600
 2016-04-13 00:04:02   single_session = DISABLED
 2016-04-13 00:04:02   push_peer_info = DISABLED
 2016-04-13 00:04:02   tls_exit = DISABLED
 2016-04-13 00:04:02   tls_auth_file = '[UNDEF]'
 2016-04-13 00:04:02   client = ENABLED
 2016-04-13 00:04:02   pull = ENABLED
 2016-04-13 00:04:02   auth_user_pass_file = '[UNDEF]'
 2016-04-13 00:04:02 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-a6eda60c1e79b5c9] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Mar  9 2016
 2016-04-13 00:04:02 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
 2016-04-13 00:04:02 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
 2016-04-13 00:04:02 MANAGEMENT: CMD 'hold release'
 2016-04-13 00:04:02 MANAGEMENT: CMD 'bytecount 2'
 2016-04-13 00:04:02 MANAGEMENT: CMD 'proxy NONE'
 2016-04-13 00:04:02 MANAGEMENT: CMD 'state on'
 2016-04-13 00:04:03 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
 2016-04-13 00:04:03 LZO compression initializing
 2016-04-13 00:04:03 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
 2016-04-13 00:04:03 MANAGEMENT: >STATE:1460502243,RESOLVE,,,,,,
 2016-04-13 00:04:03 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:393 ET:0 EL:3 ]
 2016-04-13 00:04:03 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
 2016-04-13 00:04:03 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
 2016-04-13 00:04:03 TCP/UDP: Preserving recently used remote address: [AF_INET]89.114.238.189:1194
 2016-04-13 00:04:03 Socket Buffers: R=[163840->163840] S=[163840->163840]
 2016-04-13 00:04:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
 2016-04-13 00:04:03 UDP link local (bound): [AF_INET][undef]:1194
 2016-04-13 00:04:03 UDP link remote: [AF_INET]89.114.238.189:1194
 2016-04-13 00:04:03 MANAGEMENT: >STATE:1460502243,WAIT,,,,,,
 2016-04-13 00:05:03 TLS Error: TLS key negotiation failed to occur within 60

I can't see in any other tab or any option where that 'de.blinkt.openvpn' is mentioned again...



Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)


by Traffic » Tue Apr 12, 2016 11:25 pm

Please post your Server log


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)


by kelsini » Wed Apr 13, 2016 9:24 pm

Traffic wrote: Please post your Server log

cd /var/log/
dir
btmp faillog journal lastlog old openvpn.log pacman.log wtmp

I think you are asking for openvpn.log... here it is:

Wed Apr 13 22:17:25 2016 us=95312 Current Parameter Settings:
Wed Apr 13 22:17:25 2016 us=95601   config = '/etc/openvpn/homeserver-vpn.conf'
Wed Apr 13 22:17:25 2016 us=95680   mode = 1
Wed Apr 13 22:17:25 2016 us=95744   persist_config = DISABLED
Wed Apr 13 22:17:25 2016 us=95808   persist_mode = 1
Wed Apr 13 22:17:25 2016 us=95868   show_ciphers = DISABLED
Wed Apr 13 22:17:25 2016 us=95927   show_digests = DISABLED
Wed Apr 13 22:17:25 2016 us=95987   show_engines = DISABLED
Wed Apr 13 22:17:25 2016 us=96047   genkey = DISABLED
Wed Apr 13 22:17:25 2016 us=96105   key_pass_file = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=96167   show_tls_ciphers = DISABLED
Wed Apr 13 22:17:25 2016 us=96229 Connection profiles [default]:
Wed Apr 13 22:17:25 2016 us=96290   proto = udp
Wed Apr 13 22:17:25 2016 us=96349   local = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=96410   local_port = 1194
Wed Apr 13 22:17:25 2016 us=98947   remote = '[UNDEF]'
Wed Apr 13 22:17:25 2016 us=99502   remote_port = 1194
Wed Apr 13 22:17:25 2016 us=99567   remote_float = DISABLED
Wed Apr 13 22:17:25 2016 us=99615   bind_defined = DISABLED
Wed Apr 13 22:17:25 2016 us=99661   bind_local = ENABLED
Wed Apr 13 22:17:25 2016 us=99708 NOTE: --mute triggered...
Wed Apr 13 22:17:25 2016 us=99770 213 variation(s) on previous 20 message(s) suppressed by --mute
Wed Apr 13 22:17:25 2016 us=99817 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Wed Apr 13 22:17:25 2016 us=99895 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Wed Apr 13 22:17:25 2016 us=115220 Diffie-Hellman initialized with 2048 bit key
Wed Apr 13 22:17:25 2016 us=139828 Control Channel Authentication: using '/etc/openvpn/certs/ta.key' as a OpenVPN static key file
Wed Apr 13 22:17:25 2016 us=139975 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:17:25 2016 us=140056 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:17:25 2016 us=140147 TLS-Auth MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Apr 13 22:17:25 2016 us=140259 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 13 22:17:25 2016 us=140534 ROUTE: default_gateway=UNDEF
Wed Apr 13 22:17:25 2016 us=245008 TUN/TAP device tun0 opened
Wed Apr 13 22:17:25 2016 us=245172 TUN/TAP TX queue length set to 100
Wed Apr 13 22:17:25 2016 us=245265 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 13 22:17:25 2016 us=245379 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Apr 13 22:17:25 2016 us=271194 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Wed Apr 13 22:17:25 2016 us=278962 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Wed Apr 13 22:17:25 2016 us=285863 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Apr 13 22:17:25 2016 us=286998 GID set to nobody
Wed Apr 13 22:17:25 2016 us=287116 UID set to nobody
Wed Apr 13 22:17:25 2016 us=287181 UDPv4 link local (bound): [undef]
Wed Apr 13 22:17:25 2016 us=292745 UDPv4 link remote: [undef]
Wed Apr 13 22:17:25 2016 us=292865 MULTI: multi_init called, r=256 v=256
Wed Apr 13 22:17:25 2016 us=292997 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Wed Apr 13 22:17:25 2016 us=293098 IFCONFIG POOL LIST
Wed Apr 13 22:17:25 2016 us=293241 Initialization Sequence Completed



Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)


by Traffic » Wed Apr 13, 2016 9:30 pm

Your server log does not show any connection attempts:

kelsini wrote: Wed Apr 13 22:17:25 2016 us=293241 Initialization Sequence Completed

Traffic wrote: Please post your Server log

Showing the connection attempt from your client ..


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)


by kelsini » Wed Apr 13, 2016 9:54 pm

Here it is again:

Wed Apr 13 22:53:10 2016 us=937880 Current Parameter Settings:
Wed Apr 13 22:53:10 2016 us=938186   config = '/etc/openvpn/homeserver-vpn.conf'
Wed Apr 13 22:53:10 2016 us=938261   mode = 1
Wed Apr 13 22:53:10 2016 us=938326   persist_config = DISABLED
Wed Apr 13 22:53:10 2016 us=938390   persist_mode = 1
Wed Apr 13 22:53:10 2016 us=938453   show_ciphers = DISABLED
Wed Apr 13 22:53:10 2016 us=938515   show_digests = DISABLED
Wed Apr 13 22:53:10 2016 us=938719   show_engines = DISABLED
Wed Apr 13 22:53:10 2016 us=938789   genkey = DISABLED
Wed Apr 13 22:53:10 2016 us=938851   key_pass_file = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=938915   show_tls_ciphers = DISABLED
Wed Apr 13 22:53:10 2016 us=938976 Connection profiles [default]:
Wed Apr 13 22:53:10 2016 us=939039   proto = udp
Wed Apr 13 22:53:10 2016 us=939101   local = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=939164   local_port = 1194
Wed Apr 13 22:53:10 2016 us=939230   remote = '[UNDEF]'
Wed Apr 13 22:53:10 2016 us=939293   remote_port = 1194
Wed Apr 13 22:53:10 2016 us=939356   remote_float = DISABLED
Wed Apr 13 22:53:10 2016 us=939417   bind_defined = DISABLED
Wed Apr 13 22:53:10 2016 us=939480   bind_local = ENABLED
Wed Apr 13 22:53:10 2016 us=939542 NOTE: --mute triggered...
Wed Apr 13 22:53:10 2016 us=939625 213 variation(s) on previous 20 message(s) suppressed by --mute
Wed Apr 13 22:53:10 2016 us=939689 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Wed Apr 13 22:53:10 2016 us=939789 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Wed Apr 13 22:53:10 2016 us=948982 Diffie-Hellman initialized with 2048 bit key
Wed Apr 13 22:53:10 2016 us=958396 Control Channel Authentication: using '/etc/openvpn/certs/ta.key' as a OpenVPN static key file
Wed Apr 13 22:53:10 2016 us=958536 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:53:10 2016 us=958612 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 13 22:53:10 2016 us=958697 TLS-Auth MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Apr 13 22:53:10 2016 us=958803 Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Apr 13 22:53:10 2016 us=959092 ROUTE: default_gateway=UNDEF
Wed Apr 13 22:53:10 2016 us=990694 TUN/TAP device tun0 opened
Wed Apr 13 22:53:10 2016 us=990870 TUN/TAP TX queue length set to 100
Wed Apr 13 22:53:10 2016 us=991685 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 13 22:53:10 2016 us=991837 /usr/bin/ip link set dev tun0 up mtu 1500
Wed Apr 13 22:53:11 2016 us=23502 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Wed Apr 13 22:53:11 2016 us=31611 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Wed Apr 13 22:53:11 2016 us=36078 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Apr 13 22:53:11 2016 us=41551 GID set to nobody
Wed Apr 13 22:53:11 2016 us=41668 UID set to nobody
Wed Apr 13 22:53:11 2016 us=41730 UDPv4 link local (bound): [undef]
Wed Apr 13 22:53:11 2016 us=41784 UDPv4 link remote: [undef]
Wed Apr 13 22:53:11 2016 us=41847 MULTI: multi_init called, r=256 v=256
Wed Apr 13 22:53:11 2016 us=41962 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Wed Apr 13 22:53:11 2016 us=42062 IFCONFIG POOL LIST
Wed Apr 13 22:53:11 2016 us=42199 Initialization Sequence Completed
Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
Wed Apr 13 22:53:14 2016 us=864777 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074
Wed Apr 13 22:53:19 2016 us=540852 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074


User avatar

Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)

Post

by Traffic » Wed Apr 13, 2016 10:53 pm

kelsini wrote:Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074

This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again. Make sure the file is exactly the same.

You may have to use inline config: https://community.openvpn.net/openvpn/wiki/IOSinline

FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post

by kelsini » Thu Apr 14, 2016 10:40 am

Traffic wrote:

kelsini wrote:Wed Apr 13 22:53:13 2016 us=125058 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]89.180.151.187:54074

This most probably means that you have corrupted your tls-auth ta.key while importing it to your phone .. or possibly imported the wrong file. Try again. Make sure the file is exactly the same.

You may have to use inline config: https://community.openvpn.net/openvpn/wiki/IOSinline

FYI: you do not have to call the file ta.key .. you can rename it to anything more memorable.

I have 2 folders where keys and certs are…

in /root/easy-rsa/keys/
01.pem dh2048.pem index.txt ipp.txt serial
02.pem homeserver.crt index.txt.attr kelsinni.crt serial.old
ca.crt homeserver.csr index.txt.attr.old kelsinni.csr ta.key
ca.key homeserver.key index.txt.old kelsinni.key

and in /etc/openvpn/certs/
ca.crt dh2048.pem homeserver.key
ca.key homeserver.crt ta.key

The keys that I copied to my android were the client certificate (kelsinni.crt), the client certificate key (kelsinni.key) and the CA certificate (ca.crt), all located in /root/easy-rsa/keys/

The app openvpn for android only asks for these 3 files: CA certificate, Client certificate and Client certificate key… nothing about ta.key:
Image

I'm going to copy the files to the android again…


User avatar

Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)

Post

by Traffic » Thu Apr 14, 2016 12:19 pm

kelsini wrote:The app openvpn for android only asks for these 3 files: CA certificate, Client certificate and Client certificate key… nothing about ta.key

Then you must disable --tls-auth on the server ..


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post

by kelsini » Thu Apr 14, 2016 2:21 pm

Traffic wrote:

kelsini wrote:The app openvpn for android only asks for these 3 files: CA certificate, Client certificate and Client certificate key… nothing about ta.key

Then you must disable --tls-auth on the server ..

Well… finally I think I got a successful connection :)

Code: Select all

Thu Apr 14 15:06:34 2016 us=45204 Current Parameter Settings:
Thu Apr 14 15:06:34 2016 us=45471   config = '/etc/openvpn/homeserver-vpn.conf'
Thu Apr 14 15:06:34 2016 us=45567   mode = 1
Thu Apr 14 15:06:34 2016 us=45652   persist_config = DISABLED
Thu Apr 14 15:06:34 2016 us=45732   persist_mode = 1
Thu Apr 14 15:06:34 2016 us=45813   show_ciphers = DISABLED
Thu Apr 14 15:06:34 2016 us=45888   show_digests = DISABLED
Thu Apr 14 15:06:34 2016 us=45958   show_engines = DISABLED
Thu Apr 14 15:06:34 2016 us=46018   genkey = DISABLED
Thu Apr 14 15:06:34 2016 us=46077   key_pass_file = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46136   show_tls_ciphers = DISABLED
Thu Apr 14 15:06:34 2016 us=46194 Connection profiles [default]:
Thu Apr 14 15:06:34 2016 us=46253   proto = udp
Thu Apr 14 15:06:34 2016 us=46312   local = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46381   local_port = 1194
Thu Apr 14 15:06:34 2016 us=46461   remote = '[UNDEF]'
Thu Apr 14 15:06:34 2016 us=46542   remote_port = 1194
Thu Apr 14 15:06:34 2016 us=46619   remote_float = DISABLED
Thu Apr 14 15:06:34 2016 us=46700   bind_defined = DISABLED
Thu Apr 14 15:06:34 2016 us=46772   bind_local = ENABLED
Thu Apr 14 15:06:34 2016 us=46842 NOTE: --mute triggered...
Thu Apr 14 15:06:34 2016 us=46920 213 variation(s) on previous 20 message(s) suppressed by --mute
Thu Apr 14 15:06:34 2016 us=46980 OpenVPN 2.3.10 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 14 2016
Thu Apr 14 15:06:34 2016 us=47077 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.09
Thu Apr 14 15:06:34 2016 us=88916 Diffie-Hellman initialized with 2048 bit key
Thu Apr 14 15:06:34 2016 us=100742 TLS-Auth MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Apr 14 15:06:34 2016 us=100907 Socket Buffers: R=[163840->163840] S=[163840->163840]
Thu Apr 14 15:06:34 2016 us=101191 ROUTE: default_gateway=UNDEF
Thu Apr 14 15:06:34 2016 us=126690 TUN/TAP device tun0 opened
Thu Apr 14 15:06:34 2016 us=127009 TUN/TAP TX queue length set to 100
Thu Apr 14 15:06:34 2016 us=127125 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 14 15:06:34 2016 us=127237 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Apr 14 15:06:34 2016 us=160313 /usr/bin/ip addr add dev tun0 local 192.168.88.1 peer 192.168.88.2
Thu Apr 14 15:06:34 2016 us=163614 /usr/bin/ip route add 192.168.88.0/24 via 192.168.88.2
Thu Apr 14 15:06:34 2016 us=167431 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Apr 14 15:06:34 2016 us=168865 GID set to nobody
Thu Apr 14 15:06:34 2016 us=168975 UID set to nobody
Thu Apr 14 15:06:34 2016 us=169037 UDPv4 link local (bound): [undef]
Thu Apr 14 15:06:34 2016 us=169092 UDPv4 link remote: [undef]
Thu Apr 14 15:06:34 2016 us=169156 MULTI: multi_init called, r=256 v=256
Thu Apr 14 15:06:34 2016 us=169670 IFCONFIG POOL: base=192.168.88.4 size=62, ipv6=0
Thu Apr 14 15:06:34 2016 us=204863 ifconfig_pool_read(), in='kelsinni,192.168.88.4', TODO: IPv6
Thu Apr 14 15:06:34 2016 us=204970 succeeded -> ifconfig_pool_set()
Thu Apr 14 15:06:34 2016 us=205030 IFCONFIG POOL LIST
Thu Apr 14 15:06:34 2016 us=205087 kelsinni,192.168.88.4
Thu Apr 14 15:06:34 2016 us=205223 Initialization Sequence Completed
Thu Apr 14 15:14:04 2016 us=962812 MULTI: multi_create_instance called
Thu Apr 14 15:14:04 2016 us=963100 89.180.149.129:58052 Re-using SSL/TLS context
Thu Apr 14 15:14:04 2016 us=963251 89.180.149.129:58052 LZO compression initialized
Thu Apr 14 15:14:04 2016 us=963656 89.180.149.129:58052 Control Channel MTU parms [ L:1542 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Apr 14 15:14:04 2016 us=963752 89.180.149.129:58052 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Thu Apr 14 15:14:04 2016 us=963901 89.180.149.129:58052 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Apr 14 15:14:04 2016 us=963965 89.180.149.129:58052 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Apr 14 15:14:04 2016 us=964100 89.180.149.129:58052 Local Options hash (VER=V4): '974bef3f'
Thu Apr 14 15:14:04 2016 us=964192 89.180.149.129:58052 Expected Remote Options hash (VER=V4): '827c9ed0'
RThu Apr 14 15:14:04 2016 us=964398 89.180.149.129:58052 TLS: Initial packet from [AF_INET]89.180.149.129:58052, sid=9cc8d214 1064ccf7
WRRWWWRRRWRThu Apr 14 15:14:05 2016 us=454820 89.180.149.129:58052 VERIFY OK: depth=1, C=PT, ST=LX, L=LX, O=SV, OU=MY, CN=HOME, name=SERVER, emailAddress=MYEMAIL
Thu Apr 14 15:14:05 2016 us=457938 89.180.149.129:58052 VERIFY OK: depth=0, C=PT, ST=LX, L=LX, O=SV, OU=MY, CN=kelsinni, name=server, emailAddress=MYEMAIL
WRWRThu Apr 14 15:14:05 2016 us=702731 89.180.149.129:58052 WARNING: 'cipher' is used inconsistently, local='cipher DES-EDE3-CBC', remote='cipher BF-CBC'
Thu Apr 14 15:14:05 2016 us=702866 89.180.149.129:58052 WARNING: 'keysize' is used inconsistently, local='keysize 192', remote='keysize 128'
Thu Apr 14 15:14:05 2016 us=703748 89.180.149.129:58052 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Apr 14 15:14:05 2016 us=703887 89.180.149.129:58052 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 14 15:14:05 2016 us=703971 89.180.149.129:58052 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Apr 14 15:14:05 2016 us=704049 89.180.149.129:58052 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
WRThu Apr 14 15:14:05 2016 us=740252 89.180.149.129:58052 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Apr 14 15:14:05 2016 us=740379 89.180.149.129:58052 [kelsinni] Peer Connection Initiated with [AF_INET]89.180.149.129:58052
Thu Apr 14 15:14:05 2016 us=740488 kelsinni/89.180.149.129:58052 MULTI_sva: pool returned IPv4=192.168.88.6, IPv6=(Not enabled)
Thu Apr 14 15:14:05 2016 us=740672 kelsinni/89.180.149.129:58052 MULTI: Learn: 192.168.88.6 -> kelsinni/89.180.149.129:58052
Thu Apr 14 15:14:05 2016 us=740733 kelsinni/89.180.149.129:58052 MULTI: primary virtual IP for kelsinni/89.180.149.129:58052: 192.168.88.6
RThu Apr 14 15:14:06 2016 us=974533 kelsinni/89.180.149.129:58052 PUSH: Received control message: 'PUSH_REQUEST'
Thu Apr 14 15:14:06 2016 us=974632 kelsinni/89.180.149.129:58052 send_push_reply(): safe_cap=940
Thu Apr 14 15:14:06 2016 us=974906 kelsinni/89.180.149.129:58052 SENT CONTROL [kelsinni]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 192.168.88.0 255.255.255.0,topology net30,ping$
WWR

The problem now is that I have no internet access on my cellphone after the connection… I don't know if it has to do with that IP 192.168.88.6 that is shown in the log… because it's out of the range of my internal LAN (192.168.1.xxx)



kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post

by kelsini » Fri Apr 15, 2016 12:09 pm

I think I had already done that during the installation of OpenVPN on my Arch Linux…

Below is my server config:
It already has that push "redirect-gateway" line…

Code: Select all

port 1194
proto udp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/homeserver.crt
key /etc/openvpn/certs/homeserver.key
dh /etc/openvpn/certs/dh2048.pem
#tls-auth /etc/openvpn/certs/ta.key 0

server 192.168.88.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-to-client
keepalive 1800 4000

cipher DES-EDE3-CBC # Triple-DES
comp-lzo yes

max-clients 2

user nobody
group nobody

persist-key
persist-tun

log /var/log/openvpn.log
#status /var/log/openvpn-status.log
verb 5
mute 20

#client-config-dir ccd

About iptables, the commands that I have used were:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE

Is there any missing line or command that I should add?

Thanks again
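
An added check, not part of any post in this thread: the Python script below cross-checks a server config, a client profile and the NAT rule for the three things that went wrong here (a tls-auth key on one side only, which the server logs as "cannot locate HMAC"; a data-channel cipher that differs between the sides, which the server logs as "'cipher' is used inconsistently"; and a MASQUERADE rule whose subnet or outbound interface does not fit the deployment). It also checks net.ipv4.ip_forward, which the thread never mentions but which MASQUERADE depends on. The configs, the interface list and the hostname vpn.example.net are constructed for the example, modelled on the configs posted above.

```python
"""Cross-check an OpenVPN 2.3 server config, a client profile and the NAT rule.

Added example (not from the thread). Returns a list of findings; empty means
the three pieces agree with each other.
"""
import ipaddress
import re


def parse_config(text):
    """Map each OpenVPN directive to its argument list (comments stripped, last one wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts


def nat_rule_fields(rule):
    """Return (source subnet, outbound interface) from an iptables POSTROUTING rule."""
    src = re.search(r"(?:^|\s)-s\s+(\S+)", rule)
    out = re.search(r"(?:^|\s)-o\s+(\S+)", rule)
    return (src.group(1) if src else None, out.group(1) if out else None)


def check_deployment(server_conf, client_conf, nat_rule, interfaces, ip_forward):
    """Return human-readable findings for the mismatches seen in this thread."""
    server, client = parse_config(server_conf), parse_config(client_conf)
    findings = []

    # 1. tls-auth: both sides or neither, with opposite key directions (server 0, client 1).
    #    An inline profile carries the direction as a separate key-direction directive.
    s_ta = server.get("tls-auth")
    c_has_ta = "tls-auth" in client or "key-direction" in client
    if (s_ta is not None) != c_has_ta:
        findings.append("tls-auth configured on one side only: the server will log 'cannot locate HMAC'")
    else:
        c_dir = client.get("key-direction") or client.get("tls-auth", [])[1:]
        if s_ta and c_dir and s_ta[1:] == c_dir[:1]:
            findings.append("tls-auth key-direction is the same on both sides; use 0 on the server and 1 on the client")

    # 2. Data-channel cipher must match: OpenVPN 2.3 does not negotiate it, and the
    #    default when the directive is absent is BF-CBC (which is what the Android app sent).
    s_cipher = server.get("cipher", ["BF-CBC"])[0].upper()
    c_cipher = client.get("cipher", ["BF-CBC"])[0].upper()
    if s_cipher != c_cipher:
        findings.append(f"cipher mismatch: server {s_cipher}, client {c_cipher}")

    # 3. comp-lzo likewise must be set on both sides or neither.
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo configured on one side only")

    # 4. NAT: the -s subnet must equal the 'server' subnet, -o must name a real interface,
    #    and the kernel must actually forward packets between tun0 and the uplink.
    if "server" in server:
        net, mask = server["server"][:2]
        vpn_net = ipaddress.ip_network(f"{net}/{mask}")
        src, out_if = nat_rule_fields(nat_rule)
        if src is None or ipaddress.ip_network(src) != vpn_net:
            findings.append(f"NAT source {src} does not match VPN subnet {vpn_net}")
        if out_if is not None and out_if not in interfaces:
            findings.append(f"NAT outbound interface {out_if} not found among {sorted(interfaces)}")
    if not ip_forward:
        findings.append("net.ipv4.ip_forward is 0: the kernel will not forward VPN traffic to the uplink")
    return findings


# Constructed inputs modelled on this thread (not copied from a live system).
SERVER_CONF = """\
port 1194
proto udp
dev tun
tls-auth /etc/openvpn/certs/ta.key 0
server 192.168.88.0 255.255.255.0
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
"""

# What the Android app effectively used: no tls-auth key and no cipher directive.
ANDROID_PROFILE = """\
client
remote vpn.example.net 1194
dev tun
proto udp
comp-lzo yes
"""

NAT_RULE = "iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE"

if __name__ == "__main__":
    for finding in check_deployment(SERVER_CONF, ANDROID_PROFILE, NAT_RULE, {"lo", "enp4s0"}, ip_forward=False):
        print("-", finding)
```

On a real box the interface set comes from `ip -o link` and the forwarding flag from `sysctl net.ipv4.ip_forward`; the checker deliberately takes both as plain arguments so it can be run offline against saved configs.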


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post

by kelsini » Mon Apr 18, 2016 9:36 am

I have already compared my configs with that "HOWTO: Routing all client traffic (including web-traffic) through the VPN" and made a few changes to try to get internet access, but every time I have had no luck… to be honest I'm now at a dead end and cannot see what I should change to get past this issue :(

I would be very grateful for any tip…

Thanks


User avatar

Traffic

OpenVPN Protagonist
Posts: 4071
Joined: Sat Aug 09, 2014 11:24 am

Re: Unable to connect with Openvpn server (TLS Error)

Post

by Traffic » Mon Apr 18, 2016 11:42 am

This looks wrong:

Traffic wrote:iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE

Try: iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp0s4 -j MASQUERADE

If that does not work try this:

Code: Select all

iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 12.34.56.78

replace 12.34.56.78 with the server public IP .. :mrgreen:


kelsini

OpenVPN User
Posts: 23
Joined: Mon Apr 11, 2016 10:11 pm

Re: Unable to connect with Openvpn server (TLS Error)

Post

by kelsini » Mon Apr 18, 2016 1:12 pm

Traffic wrote:This looks wrong:

Traffic wrote:iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE

Try: iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp0s4 -j MASQUERADE

If that does not work try this:

Code: Select all

iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 12.34.56.78

replace 12.34.56.78 with the server public IP .. :mrgreen:

First of all, thanks once more for your reply…

My wired network device is enp4s0… so I assume that the line I had (iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o enp4s0 -j MASQUERADE) was OK…

I tried to insert the rule that you suggested:
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source ***.***.***.*** (my home IP)

but unfortunately, although the connection with the server is established after a couple of seconds, I still cannot access the internet through it… :(


OpenVPN Support Forum

Community Support Forum

TLS Error at working connection


Post by Yacudzer » Tue Apr 28, 2020 9:04 pm

Re: TLS Error at working connection

Post by TinCanTech » Tue Apr 28, 2020 9:27 pm

Re: TLS Error at working connection

Post by Yacudzer » Tue May 05, 2020 4:43 pm

example config for clients:

client
remote vpn.myvpnserveraddress.su 443
cipher aes-256-cbc
auth sha256
dev tun
proto udp
tls-client
key-direction 1
pull

-----BEGIN OpenVPN Static key V1-----
-- skipped --
-----END OpenVPN Static key V1-----

What other information needed?

Re: TLS Error at working connection

Post by TinCanTech » Tue May 05, 2020 6:11 pm

Re: TLS Error at working connection

Post by Yacudzer » Tue May 05, 2020 6:36 pm

Re: TLS Error at working connection

Post by Yacudzer » Thu May 07, 2020 11:03 am

Re: TLS Error at working connection

Post by TinCanTech » Thu May 07, 2020 12:07 pm

If you post complete logs they would probably show that the client times out due to some network error.

These are the sort of problems you can get with UDP.

Openvpn recovered from the error without compromising your security.

You can either live with it, which is what I do or you can use TCP.

There is not much else you can do, except find out what is wrong with your network
and that is not going to be easy.

Re: TLS Error at working connection

Post by Yacudzer » Thu May 07, 2020 1:19 pm



OpenVPN Support Forum

Community Support Forum

tls-crypt not working with OpenVPN Connect/Android?


Post by vpnhuman » Thu Jul 06, 2017 1:52 am

Hi all, posted this in the Android/OpenVPN Connect forum, no answers.

I've googled this and searched these forums, and wanted to confirm with others: it appears OpenVPN Connect on Android 1.1.17 does not connect when using the new "tls-auth" option. I've tried the exact same client configuration file on windows, linux, and the OpenVPN for Android app and they all connect correctly. So the issue seems to be OpenVPN Connect.

Can anyone else confirm?

The server error message (from two different android devices, one on android 6 and one on android 7, both using OpenVPN Connect) is:
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:34258

Running ovpn server on linux, startup message and configs below
OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 23 2017
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jun 24 13:06:30 2017 TUN/TAP device tun0 opened
Sat Jun 24 13:06:30 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jun 24 13:06:30 2017 /sbin/ifconfig tun0 x.x.x.x pointopoint x.x.x.y mtu 1500
Sat Jun 24 13:06:30 2017 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Jun 24 13:06:30 2017 UDPv4 link remote: [AF_UNSPEC]
Sat Jun 24 13:06:30 2017 GID set to nobody
Sat Jun 24 13:06:30 2017 UID set to nobody
Sat Jun 24 13:06:30 2017 Initialization Sequence Completed

server.conf
port 1194
proto udp4
dev tun0

server x.x.x.x 255.255.255.0
client-to-client

push "dhcp-option DNS y.y.y.y"
push "redirect-gateway"

keepalive 10 60

user nobody
group nobody
persist-key
persist-tun
auth SHA512

cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ncp-disable

-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

ca ca.crt
cert server.crt
key server.key
dh dh4096.pem

client.conf
remote x.x.x.y 1194
client

dev tun0
proto udp

cipher AES-256-GCM
auth SHA512

-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

ca ca.crt
cert client.crt
key client.key

Re: tls-crypt not working with OpenVPN Connect/Android?

Post by TinCanTech » Thu Jul 06, 2017 12:46 pm

Openvpn-Connect-Android does not support --tls-crypt.


FAQ regarding OpenVPN Connect Android

Some common errors and solutions

The following are common error messages and information about them.

error parsing certificate : X509 — The date tag or value is invalid

This error message occurs with a faulty certificate. Refer to this detailed forum post for more info.

certificate verification failed : x509 — certificate verification failed, e.g. crl, ca or signature check failed

This error message occurs when a certificate can’t be verified properly. Certificate verification failure can occur, for example, if you are using an MD5-signed certificate. With an MD5-signed certificate, the security level is so low that the authenticity of the certificate can’t by any reasonable means be assured. In other words, it could very well be a fake certificate. The solution is to use a certificate not signed with MD5 but with SHA256 or better. Refer to the MD5 signature algorithm support section for more information.

digest_error: NONE: not usable

This error message occurs if you specify auth none and also tls-auth in your client profile. This happens because tls-auth needs an auth digest, but it isn’t specified. To resolve the error, remove the tls-auth directive. It’s not possible to enable it with auth none enabled.

SSL — Processing of the ServerKeyExchange handshake message failed

This error message likely occurs when using older versions of OpenVPN/OpenSSL on the server-side. Some users have solved this issue by updating their OpenVPN and OpenSSL software on the server-side.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This error message relates to cipher suites. You can usually remedy this by going to the app settings in OpenVPN Connect and checking the box for AES-CBC Cipher Algorithm.

Other client error messages

MD5 signature algorithm support

We recommend not using MD5 as the signing algorithm for a certificate because of its known weakness. For example, standard home computer equipment takes about eight hours to forge a certificate signed using MD5. Using MD5 therefore makes it possible to fake the identity of the server, which opens up the risk of a man-in-the-middle attack, and such an attack leads to the interception of the data communication.

You should only support the use of MD5 for older equipment.

We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered that many people’s devices still used MD5-signed certificates.

We recommend converting to a setup with SHA256-signed certificates for any installations that still use MD5-signed certificates. If the devices in use don’t support this option, we recommend updating the device to add the function or replacing the device completely.

For your reference, we have a list of deprecated options and ciphers here: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Refer to these links for more information about MD5 signatures:

To determine if you are using an MD5 type certificate, use this command with openssl as your testing tool:

Example result if the certificate is using MD5:

If you see this result on the CA certificate or client certificate, we recommend converting to a proper, securely signed certificate set that uses at least SHA256 or better.

OpenVPN Access Server doesn’t use MD5-certificate signatures.

For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.

The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.
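
An added example, not from the FAQ: the check below reads the signature algorithm OID directly out of the DER structure using only the Python standard library, so it works on a host where openssl is not installed. The certificates it runs on are constructed stubs containing only the fields the walker reads; on a real PEM certificate the same check_certificate() function applies unchanged.

```python
"""Detect certificates signed with MD5 (or SHA-1) without leaving the standard library.

Added example. A minimal DER walker reads the outer Certificate SEQUENCE, skips
tbsCertificate and decodes the signatureAlgorithm OID, which is the value that
"openssl x509 -noout -text" prints as "Signature Algorithm".
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}   # MD5- and SHA-1-based


def _read_tlv(buf, pos):
    """Decode the tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER payload into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def signature_algorithm_oid(der):
    """Dotted OID from the Certificate's outer signatureAlgorithm field."""
    tag, pos, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)              # tbsCertificate: skipped as a whole
    tag, pos, _ = _read_tlv(der, tbs_end)            # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier")
    tag, start, end = _read_tlv(der, pos)            # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[start:end])


def check_certificate(pem):
    """Return {'algorithm': name, 'weak': bool} for a PEM-encoded certificate."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    return {"algorithm": SIG_OIDS.get(oid, oid), "weak": oid in WEAK_SIG_OIDS}


# --- constructed test material: a stub Certificate with only the fields the walker reads ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def stub_certificate(sig_oid_bytes):
    """PEM-wrapped SEQUENCE { stub tbs, AlgorithmIdentifier, BIT STRING }; not a real certificate."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                           # stand-in for tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))   # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xde\xad\xbe\xef")                 # 0 unused bits + fake signature
    der = _der(0x30, tbs + alg + sig)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


MD5_RSA = bytes.fromhex("2a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, oid in (("md5", MD5_RSA), ("sha256", SHA256_RSA)):
        print(name, check_certificate(stub_certificate(oid)))
```

Where openssl is available, `openssl x509 -in ca.crt -noout -text` prints the same information in its "Signature Algorithm" lines; run the check on the CA certificate and on each client certificate, since either one being MD5-signed is enough to fail verification in the app.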

How to get started with OpenVPN Connect

To use OpenVPN Connect, you must have an OpenVPN profile that connects to a VPN server. OpenVPN profiles are files with the extension .ovpn.

To import a profile, do one of the following:

  • If you have a .ovpn profile, copy the profile and any files it references to a folder or SD card on your device. Ensure you copy all files to the same folder. Launch OpenVPN Connect, tap the menu icon, tap Import Profile, and tap File. Select the .ovpn profile from the folder location.
  • If you need to connect with OpenVPN Access Server, import the profile directly from Access Server: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter the URL for the Access Server Client UI.

If you need to connect with OpenVPN Cloud, import the profile directly from your private Cloud service: launch OpenVPN Connect, tap the menu icon, tap Import Profile, and enter your OpenVPN Cloud URL.

Is OpenVPN Connect for Android vulnerable to Heartbleed?

No—all versions of OpenVPN Connect for Android use the OpenSSL library, which is immune to Heartbleed.

Are CRLs (certificate revocation lists) supported?

Yes, OpenVPN Connect supports certificate revocation lists (CRLs) as of Android version 1.1.14.

To use a CRL, you must add it to the .ovpn profile:

You can concatenate multiple CRLs together within the crl-verify block above.

If you are importing a .ovpn file that references an external CRL file such as crl-verify crl.pem make sure to drop the file crl.pem into the same place as the .ovpn file during import so the profile parser can access it.

I am having trouble importing my .ovpn file.

The following pointers can help with importing .ovpn files:

1. All files must be in the same directory

When you import a .ovpn file, ensure that all files referenced by the .ovpn file, such as ca, cert, and key files, are in the same directory on the device as the .ovpn file.

2. Check formatting and size

Profiles must be UTF-8 (or ASCII) and under 256 KB in size.

3. Use the unified format for OpenVPN profiles

Consider using the unified format for OpenVPN profiles which allows all certs and keys to be embedded into the .ovpn file. This simplifies OpenVPN configuration management because it integrates all elements of the configuration into a single file.

For example, a traditional OpenVPN profile might specify certs and keys as follows:

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

You can convert this usage to unified form by pasting the content of the certificate and key files directly into the OpenVPN profile, using an XML-like syntax, as follows:

<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIE. . . .
/NygscQs1bxBSZ0X3KRk. Lq9iNBNgWg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
. . .
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
-----END OpenVPN Static key V1-----
</tls-auth>

Another approach to eliminate certificates and keys from the OpenVPN profile is to use the Android Keychain. For information about this, refer to the section on using the Android Keychain below.

Note: When converting tls-auth to unified format, check for a second parameter after the filename (usually a 0 or 1). This parameter is also known as the key-direction parameter and must be specified as a standalone directive when tls-auth is converted to a unified format. For example, if the parameter is 1, add this line to the profile: key-direction 1. If there is no second parameter to tls-auth, you must add this line to the profile: key-direction bidirectional.
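An added example (not the OpenVPN project's own tool) that performs the conversion described above: it inlines the ca, cert, key, tls-auth and crl-verify files a profile references, turns the second tls-auth parameter into the standalone key-direction directive the note requires (or key-direction bidirectional when there is none), and checks the result against the 256 KB limit from pointer 2. The profile text, the placeholder file contents and the hostname vpn.example.com are constructed for the demonstration.

```python
"""Convert a file-based OpenVPN profile to unified (inline) format.

Added example, not the OpenVPN project's own tool. It assumes the referenced
files sit in the same directory as the .ovpn, so a plain filename lookup is
enough; the `files` mapping stands in for that directory.
"""
import shlex

# Directives whose file argument can be embedded as an <name>...</name> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "crl-verify")
MAX_PROFILE_BYTES = 256 * 1024  # OpenVPN Connect's import limit


def _split(line):
    """Tokenise one config line; '#' and ';' introduce comments."""
    if line.lstrip().startswith(";"):
        return []
    try:
        return shlex.split(line, comments=True)
    except ValueError:          # unbalanced quote: treat the line as opaque
        return line.split()


def unify_profile(profile_text, files):
    """Return profile_text with file directives replaced by inline blocks.

    files: {filename: contents}. A referenced file that is missing raises
    FileNotFoundError, the same situation that makes an import fail.
    """
    lines = profile_text.splitlines()
    has_key_direction = any(_split(ln)[:1] == ["key-direction"] for ln in lines)
    out = []
    for line in lines:
        parts = _split(line)
        if not parts or parts[0] not in INLINE_DIRECTIVES:
            out.append(line)
            continue
        directive = parts[0]
        if len(parts) < 2:
            raise ValueError(f"{directive}: missing filename")
        filename = parts[1]
        if filename not in files:
            raise FileNotFoundError(f"{directive} references {filename}, "
                                    "which is not beside the profile")
        if directive == "tls-auth" and not has_key_direction:
            # The optional 0/1 after the filename is the key direction; once
            # the key is inlined it must be a standalone directive. No value
            # means the key is used bidirectionally.
            direction = parts[2] if len(parts) > 2 else "bidirectional"
            out.append(f"key-direction {direction}")
        out.append(f"<{directive}>")
        out.append(files[filename].strip())
        out.append(f"</{directive}>")
    return "\n".join(out) + "\n"


def validate_unified(profile_text):
    """Return import problems: leftover file references and the size limit."""
    issues = []
    size = len(profile_text.encode("utf-8"))
    if size > MAX_PROFILE_BYTES:
        issues.append(f"profile is {size} bytes, over the {MAX_PROFILE_BYTES} byte limit")
    for line in profile_text.splitlines():
        parts = _split(line)
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            issues.append(f"{parts[0]} still references external file {parts[1]}")
    return issues


# Constructed sample profile, modelled on the FAQ's
# "ca ca.crt cert client.crt key client.key tls-auth ta.key 1" layout.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
"""

# Constructed placeholder file contents; not real certificates or keys.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder-ca...\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder-client...\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN RSA PRIVATE KEY-----\n...placeholder-key...\n-----END RSA PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n...placeholder-ta...\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    unified = unify_profile(SAMPLE_PROFILE, SAMPLE_FILES)
    print(unified)
    print("issues:", validate_unified(unified) or "none")
```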

Where are the support forums for OpenVPN Connect?

Is IPv6 supported?

Yes. OpenVPN Connect supports IPv6 transport and IPv6 tunnels as long as the server supports them as well.

Why does OpenVPN Connect show two notification icons when connected?

The Android operating system requires two notification icons. They show that the VPN session is a high priority and shouldn’t be arbitrarily terminated by the system.

Can I disable the connection notification sound?

On some Android devices, a connection notification sound plays whenever a VPN tunnel is established and can’t be silenced by a non-root app.

How can I maximize battery life?

You can enable Battery Saver within OpenVPN Connect to pause the VPN when the phone screen goes blank:

  1. Launch OpenVPN Connect.
  2. Tap the menu icon.
  3. Tap Settings.
  4. Tap to enable Battery Saver.

Note: It’s possible that if you enable both the Battery Saver and Seamless Tunnel options, you will block any app from reaching the internet while the VPN is active but the device screen isn’t on. Enabling both can be useful for additional energy savings, as long as you don’t have any background apps that need constant internet access.

Can I control the VPN from outside the app?

Yes, you can control the VPN connection using shortcuts. You can quickly connect to a specific profile by adding a shortcut on your phone for OpenVPN Connect:

  1. Launch OpenVPN Connect.
  2. Tap the edit icon for the profile you want to make a shortcut.
  3. Tap Set Connect Shortcut.
  4. Enter a shortcut name, or keep the default suggestions and tap Create.
  5. Add the app shortcut to your home screen.

You can quickly disconnect from the VPN by adding a shortcut on your phone for OpenVPN Connect:

  1. Launch OpenVPN Connect.
  2. Tap the menu icon at the top left.
  3. Tap Settings.
  4. Tap Set Disconnect Shortcut.
  5. Add the app shortcut to your home screen.

How can I ensure that the VPN stays continuously connected?

In the Preferences menu, select the Reconnect on reboot option. Also, consider setting

You can enable reconnecting on reboot within OpenVPN Connect. If there’s an active VPN connection when the phone restarts, the app will reconnect on reboot.

  1. Launch OpenVPN Connect.
  2. Tap the menu icon.
  3. Tap Settings.
  4. Tap to enable Reconnect on Reboot.

Additionally, you can set the Connection Timeout under Settings to Continuously Retry.

Why does the VPN disconnect when I make or receive a voice call?

Some cellular networks are incapable of maintaining a data connection during a voice call. If Android detects this as a loss of network connectivity, the VPN pauses during the call and automatically resumes when the call ends.

Given that mobile devices are easily lost or stolen, how best to secure VPN profiles against compromise if the device falls into the wrong hands?

The safest option is not to save your password and use the Android Keychain as a repository for your private key (see below).

You have the option to save the password by checking Save Password when you edit the profile. When you check this, OpenVPN Connect stores your password in the keychain.

Is it safe to save passwords?

If you check the Save checkbox on the authentication or private key password fields, the app will store your password in an encrypted form; however, a determined attacker with physical possession of the device would still be able to recover the password with some reverse engineering.

Currently, the best options for security are to avoid saving passwords, and to use the Android Keychain as a repository for your private key (see below).

The Android developers are in the process of implementing an API for secure storage of passwords that will leverage the hardware-backed keystore and master device password; however, this development is not complete as of Android 4.2. This approach will protect saved passwords even if the device is rooted. When this development is complete, we plan to support it in the app.

Why is the save password switch sometimes disabled?

The save password switch on the authentication password field is typically enabled, but you can disable it by adding the following OpenVPN directive to the profile:

Note: The above directive only applies to the authentication password. The private key password, if it exists, can always be saved.

How can I use OpenVPN Connect with profiles that lack a client certificate/key?

If you have a profile that connects to a server without a client certificate/key, you must include the following directive in your profile:

Including this directive is necessary to resolve an ambiguity when the profile doesn’t contain a client certificate or key. When there isn’t a client certificate or key in the profile, OpenVPN Connect doesn’t know whether to obtain an external certificate/key pair from the Android Keychain or whether the server requires a client certificate/key. For example, a server that doesn’t require a client certificate/key is configured with the client-cert-not-required directive. The option is given as a “setenv” to avoid breaking other OpenVPN clients that might not recognize it.

Why does the app not support TAP-style tunnels?

The Android VPN API currently supports only TUN-style or routed tunnels on Layer 3. TAP-style or bridged tunnels on Layer 2 are not possible on Android. This is a limitation of the Android platform. If you try to connect a profile that uses a TAP-based tunnel, you get an error that says only Layer 3 tunnels are currently supported.

If you want to see TAP-style tunnels supported in OpenVPN Connect, contact the Google Android team and ask them to extend the VpnService API to allow this. Without such changes to the VpnService API, non-root apps such as OpenVPN Connect can’t support TAP-style tunnels.

Are there any OpenVPN directives not supported by the app?

While OpenVPN Connect supports most OpenVPN client directives, we’ve made an effort to reduce bloat and improve maintainability by eliminating what we believe to be obsolete or rarely-used directives. Please email us at android@openvpn.net if you think that we should reconsider a specific directive that we’ve excluded.

Here is a partial list of directives not currently supported:

  • dev tap — This directive is not supported because the underlying Android VPN API doesn’t support tap-style tunnels.
  • fragment — The fragment directive is not supported due to the complexity it adds to the OpenVPN implementation. It’s better to leave fragmentation up to the lower-level transport protocols. Note as well that the client doesn’t support connecting to a server that uses the fragment directive.
  • secret — Static key encryption mode (non-TLS) isn’t supported.
  • socks-proxy — Socks proxy support is currently not supported.
  • Not all ciphers are supported — OpenVPN Connect fully supports the AES-GCM and AES-CBC ciphers, and ChaCha20-Poly1305 as of Connect v3.3. The AES-GCM cipher algorithm in particular is well-suited for the modern processors generally used in Android devices, iOS devices, Macs and modern PCs. The deprecated DES and Blowfish ciphers are currently still supported but will be removed in the future.
  • proxy directives — While proxy directives are currently supported (http-proxy and http-proxy-option), they are currently NOT supported in profiles.

Can I have multiple profiles?

Yes, you can import any number of profiles from the Import menu:

  1. Launch OpenVPN Connect.
  2. Tap the Add icon.
  3. Enter the URL and username credentials or import a .ovpn file.
  4. To connect to the profile, tap the profile’s radio button.
  5. Enter your password.

OpenVPN Connect assigns a name to the profile based on the server hostname, username and filename. If you import a profile with the same name as one that already exists, OpenVPN Connect adds (1), (2), etc to the profile name.

How do I delete or rename a profile?

To delete a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap Delete Profile.

To rename a profile, tap the Edit icon next to the profile. From the Edit Profile screen, tap the Profile Name field and change it.

Can I have multiple proxies?

Yes, you can add any number of proxies from the main menu. Each profile can have one proxy assigned.

  1. Launch OpenVPN Connect.
  2. Tap the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Add icon.
  5. Enter the connection information for the proxy and tap Save.

Once you’ve added a proxy, you can add it to your profile:

  1. Tap the Edit icon for the profile.
  2. Under Proxy, tap the radio button of the proxy to add.
  3. Tap Save.

The profile now displays both the OpenVPN Profile and the proxy name. When you connect, your connection to the VPN server authenticates using the proxy server.

How do I edit or delete a proxy?

To edit or delete a proxy:

  1. Launch OpenVPN Connect.
  2. Tap the Menu icon in the top left.
  3. Tap Proxies.
  4. Tap the Edit icon next to the proxy you wish to edit or delete.
  5. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

You can also edit or delete a proxy from within a profile:

  1. Launch OpenVPN Connect.
  2. Tap the Edit icon for a profile.
  3. Tap the Edit icon for the proxy.
  4. Edit the proxy details and tap Save or if you want to delete, tap Delete Proxy.

How do I use a client certificate and private key from the Android Keychain?

Using the Android Keychain to store your private key leverages the hardware-backed Keystore on many Android devices. This protects the key with the Android-level device password and prevents key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the Android Keychain using the Import menu or Android Settings.

If you don’t have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).

After converting your certificate and key files into PKCS#12 form, import the client.p12 file into OpenVPN Connect using the Import / Import PKCS#12 menu option.

Once you’ve done this, remove the ca, cert, and key directives from your .ovpn file and re-import it. When you connect the first time, the app will ask you to select a certificate to use for the profile. Just select the MyClient certificate, and you should be able to connect normally.

When I try to import a PKCS#12 file, why am I being asked for a password?

When you generate a PKCS#12 file, you’re prompted for an «export password» to encrypt the file. You must enter this password when you import the PKCS#12 file into the Android Keychain. This prevents interception and recovery of the private key during transport.

Why doesn’t the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?

Android uses PKCS#12 files differently than on desktops using OpenVPN. Android manages PKCS#12 in the Android Keychain. In contrast, desktops can reference the PKCS#12 files bundled in the OpenVPN profile. The Android approach is much better from a security perspective because the Keychain can leverage hardware features in the device, such as hardware-backed keystores. However, it requires that you load the PKCS#12 file into the Android Keychain separate from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the Android Keychain and away from OpenVPN, potentially introducing compatibility issues.

To use a PKCS#12 file on Android, see the FAQ item above: How do I use a client certificate and private key from the Android Keychain?

How do I set up my profile for server failover?

You can provide OpenVPN with a list of servers to make connections. On connection failure, OpenVPN will rotate through the list until it finds a responsive server. For example, the following entries in the profile will first try to connect to server A via UDP port 1194, then TCP port 443, then repeat the process with server B. OpenVPN will continue to retry until it successfully connects or hits the Connection Timeout, which you can configure in Settings.


I am configuring OpenVPN 2.3.6-1 on my Arch Linux server in order to encrypt SMB traffic over the public Internet. When I test the setup on one of my Linux virtual machine clients, I get the error: TLS Error: TLS handshake failed.

I quickly read (OpenVPN on OpenVZ TLS Error: TLS handshake failed (google suggested solutions not helping)) and tried to switch from the default UDP to TCP, but that only caused the client to repeatedly report that the connection timed out. I also tried disabling the cipher and TLS authentication, but that caused the server to fail with Assertion failed at crypto_openssl.c:523. In both instances, the required changes were made to both the client and server configurations.

I have been following the instructions at (https://wiki.archlinux.org/index.php/OpenVPN) to set up OpenVPN and the instructions at (https://wiki.archlinux.org/index.php/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts) to create the keys and certificates. The only deviations I have made from these instructions have been specifying my own computers’ names and their corresponding key/certificate file names.

See also my original question about securing SMB traffic over the Internet: (Simple encryption for Samba shares)

Can anybody explain how I can solve this issue?

Details:

Server: Arch Linux (up to date) connected directly to gateway via ethernet cable. No iptables.

Client: Arch Linux (up to date) virtual machine on VirtualBox 4.3.28r100309 Windows 8.1 host, bridged network adapter. No iptables. Windows Firewall disabled.

Gateway: Port forwarding for port 1194 enabled, no firewall restrictions.

Here are the configuration files on the server and client, respectively. I created these according to the instructions on the Arch Wiki.

/etc/openvpn/server.conf (Non-comment lines only):

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-name.crt
key /etc/openvpn/server-name.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

/etc/openvpn/client.conf (Non-comment lines only):

client
dev tun
proto udp
remote [my public IP here] 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client-name.crt
key /etc/openvpn/client-name.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3

Here are the outputs of running openvpn on the machines with the above configurations. I started the server first, then the client.

The output of openvpn /etc/openvpn/server.conf on the server:

Thu Jul 30 17:02:53 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 17:02:53 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 17:02:53 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 30 17:02:53 2015 Diffie-Hellman initialized with 2048 bit key
Thu Jul 30 17:02:53 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 17:02:53 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 17:02:53 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 17:02:53 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=##:##:##:##:##:##
Thu Jul 30 17:02:53 2015 TUN/TAP device tun0 opened
Thu Jul 30 17:02:53 2015 TUN/TAP TX queue length set to 100
Thu Jul 30 17:02:53 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jul 30 17:02:53 2015 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Jul 30 17:02:53 2015 /usr/bin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Jul 30 17:02:53 2015 /usr/bin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Jul 30 17:02:53 2015 GID set to nobody
Thu Jul 30 17:02:53 2015 UID set to nobody
Thu Jul 30 17:02:53 2015 UDPv4 link local (bound): [undef]
Thu Jul 30 17:02:53 2015 UDPv4 link remote: [undef]
Thu Jul 30 17:02:53 2015 MULTI: multi_init called, r=256 v=256
Thu Jul 30 17:02:53 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 30 17:02:53 2015 IFCONFIG POOL LIST
Thu Jul 30 17:02:53 2015 Initialization Sequence Completed

The output of openvpn /etc/openvpn/client.conf on the client:

Thu Jul 30 21:03:02 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Thu Jul 30 21:03:02 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/client-name.key' is group or others accessible
Thu Jul 30 21:03:02 2015 WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Thu Jul 30 21:03:02 2015 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu Jul 30 21:03:02 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 30 21:03:02 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Thu Jul 30 21:03:02 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Jul 30 21:03:02 2015 UDPv4 link local: [undef]
Thu Jul 30 21:03:02 2015 UDPv4 link remote: [AF_INET][my public IP here]:1194
Thu Jul 30 21:04:02 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Jul 30 21:04:02 2015 TLS Error: TLS handshake failed
Thu Jul 30 21:04:02 2015 SIGUSR1[soft,tls-error] received, process restarting
Thu Jul 30 21:04:02 2015 Restart pause, 2 second(s)

If you are facing the “OpenVPN TLS handshake failed” error on your computer while attempting to set up OpenVPN, then you are in the right place. Here we discuss this problem in detail and provide some recommended methods/procedures to fix the error. Let’s take a look at the error message and then start the discussion.

“Sun May 13 19:39:51 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Sun May 13 19:39:51 2018 TLS Error: TLS handshake failed”

About OpenVPN

“OpenVPN” is open-source commercial software that implements virtual private network techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It is available free of charge. With digital privacy and online security continuing to be major concerns, more people are interested in VPNs (Virtual Private Networks) than ever before.

Pros:

  • Free, open-source VPN
  • Boosted privacy and secure browsing
  • Supported by developer community

Cons:

  • Can lead to poor speeds when in use
  • Too technical and complex for first-time users
  • Can be blocked by business proxies

However, it is important to remember that “OpenVPN” is not a VPN provider, and it doesn’t add a piece of software to your desktop or a simple plug-in to your browser that you click once to connect. “OpenVPN” is an encryption protocol that can connect you to your VPN, which means you will need to know exactly how to configure it for your specific server.

What is “OpenVPN TLS handshake failed” Error?

It is a common TLS error that appears while trying to connect to OpenVPN. This error message usually appears on Android, iOS, Windows, Mac and Linux based devices. The word “handshake” refers to a negotiation between two ends, just as two people meeting for any purpose shake hands first and then go ahead with anything else. In this case, “handshake” refers to the negotiation between the two ends of the VPN connection.

On the other hand, “TLS (Transport Layer Security)” is used every time you access a website or application over HTTPS, or use email, messaging and VoIP (Voice over Internet Protocol). In simple words, HTTPS is an implementation of TLS encryption.

Now to the matter of the “OpenVPN TLS handshake failed” error: it is one of the most common problems in setting up OpenVPN and occurs for several reasons. Some users reported that this error usually appears on Windows/Mac/iOS/Linux/Android based devices when Windows Firewall is blocking access for “openvpn.exe”.

“TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)”

Reasons behind OpenVPN TLS handshake failed issues

  • Incorrect Client Configuration: The “OpenVPN” client config does not have the correct server address in its config file. The remote directive in the client config must point to either the server itself or the public IP address of the server network’s gateway.
  • OpenVPN packets: A perimeter firewall on the server’s network is filtering out incoming OpenVPN packets. By default, OpenVPN uses UDP or TCP port 1194.
  • NAT/PAT: A NAT gateway on the server’s network does not have a port forwarding rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
  • Firewall/routing blocking port: Windows Firewall is blocking access for the “openvpn.exe” binary.
  • OSes block incoming connections: A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default unless configured otherwise.

[Tips & Tricks] How to Fix OpenVPN TLS handshake failed error on Windows 10?

Procedure 1: Change “TLS” protocol in Windows

Windows 10 and earlier versions of Windows centralize the protocol settings in the System. To fix “OpenVPN TLS handshake failed” Error, you can change TLS version via the steps below:

Step 1: Press “Windows + R” key from keyboard to open “Run Dialog Box”

Step 2: In the opened “Run Dialog Box”, type “inetcpl.cpl” and hit “Ok” button

Step 3: In the opened “Internet Properties” window, click on “Advanced” tab

Step 4: Find “Security” section and here, you can add or remove TLS

Step 5: If the website is looking for TLS 1.2 and it is not checked, you need to check it. Similarly, if someone is experimenting with TLS 1.3, you need to check it

Step 6: Finally, click on “Apply” and “Ok” to save the changes. Once done, try opening the same website again

Procedure 2: Change TLS protocol in Firefox

Step 1: Open “Firefox” browser and type “about:config” in address bar and then hit “Enter” key

Step 2: Now, type “TLS” in the search box and locate “security.tls.version.min”

Step 3: You can change it to “1 and 2 to force TLS 1 and 1.1”, “3 to force TLS 1.2”, “4 to force maximum protocol of TLS 1.3”

Procedure 3: Delete Browser profile or certificate database

Every browser maintains a database for certificates. For example, every Firefox profile has a cert8.db file. If deleting that file and restarting fixes it, then the problem is related to the local certificate database.

On Windows 10 or other Windows based devices, when you are using Internet Explorer or the Edge browser, the Certificate Manager is responsible, or you can go to edge://settings/privacy and click on Manage HTTPS/SSL certificates and settings. Delete the certificates and try again.

Procedure 4: Reset web browser

To reset Google Chrome settings, follow the steps below:


Step 1: Open Google Chrome browser and type “Chrome://Settings” in address bar and then hit “Enter” key

Step 2: Scroll towards the end and click on “Advanced settings”

Step 3: You will see the “Reset Browser Settings” button

Step 4: When you use this option, it will reset your profile to the post-fresh-install state

Step 5: This process will reset search engine, homepage, new tab page and pinned tabs to default. Extensions, add-ons and themes will be disabled and Content Settings will be reset. Cookies, Cache and Site data will be deleted.

Step 6: Once done, restart your browser and please check if “OpenVPN TLS handshake failed” Error is resolved.

To reset Microsoft Edge Chromium browser, follow the steps below:

Step 1: Open Microsoft Edge browser

Step 2: Click on Open Settings

Step 3: Navigate to “Reset Settings”

Step 4: Click on “Restore Settings” to their default values.

Step 5: This process will reset your startup page, new tab page, search engine and pinned tabs, disable all extensions and clear temporary data like cookies; favourites, history and saved passwords will not be cleared.

Step 6: Once done, restart your browser and please check if the error is resolved.

To reset Firefox settings, follow the steps below:


Step 1: Open “Firefox browser”

Step 2: Go to “Settings > Help > Troubleshooting information”

Step 3: Click on “Reset Firefox” button.

Step 4: This process will reset the search engine and homepage to default. Your extensions, sync settings, open tabs, tab groups, themes and toolbars will be removed. However, your passwords, form data, browsing history, favourites or bookmarks, cookies and plug-ins will not be removed; they will instead be moved to a new profile.

Procedure 5: Ensuring the correct System time


Step 1: Press “Windows + I” keys together from keyboard to open “Settings App”

Step 2: In the “Settings App”, select “Time & Language”

Step 3: Go to the right pane, then toggle the switch under “Set Time Automatically” to “ON”

Step 4: After that, restart your computer and try visiting the website again to see if TLS handshake error is gone.


Conclusion

I am sure this article helped you to fix “OpenVPN TLS handshake failed” on Windows 10 with several easy methods/procedures. You can follow either one or all of the procedures to fix this issue.

If you are unable to fix the OpenVPN TLS handshake failed problem with the solutions mentioned above, then it is possible that your system has been infected with malware or viruses. According to security researchers, malware or viruses can cause several kinds of damage to your computer.

In this case, you can scan your computer with powerful antivirus software that has the ability to delete all types of malware or viruses from System.


Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.

As part of our Server Management Services, we assist our customers with several OpenVPN queries.

Today, let us see how our Support techs resolve this error.

How to resolve TLS key negotiation failed error in OpenVPN?

First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.

Locating the server log files

The log files are located in specific areas on your computer systems.

Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.

On the OpenVPN Access Server there is the server side log:

/var/log/openvpnas.log
/var/log/openvpnas.node.log (in case of a failover setup)

In the event that you are having problems with starting the Access Server or certain portions of it, for example the web services, then it may be useful to stop the Access Server service.

Then, move the log file aside, then start the Access Server service, and stop it again immediately.

This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.

This makes analysis of the log file much easier.

To do so use these commands in order:

service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stop

You can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:

service openvpnas start

Locating the client log files

Log file location for the OpenVPN Connect Client for Windows:

C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(unique_name).log

The OpenVPN Connect Client for Mac:

/Library/Application Support/OpenVPN/log/openvpn_(unique_name).log

To get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.

You can then go to the correct folder and look up the log file.

Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.

To bypass this, right click the log file and choose the Get info option in the menu.

Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.

Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.

TLS key negotiation failed error

A typical error looks like this:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

This particular error can have multiple different causes as it is a fairly generic error message.

A possible explanation is that the client program is old and supports only TLS 1.0, while the server requires TLS 1.1 or higher.

To see if this is the case log on to the server and check the server side log file.

When you see messages like the following on the server side, the chances are high that your client program is an older version (2.2 or older) that does not know how to handle a modern minimum TLS level requirement:

OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

The solution to this particular problem is to upgrade the client software to the latest version.

Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.

The settings on the client and the server must match for the connection to be successful.

In this situation installing a new copy of the configuration profile will solve the issue.

A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.

And yet another possible explanation is that there is a blockage in place in a firewall or at the Internet service provider that is blocking or interfering with the TLS handshake in some way.
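The three causes above can be told apart by pairing the client's timeout message with what the server log shows. The following triage function is an added example, not code from the article or from OpenVPN; its mapping of log signatures to causes is this example's reading of the article, and the sample logs are constructed (the server lines repeat the messages quoted above).

```python
import re

# Server-side messages from the article, mapped to the causes it lists. The
# mapping is this example's reading of the article, not OpenVPN's own logic.
OLD_CLIENT_RE = re.compile(r"SSL23_GET_CLIENT_HELLO:unknown protocol")
TLS_FAIL_RE = re.compile(
    r"TLS handshake failed|tls_read_plaintext error|incoming plaintext read error"
)
RESTART_RE = re.compile(r"SIGUSR1\[soft,tls-error\] received")
CLIENT_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

# Constructed sample logs; the server lines repeat the article's quoted messages.
CLIENT_LOG = [
    "TLS Error: TLS key negotiation failed to occur within 60 seconds "
    "(check your network connectivity)",
]
SERVER_LOG_OLD_CLIENT = [
    "OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "TLS_ERROR: BIO read tls_read_plaintext error",
    "TLS Error: TLS object -> incoming plaintext read error",
    "TLS Error: TLS handshake failed",
    "SIGUSR1[soft,tls-error] received, client-instance restarting",
]
SERVER_LOG_QUIET = ["Initialization Sequence Completed"]  # nothing from the client


def diagnose_tls_timeout(client_log, server_log):
    """Return (cause, evidence) for a client reporting the negotiation timeout.

    old_client_tls_version      server cannot parse the ClientHello: upgrade the client
    tls_settings_mismatch       handshake reached the server but failed: refresh the profile
    no_handshake_reached_server server is silent: suspect a firewall or ISP filter
    """
    if not any(CLIENT_TIMEOUT_RE.search(line) for line in client_log):
        return "no_timeout_reported", []
    old = [l for l in server_log if OLD_CLIENT_RE.search(l)]
    failed = [l for l in server_log if TLS_FAIL_RE.search(l) or RESTART_RE.search(l)]
    if old:
        return "old_client_tls_version", old + failed
    if failed:
        return "tls_settings_mismatch", failed
    return "no_handshake_reached_server", []


if __name__ == "__main__":
    for name, log in (("old client", SERVER_LOG_OLD_CLIENT), ("quiet", SERVER_LOG_QUIET)):
        cause, evidence = diagnose_tls_timeout(CLIENT_LOG, log)
        print(f"{name}: {cause} ({len(evidence)} evidence lines)")
```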

Conclusion

In short, today we saw steps followed by our Support Techs to resolve TLS key negotiation failed error in OpenVPN.

Another cause of an error when connecting to an OpenVPN server
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). TLS Error: TLS handshake failed


Oddly enough, the cause is not related to the configs of the OpenVPN server itself or of the clients; it lies in the network, which is exactly what the log says.
Sniffing the traffic showed that there was no return path from the server to the client during the handshake:

14:01:59.465502 IP ServerIP.openvpn > ClientIP.54954: UDP, length 42
14:02:00.272635 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:00.272889 IP ServerIP.openvpn > ClientIP.54961: UDP, length 54
14:02:03.568343 IP ClientIP.54961 > ServerIP.openvpn: UDP, length 42
14:02:03.568536 IP ServerIP.openvpn > ClientIP.54961: UDP, length 50
14:02:03.612846 IP ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36

In verbose mode the picture looks like this:

14:08:14.154062 IP (tos 0x0, ttl 64, id 21182, offset 0, flags [DF], proto UDP (17), length 70)
    ServerIP.openvpn > ClientIP.57304: [bad udp cksum 0xd2f6 -> 0xb107!] UDP, length 42
14:08:20.193700 IP (tos 0x0, ttl 122, id 29713, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:20.194123 IP (tos 0x0, ttl 64, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd302 -> 0x6091!] UDP, length 54
14:08:20.238329 IP (tos 0x0, ttl 250, id 27288, offset 0, flags [none], proto ICMP (1), length 56)
    ClientIP > ServerIP: ICMP host ClientIP unreachable - admin prohibited filter, length 36
    IP (tos 0x0, ttl 58, id 21620, offset 0, flags [DF], proto UDP (17), length 82)
    ServerIP.openvpn > ClientIP.62614: UDP, length 54
14:08:21.400665 IP (tos 0x0, ttl 122, id 29742, offset 0, flags [none], proto UDP (17), length 70)
    ClientIP.62614 > ServerIP.openvpn: [udp sum ok] UDP, length 42
14:08:21.400811 IP (tos 0x0, ttl 64, id 21703, offset 0, flags [DF], proto UDP (17), length 78)
    ServerIP.openvpn > ClientIP.62614: [bad udp cksum 0xd2fe -> 0x80f0!] UDP, length 50

The cause turned out to be a rule on the Cisco router on the client side that prohibited forwarding of incoming UDP connections. Outgoing connections worked, which is why the connection and the exchange up to the handshake took place.
As soon as UDP traffic was allowed through, the connection to the OpenVPN server came up.
If there is no way to open UDP traffic, it is worth switching to a TCP connection.
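The tell-tale in the capture above is a server-to-client UDP packet answered by an ICMP "admin prohibited" from the client's side. The following parser is an added example, not part of the article: it reads tcpdump lines in the non-verbose format shown first (the two-line -v format is not handled), counts handshake packets per direction and reports what the pattern suggests. The capture is constructed, with documentation-range addresses standing in for ServerIP and ClientIP.

```python
import re

# One tcpdump line per packet in the non-verbose format shown above. Hosts are
# written as tcpdump prints them: for UDP the port is the last dot-separated
# component, ICMP endpoints carry no port.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (UDP|ICMP)(.*)$")

# Constructed capture mirroring the one above (203.0.113.10 = ServerIP,
# 198.51.100.7 = ClientIP).
SERVER = "203.0.113.10"
CAPTURE = [
    "14:01:59.465502 IP 203.0.113.10.openvpn > 198.51.100.7.54954: UDP, length 42",
    "14:02:00.272635 IP 198.51.100.7.54961 > 203.0.113.10.openvpn: UDP, length 42",
    "14:02:00.272889 IP 203.0.113.10.openvpn > 198.51.100.7.54961: UDP, length 54",
    "14:02:03.568343 IP 198.51.100.7.54961 > 203.0.113.10.openvpn: UDP, length 42",
    "14:02:03.568536 IP 203.0.113.10.openvpn > 198.51.100.7.54961: UDP, length 50",
    "14:02:03.612846 IP 198.51.100.7 > 203.0.113.10: ICMP host 198.51.100.7 "
    "unreachable - admin prohibited filter, length 36",
]


def analyze_capture(lines, server):
    """Count handshake packets per direction and say what the capture suggests."""
    stats = {"client_to_server_udp": 0, "server_to_client_udp": 0,
             "icmp_admin_prohibited": 0}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        if proto == "UDP":
            src_host, dst_host = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
            if src_host == server:
                stats["server_to_client_udp"] += 1
            elif dst_host == server:
                stats["client_to_server_udp"] += 1
        elif "admin prohibited" in rest and dst == server:
            # The client's network rejected the server's UDP reply.
            stats["icmp_admin_prohibited"] += 1
    if stats["icmp_admin_prohibited"]:
        verdict = "udp_to_client_filtered"   # open UDP on the client side, or use proto tcp
    elif stats["client_to_server_udp"] and not stats["server_to_client_udp"]:
        verdict = "server_not_replying"      # look at the server's firewall and listener
    elif stats["server_to_client_udp"]:
        verdict = "udp_flowing_both_ways"    # the network is fine; check TLS settings
    else:
        verdict = "no_openvpn_traffic"
    stats["verdict"] = verdict
    return stats
```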

https://github.com/midnight47/
