#1 2017-10-02 15:48:20

R1220
Member
From: Maidstone
Registered: 2017-07-25
Posts: 6

[SOLVED] PureVPN with OpenVPN timeout

Hi everybody.
I've tried to search for similar problems in the forum, but it seems there's nothing.
Probably it is just a silly mistake. Anyway.
OpenVPN is working on my machine, I can use a free VPN server easily.
I subscribed with PureVPN and they sent me the .ovpn files plus .crt and .key.
Seems easy and it is... but the connection times out when I try using TCP, and UDP as well.
I checked ports 80 and 1194 on the router and in iptables as well and they seem OK.
I have the same problem on 2 PCs, both running Arch, and 2 Raspberry Pis with, of course, ArchPi.
Any suggestions?
Below is the output file with verbosity 6.
Thank you
Raf

Mon Oct  2 17:38:12 2017 us=287215 WARNING: file 'Wdc.key' is group or others accessible
Mon Oct  2 17:38:12 2017 us=287328 Current Parameter Settings:
Mon Oct  2 17:38:12 2017 us=287367   config = 'Italy,Milano1-tcp.ovpn'
Mon Oct  2 17:38:12 2017 us=287400   mode = 0
Mon Oct  2 17:38:12 2017 us=287431   persist_config = DISABLED
Mon Oct  2 17:38:12 2017 us=287463   persist_mode = 1
Mon Oct  2 17:38:12 2017 us=287493   show_ciphers = DISABLED
Mon Oct  2 17:38:12 2017 us=287524   show_digests = DISABLED
Mon Oct  2 17:38:12 2017 us=287554   show_engines = DISABLED
Mon Oct  2 17:38:12 2017 us=287585   genkey = DISABLED
Mon Oct  2 17:38:12 2017 us=287615   key_pass_file = '[UNDEF]'
Mon Oct  2 17:38:12 2017 us=287645   show_tls_ciphers = DISABLED
Mon Oct  2 17:38:12 2017 us=287675   connect_retry_max = 0
Mon Oct  2 17:38:12 2017 us=287706 Connection profiles [0]:
Mon Oct  2 17:38:12 2017 us=287738   proto = tcp-client
Mon Oct  2 17:38:12 2017 us=287768   local = '[UNDEF]'
Mon Oct  2 17:38:12 2017 us=287816   local_port = '[UNDEF]'
Mon Oct  2 17:38:12 2017 us=287863   remote = 'vlus-it1-ovpn-tcp.pointtoserver.com'
Mon Oct  2 17:38:12 2017 us=287907   remote_port = '1194'
Mon Oct  2 17:38:12 2017 us=287951   remote_float = ENABLED
Mon Oct  2 17:38:12 2017 us=287988   bind_defined = DISABLED
Mon Oct  2 17:38:12 2017 us=288020 NOTE: --mute triggered...
Mon Oct  2 17:38:12 2017 us=288069 261 variation(s) on previous 20 message(s) suppressed by --mute
Mon Oct  2 17:38:12 2017 us=288100 OpenVPN 2.4.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
Mon Oct  2 17:38:12 2017 us=288148 library versions: OpenSSL 1.1.0f  25 May 2017, LZO 2.10
Enter Auth Username: XXXXXXXXXXXXXXXXX
Enter Auth Password: XXXXXXXXXXXXXXXXX
Mon Oct  2 17:38:42 2017 us=522704 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Oct  2 17:38:42 2017 us=523686 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct  2 17:38:42 2017 us=523731 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct  2 17:38:42 2017 us=523769 LZO compression initializing
Mon Oct  2 17:38:42 2017 us=523942 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Mon Oct  2 17:38:42 2017 us=569993 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Mon Oct  2 17:38:42 2017 us=570089 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Mon Oct  2 17:38:42 2017 us=570134 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Mon Oct  2 17:38:42 2017 us=570190 TCP/UDP: Preserving recently used remote address: [AF_INET]172.111.137.130:1194
Mon Oct  2 17:38:42 2017 us=570240 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Oct  2 17:38:42 2017 us=570278 Attempting to establish TCP connection with [AF_INET]172.111.137.130:1194 [nonblock]
Mon Oct  2 17:40:42 2017 us=585483 TCP: connect to [AF_INET]172.111.137.130:1194 failed: Connection timed out
Mon Oct  2 17:40:42 2017 us=585691 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Mon Oct  2 17:40:42 2017 us=585742 Restart pause, 5 second(s)

Last edited by R1220 (2017-10-12 07:59:35)


SXQncyBmcmVlemluZyEgUGxlYXNlIGNsb3NlIHRoZSBHYXRlcyBhbmQgU0hVVCB0aGUgV2luZG93cyE=


#2 2017-10-03 11:21:10

R1220
Member
From: Maidstone
Registered: 2017-07-25
Posts: 6

Re: [SOLVED] PureVPN with OpenVPN timeout

Hi

Ok, I'm sorting this out with the VPN provider.
Their system is still not updated to use OpenSSL 1.1.0.
They sent me new addresses (for now just located in the USA) and a new ca.crt.
Still not working.
Now the log says:

Tue Oct  3 13:04:11 2017 us=769121 PKCS#11: pkcs11_initialize - entered
Tue Oct  3 13:04:11 2017 us=769270 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Tue Oct  3 13:04:11 2017 us=769321 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Oct  3 13:04:11 2017 us=769350 PO_INIT maxevents=4 flags=0x00000002
Tue Oct  3 13:04:11 2017 us=770298 PRNG init md=SHA1 size=36
Tue Oct  3 13:04:11 2017 us=770557 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Oct  3 13:04:11 2017 us=770614 Outgoing Control Channel Authentication: HMAC KEY: 19438a46 54663cad 975e138f 5bc5af89 c737ad82
Tue Oct  3 13:04:11 2017 us=770649 Outgoing Control Channel Authentication: HMAC size=20 block_size=20  
Tue Oct  3 13:04:11 2017 us=770697 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication                                                                           
Tue Oct  3 13:04:11 2017 us=770747 Incoming Control Channel Authentication: HMAC KEY: 1352379c df74952b 588fb161 a93e13df 9135b2b2
Tue Oct  3 13:04:11 2017 us=770784 Incoming Control Channel Authentication: HMAC size=20 block_size=20
Tue Oct  3 13:04:11 2017 us=770821 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Tue Oct  3 13:04:11 2017 us=770865 LZO compression initializing
Tue Oct  3 13:04:11 2017 us=770924 TLS: tls_session_init: entry
Tue Oct  3 13:04:11 2017 us=770965 PID packet_id_init seq_backtrack=64 time_backtrack=15
Tue Oct  3 13:04:11 2017 us=771139 PID packet_id_init seq_backtrack=64 time_backtrack=15
Tue Oct  3 13:04:11 2017 us=771191 TLS: tls_session_init: new session object, sid=b2c70986 f3ba19d5
Tue Oct  3 13:04:11 2017 us=771224 TLS: tls_session_init: entry
Tue Oct  3 13:04:11 2017 us=771261 PID packet_id_init seq_backtrack=64 time_backtrack=15
Tue Oct  3 13:04:11 2017 us=771359 PID packet_id_init seq_backtrack=64 time_backtrack=15
Tue Oct  3 13:04:11 2017 us=771410 TLS: tls_session_init: new session object, sid=815f2bd7 60f87985
Tue Oct  3 13:04:11 2017 us=771455 Control Channel MTU parms [ L:1624 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Tue Oct  3 13:04:11 2017 us=771525 MTU DYNAMIC mtu=1450, flags=2, 1624 -> 1450
Tue Oct  3 13:04:11 2017 us=771696 GETADDRINFO flags=0x0101 ai_family=0 ai_socktype=1
Tue Oct  3 13:04:11 2017 us=876272 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0
Tue Oct  3 13:04:11 2017 us=876365 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Tue Oct  3 13:04:11 2017 us=876435 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Tue Oct  3 13:04:11 2017 us=876473 calc_options_string_link_mtu: link-mtu 1624 -> 1560
Tue Oct  3 13:04:11 2017 us=876551 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Tue Oct  3 13:04:11 2017 us=876585 calc_options_string_link_mtu: link-mtu 1624 -> 1560
Tue Oct  3 13:04:11 2017 us=876638 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Oct  3 13:04:11 2017 us=876670 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Oct  3 13:04:11 2017 us=876730 STREAM: RESET
Tue Oct  3 13:04:11 2017 us=876765 STREAM: INIT maxlen=1627
Tue Oct  3 13:04:11 2017 us=876802 TCP/UDP: Preserving recently used remote address: [AF_INET]92.242.132.16:80
Tue Oct  3 13:04:11 2017 us=876861 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue Oct  3 13:04:11 2017 us=876900 Attempting to establish TCP connection with [AF_INET]92.242.132.16:80 [nonblock]
Tue Oct  3 13:04:12 2017 us=877138 TCP connection established with [AF_INET]92.242.132.16:80
Tue Oct  3 13:04:12 2017 us=877200 TCP_CLIENT link local: (not bound)
Tue Oct  3 13:04:12 2017 us=877224 TCP_CLIENT link remote: [AF_INET]92.242.132.16:80
Tue Oct  3 13:04:12 2017 us=877254 TIMER: coarse timer wakeup 1 seconds
Tue Oct  3 13:04:12 2017 us=877287 TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=b2c70986 f3ba19d5, stored-sid=00000000 00000000, stored-ip=[AF_INET]92.242.132.16:80
Tue Oct  3 13:04:12 2017 us=877304 TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
Tue Oct  3 13:04:12 2017 us=877319 ACK mark active outgoing ID 0
Tue Oct  3 13:04:12 2017 us=877336 TLS: Initial Handshake, sid=b2c70986 f3ba19d5
Tue Oct  3 13:04:12 2017 us=877351 ACK reliable_can_send active=1 current=1 : [1] 0
Tue Oct  3 13:04:12 2017 us=877365 ACK reliable_send ID 0 (size=4 to=2)
Tue Oct  3 13:04:12 2017 us=877396 ENCRYPT HMAC: 011ca365 2347b195 13eb879f a4ec997e d21b73e1
Tue Oct  3 13:04:12 2017 us=877423 ENCRYPT TO: 011ca365 2347b195 13eb879f a4ec997e d21b73e1 00000001 59d38acc 38b2c70[more...]
Tue Oct  3 13:04:12 2017 us=877438 Reliable -> TCP/UDP
Tue Oct  3 13:04:12 2017 us=877452 ACK reliable_send_timeout 2 [1] 0
Tue Oct  3 13:04:12 2017 us=877465 TLS: tls_process: timeout set to 2
Tue Oct  3 13:04:12 2017 us=877486 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=815f2bd7 60f87985, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Tue Oct  3 13:04:12 2017 us=877506 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Tue Oct  3 13:04:12 2017 us=877527 RANDOM USEC=62949
Tue Oct  3 13:04:12 2017 us=877543 STREAM: SET NEXT, buf=[536,0] next=[536,1627] len=-1 maxlen=1627
Tue Oct  3 13:04:12 2017 us=877558 PO_CTL rwflags=0x0003 ev=3 arg=0x55d5a3019168
Tue Oct  3 13:04:12 2017 us=877576 I/O WAIT T?|T?|SR|SW [1/62949]
Tue Oct  3 13:04:12 2017 us=877594 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x55d5a3019168 
Tue Oct  3 13:04:12 2017 us=877608  event_wait returned 1
Tue Oct  3 13:04:12 2017 us=877621 NOTE: --mute triggered...
Tue Oct  3 13:04:12 2017 us=877635 1 variation(s) on previous 20 message(s) suppressed by --mute
Tue Oct  3 13:04:12 2017 us=877673 TCP_CLIENT WRITE [42] to [AF_INET]92.242.132.16:80: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=b2c70986 f3ba19d5 tls_hmac=011ca365 2347b195 13eb879f a4ec997e d21b73e1 pid=[ #1 / time = (1507035852) Tue Oct  3 13:04:12 2017 ] [ ] pid=0 DATA 
Tue Oct  3 13:04:12 2017 us=877688 STREAM: WRITE 42 offset=30
Tue Oct  3 13:04:12 2017 us=877737 TCP_CLIENT write returned 44
Tue Oct  3 13:04:12 2017 us=877774 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=b2c70986 f3ba19d5, stored-sid=00000000 00000000, stored-ip=[AF_INET]92.242.132.16:80
Tue Oct  3 13:04:12 2017 us=877799 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Tue Oct  3 13:04:12 2017 us=877814 ACK reliable_can_send active=1 current=0 : [1] 0
Tue Oct  3 13:04:12 2017 us=877896 SSL state (connect): before SSL initialization
Tue Oct  3 13:04:12 2017 us=877951 SSL state (connect): SSLv3/TLS write client hello
Tue Oct  3 13:04:12 2017 us=877975 ACK reliable_send_timeout 2 [1] 0
Tue Oct  3 13:04:12 2017 us=877989 TLS: tls_process: timeout set to 2
Tue Oct  3 13:04:12 2017 us=878009 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=815f2bd7 60f87985, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Tue Oct  3 13:04:12 2017 us=878030 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Tue Oct  3 13:04:12 2017 us=878047 STREAM: SET NEXT, buf=[536,0] next=[536,1627] len=-1 maxlen=1627
Tue Oct  3 13:04:12 2017 us=878061 PO_CTL rwflags=0x0001 ev=3 arg=0x55d5a3019168
Tue Oct  3 13:04:12 2017 us=878077 I/O WAIT T?|T?|SR|Sw [1/62949]
Tue Oct  3 13:04:12 2017 us=884802 PO_WAIT[0,0] fd=3 rev=0x00000001 rwflags=0x0001 arg=0x55d5a3019168 
Tue Oct  3 13:04:12 2017 us=884848  event_wait returned 1
Tue Oct  3 13:04:12 2017 us=884872 I/O WAIT status=0x0001
Tue Oct  3 13:04:12 2017 us=884895 STREAM: GET NEXT len=1627
Tue Oct  3 13:04:12 2017 us=884922 STREAM: ADD length_added=311
Tue Oct  3 13:04:12 2017 us=884944 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Tue Oct  3 13:04:12 2017 us=884968 STREAM: RESET
Tue Oct  3 13:04:12 2017 us=884989 Connection reset, restarting [0]

The part that seems to be the problem is:

Tue Oct  3 13:04:12 2017 us=884944 WARNING: Bad encapsulated packet length from peer (18516), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]

I'm going to investigate that.

Small OT:
Why does nmap still say e.g. port 80 is closed if I opened the port on the router, created a rule in iptables and restarted the service?
It is the same with other ports too.

Raf


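Added example (not part of the original posts): over TCP, OpenVPN prefixes each packet with a 16-bit big-endian length, which is why the log above shows a 42-byte packet and "write returned 44". The sketch below maps the rejected length 18516 back to the two bytes the peer actually sent; the prefix table and function names are assumptions made for this example.

```python
import struct

# First two bytes of protocols that may answer on a TCP port instead of
# OpenVPN (constructed for this example, not exhaustive).
KNOWN_PREFIXES = {
    b"HT": "HTTP response ('HTTP/1.x ...')",
    b"SS": "SSH banner ('SSH-2.0-...')",
    b"\x16\x03": "TLS handshake record",
    b"\x15\x03": "TLS alert record",
    b"<h": "HTML page",
    b"<!": "HTML page",
}

def explain_bad_length(length):
    """Turn the number from the 'Bad encapsulated packet length' warning
    back into the two bytes that were read as a length field."""
    raw = struct.pack(">H", length)
    return raw, KNOWN_PREFIXES.get(raw, "unknown")

def read_frames(stream, maxlen):
    """Split a TCP byte stream into packets: 2-byte big-endian length,
    then that many bytes. Raises ValueError on an out-of-range length,
    mirroring the '> 0 and <= maxlen' rule quoted in the warning."""
    frames, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack_from(">H", stream, off)
        if not 0 < n <= maxlen:
            raw, guess = explain_bad_length(n)
            raise ValueError(f"bad length {n} = bytes {raw!r}: {guess}")
        if off + 2 + n > len(stream):
            break  # partial packet, wait for more data
        frames.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return frames

if __name__ == "__main__":
    print(explain_bad_length(18516))        # value from the log above
    # Constructed reply, standing in for whatever answered on port 80.
    try:
        read_frames(b"HTTP/1.1 400 Bad Request\r\n\r\n", 1627)
    except ValueError as err:
        print(err)
```

18516 is 0x4854, ASCII "HT", which is consistent with the host on port 80 answering with an HTTP response rather than OpenVPN framing.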

#3 2017-10-11 08:15:22

R1220
Member
From: Maidstone
Registered: 2017-07-25
Posts: 6

Re: [SOLVED] PureVPN with OpenVPN timeout

Hi everybody

So, using Lubuntu the connection is established.
What is missing or wrongly configured on my Arch machine?
I'm assuming that both Arch and Lubuntu have the same OpenSSL version (1.1.0).
Is there some conflict between the various net tools? Some package that is needed?

Thank you



#4 2017-10-11 10:32:06

R1220
Member
From: Maidstone
Registered: 2017-07-25
Posts: 6

Re: [SOLVED] PureVPN with OpenVPN timeout

OK, maybe we got it.

Thanks to masque on #archlinux-it we found that using:
tls-cipher "DEFAULT:@SECLEVEL=0"
in the .ovpn file and so "ignoring" the certificate.
We thought that maybe the VPN provider uses an MD5 cert, but actually they use SHA1 and it seems that OpenSSL won't digest it anymore.
I asked for a SHA256 certificate and as soon as I can confirm that I will close the post as solved.



#5 2017-10-12 07:58:49

R1220
Member
From: Maidstone
Registered: 2017-07-25
Posts: 6

Re: [SOLVED] PureVPN with OpenVPN timeout

Problem solved.
OpenSSL 1.1.0 onwards asks for a minimum of SHA2 auth. PureVPN has a SHA1 certificate.
With tls-cipher "DEFAULT:@SECLEVEL=0" in the .ovpn file the problem is deceived but not solved.


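Added example (not from the thread or from OpenVPN): a small profile check for the three things this thread's logs and workaround touch on: a lowered OpenSSL security level in tls-cipher, the "No server certificate verification method has been enabled" warning, and a key file accessible to group or others. The directive list, finding codes and sample profile are assumptions constructed for the example.

```python
import os
import re
import shlex
import stat

# Directives that, to this example's knowledge, make the client check the
# server certificate's role or name (assumed list; check your OpenVPN version).
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                 "ns-cert-type", "tls-verify"}

def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and inline <ca>-style blocks."""
    directives, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                directives.append((parts[0], parts[1:]))
    return directives

def audit_profile(text):
    """Return a sorted list of finding codes for one .ovpn profile."""
    found, names = set(), set()
    for name, args in parse_ovpn(text):
        names.add(name)
        if name == "tls-cipher":
            # OpenSSL's built-in default security level is 1; flag anything lower.
            m = re.search(r"@SECLEVEL=(\d+)", " ".join(args))
            if m and int(m.group(1)) < 1:
                found.add("seclevel-lowered")
    if not names & SERVER_VERIFY:
        found.add("no-server-cert-verification")
    return sorted(found)

def key_file_too_open(path):
    """True if group or others hold any permission bit on the key file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

# Constructed sample profile; the hostname is a placeholder, not the page's.
SAMPLE = """client
proto tcp
remote vpn.example.net 80
tls-cipher "DEFAULT:@SECLEVEL=0"   # workaround from the thread
<ca>
-----BEGIN CERTIFICATE-----
</ca>
"""
```

audit_profile(SAMPLE) reports both findings; replacing the tls-cipher line with a server-verification directive such as remote-cert-tls server clears them, and chmod 600 on the key file clears the permission warning.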
