After updating the client system in early November, a problem appeared: the openvpn client does not connect.
Many other clients on older versions of openssl connect without problems.
OpenVPN server: Debian 8 (Jessie), OpenVPN 2.3.4, OpenSSL 1.0.1t
OpenVPN client: Archlinux latest, OpenVPN 2.5.8, OpenSSL 3.0.7
On the client, I run vpn with the following command:
sudo openvpn --config /etc/openvpn/client/client.conf

client.conf:
client
dev tun
proto udp
remote myvpnhost 1234
resolv-retry infinite
nobind
persist-tun
persist-key
daemon
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key
dh /etc/openvpn/client/dh2048.pem
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
verb 3
remote-cert-tls server

OpenVPN client log:
2022-11-15 18:15:19 WARNING: Ignoring option 'dh' in tls-client mode, please only include this in your server configuration
2022-11-15 18:15:19 OpenVPN 2.5.8 [git:makepkg/0357ceb877687faa+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2022
2022-11-15 18:15:19 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-11-15 18:15:21 TCP/UDP: Preserving recently used remote address: [AF_INET]<serverip>
2022-11-15 18:15:21 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-11-15 18:15:21 UDP link local: (not bound)
2022-11-15 18:15:21 UDP link remote: [AF_INET]<serverip>
2022-11-15 18:15:27 TLS: Initial packet from [AF_INET]<serverip>, sid=11a1a99c 5be30144
2022-11-15 18:15:28 VERIFY OK: depth=1, C=EU, ST=EU, L=none, O=none, OU=none, CN=none CA, name=EasyRSA, emailAddress=nobody@nobody
2022-11-15 18:15:28 VERIFY KU OK
2022-11-15 18:15:28 Validating certificate extended key usage
2022-11-15 18:15:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-11-15 18:15:28 VERIFY EKU OK
2022-11-15 18:15:28 VERIFY OK: depth=0, C=EU, ST=EU, L=none, O=none, OU=none, CN=server-udp-tun, name=EasyRSA, emailAddress=nobody@nobody
2022-11-15 18:15:28 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-11-15 18:15:28 TLS_ERROR: BIO read tls_read_plaintext error
2022-11-15 18:15:28 TLS Error: TLS object -> incoming plaintext read error
2022-11-15 18:15:28 TLS Error: TLS handshake failed
2022-11-15 18:15:28 SIGUSR1[soft,tls-error] received, process restarting
2022-11-15 18:15:28 Restart pause, 5 second(s)

I've already made changes to the config following the advice from this post, but nothing has changed.
Last edited by Energ0block (2022-11-16 11:08:35)
I found the solution here.
You need to add this line to the client config:
tls-cipher "DEFAULT:@SECLEVEL=0"

Not recommended due to security risks, but for my home projects this is a suitable solution to the problem.
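The thread does not say which part of the old server's TLS material the OpenSSL 3 security level objected to, and the log above gives no hint beyond the "internal error" after certificate verification. Before settling on SECLEVEL=0 it is worth finding out, because a CA or server certificate signed with SHA1, or a 1024-bit RSA key or DH group, is fixed by regenerating that material on the server rather than by weakening every client. The checker below is an added example, not code from this thread or from the OpenVPN project. It uses only the Python standard library, handles RSA keys only, takes its thresholds from OpenSSL's SSL_CTX_set_security_level(3) manual (SHA1 and MD5 certificate signatures rejected from level 1 upward in OpenSSL 3; RSA/DH keys under 1024 bits rejected at level 1, under 2048 at level 2, under 3072 at level 3, and so on), and fabricates its own structurally valid but unsigned certificates for offline use, so no real PKI material is embedded.

```python
# Added example: report the highest OpenSSL @SECLEVEL that still accepts a certificate or DH group.
import base64
import re

SIG_DIGEST = {                              # signature OID -> digest (RSA subset)
    "1.2.840.113549.1.1.4": "md5",          # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",         # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",      # sha256WithRSAEncryption
}
# Minimum RSA/DH/DSA key size per level, from SSL_CTX_set_security_level(3)
LEVEL_MIN_BITS = [(1, 1024), (2, 2048), (3, 3072), (4, 7680), (5, 15360)]

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def _int_bits(value):  # DER INTEGER bit length; a leading 0x00 sign octet does not count
    return int.from_bytes(value, "big", signed=True).bit_length()

def _to_der(data):
    """Accept PEM (first block, str or bytes) or raw DER bytes."""
    data = data.encode() if isinstance(data, str) else data
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def inspect_cert(data):
    """Signature digest and RSA key size of a certificate (e.g. ca.crt or the server cert)."""
    _, cert, _ = _tlv(_to_der(data), 0)
    tbs, sig_alg, _sig = _children(cert)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, bit_string = _children(fields[5][1])
    if _oid(_children(alg[1])[0][1]) != "1.2.840.113549.1.1.1":
        raise ValueError("only rsaEncryption keys are handled here")
    _, rsa_key, _ = _tlv(bit_string[1], 1)  # skip the unused-bits octet of the BIT STRING
    return {"sig_digest": SIG_DIGEST.get(_oid(_children(sig_alg[1])[0][1]), "other"),
            "key_type": "RSA", "key_bits": _int_bits(_children(rsa_key)[0][1])}

def inspect_dh(data):
    """Size of the prime p in PKCS#3 DH parameters (SEQUENCE { p, g }), e.g. the server's dh.pem."""
    _, params, _ = _tlv(_to_der(data), 0)
    return {"sig_digest": None, "key_type": "DH", "key_bits": _int_bits(_children(params)[0][1])}

def max_seclevel(info):
    """Highest @SECLEVEL=n that still accepts this object; SHA1/MD5 signatures force level 0."""
    if info["sig_digest"] in ("sha1", "md5"):
        return 0
    level = 0
    for lvl, min_bits in LEVEL_MIN_BITS:
        if info["key_bits"] < min_bits:
            break
        level = lvl
    return level

# Constructed fixture: structurally valid, unsigned certificates (not real PKI material)
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # OID sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("06092a864886f70d010101")     # OID rsaEncryption

def build_fake_cert(sig_oid, modulus, as_pem=False):
    """Certificate with empty issuer/subject, the given RSA modulus and an all-zero signature."""
    alg = der(0x30, sig_oid + b"\x05\x00")
    key = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, der(0x30, RSA_ENC + b"\x05\x00") + der(0x03, b"\x00" + key))
    validity = der(0x30, der(0x17, b"221101000000Z") + der(0x17, b"231101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + der(0x30, b"")
              + validity + der(0x30, b"") + spki)
    out = der(0x30, tbs + alg + der(0x03, b"\x00" * 17))
    pem = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(out).decode()
    return pem if as_pem else out
```

Run inspect_cert over ca.crt and the server certificate (from the server, or the chain OpenVPN logs at verb 4) and inspect_dh over the server's DH parameters; the lowest max_seclevel among them is the highest @SECLEVEL the client can be configured with, and anything that comes out as 0 is the item to regenerate. The level also constrains the protocol version and cipher suites negotiated on the wire, which a file check cannot see, so an on-disk result of 2 does not by itself prove the handshake will succeed.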