
#1 2023-04-18 08:34:38

anon2019
Member
Registered: 2019-09-16
Posts: 8

[SOLVED] OpenVpn Connection reset, restarting [0]

Hello. I have an OpenVpn config which works well on the Android OpenVpn client, but on my Arch machine it keeps resetting the connection.

client.ovpn config:

client
dev tun
proto tcp
remote xxx.xxx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxxx
-----END ENCRYPTED PRIVATE KEY-----
</key>
auth-user-pass username_password.txt
remote-cert-tls server
verb 6
route-delay 5

Log:

11:16:39 ❯ openvpn client.ovpn 
2023-04-18 11:20:19 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-18 11:20:19 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-04-18 11:20:19 OpenVPN 2.6.3 [git:makepkg/94aad8c51043a805+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr 13 2023
2023-04-18 11:20:19 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-18 11:20:19 DCO version: N/A
Enter Private Key Password: ********
2023-04-18 11:20:22 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-04-18 11:20:22 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:22 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-04-18 11:20:22 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:22 TCP connection established with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:22 TCPv4_CLIENT link local: (not bound)
2023-04-18 11:20:22 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:22 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xx:1194, sid=ccb1ea7a f0b83dbe
2023-04-18 11:20:22 VERIFY OK: depth=1, CN=templ-OVPN-CA
2023-04-18 11:20:22 VERIFY KU OK
2023-04-18 11:20:22 Validating certificate extended key usage
2023-04-18 11:20:22 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-18 11:20:22 VERIFY EKU OK
2023-04-18 11:20:22 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:22 Connection reset, restarting [0]
2023-04-18 11:20:22 SIGUSR1[soft,connection-reset] received, process restarting
2023-04-18 11:20:22 Restart pause, 1 second(s)
2023-04-18 11:20:23 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:23 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-04-18 11:20:23 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:23 TCP connection established with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:23 TCPv4_CLIENT link local: (not bound)
2023-04-18 11:20:23 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:23 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xx:1194, sid=ac7d02ea 4a745e77
2023-04-18 11:20:24 VERIFY OK: depth=1, CN=templ-OVPN-CA
2023-04-18 11:20:24 VERIFY KU OK
2023-04-18 11:20:24 Validating certificate extended key usage
2023-04-18 11:20:24 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-18 11:20:24 VERIFY EKU OK
2023-04-18 11:20:24 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:24 Connection reset, restarting [0]
2023-04-18 11:20:24 SIGUSR1[soft,connection-reset] received, process restarting
2023-04-18 11:20:24 Restart pause, 1 second(s)
2023-04-18 11:20:25 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:25 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-04-18 11:20:25 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:25 TCP connection established with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:25 TCPv4_CLIENT link local: (not bound)
2023-04-18 11:20:25 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:25 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xx:1194, sid=57d67b9d 41e76cf9
2023-04-18 11:20:25 VERIFY OK: depth=1, CN=templ-OVPN-CA
2023-04-18 11:20:25 VERIFY KU OK
2023-04-18 11:20:25 Validating certificate extended key usage
2023-04-18 11:20:25 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-18 11:20:25 VERIFY EKU OK
2023-04-18 11:20:25 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:26 Connection reset, restarting [0]
2023-04-18 11:20:26 SIGUSR1[soft,connection-reset] received, process restarting
2023-04-18 11:20:26 Restart pause, 1 second(s)
2023-04-18 11:20:27 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:27 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-04-18 11:20:27 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:27 TCP connection established with [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:27 TCPv4_CLIENT link local: (not bound)
2023-04-18 11:20:27 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xx:1194
2023-04-18 11:20:27 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xx:1194, sid=dc9889e1 564c9e47
2023-04-18 11:20:27 VERIFY OK: depth=1, CN=templ-OVPN-CA
2023-04-18 11:20:27 VERIFY KU OK
2023-04-18 11:20:27 Validating certificate extended key usage
2023-04-18 11:20:27 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-18 11:20:27 VERIFY EKU OK
2023-04-18 11:20:27 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:27 Connection reset, restarting [0]
2023-04-18 11:20:27 SIGUSR1[soft,connection-reset] received, process restarting
2023-04-18 11:20:27 Restart pause, 1 second(s)

Info:

OS: Arch Linux x86_64
Kernel: 6.2.11-arch1-1
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
OpenVPN 2.6.3 [git:makepkg/94aad8c51043a805+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr 13 2023
library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines:

Thanks & regards.

Last edited by anon2019 (2023-04-18 18:02:08)


#2 2023-04-18 10:13:20

-thc
Member
Registered: 2017-03-15
Posts: 670

Re: [SOLVED] OpenVpn Connection reset, restarting [0]

anon2019 wrote:
2023-04-18 11:20:22 Validating certificate extended key usage
2023-04-18 11:20:22 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-18 11:20:22 VERIFY EKU OK
2023-04-18 11:20:22 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:22 Connection reset, restarting [0]
2023-04-18 11:20:22 SIGUSR1[soft,connection-reset] received, process restarting
2023-04-18 11:20:22 Restart pause, 1 second(s)

The reset happens exactly at the TLS control channel negotiations. The most likely explanation is a failure to agree on an acceptable cipher suite - which in turn can happen because OpenSSL and OpenVPN are more recent on Arch than (presumably) on the OpenVPN server and Android.

Does your OpenVPN client on Android allow you to show the connection log? Or do you have access to the OpenVPN server?


#3 2023-04-18 13:35:05

anon2019
Member
Registered: 2019-09-16
Posts: 8

Re: [SOLVED] OpenVpn Connection reset, restarting [0]

I have an Android log, but don't have access to the server.

Android log:

[18, 2023, 00:15:52] ----- OpenVPN Start -----

[18, 2023, 00:15:52] EVENT: CORE_THREAD_ACTIVE

[18, 2023, 00:15:52] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY

[18, 2023, 00:15:52] Frame=512/2048/512 mssfix-ctrl=1250

[18, 2023, 00:15:52] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
13 [verb] [3]
14 [route-delay] [5]

[18, 2023, 00:15:52] EVENT: RESOLVE

[18, 2023, 00:15:52] Contacting xxx.xxx.xxx.xx:1194 via TCPv4

[18, 2023, 00:15:52] EVENT: WAIT

[18, 2023, 00:15:52] Connecting to [xxx.xxx.xxx.xx]:1194 (xxx.xxx.xxx.xx) via TCPv4

[18, 2023, 00:15:52] EVENT: CONNECTING

[18, 2023, 00:15:52] Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[18, 2023, 00:15:52] Creds: Username/Password

[18, 2023, 00:15:52] Peer Info:
IV_VER=3.git::081bfebe:RelWithDebInfo
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.android_3.3.3-9248
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1


[18, 2023, 00:15:52] VERIFY OK: depth=1, /CN=templ-OVPN-CA, signature: RSA-SHA256

[18, 2023, 00:15:52] VERIFY OK: depth=0, /CN=server-key, signature: RSA-SHA256

[18, 2023, 00:15:53] SSL Handshake: peer certificate: CN=server-key, 4096 bit RSA, cipher: DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD


[18, 2023, 00:15:53] Session is ACTIVE

[18, 2023, 00:15:53] Sending PUSH_REQUEST to server...

[18, 2023, 00:15:53] EVENT: GET_CONFIG

[18, 2023, 00:15:54] Sending PUSH_REQUEST to server...

[18, 2023, 00:15:54] OPTIONS:
0 [ping] [20]
1 [ping-restart] [60]
2 [topology] [subnet]
3 [route-gateway] [192.168.20.1]
4 [ifconfig] [192.168.20.250] [255.255.0.0]


[18, 2023, 00:15:54] PROTOCOL OPTIONS:
  cipher: BF-CBC
  digest: SHA1
  key-derivation: OpenVPN PRF
  compress: NONE
  peer ID: -1

[18, 2023, 00:15:54] EVENT: ASSIGN_IP

[18, 2023, 00:15:54] Connected via tun

[18, 2023, 00:15:54] Per-Key Data Limit: 48000000/48000000

[18, 2023, 00:15:54] EVENT: CONNECTED info='user@xxx.xxx.xxx.xx:1194 (xxx.xxx.xxx.xx) via /TCPv4 on tun/192.168.20.250/ gw=[192.168.20.1/]'

[18, 2023, 00:15:54] EVENT: WARN info='Proto: Using a 64-bit block cipher that is vulnerable to the SWEET32 attack. Please inform your admin to upgrade to a stronger algorithm. Support for 64-bit block cipher will be dropped in the future.'

[18, 2023, 00:16:24] EVENT: CANCELLED

[18, 2023, 00:16:24] EVENT: DISCONNECTED

[18, 2023, 00:16:24] Tunnel bytes per CPU second: 0

[18, 2023, 00:16:24] ----- OpenVPN Stop -----

[18, 2023, 00:16:24] EVENT: CORE_THREAD_DONE

[18, 2023, 02:02:08] EVENT: DISCONNECTED info='Service destroyed'

[18, 2023, 10:31:26] OpenVPN core 3.git::081bfebe:RelWithDebInfo android arm64 64-bit PT_PROXY


#4 2023-04-18 13:51:05

-thc
Member
Registered: 2017-03-15
Posts: 670

Re: [SOLVED] OpenVpn Connection reset, restarting [0]

As I suspected: Android uses the insecure cipher "BF-CBC", which modern versions of OpenVPN don't allow anymore - unless explicitly configured.

Please try adding

data-ciphers-fallback BF-CBC

to your OpenVPN config file.

Please also read
https://github.com/OpenVPN/openvpn/blob … hanges.rst
https://community.openvpn.net/openvpn/w … egotiation
why this is not very secure.


#5 2023-04-18 17:41:22

anon2019
Member
Registered: 2019-09-16
Posts: 8

Re: [SOLVED] OpenVpn Connection reset, restarting [0]

OUTDATED:

I downgraded openvpn to 2.4.8v, tried to start the connection without changes in the config, and got another error:

After that I installed openvpn 2.5.0v, and added
but it didn't help me (returned TLS Error too), then I played around with arguments from this link https://github.com/OpenVPN/openvpn/blob … hanges.rst, but the same result with TLS Error. Any ideas?

Last edited by anon2019 (2023-04-18 18:03:14)


#6 2023-04-18 17:59:30

anon2019
Member
Registered: 2019-09-16
Posts: 8

Re: [SOLVED] OpenVpn Connection reset, restarting [0]

Now it works!
Finally:
openvpn 2.4.7v works.
openvpn 2.5.0v works, with arguments:

 sudo openvpn --data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC  --cipher BF-CBC --data-ciphers-fallback BF-CBC --config client.ovpn 

Thank you very much for the help!

Last edited by anon2019 (2023-04-18 18:03:32)
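An added example, not code from this thread or from the OpenVPN project, covering the diagnosis in post #2 and the BF-CBC workaround in posts #4 and #6: it counts "VERIFY OK" lines followed directly by a connection reset in the 2.6 client log, and audits a client config for 64-bit block ciphers (the SWEET32-prone class the Android WARN event refers to). The log excerpt and the two .ovpn fragments are constructed here; the "hardened" fragment assumes the server admin has upgraded, since the Android log shows the server picked BF-CBC even though IV_CIPHERS offered AES-GCM.

```python
import re

# 64-bit block ciphers: all are SWEET32-prone, as the Android WARN event says of BF-CBC.
SIXTY_FOUR_BIT_BLOCK = {"BF-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

# Constructed excerpt of the OpenVPN 2.6 client log from post #1.
CLIENT_LOG = """\
2023-04-18 11:20:22 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:22 Connection reset, restarting [0]
2023-04-18 11:20:24 VERIFY OK: depth=0, CN=server-key
2023-04-18 11:20:24 Connection reset, restarting [0]
"""

# Constructed .ovpn fragment equivalent to the command-line workaround in post #6.
WORKAROUND_CONFIG = """\
client
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
cipher BF-CBC
data-ciphers-fallback BF-CBC
"""

# Constructed fragment for after the server is upgraded (hypothetical): AEAD ciphers only.
HARDENED_CONFIG = """\
client
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
"""

def reset_loop_after_verify(log):
    """Count resets that follow the server certificate check directly.

    Certificate verification succeeds, then the link is reset before any
    data-channel traffic: the negotiation-failure signature from post #2."""
    lines = [l for l in log.splitlines() if l.strip()]
    return sum(1 for prev, cur in zip(lines, lines[1:])
               if "VERIFY OK: depth=0" in prev
               and "Connection reset, restarting" in cur)

def weak_ciphers(config_text):
    """Map each cipher option in a client config to the 64-bit block ciphers
    it enables; an empty dict means no SWEET32-prone cipher is configured."""
    findings = {}
    pattern = r"^(cipher|data-ciphers|data-ciphers-fallback)\s+(\S+)"
    for opt, value in re.findall(pattern, config_text, re.M):
        weak = [c for c in value.split(":") if c.upper() in SIXTY_FOUR_BIT_BLOCK]
        if weak:
            findings[opt] = weak
    return findings

if __name__ == "__main__":
    print("reset-after-verify events:", reset_loop_after_verify(CLIENT_LOG))
    print("workaround config:", weak_ciphers(WORKAROUND_CONFIG))
    print("hardened config:", weak_ciphers(HARDENED_CONFIG))
```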

