OpenVPN 2.4 client connection problems

mlamat
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 18, 2017 7:12 am

OpenVPN 2.4 client connection problems

Post by mlamat » Tue Jul 18, 2017 7:21 am

I installed an OpenVPN + stunnel server on my Raspberry PI following this tutorial: https://www.youtube.com/watch?v=nnQDiGBFIXk

I have the problem that with the Windows client 2.3.X it all works fine, but with the client 2.4.X the connection always fails on the first try. Only when a 2 minute timeout is reached and it automatically attempts a reconnect, the connection is established successfully.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN 2.4 client connection problems

Post by TinCanTech » Tue Jul 18, 2017 10:34 am


mlamat
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 18, 2017 7:12 am

Re: OpenVPN 2.4 client connection problems

Post by mlamat » Tue Jul 18, 2017 7:35 pm

Here is my configuration:

Server system:

# uname -a

Linux raspberrypi 4.9.35-v7+ #1014 SMP Fri Jun 30 14:47:43 BST 2017 armv7l GNU/Linux

# ifconfig

eth0      Link encap:Ethernet  HWaddr b8:27:eb:72:0e:2c
          inet addr:192.168.2.3  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::4c91:2a68:c850:7ffa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19532135 errors:0 dropped:152 overruns:0 frame:0
          TX packets:15760772 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1706217330 (1.5 GiB)  TX bytes:2126397334 (1.9 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10455267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10455267 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:10536587152 (9.8 GiB)  TX bytes:10536587152 (9.8 GiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          inet6 addr: fe80::664a:a4b6:78d:6fdb/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5818894 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8759999 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:597976966 (570.2 MiB)  TX bytes:8817799882 (8.2 GiB)

wlan0     Link encap:Ethernet  HWaddr b8:27:eb:27:5b:79
          inet6 addr: fe80::9f27:d1e0:ecd2:146b/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

server.conf

port 1194
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/MY_DOMAIN_NAME.crt
key /etc/openvpn/easy-rsa/keys/MY_DOMAIN_NAME.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn.log
verb 4

openvpn.log

OpenVPN CLIENT LIST
Updated,Tue Jul 18 20:56:22 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
home-client,127.0.0.1:51694,18914,31348,Tue Jul 18 20:53:24 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,home-client,127.0.0.1:51694,Tue Jul 18 20:56:11 2017
GLOBAL STATS
Max bcast/mcast queue length,1
END

stunnel.conf

[openvpn]
client = yes
accept = 1337
connect = MY_DOMAIN_NAME:443
cert = stunnel.pem

stunnel client log:

2017.07.18 07:44:06 LOG5[main]: stunnel 5.42 on x86-pc-msvc-1500 platform
2017.07.18 07:44:06 LOG5[main]: Compiled/running with OpenSSL 1.0.2l-fips  25 May 2017
2017.07.18 07:44:06 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2017.07.18 07:44:06 LOG5[main]: Reading configuration from file stunnel.conf
2017.07.18 07:44:06 LOG5[main]: UTF-8 byte order mark detected
2017.07.18 07:44:06 LOG5[main]: FIPS mode disabled
2017.07.18 07:44:06 LOG4[main]: Service [openvpn] needs authentication to prevent MITM attacks
2017.07.18 07:44:06 LOG5[main]: Configuration successful
2017.07.18 07:46:32 LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:50146
2017.07.18 07:46:32 LOG5[0]: s_connect: connected MY_PUBLIC_IP:443
2017.07.18 07:46:32 LOG5[0]: Service [openvpn] connected remote server from 10.0.0.59:50147
2017.07.18 20:32:29 LOG3[0]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2017.07.18 20:32:29 LOG5[0]: Connection reset: 85348024 byte(s) sent to TLS, 784020195 byte(s) sent to socket
2017.07.18 20:45:57 LOG5[1]: Service [openvpn] accepted connection from 127.0.0.1:59194
2017.07.18 20:45:57 LOG5[1]: s_connect: connected MY_PUBLIC_IP:443
2017.07.18 20:45:57 LOG5[1]: Service [openvpn] connected remote server from 10.0.0.59:59195
2017.07.18 20:50:59 LOG5[1]: Connection closed: 107988 byte(s) sent to TLS, 123669 byte(s) sent to socket
2017.07.18 20:51:04 LOG5[2]: Service [openvpn] accepted connection from 127.0.0.1:59226
2017.07.18 20:51:13 LOG3[2]: s_connect: connect MY_PUBLIC_IP:443: Connection refused (WSAECONNREFUSED) (10061)
2017.07.18 20:51:13 LOG3[2]: No more addresses to connect
2017.07.18 20:51:13 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.07.18 20:53:23 LOG5[3]: Service [openvpn] accepted connection from 127.0.0.1:59239
2017.07.18 20:53:23 LOG5[3]: s_connect: connected MY_PUBLIC_IP:443
2017.07.18 20:53:23 LOG5[3]: Service [openvpn] connected remote server from 10.0.0.59:59240

Client OS:

Microsoft Windows [Version 10.0.15063]

Network setup:

Windows IP Configuration


Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Local network connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::95b3:cbd2:f3dc:3ab8%16
   IPv4 Address. . . . . . . . . . . : 10.8.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::dcbd:e797:856a:24b6%21
   IPv4 Address. . . . . . . . . . . : 10.0.0.59
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.138

client.ovpn

client
dev tun
proto tcp
remote localhost 1337
route MY_PUBLIC_IP 255.255.255.255 net_gateway
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-nocache
remote-cert-tls server
comp-lzo
verb 4

OpenVPN client log:

Tue Jul 18 20:43:51 2017   pkcs11_protected_authentication = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_private_mode = 00000000
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_cert_private = DISABLED
Tue Jul 18 20:43:51 2017   pkcs11_pin_cache_period = -1
Tue Jul 18 20:43:51 2017   pkcs11_id = '[UNDEF]'
Tue Jul 18 20:43:51 2017   pkcs11_id_management = DISABLED
Tue Jul 18 20:43:51 2017   server_network = 0.0.0.0
Tue Jul 18 20:43:51 2017   server_netmask = 0.0.0.0
Tue Jul 18 20:43:51 2017   server_network_ipv6 = ::
Tue Jul 18 20:43:51 2017   server_netbits_ipv6 = 0
Tue Jul 18 20:43:51 2017   server_bridge_ip = 0.0.0.0
Tue Jul 18 20:43:51 2017   server_bridge_netmask = 0.0.0.0
Tue Jul 18 20:43:51 2017   server_bridge_pool_start = 0.0.0.0
Tue Jul 18 20:43:51 2017   server_bridge_pool_end = 0.0.0.0
Tue Jul 18 20:43:51 2017   ifconfig_pool_defined = DISABLED
Tue Jul 18 20:43:51 2017   ifconfig_pool_start = 0.0.0.0
Tue Jul 18 20:43:51 2017   ifconfig_pool_end = 0.0.0.0
Tue Jul 18 20:43:51 2017   ifconfig_pool_netmask = 0.0.0.0
Tue Jul 18 20:43:51 2017   ifconfig_pool_persist_filename = '[UNDEF]'
Tue Jul 18 20:43:51 2017   ifconfig_pool_persist_refresh_freq = 600
Tue Jul 18 20:43:51 2017   ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 18 20:43:51 2017   ifconfig_ipv6_pool_base = ::
Tue Jul 18 20:43:51 2017   ifconfig_ipv6_pool_netbits = 0
Tue Jul 18 20:43:51 2017   n_bcast_buf = 256
Tue Jul 18 20:43:51 2017   tcp_queue_limit = 64
Tue Jul 18 20:43:51 2017   real_hash_size = 256
Tue Jul 18 20:43:51 2017   virtual_hash_size = 256
Tue Jul 18 20:43:51 2017   client_connect_script = '[UNDEF]'
Tue Jul 18 20:43:51 2017   learn_address_script = '[UNDEF]'
Tue Jul 18 20:43:51 2017   client_disconnect_script = '[UNDEF]'
Tue Jul 18 20:43:51 2017   client_config_dir = '[UNDEF]'
Tue Jul 18 20:43:51 2017   ccd_exclusive = DISABLED
Tue Jul 18 20:43:51 2017   tmp_dir = 'C:\Users\MY_USERNAME~1\AppData\Local\Temp\'
Tue Jul 18 20:43:51 2017   push_ifconfig_defined = DISABLED
Tue Jul 18 20:43:51 2017   push_ifconfig_local = 0.0.0.0
Tue Jul 18 20:43:51 2017   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 18 20:43:51 2017   push_ifconfig_ipv6_defined = DISABLED
Tue Jul 18 20:43:51 2017   push_ifconfig_ipv6_local = ::/0
Tue Jul 18 20:43:51 2017   push_ifconfig_ipv6_remote = ::
Tue Jul 18 20:43:51 2017   enable_c2c = DISABLED
Tue Jul 18 20:43:51 2017   duplicate_cn = DISABLED
Tue Jul 18 20:43:51 2017   cf_max = 0
Tue Jul 18 20:43:51 2017   cf_per = 0
Tue Jul 18 20:43:51 2017   max_clients = 1024
Tue Jul 18 20:43:51 2017   max_routes_per_client = 256
Tue Jul 18 20:43:51 2017   auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 18 20:43:51 2017   auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 18 20:43:51 2017   auth_token_generate = DISABLED
Tue Jul 18 20:43:51 2017   auth_token_lifetime = 0
Tue Jul 18 20:43:51 2017   client = ENABLED
Tue Jul 18 20:43:51 2017   pull = ENABLED
Tue Jul 18 20:43:51 2017   auth_user_pass_file = '[UNDEF]'
Tue Jul 18 20:43:51 2017   show_net_up = DISABLED
Tue Jul 18 20:43:51 2017   route_method = 0
Tue Jul 18 20:43:51 2017   block_outside_dns = DISABLED
Tue Jul 18 20:43:51 2017   ip_win32_defined = DISABLED
Tue Jul 18 20:43:51 2017   ip_win32_type = 3
Tue Jul 18 20:43:51 2017   dhcp_masq_offset = 0
Tue Jul 18 20:43:51 2017   dhcp_lease_time = 31536000
Tue Jul 18 20:43:51 2017   tap_sleep = 0
Tue Jul 18 20:43:51 2017   dhcp_options = DISABLED
Tue Jul 18 20:43:51 2017   dhcp_renew = DISABLED
Tue Jul 18 20:43:51 2017   dhcp_pre_release = DISABLED
Tue Jul 18 20:43:51 2017   domain = '[UNDEF]'
Tue Jul 18 20:43:51 2017   netbios_scope = '[UNDEF]'
Tue Jul 18 20:43:51 2017   netbios_node_type = 0
Tue Jul 18 20:43:51 2017   disable_nbt = DISABLED
Tue Jul 18 20:43:51 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Tue Jul 18 20:43:51 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jul 18 20:43:51 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Tue Jul 18 20:43:51 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jul 18 20:43:51 2017 Need hold release from management interface, waiting...
Tue Jul 18 20:43:51 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jul 18 20:43:51 2017 MANAGEMENT: CMD 'state on'
Tue Jul 18 20:43:51 2017 MANAGEMENT: CMD 'log all on'
Tue Jul 18 20:43:51 2017 MANAGEMENT: CMD 'echo all on'
Tue Jul 18 20:43:51 2017 MANAGEMENT: CMD 'hold off'
Tue Jul 18 20:43:51 2017 MANAGEMENT: CMD 'hold release'
Tue Jul 18 20:43:52 2017 LZO compression initializing
Tue Jul 18 20:43:52 2017 Control Channel MTU parms [ L:1656 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue Jul 18 20:43:52 2017 MANAGEMENT: >STATE:1500403432,RESOLVE,,,,,,
Tue Jul 18 20:43:52 2017 Data Channel MTU parms [ L:1656 D:1450 EF:124 EB:412 ET:32 EL:3 ]
Tue Jul 18 20:43:52 2017 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 18 20:43:52 2017 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 18 20:43:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1337
Tue Jul 18 20:43:52 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 20:43:52 2017 Attempting to establish TCP connection with [AF_INET6]::1:1337 [nonblock]
Tue Jul 18 20:43:52 2017 MANAGEMENT: >STATE:1500403432,TCP_CONNECT,,,,,,
Tue Jul 18 20:45:52 2017 TCP: connect to [AF_INET6]::1:1337 failed: Connection timed out (WSAETIMEDOUT)
Tue Jul 18 20:45:52 2017 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Tue Jul 18 20:45:52 2017 MANAGEMENT: >STATE:1500403552,RECONNECTING,init_instance,,,,,
Tue Jul 18 20:45:52 2017 Restart pause, 5 second(s)
Tue Jul 18 20:45:57 2017 Re-using SSL/TLS context
Tue Jul 18 20:45:57 2017 LZO compression initializing
Tue Jul 18 20:45:57 2017 Control Channel MTU parms [ L:1656 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue Jul 18 20:45:57 2017 Data Channel MTU parms [ L:1656 D:1450 EF:124 EB:412 ET:32 EL:3 ]
Tue Jul 18 20:45:57 2017 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Jul 18 20:45:57 2017 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Jul 18 20:45:57 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1337
Tue Jul 18 20:45:57 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 20:45:57 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1337 [nonblock]
Tue Jul 18 20:45:57 2017 MANAGEMENT: >STATE:1500403557,TCP_CONNECT,,,,,,
Tue Jul 18 20:45:57 2017 TCP connection established with [AF_INET]127.0.0.1:1337
Tue Jul 18 20:45:57 2017 TCP_CLIENT link local: (not bound)
Tue Jul 18 20:45:57 2017 TCP_CLIENT link remote: [AF_INET]127.0.0.1:1337
Tue Jul 18 20:45:57 2017 MANAGEMENT: >STATE:1500403557,WAIT,,,,,,
Tue Jul 18 20:45:57 2017 MANAGEMENT: >STATE:1500403557,AUTH,,,,,,
Tue Jul 18 20:45:57 2017 TLS: Initial packet from [AF_INET]127.0.0.1:1337, sid=e7ffddf2 4b3ef37a
Tue Jul 18 20:45:57 2017 VERIFY OK: depth=1, C=*, L=*, CN=*, emailAddress=*
Tue Jul 18 20:45:57 2017 VERIFY KU OK
Tue Jul 18 20:45:57 2017 Validating certificate extended key usage
Tue Jul 18 20:45:57 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 18 20:45:57 2017 VERIFY EKU OK
Tue Jul 18 20:45:57 2017 VERIFY OK: depth=0, C=*, L=*, CN=*, emailAddress=*
Tue Jul 18 20:45:58 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jul 18 20:45:58 2017 [MY_DOMAIN_NAME] Peer Connection Initiated with [AF_INET]127.0.0.1:1337
Tue Jul 18 20:45:59 2017 MANAGEMENT: >STATE:1500403559,GET_CONFIG,,,,,,
Tue Jul 18 20:45:59 2017 SENT CONTROL [MY_DOMAIN_NAME]: 'PUSH_REQUEST' (status=1)
Tue Jul 18 20:45:59 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.8.0.6 10.8.0.5'
Tue Jul 18 20:45:59 2017 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 18 20:45:59 2017 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 18 20:45:59 2017 OPTIONS IMPORT: route options modified
Tue Jul 18 20:45:59 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 18 20:45:59 2017 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:412 ET:32 EL:3 ]
Tue Jul 18 20:45:59 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 18 20:45:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Jul 18 20:45:59 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 18 20:45:59 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 18 20:45:59 2017 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Tue Jul 18 20:45:59 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 18 20:45:59 2017 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Tue Jul 18 20:45:59 2017 interactive service msg_channel=0
Tue Jul 18 20:45:59 2017 ROUTE_GATEWAY 10.0.0.138/255.255.255.0 I=21 HWADDR=74:e5:0b:4f:12:56
Tue Jul 18 20:45:59 2017 open_tun
Tue Jul 18 20:45:59 2017 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{BF6EC74E-E387-41D4-97AF-7AAC090606D7}.tap
Tue Jul 18 20:45:59 2017 TAP-Windows Driver Version 9.21 
Tue Jul 18 20:45:59 2017 TAP-Windows MTU=1500
Tue Jul 18 20:45:59 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {BF6EC74E-E387-41D4-97AF-7AAC090606D7} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Jul 18 20:45:59 2017 DHCP option string: 06080808 08080808 0404
Tue Jul 18 20:45:59 2017 Successful ARP Flush on interface [16] {BF6EC74E-E387-41D4-97AF-7AAC090606D7}
Tue Jul 18 20:45:59 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 18 20:45:59 2017 MANAGEMENT: >STATE:1500403559,ASSIGN_IP,,10.8.0.6,,,,
Tue Jul 18 20:46:04 2017 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Tue Jul 18 20:46:04 2017 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 10.0.0.138
Tue Jul 18 20:46:04 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=50 and dwForwardType=4
Tue Jul 18 20:46:04 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 20:46:04 2017 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 20:46:04 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 18 20:46:04 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 20:46:04 2017 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Jul 18 20:46:04 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 18 20:46:04 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 20:46:04 2017 MANAGEMENT: >STATE:1500403564,ADD_ROUTES,,,,,,
Tue Jul 18 20:46:04 2017 C:\WINDOWS\system32\route.exe ADD MY_PUBLIC_IP MASK 255.255.255.255 10.0.0.138
Tue Jul 18 20:46:04 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=50 and dwForwardType=4
Tue Jul 18 20:46:04 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 20:46:04 2017 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Jul 18 20:46:04 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=35 and dwForwardType=4
Tue Jul 18 20:46:04 2017 Route addition via IPAPI succeeded [adaptive]
Tue Jul 18 20:46:04 2017 Initialization Sequence Completed
Tue Jul 18 20:46:04 2017 MANAGEMENT: >STATE:1500403564,CONNECTED,SUCCESS,10.8.0.6,127.0.0.1,1337,127.0.0.1,59194

This is the error. A two minute timeout must pass before a connection is successful.

Tue Jul 18 20:43:52 2017 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1337
Tue Jul 18 20:43:52 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jul 18 20:43:52 2017 Attempting to establish TCP connection with [AF_INET6]::1:1337 [nonblock]
Tue Jul 18 20:43:52 2017 MANAGEMENT: >STATE:1500403432,TCP_CONNECT,,,,,,
Tue Jul 18 20:45:52 2017 TCP: connect to [AF_INET6]::1:1337 failed: Connection timed out (WSAETIMEDOUT)
Tue Jul 18 20:45:52 2017 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Tue Jul 18 20:45:52 2017 MANAGEMENT: >STATE:1500403552,RECONNECTING,init_instance,,,,,
Tue Jul 18 20:45:52 2017 Restart pause, 5 second(s)
Tue Jul 18 20:45:57 2017 Re-using SSL/TLS context
Tue Jul 18 20:45:57 2017 LZO compression initializing
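
The first-attempt timeout shown in the log above can be pulled out of an OpenVPN client log mechanically. This is an added example, not part of the original post: it pairs each "Attempting to establish TCP connection" line with its outcome and reports the time lost when a loopback attempt in one address family fails before the other family succeeds. The function names are hypothetical and the sample lines are constructed in the shape of the log above.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample, in the shape of the client log lines quoted in the post.
SAMPLE_LOG = """\
Tue Jul 18 20:43:52 2017 Attempting to establish TCP connection with [AF_INET6]::1:1337 [nonblock]
Tue Jul 18 20:43:52 2017 MANAGEMENT: >STATE:1500403432,TCP_CONNECT,,,,,,
Tue Jul 18 20:45:52 2017 TCP: connect to [AF_INET6]::1:1337 failed: Connection timed out (WSAETIMEDOUT)
Tue Jul 18 20:45:52 2017 Restart pause, 5 second(s)
Tue Jul 18 20:45:57 2017 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1337 [nonblock]
Tue Jul 18 20:45:57 2017 TCP connection established with [AF_INET]127.0.0.1:1337
"""

TS = r"(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"
ADDR = r"\[(?P<family>AF_INET6?)\](?P<addr>\S+)"
ATTEMPT = re.compile(TS + " Attempting to establish TCP connection with " + ADDR)
FAILED = re.compile(TS + " TCP: connect to " + ADDR + r" failed: (?P<reason>.+)$")
ESTABLISHED = re.compile(TS + " TCP connection established with " + ADDR)


def _when(match):
    # OpenVPN's default log timestamp, e.g. "Tue Jul 18 20:43:52 2017".
    return datetime.strptime(match["ts"], "%a %b %d %H:%M:%S %Y")


def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than a literal address
        return False


def connection_attempts(log_text):
    """Return one dict per TCP connect attempt with its outcome and duration."""
    attempts, pending = [], None
    for line in log_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            host, port = m["addr"].rsplit(":", 1)  # split on the last colon so "::1" survives
            pending = {"family": m["family"], "host": host, "port": int(port),
                       "addr": m["addr"], "start": _when(m)}
            continue
        m = FAILED.search(line) or ESTABLISHED.search(line)
        if m and pending and m["addr"] == pending["addr"]:
            reason = m.groupdict().get("reason")  # only present on a failure line
            attempts.append({
                "family": pending["family"], "host": pending["host"],
                "port": pending["port"],
                "outcome": "failed" if reason else "established",
                "reason": reason,
                "seconds": (_when(m) - pending["start"]).total_seconds(),
            })
            pending = None
    return attempts


def loopback_fallback_delay(attempts):
    """Seconds spent on a failed loopback attempt that was followed by a
    successful loopback attempt in the other address family, else None."""
    for first, second in zip(attempts, attempts[1:]):
        if (first["outcome"] == "failed" and second["outcome"] == "established"
                and first["family"] != second["family"]
                and first["port"] == second["port"]
                and _is_loopback(first["host"]) and _is_loopback(second["host"])):
            return first["seconds"]
    return None


if __name__ == "__main__":
    for attempt in connection_attempts(SAMPLE_LOG):
        print(attempt)
    print("fallback delay:", loopback_fallback_delay(connection_attempts(SAMPLE_LOG)))
```

Run against the sample lines, it reports 120 seconds spent on [AF_INET6]::1:1337 before [AF_INET]127.0.0.1:1337 connects.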

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN 2.4 client connection problems

Post by TinCanTech » Tue Jul 18, 2017 10:24 pm

Does it work without stunnel?

mlamat
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 18, 2017 7:12 am

Re: OpenVPN 2.4 client connection problems

Post by mlamat » Wed Jul 19, 2017 2:33 am

Yes, it does. How should I configure Stunnel?

BTW. Stunnel doesn't work for me. The organization I work for blocks all encrypted traffic, but seems to allow certain SSL connections (E-banking, Gmail...). The stunnel connection is always blocked. Any tips?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN 2.4 client connection problems

Post by TinCanTech » Wed Jul 19, 2017 11:10 am

mlamat wrote: The organization I work for blocks all encrypted traffic <snip> Any tips?
Is it worth risking your job for?

mlamat
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 18, 2017 7:12 am

Re: OpenVPN 2.4 client connection problems

Post by mlamat » Wed Jul 19, 2017 11:30 am

I travel a lot so it would be nice to have the stunnel connection for other reasons.