New version 3.0.0-870 not working

Official client software for OpenVPN Access Server and OpenVPN Cloud.
vpnhuman
OpenVpn Newbie
Posts: 10
Joined: Sat Jun 24, 2017 8:04 pm

New version 3.0.0-870 not working

Post by vpnhuman » Thu Feb 15, 2018 3:04 am

Hi,

On both my Nexus 5 phone and Nexus 9 tablet, went from 1.1.27 to 3.0.0-870, and in trying to connect to two different servers, the new app doesn't work. Ended up going back to 1.1.27, and everything works. The client confs and server confs, which did not change, are listed below

client
[oconf=]
remote xxx.xxx.xxx.xxx
client

remote-cert-tls server

tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

comp-lzo

dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float

cipher AES-256-GCM
auth SHA512

<tls-crypt> :-) </tls-crypt>

<ca> :-) </ca>

<cert> :-) </cert>

<key> :-) </key>
[/oconf]

server
[oconf=]
port x
proto udp4
dev tun0

server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
client-to-client

push "dhcp-option DNS zzz.zzz.zzz.zzz"
push "redirect-gateway"

keepalive 10 60

compress lz4-v2
push "compress lz4-v2"

user nobody
group nobody
persist-key
persist-tun
auth SHA512

push "route-ipv6 ::/128 ::1" #my hack way of blocking ipv6

cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ecdh-curve secp521r1
ncp-disable
prng sha512 64

<tls-crypt> :-) </tls-crypt>

<cert> :-) </cert>

<key> :-) </key>

<dh> :-) </dh>

[/oconf]

The errors on the server logs are:
Feb 14 18:34:58 debian openvpn[1825]: OpenVPN 2.4.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 28 2017
Feb 14 18:34:58 debian openvpn[1825]: library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Feb 14 18:34:58 debian openvpn[1826]: TUN/TAP device tun0 opened
Feb 14 18:34:58 debian openvpn[1826]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 14 18:34:58 debian openvpn[1826]: /sbin/ifconfig tun0 xxx.xxx.xxx.xxx pointopoint xxx.xxx.xxx.xxx mtu 1500
Feb 14 18:34:58 debian openvpn[1826]: UDPv4 link local (bound): [AF_INET][undef]:xxx
Feb 14 18:34:58 debian openvpn[1826]: UDPv4 link remote: [AF_UNSPEC]
Feb 14 18:34:58 debian openvpn[1826]: GID set to nobody
Feb 14 18:34:58 debian openvpn[1826]: UID set to nobody
Feb 14 18:34:58 debian openvpn[1826]: Initialization Sequence Completed
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS_ERROR: BIO read tls_read_plaintext error
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS object -> incoming plaintext read error
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS handshake failed
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS_ERROR: BIO read tls_read_plaintext error
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS object -> incoming plaintext read error
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS handshake failed

No settings changed, no tls settings or crypto keys changed, and none of the in-app settings changed - the only thing that changed is the app.
Did the app override some of the profile settings?

viviopri
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 15, 2018 10:39 am

Re: New version 3.0.0-870 not working

Post by viviopri » Thu Feb 15, 2018 10:40 am

all right, confirm. after the update does not connect.
Thu Feb 15 13:16:41 2018 TLS Error: Auth Username/Password was not provided by peer
Thu Feb 15 13:16:41 2018 TLS Error: TLS handshake failed

viviopri
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 15, 2018 10:39 am

Re: New version 3.0.0-870 not working

Post by viviopri » Thu Feb 15, 2018 11:53 am

it helped me to re-import the profile.

vpnhuman
OpenVpn Newbie
Posts: 10
Joined: Sat Jun 24, 2017 8:04 pm

Re: New version 3.0.0-870 not working

Post by vpnhuman » Thu Feb 15, 2018 12:57 pm

Tried reimporting both profiles to both servers - same errors/results, still no connection established.
:(

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: New version 3.0.0-870 not working

Post by TinCanTech » Thu Feb 15, 2018 1:07 pm

vpnhuman wrote: ↑
Thu Feb 15, 2018 3:04 am
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Remove this because it causes this ..
vpnhuman wrote: ↑
Thu Feb 15, 2018 3:04 am
OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

vpnhuman
OpenVpn Newbie
Posts: 10
Joined: Sat Jun 24, 2017 8:04 pm

Re: New version 3.0.0-870 not working

Post by vpnhuman » Thu Feb 15, 2018 2:55 pm

I took the tls-cipher line out (also tried ecdhe like the server instead of dhe) reimported the profile, still same result

Feb 15 06:49:05 debian daemon.err openvpn[1866]: 192.168.1.51 OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)

Still not connecting

erik-hh
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 15, 2018 5:42 pm

Re: New version 3.0.0-870 not working

Post by erik-hh » Thu Feb 15, 2018 5:53 pm

I have same error (server 2.4.4 running on a router with lede firmware):

Thu Feb 15 18:09:54 2018 daemon.err openvpn( :P ) TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Thu Feb 15 18:09:54 2018 daemon.err openvpn( :P ) OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)

I have on server (as recommended):
tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'

and tried adding on android client:
tls_cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"

but no luck :cry:

With 1.1.27 working well again (I just switched off automatic update :idea: )

gersonsm
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 15, 2018 7:24 pm

Re: New version 3.0.0-870 not working

Post by gersonsm » Thu Feb 15, 2018 7:26 pm

We had the same problem. On the server we had
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA

change to
tls-cipher DHE-RSA-AES128-SHA

and solve the problem.

erik-hh
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 15, 2018 5:42 pm

Re: New version 3.0.0-870 not working

Post by erik-hh » Thu Feb 15, 2018 9:23 pm

change to
tls-cipher DHE-RSA-AES128-SHA

and solve the problem.
How will I get a list of supported ciphers? openvpn --show-tls doesn't show this entry

erik-hh
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 15, 2018 5:42 pm

Re: New version 3.0.0-870 not working

Post by erik-hh » Thu Feb 15, 2018 10:46 pm

I added to server tls-cipher:

TLS-DHE-RSA-WITH-AES-256-CBC-SHA
and it works, and

TLS-DHE-RSA-WITH-AES-128-CBC-SHA
works, too.

Seems that the new version supports fewer tls-ciphers than 1.1.27, e.g. recommended 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' is not supported. A list would be useful ;)

:idea: Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
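
Added example, not part of any post in this thread and not OpenVPN project code: a static check that reads the `tls-cipher` (or LEDE-style `tls_cipher`) directive from a server and a client config, maps deprecated OpenSSL names to the IANA-style names OpenVPN asks for, and reports whether the two lists intersect. The name table is a deliberately small subset covering suites named in this thread, and `compare` and `kex_stripped` are hypothetical helper names.

```python
import re

# OpenSSL name -> IANA-style name as OpenVPN writes it. Subset only: the
# suites named in this thread, not a complete registry.
OPENSSL_TO_IANA = {
    "AES128-SHA": "TLS-RSA-WITH-AES-128-CBC-SHA",
    "DHE-RSA-AES128-SHA": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
    "DHE-RSA-AES256-SHA": "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
    "DHE-RSA-AES256-GCM-SHA384": "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
}

def parse_tls_cipher(config_text):
    """Return the normalized tls-cipher list, or None when the directive is absent."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"tls[-_]cipher\s+(.+)$", line)  # '-' in .ovpn, '_' in uci
        if m:
            names = m.group(1).strip().strip("'\"").split(":")
            return [OPENSSL_TO_IANA.get(n.strip(), n.strip())
                    for n in names if n.strip()]
    return None

def kex_stripped(name):
    """Suite name without its DHE/ECDHE token, to spot key-exchange near misses."""
    return re.sub(r"^TLS-(ECDHE|DHE)-", "TLS-", name)

def compare(server_cfg, client_cfg):
    server, client = parse_tls_cipher(server_cfg), parse_tls_cipher(client_cfg)
    if server is None or client is None:
        # One side leaves the choice to its TLS library; nothing to intersect.
        return {"status": "unrestricted-side", "shared": [], "near_miss": []}
    shared = [s for s in server if s in client]
    near = [(s, c) for s in server for c in client
            if s != c and kex_stripped(s) == kex_stripped(c)]
    return {"status": "ok" if shared else "no-shared-cipher",
            "shared": shared, "near_miss": [] if shared else near}

# Constructed inputs: the tls-cipher lines from the first post in this thread.
SERVER = "proto udp4\ntls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384\n"
CLIENT = "proto tcp\ntls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384\n"

if __name__ == "__main__":
    print(compare(SERVER, CLIENT))
```

An `ok` result only means the two configs agree on paper; as the posts above show, a client build can still fail to negotiate a suite that both sides list, so the server log remains the authority.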

kmartburrito
OpenVpn Newbie
Posts: 2
Joined: Thu Feb 15, 2018 10:49 pm

Re: New version 3.0.0-870 not working

Post by kmartburrito » Thu Feb 15, 2018 10:54 pm

I am having issues with the new 3.0 version as well. I found and fixed my issue, and wanted to put it out here in case anyone else saw it while researching. My setup was working fine on the 1.2x client, and in my case it was because I did not have an MTU defined and upon moving to the new 3.0 client, all of a sudden my client would connect and immediately disconnect, and repeat that cycle indefinitely.

My server logs were showing this message when the disconnect was happening -

WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers

I started pinging my server until I found the right MTU value, by following this guide - https://www.sonassi.com/help/troublesho ... or-openvpn

I started at 1500 per the instructions, and found my reply at 1470. I added to my openvpn config "mssfix 1430" as the MSS value is 40 less than your MTU value.

After adding this, and reimporting my profile in the new client, it's now working as expected. Not sure if the lack of an MTU setting might trip up someone else, but wanted to add it since this is the only 3.0 thread where people are talking about issues.

vpnhuman
OpenVpn Newbie
Posts: 10
Joined: Sat Jun 24, 2017 8:04 pm

Re: New version 3.0.0-870 not working

Post by vpnhuman » Fri Feb 16, 2018 5:21 am

I tried my server and router with "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" and the android client connects with 3.0.0-870.

Ordex or TinCanTech and other devs: you guys do great work with OpenVPN and the redesign looks cool - please allow the app to work with TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and all the EC, SHA2, and AEAD/GCM crypto.

<paranoid rant> Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. </rant>

Thank you all.

pjc123
OpenVpn Newbie
Posts: 8
Joined: Fri Feb 16, 2018 2:13 pm

Re: New version 3.0.0-870 not working

Post by pjc123 » Fri Feb 16, 2018 4:44 pm

Oh that's not a good sign. The view count just hit "666".

yuriy
OpenVpn Newbie
Posts: 5
Joined: Sat Feb 17, 2018 2:32 am

Re: New version 3.0.0-870 not working

Post by yuriy » Sat Feb 17, 2018 2:34 am

vpnhuman wrote: ↑
Fri Feb 16, 2018 5:21 am
I tried my server and router with "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" and the android client connects with 3.0.0-870.

Ordex or TinCanTech and other devs: you guys do great work with OpenVPN and the redesign looks cool - please allow the app to work with TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and all the EC, SHA2, and AEAD/GCM crypto.

<paranoid rant> Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. </rant>

Thank you all.
Could you please try apk with possible solution:
https://swupdate.openvpn.net/downloads/ ... .1-885.apk

Thanks

vpnhuman
OpenVpn Newbie
Posts: 10
Joined: Sat Jun 24, 2017 8:04 pm

Re: New version 3.0.0-870 not working

Post by vpnhuman » Sat Feb 17, 2018 12:55 pm

Success! Manually installed the above version 3.0.1-885 apk and it connects on both my router and server with the desired tls-cipher setting - thanks yuriy

Feb 17 04:35:05 debian daemon.notice openvpn[13806]: XXX.XXX.XXX.XXX Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Feb 17 04:35:05 debian daemon.notice openvpn[13806]: XXX.XXX.XXX.XXX [android client] Peer Connection Initiated with [client]

Was this an unintended regression?

MisterSurface
OpenVPN User
Posts: 34
Joined: Wed May 10, 2017 10:08 pm

Re: New version 3.0.0-870 not working

Post by MisterSurface » Tue Feb 20, 2018 12:53 am

I'm having issues in connecting as well, old profile was lost, re-set it all up and not working with newest version available in google play. I'm also using TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384

I'm on 3.0.1 with release date 2/19/18
