Failed to connect

Official client software for OpenVPN Access Server and OpenVPN Cloud.
oxygen77
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 11, 2017 7:43 pm

Failed to connect

Post by oxygen77 » Wed Oct 11, 2017 8:19 pm

I wanted to change the type of key used in OpenVPN, so I started with a fresh /etc/openvpn on my server.

I changed part of my initial server.conf and redid all the keys, certificates, ... for both the server and the clients.

Everything is working fine with my PC, but I can't manage to connect from either the Android or the iOS OpenVPN Connect client.

On the device I have the following error:
TCP recv EOF
Transport Error: Transport error on 'MY_IP_XXXXXX: NETWORK_EOF_ERROR'

On the server I have
TLS: Initial packet from [AF_INET]
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting

In both outputs I've removed the IPs/ports for anonymity.

My previous config was functional on all devices. I'm generating certificates/keys specific to each device so I can connect at the same time from different devices.

In both configs (old and new) I have cipher AES-256-CBC

But in the new config I have
tls-cipher TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
and: tls-version-min 1.2
(no such parameters in the previous config; I used easy-rsa to create the keys)

The Android app says: OpenVPN Connect 1.1.17 (build 76), core 3.0.12; the Android version is 7.0. I have turned on the OpenVPN toggle "Force AES-CBC Ciphersuites".

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Failed to connect

Post by TinCanTech » Wed Oct 11, 2017 8:21 pm

oxygen77 wrote:
Wed Oct 11, 2017 8:19 pm
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
oxygen77 wrote:
Wed Oct 11, 2017 8:19 pm
on new config I have
tls-cipher TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
Just remove tls-cipher and restart ..

oxygen77
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 11, 2017 7:43 pm

Re: Failed to connect

Post by oxygen77 » Thu Oct 12, 2017 6:07 am

Thanks TinCanTech for your answer.

I tried removing the tls-cipher option from both client and server config files:
=> on the Android device no change, still can't connect; I also tested putting the option back in the client config file
=> I had to put the option back in the PC config file in order to have it working

Note that I generated EC keys using this command line: openssl ecparam -genkey -name secp384r1 -noout -out my_file.key

I'm pretty new to OpenVPN config & management, so I'm not sure how to understand the log output. I can't decide if
- the issue is that the keys I generated are not supported by OpenVPN Connect (while supported by the server and computer)
- the issue is elsewhere in the communication or in the parameters

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Failed to connect

Post by TinCanTech » Thu Oct 12, 2017 10:35 am

oxygen77 wrote:
Thu Oct 12, 2017 6:07 am
I tried removing the tls-cipher option from both client and server config files,
..
=> I had to put back the option in the pc config file in order to have it working
The message is clear: "No shared cipher". Do not specify the cipher, let openvpn decide on the best available "shared" cipher .. perhaps you did something wrong?
oxygen77 wrote:
Thu Oct 12, 2017 6:07 am
=> on the Android device no change, still can't connect; I also tested putting the option back in the client config file
..
Note that I generated EC keys using this command line: openssl ecparam -genkey -name secp384r1 -noout -out my_file.key
I also think you may have created incompatible certificates .. try using EasyRSA303 to create your PKI:
https://github.com/OpenVPN/easy-rsa/releases

oxygen77
OpenVpn Newbie
Posts: 3
Joined: Wed Oct 11, 2017 7:43 pm

Re: Failed to connect

Post by oxygen77 » Thu Oct 12, 2017 8:40 pm

I would like to understand my error before going to automated tools.

I've removed the tls-cipher parameter.

I've restarted the server and client parameters from scratch.

In order to create the server key & certificate I'm doing:
#pki
openssl ecparam -genkey -name secp384r1 -noout -out ca.key
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/CN=aturys.vpn"
# self-signed CA cert; without -extfile it carries no extensions (no basicConstraints CA:TRUE)
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# server key
openssl ecparam -genkey -name secp384r1 -noout -out server.key
openssl req -new -config server_ssl.cnf -key server.key -out server.csr
yes | openssl ca -config server_ssl.cnf -out server.crt -infiles server.csr
# dhparam takes the bit size as the last (positional) argument, options first
openssl dhparam -dsaparam -out dh2048.pem 2048
openvpn --genkey --secret ta.key

and for the client
openssl ecparam -genkey -name secp384r1 -noout -out client.key
openssl req -new -config client_ssl.cnf -key client.key -out client.csr
yes | openssl ca -config client_ssl.cnf -out client.crt -infiles client.csr

client & server cnf files are similar:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/openvpn/keys
new_certs_dir = $dir
unique_subject = no
certificate = $dir/ca.crt
database = $dir/index
private_key = $dir/ca.key
serial = $dir/serial
default_days = 365
default_md = sha256
policy = ca_policy
x509_extensions = ca_extensions
copy_extensions = copy
crlnumber = $dir/crlnumber
default_crl_days = 1825

[ ca_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ ca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = server.vpn

[ req_ext ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth

My guess is that secp384r1 is not supported on the mobile platform?
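As an added example that is not part of the thread (and not OpenVPN's or easy-rsa's code): the same kind of hand-rolled secp384r1 PKI as in the post above, built with the openssl CLI only, followed by the checks a practitioner would run before pointing any client at it. Two things differ from the posted procedure: the CA certificate is signed with an extension file so it actually carries basicConstraints CA:TRUE and keyCertSign (plain `openssl x509 -req -signkey` adds no extensions), and the client certificate gets extendedKeyUsage clientAuth rather than serverAuth. Directory layout, CN values, the 365-day lifetime and the function names are assumptions; the script does not claim to resolve the Android failure, it only makes the PKI itself verifiable and reports the key type the server will authenticate with, which is the input to any "no shared cipher" diagnosis.

```shell
#!/bin/sh
# Added example, not the poster's or OpenVPN's code: minimal EC PKI for OpenVPN
# built with the openssl CLI, plus verification.  Paths, CNs and lifetime are
# assumptions; secp384r1 matches the curve used in the thread.
set -eu

CURVE=secp384r1

# build_pki DIR  -- CA, server and one client certificate under DIR.
build_pki() {
    dir=$1
    mkdir -p "$dir"

    # Minimal req config so 'openssl req' does not depend on a system
    # openssl.cnf; -subj overrides the dn section at each call.
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
        '[ dn ]' 'CN = placeholder' > "$dir/req.cnf"

    # A CA certificate must say so: CA:TRUE and keyCertSign.  'openssl x509
    # -req -signkey' adds no extensions on its own, hence the -extfile.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca_ext.cnf"
    openssl ecparam -genkey -name "$CURVE" -noout -out "$dir/ca.key"
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/ca.key" \
        -subj "/CN=example-vpn-ca" -out "$dir/ca.csr"
    openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt"

    # Leaf certs: serverAuth for the server, clientAuth for the client, so
    # 'remote-cert-tls server' / 'remote-cert-tls client' can tell them apart.
    for name in server client; do
        case $name in
            server) eku=serverAuth ;;
            client) eku=clientAuth ;;
        esac
        printf '%s\n' 'basicConstraints = CA:FALSE' \
            'keyUsage = digitalSignature, keyAgreement' \
            "extendedKeyUsage = $eku" \
            'subjectKeyIdentifier = hash' \
            'authorityKeyIdentifier = keyid,issuer' > "$dir/${name}_ext.cnf"
        openssl ecparam -genkey -name "$CURVE" -noout -out "$dir/$name.key"
        openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/$name.key" \
            -subj "/CN=$name.vpn" -out "$dir/$name.csr"
        openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/${name}_ext.cnf" -out "$dir/$name.crt"
    done
}

# cert_key_algorithm CERT  -- prints EC, RSA or unknown.  An EC certificate can
# only be used with ECDSA-authenticated (or static ECDH-ECDSA) ciphersuites; a
# peer offering only RSA-authenticated suites can never agree with it, which
# the server side reports as "no shared cipher".
cert_key_algorithm() {
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    case $alg in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        *)              echo unknown ;;
    esac
}

# verify_pki DIR  -- the checks that catch the usual hand-rolled-PKI mistakes.
verify_pki() {
    dir=$1
    # 1. The trust anchor is an actual CA certificate.
    openssl x509 -in "$dir/ca.crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo "ca.crt lacks basicConstraints CA:TRUE" >&2; return 1; }
    # 2. Both leaf certs chain to it and carry the matching purpose.
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/server.crt" \
        || return 1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" \
        || return 1
    # 3. Each private key belongs to its certificate (compare SPKI digests).
    for name in server client; do
        k=$(openssl pkey -in "$dir/$name.key" -pubout | openssl sha256)
        c=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout | openssl sha256)
        [ "$k" = "$c" ] \
            || { echo "$name.key does not match $name.crt" >&2; return 1; }
    done
    # 4. Report the key type the server will authenticate with.
    echo "server certificate key type: $(cert_key_algorithm "$dir/server.crt")"
}

# Usage: sh mkpki.sh DIR   (builds the PKI under DIR and verifies it)
if [ $# -eq 1 ]; then
    build_pki "$1" && verify_pki "$1" && echo "PKI under $1 verified"
fi
```

Run it as `sh mkpki.sh ./pki`, then point `ca`, `cert` and `key` in server.conf and the client configs at the generated files. The verification step is the part worth keeping around: step 1 would flag a CA certificate produced without extensions, step 2 catches a client certificate accidentally issued with serverAuth, and step 3 catches a key/certificate mix-up between devices.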
