OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Official client software for OpenVPN Access Server and OpenVPN Cloud.
l0ck0n
OpenVpn Newbie
Posts: 2
Joined: Wed Nov 01, 2017 8:42 am

Post by l0ck0n » Wed Nov 01, 2017 8:49 am

Dear All,

Need some help here. I am using an ASUS RT-AC56S. The router comes with OpenVPN. Over the years with the OpenVPN app (1.1.21), I have had no problem connecting. With the recent update the connection fails and causes my OpenVPN Server on my router to shut down.

People who download the update also complain that they have connection issues.

https://play.google.com/store/apps/deta ... nvpn&hl=en

My error message from the router is as follows:

TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:24266 (via [AF_INET]xxx.xxx.xxx.xxx%eth0), sid=aaada127 1a874fe6
Assertion failed at ssl.c:2005
Exiting due to fatal error
/sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Closing TUN/TAP interface
/sbin/ifconfig tun21 0.0.0.0

Other information as follows:

rc_service: httpds 421:notify_rc stop_openvpnd;restart_samba
Samba Server: smb daemon is stoped
kernel: gro disabled
kernel: gro enabled with interval 2
Samba Server: daemon is started
rc_service: httpds 421:notify_rc restart_openvpnd;restart_chpass;restart_samba
openvpn[24984]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 2 2017
openvpn[24984]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
openvpn[24984]: Diffie-Hellman initialized with 2048 bit key
openvpn[24984]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
openvpn[24984]: Socket Buffers: R=[122880->131072] S=[122880->131072]
openvpn[24984]: TUN/TAP device tun21 opened
openvpn[24984]: TUN/TAP TX queue length set to 100
openvpn[24984]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
openvpn[24984]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
openvpn[24984]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
openvpn[24990]: UDPv4 link local (bound): [undef]
openvpn[24990]: UDPv4 link remote: [undef]
openvpn[24990]: MULTI: multi_init called, r=256 v=256
openvpn[24990]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
openvpn[24990]: Initialization Sequence Completed
Samba Server: smb daemon is stoped
kernel: gro disabled
kernel: gro enabled with interval 2
Samba Server: daemon is started

Can anyone help?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by TinCanTech » Wed Nov 01, 2017 12:13 pm

https://play.google.com/store/apps/deta ... nvpn&hl=en

What's New
Changes from 1.1.21 to 1.1.22:
* fix for importing profiles using external certificates/bundles
Thanks to your own link above ..
l0ck0n wrote:
Wed Nov 01, 2017 8:49 am
With the recent update the connection fails and causes my OpenVPN Server on my router to shut down
Exactly what version of openvpn is that?

Please post your complete server log at verb 4.

openwhat
OpenVpn Newbie
Posts: 11
Joined: Wed Nov 27, 2013 12:39 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by openwhat » Wed Nov 01, 2017 3:00 pm

After updating to OpenVPN Connect 1.1.22 (build 89), on my mobile phone, I can't connect to my home router.
(ASUS RT-N66U running OpenVPN 2.4.3 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 3 2017)
Connecting from my Windows laptop keeps working fine!
Yesterday, before the 1.1.22 Android update on my phone, all was working fine.

In other words, it seems there is something wrong with the recent 'OpenVPN Connect' update for Android.
Error message I get on my phone: "OpenVPN server certificate verification failed : mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed".

On the server side (my router) I see NO error messages, just a client restart message.
- Connection reset, restarting [0]
- SIGUSR1[soft,connection-reset] received, client-instance restarting

Bug or am I missing something?

gkuenning
OpenVpn Newbie
Posts: 8
Joined: Wed Nov 01, 2017 5:29 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by gkuenning » Wed Nov 01, 2017 5:32 pm

Same problem here. My server is openvpn 2.3.8 on an OpenSuSE system. The server logs say only this:

2017-11-01T10:25:40.039357-07:00 mallet openvpn[8229]: TCP connection established with [AF_INET]134.173.211.213:45993
2017-11-01T10:25:40.069357-07:00 mallet openvpn[8229]: 134.173.211.213:45993 Connection reset, restarting [-1]

I'm going to try to see if I can downgrade on Google Play until somebody figures this out.

BioHazardous
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 01, 2017 5:29 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by BioHazardous » Wed Nov 01, 2017 5:33 pm

New user here. Zero issues connecting last night. I see my Android app updated last night on my phone, and can't connect. The logs show everything is pointed to the right destination, but I get this in the logs:
"server poll timeout trying next remote entry"

On the front end it says connection timeout.

Tried a bunch of different settings in the OpenVPN Connect client for Android one at a time and then reverting back to how everything was configured when it was working last night, no changes made any difference. Tried restarting my OpenVPN server on my Netgear router, no change. Logs on my router show no activity on VPN since last night.

SharpThunder
OpenVpn Newbie
Posts: 1
Joined: Wed Nov 01, 2017 9:04 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by SharpThunder » Wed Nov 01, 2017 9:08 pm

My connection is gone; I cannot connect with Android. I checked the server logs and they say TLS handshake failed, plaintext buffer too short. I tried to find a fix because it connects on Windows. So I downloaded another OpenVPN client from the Play Store and it works. I guess the new update broke TLS.

Crash
OpenVpn Newbie
Posts: 11
Joined: Sat May 16, 2015 12:39 am

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by Crash » Thu Nov 02, 2017 2:20 am

Same issue here. The app updated 1-2 days ago and now it can't connect. Tried reboot hard and soft, /etc/init.d/openvpn restart, ensured the ports are forwarded, apt-get update on system, apt-get upgrade on system, verified no changes on client or server side files, and same firewall rules, nothing blocking it. Set the app to try infinitely and after about 3-5 minutes it just says "Session invalidated: KEEPALIVE_TIMEOUT". As TinCanTech noted above though, there are tons of reviews on the app from 10/31 and 11/01 saying they can't connect anymore so hopefully they take note and resolve the issue.

gkuenning
OpenVpn Newbie
Posts: 8
Joined: Wed Nov 01, 2017 5:29 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by gkuenning » Thu Nov 02, 2017 2:47 am

Further evidence: I managed to restore 1.1.17 (app only, not data) from a backup and it works again.

mnl1121
OpenVpn Newbie
Posts: 6
Joined: Thu Nov 02, 2017 2:30 am

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by mnl1121 » Thu Nov 02, 2017 2:53 am

SharpThunder wrote:
Wed Nov 01, 2017 9:08 pm
My connection is gone; I cannot connect with Android. I checked the server logs and they say TLS handshake failed, plaintext buffer too short. I tried to find a fix because it connects on Windows. So I downloaded another OpenVPN client from the Play Store and it works. I guess the new update broke TLS.
My exact error as well. Guess we need to wait for a fix. I'm going to try reverting to an earlier version in the meantime.

EDIT: Reverting back to 1.1.17 works
https://www.apkmirror.com/apk/openvpn/o ... -download/

Crash
OpenVpn Newbie
Posts: 11
Joined: Sat May 16, 2015 12:39 am

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by Crash » Thu Nov 02, 2017 5:22 am

Found the solution. Have to install the update from the source for the server to version 2.4. They haven't put 2.4 into apt-get yet. Someone else posted on the forum already, but in case you guys can't find it, just download the 2.4 tarball from here:
https://openvpn.net/index.php/open-source/downloads.html
extract it, then follow the instructions here:
https://www.htpcguides.com/compile-latest-openvpn-from-source-on-debian-8/
Also, don't forget to do the "sudo /etc/init.d/openvpn restart" or a reboot.
Should be good to go after that.

openwhat
OpenVpn Newbie
Posts: 11
Joined: Wed Nov 27, 2013 12:39 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by openwhat » Thu Nov 02, 2017 3:15 pm

Crash wrote:
Thu Nov 02, 2017 5:22 am
Found the solution. Have to install the update from the source for the server to version 2.4.
...
Are you sure?
See my earlier post, I'm already on OpenVPN 2.4.3 and having these issues.

I wish they would revert to 1.1.21 in the Google Play Store for now!
There is no easy way to go back otherwise. :cry:

mnl1121
OpenVpn Newbie
Posts: 6
Joined: Thu Nov 02, 2017 2:30 am

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by mnl1121 » Thu Nov 02, 2017 4:35 pm

openwhat wrote:
Thu Nov 02, 2017 3:15 pm
Crash wrote:
Thu Nov 02, 2017 5:22 am
Found the solution. Have to install the update from the source for the server to version 2.4.
...
Are you sure?
See my earlier post, I'm already on OpenVPN 2.4.3 and having these issues.

I wish they would revert to 1.1.21 in the Google Play Store for now!
There is no easy way to go back otherwise. :cry:
It's very easy to go back, just uninstall and then go to the link I posted above from APK Mirror (APK Mirror is a known trusted site). After downloading the APK if you don't have "install from unknown sources" checked it'll prevent you but give you the option to install just this one time. Simply install and boom you've reverted back.

openwhat
OpenVpn Newbie
Posts: 11
Joined: Wed Nov 27, 2013 12:39 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by openwhat » Thu Nov 02, 2017 6:20 pm

/off topic

Thx, but my phone is under company policy.
Install from unknown sources is simply not allowed. (Setting is greyed out.)

nwright
OpenVpn Newbie
Posts: 2
Joined: Wed Nov 01, 2017 6:38 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by nwright » Thu Nov 02, 2017 8:13 pm

I just got an update to the app that fixed the issue for me.

openwhat
OpenVpn Newbie
Posts: 11
Joined: Wed Nov 27, 2013 12:39 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by openwhat » Thu Nov 02, 2017 9:26 pm

Also tested OpenVPN Connect 1.1.23 (build 90) but still no joy.

Server gives the same error message: ...SIGUSR1[soft,connection-reset] received, client-instance restarting
Client also same message: "OpenVPN server certificate verification failed : mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed".

Happy to see devs are looking for a solution!

Nardi.koci@gmail.com
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 02, 2017 10:03 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by Nardi.koci@gmail.com » Thu Nov 02, 2017 10:14 pm

I have the same issue with version 1.1.33
Who can help me with a stable previous version?

mnl1121@live.com
OpenVpn Newbie
Posts: 2
Joined: Thu Nov 02, 2017 11:34 pm

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by mnl1121@live.com » Thu Nov 02, 2017 11:37 pm

nwright wrote:
Thu Nov 02, 2017 8:13 pm
I just got an update to the app that fixed the issue for me.
Newest app update fixed it for me as well.

YUChoe
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 03, 2017 1:44 am

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by YUChoe » Fri Nov 03, 2017 1:49 am

openwhat wrote:
Thu Nov 02, 2017 9:26 pm
Also tested OpenVPN Connect 1.1.23 (build 90) but still no joy.

Server gives the same error message: ...SIGUSR1[soft,connection-reset] received, client-instance restarting
Client also same message: "OpenVPN server certificate verification failed : mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed".

Happy to see devs are looking for a solution!
It doesn't work for me either. I think the new (updated) SSL library is forced not to use MD5 anymore. I hope there's a flag for legacy mode or less-secure mode.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN update from 1.1.21 to 1.1.22 (Google Play)

Post by ordex » Fri Nov 03, 2017 2:48 am

Hi,
OpenVPN Connect for Android already supports "legacy" mode, but it goes as far back as RSA with 1024-bit keys.

Providing a workaround to still accept MD5 basically means opening a (big) security hole and that is not really acceptable.

I know it can be troublesome, but servers still using MD5 should *really* upgrade to something stronger.
MD5 has been broken for years now and supporting it means being unprofessional towards our users.

However, this is different from the bug discussed by the OP of this post. I am glad to hear that the original problem was solved by 1.1.23.

Cheers,
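
Added example, not part of the thread and not OpenVPN's own code: one way a server administrator could check whether the certificates the server presents are signed with MD5 or carry a short RSA key, the two properties named in the post above. It assumes the `openssl` command-line tool is installed; the function names, verdict labels and the 2048-bit floor are choices made for this example.

```sh
#!/bin/sh
# Added example: flag certificate properties that strict TLS clients refuse.

# Verdict for a signature algorithm name as printed by `openssl x509 -text`.
classify_sigalg() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    md2*|md4*|md5*)                         echo REJECT ;;  # broken digest
    sha1*|*-sha1|*withsha1)                 echo WEAK ;;    # deprecated digest
    sha224*|sha256*|sha384*|sha512*)        echo OK ;;
    *-sha224|*-sha256|*-sha384|*-sha512)    echo OK ;;      # ecdsa-with-SHA256 etc.
    ed25519|ed448)                          echo OK ;;
    *)                                      echo UNKNOWN ;;
  esac
}

# Verdict for an RSA modulus size in bits. The 2048-bit floor is this
# example's assumption; 1024 is the smallest size the thread says legacy
# mode still accepts.
classify_rsa_bits() {
  case "$1" in ''|*[!0-9]*) echo UNKNOWN; return ;; esac
  if [ "$1" -lt 1024 ]; then echo REJECT
  elif [ "$1" -lt 2048 ]; then echo LEGACY
  else echo OK
  fi
}

# Print one report line for a PEM certificate; exit status 0 only if both
# the signature digest and the key size are OK, 2 if the file is unreadable.
audit_cert() (
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
    echo "$1 UNREADABLE"; exit 2; }
  sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ {print $3; exit}')
  alg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ {print $4; exit}')
  bits=$(printf '%s\n' "$text" |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sv=$(classify_sigalg "$sig")
  kv=OK
  [ "$alg" = rsaEncryption ] && kv=$(classify_rsa_bits "$bits")
  echo "$1 sig=$sig:$sv key=$alg/$bits:$kv"
  [ "$sv" = OK ] && [ "$kv" = OK ]
)

# Usage: sh audit.sh ca.crt server.crt   (file names are placeholders)
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do audit_cert "$f" || rc=1; done
  exit "$rc"
fi
```

A REJECT or LEGACY verdict means the certificate has to be reissued with a stronger digest or key; nothing on the client side changes what the file contains.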
