New version 3.0.0-870 not working
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Jun 24, 2017 8:04 pm
New version 3.0.0-870 not working
Hi,
On both my Nexus 5 phone and Nexus 9 tablet, went from 1.1.27 to 3.0.0-870, and in trying to connect to two different servers, the new app doesn't work. Ended up going back to 1.1.27, and everything works. The client confs and server confs, which did not change, are listed below
client
[oconf=]
remote xxx.xxx.xxx.xxx
client
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
comp-lzo
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float
cipher AES-256-GCM
auth SHA512
<tls-crypt> </tls-crypt>
<ca> </ca>
<cert> </cert>
<key> </key>
[/oconf]
server
[oconf=]
port x
proto udp4
dev tun0
server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
client-to-client
push "dhcp-option DNS zzz.zzz.zzz.zzz"
push "redirect-gateway"
keepalive 10 60
compress lz4-v2
push "compress lz4-v2"
user nobody
group nobody
persist-key
persist-tun
auth SHA512
push "route-ipv6 ::/128 ::1" #my hack way of blocking ipv6
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ecdh-curve secp521r1
ncp-disable
prng sha512 64
<tls-crypt> </tls-crypt>
<cert> </cert>
<key> </key>
<dh> </dh>
[/oconf]
The errors on the server logs are:
Feb 14 18:34:58 debian openvpn[1825]: OpenVPN 2.4.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 28 2017
Feb 14 18:34:58 debian openvpn[1825]: library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Feb 14 18:34:58 debian openvpn[1826]: TUN/TAP device tun0 opened
Feb 14 18:34:58 debian openvpn[1826]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 14 18:34:58 debian openvpn[1826]: /sbin/ifconfig tun0 xxx.xxx.xxx.xxx pointopoint xxx.xxx.xxx.xxx mtu 1500
Feb 14 18:34:58 debian openvpn[1826]: UDPv4 link local (bound): [AF_INET][undef]xx
Feb 14 18:34:58 debian openvpn[1826]: UDPv4 link remote: [AF_UNSPEC]
Feb 14 18:34:58 debian openvpn[1826]: GID set to nobody
Feb 14 18:34:58 debian openvpn[1826]: UID set to nobody
Feb 14 18:34:58 debian openvpn[1826]: Initialization Sequence Completed
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS_ERROR: BIO read tls_read_plaintext error
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS object -> incoming plaintext read error
Feb 14 18:35:05 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS handshake failed
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS_ERROR: BIO read tls_read_plaintext error
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS object -> incoming plaintext read error
Feb 14 18:35:58 debian openvpn[1826]: xxx.xxx.xxx.xxx:yyyyyy TLS Error: TLS handshake failed
No settings changed, no tls settings or crypto keys changed, and none of the in-app settings changed - the only thing that changed is the app.
Did the app override some of the profile settings?
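An added example (not part of the post above, and not OpenVPN project code): a small checker that compares the `tls-cipher` lists of a client and a server profile, which is the comparison the server's "no TLS ciphersuites in common" message points to. It goes a little beyond the post by also accepting the `tls_cipher` spelling and two OpenSSL-style names that appear later in this thread; the function names, the partial name table and the `client_library` parameter are assumptions made for this illustration.

```python
import re

# OpenSSL-style names quoted in this thread -> IANA names (partial table).
OPENSSL_TO_IANA = {
    "DHE-RSA-AES128-SHA": "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
}
# Accept both the OpenVPN spelling and the tls_cipher form used on the router.
DIRECTIVE = re.compile(r"^tls[-_]cipher\s+(.+)$", re.IGNORECASE)


def tls_ciphers(conf_text):
    """Return the profile's tls-cipher list as IANA names, or None if unset."""
    found = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]  # drop trailing comment
        m = DIRECTIVE.match(line)
        if m:
            names = m.group(1).strip().strip("'\"").split(":")
            # Assumption: if the directive is repeated, keep the last one.
            found = [OPENSSL_TO_IANA.get(n.strip(), n.strip()) for n in names if n.strip()]
    return found


def shared_ciphers(client_conf, server_conf, client_library=None):
    """Suites both ends may negotiate, in server order; None if undecidable.

    client_library: optional set of IANA names the client's TLS build offers
    (e.g. taken from `openvpn --show-tls` on a desktop build).
    """
    client, server = tls_ciphers(client_conf), tls_ciphers(server_conf)
    if client_library is not None:
        base = client if client is not None else sorted(client_library)
        client = [c for c in base if c in client_library]
    if client is None or server is None:
        return None  # an unrestricted side depends on its TLS library defaults
    return [s for s in server if s in client]


# Constructed sample profiles, reduced to directives quoted in the first post.
CLIENT = "client\nremote-cert-tls server\ntls-version-min 1.2\n" \
         "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384\ncipher AES-256-GCM\n"
SERVER = 'push "route-ipv6 ::/128 ::1" #my hack way of blocking ipv6\n' \
         "tls-version-min 1.2\ntls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384\n"

if __name__ == "__main__":
    print("client:", tls_ciphers(CLIENT))
    print("server:", tls_ciphers(SERVER))
    print("shared:", shared_ciphers(CLIENT, SERVER))
```

A non-empty result only says the two profiles permit a common suite; the handshake still fails if the client's TLS library does not offer it, which is why the optional `client_library` set exists.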
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Feb 15, 2018 10:39 am
Re: New version 3.0.0-870 not working
all right, confirm. after the update does not connect.
Thu Feb 15 13:16:41 2018 TLS Error: Auth Username/Password was not provided by peer
Thu Feb 15 13:16:41 2018 TLS Error: TLS handshake failed
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Feb 15, 2018 10:39 am
Re: New version 3.0.0-870 not working
it helped me to re-import the profile.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Jun 24, 2017 8:04 pm
Re: New version 3.0.0-870 not working
Tried reimporting both profiles to both servers - same errors/results, still no connection established.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Jun 24, 2017 8:04 pm
Re: New version 3.0.0-870 not working
I took the tls-cipher line out (also tried ecdhe like the server instead of dhe) reimported the profile, still same result
Feb 15 06:49:05 debian daemon.err openvpn[1866]: 192.168.1.51 OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)
Still not connecting
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 15, 2018 5:42 pm
Re: New version 3.0.0-870 not working
I have same error (server 2.4.4 running on a router with lede firmware):
Thu Feb 15 18:09:54 2018 daemon.err openvpn( ) TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Thu Feb 15 18:09:54 2018 daemon.err openvpn( ) OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)
I have on server (as recommended):
tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
and tried adding on android client:
tls_cipher "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"
but no luck
With 1.1.27 working well again (I just switched off automatic update )
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Feb 15, 2018 7:24 pm
Re: New version 3.0.0-870 not working
We had the same problem. On the server we had
tls-cipher TLS-RSA-WITH-AES-128-CBC-SHA
change to
tls-cipher DHE-RSA-AES128-SHA
and solve the problem.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 15, 2018 5:42 pm
Re: New version 3.0.0-870 not working
> change to
> tls-cipher DHE-RSA-AES128-SHA
> and solve the problem.
How will I get a list of supported ciphers? openvpn --show-tls doesn't show this entry
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Feb 15, 2018 5:42 pm
Re: New version 3.0.0-870 not working
I added to server tls-cipher:
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
and it works, and
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
works, too.
Seems that the new version supports less tls-ciphers than 1.1.27, e.g. recommended 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' is not supported. A list would be useful
Deprecated TLS cipher name 'DHE-RSA-AES128-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-128-CBC-SHA'
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Feb 15, 2018 10:49 pm
Re: New version 3.0.0-870 not working
I am having issues with the new 3.0 version as well. I found and fixed my issue, and wanted to put it out here in case anyone else saw it while researching. My setup was working fine on the 1.2x client, and in my case it was because I did not have an MTU defined and upon moving to the new 3.0 client, all of a sudden my client would connect and immediately disconnect, and repeat that cycle indefinitely.
My server logs were showing this message when the disconnect was happening -
WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers
I started pinging my server until I found the right MTU value, by following this guide - https://www.sonassi.com/help/troublesho ... or-openvpn
I started at 1500 per the instructions, and found my reply at 1470. I added to my openvpn config "mssfix 1430" as the MSS value is 40 less than your MTU value.
After adding this, and reimporting my profile in the new client, it's now working as expected. Not sure if the lack of an MTU setting might trip up someone else, but wanted to add it since this is the only 3.0 thread where people are talking about issues.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Jun 24, 2017 8:04 pm
Re: New version 3.0.0-870 not working
I tried my server and router with "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" and the android client connects with 3.0.0-870.
Ordex or TinCanTech and other devs: you guys do great work with OpenVPN and the redesign looks cool - please allow the app to work with TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and all the EC, SHA2, and AEAD/GCM crypto.
<paranoid rant> Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. </rant>
Thank you all.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Feb 16, 2018 2:13 pm
Re: New version 3.0.0-870 not working
Oh that's not a good sign. The view count just hit "666".
-
- OpenVpn Newbie
- Posts: 5
- Joined: Sat Feb 17, 2018 2:32 am
Re: New version 3.0.0-870 not working
vpnhuman wrote: Fri Feb 16, 2018 5:21 am
> I tried my server and router with "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" and the android client connects with 3.0.0-870.
> Ordex or TinCanTech and other devs: you guys do great work with OpenVPN and the redesign looks cool - please allow the app to work with TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 and all the EC, SHA2, and AEAD/GCM crypto.
> <paranoid rant> Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. </rant>
> Thank you all.
Could you please try apk with possible solution:
https://swupdate.openvpn.net/downloads/ ... .1-885.apk
Thanks
-
- OpenVpn Newbie
- Posts: 10
- Joined: Sat Jun 24, 2017 8:04 pm
Re: New version 3.0.0-870 not working
Success! Manually installed the above version 3.0.1-885 apk and it connects on both my router and server with the desired tls-cipher setting - thanks yuriy
Feb 17 04:35:05 debian daemon.notice openvpn[13806]: XXX.XXX.XXX.XXX Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Feb 17 04:35:05 debian daemon.notice openvpn[13806]: XXX.XXX.XXX.XXX [android client] Peer Connection Initiated with [client]
Was this an unintended regression?
-
- OpenVPN User
- Posts: 34
- Joined: Wed May 10, 2017 10:08 pm
Re: New version 3.0.0-870 not working
I'm having issues in connecting as well, old profile was lost, re-set it all up and not working with newest version available in google play. I'm also using TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
I'm on 3.0.1 with release date 2/19/18