Configs look as follows:
Server:
port 101
proto udp
dev tun2
auth-user-pass-verify /etc/openvpn/server1/auth.sh via-env
server 10.2.5.0 255.255.255.0
topology subnet
client-to-client
username-as-common-name
push "route 10.0.0.0 255.240.0.0"
push "dhcp-option DNS 10.2.5.1"
push "dhcp-option DOMAIN heim.netz"
duplicate-cn
ca /etc/openvpn/easy_rsa_elliptic/easy-rsa/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy_rsa_elliptic/easy-rsa/easyrsa3/pki/issued/rwserver.crt
key /etc/openvpn/easy_rsa_elliptic/easy-rsa/easyrsa3/pki/private/rwserver.key
dh none
keepalive 10 60
ping-timer-rem
persist-key
persist-tun
script-security 3
status /tmp/server2.ovpn
verb 3
mssfix 1300
ncp-ciphers AES-128-GCM
tls-version-min 1.2
Client:
client
dev tun
remote XXXX 101 udp
server-poll-timeout 4
auth-user-pass
redirect-gateway def1
remote-cert-tls server
auth-retry interact
resolv-retry infinite
persist-key
persist-tun
verb 3
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>
Logfile on Client (iOS):
2018-01-09 19:37:07 ----- OpenVPN Start -----
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 5 2018 23:09:59
2018-01-09 19:37:07 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-09 19:37:07 UNUSED OPTIONS
10 [verify-x509-name] [rwserver] [name]
11 [auth-retry] [interact]
12 [resolv-retry] [infinite]
13 [persist-key]
14 [persist-tun]
15 [verb] [3]
2018-01-09 19:37:07 EVENT: RESOLVE
2018-01-09 19:37:07 Contacting [85.195.251.181]:101/UDP via UDP
2018-01-09 19:37:07 EVENT: WAIT
2018-01-09 19:37:07 Connecting to [onion.4flex.info]:101 (85.195.251.181) via UDPv4
2018-01-09 19:37:07 EVENT: CONNECTING
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:6557 2]: => handshake
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:3363 2]: client state: 0
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2416 2]: => flush output
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2428 2]: <= flush output
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:3363 2]: client state: 1
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2416 2]: => flush output
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2428 2]: <= flush output
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:719 2]: => write client hello
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:757 3]: client hello, max version: [3:3]
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:695 3]: client hello, current time: 1515523027
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:766 3]: dumping 'client hello, random bytes' (32 bytes)
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:766 3]: 0000: 5a 55 0b d3 f1 dc 1c cb a4 0a 66 d8 e2 ef 6b 63 ZU........f...kc
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:766 3]: 0010: 1f a2 7a 0a 66 2d ef d2 3b 94 79 5e 25 37 47 f7 ..z.f-..;.y^%7G.
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:819 3]: client hello, session id len.: 0
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:820 3]: dumping 'client hello, session id' (0 bytes)
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c030
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 009f
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c028
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 006b
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c02f
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 009e
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c027
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 0067
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c012
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 0016
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 009d
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 003d
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 0035
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c032
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c02a
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c00f
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 009c
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 003c
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 002f
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c031
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c029
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c00e
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 000a
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c00d
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:920 3]: client hello, got 25 ciphersuites
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:951 3]: client hello, compress len.: 1
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:953 3]: client hello, compress alg.: 0
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:178 3]: client hello, adding signature_algorithms extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:263 3]: client hello, adding supported_elliptic_curves extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:328 3]: client hello, adding supported_point_formats extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:510 3]: client hello, adding encrypt_then_mac extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:544 3]: client hello, adding extended_master_secret extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:577 3]: client hello, adding session ticket extension
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:1025 3]: client hello, total extension length: 72
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2701 2]: => write record
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2838 3]: output record: msgtype = 22, version = [3:3], msglen = 167
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2416 2]: => flush output
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2435 2]: message length: 172, out_left: 172
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2441 2]: ssl->f_send() returned 172 (-0xffffff54)
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2460 2]: <= flush output
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2850 2]: <= write record
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:1051 2]: <= write client hello
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:3363 2]: client state: 2
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2416 2]: => flush output
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2428 2]: <= flush output
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:1447 2]: => parse server hello
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:3721 2]: => read record
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2208 2]: => fetch input
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2366 2]: in_left: 0, nb_want: 5
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2390 2]: in_left: 0, nb_want: 5
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:2391 2]: ssl->f_recv(_timeout)() returned -32768 (-0x8000)
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:3875 1]: mbedtls_ssl_fetch_input() returned -32768 (-0x8000)
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:3729 1]: mbedtls_ssl_read_record_layer() returned -32768 (-0x8000)
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:1454 1]: mbedtls_ssl_read_record() returned -32768 (-0x8000)
2018-01-09 19:37:07 mbed TLS[ssl_tls.c:6567 2]: <= handshake
Logfile on Server:
notice openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 TLS: Initial packet from [AF_INET]178.197.228.255:64891, sid=1f4acb83 06d19f9e
err openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
err openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)
err openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 TLS_ERROR: BIO read tls_read_plaintext error
err openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 TLS Error: TLS object -> incoming plaintext read error
err openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 TLS Error: TLS handshake failed
notice openvpn(rwvpn2_ec)[9859]: 178.197.228.255:64891 SIGUSR1[soft,tls-error] received, client-instance restarting
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
According to iOS log:
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c030
thanks!
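
Added example, not part of the original post: a small Python check that reads the `client hello, add ciphersuite` lines from a client log like the one above and lists which offered suites a server could actually select for a given certificate key type. The function and table names are hypothetical, the family model is simplified (static ECDH is not modelled), and the EC server key is an assumption inferred from the `easy_rsa_elliptic` path in the server config, which also sets `dh none`.

```python
import re

# Key-exchange/authentication family of each IANA cipher-suite ID (hex).
# Covers the IDs seen in the client log plus the common ECDHE-ECDSA suites.
FAMILIES = {
    "ECDHE-ECDSA": "c02c c02b c024 c023 c00a c009 c008",
    "ECDHE-RSA": "c030 c02f c028 c027 c014 c013 c012",
    "DHE-RSA": "009f 009e 006b 0067 0039 0033 0016",
    "RSA": "009d 009c 003d 003c 0035 002f 000a",
    "ECDH-RSA": "c032 c031 c02a c029 c00f c00e c00d",
}
FAMILY_OF = {sid: fam for fam, ids in FAMILIES.items() for sid in ids.split()}

OFFER_RE = re.compile(r"client hello, add ciphersuite: ([0-9a-f]{4})\b")


def offered_suites(log_text):
    """Return the cipher-suite IDs a client offered, in log order."""
    return OFFER_RE.findall(log_text)


def server_families(cert_key, has_dh_params):
    """Families a server can negotiate (simplified; static ECDH not modelled)."""
    if cert_key == "ec":
        return {"ECDHE-ECDSA"}
    families = {"ECDHE-RSA", "RSA"}
    if has_dh_params:
        families.add("DHE-RSA")  # finite-field DHE needs DH parameters
    return families


def negotiable(log_text, cert_key, has_dh_params):
    """Offered suite IDs whose family the server's certificate can serve."""
    usable = server_families(cert_key, has_dh_params)
    return [s for s in offered_suites(log_text) if FAMILY_OF.get(s) in usable]


# Constructed sample: lines in the client log's format, IDs taken from that log.
SAMPLE_LOG = """\
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c030
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: 009f
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:887 3]: client hello, add ciphersuite: c032
2018-01-09 19:37:07 mbed TLS[ssl_cli.c:920 3]: client hello, got 25 ciphersuites
"""

if __name__ == "__main__":
    # Assumption: EC server key (from the easy_rsa_elliptic path) and "dh none".
    print("EC cert, no DH: ", negotiable(SAMPLE_LOG, "ec", False))
    print("RSA cert, no DH:", negotiable(SAMPLE_LOG, "rsa", False))
```

An empty result for the server's key type corresponds to the "no TLS ciphersuites in common" error in the server log; feed the function the full client log to check every offered ID.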