Unable to connect using OVPN server client: "wrong curve"

kobuki · Post by **kobuki** » Fri Oct 11, 2019 1:33 pm

I've configured an OpenVPN 2.4.7 instance on Debian Buster. I'm using the exact same config on another server, but on Debian Stretch. On Buster it doesn't work. I'm not sure the issue is with OVPN or Debian packages, please help. My configs and a log excerpt is below. The connection fails from a Windows 7 x64 client and also from a Debian Buster amd64 client, using the same config.

Any ideas and hints are welcome.

OpenVPN info:

Code: Select all

# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Server:

Code: Select all

proto udp
port 1194
tls-server
compress lz4
dev tun0
keepalive 10 120
persist-key
persist-tun
verb 4

dh none
ecdh-curve secp521r1
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-max 1.2

user nobody
group nogroup

ifconfig-pool-persist /var/lib/openvpn/ipp.txt
status /var/lib/openvpn/status.log
log-append /var/log/openvpn/openvpn.log

topology subnet
server 172.16.27.0 255.255.255.0
push "route 192.168.99.0 255.255.255.0"
push "dhcp-option DNS 10.42.13.5"
push "compress lz4"

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

<tls-crypt>
...
</tls-crypt>

Client:

Code: Select all

client
dev tun
remote vpn.server.tld 1194 udp
resolv-retry infinite
compress lz4
nobind
remote-cert-tls server
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
auth-nocache

<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>

<tls-crypt>
...
</tls-crypt>

Log of a single connection attempt:

Code: Select all

Fri Oct 11 15:30:27 2019 us=885347 MULTI: multi_create_instance called
Fri Oct 11 15:30:27 2019 us=885429 81.183.35.55:62581 Re-using SSL/TLS context
Fri Oct 11 15:30:27 2019 us=885444 81.183.35.55:62581 LZ4 compression initializing
Fri Oct 11 15:30:27 2019 us=885541 81.183.35.55:62581 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Oct 11 15:30:27 2019 us=885556 81.183.35.55:62581 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Oct 11 15:30:27 2019 us=885636 81.183.35.55:62581 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Oct 11 15:30:27 2019 us=885647 81.183.35.55:62581 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Oct 11 15:30:27 2019 us=885670 81.183.35.55:62581 TLS: Initial packet from [AF_INET]x.x.x.x:62581, sid=4482530e f8286ebe
Fri Oct 11 15:30:27 2019 us=910025 81.183.35.55:62581 VERIFY OK: depth=1, CN=Zortal Project CA
Fri Oct 11 15:30:27 2019 us=911297 81.183.35.55:62581 VERIFY OK: depth=0, CN=admin@vpn.zortal.hu
Fri Oct 11 15:30:27 2019 us=911958 81.183.35.55:62581 OpenSSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve
Fri Oct 11 15:30:27 2019 us=911977 81.183.35.55:62581 TLS_ERROR: BIO read tls_read_plaintext error
Fri Oct 11 15:30:27 2019 us=911986 81.183.35.55:62581 TLS Error: TLS object -> incoming plaintext read error
Fri Oct 11 15:30:27 2019 us=911995 81.183.35.55:62581 TLS Error: TLS handshake failed
Fri Oct 11 15:30:27 2019 us=912065 81.183.35.55:62581 SIGUSR1[soft,tls-error] received, client-instance restarting

kobuki · Post by **kobuki** » Fri Oct 11, 2019 1:45 pm

OK, sorry for the noise, I found the mistake in the meantime. I used the wrong curve in vars file (of easy-rsa). Please delete the whole thread if possible, to keep out the fluff. Sorry again.

TinCanTech · Post by **TinCanTech** » Fri Oct 11, 2019 2:48 pm

Thanks for letting us know your solution

This is useful and clear information.

OpenVPN Support Forum

Unable to connect using OVPN server client: "wrong curve"

Unable to connect using OVPN server client: "wrong curve"

Re: Unable to connect using OVPN server client: "wrong curve"

Re: Unable to connect using OVPN server client: "wrong curve"