Any ideas and hints are welcome.
OpenVPN info:
# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
Server configuration:
proto udp
port 1194
tls-server
compress lz4
dev tun0
keepalive 10 120
persist-key
persist-tun
verb 4
dh none
ecdh-curve secp521r1
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-version-max 1.2
user nobody
group nogroup
ifconfig-pool-persist /var/lib/openvpn/ipp.txt
status /var/lib/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
topology subnet
server 172.16.27.0 255.255.255.0
push "route 192.168.99.0 255.255.255.0"
push "dhcp-option DNS 10.42.13.5"
push "compress lz4"
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-crypt>
...
</tls-crypt>
Client configuration:
client
dev tun
remote vpn.server.tld 1194 udp
resolv-retry infinite
compress lz4
nobind
remote-cert-tls server
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-version-min 1.2
persist-key
persist-tun
verb 3
auth-nocache
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
<tls-crypt>
...
</tls-crypt>
Server log (verb 4) for the failing connection:
Fri Oct 11 15:30:27 2019 us=885347 MULTI: multi_create_instance called
Fri Oct 11 15:30:27 2019 us=885429 81.183.35.55:62581 Re-using SSL/TLS context
Fri Oct 11 15:30:27 2019 us=885444 81.183.35.55:62581 LZ4 compression initializing
Fri Oct 11 15:30:27 2019 us=885541 81.183.35.55:62581 Control Channel MTU parms [ L:1622 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Fri Oct 11 15:30:27 2019 us=885556 81.183.35.55:62581 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Oct 11 15:30:27 2019 us=885636 81.183.35.55:62581 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Fri Oct 11 15:30:27 2019 us=885647 81.183.35.55:62581 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1550,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Fri Oct 11 15:30:27 2019 us=885670 81.183.35.55:62581 TLS: Initial packet from [AF_INET]x.x.x.x:62581, sid=4482530e f8286ebe
Fri Oct 11 15:30:27 2019 us=910025 81.183.35.55:62581 VERIFY OK: depth=1, CN=Zortal Project CA
Fri Oct 11 15:30:27 2019 us=911297 81.183.35.55:62581 VERIFY OK: depth=0, CN=admin@vpn.zortal.hu
Fri Oct 11 15:30:27 2019 us=911958 81.183.35.55:62581 OpenSSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve
Fri Oct 11 15:30:27 2019 us=911977 81.183.35.55:62581 TLS_ERROR: BIO read tls_read_plaintext error
Fri Oct 11 15:30:27 2019 us=911986 81.183.35.55:62581 TLS Error: TLS object -> incoming plaintext read error
Fri Oct 11 15:30:27 2019 us=911995 81.183.35.55:62581 TLS Error: TLS handshake failed
Fri Oct 11 15:30:27 2019 us=912065 81.183.35.55:62581 SIGUSR1[soft,tls-error] received, client-instance restarting
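To triage handshake failures like this one across a busy server log, the following added example (my own code, not from the post or from OpenVPN) groups verb-4 log lines per client endpoint and pulls out the certificate-verification results, the OpenSSL error triple (library, function, reason) and the restart cause. It assumes IPv4 `ip:port` endpoints in the line prefix; the sample input is a few lines copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the server log quoted above (verb 4 format).
SAMPLE_LOG = """\
Fri Oct 11 15:30:27 2019 us=885347 MULTI: multi_create_instance called
Fri Oct 11 15:30:27 2019 us=885429 81.183.35.55:62581 Re-using SSL/TLS context
Fri Oct 11 15:30:27 2019 us=910025 81.183.35.55:62581 VERIFY OK: depth=1, CN=Zortal Project CA
Fri Oct 11 15:30:27 2019 us=911297 81.183.35.55:62581 VERIFY OK: depth=0, CN=admin@vpn.zortal.hu
Fri Oct 11 15:30:27 2019 us=911958 81.183.35.55:62581 OpenSSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve
Fri Oct 11 15:30:27 2019 us=911995 81.183.35.55:62581 TLS Error: TLS handshake failed
Fri Oct 11 15:30:27 2019 us=912065 81.183.35.55:62581 SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# verb 4 prefix: weekday, date, time, year, microseconds, then an optional
# client endpoint (assumed IPv4 ip:port) on messages tied to one client instance.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=(?P<us>\d+) "
    r"(?:(?P<peer>[\d.]+:\d+) )?(?P<msg>.*)$"
)
VERIFY_RE = re.compile(r"^VERIFY OK: depth=(?P<depth>\d+), CN=(?P<cn>.*)$")
# OpenSSL error strings have the shape error:<hex code>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"^OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)
SIGNAL_RE = re.compile(r"^SIGUSR1\[(?P<kind>\w+),(?P<cause>[\w-]+)\] received")


def triage_tls(log_text):
    """Return {peer: summary} with verified CNs, OpenSSL errors, outcome and restart cause."""
    peers = defaultdict(lambda: {"verified": [], "openssl_errors": [],
                                 "handshake_failed": False, "restart_cause": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("peer"):
            continue  # daemon-level messages carry no client endpoint; skip them
        rec, msg = peers[m.group("peer")], m.group("msg")
        if v := VERIFY_RE.match(msg):
            rec["verified"].append((int(v.group("depth")), v.group("cn")))
        elif o := OPENSSL_RE.match(msg):
            rec["openssl_errors"].append({k: o.group(k) for k in ("code", "lib", "func", "reason")})
        elif msg == "TLS Error: TLS handshake failed":
            rec["handshake_failed"] = True
        elif s := SIGNAL_RE.match(msg):
            rec["restart_cause"] = s.group("cause")
    return dict(peers)
```

Run over a full `openvpn.log`, the summary shows at a glance whether the peer's chain verified before the handshake failed and which OpenSSL check rejected it, which is the first thing to compare between a working and a failing client.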