Connection only possible without TLS authentication

SanPetro
OpenVpn Newbie
Posts: 6
Joined: Mon Nov 22, 2021 5:01 pm

Connection only possible without TLS authentication

Post by SanPetro » Mon Nov 22, 2021 5:11 pm

Hi everyone,

I've got OpenVPN running on my Ubuntu 20.4-Server on the internet.
Connecting from my Android client (OpenVPN for Android) only works if I deselect "TLS authentication".
My config is as follows:
server.conf :
server

remote-cert-tls client

tls-version-min 1.2
auth SHA512
port 1194
proto tcp4

dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120

tls-crypt ta.key
cipher AES-256-GCM

user nobody
group nogroup
persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log
verb 3


client.conf:
client

auth-nocache
auth SHA512
verify-x509-name server name
client
dev tun
proto tcp4
remote x.x.x.x 1194
resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key

remote-cert-tls server
tls-crypt ta.key

cipher AES-256-GCM
verb 3


The client log shows the following error:

2021-11-21 17:51:07 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=d3ff6c18 9bf8727e
2021-11-21 17:51:07 tls-crypt unwrap error: packet too short
2021-11-21 17:51:07 TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x.42:1194
2021-11-21 17:51:07 Fatal TLS error (check_tls_errors_co), restarting
2021-11-21 17:51:07 TCP/UDP: Closing socket
2021-11-21 17:51:07 SIGUSR1[soft,tls-error] received, process restarting

The server log:

Sun Nov 21 17:51:11 2021 us=801704 MULTI: multi_create_instance called
Sun Nov 21 17:51:11 2021 us=802019 Re-using SSL/TLS context
Sun Nov 21 17:51:11 2021 us=802420 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Nov 21 17:51:11 2021 us=802544 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Sun Nov 21 17:51:11 2021 us=802793 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
Sun Nov 21 17:51:11 2021 us=802867 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
Sun Nov 21 17:51:11 2021 us=802978 TCP connection established with [AF_INET]x.x.x.x:63210
Sun Nov 21 17:51:11 2021 us=803011 TCPv4_SERVER link local: (not bound)
Sun Nov 21 17:51:11 2021 us=803031 TCPv4_SERVER link remote: [AF_INET]x.x.x.x:63210
Sun Nov 21 17:51:11 2021 us=807550 x.x.x.x:63210 TCPv4_SERVER READ [54] from [AF_INET]x.x.x.x:63210: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=353 DATA len=40
Sun Nov 21 17:51:11 2021 us=807688 x.x.x.x:63210 TLS: Initial packet from [AF_INET]x.x.x.x:63210, sid=36aa9ed0 3ece228d
Sun Nov 21 17:51:11 2021 us=807753 x.x.x.x:63210 TCPv4_SERVER WRITE [14] to [AF_INET]x.x.x.x:63210: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Nov 21 17:51:11 2021 us=853518 x.x.x.x:63210 Connection reset, restarting [0]
Sun Nov 21 17:51:11 2021 us=853626 x.x.x.x:63210 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sun Nov 21 17:51:11 2021 us=853770 TCP/UDP: Closing socket

Any ideas? I've already searched multiple sources for "tls-error" and "packet too short", but to no avail.
Your help is appreciated.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection only possible without TLS authentication

Post by TinCanTech » Mon Nov 22, 2021 5:29 pm

SanPetro wrote:
Mon Nov 22, 2021 5:11 pm
Android client (OpenVPN for Android) only works if I deselect "TLS authentication".

What do you mean? (You cannot deselect TLS Authentication)

Re: Connection only possible without TLS authentication

Post by SanPetro » Mon Nov 22, 2021 5:50 pm

There's this switch in the app:
https://cloud-ius.de/nextcloud/s/ZgGRsGAstmMQ5Y4

"TLS-Authentifizierung verwenden" means "use TLS-Authentication".
Referenced below is the ta.key as "embedded file" (="eingebettete Datei") because I loaded an .ovpn file into the app.

Re: Connection only possible without TLS authentication

Post by TinCanTech » Mon Nov 22, 2021 6:04 pm

SanPetro wrote:
Mon Nov 22, 2021 5:50 pm
"TLS-Authentifizierung verwenden" means "use TLS-Authentication".
Referenced below is the ta.key as "embedded file" (="eingebettete Datei") because I loaded an .ovpn file into the app.

It sounds like the app may be overriding your selection of --tls-crypt; I would need to see your full client log.

I think you may need to turn "TLS-Authentication" OFF.

Re: Connection only possible without TLS authentication

Post by SanPetro » Mon Nov 22, 2021 6:11 pm

Well that would be this:

2021-11-22 19:06:30 Generiere OpenVPN-Konfiguration...
2021-11-22 19:06:30 started Socket Thread
2021-11-22 19:06:30 Netzwerkstatus: CONNECTED to WIFI
2021-11-22 19:06:30 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-11-22 19:06:30 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-11-22 19:06:30 P:WARNING: linker: Warning: "/data/app/de.blinkt.openvpn-CkmL-pKoP5mqENbjuDPaeQ==/lib/arm/libovpnexec.so" is not a directory (ignoring)
2021-11-22 19:06:30 Current Parameter Settings:
2021-11-22 19:06:30 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2021-11-22 19:06:30 mode = 0
2021-11-22 19:06:30 show_ciphers = DISABLED
2021-11-22 19:06:30 show_digests = DISABLED
2021-11-22 19:06:30 show_engines = DISABLED
2021-11-22 19:06:30 genkey = DISABLED
2021-11-22 19:06:30 genkey_filename = '[UNDEF]'
2021-11-22 19:06:30 key_pass_file = '[UNDEF]'
2021-11-22 19:06:30 show_tls_ciphers = DISABLED
2021-11-22 19:06:30 connect_retry_max = 0
2021-11-22 19:06:30 Connection profiles [0]:
2021-11-22 19:06:30 proto = tcp-client
2021-11-22 19:06:30 local = '[UNDEF]'
2021-11-22 19:06:30 local_port = '[UNDEF]'
2021-11-22 19:06:30 remote = 'x.x.x.x'
2021-11-22 19:06:30 remote_port = '1194'
2021-11-22 19:06:30 remote_float = DISABLED
2021-11-22 19:06:30 bind_defined = DISABLED
2021-11-22 19:06:30 bind_local = DISABLED
2021-11-22 19:06:30 bind_ipv6_only = DISABLED
2021-11-22 19:06:30 connect_retry_seconds = 2
2021-11-22 19:06:30 connect_timeout = 120
2021-11-22 19:06:30 socks_proxy_server = '[UNDEF]'
2021-11-22 19:06:30 socks_proxy_port = '[UNDEF]'
2021-11-22 19:06:30 tun_mtu = 1500
2021-11-22 19:06:30 tun_mtu_defined = ENABLED
2021-11-22 19:06:30 link_mtu = 1500
2021-11-22 19:06:30 link_mtu_defined = DISABLED
2021-11-22 19:06:30 tun_mtu_extra = 0
2021-11-22 19:06:30 tun_mtu_extra_defined = DISABLED
2021-11-22 19:06:30 mtu_discover_type = -1
2021-11-22 19:06:30 fragment = 0
2021-11-22 19:06:30 mssfix = 1450
2021-11-22 19:06:30 explicit_exit_notification = 0
2021-11-22 19:06:30 tls_auth_file = '[UNDEF]'
2021-11-22 19:06:30 key_direction = not set
2021-11-22 19:06:30 tls_crypt_file = '[INLINE]'
2021-11-22 19:06:30 tls_crypt_v2_file = '[UNDEF]'
2021-11-22 19:06:30 Connection profiles END
2021-11-22 19:06:30 remote_random = DISABLED
2021-11-22 19:06:30 ipchange = '[UNDEF]'
2021-11-22 19:06:30 dev = 'tun'
2021-11-22 19:06:30 dev_type = '[UNDEF]'
2021-11-22 19:06:30 dev_node = '[UNDEF]'
2021-11-22 19:06:30 lladdr = '[UNDEF]'
2021-11-22 19:06:30 topology = 1
2021-11-22 19:06:30 ifconfig_local = '[UNDEF]'
2021-11-22 19:06:30 ifconfig_remote_netmask = '[UNDEF]'
2021-11-22 19:06:30 ifconfig_noexec = DISABLED
2021-11-22 19:06:30 ifconfig_nowarn = ENABLED
2021-11-22 19:06:30 ifconfig_ipv6_local = '[UNDEF]'
2021-11-22 19:06:30 ifconfig_ipv6_netbits = 0
2021-11-22 19:06:30 ifconfig_ipv6_remote = '[UNDEF]'
2021-11-22 19:06:30 shaper = 0
2021-11-22 19:06:30 mtu_test = 0
2021-11-22 19:06:30 mlock = DISABLED
2021-11-22 19:06:30 keepalive_ping = 0
2021-11-22 19:06:30 keepalive_timeout = 0
2021-11-22 19:06:30 inactivity_timeout = 0
2021-11-22 19:06:30 ping_send_timeout = 0
2021-11-22 19:06:30 ping_rec_timeout = 0
2021-11-22 19:06:30 ping_rec_timeout_action = 0
2021-11-22 19:06:30 ping_timer_remote = DISABLED
2021-11-22 19:06:30 remap_sigusr1 = 0
2021-11-22 19:06:30 persist_tun = ENABLED
2021-11-22 19:06:30 persist_local_ip = DISABLED
2021-11-22 19:06:30 persist_remote_ip = DISABLED
2021-11-22 19:06:30 persist_key = DISABLED
2021-11-22 19:06:30 passtos = DISABLED
2021-11-22 19:06:30 resolve_retry_seconds = 1000000000
2021-11-22 19:06:30 resolve_in_advance = ENABLED
2021-11-22 19:06:30 username = '[UNDEF]'
2021-11-22 19:06:30 groupname = '[UNDEF]'
2021-11-22 19:06:30 chroot_dir = '[UNDEF]'
2021-11-22 19:06:30 cd_dir = '[UNDEF]'
2021-11-22 19:06:30 writepid = '[UNDEF]'
2021-11-22 19:06:30 up_script = '[UNDEF]'
2021-11-22 19:06:30 down_script = '[UNDEF]'
2021-11-22 19:06:30 down_pre = DISABLED
2021-11-22 19:06:30 up_restart = DISABLED
2021-11-22 19:06:30 up_delay = DISABLED
2021-11-22 19:06:30 daemon = DISABLED
2021-11-22 19:06:30 log = DISABLED
2021-11-22 19:06:30 suppress_timestamps = DISABLED
2021-11-22 19:06:30 machine_readable_output = ENABLED
2021-11-22 19:06:30 nice = 0
2021-11-22 19:06:30 verbosity = 4
2021-11-22 19:06:30 mute = 0
2021-11-22 19:06:30 gremlin = 0
2021-11-22 19:06:30 status_file = '[UNDEF]'
2021-11-22 19:06:30 status_file_version = 1
2021-11-22 19:06:30 status_file_update_freq = 60
2021-11-22 19:06:30 occ = ENABLED
2021-11-22 19:06:30 rcvbuf = 0
2021-11-22 19:06:30 sndbuf = 0
2021-11-22 19:06:30 sockflags = 0
2021-11-22 19:06:30 fast_io = DISABLED
2021-11-22 19:06:30 comp.alg = 0
2021-11-22 19:06:30 comp.flags = 24
2021-11-22 19:06:30 route_script = '[UNDEF]'
2021-11-22 19:06:30 route_default_gateway = '[UNDEF]'
2021-11-22 19:06:30 route_default_metric = 0
2021-11-22 19:06:30 route_noexec = DISABLED
2021-11-22 19:06:30 route_delay = 0
2021-11-22 19:06:30 route_delay_window = 30
2021-11-22 19:06:30 route_delay_defined = DISABLED
2021-11-22 19:06:30 route_nopull = DISABLED
2021-11-22 19:06:30 route_gateway_via_dhcp = DISABLED
2021-11-22 19:06:30 allow_pull_fqdn = DISABLED
2021-11-22 19:06:30 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2021-11-22 19:06:30 management_port = 'unix'
2021-11-22 19:06:30 management_user_pass = '[UNDEF]'
2021-11-22 19:06:30 management_log_history_cache = 250
2021-11-22 19:06:30 management_echo_buffer_size = 100
2021-11-22 19:06:30 management_write_peer_info_file = '[UNDEF]'
2021-11-22 19:06:30 management_client_user = '[UNDEF]'
2021-11-22 19:06:30 management_client_group = '[UNDEF]'
2021-11-22 19:06:30 management_flags = 16678
2021-11-22 19:06:30 shared_secret_file = '[UNDEF]'
2021-11-22 19:06:30 key_direction = not set
2021-11-22 19:06:30 ciphername = 'AES-256-GCM'
2021-11-22 19:06:30 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2021-11-22 19:06:30 authname = 'SHA512'
2021-11-22 19:06:30 prng_hash = 'SHA1'
2021-11-22 19:06:30 prng_nonce_secret_len = 16
2021-11-22 19:06:30 engine = DISABLED
2021-11-22 19:06:30 replay = ENABLED
2021-11-22 19:06:30 mute_replay_warnings = DISABLED
2021-11-22 19:06:30 replay_window = 64
2021-11-22 19:06:30 replay_time = 15
2021-11-22 19:06:30 packet_id_file = '[UNDEF]'
2021-11-22 19:06:30 test_crypto = DISABLED
2021-11-22 19:06:30 tls_server = DISABLED
2021-11-22 19:06:30 tls_client = ENABLED
2021-11-22 19:06:30 ca_file = '[INLINE]'
2021-11-22 19:06:30 ca_path = '[UNDEF]'
2021-11-22 19:06:30 dh_file = '[UNDEF]'
2021-11-22 19:06:30 cert_file = '[INLINE]'
2021-11-22 19:06:30 extra_certs_file = '[UNDEF]'
2021-11-22 19:06:30 priv_key_file = '[INLINE]'
2021-11-22 19:06:30 pkcs12_file = '[UNDEF]'
2021-11-22 19:06:30 cipher_list = '[UNDEF]'
2021-11-22 19:06:30 cipher_list_tls13 = '[UNDEF]'
2021-11-22 19:06:30 tls_cert_profile = 'legacy'
2021-11-22 19:06:30 tls_verify = '[UNDEF]'
2021-11-22 19:06:30 tls_export_cert = '[UNDEF]'
2021-11-22 19:06:30 verify_x509_type = 2
2021-11-22 19:06:30 verify_x509_name = 'server'
2021-11-22 19:06:30 crl_file = '[UNDEF]'
2021-11-22 19:06:30 ns_cert_type = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 65535
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_ku[i] = 0
2021-11-22 19:06:30 remote_cert_eku = 'TLS Web Server Authentication'
2021-11-22 19:06:30 ssl_flags = 192
2021-11-22 19:06:30 tls_timeout = 2
2021-11-22 19:06:30 renegotiate_bytes = -1
2021-11-22 19:06:30 renegotiate_packets = 0
2021-11-22 19:06:30 renegotiate_seconds = 3600
2021-11-22 19:06:30 handshake_window = 60
2021-11-22 19:06:30 transition_window = 3600
2021-11-22 19:06:30 single_session = DISABLED
2021-11-22 19:06:30 push_peer_info = DISABLED
2021-11-22 19:06:30 tls_exit = DISABLED
2021-11-22 19:06:30 tls_crypt_v2_metadata = '[UNDEF]'
2021-11-22 19:06:30 server_network = 0.0.0.0
2021-11-22 19:06:30 server_netmask = 0.0.0.0
2021-11-22 19:06:30 server_network_ipv6 = ::
2021-11-22 19:06:30 server_netbits_ipv6 = 0
2021-11-22 19:06:30 server_bridge_ip = 0.0.0.0
2021-11-22 19:06:30 server_bridge_netmask = 0.0.0.0
2021-11-22 19:06:30 server_bridge_pool_start = 0.0.0.0
2021-11-22 19:06:30 server_bridge_pool_end = 0.0.0.0
2021-11-22 19:06:30 ifconfig_pool_defined = DISABLED
2021-11-22 19:06:30 ifconfig_pool_start = 0.0.0.0
2021-11-22 19:06:30 ifconfig_pool_end = 0.0.0.0
2021-11-22 19:06:30 ifconfig_pool_netmask = 0.0.0.0
2021-11-22 19:06:30 ifconfig_pool_persist_filename = '[UNDEF]'
2021-11-22 19:06:30 ifconfig_pool_persist_refresh_freq = 600
2021-11-22 19:06:30 ifconfig_ipv6_pool_defined = DISABLED
2021-11-22 19:06:30 ifconfig_ipv6_pool_base = ::
2021-11-22 19:06:30 ifconfig_ipv6_pool_netbits = 0
2021-11-22 19:06:30 n_bcast_buf = 256
2021-11-22 19:06:30 tcp_queue_limit = 64
2021-11-22 19:06:30 real_hash_size = 256
2021-11-22 19:06:30 virtual_hash_size = 256
2021-11-22 19:06:30 client_connect_script = '[UNDEF]'
2021-11-22 19:06:30 learn_address_script = '[UNDEF]'
2021-11-22 19:06:30 client_disconnect_script = '[UNDEF]'
2021-11-22 19:06:30 client_config_dir = '[UNDEF]'
2021-11-22 19:06:30 ccd_exclusive = DISABLED
2021-11-22 19:06:30 tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2021-11-22 19:06:30 push_ifconfig_defined = DISABLED
2021-11-22 19:06:30 push_ifconfig_local = 0.0.0.0
2021-11-22 19:06:30 push_ifconfig_remote_netmask = 0.0.0.0
2021-11-22 19:06:30 push_ifconfig_ipv6_defined = DISABLED
2021-11-22 19:06:30 push_ifconfig_ipv6_local = ::/0
2021-11-22 19:06:30 push_ifconfig_ipv6_remote = ::
2021-11-22 19:06:30 enable_c2c = DISABLED
2021-11-22 19:06:30 duplicate_cn = DISABLED
2021-11-22 19:06:30 cf_max = 0
2021-11-22 19:06:30 cf_per = 0
2021-11-22 19:06:30 max_clients = 1024
2021-11-22 19:06:30 max_routes_per_client = 256
2021-11-22 19:06:30 auth_user_pass_verify_script = '[UNDEF]'
2021-11-22 19:06:30 auth_user_pass_verify_script_via_file = DISABLED
2021-11-22 19:06:30 auth_token_generate = DISABLED
2021-11-22 19:06:30 auth_token_lifetime = 0
2021-11-22 19:06:30 auth_token_secret_file = '[UNDEF]'
2021-11-22 19:06:30 port_share_host = '[UNDEF]'
2021-11-22 19:06:30 port_share_port = '[UNDEF]'
2021-11-22 19:06:30 vlan_tagging = DISABLED
2021-11-22 19:06:30 vlan_accept = all
2021-11-22 19:06:30 vlan_pvid = 1
2021-11-22 19:06:30 client = ENABLED
2021-11-22 19:06:30 pull = ENABLED
2021-11-22 19:06:30 auth_user_pass_file = '[UNDEF]'
2021-11-22 19:06:30 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.29-0-g65ad05d7] armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2021
2021-11-22 19:06:30 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2021-11-22 19:06:30 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-11-22 19:06:30 MANAGEMENT: CMD 'version 3'
2021-11-22 19:06:30 MANAGEMENT: CMD 'hold release'
2021-11-22 19:06:30 MANAGEMENT: CMD 'proxy NONE'
2021-11-22 19:06:30 MANAGEMENT: CMD 'bytecount 2'
2021-11-22 19:06:30 MANAGEMENT: CMD 'state on'
2021-11-22 19:06:32 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-11-22 19:06:32 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-11-22 19:06:32 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-11-22 19:06:32 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-11-22 19:06:32 Control Channel MTU parms [ L:1623 D:1154 EF:96 EB:0 ET:0 EL:3 ]
2021-11-22 19:06:32 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-11-22 19:06:32 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
2021-11-22 19:06:32 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
2021-11-22 19:06:32 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2021-11-22 19:06:32 Socket Buffers: R=[2097152->2097152] S=[524288->524288]
2021-11-22 19:06:32 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194
2021-11-22 19:06:32 MANAGEMENT: >STATE:1637604392,TCP_CONNECT,,,,,,
2021-11-22 19:06:32 Could not protect VPN socket
2021-11-22 19:06:32 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-11-22 19:06:32 TCP connection established with [AF_INET]x.x.x.x:1194
2021-11-22 19:06:32 Could not protect VPN socket
2021-11-22 19:06:32 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-11-22 19:06:32 TCP_CLIENT link local: (not bound)
2021-11-22 19:06:32 TCP_CLIENT link remote: [AF_INET]x.x.x.x:1194
2021-11-22 19:06:32 MANAGEMENT: >STATE:1637604392,WAIT,,,,,,
2021-11-22 19:06:32 MANAGEMENT: >STATE:1637604392,AUTH,,,,,,
2021-11-22 19:06:32 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=7acdd304 cc923432
2021-11-22 19:06:32 tls-crypt unwrap error: packet too short
2021-11-22 19:06:32 TLS Error: tls-crypt unwrapping failed from [AF_INET]x.x.x.x:1194
2021-11-22 19:06:32 Fatal TLS error (check_tls_errors_co), restarting
2021-11-22 19:06:32 TCP/UDP: Closing socket
2021-11-22 19:06:32 SIGUSR1[soft,tls-error] received, process restarting
2021-11-22 19:06:32 MANAGEMENT: >STATE:1637604392,RECONNECTING,tls-error,,,,,
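
The packet sizes in the two failing logs above already show which peer wraps its control channel. The following is an added example, not code from the thread or from the OpenVPN project: it checks the logged hard-reset lengths against the tls-crypt framing. The byte sizes are assumptions taken from the OpenVPN 2.x wire format, the function names are hypothetical, and the sample lines are copied from the logs posted above.

```python
import re

# Byte sizes of the OpenVPN 2.x control-channel framing. They are an
# assumption of this example; the thread itself does not state them.
HEADER = 1 + 8          # opcode/key-id byte + session id, sent in the clear
ACK_COUNT = 1           # length byte of the ACK array
MSG_PACKET_ID = 4       # reliability-layer packet id
WRAP_PACKET_ID = 4 + 4  # tls-crypt replay id: counter + Unix time
WRAP_TAG = 32           # HMAC-SHA256 tag
WRAP_OVERHEAD = WRAP_PACKET_ID + WRAP_TAG  # 40 bytes added by tls-crypt
TLS_CRYPT_MIN = HEADER + WRAP_OVERHEAD     # 49: shortest unwrappable packet

# Lines copied from the server and client logs posted in the thread.
SERVER_LOG = """\
Sun Nov 21 17:51:11 2021 us=807550 x.x.x.x:63210 TCPv4_SERVER READ [54] from [AF_INET]x.x.x.x:63210: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=353 DATA len=40
Sun Nov 21 17:51:11 2021 us=807753 x.x.x.x:63210 TCPv4_SERVER WRITE [14] to [AF_INET]x.x.x.x:63210: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
"""
CLIENT_LOG = """\
2021-11-22 19:06:30 tls_crypt_file = '[INLINE]'
2021-11-22 19:06:32 tls-crypt unwrap error: packet too short
"""

RESET_RE = re.compile(
    r"(READ|WRITE) \[(\d+)\].*?P_CONTROL_HARD_RESET_\w+ kid=\d+ \[([ \d]*)\]")
KEY_RE = re.compile(r"tls_crypt_file = '([^']*)'")
UNWRAP_RE = re.compile(r"tls-crypt unwrap error: ([^\n]+)")


def plain_reset_len(n_acks=0):
    """Length of a hard reset sent without tls-auth/tls-crypt wrapping."""
    acks = 4 * n_acks + (8 if n_acks else 0)  # acked ids + remote session id
    return HEADER + ACK_COUNT + acks + MSG_PACKET_ID


def classify_reset(length, n_acks=0):
    """Label a logged hard reset by comparing its size with both framings."""
    plain = plain_reset_len(n_acks)
    if length == plain:
        return "plain"
    if length == plain + WRAP_OVERHEAD:
        return "tls-crypt"
    return "unknown"


def misparsed_packet_id(counter, unix_time):
    """What a peer without tls-crypt reads from a wrapped packet.

    It takes the byte after the session id as the ACK count and the next
    four bytes as the packet id. In a wrapped packet those five bytes are
    the 4-byte replay counter and the top byte of the timestamp.
    """
    wrap_id = counter.to_bytes(4, "big") + unix_time.to_bytes(4, "big")
    return wrap_id[0], int.from_bytes(wrap_id[1:5], "big")


def diagnose(server_log, client_log):
    """Decide from the logs which peer wraps its control packets."""
    seen = {}
    for line in server_log.splitlines():
        m = RESET_RE.search(line)
        if m:
            direction, length, acks = m.group(1), int(m.group(2)), m.group(3)
            seen[direction] = (length,
                               classify_reset(length, len(acks.split())))
    key = KEY_RE.search(client_log)
    err = UNWRAP_RE.search(client_log)
    client_reset = seen.get("READ", (0, "unknown"))   # sent by the client
    server_reset = seen.get("WRITE", (0, "unknown"))  # sent by the server
    kinds = (client_reset[1], server_reset[1])
    return {
        "client_has_tls_crypt_key": bool(key) and key.group(1) != "[UNDEF]",
        "client_sends": client_reset[1],
        "server_sends": server_reset[1],
        "server_reset_below_minimum": 0 < server_reset[0] < TLS_CRYPT_MIN,
        "client_error": err.group(1) if err else None,
        "mismatch": kinds[0] != kinds[1] and "unknown" not in kinds,
    }


if __name__ == "__main__":
    for name, value in diagnose(SERVER_LOG, CLIENT_LOG).items():
        print(f"{name}: {value}")
    # Replay counter 1 plus a November 2021 timestamp (value taken from the
    # MANAGEMENT STATE line in the client log) reads as ACK count 0, pid 353.
    print(misparsed_packet_id(1, 1637604392))
```

The check reports a client that wraps with tls-crypt and a server that answers with a plain 14-byte reset, which is shorter than the 49 bytes a tls-crypt peer needs before it can unwrap anything. The server-side `pid=353 DATA len=40` is the same mismatch seen from the other end: the replay counter and timestamp read as a plain packet id, with the 40 bytes of wrapping left over as data.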

Re: Connection only possible without TLS authentication

Post by SanPetro » Mon Nov 22, 2021 6:12 pm

Do I understand correctly that if I turn off the authentication switch, no TLS encryption would be active?
Or do you suggest it would be active? How could I check?

Re: Connection only possible without TLS authentication

Post by TinCanTech » Mon Nov 22, 2021 9:05 pm

SanPetro wrote:
Mon Nov 22, 2021 5:11 pm
Connecting from my Android client (OpenVPN for Android) only works if I deselect "TLS authentication".

Please post your log files showing this connection.

Re: Connection only possible without TLS authentication

Post by SanPetro » Tue Nov 23, 2021 6:18 am

There you go:

2021-11-23 07:11:26 started Socket Thread
2021-11-23 07:11:26 Netzwerkstatus: CONNECTED EDGE to MOBILE internet.telekom
2021-11-23 07:11:26 Debug state info: CONNECTED EDGE to MOBILE internet.telekom, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-11-23 07:11:26 Debug state info: CONNECTED EDGE to MOBILE internet.telekom, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2021-11-23 07:11:26 P:WARNING: linker: Warning: "/data/app/de.blinkt.openvpn-CkmL-pKoP5mqENbjuDPaeQ==/lib/arm/libovpnexec.so" is not a directory (ignoring)
2021-11-23 07:11:26 Current Parameter Settings:
2021-11-23 07:11:26 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2021-11-23 07:11:26 mode = 0
2021-11-23 07:11:26 show_ciphers = DISABLED
2021-11-23 07:11:26 show_digests = DISABLED
2021-11-23 07:11:26 show_engines = DISABLED
2021-11-23 07:11:26 genkey = DISABLED
2021-11-23 07:11:26 genkey_filename = '[UNDEF]'
2021-11-23 07:11:26 key_pass_file = '[UNDEF]'
2021-11-23 07:11:26 show_tls_ciphers = DISABLED
2021-11-23 07:11:26 connect_retry_max = 0
2021-11-23 07:11:26 Connection profiles [0]:
2021-11-23 07:11:26 proto = tcp-client
2021-11-23 07:11:26 local = '[UNDEF]'
2021-11-23 07:11:26 local_port = '[UNDEF]'
2021-11-23 07:11:26 remote = 'x.x.x.x'
2021-11-23 07:11:26 remote_port = '1194'
2021-11-23 07:11:26 remote_float = DISABLED
2021-11-23 07:11:26 bind_defined = DISABLED
2021-11-23 07:11:26 bind_local = DISABLED
2021-11-23 07:11:26 bind_ipv6_only = DISABLED
2021-11-23 07:11:26 connect_retry_seconds = 2
2021-11-23 07:11:26 connect_timeout = 120
2021-11-23 07:11:26 socks_proxy_server = '[UNDEF]'
2021-11-23 07:11:26 socks_proxy_port = '[UNDEF]'
2021-11-23 07:11:26 tun_mtu = 1500
2021-11-23 07:11:26 tun_mtu_defined = ENABLED
2021-11-23 07:11:26 link_mtu = 1500
2021-11-23 07:11:26 link_mtu_defined = DISABLED
2021-11-23 07:11:26 tun_mtu_extra = 0
2021-11-23 07:11:26 tun_mtu_extra_defined = DISABLED
2021-11-23 07:11:26 mtu_discover_type = -1
2021-11-23 07:11:26 fragment = 0
2021-11-23 07:11:26 mssfix = 1450
2021-11-23 07:11:26 explicit_exit_notification = 0
2021-11-23 07:11:26 tls_auth_file = '[UNDEF]'
2021-11-23 07:11:26 key_direction = not set
2021-11-23 07:11:26 tls_crypt_file = '[UNDEF]'
2021-11-23 07:11:26 tls_crypt_v2_file = '[UNDEF]'
2021-11-23 07:11:26 Connection profiles END
2021-11-23 07:11:26 remote_random = DISABLED
2021-11-23 07:11:26 ipchange = '[UNDEF]'
2021-11-23 07:11:26 dev = 'tun'
2021-11-23 07:11:26 dev_type = '[UNDEF]'
2021-11-23 07:11:26 dev_node = '[UNDEF]'
2021-11-23 07:11:26 lladdr = '[UNDEF]'
2021-11-23 07:11:26 topology = 1
2021-11-23 07:11:26 ifconfig_local = '[UNDEF]'
2021-11-23 07:11:26 ifconfig_remote_netmask = '[UNDEF]'
2021-11-23 07:11:26 ifconfig_noexec = DISABLED
2021-11-23 07:11:26 ifconfig_nowarn = ENABLED
2021-11-23 07:11:26 ifconfig_ipv6_local = '[UNDEF]'
2021-11-23 07:11:26 ifconfig_ipv6_netbits = 0
2021-11-23 07:11:26 ifconfig_ipv6_remote = '[UNDEF]'
2021-11-23 07:11:26 shaper = 0
2021-11-23 07:11:26 mtu_test = 0
2021-11-23 07:11:26 mlock = DISABLED
2021-11-23 07:11:26 keepalive_ping = 0
2021-11-23 07:11:26 keepalive_timeout = 0
2021-11-23 07:11:26 inactivity_timeout = 0
2021-11-23 07:11:26 ping_send_timeout = 0
2021-11-23 07:11:26 ping_rec_timeout = 0
2021-11-23 07:11:26 ping_rec_timeout_action = 0
2021-11-23 07:11:26 ping_timer_remote = DISABLED
2021-11-23 07:11:26 remap_sigusr1 = 0
2021-11-23 07:11:26 persist_tun = ENABLED
2021-11-23 07:11:26 persist_local_ip = DISABLED
2021-11-23 07:11:26 persist_remote_ip = DISABLED
2021-11-23 07:11:26 persist_key = DISABLED
2021-11-23 07:11:26 passtos = DISABLED
2021-11-23 07:11:26 resolve_retry_seconds = 1000000000
2021-11-23 07:11:26 resolve_in_advance = ENABLED
2021-11-23 07:11:26 username = '[UNDEF]'
2021-11-23 07:11:26 groupname = '[UNDEF]'
2021-11-23 07:11:26 chroot_dir = '[UNDEF]'
2021-11-23 07:11:26 cd_dir = '[UNDEF]'
2021-11-23 07:11:26 writepid = '[UNDEF]'
2021-11-23 07:11:26 up_script = '[UNDEF]'
2021-11-23 07:11:26 down_script = '[UNDEF]'
2021-11-23 07:11:26 down_pre = DISABLED
2021-11-23 07:11:26 up_restart = DISABLED
2021-11-23 07:11:26 up_delay = DISABLED
2021-11-23 07:11:26 daemon = DISABLED
2021-11-23 07:11:26 log = DISABLED
2021-11-23 07:11:26 suppress_timestamps = DISABLED
2021-11-23 07:11:26 machine_readable_output = ENABLED
2021-11-23 07:11:26 nice = 0
2021-11-23 07:11:26 verbosity = 4
2021-11-23 07:11:26 mute = 0
2021-11-23 07:11:26 gremlin = 0
2021-11-23 07:11:26 status_file = '[UNDEF]'
2021-11-23 07:11:26 status_file_version = 1
2021-11-23 07:11:26 status_file_update_freq = 60
2021-11-23 07:11:26 occ = ENABLED
2021-11-23 07:11:26 rcvbuf = 0
2021-11-23 07:11:26 sndbuf = 0
2021-11-23 07:11:26 sockflags = 0
2021-11-23 07:11:26 fast_io = DISABLED
2021-11-23 07:11:26 comp.alg = 0
2021-11-23 07:11:26 comp.flags = 24
2021-11-23 07:11:26 route_script = '[UNDEF]'
2021-11-23 07:11:26 route_default_gateway = '[UNDEF]'
2021-11-23 07:11:26 route_default_metric = 0
2021-11-23 07:11:26 route_noexec = DISABLED
2021-11-23 07:11:26 route_delay = 0
2021-11-23 07:11:26 route_delay_window = 30
2021-11-23 07:11:26 route_delay_defined = DISABLED
2021-11-23 07:11:26 route_nopull = DISABLED
2021-11-23 07:11:26 route_gateway_via_dhcp = DISABLED
2021-11-23 07:11:26 allow_pull_fqdn = DISABLED
2021-11-23 07:11:26 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2021-11-23 07:11:26 management_port = 'unix'
2021-11-23 07:11:26 management_user_pass = '[UNDEF]'
2021-11-23 07:11:26 management_log_history_cache = 250
2021-11-23 07:11:26 management_echo_buffer_size = 100
2021-11-23 07:11:26 management_write_peer_info_file = '[UNDEF]'
2021-11-23 07:11:26 management_client_user = '[UNDEF]'
2021-11-23 07:11:26 management_client_group = '[UNDEF]'
2021-11-23 07:11:26 management_flags = 16678
2021-11-23 07:11:26 shared_secret_file = '[UNDEF]'
2021-11-23 07:11:26 key_direction = not set
2021-11-23 07:11:26 ciphername = 'AES-256-GCM'
2021-11-23 07:11:26 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2021-11-23 07:11:26 authname = 'SHA512'
2021-11-23 07:11:26 prng_hash = 'SHA1'
2021-11-23 07:11:26 prng_nonce_secret_len = 16
2021-11-23 07:11:26 engine = DISABLED
2021-11-23 07:11:26 replay = ENABLED
2021-11-23 07:11:26 mute_replay_warnings = DISABLED
2021-11-23 07:11:26 replay_window = 64
2021-11-23 07:11:26 replay_time = 15
2021-11-23 07:11:26 packet_id_file = '[UNDEF]'
2021-11-23 07:11:26 test_crypto = DISABLED
2021-11-23 07:11:26 tls_server = DISABLED
2021-11-23 07:11:26 tls_client = ENABLED
2021-11-23 07:11:26 ca_file = '[INLINE]'
2021-11-23 07:11:26 ca_path = '[UNDEF]'
2021-11-23 07:11:26 dh_file = '[UNDEF]'
2021-11-23 07:11:26 cert_file = '[INLINE]'
2021-11-23 07:11:26 extra_certs_file = '[UNDEF]'
2021-11-23 07:11:26 priv_key_file = '[INLINE]'
2021-11-23 07:11:26 pkcs12_file = '[UNDEF]'
2021-11-23 07:11:26 cipher_list = '[UNDEF]'
2021-11-23 07:11:26 cipher_list_tls13 = '[UNDEF]'
2021-11-23 07:11:26 tls_cert_profile = 'legacy'
2021-11-23 07:11:26 tls_verify = '[UNDEF]'
2021-11-23 07:11:26 tls_export_cert = '[UNDEF]'
2021-11-23 07:11:26 verify_x509_type = 2
2021-11-23 07:11:26 verify_x509_name = 'server'
2021-11-23 07:11:26 crl_file = '[UNDEF]'
2021-11-23 07:11:26 ns_cert_type = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 65535
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_ku[i] = 0
2021-11-23 07:11:26 remote_cert_eku = 'TLS Web Server Authentication'
2021-11-23 07:11:26 ssl_flags = 192
2021-11-23 07:11:26 tls_timeout = 2
2021-11-23 07:11:26 renegotiate_bytes = -1
2021-11-23 07:11:26 renegotiate_packets = 0
2021-11-23 07:11:26 renegotiate_seconds = 3600
2021-11-23 07:11:26 handshake_window = 60
2021-11-23 07:11:26 transition_window = 3600
2021-11-23 07:11:26 single_session = DISABLED
2021-11-23 07:11:26 push_peer_info = DISABLED
2021-11-23 07:11:26 tls_exit = DISABLED
2021-11-23 07:11:26 tls_crypt_v2_metadata = '[UNDEF]'
2021-11-23 07:11:26 server_network = 0.0.0.0
2021-11-23 07:11:26 server_netmask = 0.0.0.0
2021-11-23 07:11:26 server_network_ipv6 = ::
2021-11-23 07:11:26 server_netbits_ipv6 = 0
2021-11-23 07:11:26 server_bridge_ip = 0.0.0.0
2021-11-23 07:11:26 server_bridge_netmask = 0.0.0.0
2021-11-23 07:11:26 server_bridge_pool_start = 0.0.0.0
2021-11-23 07:11:26 server_bridge_pool_end = 0.0.0.0
2021-11-23 07:11:26 ifconfig_pool_defined = DISABLED
2021-11-23 07:11:26 ifconfig_pool_start = 0.0.0.0
2021-11-23 07:11:26 ifconfig_pool_end = 0.0.0.0
2021-11-23 07:11:26 ifconfig_pool_netmask = 0.0.0.0
2021-11-23 07:11:26 ifconfig_pool_persist_filename = '[UNDEF]'
2021-11-23 07:11:26 ifconfig_pool_persist_refresh_freq = 600
2021-11-23 07:11:26 ifconfig_ipv6_pool_defined = DISABLED
2021-11-23 07:11:26 ifconfig_ipv6_pool_base = ::
2021-11-23 07:11:26 ifconfig_ipv6_pool_netbits = 0
2021-11-23 07:11:26 n_bcast_buf = 256
2021-11-23 07:11:26 tcp_queue_limit = 64
2021-11-23 07:11:26 real_hash_size = 256
2021-11-23 07:11:26 virtual_hash_size = 256
2021-11-23 07:11:26 client_connect_script = '[UNDEF]'
2021-11-23 07:11:26 learn_address_script = '[UNDEF]'
2021-11-23 07:11:26 client_disconnect_script = '[UNDEF]'
2021-11-23 07:11:26 client_config_dir = '[UNDEF]'
2021-11-23 07:11:26 ccd_exclusive = DISABLED
2021-11-23 07:11:26 tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2021-11-23 07:11:26 push_ifconfig_defined = DISABLED
2021-11-23 07:11:26 push_ifconfig_local = 0.0.0.0
2021-11-23 07:11:26 push_ifconfig_remote_netmask = 0.0.0.0
2021-11-23 07:11:26 push_ifconfig_ipv6_defined = DISABLED
2021-11-23 07:11:26 push_ifconfig_ipv6_local = ::/0
2021-11-23 07:11:26 push_ifconfig_ipv6_remote = ::
2021-11-23 07:11:26 enable_c2c = DISABLED
2021-11-23 07:11:26 duplicate_cn = DISABLED
2021-11-23 07:11:26 cf_max = 0
2021-11-23 07:11:26 cf_per = 0
2021-11-23 07:11:26 max_clients = 1024
2021-11-23 07:11:26 max_routes_per_client = 256
2021-11-23 07:11:26 auth_user_pass_verify_script = '[UNDEF]'
2021-11-23 07:11:26 auth_user_pass_verify_script_via_file = DISABLED
2021-11-23 07:11:26 auth_token_generate = DISABLED
2021-11-23 07:11:26 auth_token_lifetime = 0
2021-11-23 07:11:26 auth_token_secret_file = '[UNDEF]'
2021-11-23 07:11:26 port_share_host = '[UNDEF]'
2021-11-23 07:11:26 port_share_port = '[UNDEF]'
2021-11-23 07:11:26 vlan_tagging = DISABLED
2021-11-23 07:11:26 vlan_accept = all
2021-11-23 07:11:26 vlan_pvid = 1
2021-11-23 07:11:26 client = ENABLED
2021-11-23 07:11:26 pull = ENABLED
2021-11-23 07:11:26 auth_user_pass_file = '[UNDEF]'
2021-11-23 07:11:26 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.29-0-g65ad05d7] armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2021
2021-11-23 07:11:26 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2021-11-23 07:11:26 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2021-11-23 07:11:26 MANAGEMENT: CMD 'version 3'
2021-11-23 07:11:26 MANAGEMENT: CMD 'hold release'
2021-11-23 07:11:26 MANAGEMENT: CMD 'bytecount 2'
2021-11-23 07:11:26 MANAGEMENT: CMD 'state on'
2021-11-23 07:11:26 MANAGEMENT: CMD 'proxy NONE'
2021-11-23 07:11:27 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2021-11-23 07:11:27 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2021-11-23 07:11:27 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
2021-11-23 07:11:27 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
2021-11-23 07:11:27 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
2021-11-23 07:11:27 Socket Buffers: R=[26280->26280] S=[16384->16384]
2021-11-23 07:11:27 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194
2021-11-23 07:11:27 MANAGEMENT: >STATE:1637647887,TCP_CONNECT,,,,,,
2021-11-23 07:11:27 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-11-23 07:11:28 TCP connection established with [AF_INET]x.x.x.x:1194
2021-11-23 07:11:28 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2021-11-23 07:11:28 TCP_CLIENT link local: (not bound)
2021-11-23 07:11:28 TCP_CLIENT link remote: [AF_INET]x.x.x.x:1194
2021-11-23 07:11:28 MANAGEMENT: >STATE:1637647888,WAIT,,,,,,
2021-11-23 07:11:29 MANAGEMENT: >STATE:1637647889,AUTH,,,,,,
2021-11-23 07:11:29 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=56da6ae1 fc353d29
2021-11-23 07:11:29 VERIFY OK: depth=1, C=DE, ST=NRW, L=BOCHUM, CN=Easy-RSA CA, emailAddress=x@x.com
2021-11-23 07:11:29 VERIFY KU OK
2021-11-23 07:11:29 Validating certificate extended key usage
2021-11-23 07:11:29 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-11-23 07:11:29 VERIFY EKU OK
2021-11-23 07:11:29 VERIFY X509NAME OK: C=DE, ST=NRW, L=BOCHUM, CN=server, emailAddress=x@x.com
2021-11-23 07:11:29 VERIFY OK: depth=0, C=DE, ST=NRW, L=BOCHUM, CN=server, emailAddress=x@x.com
2021-11-23 07:11:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 3352 bit RSA, signature: RSA-SHA256
2021-11-23 07:11:32 [server] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
2021-11-23 07:11:33 MANAGEMENT: >STATE:1637647893,GET_CONFIG,,,,,,
2021-11-23 07:11:33 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2021-11-23 07:11:34 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2021-11-23 07:11:34 OPTIONS IMPORT: timers and/or timeouts modified
2021-11-23 07:11:34 OPTIONS IMPORT: --ifconfig/up options modified
2021-11-23 07:11:34 OPTIONS IMPORT: route options modified
2021-11-23 07:11:34 OPTIONS IMPORT: peer-id set
2021-11-23 07:11:34 OPTIONS IMPORT: adjusting link_mtu to 1626
2021-11-23 07:11:34 OPTIONS IMPORT: data channel crypto options modified
2021-11-23 07:11:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-23 07:11:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-23 07:11:34 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2021-11-23 07:11:34 do_ifconfig, ipv4=1, ipv6=0
2021-11-23 07:11:34 MANAGEMENT: >STATE:1637647894,ASSIGN_IP,,10.8.0.6,,,,
2021-11-23 07:11:34 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2021-11-23 07:11:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2021-11-23 07:11:34 MANAGEMENT: >STATE:1637647894,ADD_ROUTES,,,,,,
2021-11-23 07:11:34 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2021-11-23 07:11:34 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2021-11-23 07:11:34 Tun-Netzwerkinterface wird geöffnet:
2021-11-23 07:11:34 Lokale IPv4: 10.8.0.6/30 IPv6: (not set) MTU: 1500
2021-11-23 07:11:34 DNS-Server: , Domäne: null
2021-11-23 07:11:34 Routen: 0.0.0.0/0, 10.8.0.1/32, 10.8.0.4/30
2021-11-23 07:11:34 Excluded Routes:
2021-11-23 07:11:34 Installierte VpnService-Routen: 0.0.0.0/0
2021-11-23 07:11:34 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2021-11-23 07:11:34 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-11-23 07:11:34 Initialization Sequence Completed
2021-11-23 07:11:34 MANAGEMENT: >STATE:1637647894,CONNECTED,SUCCESS,10.8.0.6,x.x.x.x,1194,10.174.163.200,43536
2021-11-23 07:11:34 Debug state info: CONNECTED EDGE to MOBILE internet.telekom, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Connection only possible without TLS authentication

Post by TinCanTech » Tue Nov 23, 2021 2:36 pm

That looks like a normal stable connection, I would use it like that.

Re: Connection only possible without TLS authentication

Post by SanPetro » Tue Nov 23, 2021 5:38 pm

It works, but is it safe?
To my understanding, now my traffic is encrypted, but not the TLS handshake, right?
And could any middle-man see the IP of my server while connected? I thought that could only be prohibited by the use of tls auth or tls crypt!?

Ongoing thanks for your help btw ;-)

Re: Connection only possible without TLS authentication

Post by TinCanTech » Tue Nov 23, 2021 7:15 pm

SanPetro wrote:
Tue Nov 23, 2021 5:38 pm
is it safe?
2021-11-23 07:11:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 3352 bit RSA, signature: RSA-SHA256
2021-11-23 07:11:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-23 07:11:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
LGTM.
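
The check done by eye in the reply above can be scripted, together with a test for whether a tls-auth or tls-crypt key was loaded. This is an added example, not part of the original posts. The `TLS_CRYPT_LINES` sample is constructed in the form OpenVPN 2.5 logs when tls-crypt is active, and the finding rules (TLS 1.2 minimum, AEAD data cipher) are assumptions.

```python
import re

CONTROL = re.compile(r"Control Channel: TLSv([\d.]+), cipher \S+ ([\w-]+), "
                     r"(?:peer certificate: )?(\d+) bit (\w+)")
DATA = re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)'")
# tls-crypt keys log as "... Encryption:", tls-auth keys as "... Authentication:".
WRAP = re.compile(r"(?:Outgoing|Incoming) Control Channel (Encryption|Authentication):")
AEAD_SUFFIXES = ("-GCM", "CHACHA20-POLY1305")

def audit(log_text):
    """Summarise negotiated crypto in an OpenVPN client log and list findings."""
    s = {"tls": None, "tls_cipher": None, "peer_key": None,
         "data": {}, "wrapping": None, "findings": []}
    for line in log_text.splitlines():
        if m := CONTROL.search(line):
            s["tls"] = tuple(int(p) for p in m.group(1).split("."))
            s["tls_cipher"] = m.group(2)
            s["peer_key"] = (int(m.group(3)), m.group(4))
        elif m := DATA.search(line):
            s["data"][m.group(1)] = m.group(2)
        elif m := WRAP.search(line):
            s["wrapping"] = "tls-crypt" if m.group(1) == "Encryption" else "tls-auth"
    if s["tls"] is None:
        s["findings"].append("no completed TLS handshake in log")
    elif s["tls"] < (1, 2):
        s["findings"].append("control channel below TLS 1.2")
    for direction, cipher in s["data"].items():
        if not cipher.endswith(AEAD_SUFFIXES):
            s["findings"].append(f"{direction} data channel cipher {cipher} is not AEAD")
    if s["wrapping"] is None:
        s["findings"].append("no tls-auth/tls-crypt key: handshake packets are not pre-authenticated")
    return s

# Three lines copied from the client log posted in this thread (tls-crypt disabled).
THREAD_LOG = """\
2021-11-23 07:11:32 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 3352 bit RSA, signature: RSA-SHA256
2021-11-23 07:11:34 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-23 07:11:34 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
# Constructed sample lines, not taken from the thread.
TLS_CRYPT_LINES = """\
2021-11-23 07:11:27 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-11-23 07:11:27 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
"""

if __name__ == "__main__":
    for log in (THREAD_LOG, TLS_CRYPT_LINES + THREAD_LOG):
        print(audit(log)["wrapping"], audit(log)["findings"])
```

On the log as posted, the only finding is the missing wrapper key; the TLS and data-channel parameters pass.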

bassdb
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 06, 2023 9:47 pm

Re: Connection only possible without TLS authentication

Post by bassdb » Tue Mar 07, 2023 4:16 pm

I too can only connect my client to OpenVPN 2.60 server with TLS-Auth turned off. Is there a fix?

I am using Windows 2019 Server and a Windows 10 client. Thanks
