TLS failure on android 4.4.4

Official client software for OpenVPN Access Server and OpenVPN Cloud.
hyegeek
OpenVpn Newbie
Posts: 1
Joined: Sat Apr 18, 2015 8:38 pm

TLS failure on android 4.4.4

Post by hyegeek » Sat Apr 18, 2015 8:55 pm

Hardware:
Moto-e android 4.4.4
OpenConnect 1.1.16
OpenVPN core 3.0.3 android armv7a thumb2 32-bit

Let me start off by saying this is not my first rodeo. I've been using openvpn (including openvpn on androids) for many years. I am successfully connecting this same phone to a different openvpn server with no issues. I simply can't get it to work to my home server.

When I generate keys using the latest, greatest easy-rsa in the recommended fashion, my vpn connection fails with a "header too long" error that many hours of research tells me might be related to 64-bit time vs. 32-bit time. The same keys work fine between my server and a linux box, so I know the keys are OK.

Since I have a working connection to a server that is a few years old, I decided to generate new keys using the older easy-rsa that I am using on that server. Doing this does fix the above error, but the TLS negotiation simply stops and eventually times out. The timeout is not caused by a firewall (I even turned off the firewall to be sure), it just simply stops.

I've been beating my head against this problem for hours.

The ovpn file is pretty simple and imports fine


client
comp-lzo
dev tun
nobind
proto udp
remote vpn.gnatcreek.org 5000
resolv-retry infinite
route 192.168.101.0 255.255.255.0
tls-timeout 5
verb 4

I import the keys from my android keychain and when I connect, the server seems happy until things just stop and then time out.


Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Re-using SSL/TLS context
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 LZO compression initialized
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 858)
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Control Channel MTU parms [ L:900 D:138 EF:38 EB:0 ET:0 EL:0 ]
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Data Channel MTU parms [ L:900 D:900 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Local Options String: 'V4,dev-type tun,link-mtu 900,tun-mtu 858,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Expected Remote Options String: 'V4,dev-type tun,link-mtu 900,tun-mtu 858,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Local Options hash (VER=V4): '55331fa8'
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 Expected Remote Options hash (VER=V4): 'cfddd6e8'
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 TLS: Initial packet from [AF_INET]192.168.100.130:41231, sid=cf87320c a7fa36e1
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 CRL CHECK OK: C=US, ST=Idaho, L=Viola, O=Gnatcreek (Dad Net), CN=magnus.gnatcreek.org, emailAddress=admin@gnatcreek.org
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 VERIFY OK: depth=1, C=US, ST=Idaho, L=Viola, O=Gnatcreek (Dad Net), CN=magnus.gnatcreek.org, emailAddress=admin@gnatcreek.org
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 CRL CHECK OK: C=US, ST=Idaho, O=Gnatcreek (Dad Net), CN=moto-e, emailAddress=hyedad@gnatcreek.org
Apr 18 13:24:41 magnus openvpn[21984]: 192.168.100.130:41231 VERIFY OK: depth=0, C=US, ST=Idaho, O=Gnatcreek (Dad Net), CN=moto-e, emailAddress=hyedad@gnatcreek.org
Apr 18 13:25:24 magnus openvpn[21984]: MULTI: multi_create_instance called
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Re-using SSL/TLS context
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 LZO compression initialized
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 858)
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Control Channel MTU parms [ L:900 D:138 EF:38 EB:0 ET:0 EL:0 ]
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Data Channel MTU parms [ L:900 D:900 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Local Options String: 'V4,dev-type tun,link-mtu 900,tun-mtu 858,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Expected Remote Options String: 'V4,dev-type tun,link-mtu 900,tun-mtu 858,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Local Options hash (VER=V4): '55331fa8'
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 Expected Remote Options hash (VER=V4): 'cfddd6e8'
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 TLS: Initial packet from [AF_INET]192.168.100.130:34761, sid=196264e0 c6c2408d
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 CRL CHECK OK: C=US, ST=Idaho, L=Viola, O=Gnatcreek (Dad Net), CN=magnus.gnatcreek.org, emailAddress=admin@gnatcreek.org
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 VERIFY OK: depth=1, C=US, ST=Idaho, L=Viola, O=Gnatcreek (Dad Net), CN=magnus.gnatcreek.org, emailAddress=admin@gnatcreek.org
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 CRL CHECK OK: C=US, ST=Idaho, O=Gnatcreek (Dad Net), CN=moto-e, emailAddress=hyedad@gnatcreek.org
Apr 18 13:25:24 magnus openvpn[21984]: 192.168.100.130:34761 VERIFY OK: depth=0, C=US, ST=Idaho, O=Gnatcreek (Dad Net), CN=moto-e, emailAddress=hyedad@gnatcreek.org
Apr 18 13:25:41 magnus openvpn[21984]: 192.168.100.130:41231 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 18 13:25:41 magnus openvpn[21984]: 192.168.100.130:41231 TLS Error: TLS handshake failed
Apr 18 13:25:41 magnus openvpn[21984]: 192.168.100.130:41231 SIGUSR1[soft,tls-error] received, client-instance restarting

Watching the traffic using tcpdump on the server shows that the server is the last to send a packet and the android never responds. From the logs on the android it looks like it is waiting for the server to do something and eventually times out, so whatever the server said, it either did not see or did not understand.

What I need is either a way to get the proper keys working on the android (no more header too long errors) or a way to get these older keys to be properly understood and the negotiation to finish.

Anyone have any ideas?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: TLS failure on android 4.4.4

Post by Traffic » Mon Apr 20, 2015 1:32 pm

Is that your full client config ?

Please post your server config ..

Your log file:
hyegeek wrote:WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 858)
this looks ominous :roll:
hyegeek wrote:a way to get the proper keys working on the android (no more header too long errors)
when you import the keys, they must use "linefeed" characters, not "carriage return + line feed" characters .. what did you use to create the keys .. how did you transfer them to the android?

Perhaps this thread will be of some help:
topic16236.html

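Two things are suspected in this thread: the poster's 64-bit vs. 32-bit time theory for the "header too long" error, and Traffic's point about CRLF line endings in the imported key material. The script below is an added example, not code from either poster or from the OpenVPN project. It checks a PEM file for both before it is pushed to the phone, using only the Python standard library (a minimal DER walk instead of a crypto library): it flags CRLF line endings, a certificate notAfter encoded as GeneralizedTime (RFC 5280 requires that encoding for dates from 2050 on), and a notAfter past 2038-01-19 03:14:07 UTC, the largest value a signed 32-bit time_t can hold. The certificates it builds for itself (`sample_pem`) are constructed, unsigned shells with empty names so the script runs offline; they are not usable certificates. Whether either finding is the actual cause of the poster's failure is an assumption the thread does not confirm.

```python
import base64
import datetime
import re

UTC = datetime.timezone.utc
SEQUENCE, INTEGER, BIT_STRING, EXPLICIT_0, UTCTIME, GENTIME = 0x30, 0x02, 0x03, 0xA0, 0x17, 0x18
T32_MAX = datetime.datetime(2038, 1, 19, 3, 14, 7, tzinfo=UTC)  # largest signed 32-bit time_t


def der_tlv(tag, content):
    """DER-encode one tag/length/value element (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content


def der_time(dt):
    """RFC 5280 rule: UTCTime for years before 2050, GeneralizedTime from 2050 on."""
    if dt.year < 2050:
        return der_tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    return der_tlv(GENTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())


def sample_pem(not_after_year, crlf=False):
    """Constructed test input: an unsigned, nameless X.509 shell (NOT a usable
    certificate), issued 2015-04-18 and expiring the same day of not_after_year."""
    nb = datetime.datetime(2015, 4, 18, tzinfo=UTC)
    tbs = der_tlv(SEQUENCE, b"".join([
        der_tlv(EXPLICIT_0, der_tlv(INTEGER, b"\x02")),   # [0] version v3
        der_tlv(INTEGER, b"\x01"),                         # serialNumber
        der_tlv(SEQUENCE, b""),                            # signature algorithm (empty)
        der_tlv(SEQUENCE, b""),                            # issuer (empty)
        der_tlv(SEQUENCE, der_time(nb) + der_time(nb.replace(year=not_after_year))),
        der_tlv(SEQUENCE, b""),                            # subject (empty)
        der_tlv(SEQUENCE, b""),                            # subjectPublicKeyInfo (empty)
    ]))
    cert = der_tlv(SEQUENCE, tbs + der_tlv(SEQUENCE, b"") + der_tlv(BIT_STRING, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    lines = ["-----BEGIN CERTIFICATE-----", *[b64[i:i + 64] for i in range(0, len(b64), 64)],
             "-----END CERTIFICATE-----", ""]
    return ("\r\n" if crlf else "\n").join(lines)


def _read_tlv(buf, pos):
    """Decode the DER header at buf[pos]; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        nb = first & 0x7F
        return tag, pos + nb, pos + nb + int.from_bytes(buf[pos:pos + nb], "big")
    return tag, pos, pos + first


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside buf[start:end]."""
    pos = start
    while pos < end:
        tlv = _read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]


def parse_time(tag, raw):
    """Decode a DER UTCTime or GeneralizedTime (Z form) into an aware datetime."""
    s = raw.decode("ascii")
    if tag == UTCTIME:                     # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != GENTIME:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der):
    """Return [(tag, notBefore), (tag, notAfter)] from a DER-encoded certificate."""
    _, tbs_pos, _ = _read_tlv(der, 0)                  # Certificate SEQUENCE
    _, start, end = _read_tlv(der, tbs_pos)            # tbsCertificate SEQUENCE
    fields = list(_children(der, start, end))
    if fields[0][0] == EXPLICIT_0:                     # optional [0] version comes first
        fields = fields[1:]
    _, vstart, vend = fields[3]                        # serial, signature, issuer, validity
    return [(t, parse_time(t, der[s:e])) for t, s, e in _children(der, vstart, vend)]


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in text; whitespace (incl. CR) is ignored."""
    for m in re.finditer(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S):
        yield m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2)))


def check_pem(text):
    """Return findings for one PEM file; an empty list means nothing suspicious."""
    findings = []
    if "\r\n" in text:
        findings.append("crlf: CRLF line endings; convert to LF before importing")
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            (_, _), (tag, na) = cert_validity(der)
            if tag == GENTIME:
                findings.append(f"gentime: notAfter {na:%Y-%m-%d} is encoded as GeneralizedTime")
            if na > T32_MAX:
                findings.append(f"y2038: notAfter {na:%Y-%m-%d} does not fit a 32-bit time_t")
    return findings


if __name__ == "__main__":
    for name, pem in ("10-year/LF", sample_pem(2025)), ("50-year/CRLF", sample_pem(2065, crlf=True)):
        print(name, check_pem(pem) or ["ok"])
```

To use it on real files, read ca.crt and the client certificate with `open(path, newline="")` (so CRLF survives into the string) and pass the contents to `check_pem`; a `crlf` finding is fixed with `tr -d '\r'` or `dos2unix` before the file is copied to the phone, and a `gentime` or `y2038` finding means re-issuing with a shorter validity period if the client turns out not to tolerate such dates.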