[Solved]constant reconnect problem

Official client software for OpenVPN Access Server and OpenVPN Cloud.
dusan.ilic
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2015 10:19 am

Post by dusan.ilic » Mon Apr 27, 2015 10:51 am

Hi all,

I am using OpenVPN Connect on a Samsung S4 with Android 5.0.1.

The problem is that when I connect to my office server (always successfully) I can't ping anything, nor connect to any server in the office. When I try to connect I get disconnected, and then the app tries a reconnect and says again that it is a success, but the same problem pops up, and again the reconnect... I think I isolated the problem within the logs, so any help with setting it up will be appreciated:

The log file errors:

Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Apr 27 10:29:33 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:43 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:53 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

On my phone I am using a unified .ovpn file:

tls-client
dev tun
remote MyServIP 1194
resolv-retry infinite
explicit-exit-notify 3
nobind
persist-key
persist-tun
cipher BF-CBC
keysize 256
comp-lzo
verb 1

<ca>
-----BEGIN CERTIFICATE-----
my ca...
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
my crt
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
my key
-----END RSA PRIVATE KEY-----

</key>

ns-cert-type server

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
my serv key...
-----END OpenVPN Static key V1-----

</tls-auth>

pull

My server config is:

tls-client
dev tun0
remote MyIP 1194
resolv-retry infinite
explicit-exit-notify 3
nobind
persist-key
persist-tun
ca ca.crt
cert certName
key KeyName
ns-cert-type server
tls-auth KeyName 1
cipher BF-CBC
keysize 256
comp-lzo
verb 1
log-append      /var/log/openvpn/openvpn.log
status          /var/log/openvpn/status.log 10
pull

Thank you again for the help, any info will be appreciated.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: constant reconnect problem

Post by maikcat » Tue Apr 28, 2015 9:57 am

Your configs are a liiiiitle messed up...

First, remove from your server config:

tls-client
explicit-exit-notify 3
cert certName  *** is this your server crt?
key KeyName   *** is this your server key?
ns-cert-type server
tls-auth KeyName 1  *** this should be a file generated using openvpn --genkey --secret
keysize 256   *** blowfish supports 256 key size???
pull

Also use the client directive in your client config.

Michael.

dusan.ilic
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2015 10:19 am

Re: constant reconnect problem

Post by dusan.ilic » Tue Apr 28, 2015 11:40 am

Hi Michael, thanks for answering.

Blowfish supports variable key lengths from 32-bit up to 448-bit keys, so it supports a 256-bit key for sure.

But I am terribly sorry, I posted the wrong config file because I have multiple config files... Here is the real one:

dev tun4
proto udp
local #myipaddress#
port 1194
topology subnet
server #server ip and mask#
push "echo ***********************************"
push "echo ** WELCOME TO COMPANY**"
push "echo ***********************************"
tls-server
script-security 2
tls-auth serverKey-ta.key 0
dh dh1024.pem
ca server-ca.crt
cert company-cert.crt
key company-key.key
crl-verify company-crl.pem
cipher BF-CBC
keysize 256
user nobody
group nogroup
chroot /path/to/chroot
#client-connect "python2.7 /etc/openvpn/path/mail.py"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
inactive 28800
log-append      /var/log/openvpn/openvpn-incoming.log
status          /var/log/openvpn/status-incoming.log 10
client-config-dir ./ccd
ccd-exclusive
mute-replay-warnings
verb 3
duplicate-cn
management #mngmntIpAndPort#

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: constant reconnect problem

Post by maikcat » Tue Apr 28, 2015 11:49 am

Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Can you please comment out keysize for now?

Also, please post the output of:

openvpn --show-ciphers | grep  BF

Michael.

dusan.ilic
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2015 10:19 am

Re: constant reconnect problem

Post by dusan.ilic » Tue Apr 28, 2015 12:04 pm

Ok,

I have commented out the keysize and tried, and it didn't work.

For the command, the output is:
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
BF-OFB 128 bit default key (variable)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: constant reconnect problem

Post by maikcat » Tue Apr 28, 2015 12:39 pm

Can you please post the logs using verb 4?

Michael.

dusan.ilic
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2015 10:19 am

Re: constant reconnect problem

Post by dusan.ilic » Thu May 07, 2015 12:54 pm

Hello Michael, I am very sorry for responding late, but I had other issues.

Okay, you were right. I found the problem, but I am stuck with it.

When you said that I should comment out keysize, I did it on the client side only because I couldn't afford to compromise the VPN server at the time, and that didn't work. But when I could, I commented out the keysize in the server config, and OpenVPN Connect worked and was OK. On the other side, though, all desktop VPN clients (OpenVPN GUI 1.0.3) now couldn't connect to my server, so I had to return it to the previous state.

The error for the desktop clients was similar to the previous one in the logs, but reversed.

It was:

Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

And now it is:

Thu May  7 12:05:46 2015 212.178.228.151:15651 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'

So, because I need 256-bit encryption, I will try to change to AES-256.
Do you know if I can just change the server and client config to AES-256-CBC 256 bit and not change the key, or would I have to generate a new key or something more?
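
The two `keysize` warnings quoted in this thread, and the decrypt errors that followed the first one, can be pulled out of a server log and grouped per peer. This is an added example, not code from either poster: the function and field names are hypothetical, and the sample log is assembled from the server log lines quoted in the thread.

```python
import re

PEER = r"(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)"
# Handshake-time warning: the two peers' option strings disagree.
MISMATCH = re.compile(
    PEER + r" WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
# Data-channel failure; as in the thread's log, the peer may be prefixed "CN/".
DECRYPT = re.compile(r"(?:(?P<cn>\S+)/)?" + PEER + r" Authenticate/Decrypt packet error")

def audit(log_text):
    """Map each peer (ip:port) to its option mismatches and later decrypt errors."""
    peers = {}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            entry = peers.setdefault(
                m["peer"], {"cn": None, "mismatches": [], "decrypt_errors": 0})
            # local is this server's setting, remote is what the peer reported
            entry["mismatches"].append((m["opt"], m["local"], m["remote"]))
            continue
        d = DECRYPT.search(line)
        if d and d["peer"] in peers:  # count only errors that follow a mismatch
            peers[d["peer"]]["decrypt_errors"] += 1
            peers[d["peer"]]["cn"] = d["cn"]
    return peers

def broken_sessions(peers):
    """Peers with a mismatch followed by at least one decrypt error."""
    return sorted(p for p, e in peers.items() if e["decrypt_errors"] > 0)

# Sample assembled from the server log lines quoted in the thread.
SAMPLE_LOG = """\
Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Apr 27 10:29:33 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:43 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:53 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Thu May  7 12:05:46 2015 212.178.228.151:15651 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
"""

if __name__ == "__main__":
    for peer, e in audit(SAMPLE_LOG).items():
        print(peer, e["cn"], e["mismatches"], "decrypt errors:", e["decrypt_errors"])
```

The `local`/`remote` pair shows which side is using which value, which is how the thread tells the OpenVPN Connect case (server 256, client 128) from the desktop-client case after `keysize` was commented out on the server.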

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: constant reconnect problem

Post by maikcat » Thu May 07, 2015 4:31 pm

Do you know if i can just change server and client config to AES-256-CBC 256 bit, and not change the key, or i would have to generate new key or something more ?

If you can add the cipher directive to your configs then you will probably be OK...

Keep in mind that this must be present on both sides.

Michael.

dusan.ilic
OpenVpn Newbie
Posts: 6
Joined: Mon Apr 27, 2015 10:19 am

Re: constant reconnect problem

Post by dusan.ilic » Mon May 11, 2015 8:25 am

Thanks maikcat for the help and your time!

I finally found a time with minimal impact for users to change the config and reboot the server.

Anyhow, the problem is solved. The cipher in use can be changed as long as the key fits, so I migrated to AES 256 CBC and it works even better now on Android, iOS and Windows desktop clients. On the client side it just needs an adjustment of the cipher line in the config file, so win-win.

Thanks again, I will try to contribute to the forum in future! :)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: [Solved]constant reconnect problem

Post by maikcat » Mon May 11, 2015 9:53 am

You're welcome,

Marked as Solved

Closing topic

Regards,

Michael.
