In my country the top-level provider blocks OpenVPN, but the Android client still works.
The Linux and OpenWrt OpenVPN clients don't want to connect to the server with this config:
Client Config
client
dev tun
proto tcp
port 443
remote 185.178.47.61 # server IP
script-security 2
dhcp-option DNS 8.8.8.8
tls-client
reneg-sec 36000
cipher AES-128-CBC
auth SHA1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
---
</cert>
<key>
-----BEGIN PRIVATE KEY-----
---
-----END PRIVATE KEY-----
</key>
verb 5
Log from Ubuntu Linux 18.11:
Fri May 10 17:23:29 2019 us=991766 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 3 2018
Fri May 10 17:23:29 2019 us=991781 library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.10
Fri May 10 17:23:29 2019 us=991883 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 17:23:29 2019 us=992092 Deprecated TLS cipher name 'ECDHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
Fri May 10 17:23:29 2019 us=992423 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 17:23:29 2019 us=992438 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 17:23:29 2019 us=992528 Control Channel MTU parms [ L:1623 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Fri May 10 17:23:29 2019 us=992570 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri May 10 17:23:29 2019 us=992592 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri May 10 17:23:29 2019 us=992601 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri May 10 17:23:29 2019 us=992619 TCP/UDP: Preserving recently used remote address: [AF_INET]185.178.47.61:443
Fri May 10 17:23:29 2019 us=992665 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri May 10 17:23:29 2019 us=992684 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 17:23:30 2019 us=992855 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 17:23:30 2019 us=992904 TCP_CLIENT link local: (not bound)
Fri May 10 17:23:30 2019 us=992921 TCP_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 17:23:31 2019 us=61548 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=c87dc78a e916def9
WWW^CFri May 10 17:23:34 2019 us=171293 event_wait : Interrupted system call (code=4)
Fri May 10 17:23:34 2019 us=171463 TCP/UDP: Closing socket
Fri May 10 17:23:34 2019 us=171518 SIGINT[hard,] received, process exiting
I grabbed traffic via tcpdump and analysed it in Wireshark, and this is what I see:
In the top window: the Android client, connected perfectly to the OpenVPN server
In the middle: the OpenWrt CC 15.01 router with OpenVPN 2.3.6
In the bottom: Linux Ubuntu 18.11 with OpenVPN 2.4.6
As we can see, OpenWrt and Ubuntu use the SSL protocol to auth and don't want to connect to the server, but the Android client uses TLSv1.2 and connects perfectly. All clients use the same config file.
Why do the OpenWrt (and Linux) clients use SSL auth? How do I force TLSv1.2 auth?
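The startup log above already flags the most important gap in this config: "WARNING: No server certificate verification method has been enabled". Without remote-cert-tls or verify-x509-name, the client checks only that the server's certificate chains to the CA in the ca block, so any certificate issued by that CA (another client's, for instance) would be accepted as the server. The following is an added example, not code from the post or from the OpenVPN project: a small Python checker that parses a client config, including the inline ca and tls-auth blocks, and reports the settings a defender would tighten. The two sample configs, the 192.0.2.10 address and the PLACEHOLDER key material are constructed stand-ins; the directive names in the findings (remote-cert-tls, verify-x509-name, tls-version-min, tls-crypt) are real OpenVPN options.

```python
"""Static checker for OpenVPN client configs (added example, not from the post).

Parses directives plus inline <tag>...</tag> blocks and reports settings worth
tightening. Sample configs below are constructed; key material is a placeholder.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the poster's config (same directives, placeholder
# server address from the 192.0.2.0/24 documentation range, placeholder keys).
LOOSE_CONFIG = """\
client
dev tun
proto tcp
port 443
remote 192.0.2.10 # placeholder server IP
tls-client
cipher AES-128-CBC
auth SHA1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
verb 5
"""

# Constructed hardened variant of the same config.
HARDENED_CONFIG = """\
client
dev tun
proto tcp
remote 192.0.2.10 443
remote-cert-tls server
verify-x509-name vpn.example.invalid name
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
verb 3
"""

TAG_RE = re.compile(r"<([a-z0-9-]+)>")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (directives, blocks): directive name -> list of argument strings
    (a directive may repeat), and inline tag name -> block body."""
    directives: Dict[str, List[str]] = {}
    blocks: Dict[str, str] = {}
    open_tag = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag is not None:                     # inside <tag> ... </tag>
            if line == f"</{open_tag}>":
                blocks[open_tag] = "\n".join(body)
                open_tag, body = None, []
            else:
                body.append(line)
            continue
        m = TAG_RE.fullmatch(line)
        if m:
            open_tag = m.group(1)
            continue
        if not line or line[0] in "#;":              # blank or full-line comment
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]   # drop trailing comment
        name, *args = line.split()
        directives.setdefault(name, []).append(" ".join(args))
    return directives, blocks


def lint(directives: Dict[str, List[str]], blocks: Dict[str, str]) -> List[str]:
    """Report weak or missing settings; an empty list means nothing to flag."""
    findings: List[str] = []
    if "remote-cert-tls" not in directives and "verify-x509-name" not in directives:
        findings.append("no server certificate verification: add 'remote-cert-tls server' "
                        "(this is what OpenVPN's startup WARNING about MITM refers to)")
    if "tls-version-min" not in directives:
        findings.append("no 'tls-version-min': add 'tls-version-min 1.2' so the client "
                        "refuses older TLS versions instead of negotiating them")
    cipher = directives.get("cipher", [""])[0]
    if cipher and "GCM" not in cipher.upper():
        findings.append(f"cipher {cipher} is not AEAD: prefer AES-256-GCM where both ends support it")
    if directives.get("auth", [""])[0].upper() == "SHA1":
        findings.append("auth SHA1: prefer SHA256 for the packet HMAC on non-AEAD ciphers")
    if "tls-auth" in blocks and "tls-crypt" not in blocks:
        findings.append("tls-auth only authenticates control packets; tls-crypt (OpenVPN 2.4+) "
                        "also encrypts them")
    if "ca" not in blocks and "ca" not in directives:
        findings.append("no CA configured: the server certificate cannot be validated at all")
    return findings


def check(text: str) -> List[str]:
    return lint(*parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = check(cfg)
        print(f"[{label}] {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run it as-is and the loose config yields five findings while the hardened one yields none. Of these, tls-version-min is the directive that sets the lowest TLS version the client will offer, which is the closest thing to "forcing TLSv1.2" asked about in the question; whether the absence of that directive is what makes the OpenWrt and Ubuntu clients fail cannot be told from the capture description alone, but the remote-cert-tls finding is worth fixing regardless of the outcome. Note that the OpenWrt router runs OpenVPN 2.3.6, which predates tls-crypt, so that one finding applies only to the 2.4 client.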