OpenVPN client force to use TLSv1.2 auth

Real Root
OpenVpn Newbie
Posts: 3
Joined: Fri May 10, 2019 1:48 pm

OpenVPN client force to use TLSv1.2 auth

Post by Real Root » Fri May 10, 2019 2:05 pm

Hi everyone.
In my country the top-level provider blocks OpenVPN, but the Android client still works.
The Linux and OpenWrt OpenVPN clients don't want to connect to the server with this config:
Client Config
client
dev tun
proto tcp
port 443
remote 185.178.47.61 # server IP
script-security 2
dhcp-option DNS 8.8.8.8
tls-client
reneg-sec 36000
cipher AES-128-CBC
auth SHA1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
---
</cert>
<key>
-----BEGIN PRIVATE KEY-----
---
-----END PRIVATE KEY-----
</key>
verb 5

Log from Ubuntu Linux 18.11:


Fri May 10 17:23:29 2019 us=991766 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  3 2018
Fri May 10 17:23:29 2019 us=991781 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.10
Fri May 10 17:23:29 2019 us=991883 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 17:23:29 2019 us=992092 Deprecated TLS cipher name 'ECDHE-RSA-AES256-GCM-SHA384', please use IANA name 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
Fri May 10 17:23:29 2019 us=992423 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 17:23:29 2019 us=992438 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 17:23:29 2019 us=992528 Control Channel MTU parms [ L:1623 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Fri May 10 17:23:29 2019 us=992570 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri May 10 17:23:29 2019 us=992592 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri May 10 17:23:29 2019 us=992601 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri May 10 17:23:29 2019 us=992619 TCP/UDP: Preserving recently used remote address: [AF_INET]185.178.47.61:443
Fri May 10 17:23:29 2019 us=992665 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri May 10 17:23:29 2019 us=992684 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 17:23:30 2019 us=992855 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 17:23:30 2019 us=992904 TCP_CLIENT link local: (not bound)
Fri May 10 17:23:30 2019 us=992921 TCP_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 17:23:31 2019 us=61548 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=c87dc78a e916def9
WWW^CFri May 10 17:23:34 2019 us=171293 event_wait : Interrupted system call (code=4)
Fri May 10 17:23:34 2019 us=171463 TCP/UDP: Closing socket
Fri May 10 17:23:34 2019 us=171518 SIGINT[hard,] received, process exiting
An Android device connected via the same router connects to the server perfectly with the same config (OpenVPN Connect 3.0.5 b1816).
I grabbed the traffic with tcpdump and analysed it in Wireshark. This is what I see:
(Wireshark screenshot, three capture windows)
In the top window, the Android client connected perfectly to the OpenVPN server.
In the middle, the OpenWrt CC15.01 router with OpenVPN 2.3.6.
At the bottom, Linux Ubuntu 18.11 with OpenVPN 2.4.6.
As we can see, OpenWrt and Ubuntu use the SSL protocol for auth and don't want to connect to the server, but the Android client uses TLSv1.2 and connects perfectly. All clients use the same config file.

Why do the OpenWrt (and Linux) clients use SSL auth? How can I force them to use TLSv1.2 auth?
Last edited by Real Root on Fri May 10, 2019 5:43 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 5920
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client force to use TLSv1.2 auth

Post by TinCanTech » Fri May 10, 2019 2:49 pm

See your server log for errors.

Real Root
OpenVpn Newbie
Posts: 3
Joined: Fri May 10, 2019 1:48 pm

Re: OpenVPN client force to use TLSv1.2 auth

Post by Real Root » Fri May 10, 2019 5:55 pm

TinCanTech wrote:
Fri May 10, 2019 2:49 pm
See your server log for errors.
I don't have access to the server. I only have the client config file. From Linux I connect to the server via another VPN tunnel, in my case WireGuard. My WireGuard server is located in Europe, but I need the Russian IP provided by the OpenVPN server.

The config file is the same for all clients, but the Android client uses TLSv1.2 for auth, while Linux uses SSL. See the Wireshark screenshot.

TinCanTech
OpenVPN Protagonist
Posts: 5920
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN client force to use TLSv1.2 auth

Post by TinCanTech » Fri May 10, 2019 7:48 pm

Real Root wrote:
Fri May 10, 2019 5:55 pm
TinCanTech wrote:
Fri May 10, 2019 2:49 pm
See your server log for errors.
I don't have access to server.
Try setting up your own server and testing that.

Without the server config/log there is nothing I can do.

Somebody else may have some half baked idea but I do not.

Real Root
OpenVpn Newbie
Posts: 3
Joined: Fri May 10, 2019 1:48 pm

Re: OpenVPN client force to use TLSv1.2 auth

Post by Real Root » Sat May 11, 2019 9:18 am

TinCanTech wrote:
Fri May 10, 2019 7:48 pm
Without the server config/log there is nothing I can do.
Somebody else may have some half baked idea but I do not.
I wrote at the beginning of the topic that in my country the top-level provider blocks OpenVPN.
The VPN server works fine, but the provider's DPI blocks SSL auth.
Android OpenConnect uses TLSv1.2 instead of SSL, and it connects and works fine.

I want to know if OpenVPN for Linux can use TLSv1.2. It would be a better solution.

Anyway, I've solved my problem using the nfqueue module for iptables and nfqws from bol-van zapret.
If someone runs into the DPI block, try the following solution:

Install the raw and nfqueue modules for iptables, and add the following line to iptables:
iptables -t raw -I PREROUTING -s $_openvpn_serverip -p tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
Then start nfqws: nfqws --daemon --qnum=200 --wsize=20

In my solution nfqws divides all SYN,ACK packets addressed to port 443 into 20-byte fragments. The provider's DPI monitors only unfragmented SYN,ACK packets, so OpenVPN works fine.

300000
OpenVPN User
Posts: 30
Joined: Tue May 01, 2012 9:30 pm

Re: OpenVPN client force to use TLSv1.2 auth

Post by 300000 » Mon May 13, 2019 4:12 pm

You can force the client to use TLS 1.2; just add this to your client .ovpn:


tls-version-min 1.2
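As an added check (not from this thread or the OpenVPN project): a small Python linter that parses a client .ovpn, skipping the inline <tls-auth>/<ca>/<cert>/<key> blocks, reports whether remote-cert-tls server (the "No server certificate verification method" warning in the Ubuntu log) and tls-version-min 1.2 (the answer above) are present, and appends whichever is missing. The config text is a constructed sample modelled on the config posted in the thread, with the key material elided.

```python
import re

# Constructed sample: the thread's client config with the inline key/cert
# blocks elided. Not the poster's actual key material.
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote 185.178.47.61 # server IP
tls-client
cipher AES-128-CBC
auth SHA1
<tls-auth>
(static key elided)
</tls-auth>
"""

# The server-role check the log warning asks for, and the TLS floor from the answer above.
REQUIRED = {"remote-cert-tls": "server", "tls-version-min": "1.2"}


def parse_directives(text):
    """Map each directive to its argument lists; skip comments and <inline> blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tag = re.fullmatch(r"<(/?)([A-Za-z0-9-]+)>", line)
        if tag:
            inline = None if tag.group(1) else tag.group(2)
        elif line and inline is None:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives


def lint(text):
    """Return findings for REQUIRED directives that are missing or weaker."""
    d, findings = parse_directives(text), []
    if "remote-cert-tls" not in d:
        findings.append("remote-cert-tls server missing (server cert role is not checked)")
    tv = d.get("tls-version-min")
    if tv is None:
        findings.append("tls-version-min missing (library default minimum applies)")
    elif float(tv[0][0]) < 1.2:
        findings.append(f"tls-version-min {tv[0][0]} is below 1.2")
    return findings


def harden(text):
    """Append every REQUIRED directive the config lacks, leaving the rest untouched."""
    d = parse_directives(text)
    extra = [f"{k} {v}" for k, v in REQUIRED.items() if k not in d]
    return text.rstrip("\n") + "\n" + "".join(e + "\n" for e in extra)
```

Run lint() on the config before and after harden() to confirm both directives are present; the linter does not address the DPI blocking the thread describes, only the two client-side settings.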
