[Worked around] OpenVPN Connect 3.0.3 != OpenVPN FreeBSD w/ OpenSSL

[pirzyk]

I nave just discovered a problem (and a workaround). My setup:

OpenVPN 2.4.7 server running on FreeBSD 12.0-RELEASE-p10

Code: Select all

216>openvpn --version
OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep  5 2019
library versions: OpenSSL 1.1.1a-freebsd  20 Nov 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

OpenVPN Connect 3.0.3-2104 client running on IOS 12.4.1

The connect client would not establish a connection, the server log showed this, over and over again:

Code: Select all

Sep 13 00:05:17 <daemon.notice> $HOSTNAME openvpn[1687]: TCP connection established with [AF_INET6]::ffff:$IP:61493
Sep 13 00:05:17 <daemon.notice> $HOSTNAME openvpn[1687]: $IP:61493 TLS: Initial packet from [AF_INET6]::ffff:$IP:61493, sid=53a5e20c d9b8bf94
Sep 13 00:05:17 <daemon.err> zephyr openvpn[1687]: $IP:61493 Connection reset, restarting [0]

The client log shows this:

Code: Select all

2019-09-09 09:08:00 Client exception in transport_recv_exclode: mbed TLS: SSL read error : SSL - The requested feature is not available
2019-09-09 09:08:00 Client terminated, restarting in 2000 ms...

The workaround is to re-compile the openvpn server with mbed TLS:

Code: Select all

225>openvpn --version
OpenVPN 2.4.7 amd64-portbld-freebsd12.0 [SSL (mbed TLS)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 13 2019
library versions: mbed TLS 2.16.2, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=yes enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=mbedtls with_gnu_ld=yes with_mem_check=no with_sysroot=no

Now OpenVPN Connect client for IOS works.

[dazo]

Can you please provide the complete client and server logs? In addition, we need to see server and client configuration files. The "SSL - The requested feature is not available" is typically some corner cases with features TLS protocol features mbed TLS has not implemented, and with the server rebuilt with mbed TLS these features are not even attempted used. But to better understand which features we're talking about, we need to see complete log files and configs.

[TinCanTech]

Can you please provide the complete client and server logs? In addition, we need to see server and client configuration files.

Please see this example:

viewtopic.php?f=30&t=22603#p68963

[pirzyk]

Here are redacted configs and logs for both the ipad and FreeBSD server:

IPAD.crt

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Illinois, L=CITY, O=ISSUER, OU=IT, CN=ISSUER CA/emailAddress=webmaster@DOMAIN
        Validity
            Not Before: Sep  6 21:24:05 2019 GMT
            Not After : Sep  5 21:24:05 2021 GMT
        Subject: C=US, ST=Illinois, O=DOMAIN, CN=IPAD
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    <REDACTED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                SUBJECTKEYID#2
            X509v3 Authority Key Identifier: 
                keyid:SUBJECTKEYID#1

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        <REDACTED>
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----

IPAD.key

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
<REDACTED>
-----END RSA PRIVATE KEY-----

IPAD.log

Code: Select all

19-08-13 00:08:49 Creds: UsernameEmpty/PasswordEmpty

2019-08-13 00:08:49 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.3-2104
IV_VER=3.git::728733ae
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_BS64DL=1


2019-08-13 00:08:49 VERIFY OK : depth=1
cert. version    : 3
serial number    : A3:D7:3C:93:57:B0:06:2A
issuer name      : C=US, ST=Illinois, L=CITY, O=ISSUER, OU=IT, CN=ISSUER CA, emailAddress=webmaster@DOMAIN
subject name      : C=US, ST=Illinois, L=CITY, O=ISSUER, OU=IT, CN=ISSUER CA, emailAddress=webmaster@DOMAIN
issued  on        : 2015-04-08 22:49:12
expires on        : 2025-04-05 22:49:12
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true


2019-08-13 00:08:49 VERIFY OK : depth=0
cert. version    : 3
serial number    : 10:31
issuer name      : C=US, ST=Illinois, L=CITY, O=ISSUER, OU=IT, CN=ISSUER CA, emailAddress=webmaster@DOMAIN
subject name      : C=US, ST=Illinois, O=DOMAIN, CN=VPNSERVER
issued  on        : 2019-09-06 01:35:01
expires on        : 2021-09-05 01:35:01
signed using      : RSA with SHA1
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : VPNSERVER, DOMAIN, ALTERNATENAME
ext key usage    : TLS Web Server Authentication, TLS Web Client Authentication


2019-08-13 00:08:49 Client exception in transport_recv_excode: mbed TLS: SSL read error : SSL - The requested feature is not available

2019-08-13 00:08:49 Client terminated, restarting in 2000 ms...

2019-08-13 00:08:52 EVENT: RECONNECTING

2019-08-13 00:08:52 EVENT: RESOLVE

2019-08-13 00:08:52 Contacting [IPv6]:1194/TCP via TCPv4

2019-08-13 00:08:52 EVENT: WAIT

2019-08-13 00:08:52 Connecting to [VPNSERVER]:1194 (IPv6) via TCPv4

2019-08-13 00:08:52 EVENT: CONNECTING

2019-08-13 00:08:52 Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client

IPAD.opvn

Code: Select all

client
dev tun
proto tcp
remote VPNSERVER 1194
nobind
ca $ISSUER.pem
cert IPAD.crt
key IPAD.key
tls-auth ta.key 1

ISSUER.pem

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            SERIAL#1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Illinois, L = CITY, O = ISSUER, OU = IT, CN = ISSUER CA, emailAddress = webmaster@DOMAIN
        Validity
            Not Before: Apr  8 22:49:12 2015 GMT
            Not After : Apr  5 22:49:12 2025 GMT
        Subject: C = US, ST = Illinois, L = CITY, O = ISSUER, OU = IT, CN = ISSUER CA, emailAddress = webmaster@DOMAIN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    <REDACTED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                SUBJECTKEYID#1
            X509v3 Authority Key Identifier: 
                keyid:SUBJECTKEYID#1
                DirName:/C=US/ST=Illinois/L=CITY/O=ISSUER/OU=IT/CN=ISSUER CA/emailAddress=webmaster@DOMAIN
                serial:SERIAL#1

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
        <REDACTED>
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----

VPNSERVER.conf

Code: Select all

port 1194
proto tcp
dev tun
ca /usr/local/etc/ssl/cert.pem
cert /usr/local/etc/ssl/VPNSERVER.crt
key /usr/local/etc/ssl/VPNSERVER.key
dh /usr/local/etc/ssl/dhparams.pem
topology subnet
server VPN-NET 255.255.255.240
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "remote-gateway VPNSERVERIP"
client-config-dir ccd
route VPN-NET 255.255.255.240
push "dhcp-option DNS 208.67.222.2"
push "dhcp-option DNS 208.67.220.2"
keepalive 10 120
tls-auth ta.key 0 
cipher AES-256-GCM
compress lz4-v2
push "compress lz4-v2"
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

VPNSERVER.crt

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: SERIAL
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Illinois, L=CITY, O=ISSUER, OU=IT, CN=ISSUER CA/emailAddress=webmaster@DOMAIN
        Validity
            Not Before: Sep  6 01:35:01 2019 GMT
            Not After : Sep  5 01:35:01 2021 GMT
        Subject: C=US, ST=Illinois, O=DOMAIN, CN=VPNSERVER
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    <REDACTED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                SUBJECTKEYID#2
            X509v3 Authority Key Identifier: 
                keyid:SUBJECTKEYID#1

            X509v3 Subject Alternative Name: 
                DNS:VPNSERVER, DNS:DOMAIN, DNS:ALTERNATENAME
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha1WithRSAEncryption
        <REDACTED>
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----

VPNSERVER.key

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
<REDACTED>
-----END RSA PRIVATE KEY-----

VPNSERVER.log

Code: Select all

Sep 13 00:20:46 <daemon.notice> VPNSERVER openvpn[1687]: TCP connection established with [AF_INET6]::ffff:IPv4:57748
Sep 13 00:20:46 <daemon.notice> VPNSERVER openvpn[1687]: IPv4:57748 TLS: Initial packet from [AF_INET6]::ffff:IPv4:57748, sid=937e2ec6 42d8d230
Sep 13 00:20:47 <daemon.err> VPNSERVER openvpn[1687]: IPv4:57748 Connection reset, restarting [0]
Sep 13 00:20:47 <daemon.notice> VPNSERVER openvpn[1687]: IPv4:57748 SIGUSR1[soft,connection-reset] received, client-instance restarting
Sep 13 00:20:49 <daemon.notice> VPNSERVER openvpn[1687]: TCP connection established with [AF_INET6]::ffff:IPv4:44547
Sep 13 00:20:49 <daemon.notice> VPNSERVER openvpn[1687]: IPv4:44547 TLS: Initial packet from [AF_INET6]::ffff:IPv4:44547, sid=77e7f555 894fb55f
Sep 13 00:20:49 <daemon.err> VPNSERVER openvpn[1687]: IPv4:44547 Connection reset, restarting [0]
Sep 13 00:20:49 <daemon.notice> VPNSERVER openvpn[1687]: IPv4:44547 SIGUSR1[soft,connection-reset] received, client-instance restarting

ta.key

Code: Select all

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
<REDACTED>
-----END OpenVPN Static key V1-----