I have a Raspberry Pi 4B running an OpenVPN server using the configuration below.
# Raspberry Pi 4B OpenVPN server configuration
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh4096.pem
crl-verify /etc/openvpn/server/crl.pem
server 10.199.10.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "block-outside-dns"
duplicate-cn
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-server
tls-auth /etc/openvpn/server/ta.key 0
remote-cert-tls client
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-version-min 1.2
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
comp-lzo
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
GalaxyS7 and a last one on an Ubuntu 18.04 using NetworkManager.
# galaxy client OpenVPN configuration
client
proto udp
dev tun
remote <serverURL> 1194
pkcs12 galaxy-to-server.p12
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-client
tls-auth ta.key 1
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-version-min 1.2
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
UBUNTU 18.04 NetworkManager OpenVPN settings
Identity Tab
Name: server TEST
Gateway: <serverURL>:1194
Type: Certificates (TLS)
CA certificate: ca.crt
User certificate: ubuntu-to-server.crt
User private key: ubuntu-to-server.key
User key password: ********
Advanced...
General Tab
Use LZO data compression: checked + adaptive
Set virtual device type: checked + TUN and name: tun
Security Tab
Cipher: AES-256-CBC
HMAC Authentication: SHA-512
TLS Authentication Tab
Verify peer (server) certificate usage signature: checked
Remote peer certificate TLS type: Server
Verify peer (server) certificate nsCertType designation: checked
Remote peer certificate nsCert designation: Server
Additional TLS authentication or encryption
Mode: TLS-Auth
Key File: ta.key
Key Direction: 1
after disconnecting the clients.
After disconnecting the iPad and the Galaxy clients, the server logfile shows a
line like this:
Thu Jan 23 15:43:00 2020 galaxy-to-server/XX.XX.XX.XX:65079 SIGTERM[soft,remote-exit] received, client-instance exiting
Disconnecting the Ubuntu client with the NetworkManager doesn't send any SIGTERM[soft,remote-exit] to
the server (or at least the server log doesn't have such a line).
From the Ubuntu side the connection seems closed and it's also possible to reconnect again to the OpenVPN server using
the NetworkManager. In this case, the corresponding connection lines are logged again in the server log.
When the connection from the Ubuntu client to the server is disconnected, a few
minutes later it seems that the server tries to reconnect to the Ubuntu client (see below).
This behaviour doesn't happen after disconnecting iPad or Galaxy clients.
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 SIGUSR1[soft,ping-restart] received, client-instance restarting
Looking at the server log, it seems that the iPad and the GalaxyS7 are using TLSv1.2 and
Ubuntu is using TLSv1.3.
What is wrong? Should I change any other setting in the NetworkManager?
Many thx!
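The two log patterns quoted above are the whole story of the difference: a client that announces its departure produces `SIGTERM[soft,remote-exit]`, while one that just stops sending packets only shows up once the server's `--keepalive`/`--ping-restart` window (120 s in this configuration, so the "few minutes later" restarts) has elapsed. The following script is an added example, not part of the post, that parses server-log lines of exactly this shape and separates the two cases per common name; the sample log is constructed from the lines quoted in the post, and the `keepalive` parsing relies on OpenVPN's documented behaviour that the server itself uses the given timeout and pushes twice that value to clients.

```python
"""Classify OpenVPN server-log disconnect events per client common name.

Added example (not from the forum post). It tells apart clients that signal
an explicit exit (SIGTERM[soft,remote-exit]) from clients that simply go
silent and are only noticed by the inactivity timeout (SIGUSR1[soft,ping-restart]).
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the post
# (peer addresses kept as the same XX.XX.XX.XX placeholder).
SAMPLE_LOG = """\
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:34 2020 ubuntu-to-server/XX.XX.XX.XX:44634 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 [ubuntu-to-server] Inactivity timeout (--ping-restart), restarting
Thu Jan 23 15:19:44 2020 ubuntu-to-server/XX.XX.XX.XX:39780 SIGUSR1[soft,ping-restart] received, client-instance restarting
Thu Jan 23 15:43:00 2020 galaxy-to-server/XX.XX.XX.XX:65079 SIGTERM[soft,remote-exit] received, client-instance exiting
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> <cn>/<addr>:<port> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<cn>[^/\s]+)/(?P<addr>[^:\s]+):(?P<port>\d+) "
    r"(?P<msg>.*)$"
)
# "SIGTERM[soft,remote-exit] received" / "SIGUSR1[soft,ping-restart] received"
SIGNAL_RE = re.compile(
    r"(?P<sig>SIG[A-Z0-9]+)\[(?P<kind>soft|hard),(?P<reason>[^\]]+)\] received"
)


def parse_line(line):
    """Return a dict with ts/cn/addr/port/msg/signal/reason, or None if not a client line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SIGNAL_RE.search(rec["msg"])
    rec["signal"] = s.group("sig") if s else None
    rec["reason"] = s.group("reason") if s else None
    return rec


def classify_disconnects(log_text):
    """Count disconnect reasons per common name.

    Result: {cn: {"remote-exit": n, "ping-restart": n, "other": n}}.
    """
    counts = defaultdict(lambda: {"remote-exit": 0, "ping-restart": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["signal"] is None:
            continue  # handshake, routing or other non-signal lines
        reason = rec["reason"] if rec["reason"] in ("remote-exit", "ping-restart") else "other"
        counts[rec["cn"]][reason] += 1
    return dict(counts)


def silent_droppers(counts):
    """Common names that only ever timed out and never announced an exit."""
    return sorted(cn for cn, c in counts.items()
                  if c["ping-restart"] and not c["remote-exit"])


def keepalive_timeouts(server_conf_line):
    """Derive the effective ping-restart timeouts from a 'keepalive <interval> <timeout>' line.

    Per the OpenVPN manual, the server applies <timeout> itself and pushes
    2*<timeout> to clients; "keepalive 10 120" therefore gives (120, 240).
    """
    parts = server_conf_line.split()
    if len(parts) != 3 or parts[0] != "keepalive":
        raise ValueError("expected 'keepalive <interval> <timeout>'")
    timeout = int(parts[2])
    return timeout, 2 * timeout


if __name__ == "__main__":
    by_cn = classify_disconnects(SAMPLE_LOG)
    for cn, c in sorted(by_cn.items()):
        print(f"{cn}: {c}")
    print("clients that never sent remote-exit:", silent_droppers(by_cn))
    print("server/client ping-restart seconds:", keepalive_timeouts("keepalive 10 120"))
```

Run against the real `/var/log/openvpn.log` (`classify_disconnects(open(path).read())`), a client that appears only under `ping-restart` is one whose disconnect the server never learned about directly, which is the Ubuntu/NetworkManager case the post describes; the `keepalive_timeouts` helper just makes the 120-second server-side window explicit so the timing of the restart lines can be checked against the configuration.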