
[Solved]constant reconnect problem

Posted: Mon Apr 27, 2015 10:51 am
by dusan.ilic
Hi all,

I am using OpenVPN Connect on a Samsung S4 with Android 5.0.1.

The problem is when I connect to my office server (always successfully) I can't ping anything, nor connect to any server in the office. When I try to connect I get disconnected, and then the app tries a reconnect and says again that it is a success, but the same problem pops up, again the reconnect... I think I isolated the problem within the logs, so any help with setting it up will be appreciated:

The log file errors:

Code:

Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Apr 27 10:29:33 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:43 2015 Ios_Test/212.200.65.245:27290 Authenticate/Decrypt packet error: cipher final failed
Mon Apr 27 10:29:53 2015 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

On my phone I am using a unified .ovpn file:

Code:

tls-client
dev tun
remote MyServIP 1194
resolv-retry infinite
explicit-exit-notify 3
nobind
persist-key
persist-tun
cipher BF-CBC
keysize 256
comp-lzo
verb 1

<ca>
-----BEGIN CERTIFICATE-----
my ca...
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
my crt
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
my key
-----END RSA PRIVATE KEY-----

</key>

ns-cert-type server

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
my serv key...
-----END OpenVPN Static key V1-----

</tls-auth>

pull

My server config is:

Code:

tls-client
dev tun0
remote MyIP 1194
resolv-retry infinite
explicit-exit-notify 3
nobind
persist-key
persist-tun
ca ca.crt
cert certName
key KeyName
ns-cert-type server
tls-auth KeyName 1
cipher BF-CBC
keysize 256
comp-lzo
verb 1
log-append      /var/log/openvpn/openvpn.log
status          /var/log/openvpn/status.log 10
pull

Thank you again for the help, any info will be appreciated.

Re: constant reconnect problem

Posted: Tue Apr 28, 2015 9:57 am
by maikcat
your configs are a liiiiitle messed up...

first remove from your server config:

Code:

tls-client
explicit-exit-notify 3
cert certName  *** is this your server crt?
key KeyName   *** is this your server key?
ns-cert-type server
tls-auth KeyName 1  *** this should be a file generated using openvpn --genkey --secret
keysize 256   *** blowfish supports 256 key size???
pull

also use the client directive in your client config

Michael.

Re: constant reconnect problem

Posted: Tue Apr 28, 2015 11:40 am
by dusan.ilic
Hi Michael, thanks for answering.

Blowfish supports variable key lengths from 32 bit up to 448 bit keys, so it supports a 256-bit key for sure.

But I am terribly sorry, I posted the wrong config file because I have multiple config files... here is the real one:

Code:

dev tun4
proto udp
local #myipaddress#
port 1194
topology subnet
server #server ip and mask#
push "echo ***********************************"
push "echo ** WELCOME TO COMPANY**"
push "echo ***********************************"
tls-server
script-security 2
tls-auth serverKey-ta.key 0
dh dh1024.pem
ca server-ca.crt
cert company-cert.crt
key company-key.key
crl-verify company-crl.pem
cipher BF-CBC
keysize 256
user nobody
group nogroup
chroot /path/to/chroot
#client-connect "python2.7 /etc/openvpn/path/mail.py"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
inactive 28800
log-append      /var/log/openvpn/openvpn-incoming.log
status          /var/log/openvpn/status-incoming.log 10
client-config-dir ./ccd
ccd-exclusive
mute-replay-warnings
verb 3
duplicate-cn
management #mngmntIpAndPort#

Re: constant reconnect problem

Posted: Tue Apr 28, 2015 11:49 am
by maikcat
> Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

can you please comment out keysize for now?

also please post the output of:

Code:

openvpn --show-ciphers | grep BF

Michael.

Re: constant reconnect problem

Posted: Tue Apr 28, 2015 12:04 pm
by dusan.ilic
Ok,

I have commented out the keysize, tried, and it didn't work.

for the command the output is:
BF-CBC 128 bit default key (variable)
BF-CFB 128 bit default key (variable)
BF-OFB 128 bit default key (variable)

Re: constant reconnect problem

Posted: Tue Apr 28, 2015 12:39 pm
by maikcat
can you please post the logs using verb 4?

Michael.

Re: constant reconnect problem

Posted: Thu May 07, 2015 12:54 pm
by dusan.ilic
Hello Michael, I am very sorry for responding late, but I had other issues.

Okay, you were right, I found the problem but I am stuck with it.

When you said that I should comment out keysize, I did it on the client side only because I couldn't afford to compromise the VPN server at the time, and that didn't work. But when I could, I commented out the keysize in the server config, and OpenVPN Connect worked and was OK. On the other side, all desktop VPN clients (OpenVPN GUI 1.0.3) now couldn't connect to my server, so I had to return it to the previous state.

The error for desktop clients was similar to the previous one in the logs, but reversed.

It was:

Code:

Mon Apr 27 10:28:52 2015 212.200.65.245:27290 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

And now it is:

Code:

Thu May  7 12:05:46 2015 212.178.228.151:15651 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'

So because I need 256 encryption, I will try to change to AES-256.
Do you know if I can just change the server and client config to AES-256-CBC 256 bit and not change the key, or would I have to generate a new key or something more?

Re: constant reconnect problem

Posted: Thu May 07, 2015 4:31 pm
by maikcat
> Do you know if I can just change the server and client config to AES-256-CBC 256 bit and not change the key, or would I have to generate a new key or something more?

if you can add the cipher directive to your configs then probably you will be ok...

keep in mind that this must be present on both sides.

Michael.
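
Added example (not part of the original thread): a small Python check that compares the options which must agree on both peers, run here against constructed configs reproducing the keysize mismatch from the logs above and the later AES-256-CBC setup. The default table is an assumption for OpenVPN 2.3-era builds; the BF-CBC value of 128 is the one shown in the --show-ciphers output in this thread.

```python
# Added example: flag OpenVPN options that must match on both peers.
# Assumption: defaults are those of OpenVPN 2.3-era builds. BF-CBC = 128
# matches the --show-ciphers output quoted in this thread.
DEFAULT_CIPHER = "BF-CBC"
DEFAULT_KEYSIZE = {"BF-CBC": 128, "AES-128-CBC": 128, "AES-256-CBC": 256}

def parse_options(text):
    """Map each directive to its first argument, skipping comments and inline <ca>-style blocks."""
    opts, inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):
            inline = not line.startswith("</")
            continue
        if inline or not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def effective(opts):
    """Resolve what the peer will actually use once defaults are applied."""
    cipher = opts.get("cipher", DEFAULT_CIPHER)
    keysize = int(opts["keysize"]) if opts.get("keysize") else DEFAULT_KEYSIZE.get(cipher)
    return {"cipher": cipher, "keysize": keysize, "comp-lzo": "comp-lzo" in opts}

def mismatches(server_text, client_text):
    """Return (option, server_value, client_value) for every disagreement."""
    s = effective(parse_options(server_text))
    c = effective(parse_options(client_text))
    return [(k, s[k], c[k]) for k in s if s[k] != c[k]]

# Constructed samples: only the lines relevant to the check.
SERVER_BF = "cipher BF-CBC\nkeysize 256\ncomp-lzo\n"
CLIENT_BF = """client
cipher BF-CBC
#keysize 256
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""
SERVER_AES = "cipher AES-256-CBC\ncomp-lzo\n"
CLIENT_AES = "client\ncipher AES-256-CBC\ncomp-lzo\n"

if __name__ == "__main__":
    print(mismatches(SERVER_BF, CLIENT_BF))    # keysize disagrees
    print(mismatches(SERVER_AES, CLIENT_AES))  # nothing to report
```
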

Re: constant reconnect problem

Posted: Mon May 11, 2015 8:25 am
by dusan.ilic
Thanks maikcat for the help and your time !

I found the time with minimal impact for users to change the config and reboot the server finally.

Anyhow, the problem is solved. The cipher in use can be changed as long as the key fits, so I migrated to AES 256 CBC and it works even better now on Android, iOS and Windows desktop clients, and for the client side it just needs the adjustment of the config file on the cipher line, so win-win.

Tnx again, I will try to contribute to the forum in future! :)

Re: [Solved]constant reconnect problem

Posted: Mon May 11, 2015 9:53 am
by maikcat
You're welcome,

Marked as Solved

Closing topic

Regards,

Michael.