OpenVPN Support Forum

I wanted to change the type of key used in OpenVPN so I started with a fresh /etc/openvpn on my server,

I change part of my intiale server.conf, redo all the key, certificate, ... for both the server and the cilents.

Everything is working fine with my PC but I can't manage to connect from both android and ios openvpn connect client.

On the device I have the following error:
TCP recv EOF
Transport Error: Transport error on 'MY_IP_XXXXXX: NETWORK_EOF_ERROR'

On the server I have
TLS: Initial packet from [AF_INET]
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, client-instance restarting

On both output I've removed the IP/PORTS for anonimity

My previous config was functional on all devices. I'm generating certificates/keys specific for each device so I can connect at the same time from different devices.

On both config (old and new) I have cipher AES-256-CBC

But on new config I have
tls-cipher TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
and: tls-version-min 1.2
(no parameter on previous config, I used easy-rsa to create the keys)

android app says: OPenVPN Connect 1.1.17 (build 76), core 3.0.12, Android version is 7.0, I have turn on the openvpn toggle "Force AES-CBC Ciphersuites"

oxygen77 wrote: ↑

Wed Oct 11, 2017 8:19 pm

TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

oxygen77 wrote: ↑

Wed Oct 11, 2017 8:19 pm

on new config I have
tls-cipher TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA

Just remove tls-cipher and restart ..

Thx TinCanTech for your answer

I tryed removing the tls-cipher option in both client and server config files,
=> on android device no change, still can't connect, also tested putting back the option in client config file
=> I had to put back the option in the pc config file in order to have it working

not that I generated EC keys using this command line: openssl ecparam -genkey -name secp384r1 -noout -out my_file.key

I'm pretty new to openvpn config & management, so I'm not sure how to understand the log output. I can't decide if
- the issue is that the key I generated are not supported by openvpn connect (while supported by the server and computer)
- the issue is elsewhere in the communication or in the param

oxygen77 wrote: ↑

Thu Oct 12, 2017 6:07 am

I tryed removing the tls-cipher option in both client and server config files,
..
=> I had to put back the option in the pc config file in order to have it working

The message is clear "No shared cipher" .: Do not specify the cipher, let openvpn decide on the best available "shared" cipher .. perhaps you did something wrong ?

oxygen77 wrote: ↑

Thu Oct 12, 2017 6:07 am

=> on android device no change, still can't connect, also tested putting back the option in client config file
..
not that I generated EC keys using this command line: openssl ecparam -genkey -name secp384r1 -noout -out my_file.key

I think also, you may have created incompatible certificates .. try using EasyRSA303 to create your PKI:
https://github.com/OpenVPN/easy-rsa/releases

I would like to understand my error before going to automated tools

I've removed the tls-cipher param

I've restart from scratch the param of the server and the client.

In order to create server key & certificate I'm doing:
#pki
openssl ecparam -genkey -name secp384r1 -noout -out ca.key
openssl req -new -sha256 -key ca.key -out ca.csr -subj "/CN=aturys.vpn"
openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# server key
openssl ecparam -genkey -name secp384r1 -noout -out server.key
openssl req -new -config server_ssl.cnf -key server.key -out server.csr
yes | openssl ca -config server_ssl.cnf -out server.crt -infiles server.csr
openssl dhparam 2048 -dsaparam -out dh2048.pem
openvpn --genkey --secret ta.key

and for client
openssl ecparam -genkey -name secp384r1 -noout -out client.key
openssl req -new -config client_ssl.cnf -key client.key -out client.csr
yes | openssl ca -config client_ssl.cnf -out client.crt -infiles client.csr

client & server cnf files are similar:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/openvpn/keys
new_certs_dir = $dir
unique_subject = no
certificate = $dir/ca.crt
database = $dir/index
private_key = $dir/ca.key
serial = $dir/serial
default_days = 365
default_md = sha256
policy = ca_policy
x509_extensions = ca_extensions
copy_extensions = copy
crlnumber = $dir/crlnumber
default_crl_days = 1825

[ ca_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ ca_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ req ]
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = server.vpn

[ req_ext ]
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth

my guess is that the secp384r1 is not supported on mobile platform ?