
No shared TLS ciphers

Posted: Thu Dec 21, 2017 9:55 pm
by Pestaninha
Hi,
I've set up OpenVPN in a FreeBSD jail. The configuration is working fine on my Mac, with Tunnelblick. However, on my Android, I'm unable to make it work... The connection won't establish and I'm greeted with the following log message on the server:

Dec 10 19:46:24 openvpn openvpn[91848]: 158...:58013 TLS: Initial packet from [AF_INET]158...:58013, sid=414ce6a3 656a09db
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS_ERROR: BIO read tls_read_plaintext error
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS Error: TLS object -> incoming plaintext read error
Dec 10 19:46:24 openvpn openvpn[91848]: 158...*:58013 TLS Error: TLS handshake failed
The configuration is the following:
Server:

local 172.16.1.35
port 443
proto udp
dev tun
ca /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/issued/VPNSERVER.crt
key /usr/local/etc/openvpn/pki/private/VPNSERVER.key
dh /usr/local/etc/openvpn/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
push "route 172.16.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/pki/private/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
Client:

client
dev tun
proto udp
remote 172.16.1.35 443
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert cert.crt
key pkey.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Can anyone help me with this issue? I've already tried to enable the force CBC ciphers option on the client without success... I have also analysed a pcap to check which TLS ciphers were being negotiated and matched the tls-ciphers to one of the proposed ciphers without success.

Re: No shared TLS ciphers

Posted: Thu Dec 21, 2017 10:11 pm
by TinCanTech
Try without the --tls-cipher line...

Re: No shared TLS ciphers

Posted: Fri Dec 22, 2017 2:54 pm
by ordex
TinCanTech is right.

ECDSA is not yet supported in ovpn3 core and thus in OpenVPN Connect for Android. It is on the roadmap, but not yet there. Therefore, if you force using it, there will be no common tls-ciphersuite.

Although TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA should work...
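A related check, added here as an example and not part of this thread or of OpenVPN itself: each entry in a --tls-cipher list can only be negotiated with a server certificate of the matching signature algorithm (TLS-ECDHE-ECDSA-* needs an ECDSA certificate, TLS-ECDHE-RSA-* and TLS-DHE-RSA-* need an RSA one), so before tuning the list it is worth reading the key algorithm out of the server certificate and filtering the list against it. The script below does that for the tls-cipher line from the first post. The helper names (suite_auth, usable_suites, cert_keytype, check_tls_cipher, make_demo_certs) are hypothetical, it needs only POSIX sh plus the openssl CLI, and the demo generates its own throw-away self-signed RSA and EC certificates rather than using anything from the poster's PKI.

```shell
#!/bin/sh
# Added example (not from the thread): check an OpenVPN --tls-cipher list
# against the signature algorithm of the server certificate. All helper
# names here are hypothetical.

# Authentication algorithm a suite in OpenVPN's IANA-style naming requires
# from the server certificate: ECDSA, RSA, or UNKNOWN (PSK, anon, ...).
suite_auth() {
  case "$1" in
    TLS-ECDHE-ECDSA-*) echo ECDSA ;;
    TLS-ECDHE-RSA-*|TLS-DHE-RSA-*|TLS-RSA-*) echo RSA ;;
    *) echo UNKNOWN ;;
  esac
}

# Print the entries of a colon-separated --tls-cipher list (arg 1) that a
# certificate of key type arg 2 (RSA or ECDSA) can actually use.
usable_suites() {
  printf '%s\n' "$1" | tr ':' '\n' | while read -r suite; do
    if [ "$(suite_auth "$suite")" = "$2" ]; then printf '%s\n' "$suite"; fi
  done
  return 0
}

# Key type of a PEM X.509 certificate, named the way the suite families do.
cert_keytype() {
  alg=$(openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm/ {print $4; exit}')
  case "$alg" in
    rsaEncryption) echo RSA ;;
    id-ecPublicKey) echo ECDSA ;;
    *) echo "UNKNOWN:$alg" ;;
  esac
}

# Report which configured suites the certificate supports; return 1 if none.
check_tls_cipher() {
  cert="$1"; list="$2"
  kt=$(cert_keytype "$cert")
  ok=$(usable_suites "$list" "$kt")
  echo "certificate key type: $kt"
  if [ -z "$ok" ]; then
    echo "no entry in --tls-cipher can be negotiated with this certificate"
    return 1
  fi
  echo "negotiable entries:"
  printf '  %s\n' $ok
}

# The tls-cipher line from the server config in the first post.
TLS_CIPHER_LIST='TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA'

# Constructed throw-away certificates for the demo (one RSA, one P-256 EC);
# prints the directory they were written to.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=rsa-server \
    -keyout "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/ec.key" -days 1 -subj /CN=ec-server \
    -out "$dir/ec.crt" 2>/dev/null
  echo "$dir"
}

# Demo: the full list from the post, then the list with only the ECDSA
# suite left, against each certificate type. Runs only if openssl exists.
if command -v openssl >/dev/null 2>&1; then
  demo=$(make_demo_certs)
  for c in rsa ec; do
    echo "== $demo/$c.crt, full list"
    check_tls_cipher "$demo/$c.crt" "$TLS_CIPHER_LIST" || true
    echo "== $demo/$c.crt, ECDSA suite only"
    check_tls_cipher "$demo/$c.crt" 'TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384' || true
  done
  rm -rf "$demo"
fi
```

Run it as `sh check_tls_cipher.sh`, or source it and call `check_tls_cipher /usr/local/etc/openvpn/pki/issued/VPNSERVER.crt "$TLS_CIPHER_LIST"` against the real server certificate. The point of the check: with an RSA certificate, only the second entry of the posted list is ever offered, and with an ECDSA certificate only the first one is, so a client that cannot do ECDSA at all would fail against an ECDSA-keyed server no matter what --tls-cipher says. Reading the key type off the certificate settles that question in one step.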

Re: No shared TLS ciphers

Posted: Sat Dec 23, 2017 6:58 am
by TiTex
I'm guessing you have to tick the "Force AES-CBC ciphersuites" in client preferences

Re: No shared TLS ciphers

Posted: Sun Dec 24, 2017 1:29 am
by Pestaninha
Damn it, I should have said that I had already tried without the tls-ciphers line. Totally forgot about that...
I have tried to match the ciphers negotiated by openvpn connect with the tls-ciphers line without success.

Could this be an issue with the certificate as well?

Re: No shared TLS ciphers

Posted: Sun Dec 24, 2017 11:41 am
by ordex
I don't think so.
What client are you using on Android? What version? I guess the tls-version-min option is what's left that could be creating the issue.

Re: No shared TLS ciphers

Posted: Wed Dec 27, 2017 2:03 pm
by Pestaninha
I'm using openvpn connect 1.1.27. I have also tried disabling the tls-version-min from the configuration without success.

Any ideas on how to troubleshoot this?

Re: No shared TLS ciphers

Posted: Wed Dec 27, 2017 3:52 pm
by TiTex
As I said, try
TiTex wrote:
Sat Dec 23, 2017 6:58 am
to tick the "Force AES-CBC ciphersuites" in client preferences

Re: No shared TLS ciphers

Posted: Thu Dec 28, 2017 1:59 pm
by Pestaninha
TiTex wrote:
Wed Dec 27, 2017 3:52 pm
As I said, try
TiTex wrote:
Sat Dec 23, 2017 6:58 am
to tick the "Force AES-CBC ciphersuites" in client preferences
Pestaninha wrote:
Thu Dec 21, 2017 9:55 pm
Can anyone help me with this issue? I've already tried to enable the force CBC ciphers option on the client without success...
Did that already...