OpenVPN Support Forum

Hello,
I use Openvpn Connect 3.0.6 on Android and OpenVPN 2.4.6 on linux server.
I have .ovpn conf file working on Windows, but not workind on Android

I got these logs:
//////////
client log
//////////
08:34:37.792 -- ----- OpenVPN Start -----
08:34:37.793 -- EVENT: CORE_THREAD_ACTIVE
08:34:37.798 -- Frame=512/2048/512 mssfix-ctrl=1250
08:34:37.800 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [persist-key]
6 [persist-tun]
11 [verb] [4]

08:34:37.802 -- EVENT: RESOLVE
08:34:37.814 -- Contacting x.x.x.x:1196 via UDP
08:34:37.815 -- EVENT: WAIT
08:34:37.916 -- Connecting to [x.x.x.x]:1196 (x.x.x.x) via UDPv4
08:34:37.917 -- EVENT: CONNECTING
08:34:37.921 -- Tunnel Options:V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client

08:34:37.922 -- Creds: UsernameEmpty/PasswordEmpty

08:34:37.923 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.2
IV_PLAT=android
IV_LZO=1
IV_AUTO_SESS=1
IV_BS64DL=1

08:34:37.923 -- VERIFY OK : depth=1
cert. version : 3
serial number : 5C:90:69:CF:5D:FB:DE:9C:44:2A:6D:09:80:C2:62:23
issuer name : L=Town, OU=Centrala, O=COMPANY spol. s r. o., DC=cz, DC=COMPANY, CN=COMPANY VPN CA 5
subject name : L=Town, OU=Centrala, O=COMPANY spol. s r. o., DC=cz, DC=COMPANY, CN=COMPANY VPN CA 5
issued on : 2018-03-02 14:56:28
expires on : 2038-03-02 15:06:26
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign

08:34:37.924 -- VERIFY OK : depth=0
cert. version : 3
serial number : 44:00:00:00:39:E3:8B:5B:32:A3:0D:61:79:00:00:00:00:00:39
issuer name : L=Town, OU=Centrala, O=COMPANY spol. s r. o., DC=cz, DC=COMPANY, CN=COMPANY VPN CA 5
subject name : L=Town, O=COMPANY spol. s r.o., OU=centrala, CN=ovpn2-ji.COMPANY.cz
issued on : 2018-03-22 10:34:10
expires on : 2020-03-22 10:44:10
signed using : RSA with SHA-256
RSA key size : 2048 bits
key usage : Key Encipherment, Data Encipherment
ext key usage : TLS Web Server Authentication

08:34:37.925 -- Client exception in transport_recv_excode: mbed TLS: SSL read error : SSL - Processing of the Certificate handshake message failed
08:34:37.926 -- Client terminated, restarting in 2000 ms...
08:34:39.849 -- EVENT: RECONNECTING
///////////
server log
///////////
Fri Jun 29 08:47:33 2018 us=416479 192.168.50.2:56403 TLS: Initial packet from [AF_INET]192.168.50.2:56403, sid=9881ecb9 e17973ef
Fri Jun 29 08:47:35 2018 us=517479 MULTI: multi_create_instance called
Fri Jun 29 08:47:35 2018 us=517598 192.168.50.2:58225 Re-using SSL/TLS context
Fri Jun 29 08:47:35 2018 us=517635 192.168.50.2:58225 LZO compression initializing
Fri Jun 29 08:47:35 2018 us=517749 192.168.50.2:58225 Control Channel MTU parms [ L:1622 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Fri Jun 29 08:47:35 2018 us=517786 192.168.50.2:58225 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jun 29 08:47:35 2018 us=517854 192.168.50.2:58225 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Jun 29 08:47:35 2018 us=517889 192.168.50.2:58225 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
///////////

Keyusage of the certificate on server side is "server"
Could you advice me ?
Pavel

How did you create your certificates ?

Also, you could post the successful Windows client log.

Hello,

Were you able to fix this error? I am facing exactly similar issue, but no ticks worked as of now

JJK

Old thread, but before some days I had the same problem: Android OpenVPN Client cannot connect to my MikroTik RB with this error.

Updating RB OS and rebuild all certificates not help. After many and many attempts I found a solution: the problem was in parameters on MikroTik terminal console during certificates creating. I´am not sure which exactly, but I think that trick is validity time: "days-valid=820".

My terminal commands was:
certificate add name=ovpn_ca-tpl country="XX" state="xxx" organization="xxx" locality="xxx" unit="xx" common-name=ovpn_ca key-size=4096 days-valid=820 key-usage=key-cert-sign,crl-sign
certificate add name=ovpn_server-tpl country="XX" state="xxx" organization="xxx" locality="xxx" unit="xx" common-name=ovpn_server key-size=4096 days-valid=820 key-usage=digital-signature,key-encipherment,tls-server

With new certificates I connect to my MikroTik from Android OpenVPN client successfully. I hope it will help you.

2019-05-07 14:32:15 officiellt bygge 0.7.8 körs på samsung SM-G973F (universal9820), Android 9 (PPR1.180610.011) API 28, ABI arm64-v8a, (samsung/beyond1lteeea/beyond1:9/PPR1.180610.011/G973FXXU1ASD5:user/release-keys)
2019-05-07 14:32:18 Bygger konfiguration…
2019-05-07 14:32:18 started Socket Thread
2019-05-07 14:32:18 Nätverksstatus: CONNECTED LTE to MOBILE 4g.tele2.se
2019-05-07 14:32:18 Debug state info: CONNECTED LTE to MOBILE 4g.tele2.se, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-05-07 14:32:18 Debug state info: CONNECTED LTE to MOBILE 4g.tele2.se, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-05-07 14:32:18 Vänta 0s sekunder mellan anslutningsförsök
2019-05-07 14:32:18 WARNING: Compression enabled, Compression has been used in the past to break encryption. Enabling decompression of received packet only. Sent packets are not compressed.
2019-05-07 14:32:18 Current Parameter Settings:
2019-05-07 14:32:18 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-05-07 14:32:18 mode = 0
2019-05-07 14:32:18 show_ciphers = DISABLED
2019-05-07 14:32:18 show_digests = DISABLED
2019-05-07 14:32:18 show_engines = DISABLED
2019-05-07 14:32:18 genkey = DISABLED
2019-05-07 14:32:18 key_pass_file = '[UNDEF]'
2019-05-07 14:32:18 show_tls_ciphers = DISABLED
2019-05-07 14:32:18 connect_retry_max = 0
2019-05-07 14:32:18 Connection profiles [0]:
2019-05-07 14:32:18 proto = udp
2019-05-07 14:32:18 local = '[UNDEF]'
2019-05-07 14:32:18 local_port = '[UNDEF]'
2019-05-07 14:32:18 remote = 'u855653.nvpn.so'
2019-05-07 14:32:18 remote_port = '1194'
2019-05-07 14:32:18 remote_float = DISABLED
2019-05-07 14:32:18 bind_defined = DISABLED
2019-05-07 14:32:18 bind_local = DISABLED
2019-05-07 14:32:18 bind_ipv6_only = DISABLED
2019-05-07 14:32:18 connect_retry_seconds = 2
2019-05-07 14:32:18 connect_timeout = 120
2019-05-07 14:32:18 socks_proxy_server = '[UNDEF]'
2019-05-07 14:32:18 socks_proxy_port = '[UNDEF]'
2019-05-07 14:32:18 tun_mtu = 1500
2019-05-07 14:32:18 tun_mtu_defined = ENABLED
2019-05-07 14:32:18 link_mtu = 1500
2019-05-07 14:32:18 link_mtu_defined = DISABLED
2019-05-07 14:32:18 tun_mtu_extra = 0
2019-05-07 14:32:18 tun_mtu_extra_defined = DISABLED
2019-05-07 14:32:18 mtu_discover_type = -1
2019-05-07 14:32:18 fragment = 1400
2019-05-07 14:32:18 mssfix = 1400
2019-05-07 14:32:18 explicit_exit_notification = 0
2019-05-07 14:32:18 tls_auth_file = '[UNDEF]'
2019-05-07 14:32:18 key_direction = not set
2019-05-07 14:32:18 tls_crypt_file = '[UNDEF]'
2019-05-07 14:32:18 tls_crypt_v2_file = '[UNDEF]'
2019-05-07 14:32:18 Connection profiles END
2019-05-07 14:32:18 remote_random = DISABLED
2019-05-07 14:32:18 ipchange = '[UNDEF]'
2019-05-07 14:32:18 dev = 'tun'
2019-05-07 14:32:18 dev_type = '[UNDEF]'
2019-05-07 14:32:18 dev_node = '[UNDEF]'
2019-05-07 14:32:18 lladdr = '[UNDEF]'
2019-05-07 14:32:18 topology = 1
2019-05-07 14:32:18 ifconfig_local = '[UNDEF]'
2019-05-07 14:32:18 ifconfig_remote_netmask = '[UNDEF]'
2019-05-07 14:32:18 ifconfig_noexec = DISABLED
2019-05-07 14:32:18 ifconfig_nowarn = ENABLED
2019-05-07 14:32:18 ifconfig_ipv6_local = '[UNDEF]'
2019-05-07 14:32:18 ifconfig_ipv6_netbits = 0
2019-05-07 14:32:18 ifconfig_ipv6_remote = '[UNDEF]'
2019-05-07 14:32:18 shaper = 0
2019-05-07 14:32:18 mtu_test = 0
2019-05-07 14:32:18 mlock = DISABLED
2019-05-07 14:32:18 keepalive_ping = 0
2019-05-07 14:32:18 keepalive_timeout = 0
2019-05-07 14:32:18 inactivity_timeout = 0
2019-05-07 14:32:18 ping_send_timeout = 0
2019-05-07 14:32:18 ping_rec_timeout = 0
2019-05-07 14:32:18 ping_rec_timeout_action = 0
2019-05-07 14:32:18 ping_timer_remote = DISABLED
2019-05-07 14:32:18 remap_sigusr1 = 0
2019-05-07 14:32:18 persist_tun = ENABLED
2019-05-07 14:32:18 persist_local_ip = DISABLED
2019-05-07 14:32:18 persist_remote_ip = DISABLED
2019-05-07 14:32:18 persist_key = DISABLED
2019-05-07 14:32:18 passtos = DISABLED
2019-05-07 14:32:18 resolve_retry_seconds = 1000000000
2019-05-07 14:32:18 resolve_in_advance = ENABLED
2019-05-07 14:32:18 username = '[UNDEF]'
2019-05-07 14:32:18 groupname = '[UNDEF]'
2019-05-07 14:32:18 chroot_dir = '[UNDEF]'
2019-05-07 14:32:18 cd_dir = '[UNDEF]'
2019-05-07 14:32:18 writepid = '[UNDEF]'
2019-05-07 14:32:18 up_script = '[UNDEF]'
2019-05-07 14:32:18 down_script = '[UNDEF]'
2019-05-07 14:32:18 down_pre = DISABLED
2019-05-07 14:32:18 up_restart = DISABLED
2019-05-07 14:32:18 up_delay = DISABLED
2019-05-07 14:32:18 daemon = DISABLED
2019-05-07 14:32:18 inetd = 0
2019-05-07 14:32:18 log = DISABLED
2019-05-07 14:32:18 suppress_timestamps = DISABLED
2019-05-07 14:32:18 machine_readable_output = ENABLED
2019-05-07 14:32:18 nice = 0
2019-05-07 14:32:18 verbosity = 4
2019-05-07 14:32:18 mute = 0
2019-05-07 14:32:18 gremlin = 0
2019-05-07 14:32:18 status_file = '[UNDEF]'
2019-05-07 14:32:18 status_file_version = 1
2019-05-07 14:32:18 status_file_update_freq = 60
2019-05-07 14:32:18 occ = ENABLED
2019-05-07 14:32:18 rcvbuf = 0
2019-05-07 14:32:18 sndbuf = 0
2019-05-07 14:32:18 sockflags = 0
2019-05-07 14:32:18 fast_io = DISABLED
2019-05-07 14:32:18 comp.alg = 2
2019-05-07 14:32:18 comp.flags = 1
2019-05-07 14:32:18 route_script = '[UNDEF]'
2019-05-07 14:32:18 route_default_gateway = '[UNDEF]'
2019-05-07 14:32:18 route_default_metric = 0
2019-05-07 14:32:18 route_noexec = DISABLED
2019-05-07 14:32:18 route_delay = 0
2019-05-07 14:32:18 route_delay_window = 30
2019-05-07 14:32:18 route_delay_defined = DISABLED
2019-05-07 14:32:18 route_nopull = DISABLED
2019-05-07 14:32:18 route_gateway_via_dhcp = DISABLED
2019-05-07 14:32:18 allow_pull_fqdn = DISABLED
2019-05-07 14:32:18 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-05-07 14:32:18 management_port = 'unix'
2019-05-07 14:32:18 management_user_pass = '[UNDEF]'
2019-05-07 14:32:18 management_log_history_cache = 250
2019-05-07 14:32:18 management_echo_buffer_size = 100
2019-05-07 14:32:18 management_write_peer_info_file = '[UNDEF]'
2019-05-07 14:32:18 management_client_user = '[UNDEF]'
2019-05-07 14:32:18 management_client_group = '[UNDEF]'
2019-05-07 14:32:18 management_flags = 16678
2019-05-07 14:32:18 shared_secret_file = '[UNDEF]'
2019-05-07 14:32:18 key_direction = not set
2019-05-07 14:32:18 ciphername = 'AES-256-CBC'
2019-05-07 14:32:18 ncp_enabled = ENABLED
2019-05-07 14:32:18 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-05-07 14:32:18 authname = 'SHA512'
2019-05-07 14:32:18 prng_hash = 'SHA1'
2019-05-07 14:32:18 prng_nonce_secret_len = 16
2019-05-07 14:32:18 keysize = 0
2019-05-07 14:32:18 engine = DISABLED
2019-05-07 14:32:18 replay = ENABLED
2019-05-07 14:32:18 mute_replay_warnings = ENABLED
2019-05-07 14:32:18 replay_window = 64
2019-05-07 14:32:18 replay_time = 15
2019-05-07 14:32:18 packet_id_file = '[UNDEF]'
2019-05-07 14:32:18 test_crypto = DISABLED
2019-05-07 14:32:18 tls_server = DISABLED
2019-05-07 14:32:18 tls_client = ENABLED
2019-05-07 14:32:18 key_method = 2
2019-05-07 14:32:18 ca_file = '[[INLINE]]'
2019-05-07 14:32:18 ca_path = '[UNDEF]'
2019-05-07 14:32:18 dh_file = '[UNDEF]'
2019-05-07 14:32:18 cert_file = '[UNDEF]'
2019-05-07 14:32:18 extra_certs_file = '[UNDEF]'
2019-05-07 14:32:18 priv_key_file = '[UNDEF]'
2019-05-07 14:32:18 pkcs12_file = '[UNDEF]'
2019-05-07 14:32:18 cipher_list = '[UNDEF]'
2019-05-07 14:32:18 cipher_list_tls13 = '[UNDEF]'
2019-05-07 14:32:18 tls_cert_profile = '[UNDEF]'
2019-05-07 14:32:18 tls_verify = '[UNDEF]'
2019-05-07 14:32:18 tls_export_cert = '[UNDEF]'
2019-05-07 14:32:18 verify_x509_type = 0
2019-05-07 14:32:18 verify_x509_name = '[UNDEF]'
2019-05-07 14:32:18 crl_file = '[UNDEF]'
2019-05-07 14:32:18 ns_cert_type = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_ku[i] = 0
2019-05-07 14:32:18 remote_cert_eku = '[UNDEF]'
2019-05-07 14:32:18 ssl_flags = 0
2019-05-07 14:32:18 tls_timeout = 2
2019-05-07 14:32:18 renegotiate_bytes = -1
2019-05-07 14:32:18 renegotiate_packets = 0
2019-05-07 14:32:18 renegotiate_seconds = 0
2019-05-07 14:32:18 handshake_window = 60
2019-05-07 14:32:18 transition_window = 3600
2019-05-07 14:32:18 single_session = DISABLED
2019-05-07 14:32:18 push_peer_info = DISABLED
2019-05-07 14:32:18 tls_exit = DISABLED
2019-05-07 14:32:18 tls_crypt_v2_genkey_type = '[UNDEF]'
2019-05-07 14:32:18 tls_crypt_v2_genkey_file = '[UNDEF]'
2019-05-07 14:32:18 tls_crypt_v2_metadata = '[UNDEF]'
2019-05-07 14:32:18 client = ENABLED
2019-05-07 14:32:18 pull = ENABLED
2019-05-07 14:32:18 auth_user_pass_file = 'stdin'
2019-05-07 14:32:18 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-05-07 14:32:18 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
2019-05-07 14:32:18 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-05-07 14:32:18 MANAGEMENT: CMD 'version 3'
2019-05-07 14:32:18 MANAGEMENT: CMD 'hold release'
2019-05-07 14:32:18 MANAGEMENT: CMD 'username 'Auth' rjqrpe27'
2019-05-07 14:32:18 MANAGEMENT: CMD 'bytecount 2'
2019-05-07 14:32:18 MANAGEMENT: CMD 'password [...]'
2019-05-07 14:32:18 MANAGEMENT: CMD 'state on'
2019-05-07 14:32:18 MANAGEMENT: CMD 'proxy NONE'
2019-05-07 14:32:19 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-05-07 14:32:19 LZO compression initializing
2019-05-07 14:32:19 Control Channel MTU parms [ L:1626 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2019-05-07 14:32:19 Data Channel MTU parms [ L:1626 D:1400 EF:126 EB:407 ET:0 EL:3 ]
2019-05-07 14:32:19 Fragmentation MTU parms [ L:1626 D:1400 EF:125 EB:407 ET:1 EL:3 ]
2019-05-07 14:32:19 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-05-07 14:32:19 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-05-07 14:32:19 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.209.164:1194
2019-05-07 14:32:19 Socket Buffers: R=[262144->262144] S=[262144->262144]
2019-05-07 14:32:19 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-05-07 14:32:19 UDP link local: (not bound)
2019-05-07 14:32:19 UDP link remote: [AF_INET]184.75.209.164:1194
2019-05-07 14:32:19 MANAGEMENT: >STATE:1557232339,WAIT,,,,,,
2019-05-07 14:32:20 MANAGEMENT: >STATE:1557232340,AUTH,,,,,,
2019-05-07 14:32:20 TLS: Initial packet from [AF_INET]184.75.209.164:1194, sid=4c5fc78f 62b53d76
2019-05-07 14:32:20 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-05-07 14:32:20 VERIFY OK: depth=1, C=BA, ST=NV, L=nVPN, O=nVpn, CN=nVpn CA, emailAddress=support@nvpn.net
2019-05-07 14:32:20 VERIFY OK: depth=0, C=BA, ST=NV, L=nVPN, O=nVpn, CN=server, emailAddress=support@nvpn.net
2019-05-07 14:32:20 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2019-05-07 14:32:20 [server] Peer Connection Initiated with [AF_INET]184.75.209.164:1194
2019-05-07 14:32:22 MANAGEMENT: >STATE:1557232341,GET_CONFIG,,,,,,
2019-05-07 14:32:22 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2019-05-07 14:32:22 AUTH: Received control message: AUTH_FAILED
2019-05-07 14:32:22 TCP/UDP: Closing socket
2019-05-07 14:32:22 SIGTERM[soft,auth-failure] received, process exiting
2019-05-07 14:32:22 MANAGEMENT: >STATE:1557232342,EXITING,auth-failure,,,,,


I need some feedback how too make it work!!