OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Nov 01, 2019 3:30 pm
by sha_dows
Hi,
I have an OpenVPN server instance on an Ubuntu 18 server. I already have clients on Linux that are able to connect to it.
I am trying to connect an Android phone (Huawei P30 lite). I generated a .ovpn file with certificates included, like for my other computers.
Edit: I just tested with a Samsung S7 and it works... it seems that something is wrong with Huawei phones.
My server settings:
port 443
proto tcp
dev tun
<certificate files...>
server 10.1.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 0
Client settings example (excluding certificates):
client
dev tun
proto tcp
remote X.X.X.X 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
I get these error messages in the server logs when I attempt to connect my Android device:
Sometimes this is the error:
Fri Nov 1 15:18:29 2019 TCP connection established with [AF_INET]67.218.223.210:43586
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 TLS: Initial packet from [AF_INET]67.218.223.210:43586, sid=0c6e2d1c e1fa28b9
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 VERIFY OK: depth=1, CN=Easy-RSA CA
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 VERIFY OK: depth=0, CN=mobile_marc
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 OpenSSL: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 OpenSSL: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 OpenSSL: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 TLS_ERROR: BIO read tls_read_plaintext error
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 TLS Error: TLS handshake failed
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 Fatal TLS error (check_tls_errors_co), restarting
Fri Nov 1 15:18:29 2019 67.218.223.210:43586 SIGUSR1[soft,tls-error] received, client-instance restarting
And other times this is the one:
Fri Nov 1 15:16:42 2019 TCP connection established with [AF_INET]67.218.223.210:43584
Fri Nov 1 15:16:42 2019 67.218.223.210:43584 TLS: Initial packet from [AF_INET]67.218.223.210:43584, sid=cd755526 5999b01c
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 VERIFY OK: depth=1, CN=Easy-RSA CA
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 VERIFY OK: depth=0, CN=mobile_marc
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 OpenSSL: error:04067084:rsa routines:rsa_ossl_public_decrypt:data too large for modulus
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 OpenSSL: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 TLS_ERROR: BIO read tls_read_plaintext error
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 TLS Error: TLS object -> incoming plaintext read error
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 TLS Error: TLS handshake failed
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 Fatal TLS error (check_tls_errors_co), restarting
Fri Nov 1 15:16:43 2019 67.218.223.210:43584 SIGUSR1[soft,tls-error] received, client-instance restarting
Do you have any clues on what would cause this issue?
Thanks
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Nov 01, 2019 3:54 pm
by TinCanTech
Which versions of OpenVPN are you using, server and client?
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Nov 01, 2019 5:22 pm
by sha_dows
Android:
OpenVPN Connect 3.0.7.(3565)
Server:
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
library versions: OpenSSL 1.1.1 11 Sep 2018, LZO 2.08
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Nov 01, 2019 6:55 pm
by TinCanTech
I cannot say what the problem could be with your phone, but you should try to get your server up to date.
Current version: 2.4.8
https://community.openvpn.net/openvpn/w ... twareRepos
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Wed Jan 15, 2020 10:00 pm
by sha_dows
Hi,
Sorry for the delay, I didn't receive any notice of your reply.
I installed the latest version:
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
Same issue. The mobile app keeps trying but fails to connect.
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Wed Jan 15, 2020 10:15 pm
by TinCanTech
Your client config above is missing the --tls-auth file line.
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Thu Jan 16, 2020 6:38 pm
by sha_dows
I excluded the certificates from the message, but yes, it is included:
client ovpn file:
client
dev tun
proto tcp
remote X.X.X.X 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Thu Jan 16, 2020 7:38 pm
by TinCanTech
sha_dows wrote (Fri Nov 01, 2019 5:22 pm):
Android:
OpenVPN Connect 3.0.7.(3565)
You could try this version:
https://github.com/schwabe/ics-openvpn
Or possibly report a bug here:
https://openvpn.net/portal/login/?ABS=L ... al-sign-in (Login required)
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Thu Jan 16, 2020 10:12 pm
by Pippin
Just a remark:
You are using --client-config-dir together with --duplicate-cn.
That can become problematic when assigning static tunnel IPs to clients that need multiple connections.
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Thu Jan 16, 2020 11:26 pm
by TinCanTech
No doubt a more complete log would have shown us this in the first place.

Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Jan 17, 2020 3:35 pm
by sha_dows
In my server setup, only a specific set of configs/certs has its IP configured. I don't have issues with IP assignment.
https://github.com/schwabe/ics-openvpn doesn't work either. This time something seems to be wrong with my config file. I have no passphrase, but it says: FATAL:Error: private key password verification failed
Client logs:
2020-01-16 15:00:51 version officielle 0.7.8 courir sur HUAWEI MAR-LX3A (MAR), Android 9 (HUAWEIMAR-L23A) API 28, ABI arm64-v8a, (HUAWEI/MAR-LX3A/HWMAR:9/HUAWEIMAR-L23A/9.1.0.318C605:user/release-keys)
2020-01-16 15:00:51 Création de la configuration…
2020-01-16 15:00:51 started Socket Thread
2020-01-16 15:00:51 État du réseau : CONNECTED to WIFI
2020-01-16 15:00:51 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2020-01-16 15:00:51 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2020-01-16 15:00:51 Current Parameter Settings:
2020-01-16 15:00:51 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2020-01-16 15:00:51 mode = 0
2020-01-16 15:00:51 show_ciphers = DISABLED
2020-01-16 15:00:51 show_digests = DISABLED
2020-01-16 15:00:51 show_engines = DISABLED
2020-01-16 15:00:51 genkey = DISABLED
2020-01-16 15:00:51 key_pass_file = '[UNDEF]'
2020-01-16 15:00:51 show_tls_ciphers = DISABLED
2020-01-16 15:00:51 0 secondes avant la prochaine tentative de connexion
2020-01-16 15:00:51 connect_retry_max = 0
2020-01-16 15:00:51 Connection profiles [0]:
2020-01-16 15:00:51 proto = tcp-client
2020-01-16 15:00:51 local = '[UNDEF]'
2020-01-16 15:00:51 local_port = '[UNDEF]'
2020-01-16 15:00:51 remote = '3.223.56.54'
2020-01-16 15:00:51 remote_port = '443'
2020-01-16 15:00:51 remote_float = DISABLED
2020-01-16 15:00:51 bind_defined = DISABLED
2020-01-16 15:00:51 bind_local = DISABLED
2020-01-16 15:00:51 bind_ipv6_only = DISABLED
2020-01-16 15:00:51 connect_retry_seconds = 2
2020-01-16 15:00:51 connect_timeout = 120
2020-01-16 15:00:51 socks_proxy_server = '[UNDEF]'
2020-01-16 15:00:51 socks_proxy_port = '[UNDEF]'
2020-01-16 15:00:51 tun_mtu = 1500
2020-01-16 15:00:51 tun_mtu_defined = ENABLED
2020-01-16 15:00:51 link_mtu = 1500
2020-01-16 15:00:51 link_mtu_defined = DISABLED
2020-01-16 15:00:51 tun_mtu_extra = 0
2020-01-16 15:00:51 tun_mtu_extra_defined = DISABLED
2020-01-16 15:00:51 mtu_discover_type = -1
2020-01-16 15:00:51 fragment = 0
2020-01-16 15:00:51 mssfix = 1450
2020-01-16 15:00:51 explicit_exit_notification = 0
2020-01-16 15:00:51 tls_auth_file = '[[INLINE]]'
2020-01-16 15:00:51 key_direction = 1
2020-01-16 15:00:51 tls_crypt_file = '[UNDEF]'
2020-01-16 15:00:51 tls_crypt_v2_file = '[UNDEF]'
2020-01-16 15:00:51 Connection profiles END
2020-01-16 15:00:51 remote_random = DISABLED
2020-01-16 15:00:51 ipchange = '[UNDEF]'
2020-01-16 15:00:51 dev = 'tun'
2020-01-16 15:00:51 dev_type = '[UNDEF]'
2020-01-16 15:00:51 dev_node = '[UNDEF]'
2020-01-16 15:00:51 lladdr = '[UNDEF]'
2020-01-16 15:00:51 topology = 1
2020-01-16 15:00:51 ifconfig_local = '[UNDEF]'
2020-01-16 15:00:51 ifconfig_remote_netmask = '[UNDEF]'
2020-01-16 15:00:51 ifconfig_noexec = DISABLED
2020-01-16 15:00:51 ifconfig_nowarn = ENABLED
2020-01-16 15:00:51 ifconfig_ipv6_local = '[UNDEF]'
2020-01-16 15:00:51 ifconfig_ipv6_netbits = 0
2020-01-16 15:00:51 ifconfig_ipv6_remote = '[UNDEF]'
2020-01-16 15:00:51 shaper = 0
2020-01-16 15:00:51 mtu_test = 0
2020-01-16 15:00:51 mlock = DISABLED
2020-01-16 15:00:51 keepalive_ping = 0
2020-01-16 15:00:51 keepalive_timeout = 0
2020-01-16 15:00:51 inactivity_timeout = 0
2020-01-16 15:00:51 ping_send_timeout = 0
2020-01-16 15:00:51 ping_rec_timeout = 0
2020-01-16 15:00:51 ping_rec_timeout_action = 0
2020-01-16 15:00:51 ping_timer_remote = DISABLED
2020-01-16 15:00:51 remap_sigusr1 = 0
2020-01-16 15:00:51 persist_tun = ENABLED
2020-01-16 15:00:51 persist_local_ip = DISABLED
2020-01-16 15:00:51 persist_remote_ip = DISABLED
2020-01-16 15:00:51 persist_key = DISABLED
2020-01-16 15:00:51 passtos = DISABLED
2020-01-16 15:00:51 resolve_retry_seconds = 1000000000
2020-01-16 15:00:51 resolve_in_advance = ENABLED
2020-01-16 15:00:51 username = '[UNDEF]'
2020-01-16 15:00:51 groupname = '[UNDEF]'
2020-01-16 15:00:51 chroot_dir = '[UNDEF]'
2020-01-16 15:00:51 cd_dir = '[UNDEF]'
2020-01-16 15:00:51 writepid = '[UNDEF]'
2020-01-16 15:00:51 up_script = '[UNDEF]'
2020-01-16 15:00:51 down_script = '[UNDEF]'
2020-01-16 15:00:51 down_pre = DISABLED
2020-01-16 15:00:51 up_restart = DISABLED
2020-01-16 15:00:51 up_delay = DISABLED
2020-01-16 15:00:51 daemon = DISABLED
2020-01-16 15:00:51 inetd = 0
2020-01-16 15:00:51 log = DISABLED
2020-01-16 15:00:51 suppress_timestamps = DISABLED
2020-01-16 15:00:51 machine_readable_output = ENABLED
2020-01-16 15:00:51 nice = 0
2020-01-16 15:00:51 verbosity = 4
2020-01-16 15:00:51 mute = 0
2020-01-16 15:00:51 gremlin = 0
2020-01-16 15:00:51 status_file = '[UNDEF]'
2020-01-16 15:00:51 status_file_version = 1
2020-01-16 15:00:51 status_file_update_freq = 60
2020-01-16 15:00:51 occ = ENABLED
2020-01-16 15:00:51 rcvbuf = 0
2020-01-16 15:00:51 sndbuf = 0
2020-01-16 15:00:51 sockflags = 0
2020-01-16 15:00:51 fast_io = DISABLED
2020-01-16 15:00:51 comp.alg = 0
2020-01-16 15:00:51 comp.flags = 0
2020-01-16 15:00:51 route_script = '[UNDEF]'
2020-01-16 15:00:51 route_default_gateway = '[UNDEF]'
2020-01-16 15:00:51 route_default_metric = 0
2020-01-16 15:00:51 route_noexec = DISABLED
2020-01-16 15:00:51 route_delay = 0
2020-01-16 15:00:51 route_delay_window = 30
2020-01-16 15:00:51 route_delay_defined = DISABLED
2020-01-16 15:00:51 route_nopull = DISABLED
2020-01-16 15:00:51 route_gateway_via_dhcp = DISABLED
2020-01-16 15:00:51 allow_pull_fqdn = DISABLED
2020-01-16 15:00:51 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2020-01-16 15:00:51 management_port = 'unix'
2020-01-16 15:00:51 management_user_pass = '[UNDEF]'
2020-01-16 15:00:51 management_log_history_cache = 250
2020-01-16 15:00:51 management_echo_buffer_size = 100
2020-01-16 15:00:51 management_write_peer_info_file = '[UNDEF]'
2020-01-16 15:00:51 management_client_user = '[UNDEF]'
2020-01-16 15:00:51 management_client_group = '[UNDEF]'
2020-01-16 15:00:51 management_flags = 16678
2020-01-16 15:00:51 shared_secret_file = '[UNDEF]'
2020-01-16 15:00:51 key_direction = 1
2020-01-16 15:00:51 ciphername = 'AES-256-CBC'
2020-01-16 15:00:51 ncp_enabled = ENABLED
2020-01-16 15:00:51 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2020-01-16 15:00:51 authname = 'SHA256'
2020-01-16 15:00:51 prng_hash = 'SHA1'
2020-01-16 15:00:51 prng_nonce_secret_len = 16
2020-01-16 15:00:51 keysize = 0
2020-01-16 15:00:51 engine = DISABLED
2020-01-16 15:00:51 replay = ENABLED
2020-01-16 15:00:51 mute_replay_warnings = DISABLED
2020-01-16 15:00:51 replay_window = 64
2020-01-16 15:00:51 replay_time = 15
2020-01-16 15:00:51 packet_id_file = '[UNDEF]'
2020-01-16 15:00:51 test_crypto = DISABLED
2020-01-16 15:00:51 tls_server = DISABLED
2020-01-16 15:00:51 tls_client = ENABLED
2020-01-16 15:00:51 key_method = 2
2020-01-16 15:00:51 ca_file = '[[INLINE]]'
2020-01-16 15:00:51 ca_path = '[UNDEF]'
2020-01-16 15:00:51 dh_file = '[UNDEF]'
2020-01-16 15:00:51 cert_file = '[[INLINE]]'
2020-01-16 15:00:51 extra_certs_file = '[UNDEF]'
2020-01-16 15:00:51 priv_key_file = '[[INLINE]]'
2020-01-16 15:00:51 pkcs12_file = '[UNDEF]'
2020-01-16 15:00:51 cipher_list = '[UNDEF]'
2020-01-16 15:00:51 cipher_list_tls13 = '[UNDEF]'
2020-01-16 15:00:51 tls_cert_profile = '[UNDEF]'
2020-01-16 15:00:51 tls_verify = '[UNDEF]'
2020-01-16 15:00:51 tls_export_cert = '[UNDEF]'
2020-01-16 15:00:51 verify_x509_type = 0
2020-01-16 15:00:51 verify_x509_name = '[UNDEF]'
2020-01-16 15:00:51 crl_file = '[UNDEF]'
2020-01-16 15:00:51 ns_cert_type = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 65535
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_ku[i] = 0
2020-01-16 15:00:51 remote_cert_eku = 'TLS Web Server Authentication'
2020-01-16 15:00:51 ssl_flags = 0
2020-01-16 15:00:51 tls_timeout = 2
2020-01-16 15:00:51 renegotiate_bytes = -1
2020-01-16 15:00:51 renegotiate_packets = 0
2020-01-16 15:00:51 renegotiate_seconds = 3600
2020-01-16 15:00:51 handshake_window = 60
2020-01-16 15:00:51 transition_window = 3600
2020-01-16 15:00:51 single_session = DISABLED
2020-01-16 15:00:51 push_peer_info = DISABLED
2020-01-16 15:00:51 tls_exit = DISABLED
2020-01-16 15:00:51 tls_crypt_v2_genkey_type = '[UNDEF]'
2020-01-16 15:00:51 tls_crypt_v2_genkey_file = '[UNDEF]'
2020-01-16 15:00:51 tls_crypt_v2_metadata = '[UNDEF]'
2020-01-16 15:00:51 client = ENABLED
2020-01-16 15:00:51 pull = ENABLED
2020-01-16 15:00:51 auth_user_pass_file = '[UNDEF]'
2020-01-16 15:00:51 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2020-01-16 15:00:51 library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
2020-01-16 15:00:51 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2020-01-16 15:00:51 MANAGEMENT: CMD 'version 3'
2020-01-16 15:00:51 MANAGEMENT: CMD 'hold release'
2020-01-16 15:00:51 MANAGEMENT: CMD 'proxy NONE'
2020-01-16 15:00:51 MANAGEMENT: CMD 'bytecount 2'
2020-01-16 15:00:51 MANAGEMENT: CMD 'state on'
2020-01-16 15:00:52 MGMT: Got unrecognized command>FATAL:Error: private key password verification failed
2020-01-16 15:00:52 OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
2020-01-16 15:00:52 Cannot load private key file [[INLINE]]
2020-01-16 15:00:52 MANAGEMENT: Client disconnected
2020-01-16 15:00:52 Error: private key password verification failed
2020-01-16 15:00:52 Exiting due to fatal error
2020-01-16 15:00:52 Process exited with exit value 1
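The decisive line in the client log above is OpenSSL's "X509_check_private_key:key values mismatch": the inline <cert> and <key> in that .ovpn do not belong to the same key pair, which is also consistent with the "bad signature" failures the server logged earlier in the thread. The script below is an added example for this thread, not code from the posters or from the OpenVPN project; it pulls the inline blocks out of a profile with sed, compares the public key derived from the certificate with the one derived from the private key using openssl(1), and also flags a key-direction line that has no tls-auth material to go with it (the function names are invented for the illustration).

```sh
#!/bin/sh
# Checks an OpenVPN client profile (.ovpn) for the two faults this thread
# touches on: a <cert>/<key> pair that does not belong together (the log's
# "X509_check_private_key:key values mismatch") and key-direction without
# any tls-auth material. Added example, not OpenVPN project code; the
# function names are made up for this illustration. Requires openssl(1).

# Print the body of an inline <tag> ... </tag> block from profile $1.
ovpn_inline() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

# SHA-256 of the public key carried by the <cert> or <key> block ($2).
# Fails (exit 1) when the block is missing or not parseable, rather than
# hashing an empty string, so two broken blocks can never "match".
# openssl skips any text before -----BEGIN, so a <cert> block that starts
# with the human-readable "Certificate: Data: ..." dump is handled too.
ovpn_pubkey_digest() {
    if [ "$2" = cert ]; then
        pem=$(ovpn_inline "$1" cert | openssl x509 -noout -pubkey 2>/dev/null)
    else
        pem=$(ovpn_inline "$1" key | openssl pkey -pubout 2>/dev/null)
    fi
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Exit 0 only when <cert> and <key> describe the same public key.
ovpn_keypair_matches() {
    c=$(ovpn_pubkey_digest "$1" cert) || return 1
    k=$(ovpn_pubkey_digest "$1" key) || return 1
    [ "$c" = "$k" ]
}

# Exit 0 when the profile has no key-direction, or has tls-auth material
# (an inline <tls-auth> block or a "tls-auth <file>" directive) with it.
ovpn_tls_auth_consistent() {
    grep -q '^key-direction' "$1" || return 0
    grep -q '^<tls-auth>' "$1" && return 0
    grep -q '^tls-auth ' "$1"
}

# Human-readable summary for one profile, e.g.: sh ovpn_check.sh client.ovpn
ovpn_check() {
    if ovpn_keypair_matches "$1"; then echo "cert/key: match"
    else echo "cert/key: MISMATCH or unreadable"; fi
    if ovpn_tls_auth_consistent "$1"; then echo "tls-auth: ok"
    else echo "tls-auth: key-direction set but no tls-auth material"; fi
}

if [ $# -eq 1 ]; then ovpn_check "$1"; fi
```

Run it against the profile before loading it into the phone; a "MISMATCH" result means the profile was assembled from a certificate and a key of different Easy-RSA requests and needs to be regenerated, which is what eventually resolved this thread.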
Re: OpenVPN Connect Android not able to connect, TLS error
Posted: Fri Jan 17, 2020 3:43 pm
by sha_dows
I just retried with a new .ovpn file and it works now. It looks like something was wrong with my original .ovpn file. The new server version might have helped as well.
Thanks