Android client cipher negotiation problem

osmanakol
OpenVpn Newbie
Posts: 3
Joined: Mon May 03, 2021 6:31 am

Android client cipher negotiation problem

Post by osmanakol » Mon May 03, 2021 2:18 pm

I want the client and server to negotiate the cipher with respect to "data-cipher", and the client should automatically choose the correct cipher type for the data channel, but I get an error: "Authentication failed: Data channel cipher negotiation failed (no shared cipher)". What is wrong? Could you help me?

Android Client Openvpn Version 3.5.6 with OPENSSL 1.1.1k
client
client

dev tun
dev tun-ipv6
proto tcp-client
# vpn server ip and port
remote <ip> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
# sslvpn server CA crt in raw format
<ca>
--STRIPPED INLINE CA CERT--
</ca>
ns-cert-type server
auth-nocache
auth SHA1
verb 4
compress lz4-v2
reneg-sec 0
tls-client
# sslvpn server cipher
route-method exe
route-delay 2
connect-retry 1 1
connect-retry-max 5
connect-timeout 10
auth-user-pass


Client_Log_File

05/03 15:24:21: Launching 'app' on pixel.
Install successfully finished in 3 s 583 ms.
$ adb shell am start -n "sslvpn.client/sslvpn.client.SplashScreen" -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
Connected to process 4331 on device 'pixel [emulator-5554]'.
Capturing and displaying logcat messages from application. This behavior can be disabled in the "Logcat output" section of the "Debugger" settings page.
I/s.sslvpn.clien: Not late-enabling -Xcheck:jni (already on)
I/s.sslvpn.clien: Unquickening 12 vdex files!
W/s.sslvpn.clien: Unexpected CPU variant for X86 using defaults: x86
D/NetworkSecurityConfig: No Network Security Config specified, using platform default
D/NetworkSecurityConfig: No Network Security Config specified, using platform default
D/libEGL: loaded /vendor/lib/egl/libEGL_emulation.so
D/libEGL: loaded /vendor/lib/egl/libGLESv1_CM_emulation.so
D/libEGL: loaded /vendor/lib/egl/libGLESv2_emulation.so
W/s.sslvpn.clien: Accessing hidden method Landroid/view/View;->computeFitSystemWindows(Landroid/graphics/Rect;Landroid/graphics/Rect;)Z (greylist, reflection, allowed)
W/s.sslvpn.clien: Accessing hidden method Landroid/view/ViewGroup;->makeOptionalFitsSystemWindows()V (greylist, reflection, allowed)
D/HostConnection: HostConnection::get() New Host Connection established 0xf0ca0a70, tid 4391
D/HostConnection: HostComposition ext ANDROID_EMU_CHECKSUM_HELPER_v1 ANDROID_EMU_native_sync_v2 ANDROID_EMU_dma_v1 ANDROID_EMU_direct_mem ANDROID_EMU_host_composition_v1 ANDROID_EMU_host_composition_v2 ANDROID_EMU_vulkan ANDROID_EMU_deferred_vulkan_commands ANDROID_EMU_vulkan_null_optional_strings ANDROID_EMU_vulkan_create_resources_with_requirements ANDROID_EMU_YUV_Cache ANDROID_EMU_async_unmap_buffer ANDROID_EMU_vulkan_ignored_handles ANDROID_EMU_vulkan_free_memory_sync ANDROID_EMU_vulkan_shader_float16_int8 ANDROID_EMU_vulkan_async_queue_submit GL_OES_vertex_array_object GL_KHR_texture_compression_astc_ldr ANDROID_EMU_host_side_tracing ANDROID_EMU_async_frame_commands ANDROID_EMU_gles_max_version_2
D/EGL_emulation: eglCreateContext: 0xf0ca1020: maj 2 min 0 rcv 2
D/EGL_emulation: eglMakeCurrent: 0xf0ca1020: ver 2 0 (tinfo 0xf0ff01d0) (first time)
I/Gralloc4: mapper 4.x is not supported
D/HostConnection: createUnique: call
D/HostConnection: HostConnection::get() New Host Connection established 0xf0ca0530, tid 4391
D/goldfish-address-space: allocate: Ask for block of size 0x100
D/goldfish-address-space: allocate: ioctl allocate returned offset 0x3fe757000 size 0x2000
D/HostConnection: HostComposition ext ANDROID_EMU_CHECKSUM_HELPER_v1 ANDROID_EMU_native_sync_v2 ANDROID_EMU_dma_v1 ANDROID_EMU_direct_mem ANDROID_EMU_host_composition_v1 ANDROID_EMU_host_composition_v2 ANDROID_EMU_vulkan ANDROID_EMU_deferred_vulkan_commands ANDROID_EMU_vulkan_null_optional_strings ANDROID_EMU_vulkan_create_resources_with_requirements ANDROID_EMU_YUV_Cache ANDROID_EMU_async_unmap_buffer ANDROID_EMU_vulkan_ignored_handles ANDROID_EMU_vulkan_free_memory_sync ANDROID_EMU_vulkan_shader_float16_int8 ANDROID_EMU_vulkan_async_queue_submit GL_OES_vertex_array_object GL_KHR_texture_compression_astc_ldr ANDROID_EMU_host_side_tracing ANDROID_EMU_async_frame_commands ANDROID_EMU_gles_max_version_2
I/OpenGLRenderer: Davey! duration=1445ms; Flags=1, IntendedVsync=67665624740738, Vsync=67665624740738, OldestInputEvent=9223372036854775807, NewestInputEvent=0, HandleInputStart=67665628069330, AnimationStart=67665628081252, PerformTraversalsStart=67665628092286, DrawStart=67666273346893, SyncQueued=67666294028780, SyncStart=67666306270901, IssueDrawCommandsStart=67666306947385, SwapBuffers=67666922013067, FrameCompleted=67667082888689, DequeueBufferDuration=110005, QueueBufferDuration=2350877, GpuCompleted=0,
I/EngineFactory: Provider GmsCore_OpenSSL not available
D/Act: Activity not found
I/AppCompatViewInflater: app:theme is now deprecated. Please move to using android:theme instead.
I/s.sslvpn.clien: Waiting for a blocking GC ProfileSaver
I/s.sslvpn.clien: WaitForGcToComplete blocked ProfileSaver on RunEmptyCheckpoint for 10.875ms
D/CompatibilityChangeReporter: Compat change id reported: 147798919; UID 10160; state: ENABLED
I/s.sslvpn.clien: JIT allocated 74KB for compiled code of void android.view.View.<init>(android.content.Context, android.util.AttributeSet, int, int)
D/OpenVPNClient: CLI: onStart
D/OpenVPNService: SERV: Service onCreate called
I/JellyBeanHack: Build.VERSION.SDK_INT=30
D/OpenVPNService: SERV: onStartCommand action=net.openvpn.openvpn.ACTION_IMPORT_PROFILE_VIA_PATH
D/PrefUtil: get_string_by_profile: key='epki_alias.ip [dsadsadsadsa]' value='DISABLE_CLIENT_CERT'
D/OpenVPNService: SERV: refresh profiles:
D/OpenVPNService: SERV: Profile name='ip [dsadsadsadsa]' ofn='dsadsadsadsa.ovpn' userlock= auto=false epki=true/DISABLE_CLIENT_CERT sl= sc=null dc=null
D/OpenVPNService: SERV: onBind intent=Intent { act=net.openvpn.openvpn.BIND cmp=sslvpn.client/.OpenVPNService }
I/OpenGLRenderer: Davey! duration=1218ms; Flags=1, IntendedVsync=67671025058731, Vsync=67671308392053, OldestInputEvent=9223372036854775807, NewestInputEvent=0, HandleInputStart=67671320840933, AnimationStart=67671320850672, PerformTraversalsStart=67671320866704, DrawStart=67671654705055, SyncQueued=67671666264374, SyncStart=67671677989148, IssueDrawCommandsStart=67671678226864, SwapBuffers=67672224874642, FrameCompleted=67672255233044, DequeueBufferDuration=141673, QueueBufferDuration=11116143, GpuCompleted=72904454231491230,
D/PrefUtil: get_boolean: pause_vpn_on_blanked_screen=false
I/OpenVPNService: ConnectivityReceiver: CONNECTIVITY_ACTION conn=true fo=false
D/OpenVPNService: SERV: client attach n_clients=1
D/OpenVPNClient: CLI: post bind
D/PrefUtil: get_string_by_profile: key='username.ip [dsadsadsadsa]' value='asdsad'
D/PrefUtil: get_boolean_by_profile: key='auth_password_save.ip [dsadsadsadsa]' value=false
D/PrefUtil: get_boolean: auto_keyboard=true
I/Choreographer: Skipped 64 frames! The application may be doing too much work on its main thread.
I/OpenGLRenderer: Davey! duration=2454ms; Flags=1, IntendedVsync=67671333338953, Vsync=67672400005577, OldestInputEvent=9223372036854775807, NewestInputEvent=0, HandleInputStart=67672402921283, AnimationStart=67672402930745, PerformTraversalsStart=67672403622774, DrawStart=67672453316640, SyncQueued=67672534339643, SyncStart=67672547237141, IssueDrawCommandsStart=67672547501923, SwapBuffers=67673761788085, FrameCompleted=67673800302463, DequeueBufferDuration=644236, QueueBufferDuration=10423825, GpuCompleted=43984843964424,
I/AssistStructure: Flattened final assist data: 5704 bytes, containing 1 windows, 45 views
W/IInputConnectionWrapper: getTextBeforeCursor on inactive InputConnection
W/IInputConnectionWrapper: getSelectedText on inactive InputConnection
W/IInputConnectionWrapper: getTextAfterCursor on inactive InputConnection
W/IInputConnectionWrapper: getTextBeforeCursor on inactive InputConnection
W/IInputConnectionWrapper: getSelectedText on inactive InputConnection
W/IInputConnectionWrapper: getTextAfterCursor on inactive InputConnection
W/IInputConnectionWrapper: beginBatchEdit on inactive InputConnection
getTextBeforeCursor on inactive InputConnection
W/IInputConnectionWrapper: endBatchEdit on inactive InputConnection
D/PrefUtil: set_string_by_profile: key='username.ip [dsadsadsadsa]' value='uouo'
D/PrefUtil: set_boolean_by_profile: key='auth_password_save.ip [dsadsadsadsa]' value=false
D/PrefUtil: get_string: vpn_proto='adaptive'
D/PrefUtil: get_string: conn_timeout='60'
get_string: compression_mode='yes'
D/OpenVPNService: SERV: client attach n_clients=1
D/OpenVPNClientBase: CLI: submitConnectIntent: ip [dsadsadsadsa]
D/OpenVPNService: SERV: onStartCommand action=net.openvpn.openvpn.CONNECT
D/OpenVPNService: SERV: profile file len=1734
D/PrefUtil: get_boolean: tun_persist=false
D/PrefUtil: get_boolean: google_dns_fallback=true
get_boolean: force_aes_cbc_ciphersuites=true
I/OpenVPNService: SERV: CONNECT prof=ip [dsadsadsadsa] user=uouo proxy= serv=ip proto=adaptive to=60 resp=null epki_alias=DISABLE_CLIENT_CERT comp=yes
D/PrefUtil: set_string: autostart_profile_name='ip [dsadsadsadsa]'
I/OpenVPNService: EVENT: CORE_THREAD_ACTIVE
D/OpenVPNService: SOCKET PROTECT: fd=74 protected status=true
D/PrefUtil: get_boolean: auto_keyboard=true
I/OpenVPNService: LOG: OpenVPN core 3.5.6 android i386 32-bit
I/OpenVPNService: LOG: Frame=512/2048/512 mssfix-ctrl=1250
I/OpenVPNService: LOG: UNUSED OPTIONS
1 [dev] [tun]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
11 [auth-nocache]
13 [verb] [3]
15 [tls-client]
16 [route-method] [exe]
17 [route-delay] [2]
18 [connect-retry] [1] [1]
19 [connect-retry-max] [5]
20 [connect-timeout] [10]
I/OpenVPNService: EVENT: RESOLVE
I/OpenVPNService: LOG: Contacting ip:port via TCPv4
I/OpenVPNService: EVENT: WAIT
I/OpenVPNService: LOG: Connecting to [ip]:port (ip) via TCPv4
I/OpenVPNService: EVENT: CONNECTING
I/OpenVPNService: LOG: Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
I/OpenVPNService: LOG: Creds: Username/Password
I/OpenVPNService: LOG: Peer Info:
IV_VER=3.5.6
IV_PLAT=android
IV_LZO=1
IV_GUI_VER=sslvpn.client.android 2.3.0-1
IV_BS64DL=1
D/OpenVPNService: EXIT: connect() exited, err=false, msg=''
I/OpenVPNService: STAT BYTES_IN=2091
STAT BYTES_OUT=900
STAT PACKETS_IN=6
STAT PACKETS_OUT=7
I/OpenVPNService: STAT AUTH_FAILED=1
I/OpenVPNService: LOG: VERIFY OK: depth=1
I/OpenVPNService: LOG: VERIFY OK: depth=0
I/OpenVPNService: LOG: SSL Handshake:
I/OpenVPNService: LOG: Session is ACTIVE
I/OpenVPNService: EVENT: GET_CONFIG
I/OpenVPNService: LOG: Sending PUSH_REQUEST to server...
I/OpenVPNService: LOG: AUTH_FAILED
I/OpenVPNService: EVENT: AUTH_FAILED info='Data channel cipher negotiation failed (no shared cipher)'
I/OpenVPNService: EVENT: DISCONNECTED
D/PrefUtil: delete_key: key='autostart_profile_name'
I/OpenVPNService: EVENT: CORE_THREAD_INACTIVE
D/PrefUtil: get_boolean_by_profile: key='auth_password_save.ip [dsadsadsadsa]' value=false
D/PrefUtil: get_boolean: auto_keyboard=true
I/Choreographer: Skipped 31 frames! The application may be doing too much work on its main thread.
I/OpenGLRenderer: Davey! duration=818ms; Flags=0, IntendedVsync=67680608310361, Vsync=67681124977007, OldestInputEvent=9223372036854775807, NewestInputEvent=0, HandleInputStart=67681138996287, AnimationStart=67681139005177, PerformTraversalsStart=67681150366304, DrawStart=67681156690293, SyncQueued=67681160022174, SyncStart=67681199070494, IssueDrawCommandsStart=67681199376168, SwapBuffers=67681269911306, FrameCompleted=67681465407948, DequeueBufferDuration=144525, QueueBufferDuration=2069990, GpuCompleted=0,


Server Openvpn Version 2.5.1 with OPENSSL 1.0.2
server

topology subnet

script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
tls-server
client-config-dir ccd
ifconfig-pool-persist ipp.txt 0

verify-client-cert none
management-client-auth
username-as-common-name
ca <tt-root-s3.pem>
cert <server.crt>
key <server.key>
dh <dh2048.dem>

reneg-sec 0
status <status log>
management <management app unix socket>
dev tun1
dev-type tun
port <port>
proto tcp-server
data-ciphers "AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC"
data-ciphers-fallback "AES-256-CBC"
auth SHA1
compress lz4
push "compress lz4"
;local any
server x.x.x.x y.y.y.y
max-clients 100
;client-to-client
;duplicate-cn
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DOMAIN DOMAIN"
;push "dhcp-option DNS IP_ADDRESS"
;push "dhcp-option DNS IP_ADDRESS"
;float
;no push route


Server Log

May 3 14:00:48 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:34014 Connection reset, restarting [0]
May 3 14:00:48 2021 SSLVPN: action=client-connect auth_type=user two_factor_auth=False login=Success message=Valid config=ssl-vpn dev=tun1 username=osman@localhost.localdomain common_name=osman@localhost.localdomain client_ip=10.8.3.2 remote_ip=192.168.0.120 connect_time_unix=1620039646 disconnect_time_unix= duration_time= duration_time_seconds= sent_bytes= received_bytes=
May 3 14:02:03 2021 SSLVPN: OpenVPN CLIENT LIST
May 3 14:02:03 2021 SSLVPN: Updated,2021-05-03 14:02:03
May 3 14:02:03 2021 SSLVPN: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
May 3 14:02:03 2021 SSLVPN: ROUTING TABLE
May 3 14:02:03 2021 SSLVPN: Virtual Address,Common Name,Real Address,Last Ref
May 3 14:02:03 2021 SSLVPN: GLOBAL STATS
May 3 14:02:03 2021 SSLVPN: Max bcast/mcast queue length,0
May 3 14:02:03 2021 SSLVPN: END
May 3 14:03:18 2021 SSLVPN: TCP connection established with [AF_INET6]::ffff:192.168.0.120:34140
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 peer info: IV_VER=3.5.6
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 peer info: IV_PLAT=android
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 peer info: IV_LZO=1
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 peer info: IV_GUI_VER=sslvpn.client.android_2.3.0-1
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 peer info: IV_BS64DL=1
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1552', remote='link-mtu 1544'
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
May 3 14:03:18 2021 SSLVPN: 192.168.0.120:34140 [osman@localhost.localdomain] Peer Connection Initiated with [AF_INET6]::ffff:192.168.0.120:34140
May 3 14:03:19 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:34140 MULTI_sva: pool returned IPv4=10.8.3.2, IPv6=(Not enabled)
May 3 14:03:19 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:34140 PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-128-GCM', client supports cipher 'BF-CBC'
May 3 14:03:19 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:34140 Connection reset, restarting [0]
May 3 14:03:19 2021 SSLVPN: action=client-connect auth_type=user two_factor_auth=False login=Success message=Valid config=ssl-vpn dev=tun1 username=osman@localhost.localdomain common_name=osman@localhost.localdomain client_ip=10.8.3.2 remote_ip=192.168.0.120 connect_time_unix=1620039798 disconnect_time_unix= duration_time= duration_time_seconds= sent_bytes= received_bytes=

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Android client cipher negotiation problem

Post by TinCanTech » Mon May 03, 2021 2:49 pm

Try adding some --data-ciphers to your client or removing them from your server ..

osmanakol
OpenVpn Newbie
Posts: 3
Joined: Mon May 03, 2021 6:31 am

Re: Android client cipher negotiation problem

Post by osmanakol » Wed May 05, 2021 7:14 am

I tried all possible combinations :) For example, adding some --data-ciphers to just the client, or adding some --data-cipher to both server and client, or adding some --data-ciphers to just the server, but none of them work. I have one more test case, different from the others: adding some --data-ciphers to the server and setting one of the data-cipher values as the cipher parameter in the client, but that is not data channel negotiation :(

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Android client cipher negotiation problem

Post by TinCanTech » Wed May 05, 2021 11:08 am

osmanakol wrote:
Wed May 05, 2021 7:14 am
I tried all possible combination

I doubt that ..

osmanakol wrote:
Mon May 03, 2021 2:18 pm
PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-128-GCM', client supports cipher 'BF-CBC'

Add

data-ciphers "AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC"
data-ciphers-fallback "AES-256-CBC"

to your client.

osmanakol
OpenVpn Newbie
Posts: 3
Joined: Mon May 03, 2021 6:31 am

Re: Android client cipher negotiation problem

Post by osmanakol » Fri May 07, 2021 7:35 am

TinCanTech wrote:
Wed May 05, 2021 11:08 am
osmanakol wrote:
Wed May 05, 2021 7:14 am
I tried all possible combination

I doubt that ..

osmanakol wrote:
Mon May 03, 2021 2:18 pm
PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-128-GCM', client supports cipher 'BF-CBC'

Add

data-ciphers "AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC"
data-ciphers-fallback "AES-256-CBC"

to your client.

Same error, Authentication failed: Data channel cipher negotiation failed (no shared cipher)

Server Log

May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 peer info: IV_LZO=1
May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 peer info: IV_GUI_VER=sslvpn.client.android_2.3.0-1
May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 peer info: IV_BS64DL=1
May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
May 7 07:28:24 2021 SSLVPN: 192.168.0.120:54272 [osman@localhost.localdomain] Peer Connection Initiated with [AF_INET6]::ffff:192.168.0.120:54272
May 7 07:28:25 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54272 MULTI_sva: pool returned IPv4=10.8.3.2, IPv6=(Not enabled)
May 7 07:28:25 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54272 PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC', client supports cipher 'BF-CBC'
May 7 07:28:25 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54272 Connection reset, restarting [0]
May 7 07:28:25 2021 SSLVPN: action=client-connect auth_type=user two_factor_auth=False login=Success message=Valid config=ssl-vpn dev=tun1 username=osman@localhost.localdomain common_name=osman@localhost.localdomain client_ip=10.8.3.2 remote_ip=192.168.0.120 connect_time_unix=1620361704 disconnect_time_unix= duration_time= duration_time_seconds= sent_bytes= received_bytes=
May 7 07:28:44 2021 SSLVPN: TCP connection established with [AF_INET6]::ffff:192.168.0.120:54288
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 peer info: IV_VER=3.5.6
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 peer info: IV_PLAT=android
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 peer info: IV_LZO=1
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 peer info: IV_GUI_VER=sslvpn.client.android_2.3.0-1
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 peer info: IV_BS64DL=1
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1544'
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
May 7 07:28:45 2021 SSLVPN: 192.168.0.120:54288 [osman@localhost.localdomain] Peer Connection Initiated with [AF_INET6]::ffff:192.168.0.120:54288
May 7 07:28:45 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54288 MULTI_sva: pool returned IPv4=10.8.3.2, IPv6=(Not enabled)
May 7 07:28:45 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54288 PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC', client supports cipher 'BF-CBC'
May 7 07:28:45 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54288 Connection reset, restarting [0]
May 7 07:28:45 2021 SSLVPN: action=client-connect auth_type=user two_factor_auth=False login=Success message=Valid config=ssl-vpn dev=tun1 username=osman@localhost.localdomain common_name=osman@localhost.localdomain client_ip=10.8.3.2 remote_ip=192.168.0.120 connect_time_unix=1620361724 disconnect_time_unix= duration_time= duration_time_seconds= sent_bytes= received_bytes=


Client log

D/PrefUtil: set_string_by_profile: key='username.192.168.0.21 [sfsdfdsf]' value='osman@localhost.localdomain'
D/PrefUtil: set_boolean_by_profile: key='auth_password_save.192.168.0.21 [sfsdfdsf]' value=false
get_string: vpn_proto='adaptive'
get_string: conn_timeout='60'
get_string: compression_mode='yes'
D/OpenVPNService: SERV: client attach n_clients=1
D/OpenVPNClientBase: CLI: submitConnectIntent: 192.168.0.21 [sfsdfdsf]
D/OpenVPNService: SERV: onStartCommand action=net.openvpn.openvpn.CONNECT
D/OpenVPNService: SERV: profile file len=1856
D/PrefUtil: get_boolean: tun_persist=false
D/PrefUtil: get_boolean: google_dns_fallback=true
get_boolean: force_aes_cbc_ciphersuites=true
I/OpenVPNService: SERV: CONNECT prof=192.168.0.21 [sfsdfdsf] user=osman@localhost.localdomain proxy= serv=192.168.0.21 proto=adaptive to=60 resp=null epki_alias=DISABLE_CLIENT_CERT comp=yes
D/PrefUtil: set_string: autostart_profile_name='192.168.0.21 [sfsdfdsf]'
I/OpenVPNService: EVENT: CORE_THREAD_ACTIVE
D/OpenVPNService: SOCKET PROTECT: fd=95 protected status=true
D/PrefUtil: get_boolean: auto_keyboard=true
I/OpenVPNService: LOG: OpenVPN core 3.5.6 android i386 32-bit
I/OpenVPNService: LOG: Frame=512/2048/512 mssfix-ctrl=1250
I/OpenVPNService: LOG: UNUSED OPTIONS
1 [dev] [tun]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
11 [auth-nocache]
13 [verb] [3]
15 [tls-client]
16 [data-ciphers] [AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-...]
17 [data-ciphers-fallback] [AES-256-CBC]
18 [route-method] [exe]
19 [route-delay] [2]
20 [connect-retry] [1] [1]
21 [connect-retry-max] [5]
22 [connect-timeout] [10]
I/OpenVPNService: EVENT: RESOLVE
I/OpenVPNService: LOG: Contacting 192.168.0.21:4443 via TCPv4
I/OpenVPNService: EVENT: WAIT
I/OpenVPNService: LOG: Connecting to [192.168.0.21]:4443 (192.168.0.21) via TCPv4
I/OpenVPNService: EVENT: CONNECTING
I/OpenVPNService: LOG: Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
I/OpenVPNService: LOG: Creds: Username/Password
I/OpenVPNService: LOG: Peer Info:
IV_VER=3.5.6
IV_PLAT=android
IV_LZO=1
IV_GUI_VER=sslvpn.client.android 2.3.0-1
IV_BS64DL=1
I/OpenVPNService: LOG: VERIFY OK: depth=
I/OpenVPNService: LOG: VERIFY OK:
I/OpenVPNService: LOG: SSL Handshake: TLSv1.2, cipher SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
I/OpenVPNService: LOG: Session is ACTIVE
I/OpenVPNService: EVENT: GET_CONFIG
D/OpenVPNService: EXIT: connect() exited, err=false, msg=''
I/OpenVPNService: STAT BYTES_IN=2400
STAT BYTES_OUT=1251
I/OpenVPNService: STAT PACKETS_IN=6
STAT PACKETS_OUT=7
STAT AUTH_FAILED=1
I/OpenVPNService: LOG: Sending PUSH_REQUEST to server...
I/OpenVPNService: LOG: AUTH_FAILED
I/OpenVPNService: EVENT: AUTH_FAILED info='Data channel cipher negotiation failed (no shared cipher)'
I/OpenVPNService: EVENT: DISCONNECTED
D/PrefUtil: delete_key: key='autostart_profile_name'
I/OpenVPNService: EVENT: CORE_THREAD_INACTIVE
D/PrefUtil: get_boolean_by_profile: key='auth_password_save.192.168.0.21 [sfsdfdsf]' value=false
D/PrefUtil: get_boolean: auto_keyboard=true


TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Android client cipher negotiation problem

Post by TinCanTech » Fri May 07, 2021 11:47 am

osmanakol wrote:
Fri May 07, 2021 7:35 am
I/OpenVPNService: LOG: UNUSED OPTIONS
1 [dev] [tun]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
11 [auth-nocache]
13 [verb] [3]
15 [tls-client]
16 [data-ciphers] [AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-...]
17 [data-ciphers-fallback] [AES-256-CBC]

Your client does not do Cipher Negotiation.

I don't know much about Android clients but I suggest you search for Arne Schwabe's version.
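
Added example (not part of the thread and not OpenVPN code): a Python check that reads the client and server log lines posted above and reports the three facts that explain the failure, namely which cipher directives the client listed as unused, whether it advertised a cipher list in its peer info, and whether the single cipher it announced is in the server's data-ciphers. The log excerpts are trimmed copies of the posted logs; the function names are hypothetical, and IV_CIPHERS / IV_NCP are the peer-info keys a negotiating client would send, which do not appear in these logs.

```python
import re

# Trimmed excerpts of the client and server logs posted in this thread.
CLIENT_LOG = """\
I/OpenVPNService: LOG: UNUSED OPTIONS
1 [dev] [tun]
15 [tls-client]
16 [data-ciphers] [AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-...]
17 [data-ciphers-fallback] [AES-256-CBC]
18 [route-method] [exe]
I/OpenVPNService: EVENT: RESOLVE
I/OpenVPNService: LOG: Tunnel Options:V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
I/OpenVPNService: LOG: Peer Info:
IV_VER=3.5.6
IV_PLAT=android
IV_LZO=1
IV_GUI_VER=sslvpn.client.android 2.3.0-1
IV_BS64DL=1
I/OpenVPNService: EVENT: AUTH_FAILED info='Data channel cipher negotiation failed (no shared cipher)'
"""

SERVER_LOG = """\
May 7 07:28:45 2021 SSLVPN: osman@localhost.localdomain/192.168.0.120:54288 PUSH: No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-192-GCM:AES-128-GCM:AES-256-CBC:AES-192-CBC:AES-128-CBC', client supports cipher 'BF-CBC'
"""

UNUSED_RE = re.compile(r"^\d+\s+\[([^\]]+)\]")
# Tolerates the backslash-escaped quotes (\') some copies of the server log carry.
VERDICT_RE = re.compile(
    r"Server data-ciphers: \\?'([^'\\]+)\\?', client supports cipher \\?'([^'\\]+)\\?'"
)


def unused_options(log):
    """Directive names the client listed under 'UNUSED OPTIONS' (parsed but ignored)."""
    names, in_block = [], False
    for line in log.splitlines():
        if "UNUSED OPTIONS" in line:
            in_block = True
            continue
        if in_block:
            m = UNUSED_RE.match(line.strip())
            if not m:          # first non-numbered line ends the block
                in_block = False
                continue
            names.append(m.group(1))
    return names


def peer_info(log):
    """IV_* key/value pairs the client sends to the server."""
    return dict(re.findall(r"^(IV_[A-Z0-9_]+)=(.*)$", log, re.M))


def announced_cipher(log):
    """Cipher named in the client's 'Tunnel Options' string."""
    m = re.search(r"Tunnel Options:.*?\bcipher ([\w-]+)", log)
    return m.group(1) if m else None


def diagnose(client_log, server_log):
    info = peer_info(client_log)
    cipher = announced_cipher(client_log)
    m = VERDICT_RE.search(server_log)
    server_list = m.group(1).split(":") if m else []
    return {
        "ignored_cipher_directives": [
            o for o in unused_options(client_log) if o.startswith("data-ciphers")
        ],
        "advertises_cipher_list": "IV_CIPHERS" in info or "IV_NCP" in info,
        "client_cipher": cipher,
        "server_saw_cipher": m.group(2) if m else None,
        "client_cipher_in_server_list": cipher in server_list,
    }


if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```
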

endeavoror
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 09, 2022 6:12 am

Re: Android client cipher negotiation problem

Post by endeavoror » Thu Jun 09, 2022 6:16 am

I was having this very same problem, except that the problem developed as I updated the OpenVPN Connect Software to a new version. Where the ovpn configuration was working previously, it just stopped working after the update.

Eventually, I determined that the newer OpenVPN Connect versions are NOT honoring the --data-ciphers parameter. That parameter is not recognized and is thus being put into the "unused" category.

However, OpenVPN Connect IS recognizing the older command (--cipher), which is weird because that should be deprecated.

I'm guessing it's a regression/bug.

Regardless, once I added "cipher" and the cipher being used back to my .ovpn file, and imported it, everything works again.

endeavoror
OpenVpn Newbie
Posts: 2
Joined: Thu Jun 09, 2022 6:12 am

Re: Android client cipher negotiation problem

Post by endeavoror » Thu Jun 09, 2022 6:19 am

BTW, the same problem is happening in the Windows version of OpenVPN Connect. "--data-ciphers" is "unused," but "--ciphers" works just fine.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Android client cipher negotiation problem

Post by TinCanTech » Thu Jun 09, 2022 11:53 am

Client:

osmanakol wrote:
Mon May 03, 2021 2:18 pm
compress lz4-v2

Server:

osmanakol wrote:
Mon May 03, 2021 2:18 pm
compress lz4
push "compress lz4"

If the client cannot connect then the server cannot push ..
