TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 4:35 pm
by amresh
Hi,
I am new to openvpn and VPN in general, but I am trying to set up a VPN server for my home network for remote access. My ASUS router is running openvpn v 2.3.2:
Code:
admin@RT-AC56U:/tmp/home/root# openvpn --version
OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 4 2019
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=no enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=no enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no
admin@RT-AC56U:/tmp/home/root#
I can connect fine from Ubuntu 20.04 clients:
Code:
Sun Sep 25 09:17:40 2022 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Sun Sep 25 09:17:40 2022 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Sun Sep 25 09:17:46 2022 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sun Sep 25 09:17:46 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:46 2022 UDP link local: (not bound)
Sun Sep 25 09:17:46 2022 UDP link remote: [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:46 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Sep 25 09:17:47 2022 [server] Peer Connection Initiated with [AF_INET]98.42.229.135:1194
Sun Sep 25 09:17:48 2022 TUN/TAP device tun0 opened
Sun Sep 25 09:17:48 2022 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 25 09:17:48 2022 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Sep 25 09:17:48 2022 Initialization Sequence Completed
^CSun Sep 25 09:17:57 2022 event_wait : Interrupted system call (code=4)
Sun Sep 25 09:17:57 2022 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Sep 25 09:17:57 2022 SIGINT[hard,] received, process exiting
But from Ubuntu 22.04 clients I get this error and restart/reconnect loop:
Code:
2022-09-25 09:18:48 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-09-25 09:18:48 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-25 09:18:48 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 09:18:48 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-09-25 09:18:54 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-09-25 09:18:54 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 UDP link local: (not bound)
2022-09-25 09:18:54 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-25 09:18:54 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-25 09:18:54 TLS Error: TLS object -> incoming plaintext read error
2022-09-25 09:18:54 TLS Error: TLS handshake failed
2022-09-25 09:18:54 SIGUSR1[soft,tls-error] received, process restarting
2022-09-25 09:18:59 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-09-25 09:18:59 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:59 UDP link local: (not bound)
2022-09-25 09:18:59 UDP link remote: [AF_INET]98.42.229.135:1194
^C2022-09-25 09:19:00 event_wait : Interrupted system call (code=4)
2022-09-25 09:19:00 SIGINT[hard,] received, process exiting
The difference in the clients is that Ubuntu 20.04 uses:
Code:
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
while Ubuntu 22.04 uses:
Code:
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
The server config looks like (this is on the ASUS router and is generated from the fields in the admin UI):
Code:
# Automatically generated configuration
# Tunnel options
proto udp
multihome
port 1194
dev tun21
sndbuf 0
rcvbuf 0
keepalive 15 60
daemon vpnserver1
verb 3
status-version 2
status status 10
comp-lzo adaptive
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
# Server Mode
server 10.8.0.0 255.255.255.0
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
client-cert-not-required
username-as-common-name
# Data Channel Encryption Options
auth SHA256
cipher AES-256-CBC
# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key
reneg-sec 18000
# Custom Configuration
and the client ovpn file looks like (it was generated by the ASUS router, with placeholders for the client cert and key that I populated):
Code:
remote 98.42.229.135 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
reneg-sec 18000
ns-cert-type server
<ca>
...... Inline CA cert here.......
</ca>
<cert>
...... Inline client cert here.......
</cert>
<key>
...... Inline client key here.......
</key>
There are no firmware updates for the ASUS router by which I could get a more recent openvpn server that may work with both Ubuntu 20.04 (openvpn 2.4.7) and Ubuntu 22.04 (openvpn 2.5.5) clients. So I am stuck with it.
Would appreciate any help I can get on this. I am stuck.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 4:51 pm
by amresh
Forgot to mention that the Ubuntu openvpn clients are the stock versions that come with the distro.
Also, this issue seems (at least superficially) to be similar to the one discussed here:
viewtopic.php?t=30880
But in that one the suggested fix was to use openvpn 2.5-beta3 (not sure whether for client or server). I can't change the server version (ASUS router), and the failing client is the openvpn 2.5.5 one, so that should supposedly have the fix.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 5:31 pm
by TinCanTech
Set --verb 4 in your server config and then read your server log.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 6:11 pm
by amresh
I'll have to figure out how to do that as the ASUS router controls the running process. I see 2 openvpn processes on the router:
Code:
admin@RT-AC56U:/tmp/home/root# ps | grep vpn
13472 admin 3764 S /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
13475 admin 4644 S /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn
14152 admin 1532 D grep vpn
admin@RT-AC56U:/tmp/home/root#
I don't know how to restart them correctly if I kill them.
In the meantime, here are the logs with verb level 3:
Code:
Sep 25 09:17:48 vpnserver1[13475]: amresh/192.168.1.109:51593 SENT CONTROL [amresh]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Sep 25 09:18:54 vpnserver1[13475]: 192.168.1.154:42115 TLS: Initial packet from [AF_INET]192.168.1.154:42115 (via [AF_INET]98.42.229.135%br0), sid=cdd4388c b641b28e
Sep 25 09:18:59 vpnserver1[13475]: 192.168.1.154:44457 TLS: Initial packet from [AF_INET]192.168.1.154:44457 (via [AF_INET]98.42.229.135%br0), sid=2019ae5c baa7ada6
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 TLS Error: TLS handshake failed
Sep 25 09:19:54 vpnserver1[13475]: 192.168.1.154:42115 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 09:19:59 vpnserver1[13475]: 192.168.1.154:44457 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 09:19:59 vpnserver1[13475]: 192.168.1.154:44457 TLS Error: TLS handshake failed
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 6:16 pm
by amresh
The logs for the client at 192.168.1.154 are the relevant ones.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 6:28 pm
by amresh
client output with 'verb4':
Code:
2022-09-25 11:20:02 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-09-25 11:20:02 us=780299 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-09-25 11:20:02 us=780715 Current Parameter Settings:
2022-09-25 11:20:02 us=780788 config = 'client3.ovpn'
2022-09-25 11:20:02 us=780870 mode = 0
2022-09-25 11:20:02 us=780908 persist_config = DISABLED
2022-09-25 11:20:02 us=780927 persist_mode = 1
2022-09-25 11:20:02 us=781010 show_ciphers = DISABLED
2022-09-25 11:20:02 us=781084 show_digests = DISABLED
2022-09-25 11:20:02 us=781156 show_engines = DISABLED
2022-09-25 11:20:02 us=781176 genkey = DISABLED
2022-09-25 11:20:02 us=781215 genkey_filename = '[UNDEF]'
2022-09-25 11:20:02 us=781249 key_pass_file = '[UNDEF]'
2022-09-25 11:20:02 us=781283 show_tls_ciphers = DISABLED
2022-09-25 11:20:02 us=781316 connect_retry_max = 0
2022-09-25 11:20:02 us=781373 Connection profiles [0]:
2022-09-25 11:20:02 us=781448 proto = udp
2022-09-25 11:20:02 us=781478 local = '[UNDEF]'
2022-09-25 11:20:02 us=781521 local_port = '[UNDEF]'
2022-09-25 11:20:02 us=781553 remote = '98.42.229.135'
2022-09-25 11:20:02 us=781630 remote_port = '1194'
2022-09-25 11:20:02 us=781725 remote_float = ENABLED
2022-09-25 11:20:02 us=781779 bind_defined = DISABLED
2022-09-25 11:20:02 us=781837 bind_local = DISABLED
2022-09-25 11:20:02 us=781874 bind_ipv6_only = DISABLED
2022-09-25 11:20:02 us=781947 connect_retry_seconds = 5
2022-09-25 11:20:02 us=782014 connect_timeout = 120
2022-09-25 11:20:02 us=782035 socks_proxy_server = '[UNDEF]'
2022-09-25 11:20:02 us=782053 socks_proxy_port = '[UNDEF]'
2022-09-25 11:20:02 us=782109 tun_mtu = 1500
2022-09-25 11:20:02 us=782171 tun_mtu_defined = ENABLED
2022-09-25 11:20:02 us=782239 link_mtu = 1500
2022-09-25 11:20:02 us=782323 link_mtu_defined = DISABLED
2022-09-25 11:20:02 us=782392 tun_mtu_extra = 0
2022-09-25 11:20:02 us=782464 tun_mtu_extra_defined = DISABLED
2022-09-25 11:20:02 us=782528 mtu_discover_type = -1
2022-09-25 11:20:02 us=782596 fragment = 0
2022-09-25 11:20:02 us=782669 mssfix = 1450
2022-09-25 11:20:02 us=782689 explicit_exit_notification = 0
2022-09-25 11:20:02 us=782734 tls_auth_file = '[UNDEF]'
2022-09-25 11:20:02 us=782803 key_direction = not set
2022-09-25 11:20:02 us=782870 tls_crypt_file = '[UNDEF]'
2022-09-25 11:20:02 us=782890 tls_crypt_v2_file = '[UNDEF]'
2022-09-25 11:20:02 us=782944 Connection profiles END
2022-09-25 11:20:02 us=783002 remote_random = DISABLED
2022-09-25 11:20:02 us=783074 ipchange = '[UNDEF]'
2022-09-25 11:20:02 us=783141 dev = 'tun'
2022-09-25 11:20:02 us=783224 dev_type = '[UNDEF]'
2022-09-25 11:20:02 us=783293 dev_node = '[UNDEF]'
2022-09-25 11:20:02 us=783371 lladdr = '[UNDEF]'
2022-09-25 11:20:02 us=783401 topology = 1
2022-09-25 11:20:02 us=783462 ifconfig_local = '[UNDEF]'
2022-09-25 11:20:02 us=783533 ifconfig_remote_netmask = '[UNDEF]'
2022-09-25 11:20:02 us=783586 ifconfig_noexec = DISABLED
2022-09-25 11:20:02 us=783606 ifconfig_nowarn = DISABLED
2022-09-25 11:20:02 us=783639 ifconfig_ipv6_local = '[UNDEF]'
2022-09-25 11:20:02 us=783714 ifconfig_ipv6_netbits = 0
2022-09-25 11:20:02 us=783748 ifconfig_ipv6_remote = '[UNDEF]'
2022-09-25 11:20:02 us=783829 shaper = 0
2022-09-25 11:20:02 us=783866 mtu_test = 0
2022-09-25 11:20:02 us=783930 mlock = DISABLED
2022-09-25 11:20:02 us=783965 keepalive_ping = 15
2022-09-25 11:20:02 us=784023 keepalive_timeout = 60
2022-09-25 11:20:02 us=784129 inactivity_timeout = 0
2022-09-25 11:20:02 us=784180 ping_send_timeout = 15
2022-09-25 11:20:02 us=784246 ping_rec_timeout = 60
2022-09-25 11:20:02 us=784311 ping_rec_timeout_action = 2
2022-09-25 11:20:02 us=784338 ping_timer_remote = DISABLED
2022-09-25 11:20:02 us=784364 remap_sigusr1 = 0
2022-09-25 11:20:02 us=784410 persist_tun = DISABLED
2022-09-25 11:20:02 us=784475 persist_local_ip = DISABLED
2022-09-25 11:20:02 us=784496 persist_remote_ip = DISABLED
2022-09-25 11:20:02 us=784556 persist_key = DISABLED
2022-09-25 11:20:02 us=784629 passtos = DISABLED
2022-09-25 11:20:02 us=784700 resolve_retry_seconds = 1000000000
2022-09-25 11:20:02 us=784778 resolve_in_advance = DISABLED
2022-09-25 11:20:02 us=784812 username = '[UNDEF]'
2022-09-25 11:20:02 us=784874 groupname = '[UNDEF]'
2022-09-25 11:20:02 us=784950 chroot_dir = '[UNDEF]'
2022-09-25 11:20:02 us=784982 cd_dir = '[UNDEF]'
2022-09-25 11:20:02 us=785055 writepid = '[UNDEF]'
2022-09-25 11:20:02 us=785116 up_script = '[UNDEF]'
2022-09-25 11:20:02 us=785188 down_script = '[UNDEF]'
2022-09-25 11:20:02 us=785263 down_pre = DISABLED
2022-09-25 11:20:02 us=785295 up_restart = DISABLED
2022-09-25 11:20:02 us=785347 up_delay = DISABLED
2022-09-25 11:20:02 us=785407 daemon = DISABLED
2022-09-25 11:20:02 us=785468 inetd = 0
2022-09-25 11:20:02 us=785539 log = DISABLED
2022-09-25 11:20:02 us=785613 suppress_timestamps = DISABLED
2022-09-25 11:20:02 us=785647 machine_readable_output = DISABLED
2022-09-25 11:20:02 us=785735 nice = 0
2022-09-25 11:20:02 us=785806 verbosity = 4
2022-09-25 11:20:02 us=785867 mute = 0
2022-09-25 11:20:02 us=785899 gremlin = 0
2022-09-25 11:20:02 us=785929 status_file = '[UNDEF]'
2022-09-25 11:20:02 us=785971 status_file_version = 1
2022-09-25 11:20:02 us=786022 status_file_update_freq = 60
2022-09-25 11:20:02 us=786096 occ = ENABLED
2022-09-25 11:20:02 us=786168 rcvbuf = 0
2022-09-25 11:20:02 us=786244 sndbuf = 0
2022-09-25 11:20:02 us=786275 mark = 0
2022-09-25 11:20:02 us=786333 sockflags = 0
2022-09-25 11:20:02 us=786407 fast_io = DISABLED
2022-09-25 11:20:02 us=786472 comp.alg = 2
2022-09-25 11:20:02 us=786534 comp.flags = 1
2022-09-25 11:20:02 us=786602 route_script = '[UNDEF]'
2022-09-25 11:20:02 us=786669 route_default_gateway = '[UNDEF]'
2022-09-25 11:20:02 us=786690 route_default_metric = 0
2022-09-25 11:20:02 us=786781 route_noexec = DISABLED
2022-09-25 11:20:02 us=786850 route_delay = 0
2022-09-25 11:20:02 us=786927 route_delay_window = 30
2022-09-25 11:20:02 us=786980 route_delay_defined = DISABLED
2022-09-25 11:20:02 us=787000 route_nopull = DISABLED
2022-09-25 11:20:02 us=787061 route_gateway_via_dhcp = DISABLED
2022-09-25 11:20:02 us=787139 allow_pull_fqdn = DISABLED
2022-09-25 11:20:02 us=787212 management_addr = '[UNDEF]'
2022-09-25 11:20:02 us=787288 management_port = '[UNDEF]'
2022-09-25 11:20:02 us=787320 management_user_pass = '[UNDEF]'
2022-09-25 11:20:02 us=787395 management_log_history_cache = 250
2022-09-25 11:20:02 us=787456 management_echo_buffer_size = 100
2022-09-25 11:20:02 us=787522 management_write_peer_info_file = '[UNDEF]'
2022-09-25 11:20:02 us=787607 management_client_user = '[UNDEF]'
2022-09-25 11:20:02 us=787675 management_client_group = '[UNDEF]'
2022-09-25 11:20:02 us=787760 management_flags = 0
2022-09-25 11:20:02 us=787829 shared_secret_file = '[UNDEF]'
2022-09-25 11:20:02 us=787912 key_direction = not set
2022-09-25 11:20:02 us=787980 ciphername = 'AES-256-CBC'
2022-09-25 11:20:02 us=788057 ncp_enabled = ENABLED
2022-09-25 11:20:02 us=788129 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2022-09-25 11:20:02 us=788206 authname = 'SHA256'
2022-09-25 11:20:02 us=788238 prng_hash = 'SHA1'
2022-09-25 11:20:02 us=788291 prng_nonce_secret_len = 16
2022-09-25 11:20:02 us=788352 keysize = 0
2022-09-25 11:20:02 us=788415 engine = DISABLED
2022-09-25 11:20:02 us=788450 replay = ENABLED
2022-09-25 11:20:02 us=788511 mute_replay_warnings = DISABLED
2022-09-25 11:20:02 us=788575 replay_window = 64
2022-09-25 11:20:02 us=788609 replay_time = 15
2022-09-25 11:20:02 us=788643 packet_id_file = '[UNDEF]'
2022-09-25 11:20:02 us=788678 test_crypto = DISABLED
2022-09-25 11:20:02 us=788741 tls_server = DISABLED
2022-09-25 11:20:02 us=788775 tls_client = ENABLED
2022-09-25 11:20:02 us=788825 ca_file = '[INLINE]'
2022-09-25 11:20:02 us=788876 ca_path = '[UNDEF]'
2022-09-25 11:20:02 us=788955 dh_file = '[UNDEF]'
2022-09-25 11:20:02 us=789040 cert_file = '[INLINE]'
2022-09-25 11:20:02 us=789107 extra_certs_file = '[UNDEF]'
2022-09-25 11:20:02 us=789179 priv_key_file = '[INLINE]'
2022-09-25 11:20:02 us=789257 pkcs12_file = '[UNDEF]'
2022-09-25 11:20:02 us=789326 cipher_list = '[UNDEF]'
2022-09-25 11:20:02 us=789400 cipher_list_tls13 = '[UNDEF]'
2022-09-25 11:20:02 us=789424 tls_cert_profile = '[UNDEF]'
2022-09-25 11:20:02 us=789476 tls_verify = '[UNDEF]'
2022-09-25 11:20:02 us=789542 tls_export_cert = '[UNDEF]'
2022-09-25 11:20:02 us=789614 verify_x509_type = 0
2022-09-25 11:20:02 us=789713 verify_x509_name = '[UNDEF]'
2022-09-25 11:20:02 us=789794 crl_file = '[UNDEF]'
2022-09-25 11:20:02 us=789849 ns_cert_type = 1
2022-09-25 11:20:02 us=789869 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=789938 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=789967 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790027 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790104 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790135 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790182 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790218 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790279 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790315 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790353 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790435 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790507 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790584 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790615 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790668 remote_cert_ku[i] = 0
2022-09-25 11:20:02 us=790719 remote_cert_eku = '[UNDEF]'
2022-09-25 11:20:02 us=790754 ssl_flags = 0
2022-09-25 11:20:02 us=790815 tls_timeout = 2
2022-09-25 11:20:02 us=790874 renegotiate_bytes = -1
2022-09-25 11:20:02 us=790899 renegotiate_packets = 0
2022-09-25 11:20:02 us=790932 renegotiate_seconds = 18000
2022-09-25 11:20:02 us=790967 handshake_window = 60
2022-09-25 11:20:02 us=791050 transition_window = 3600
2022-09-25 11:20:02 us=791119 single_session = DISABLED
2022-09-25 11:20:02 us=791185 push_peer_info = DISABLED
2022-09-25 11:20:02 us=791205 tls_exit = DISABLED
2022-09-25 11:20:02 us=791257 tls_crypt_v2_metadata = '[UNDEF]'
2022-09-25 11:20:02 us=791319 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791403 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791471 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791544 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791612 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791647 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791731 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791807 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791887 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=791955 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792027 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792100 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792184 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792256 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792332 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792365 pkcs11_protected_authentication = DISABLED
2022-09-25 11:20:02 us=792456 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792523 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792556 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792606 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792671 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792693 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792725 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792804 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792840 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792924 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=792992 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793063 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793135 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793196 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793263 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793334 pkcs11_private_mode = 00000000
2022-09-25 11:20:02 us=793417 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793490 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793565 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793597 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793658 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793744 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793772 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793788 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793880 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793900 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793973 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=793998 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794055 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794127 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794192 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794253 pkcs11_cert_private = DISABLED
2022-09-25 11:20:02 us=794321 pkcs11_pin_cache_period = -1
2022-09-25 11:20:02 us=794392 pkcs11_id = '[UNDEF]'
2022-09-25 11:20:02 us=794464 pkcs11_id_management = DISABLED
2022-09-25 11:20:02 us=794563 server_network = 0.0.0.0
2022-09-25 11:20:02 us=794643 server_netmask = 0.0.0.0
2022-09-25 11:20:02 us=794730 server_network_ipv6 = ::
2022-09-25 11:20:02 us=794804 server_netbits_ipv6 = 0
2022-09-25 11:20:02 us=794859 server_bridge_ip = 0.0.0.0
2022-09-25 11:20:02 us=794879 server_bridge_netmask = 0.0.0.0
2022-09-25 11:20:02 us=794942 server_bridge_pool_start = 0.0.0.0
2022-09-25 11:20:02 us=795001 server_bridge_pool_end = 0.0.0.0
2022-09-25 11:20:02 us=795036 ifconfig_pool_defined = DISABLED
2022-09-25 11:20:02 us=795075 ifconfig_pool_start = 0.0.0.0
2022-09-25 11:20:02 us=795140 ifconfig_pool_end = 0.0.0.0
2022-09-25 11:20:02 us=795178 ifconfig_pool_netmask = 0.0.0.0
2022-09-25 11:20:02 us=795211 ifconfig_pool_persist_filename = '[UNDEF]'
2022-09-25 11:20:02 us=795241 ifconfig_pool_persist_refresh_freq = 600
2022-09-25 11:20:02 us=795267 ifconfig_ipv6_pool_defined = DISABLED
2022-09-25 11:20:02 us=795305 ifconfig_ipv6_pool_base = ::
2022-09-25 11:20:02 us=795371 ifconfig_ipv6_pool_netbits = 0
2022-09-25 11:20:02 us=795445 n_bcast_buf = 256
2022-09-25 11:20:02 us=795512 tcp_queue_limit = 64
2022-09-25 11:20:02 us=795537 real_hash_size = 256
2022-09-25 11:20:02 us=795586 virtual_hash_size = 256
2022-09-25 11:20:02 us=795622 client_connect_script = '[UNDEF]'
2022-09-25 11:20:02 us=795699 learn_address_script = '[UNDEF]'
2022-09-25 11:20:02 us=795733 client_disconnect_script = '[UNDEF]'
2022-09-25 11:20:02 us=795835 client_config_dir = '[UNDEF]'
2022-09-25 11:20:02 us=795898 ccd_exclusive = DISABLED
2022-09-25 11:20:02 us=795982 tmp_dir = '/tmp'
2022-09-25 11:20:02 us=796056 push_ifconfig_defined = DISABLED
2022-09-25 11:20:02 us=796110 push_ifconfig_local = 0.0.0.0
2022-09-25 11:20:02 us=796180 push_ifconfig_remote_netmask = 0.0.0.0
2022-09-25 11:20:02 us=796261 push_ifconfig_ipv6_defined = DISABLED
2022-09-25 11:20:02 us=796336 push_ifconfig_ipv6_local = ::/0
2022-09-25 11:20:02 us=796413 push_ifconfig_ipv6_remote = ::
2022-09-25 11:20:02 us=796488 enable_c2c = DISABLED
2022-09-25 11:20:02 us=796560 duplicate_cn = DISABLED
2022-09-25 11:20:02 us=796611 cf_max = 0
2022-09-25 11:20:02 us=796684 cf_per = 0
2022-09-25 11:20:02 us=796757 max_clients = 1024
2022-09-25 11:20:02 us=796783 max_routes_per_client = 256
2022-09-25 11:20:02 us=796846 auth_user_pass_verify_script = '[UNDEF]'
2022-09-25 11:20:02 us=796924 auth_user_pass_verify_script_via_file = DISABLED
2022-09-25 11:20:02 us=797000 auth_token_generate = DISABLED
2022-09-25 11:20:02 us=797041 auth_token_lifetime = 0
2022-09-25 11:20:02 us=797123 auth_token_secret_file = '[UNDEF]'
2022-09-25 11:20:02 us=797190 port_share_host = '[UNDEF]'
2022-09-25 11:20:02 us=797252 port_share_port = '[UNDEF]'
2022-09-25 11:20:02 us=797287 vlan_tagging = DISABLED
2022-09-25 11:20:02 us=797349 vlan_accept = all
2022-09-25 11:20:02 us=797419 vlan_pvid = 1
2022-09-25 11:20:02 us=797455 client = ENABLED
2022-09-25 11:20:02 us=797525 pull = ENABLED
2022-09-25 11:20:02 us=797615 auth_user_pass_file = 'stdin'
2022-09-25 11:20:02 us=797709 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 11:20:02 us=797802 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Enter Auth Username: foo
🔐 Enter Auth Password: *********
2022-09-25 11:20:13 us=590590 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-09-25 11:20:13 us=602794 LZO compression initializing
2022-09-25 11:20:13 us=603159 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2022-09-25 11:20:13 us=603311 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2022-09-25 11:20:13 us=603446 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
2022-09-25 11:20:13 us=603505 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
2022-09-25 11:20:13 us=603580 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 11:20:13 us=603704 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-09-25 11:20:13 us=603760 UDP link local: (not bound)
2022-09-25 11:20:13 us=603805 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 11:20:13 us=608228 TLS: Initial packet from [AF_INET]98.42.229.135:1194, sid=7bf36b98 47414891
2022-09-25 11:20:16 us=75050 VERIFY OK: depth=1, CN=Easy-RSA CA
2022-09-25 11:20:16 us=75559 VERIFY OK: nsCertType=SERVER
2022-09-25 11:20:16 us=75615 VERIFY OK: depth=0, CN=server
2022-09-25 11:20:18 us=314364 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-25 11:20:18 us=314450 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-25 11:20:18 us=314472 TLS Error: TLS object -> incoming plaintext read error
2022-09-25 11:20:18 us=314488 TLS Error: TLS handshake failed
2022-09-25 11:20:18 us=314791 TCP/UDP: Closing socket
2022-09-25 11:20:18 us=314881 SIGUSR1[soft,tls-error] received, process restarting
2022-09-25 11:20:18 us=314939 Restart pause, 5 second(s)
^C2022-09-25 11:20:20 us=359320 SIGINT[hard,init_instance] received, process exiting
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 6:34 pm
by amresh
Restarted the service on the ASUS router, but it regenerated the config file with the 'verb 3' option and overwrote the 'verb 4' line that I had put in.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 7:12 pm
by TinCanTech
This appears to be the problem:
amresh wrote: ↑Sun Sep 25, 2022 4:35 pm
admin@RT-AC56U:/tmp/home/root# openvpn --version
OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Nov 4 2019
OpenVPN 2.3.2 is no longer supported:
https://community.openvpn.net/openvpn/w ... edVersions
Then:
amresh wrote: ↑Sun Sep 25, 2022 4:35 pm
2022-09-25 09:18:48 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-09-25 09:18:48 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-09-25 09:18:54 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2022-09-25 09:18:54 TCP/UDP: Preserving recently used remote address: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 UDP link local: (not bound)
2022-09-25 09:18:54 UDP link remote: [AF_INET]98.42.229.135:1194
2022-09-25 09:18:54 OpenSSL: error:0A0C0103:SSL routines::internal error
It is an unusual error. Somebody else may be able to help.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 8:12 pm
by amresh
Yes, unfortunately I can't do anything about the Openvpn server version. That's part of the router firmware.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 8:21 pm
by amresh
Finally able to get it to run with verb 4 value (don't see anything unusual):
Code:
Sep 25 13:16:39 vpnserver1[15775]: MULTI: multi_create_instance called
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Re-using SSL/TLS context
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 LZO compression initialized
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Local Options hash (VER=V4): '79a26cd9'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 Expected Remote Options hash (VER=V4): 'fc8ba345'
Sep 25 13:16:39 vpnserver1[15775]: 192.168.1.154:48144 TLS: Initial packet from [AF_INET]192.168.1.154:48144 (via [AF_INET]98.42.229.135%br0), sid=ee7c5f4f d4e6c98e
Sep 25 13:16:45 vpnserver1[15775]: MULTI: multi_create_instance called
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Re-using SSL/TLS context
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 LZO compression initialized
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Control Channel MTU parms [ L:1570 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:135 ET:0 EL:0 AF:3/1 ]
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Local Options hash (VER=V4): '79a26cd9'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 Expected Remote Options hash (VER=V4): 'fc8ba345'
Sep 25 13:16:45 vpnserver1[15775]: 192.168.1.154:33171 TLS: Initial packet from [AF_INET]192.168.1.154:33171 (via [AF_INET]98.42.229.135%br0), sid=107aa226 be09fff8
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 TLS Error: TLS handshake failed
Sep 25 13:17:39 vpnserver1[15775]: 192.168.1.154:48144 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 TLS Error: TLS handshake failed
Sep 25 13:17:45 vpnserver1[15775]: 192.168.1.154:33171 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 25 13:17:54 vpnserver1[15775]: MULTI: multi_create_instance called
I think the handshake is being rejected by the newer client, not the server.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Sun Sep 25, 2022 8:32 pm
by TinCanTech
amresh wrote: ↑Sun Sep 25, 2022 8:12 pm
unfortunately I can't do anything about the Openvpn server version
Then throw it away.
amresh wrote: ↑Sun Sep 25, 2022 8:21 pm
I think the handshake is being rejected by the newer client, not the server.
The client is very upset about something, I cannot say if that is something from the server or not.
You could upgrade the client. v2.5.7 is latest, stable.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Mon Sep 26, 2022 7:10 am
by openvpn_inc
Hello amresh,
Version 2.3.2 dates back to 2015. That's 7 years old. You might understand then that over time things have changed a little and that you really should have more up-to-date software. I know you say that you can't fix it. But you should try to contact the router manufacturer and request a newer firmware that includes an updated OpenVPN version. If that is not available, for example because the router is no longer under support and doesn't receive firmware updates anymore, I would recommend looking into an alternative firmware for this router with a more up-to-date OpenVPN version.
However, I know 2.5 should still be able to connect to a 2.3 server just fine. But there's just something being done that is not acceptable to the OpenSSL library.
The main difference between Ubuntu 20.04 LTS and Ubuntu 22.04 LTS is the OpenSSL version. In Ubuntu 20.04 LTS it is still OpenSSL 1.1.1 and in Ubuntu 22.04 LTS it is OpenSSL 3.0.2. In OpenSSL3 some changes have been made in regards to deprecating certain older methods of encryption by default. While I am not 100% certain, my guess would be that the server wants the client to do something that is now considered deprecated and insecure, and the OpenSSL3 library doesn't want to do this anymore. What that is exactly however I can't tell from this information.
Can you check what bit size your CA, server, and client certificates are? Are they 1024 bits by any chance? If so that might be the issue and you should replace them with RSA 2048. I would like to recommend secp384r1 instead but not sure that would work with that old of an OpenVPN version.
Kind regards,
Johan
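The certificate check asked for in the post above, as an added example that is not part of the original thread: it reads `openssl x509 -noout -text` output and reports key size and signature digest for each certificate. The file names are hypothetical, the 2048-bit threshold is the RSA size recommended in that post, and the MD5/SHA-1 digest check is an assumption added here (OpenSSL 3 no longer accepts such signatures at security level 1 and above).

```shell
#!/bin/sh
# Added example (not from the thread): audit certificates for key size and
# signature digest. Reads `openssl x509 -noout -text` output on stdin.
audit_cert_text() {
    awk '
        # The first "Signature Algorithm" line is the digest the issuer signed with.
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        /Public Key Algorithm:/            { alg = $NF }
        # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", 3.x "Public-Key: (N bit)".
        /Public-Key: \(/ {
            bits = $0
            sub(/.*\(/, "", bits)
            sub(/ bit.*/, "", bits)
        }
        END {
            verdict = "ok"
            # Assumption added here: MD5/SHA-1 signatures are rejected by
            # OpenSSL 3 at security level 1 and above.
            if (tolower(sig) ~ /md5|sha1/) { verdict = "weak-digest" }
            # 2048 is the RSA size recommended in the post above.
            if (alg == "rsaEncryption" && bits + 0 < 2048) {
                verdict = (verdict == "ok") ? "weak-key" : "weak-key+weak-digest"
            }
            printf "alg=%s bits=%s sig=%s verdict=%s\n", alg, bits, sig, verdict
        }'
}

# Constructed excerpt of `openssl x509 -text` output for a legacy certificate.
sample_legacy_cert() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Hypothetical file names: sh audit.sh ca.crt server.crt client.crt
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -text | audit_cert_text
    done
else
    sample_legacy_cert | audit_cert_text
fi
```

Run it against the CA, server and client certificates; any line whose verdict is not `ok` names a certificate to reissue.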
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Mon Sep 26, 2022 12:43 pm
by ordex
Please also note that OpenVPN 2.5.5 is not expected to work well with OpenSSL3, since code to support the latter was introduced after OpenVPN 2.5.5.
You may want to upgrade to OpenVPN 2.5.7.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Mon Sep 26, 2022 3:21 pm
by amresh
Johan,
Thanks for the detailed post. I figured the same, but was hoping that I could make it work through configuration changes and using 'backwards-compatibility' of Openvpn 2.5.5/openssl3 towards the older release. But likely not. Regarding your question, yes, I am using 2048 bits.
Ordex,
Are you saying that the stock Ubuntu 22.04 openvpn (2.5.5) may have problems, since it is tied to OpenSSL3? OK, I will try upgrading to 2.5.7, if only as an academic exercise, as I ordered a new ASUS router that hopefully has a newer version of openvpn that works right off the bat.
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Mon Sep 26, 2022 4:39 pm
by amresh
Tested with openvpn 2.5.7/openssl 3.0.2. Get the same result, no connection, restart loop with the same error:
2022-09-26 08:48:44 us=126102 VERIFY OK: depth=0, CN=server
2022-09-26 08:48:44 us=130726 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-09-26 08:48:44 us=130808 TLS_ERROR: BIO read tls_read_plaintext error
2022-09-26 08:48:44 us=130878 TLS Error: TLS object -> incoming plaintext read error
2022-09-26 08:48:44 us=130969 TLS Error: TLS handshake failed
2022-09-26 08:48:44 us=131404 TCP/UDP: Closing socket
2022-09-26 08:48:44 us=131516 SIGUSR1[soft,tls-error] received, process restarting
2022-09-26 08:48:44 us=131610 Restart pause, 5 second(s)
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Mon Sep 26, 2022 10:36 pm
by ordex
@amresh then I'd say Johan is pointing you in the right direction.
Can you try passing this option
to the client? (can go in the config without the leading --)
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Tue Dec 20, 2022 4:03 pm
by rantanplan
ordex wrote: ↑Mon Sep 26, 2022 10:36 pm
@amresh then I'd say Johan is pointing you in the right direction.
Can you try passing this option
to the client? (can go in the config without the leading --)
I have the same issue on Pop!_OS 22.04 LTS (Ubuntu 22.04 LTS).
Adding this option didn't change the behavior...
Best regards
Re: TLS_ERROR: BIO read tls_read_plaintext error
Posted: Thu Dec 22, 2022 11:39 pm
by rantanplan
Problem "solved" by allowing weak algorithm:
openvpn --tls-cipher "DEFAULT:@SECLEVEL=0" --data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC