Does the commercial version of OpenVPN client not support the open-source version of OpenVPN server?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
aes256ctr
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 20, 2023 6:35 am

Does the commercial version of OpenVPN client not support the open-source version of OpenVPN server?

Post by aes256ctr » Mon Feb 20, 2023 7:09 am

【OpenVPN server】
OS: centos7.9
Server: openvpn-2.6.0-2.el7.x86_64

【OpenVPN GUI v2.6.0】on my windows10
Can connect successfully without any error.

【OpenVPN Connect 3.3.6(2752)】on my windows10
Connection failed. The root cause of the problem cannot be found.
The log is as follows:


[Feb 20, 2023, 14:27:23] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
[Feb 20, 2023, 14:27:23] Frame=512/2048/512 mssfix-ctrl=1250
[Feb 20, 2023, 14:27:23] UNUSED OPTIONS
4 [nobind]
5 [persist-key]
6 [persist-tun]
8 [verb] [11]
[Feb 20, 2023, 14:27:23] EVENT: RESOLVE
[Feb 20, 2023, 14:27:23] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:27:23] EVENT: WAIT
[Feb 20, 2023, 14:27:23] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:27:23] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:27:33] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:27:33] EVENT: RECONNECTING
[Feb 20, 2023, 14:27:33] EVENT: RESOLVE
[Feb 20, 2023, 14:27:33] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:27:33] EVENT: WAIT
[Feb 20, 2023, 14:27:33] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:27:33] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:27:43] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:27:43] EVENT: RECONNECTING
[Feb 20, 2023, 14:27:43] EVENT: RESOLVE
[Feb 20, 2023, 14:27:43] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:27:43] EVENT: WAIT
[Feb 20, 2023, 14:27:43] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:27:43] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:27:53] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:27:53] EVENT: RECONNECTING
[Feb 20, 2023, 14:27:53] EVENT: RESOLVE
[Feb 20, 2023, 14:27:53] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:27:53] EVENT: WAIT
[Feb 20, 2023, 14:27:53] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:27:53] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:28:03] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:28:03] EVENT: RECONNECTING
[Feb 20, 2023, 14:28:03] EVENT: RESOLVE
[Feb 20, 2023, 14:28:03] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:28:03] EVENT: WAIT
[Feb 20, 2023, 14:28:03] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:28:03] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:28:13] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:28:13] EVENT: RECONNECTING
[Feb 20, 2023, 14:28:13] EVENT: RESOLVE
[Feb 20, 2023, 14:28:13] Contacting 173.173.173.173:1194 via UDP
[Feb 20, 2023, 14:28:13] EVENT: WAIT
[Feb 20, 2023, 14:28:13] WinCommandAgent: transmitting bypass route to 173.173.173.173
{
    "host" : "173.173.173.173",
    "ipv6" : false
}

[Feb 20, 2023, 14:28:13] Connecting to [mydomian.domain.com]:1194 (173.173.173.173) via UDPv4
[Feb 20, 2023, 14:28:23] EVENT: CONNECTION_TIMEOUT  BYTES_OUT : 21180
 PACKETS_OUT : 60
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 5
[Feb 20, 2023, 14:28:23] EVENT: DISCONNECTED

aes256ctr
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 20, 2023 6:35 am

Re: Does the commercial version of OpenVPN client not support the open-source version of OpenVPN server?

Post by aes256ctr » Tue Feb 21, 2023 3:53 am

Wireshark analysis results:
【openvpn GUI can connect successfully】


65  3.960273    SRC_IP  DST_IP  OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
66  3.964745    DST_IP  SRC_IP  OpenVPN 114 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
【openvpn connect can NOT connect successfully】sends the same message repeatedly but gets no reply from the server


70  9.403892    SRC_IP  DST_IP OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
I compared the initial messages sent by the two clients to the server. The only real difference seems to be Replay-Packet-ID.
This field is used to prevent replay attacks.

What is the problem? Please help me!

aes256ctr
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 20, 2023 6:35 am

Re: Does the commercial version of OpenVPN client not support the open-source version of OpenVPN server?

Post by aes256ctr » Tue Feb 21, 2023 7:23 am

I solved the problem, but I don't understand why. Maybe it is a bug in the OpenVPN Connect client.
On my server side, if tls-crypt-v2 has force-cookie enabled, the OpenVPN Connect connection will fail (but the OpenVPN GUI works normally).

If you are interested in my question and are willing to help me, please do not hesitate to email me: 46ngdbiu@duck.com
Heartfelt thanks~

aes256ctr
OpenVpn Newbie
Posts: 7
Joined: Mon Feb 20, 2023 6:35 am

Re: Does the commercial version of OpenVPN client not support the open-source version of OpenVPN server?

Post by aes256ctr » Tue Feb 21, 2023 8:33 am

https://github.com/OpenVPN/openvpn/blob ... ypt-v2.txt

3. The server receives the P_CONTROL_HARD_RESET_CLIENT_V3 message, and

1. reads the WKc length field from the end of the message, and extracts WKc from the message
2. unwraps ``WKc``
3. uses unwrapped ``Kc`` to verify the remaining P_CONTROL_HARD_RESET_CLIENT_V3 message's (encryption and) authentication.

The message is dropped and no error response is sent when either 3.1, 3.2 or 3.3 fails (DoS protection).
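As an added example (not from the thread and not OpenVPN's own code), a small Python triage over Wireshark summary lines and OpenVPN Connect log lines in the same shape as those posted above. It separates "the server answered and the handshake failed later" from "the client's first packet was never answered at all", the second being exactly what the quoted tls-crypt-v2 drop rule produces on the wire; a firewall or path block looks the same, so the verdict narrows the search rather than proving the cause. The sample frames and log lines are constructed, and the column layout and verdict strings are my assumptions.

```python
import re

# Constructed samples modelled on the Wireshark summary lines in the thread
# (frame no., time, src, dst, protocol, length, info). Not a real capture.
CAPTURE_GUI = """\
65  3.960273    SRC_IP  DST_IP  OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
66  3.964745    DST_IP  SRC_IP  OpenVPN 114 MessageType: P_CONTROL_HARD_RESET_SERVER_V2
"""
CAPTURE_CONNECT = """\
70  9.403892    SRC_IP  DST_IP  OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
71  19.404101   SRC_IP  DST_IP  OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
72  29.404377   SRC_IP  DST_IP  OpenVPN 395 MessageType: P_CONTROL_HARD_RESET_CLIENT_V3
"""
# Constructed excerpt in the OpenVPN Connect log format shown in the thread.
CONNECT_LOG = """\
[Feb 20, 2023, 14:27:23] Connecting to [vpn.example]:1194 (192.0.2.10) via UDPv4
[Feb 20, 2023, 14:27:33] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:27:43] Server poll timeout, trying next remote entry...
[Feb 20, 2023, 14:28:23] EVENT: CONNECTION_TIMEOUT  BYTES_OUT : 21180
 N_RECONNECT : 5
"""

FRAME_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+OpenVPN\s+\d+\s+"
    r"MessageType:\s*P_CONTROL_HARD_RESET_(?P<side>CLIENT|SERVER)_V\d"
)

def triage_handshake(summary: str, server: str) -> dict:
    """Count client hard-resets sent to `server` and server hard-resets seen
    back. Resends with no HARD_RESET_SERVER_V2 at all mean the first packet is
    dropped before TLS starts: tls-crypt-v2 does that silently when WKc unwrap
    or verification fails, and a firewall block looks identical on the wire."""
    sent = replies = 0
    for m in filter(None, map(FRAME_RE.match, summary.splitlines())):
        if m["side"] == "CLIENT" and m["dst"] == server:
            sent += 1
        elif m["side"] == "SERVER" and m["src"] == server:
            replies += 1
    verdict = ("no-handshake-attempt" if sent == 0 else
               "silent-drop-before-tls" if replies == 0 else "server-replied")
    return {"client_resets": sent, "server_resets": replies, "verdict": verdict}

def summarize_connect_log(log: str) -> dict:
    """Same signal from the Connect log alone: each 'Server poll timeout' is
    one unanswered hard-reset; N_RECONNECT is the client's own retry tally."""
    timeouts = sum("Server poll timeout" in line for line in log.splitlines())
    m = re.search(r"N_RECONNECT\s*:\s*(\d+)", log)
    return {"poll_timeouts": timeouts, "n_reconnect": int(m.group(1)) if m else None}
```

Run it on a `tshark`/Wireshark summary export and on the client log from the same attempt; a "silent-drop-before-tls" verdict with nonzero poll timeouts says to look at the server's tls-crypt-v2 settings and at the path, not at TLS certificates or ciphers.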
