Unable to connect to Draytek Open VPN on latest Open VPN application

Official client software for OpenVPN Access Server and OpenVPN Cloud.
sambates123
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 03, 2023 12:19 pm

Post by sambates123 » Thu Aug 03, 2023 12:22 pm

Hi,

I recently updated my Open VPN app to the latest which has caused the VPN to no longer connect. I was running a version that was about 2 or 3 years old!

Can anyone help with the following error?
2023-08-03 13:16:06 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-08-03 13:16:06 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-08-03 13:16:06 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-08-03 13:16:06 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-08-03 13:16:06 DCO version: v0
2023-08-03 13:16:08 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-08-03 13:16:08 TCP/UDP: Preserving recently used remote address: [AF_INET]IP ADDRESS:PORT NUMBER (removed for privacy)
2023-08-03 13:16:08 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-08-03 13:16:08 UDP link local: (not bound)
2023-08-03 13:16:08 UDP link remote: [AF_INET]IP ADDRESS:PORT NUMBER (removed for privacy)
2023-08-03 13:16:10 OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
2023-08-03 13:16:10 TLS_ERROR: BIO read tls_read_plaintext error
2023-08-03 13:16:10 TLS Error: TLS object -> incoming plaintext read error
2023-08-03 13:16:10 TLS Error: TLS handshake failed
2023-08-03 13:16:10 SIGUSR1[soft,tls-error] received, process restarting
2023-08-03 13:16:16 ERROR: could not read Auth username/password/ok/string from management interface
2023-08-03 13:16:16 Exiting due to fatal error

Let me know if you need anything else.

JosephS
OpenVPN Inc.
Posts: 54
Joined: Fri Feb 17, 2023 5:15 pm

Re: Unable to connect to Draytek Open VPN on latest Open VPN application

Post by JosephS » Mon Aug 07, 2023 8:57 am

Hi sambates123,

Judging from the logs you are using deprecated security options when connecting to the server.
You can try going to the Connect App Settings > Advanced Settings > Security Level > Set to Insecure, and try to connect again afterwards.
But the best approach would probably be to apply the recommended security options server side, like making sure that server certificate verification has been enabled.

sambates123
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 03, 2023 12:19 pm

Re: Unable to connect to Draytek Open VPN on latest Open VPN application

Post by sambates123 » Mon Aug 07, 2023 9:04 am

Thanks, I think Draytek are really behind on this. I believe a firmware upgrade is needed to bring the security standards in line with current OVPN security practices.

kramms
OpenVpn Newbie
Posts: 2
Joined: Mon Oct 23, 2023 9:57 pm

Re: Unable to connect to Draytek Open VPN on latest Open VPN application

Post by kramms » Mon Oct 23, 2023 10:01 pm

Did you ever get this working?
Running a Vigor 2952 and even with the "Set to Insecure" in the client I am getting the same error as you.
First error was I needed to remove "ping-exit 60"
Second error is
"Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000152:SSL routines::unsafe legacy renegotiation disabled"

Can't see any options or way to fix this.
Agree Draytek need to update their Firmware!
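
A triage sketch for the client log in the first post and the OpenVPN Connect error in the last one, added here as an example and not code from any poster or from OpenVPN: it maps the three security-relevant messages to what they mean for a defender. The rule names, the explanatory wording and the function names are this example's own assumptions; the sample lines are copied from the thread.

```python
import re

# Constructed sample: four lines copied from the log in the first post.
SAMPLE_LOG = """\
2023-08-03 13:16:06 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-08-03 13:16:08 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2023-08-03 13:16:10 OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
2023-08-03 13:16:10 TLS Error: TLS handshake failed
"""

# (finding id, pattern, meaning). Ids and wording are this example's own.
RULES = [
    ("cipher-not-negotiable",
     re.compile(r"--cipher set to '(?P<detail>[^']+)' but missing in --data-ciphers"),
     "profile pins a cipher outside the negotiable list; the client ignores it"),
    ("no-server-cert-verification",
     re.compile(r"No server certificate verification method has been enabled"),
     "client does not check that the peer presents a server certificate (MITM "
     "exposure); remote-cert-tls server or verify-x509-name in the profile fixes it"),
    ("legacy-renegotiation-refused",
     re.compile(r"error:0A000152:.*unsafe legacy renegotiation disabled"),
     "OpenSSL 3 refused a peer that did not offer RFC 5746 secure renegotiation; "
     "the durable fix is on the server/firmware side"),
]
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

def triage(log_text):
    """Return one finding per rule, keeping the first timestamp it was seen at."""
    findings = {}
    for line in log_text.splitlines():
        ts = TS.match(line)  # OpenVPN Connect exception text has no timestamp
        for fid, pattern, meaning in RULES:
            m = pattern.search(line)
            if m and fid not in findings:
                findings[fid] = {
                    "first_seen": ts.group(1) if ts else None,
                    "detail": m.groupdict().get("detail"),
                    "meaning": meaning,
                }
    return findings

def handshake_blocker(findings):
    """In the posted log the handshake dies at the renegotiation refusal; the rest are warnings."""
    return "legacy-renegotiation-refused" if "legacy-renegotiation-refused" in findings else None

if __name__ == "__main__":
    for fid, f in triage(SAMPLE_LOG).items():
        print(f["first_seen"], fid, f["detail"] or "", "-", f["meaning"])
```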
