Can't connect to the server after updating to 0.7.37

[Makishima]

After installing new version connection stack on Attempting to establish TCP connection with

My logs

2022-05-17 12:15:38 official build 0.7.37 running on Sony XQ-BC72 (lahaina), Android 12 (61.1.A.7.35) API 31, ABI arm64-v8a, (Sony/XQ-BC72/XQ-BC72:12/61.1.A.7.35/061001A007003503147541197:user/release-keys)
2022-05-17 12:15:38 Building configuration…
2022-05-17 12:15:38 started Socket Thread
2022-05-17 12:15:38 Network Status: CONNECTED to WIFI
2022-05-17 12:15:38 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-05-17 12:15:39 P:WARNING: linker: Warning: "/data/app/~~N5_CVV4SvdGTCpevBccyEA==/de.blinkt.openvpn-6liFEFXDa8LsD2DUTCHtVA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-05-17 12:15:39 Debug state info: CONNECTED to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-05-17 12:15:39 Current Parameter Settings:
2022-05-17 12:15:39 config = 'stdin'
2022-05-17 12:15:39 mode = 0
2022-05-17 12:15:39 show_ciphers = DISABLED
2022-05-17 12:15:39 show_digests = DISABLED
2022-05-17 12:15:39 show_engines = DISABLED
2022-05-17 12:15:39 genkey = DISABLED
2022-05-17 12:15:39 genkey_filename = '[UNDEF]'
2022-05-17 12:15:39 key_pass_file = '[UNDEF]'
2022-05-17 12:15:39 show_tls_ciphers = DISABLED
2022-05-17 12:15:39 connect_retry_max = 0
2022-05-17 12:15:39 Connection profiles [0]:
2022-05-17 12:15:39 proto = tcp-client
2022-05-17 12:15:39 local = '[UNDEF]'
2022-05-17 12:15:39 local_port = '[UNDEF]'
2022-05-17 12:15:39 remote = 'XXXXXXXX'
2022-05-17 12:15:39 remote_port = '11443'
2022-05-17 12:15:39 remote_float = DISABLED
2022-05-17 12:15:39 bind_defined = DISABLED
2022-05-17 12:15:39 bind_local = DISABLED
2022-05-17 12:15:39 bind_ipv6_only = DISABLED
2022-05-17 12:15:39 connect_retry_seconds = 2
2022-05-17 12:15:39 connect_timeout = 120
2022-05-17 12:15:39 socks_proxy_server = '[UNDEF]'
2022-05-17 12:15:39 socks_proxy_port = '[UNDEF]'
2022-05-17 12:15:39 tun_mtu = 1500
2022-05-17 12:15:39 tun_mtu_defined = ENABLED
2022-05-17 12:15:39 link_mtu = 1500
2022-05-17 12:15:39 link_mtu_defined = DISABLED
2022-05-17 12:15:39 tun_mtu_extra = 0
2022-05-17 12:15:39 tun_mtu_extra_defined = DISABLED
2022-05-17 12:15:39 tls_mtu = 1250
2022-05-17 12:15:39 mtu_discover_type = -1
2022-05-17 12:15:39 fragment = 0
2022-05-17 12:15:39 mssfix = 1492
2022-05-17 12:15:39 mssfix_encap = ENABLED
2022-05-17 12:15:39 mssfix_fixed = DISABLED
2022-05-17 12:15:39 explicit_exit_notification = 0
2022-05-17 12:15:39 tls_auth_file = '[UNDEF]'
2022-05-17 12:15:39 key_direction = not set
2022-05-17 12:15:39 tls_crypt_file = '[INLINE]'
2022-05-17 12:15:39 tls_crypt_v2_file = '[UNDEF]'
2022-05-17 12:15:39 Connection profiles END
2022-05-17 12:15:39 remote_random = ENABLED
2022-05-17 12:15:39 ipchange = '[UNDEF]'
2022-05-17 12:15:39 dev = 'tun'
2022-05-17 12:15:39 dev_type = '[UNDEF]'
2022-05-17 12:15:39 dev_node = '[UNDEF]'
2022-05-17 12:15:39 lladdr = '[UNDEF]'
2022-05-17 12:15:39 topology = 1
2022-05-17 12:15:39 ifconfig_local = '[UNDEF]'
2022-05-17 12:15:39 ifconfig_remote_netmask = '[UNDEF]'
2022-05-17 12:15:39 ifconfig_noexec = DISABLED
2022-05-17 12:15:39 ifconfig_nowarn = ENABLED
2022-05-17 12:15:39 ifconfig_ipv6_local = '[UNDEF]'
2022-05-17 12:15:39 ifconfig_ipv6_netbits = 0
2022-05-17 12:15:39 ifconfig_ipv6_remote = '[UNDEF]'
2022-05-17 12:15:39 shaper = 0
2022-05-17 12:15:39 mtu_test = 0
2022-05-17 12:15:39 mlock = DISABLED
2022-05-17 12:15:39 keepalive_ping = 0
2022-05-17 12:15:39 keepalive_timeout = 0
2022-05-17 12:15:39 inactivity_timeout = 0
2022-05-17 12:15:39 inactivity_minimum_bytes = 0
2022-05-17 12:15:39 ping_send_timeout = 0
2022-05-17 12:15:39 ping_rec_timeout = 0
2022-05-17 12:15:39 ping_rec_timeout_action = 0
2022-05-17 12:15:39 ping_timer_remote = DISABLED
2022-05-17 12:15:39 remap_sigusr1 = 0
2022-05-17 12:15:39 persist_tun = ENABLED
2022-05-17 12:15:39 persist_local_ip = DISABLED
2022-05-17 12:15:39 persist_remote_ip = DISABLED
2022-05-17 12:15:39 persist_key = DISABLED
2022-05-17 12:15:39 passtos = DISABLED
2022-05-17 12:15:39 resolve_retry_seconds = 60
2022-05-17 12:15:39 resolve_in_advance = ENABLED
2022-05-17 12:15:39 username = '[UNDEF]'
2022-05-17 12:15:39 groupname = '[UNDEF]'
2022-05-17 12:15:39 chroot_dir = '[UNDEF]'
2022-05-17 12:15:39 cd_dir = '[UNDEF]'
2022-05-17 12:15:39 writepid = '[UNDEF]'
2022-05-17 12:15:39 up_script = '[UNDEF]'
2022-05-17 12:15:39 down_script = '[UNDEF]'
2022-05-17 12:15:39 down_pre = DISABLED
2022-05-17 12:15:39 up_restart = DISABLED
2022-05-17 12:15:39 up_delay = DISABLED
2022-05-17 12:15:39 daemon = DISABLED
2022-05-17 12:15:39 log = DISABLED
2022-05-17 12:15:39 suppress_timestamps = DISABLED
2022-05-17 12:15:39 machine_readable_output = ENABLED
2022-05-17 12:15:39 nice = 0
2022-05-17 12:15:39 verbosity = 4
2022-05-17 12:15:39 mute = 0
2022-05-17 12:15:39 gremlin = 0
2022-05-17 12:15:39 status_file = '[UNDEF]'
2022-05-17 12:15:39 status_file_version = 1
2022-05-17 12:15:39 status_file_update_freq = 60
2022-05-17 12:15:39 occ = ENABLED
2022-05-17 12:15:39 rcvbuf = 0
2022-05-17 12:15:39 sndbuf = 0
2022-05-17 12:15:39 sockflags = 0
2022-05-17 12:15:39 fast_io = DISABLED
2022-05-17 12:15:39 comp.alg = 0
2022-05-17 12:15:39 comp.flags = 0
2022-05-17 12:15:39 route_script = '[UNDEF]'
2022-05-17 12:15:39 route_default_gateway = '[UNDEF]'
2022-05-17 12:15:39 route_default_metric = 0
2022-05-17 12:15:39 route_noexec = DISABLED
2022-05-17 12:15:39 route_delay = 0
2022-05-17 12:15:39 route_delay_window = 30
2022-05-17 12:15:39 route_delay_defined = DISABLED
2022-05-17 12:15:39 route_nopull = DISABLED
2022-05-17 12:15:39 route_gateway_via_dhcp = DISABLED
2022-05-17 12:15:39 allow_pull_fqdn = DISABLED
2022-05-17 12:15:39 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-05-17 12:15:39 management_port = 'unix'
2022-05-17 12:15:39 management_user_pass = '[UNDEF]'
2022-05-17 12:15:39 management_log_history_cache = 250
2022-05-17 12:15:39 management_echo_buffer_size = 100
2022-05-17 12:15:39 management_write_peer_info_file = '[UNDEF]'
2022-05-17 12:15:39 management_client_user = '[UNDEF]'
2022-05-17 12:15:39 management_client_group = '[UNDEF]'
2022-05-17 12:15:39 management_flags = 16678
2022-05-17 12:15:39 shared_secret_file = '[UNDEF]'
2022-05-17 12:15:39 key_direction = not set
2022-05-17 12:15:39 ciphername = 'AES-256-GCM'
2022-05-17 12:15:39 ncp_ciphers = 'AES-256-GCM'
2022-05-17 12:15:39 authname = 'SHA256'
2022-05-17 12:15:39 engine = DISABLED
2022-05-17 12:15:39 replay = ENABLED
2022-05-17 12:15:39 mute_replay_warnings = DISABLED
2022-05-17 12:15:39 replay_window = 64
2022-05-17 12:15:39 replay_time = 15
2022-05-17 12:15:39 packet_id_file = '[UNDEF]'
2022-05-17 12:15:39 test_crypto = DISABLED
2022-05-17 12:15:39 tls_server = DISABLED
2022-05-17 12:15:39 tls_client = ENABLED
2022-05-17 12:15:39 ca_file = '[INLINE]'
2022-05-17 12:15:39 ca_path = '[UNDEF]'
2022-05-17 12:15:39 dh_file = '[UNDEF]'
2022-05-17 12:15:39 cert_file = '[INLINE]'
2022-05-17 12:15:39 extra_certs_file = '[UNDEF]'
2022-05-17 12:15:39 priv_key_file = '[INLINE]'
2022-05-17 12:15:39 pkcs12_file = '[UNDEF]'
2022-05-17 12:15:39 cipher_list = '[UNDEF]'
2022-05-17 12:15:39 cipher_list_tls13 = '[UNDEF]'
2022-05-17 12:15:39 tls_cert_profile = 'preferred'
2022-05-17 12:15:39 tls_verify = '[UNDEF]'
2022-05-17 12:15:39 tls_export_cert = '[UNDEF]'
2022-05-17 12:15:39 verify_x509_type = 0
2022-05-17 12:15:39 verify_x509_name = '[UNDEF]'
2022-05-17 12:15:39 crl_file = '[UNDEF]'
2022-05-17 12:15:39 ns_cert_type = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 65535
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_ku[i] = 0
2022-05-17 12:15:39 remote_cert_eku = 'TLS Web Server Authentication'
2022-05-17 12:15:39 ssl_flags = 192
2022-05-17 12:15:39 tls_timeout = 2
2022-05-17 12:15:39 renegotiate_bytes = -1
2022-05-17 12:15:39 renegotiate_packets = 0
2022-05-17 12:15:39 renegotiate_seconds = 3600
2022-05-17 12:15:39 handshake_window = 60
2022-05-17 12:15:39 transition_window = 3600
2022-05-17 12:15:39 single_session = DISABLED
2022-05-17 12:15:39 push_peer_info = ENABLED
2022-05-17 12:15:39 tls_exit = DISABLED
2022-05-17 12:15:39 tls_crypt_v2_metadata = '[UNDEF]'
2022-05-17 12:15:39 server_network = 0.0.0.0
2022-05-17 12:15:39 server_netmask = 0.0.0.0
2022-05-17 12:15:39 server_network_ipv6 = ::
2022-05-17 12:15:39 server_netbits_ipv6 = 0
2022-05-17 12:15:39 server_bridge_ip = 0.0.0.0
2022-05-17 12:15:39 server_bridge_netmask = 0.0.0.0
2022-05-17 12:15:39 server_bridge_pool_start = 0.0.0.0
2022-05-17 12:15:39 server_bridge_pool_end = 0.0.0.0
2022-05-17 12:15:39 ifconfig_pool_defined = DISABLED
2022-05-17 12:15:39 ifconfig_pool_start = 0.0.0.0
2022-05-17 12:15:39 ifconfig_pool_end = 0.0.0.0
2022-05-17 12:15:39 ifconfig_pool_netmask = 0.0.0.0
2022-05-17 12:15:39 ifconfig_pool_persist_filename = '[UNDEF]'
2022-05-17 12:15:39 ifconfig_pool_persist_refresh_freq = 600
2022-05-17 12:15:39 ifconfig_ipv6_pool_defined = DISABLED
2022-05-17 12:15:39 ifconfig_ipv6_pool_base = ::
2022-05-17 12:15:39 ifconfig_ipv6_pool_netbits = 0
2022-05-17 12:15:39 n_bcast_buf = 256
2022-05-17 12:15:39 tcp_queue_limit = 64
2022-05-17 12:15:39 real_hash_size = 256
2022-05-17 12:15:39 virtual_hash_size = 256
2022-05-17 12:15:39 client_connect_script = '[UNDEF]'
2022-05-17 12:15:39 learn_address_script = '[UNDEF]'
2022-05-17 12:15:39 client_disconnect_script = '[UNDEF]'
2022-05-17 12:15:39 client_config_dir = '[UNDEF]'
2022-05-17 12:15:39 ccd_exclusive = DISABLED
2022-05-17 12:15:39 tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-05-17 12:15:39 push_ifconfig_defined = DISABLED
2022-05-17 12:15:39 push_ifconfig_local = 0.0.0.0
2022-05-17 12:15:39 push_ifconfig_remote_netmask = 0.0.0.0
2022-05-17 12:15:39 push_ifconfig_ipv6_defined = DISABLED
2022-05-17 12:15:39 push_ifconfig_ipv6_local = ::/0
2022-05-17 12:15:39 push_ifconfig_ipv6_remote = ::
2022-05-17 12:15:39 enable_c2c = DISABLED
2022-05-17 12:15:39 duplicate_cn = DISABLED
2022-05-17 12:15:39 cf_max = 0
2022-05-17 12:15:39 cf_per = 0
2022-05-17 12:15:39 max_clients = 1024
2022-05-17 12:15:39 max_routes_per_client = 256
2022-05-17 12:15:39 auth_user_pass_verify_script = '[UNDEF]'
2022-05-17 12:15:39 auth_user_pass_verify_script_via_file = DISABLED
2022-05-17 12:15:39 auth_token_generate = DISABLED
2022-05-17 12:15:39 auth_token_lifetime = 0
2022-05-17 12:15:39 auth_token_secret_file = '[UNDEF]'
2022-05-17 12:15:39 port_share_host = '[UNDEF]'
2022-05-17 12:15:39 port_share_port = '[UNDEF]'
2022-05-17 12:15:39 vlan_tagging = DISABLED
2022-05-17 12:15:39 vlan_accept = all
2022-05-17 12:15:39 vlan_pvid = 1
2022-05-17 12:15:39 client = ENABLED
2022-05-17 12:15:39 pull = ENABLED
2022-05-17 12:15:39 auth_user_pass_file = '[UNDEF]'
2022-05-17 12:15:39 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.37-0-g53560170] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 7 2022
2022-05-17 12:15:39 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
2022-05-17 12:15:39 Waiting 0s seconds between connection attempt
2022-05-17 12:15:39 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-05-17 12:15:39 MANAGEMENT: CMD 'version 3'
2022-05-17 12:15:39 MANAGEMENT: CMD 'hold release'
2022-05-17 12:15:39 MANAGEMENT: CMD 'bytecount 2'
2022-05-17 12:15:39 MANAGEMENT: CMD 'state on'
2022-05-17 12:15:39 MANAGEMENT: CMD 'proxy NONE'
2022-05-17 12:15:40 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-05-17 12:15:40 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA2-256' for HMAC authentication
2022-05-17 12:15:40 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-05-17 12:15:40 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA2-256' for HMAC authentication
2022-05-17 12:15:40 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-05-17 12:15:40 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 headroom:136 payload:1736 tailroom:557 ET:0 ]
2022-05-17 12:15:40 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
2022-05-17 12:15:40 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
2022-05-17 12:15:40 TCP/UDP: Preserving recently used remote address: [AF_INET]XXXXXXXX
2022-05-17 12:15:40 Socket Buffers: R=[1048576->1048576] S=[524288->524288]
2022-05-17 12:15:40 Attempting to establish TCP connection with [AF_INET]XXXXXXXX
2022-05-17 12:15:40 MANAGEMENT: >STATE:1652778940,TCP_CONNECT,,,,,,
2022-05-17 12:15:40 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'

OpenVPN Server Version

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc [email protected]
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

My server config

port 11443

proto tcp

dev tun

ca server/ca.crt
cert server/server.crt
key server/server.key # This file should be kept secret

dh none

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /var/log/openvpn/ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

keepalive 10 120

tls-crypt server/ta.key

cipher AES-256-GCM
auth SHA256

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn/openvpn-status.log

log /var/log/openvpn/openvpn.log

verb 4

explicit-exit-notify 0

Not sure how I could get app to connect

[schwabe]

The clinet logs seems to be cut short. What happens? Just a timeout, does the server log say anything about this?

[Makishima]

Not sure why it is not in log but there one line after Attempting
12:39 SIGUSR1[connection failed(soft),init_instance] received, process restarting

To clarify that problem (as I see) is not server, I have 2nd client on older version that could connect

[schwabe]

Anything in the server log at all?

[Makishima]

Anything in the server log at all?

Sorry, nothing at server log even with verbose 11.
I switched back to 0.7.33 to get it work

[lulol]

Stumbled upon this same issue. Older client (using OpenSSL 1.1.1) connects, latest (OpenSSL 3.0.3) won't.

The server reports TLS Error: TLS handshake failed and the client TLS error: Unsupported protocol.

Have verified that both server and client support TLS-DHE-RSA-WITH-AES-128-CBC-SHA and as suggested tried tls-version-min 1.0 (and also with tls-version-max 1.0) but doesn't solve the issue.

OpenSSL 3 changed some names, may be causing the issue?

Server log with show-tls

$ openvpn --show-tls
Available TLS Ciphers,
listed in order of preference:
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
KRB5-DES-CBC3-MD5 (No IANA name known to OpenVPN, use OpenSSL name.)
KRB5-DES-CBC3-SHA (No IANA name known to OpenVPN, use OpenSSL name.)

Server config

port 1194
proto udp
dev tun
ca   test/ca.crt
cert test/test.crt
key  test/test.key
dh   test/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist test.txt
push "route 192.168.16.0 255.255.255.0"
client-config-dir ccd
push "dhcp-option DNS 172.16.0.x"
push "dhcp-option DOMAIN xxxxxxxx"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
auth SHA256
cipher AES-128-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6

Server connect log with verb 6

Tue May 31 01:38:41 2022 us=2432 MULTI: multi_create_instance called
Tue May 31 01:38:41 2022 us=2493 xx.xx.xx.xx:yyyyy Re-using SSL/TLS context
Tue May 31 01:38:41 2022 us=2540 xx.xx.xx.xx:yyyyy LZO compression initialized
Tue May 31 01:38:41 2022 us=2664 xx.xx.xx.xx:yyyyy Control Channel MTU parms [ L:1570 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Tue May 31 01:38:41 2022 us=2680 xx.xx.xx.xx:yyyyy Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
Tue May 31 01:38:41 2022 us=2710 xx.xx.xx.xx:yyyyy Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Tue May 31 01:38:41 2022 us=2720 xx.xx.xx.xx:yyyyy Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Tue May 31 01:38:41 2022 us=2743 xx.xx.xx.xx:yyyyy Local Options hash (VER=V4): '1089825c'
Tue May 31 01:38:41 2022 us=2759 xx.xx.xx.xx:yyyyy Expected Remote Options hash (VER=V4): '6907942a'
Tue May 31 01:38:41 2022 us=2814 xx.xx.xx.xx:yyyyy UDPv4 READ [54] from [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Tue May 31 01:38:41 2022 us=2833 xx.xx.xx.xx:yyyyy TLS: Initial packet from [AF_INET]xx.xx.xx.xx:yyyyy, sid=3df5039b c0e20796
Tue May 31 01:38:41 2022 us=2882 xx.xx.xx.xx:yyyyy UDPv4 WRITE [66] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Tue May 31 01:38:41 2022 us=18032 xx.xx.xx.xx:yyyyy UDPv4 READ [343] from [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=277
Tue May 31 01:38:41 2022 us=125488 xx.xx.xx.xx:yyyyy UDPv4 WRITE [62] to [AF_INET]xx.xx.xx.xx:yyyyy: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
Tue May 31 01:38:41 2022 us=125754 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=1 DATA len=1094
Tue May 31 01:38:41 2022 us=125970 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=1094
Tue May 31 01:38:41 2022 us=126038 xx.xx.xx.xx:yyyyy UDPv4 WRITE [404] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=350
Tue May 31 01:38:43 2022 us=240156 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=1 DATA len=1094
Tue May 31 01:38:44 2022 us=360156 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=2 DATA len=1094
Tue May 31 01:38:45 2022 us=480166 xx.xx.xx.xx:yyyyy UDPv4 WRITE [404] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=3 DATA len=350
Tue May 31 01:38:47 2022 us=720198 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=1 DATA len=1094
Tue May 31 01:38:48 2022 us=840162 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=2 DATA len=1094
Tue May 31 01:38:49 2022 us=960157 xx.xx.xx.xx:yyyyy UDPv4 WRITE [404] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=3 DATA len=350
Tue May 31 01:38:55 2022 us=350163 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #12 ] [ ] pid=1 DATA len=1094
Tue May 31 01:38:56 2022 us=430159 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #13 ] [ ] pid=2 DATA len=1094
Tue May 31 01:38:57 2022 us=510174 xx.xx.xx.xx:yyyyy UDPv4 WRITE [404] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #14 ] [ ] pid=3 DATA len=350
Tue May 31 01:39:11 2022 us=460189 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=1 DATA len=1094
Tue May 31 01:39:12 2022 us=670164 xx.xx.xx.xx:yyyyy UDPv4 WRITE [1148] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=2 DATA len=1094
Tue May 31 01:39:13 2022 us=880157 xx.xx.xx.xx:yyyyy UDPv4 WRITE [404] to [AF_INET]xx.xx.xx.xx:yyyyy: P_CONTROL_V1 kid=0 pid=[ #17 ] [ ] pid=3 DATA len=350
Tue May 31 01:39:41 2022 us=480093 xx.xx.xx.xx:yyyyy TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue May 31 01:39:41 2022 us=480126 xx.xx.xx.xx:yyyyy TLS Error: TLS handshake failed
Tue May 31 01:39:41 2022 us=480270 xx.xx.xx.xx:yyyyy SIGUSR1[soft,tls-error] received, client-instance restarting

Client connect log

...
2022-05-31 01:38:40 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA2-256,keysize 128,tls-auth,key-method 2,tls-client'
2022-05-31 01:38:40 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-128-CBC,auth SHA2-256,keysize 128,tls-auth,key-method 2,tls-server'
2022-05-31 01:38:40 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:yyyyy
2022-05-31 01:38:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-05-31 01:38:40 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-05-31 01:38:40 UDP link local (bound): [AF_INET][undef]:zzzzz
2022-05-31 01:38:40 UDP link remote: [AF_INET]xx.xx.xx.xx:yyyyy
2022-05-31 01:38:40 MANAGEMENT: >STATE:1653961120,WAIT,,,,,,
2022-05-31 01:38:40 Debug state info: CONNECTED  to WIFI "AP", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-05-31 01:38:41 MANAGEMENT: >STATE:1653961121,AUTH,,,,,,
2022-05-31 01:38:41 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:yyyyy, sid=a4738d32 6371c62d
2022-05-31 01:38:41 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-31 01:38:41 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-31 01:38:41 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-31 01:38:41 TLS Error: TLS object -> incoming plaintext read error
2022-05-31 01:38:41 TLS Error: TLS handshake failed
2022-05-31 01:38:41 TCP/UDP: Closing socket
2022-05-31 01:38:41 SIGUSR1[soft,tls-error] received, process restarting
2022-05-31 01:38:41 MANAGEMENT: >STATE:1653961121,RECONNECTING,tls-error,,,,,
2022-05-31 01:38:41 Waiting 2s seconds between connection attempt
...

Client log with show-tls

2022-05-31 01:58:17 official build 0.7.37 running on Android (MT6753), Android 6.0 (Android_20161226) API 23, ABI arm64-v8a, (alps/full_wtk6753_65u_m0/wtk6753_65u_m0:6.0/MRA58K/1482734689:user/dev-keys)
2022-05-31 01:58:17 Building configuration…
2022-05-31 01:58:17 started Socket Thread
2022-05-31 01:58:17 P:WARNING: linker: /data/user/0/de.blinkt.openvpn/cache/c_pie_openvpn.arm64-v8a: unsupported flags DT_FLAGS_1=0x8000001
2022-05-31 01:58:17 Network Status: CONNECTED  to WIFI "AP"
2022-05-31 01:58:17 Debug state info: CONNECTED  to WIFI "AP", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-05-31 01:58:17 Debug state info: CONNECTED  to WIFI "AP", pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-05-31 01:58:17 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-31 01:58:17 P:Available TLS Ciphers, listed in order of preference:
2022-05-31 01:58:17 P:
2022-05-31 01:58:17 P:For TLS 1.3 and newer (--tls-ciphersuites):
2022-05-31 01:58:17 P:
2022-05-31 01:58:17 P:TLS_AES_256_GCM_SHA384
2022-05-31 01:58:17 P:TLS_CHACHA20_POLY1305_SHA256
2022-05-31 01:58:17 P:TLS_AES_128_GCM_SHA256
2022-05-31 01:58:17 P:
2022-05-31 01:58:17 P:For TLS 1.2 and older (--tls-cipher):
2022-05-31 01:58:17 P:
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2022-05-31 01:58:17 P:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
2022-05-31 01:58:17 P:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
2022-05-31 01:58:17 P:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
2022-05-31 01:58:17 P:
2022-05-31 01:58:17 P:Be aware that that whether a cipher suite in this list can actually work
2022-05-31 01:58:17 P:depends on the specific setup of both peers. See the man page entries of
2022-05-31 01:58:17 P:--tls-cipher and --show-tls for more details.
2022-05-31 01:58:17 P:

---

Edit: Also tried with TLS-DHE-RSA-WITH-AES-256-CBC-SHA

[schwabe]

Hardcoding tls-cipher like that is usually a bad idea unless you know exactly what you are doing. But your problem is not tls-cipher but TLS version. It looks like your server does not support TLS 1.2. You are probably running a very old version on your server (< 2.3.7). You can try enabling compatibility with < 2.3 and you might also need to enable insecure tls security option to enable TLS 1.0 again.

[lulol]

The server in fact is old but did support TLSv1.2 although was compiled with OpenSSL 0.9.8a.

None of the legacy options helped with the issue.

Have been able to custom compile the server with more up to date OpenSSL libraries and now all works again in version 0.7.37 with modern and preferred default options.

Thanks for your help.

[schwabe]

Old OpenVPN versions before 2.3.7 use TLS 1.0 only even if compiled with an OpenSSL library that support newer versions. As the message indicates if your server is between 2.3.3 and 2.3.6 you can add the tls-version-min 1.0 to the server configuration