Getting TLS error when trying to use OpenVPN server

Hi there. I have set up an OpenVPN server following this tutorial: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server

The server starts and appears to be listening for connections fine.
This is the log from the openvpn startup sequence:

Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: OpenVPN 2.5.3 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: TUN/TAP device tun0 opened
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_iface_mtu_set: mtu 1500 for tun0
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_iface_up: set tun0 up
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: net_addr_v4_add: 192.168.18.1/24 dev tun0
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: /usr/libexec/openvpn-hotplug up server tun0 1500 1621 192.168.18.1 255.255.255.0 init
Fri Oct 22 17:14:29 2021 daemon.warn openvpn(server)[3757]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UDPv4 link remote: [AF_UNSPEC]
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: GID set to nogroup
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: UID set to nobody
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: Initialization Sequence Completed

When I try to connect using Viscosity, though, I get this error in the OpenWRT log:

Fri Oct 22 18:39:12 2021 daemon.err openvpn(server)[3757]: TLS Error: could not determine wrapping from [AF_INET]172.16.9.1:63983

The VPN client keeps trying and this error keeps coming back until I eventually stop the client from trying.

OpenWRT runs on a VM on top of Fusion and it receives an IP address on the LAN via DHCP. The address is 172.16.9.2.
172.16.9.1 is the IP address of the VMware virtual network host machine.

This is the log from Viscosity client:

2021-10-22 15:50:37: State changed to Connecting
2021-10-22 15:50:37: Checking reachability status of connection...
2021-10-22 15:50:37: Connection is reachable. Starting connection attempt.
2021-10-22 15:50:37: OpenVPN 2.4.11 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Aug 26 2021
2021-10-22 15:50:37: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2021-10-22 15:50:37: Valid endpoint found: 172.16.9.2:1194:udp
2021-10-22 15:50:37: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2021-10-22 15:50:37: TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.9.2:1194
2021-10-22 15:50:37: UDP link local: (not bound)
2021-10-22 15:50:37: UDP link remote: [AF_INET]172.16.9.2:1194

The attempt to connect ends on the last line of the log... it will stay there pretty much until killed.

Any help will be welcomed!

Upgrade the client to OpenVPN 2.5 supporting TLS crypt v2.
Or use the following revision of the page:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server?rev=1632708683

Thanks for the help.
I checked my vpn client software, and I'm running the latest available version.

I re-ran the configuration and replaced the CA cert on the client, yet I still get the same result in the OpenWRT logs.

This is not about certs, but the TLS crypt key v2, that is only supported by OpenVPN 2.5.
The current page revision generates keys and configs with tls-crypt-v2.
But you need to regenerate the TLS crypt key and use tls-crypt for OpenVPN 2.4.
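The tls-crypt versus tls-crypt-v2 compatibility point above, as an added example that is not part of the thread: a small Python check that reads the control-channel wrapping option out of an OpenVPN server config and compares it with the version in the client's log banner. The config text is a constructed sample with placeholder key bodies; the version thresholds are the ones stated in this thread (tls-crypt-v2 needs 2.5, tls-crypt needs 2.4).

```python
import re

# Constructed sample of a server config with inline key material (placeholder
# bodies, not real keys); same layout as the config quoted in this thread.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
PLACEHOLDER
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

# Minimum OpenVPN (major, minor) that understands each wrapping option.
MIN_VERSION = {"tls-crypt-v2": (2, 5), "tls-crypt": (2, 4), "tls-auth": (2, 0)}


def wrapping_mode(conf: str):
    """Return the wrapping option a config uses, or None if the control
    channel is unwrapped. Both the inline <opt> block and the 'opt file'
    line form are recognised; v2 is checked first so it is never mistaken
    for plain tls-crypt."""
    for opt in ("tls-crypt-v2", "tls-crypt", "tls-auth"):
        if re.search(rf"^<{opt}>\s*$", conf, re.M) or re.search(rf"^{opt}\s+\S", conf, re.M):
            return opt
    return None


def parse_version(banner: str):
    """Extract (major, minor) from a client log line such as 'OpenVPN 2.4.11 x86_64-apple-darwin'."""
    m = re.search(r"OpenVPN (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no OpenVPN version in banner")
    return int(m.group(1)), int(m.group(2))


def client_compatible(conf: str, client_banner: str) -> bool:
    """True if the client version can unwrap the server's control channel."""
    mode = wrapping_mode(conf)
    return mode is None or parse_version(client_banner) >= MIN_VERSION[mode]


if __name__ == "__main__":
    print(wrapping_mode(SAMPLE_SERVER_CONF),
          client_compatible(SAMPLE_SERVER_CONF, "OpenVPN 2.4.11 x86_64-apple-darwin"))
```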

I did regenerate the keys using tls-crypt I assume (I followed the instructions you shared).

I suppose this line cleans all previous keys that were created with tls-crypt-v2:

easyrsa init-pki

This is the first time I have set up an OpenVPN server, so forgive my ignorance. I've been scouring through all the articles and blogs I can find to try to get this working.

This is the current server configuration:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.18.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.18.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

I supposed from this:

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>

that the server is effectively not using tls-crypt-v2?


If the issue persists, try to comment out the TLS crypt section for both server and client.
Also make sure to disable compression on the client side.

Completely removed the section from the config file.
Restarted the service.
Tried configuring the client using the CA, cert and private key from the server.
I got this in OpenWRT logs:

Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server, serial=30587019811267326290794648221475258883
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 TLS_ERROR: BIO read tls_read_plaintext error
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 TLS Error: TLS object -> incoming plaintext read error
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 TLS Error: TLS handshake failed

The client is more limited in what it supports configuring. Viscosity provides a visual interface with a few options. The only option that doesn't refer to TLS is called "static key" and expects a "secret file" to be linked to the config. Not sure if this is supported with OpenVPN on OpenWRT.
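The two server-side failures seen in this thread (the "could not determine wrapping" error from the first post and the "unsupported certificate purpose" error above) as an added example, not part of the thread: a Python triage function that runs over constructed copies of those OpenWrt syslog lines and names the likely cause of each, so the two very different problems are not confused with one another.

```python
import re

# Constructed sample modelled on the OpenWrt syslog lines quoted in this thread
# (serial shortened; not real output from any system).
SAMPLE_LOG = """\
Fri Oct 22 18:39:12 2021 daemon.err openvpn(server)[3757]: TLS Error: could not determine wrapping from [AF_INET]172.16.9.1:63983
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server, serial=1
Fri Oct 22 21:44:58 2021 daemon.err openvpn(server)[9720]: 172.16.9.1:52290 TLS Error: TLS handshake failed
Fri Oct 22 17:14:29 2021 daemon.notice openvpn(server)[3757]: Initialization Sequence Completed
"""

# Ordered rules: (category, regex, explanation template). First match wins, so
# the specific VERIFY line is classified before the generic handshake line.
RULES = [
    ("wrapping-mismatch",
     r"could not determine wrapping from \[AF_INET\](\S+)",
     "peer {0}: control-channel packet could not be unwrapped; tls-crypt/tls-crypt-v2 "
     "mode or key differs between client and server (a 2.4 client cannot do tls-crypt-v2)"),
    ("cert-purpose",
     r"(\S+) VERIFY ERROR: depth=0, error=unsupported certificate purpose: (CN=[^,]+)",
     "peer {0}: certificate {1} has the wrong extended key usage for a client; "
     "a server certificate was probably installed on the client"),
    ("handshake-failed",
     r"(\S+) TLS Error: TLS handshake failed",
     "peer {0}: handshake failed; the cause is in the preceding VERIFY/OpenSSL lines"),
]


def triage(log: str):
    """Classify each daemon.err line; returns dicts with category, remote and detail."""
    findings = []
    for line in log.splitlines():
        if "daemon.err" not in line:
            continue  # only error lines are triaged; notices are skipped
        for category, pattern, template in RULES:
            m = re.search(pattern, line)
            if m:
                findings.append({"category": category, "remote": m.group(1),
                                 "detail": template.format(*m.groups())})
                break
        else:
            findings.append({"category": "unclassified", "remote": None,
                             "detail": line.split("]: ", 1)[-1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']}] {f['detail']}")
```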

Got it working by putting in the right certs (client cert and key).
Now I have a routing dilemma.

For some reason, the IP address I get has a gateway pointing to itself:

netstat -rn

192.168.18         192.168.18.2       UGSc        utun10       
192.168.18.2       192.168.18.2       UH          utun10       

I have never seen anything like this.
This is the server config:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.18.0 255.255.255.0
topology subnet
keepalive 10 60
persist-tun
persist-key
# push "dhcp-option DNS 192.168.18.1"
# push "dhcp-option DOMAIN lan"
# push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

The server config looks normal, so the problem should be on the client side.
I import the generated VPN profile to NetworkManager and it works just fine.

Since starting from scratch, perhaps you shouldn't even bother with OpenVPN.
WireGuard is preferable for better performance and easier configuration.
