[HELP] Configuration tap server/client OpenVPN

So the server isn't a web server? If it's not a web server, ports don't need to be forwarded. As to accessing Samba shares, the configs from the wiki will work.

Have you read the recommended OpenVPN HowTo and Man pages?


Yes, but I really can't understand how to connect to my server behind my remote router without an IP assigned to it.
For now I can just access the router (OpenVPN server) without any problem.

EDIT: I'm a retard. I just need to access the LAN IP on the VPN. Lel, thanks a lot for your help.

I've tried to run it on my home router but without success. It's not important, but if you want, could you please help me with this last one?

Server log:

Sat Apr 21 22:50:39 2018 us=962273 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Apr 21 22:50:39 2018 us=962345 library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.10
Sat Apr 21 22:50:39 2018 us=963032 Diffie-Hellman initialized with 2048 bit key
Sat Apr 21 22:50:39 2018 us=963142 No valid translation found for TLS cipher '!aNULL'
Sat Apr 21 22:50:39 2018 us=963194 No valid translation found for TLS cipher '!eNULL'
Sat Apr 21 22:50:39 2018 us=963258 No valid translation found for TLS cipher '!3DES'
Sat Apr 21 22:50:39 2018 us=963304 No valid translation found for TLS cipher '!MD5'
Sat Apr 21 22:50:39 2018 us=963351 No valid translation found for TLS cipher '!SHA'
Sat Apr 21 22:50:39 2018 us=963414 No valid translation found for TLS cipher '!PSK'
Sat Apr 21 22:50:39 2018 us=963477 No valid translation found for TLS cipher '!DSS'
Sat Apr 21 22:50:39 2018 us=963522 No valid translation found for TLS cipher '!RC4'
Sat Apr 21 22:50:39 2018 us=974164 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr 21 22:50:39 2018 us=974228 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Apr 21 22:50:39 2018 us=974274 TLS-Auth MTU parms [ L:48121 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Apr 21 22:50:39 2018 us=980241 TUN/TAP device tun0 opened
Sat Apr 21 22:50:39 2018 us=980550 TUN/TAP TX queue length set to 100
Sat Apr 21 22:50:39 2018 us=980622 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Apr 21 22:50:39 2018 us=980719 /sbin/ifconfig tun0 10.1.0.1 netmask 255.255.255.240 mtu 48000 broadcast 10.1.0.15
Sat Apr 21 22:50:39 2018 us=988581 Data Channel MTU parms [ L:48121 D:48121 EF:121 EB:8156 ET:0 EL:3 ]
Sat Apr 21 22:50:39 2018 us=988738 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Apr 21 22:50:39 2018 us=988807 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sat Apr 21 22:50:39 2018 us=988872 UDPv4 link local (bound): [AF_INET][undef]:5000
Sat Apr 21 22:50:39 2018 us=988914 UDPv4 link remote: [AF_UNSPEC]
Sat Apr 21 22:50:39 2018 us=989014 GID set to nogroup
Sat Apr 21 22:50:39 2018 us=989063 UID set to nobody
Sat Apr 21 22:50:39 2018 us=989103 MULTI: multi_init called, r=256 v=256
Sat Apr 21 22:50:39 2018 us=989157 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Sat Apr 21 22:50:39 2018 us=989807 Initialization Sequence Completed
Sat Apr 21 22:50:53 2018 us=614040 MULTI: multi_create_instance called
Sat Apr 21 22:50:53 2018 us=614192 79.50.176.249:53824 Re-using SSL/TLS context
Sat Apr 21 22:50:53 2018 us=615831 79.50.176.249:53824 Control Channel MTU parms [ L:48121 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sat Apr 21 22:50:53 2018 us=615893 79.50.176.249:53824 Data Channel MTU parms [ L:48121 D:48121 EF:121 EB:8156 ET:0 EL:3 ]
Sat Apr 21 22:50:53 2018 us=615988 79.50.176.249:53824 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Sat Apr 21 22:50:53 2018 us=616024 79.50.176.249:53824 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
RSat Apr 21 22:50:53 2018 us=616109 79.50.176.249:53824 TLS: Initial packet from [AF_INET]79.50.176.249:53824, sid=4c2c5c02 71f71528
WRRSat Apr 21 22:50:53 2018 us=661080 79.50.176.249:53824 OpenSSL: error:140760FC:lib(20):func(118):reason(252)
Sat Apr 21 22:50:53 2018 us=661139 79.50.176.249:53824 TLS_ERROR: BIO read tls_read_plaintext error
Sat Apr 21 22:50:53 2018 us=661172 79.50.176.249:53824 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 21 22:50:53 2018 us=661202 79.50.176.249:53824 TLS Error: TLS handshake failed
Sat Apr 21 22:50:53 2018 us=662068 79.50.176.249:53824 SIGUSR1[soft,tls-error] received, client-instance restarting

Client (router) log:

Apr 22 00:50:51 rc_service: httpd 9298:notify_rc restart_vpncall
Apr 22 00:50:53 vpnclient5[19555]: Current Parameter Settings:
Apr 22 00:50:53 vpnclient5[19555]:   config = 'config.ovpn'
Apr 22 00:50:53 vpnclient5[19555]:   mode = 0
Apr 22 00:50:53 vpnclient5[19555]:   persist_config = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   persist_mode = 1
Apr 22 00:50:53 vpnclient5[19555]:   show_ciphers = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   show_digests = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   show_engines = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   genkey = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   key_pass_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   show_tls_ciphers = DISABLED
Apr 22 00:50:53 vpnclient5[19555]: Connection profiles [default]:
Apr 22 00:50:53 vpnclient5[19555]:   proto = udp
Apr 22 00:50:53 vpnclient5[19555]:   local = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   local_port = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote = 'keltere.com'
Apr 22 00:50:53 vpnclient5[19555]:   remote_port = 5000
Apr 22 00:50:53 vpnclient5[19555]:   remote_float = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   bind_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   bind_local = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   connect_retry_seconds = 5
Apr 22 00:50:53 vpnclient5[19555]:   connect_timeout = 10
Apr 22 00:50:53 vpnclient5[19555]:   connect_retry_max = 0
Apr 22 00:50:53 vpnclient5[19555]:   tun_mtu = 48000
Apr 22 00:50:53 vpnclient5[19555]:   tun_mtu_defined = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   link_mtu = 1500
Apr 22 00:50:53 vpnclient5[19555]:   link_mtu_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tun_mtu_extra = 0
Apr 22 00:50:53 vpnclient5[19555]:   tun_mtu_extra_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   mtu_discover_type = -1
Apr 22 00:50:53 vpnclient5[19555]:   fragment = 0
Apr 22 00:50:53 vpnclient5[19555]:   mssfix = 0
Apr 22 00:50:53 vpnclient5[19555]:   explicit_exit_notification = 0
Apr 22 00:50:53 vpnclient5[19555]: Connection profiles END
Apr 22 00:50:53 vpnclient5[19555]:   remote_random = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ipchange = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   dev = 'tun15'
Apr 22 00:50:53 vpnclient5[19555]:   dev_type = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   dev_node = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   lladdr = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   topology = 1
Apr 22 00:50:53 vpnclient5[19555]:   tun_ipv6 = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_local = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_remote_netmask = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_noexec = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_nowarn = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_local = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_netbits = 0
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_remote = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   shaper = 0
Apr 22 00:50:53 vpnclient5[19555]:   mtu_test = 0
Apr 22 00:50:53 vpnclient5[19555]:   mlock = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   keepalive_ping = 0
Apr 22 00:50:53 vpnclient5[19555]:   keepalive_timeout = 0
Apr 22 00:50:53 vpnclient5[19555]:   inactivity_timeout = 0
Apr 22 00:50:53 vpnclient5[19555]:   ping_send_timeout = 0
Apr 22 00:50:53 vpnclient5[19555]:   ping_rec_timeout = 0
Apr 22 00:50:53 vpnclient5[19555]:   ping_rec_timeout_action = 0
Apr 22 00:50:53 vpnclient5[19555]:   ping_timer_remote = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   remap_sigusr1 = 0
Apr 22 00:50:53 vpnclient5[19555]:   persist_tun = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   persist_local_ip = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   persist_remote_ip = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   persist_key = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   passtos = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   resolve_retry_seconds = 1000000000
Apr 22 00:50:53 vpnclient5[19555]:   username = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   groupname = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   chroot_dir = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   cd_dir = '/etc/openvpn/client5'
Apr 22 00:50:53 vpnclient5[19555]:   writepid = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   up_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   down_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   down_pre = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   up_restart = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   up_delay = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   daemon = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   inetd = 0
Apr 22 00:50:53 vpnclient5[19555]:   log = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   suppress_timestamps = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   nice = 0
Apr 22 00:50:53 vpnclient5[19555]:   verbosity = 5
Apr 22 00:50:53 vpnclient5[19555]:   mute = 0
Apr 22 00:50:53 vpnclient5[19555]:   status_file = 'status'
Apr 22 00:50:53 vpnclient5[19555]:   status_file_version = 2
Apr 22 00:50:53 vpnclient5[19555]:   status_file_update_freq = 10
Apr 22 00:50:53 vpnclient5[19555]:   occ = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   rcvbuf = 0
Apr 22 00:50:53 vpnclient5[19555]:   sndbuf = 0
Apr 22 00:50:53 vpnclient5[19555]:   mark = 0
Apr 22 00:50:53 vpnclient5[19555]:   sockflags = 0
Apr 22 00:50:53 vpnclient5[19555]:   fast_io = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   lzo = 0
Apr 22 00:50:53 vpnclient5[19555]:   route_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   route_default_gateway = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   route_default_metric = 0
Apr 22 00:50:53 vpnclient5[19555]:   route_noexec = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   route_delay = 0
Apr 22 00:50:53 vpnclient5[19555]:   route_delay_window = 30
Apr 22 00:50:53 vpnclient5[19555]:   route_delay_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   route_nopull = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   route_gateway_via_dhcp = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   max_routes = 100
Apr 22 00:50:53 vpnclient5[19555]:   allow_pull_fqdn = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   management_addr = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   management_port = 0
Apr 22 00:50:53 vpnclient5[19555]:   management_user_pass = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   management_log_history_cache = 250
Apr 22 00:50:53 vpnclient5[19555]:   management_echo_buffer_size = 100
Apr 22 00:50:53 vpnclient5[19555]:   management_write_peer_info_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   management_client_user = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   management_client_group = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   management_flags = 0
Apr 22 00:50:53 vpnclient5[19555]:   shared_secret_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   key_direction = 2
Apr 22 00:50:53 vpnclient5[19555]:   ciphername_defined = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   ciphername = 'AES-128-CBC'
Apr 22 00:50:53 vpnclient5[19555]:   authname_defined = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   authname = 'SHA256'
Apr 22 00:50:53 vpnclient5[19555]:   prng_hash = 'SHA1'
Apr 22 00:50:53 vpnclient5[19555]:   prng_nonce_secret_len = 16
Apr 22 00:50:53 vpnclient5[19555]:   keysize = 0
Apr 22 00:50:53 vpnclient5[19555]:   engine = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   replay = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   mute_replay_warnings = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   replay_window = 64
Apr 22 00:50:53 vpnclient5[19555]:   replay_time = 15
Apr 22 00:50:53 vpnclient5[19555]:   packet_id_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   use_iv = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   test_crypto = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tls_server = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tls_client = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   key_method = 2
Apr 22 00:50:53 vpnclient5[19555]:   ca_file = 'ca.crt'
Apr 22 00:50:53 vpnclient5[19555]:   ca_path = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   dh_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   cert_file = 'client.crt'
Apr 22 00:50:53 vpnclient5[19555]:   priv_key_file = 'client.key'
Apr 22 00:50:53 vpnclient5[19555]:   pkcs12_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   cipher_list = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   tls_verify = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   tls_export_cert = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   verify_x509_type = 0
Apr 22 00:50:53 vpnclient5[19555]:   verify_x509_name = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   crl_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ns_cert_type = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 160
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 136
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_ku[i] = 0
Apr 22 00:50:53 vpnclient5[19555]:   remote_cert_eku = 'TLS Web Server Authentication'
Apr 22 00:50:53 vpnclient5[19555]:   ssl_flags = 0
Apr 22 00:50:53 vpnclient5[19555]:   tls_timeout = 2
Apr 22 00:50:53 vpnclient5[19555]:   renegotiate_bytes = 0
Apr 22 00:50:53 vpnclient5[19555]:   renegotiate_packets = 0
Apr 22 00:50:53 vpnclient5[19555]:   renegotiate_seconds = 3600
Apr 22 00:50:53 vpnclient5[19555]:   handshake_window = 60
Apr 22 00:50:53 vpnclient5[19555]:   transition_window = 3600
Apr 22 00:50:53 vpnclient5[19555]:   single_session = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   push_peer_info = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tls_exit = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tls_auth_file = 'static.key'
Apr 22 00:50:53 vpnclient5[19555]:   server_network = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   server_netmask = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   server_network_ipv6 = ::
Apr 22 00:50:53 vpnclient5[19555]:   server_netbits_ipv6 = 0
Apr 22 00:50:53 vpnclient5[19555]:   server_bridge_ip = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   server_bridge_netmask = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   server_bridge_pool_start = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   server_bridge_pool_end = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_start = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_end = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_netmask = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_persist_filename = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_pool_persist_refresh_freq = 600
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_pool_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_pool_base = ::
Apr 22 00:50:53 vpnclient5[19555]:   ifconfig_ipv6_pool_netbits = 0
Apr 22 00:50:53 vpnclient5[19555]:   n_bcast_buf = 256
Apr 22 00:50:53 vpnclient5[19555]:   tcp_queue_limit = 64
Apr 22 00:50:53 vpnclient5[19555]:   real_hash_size = 256
Apr 22 00:50:53 vpnclient5[19555]:   virtual_hash_size = 256
Apr 22 00:50:53 vpnclient5[19555]:   client_connect_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   learn_address_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   client_disconnect_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   client_config_dir = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   ccd_exclusive = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   tmp_dir = '/tmp'
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_local = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_remote_netmask = 0.0.0.0
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_ipv6_defined = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_ipv6_local = ::/0
Apr 22 00:50:53 vpnclient5[19555]:   push_ifconfig_ipv6_remote = ::
Apr 22 00:50:53 vpnclient5[19555]:   enable_c2c = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   duplicate_cn = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   cf_max = 0
Apr 22 00:50:53 vpnclient5[19555]:   cf_per = 0
Apr 22 00:50:53 vpnclient5[19555]:   max_clients = 1024
Apr 22 00:50:53 vpnclient5[19555]:   max_routes_per_client = 256
Apr 22 00:50:53 vpnclient5[19555]:   auth_user_pass_verify_script = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   auth_user_pass_verify_script_via_file = DISABLED
Apr 22 00:50:53 vpnclient5[19555]:   port_share_host = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]:   port_share_port = 0
Apr 22 00:50:53 vpnclient5[19555]:   client = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   pull = ENABLED
Apr 22 00:50:53 vpnclient5[19555]:   auth_user_pass_file = '[UNDEF]'
Apr 22 00:50:53 vpnclient5[19555]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 30 2018
Apr 22 00:50:53 vpnclient5[19555]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Apr 22 00:50:53 vpnclient5[19555]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 22 00:50:53 vpnclient5[19555]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 22 00:50:53 vpnclient5[19555]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:50:53 vpnclient5[19555]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:50:53 vpnclient5[19555]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:50:53 vpnclient5[19555]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:50:53 vpnclient5[19555]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:50:53 vpnclient5[19555]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:50:53 vpnclient5[19555]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:50:53 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:50:53 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:50:53 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=d22815ee 32793583
Apr 22 00:51:53 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:51:53 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:51:53 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:51:53 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:51:53 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:51:55 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:51:55 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:51:55 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:51:55 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:51:55 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:51:55 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:51:55 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:51:55 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:51:55 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:51:55 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:51:55 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=3d2074dd fab82b20
Apr 22 00:52:55 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:52:55 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:52:55 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:52:55 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:52:55 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:52:57 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:52:57 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:52:57 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:52:57 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:52:57 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:52:57 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:52:57 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:52:57 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:52:57 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:52:57 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:52:57 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=f8b6d766 eb9c114e
Apr 22 00:53:57 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:53:57 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:53:57 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:53:57 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:53:57 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:53:59 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:53:59 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:53:59 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:53:59 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:53:59 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:53:59 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:53:59 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:53:59 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:53:59 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:53:59 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:53:59 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=73e8db62 14c8f1be
Apr 22 00:55:00 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:55:00 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:55:00 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:55:00 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:55:00 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:55:02 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:55:02 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:55:02 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:55:02 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:55:02 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:55:02 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:55:02 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:55:02 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:55:02 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:55:02 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:55:02 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=0ec18494 6a4cb83c
Apr 22 00:56:02 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:56:02 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:56:02 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:56:02 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:56:02 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:56:04 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:56:04 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:56:04 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:56:04 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:56:04 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:56:04 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:56:04 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:56:04 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:56:04 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:56:04 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:56:05 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=46c4b4a3 bc07a2e4
Apr 22 00:57:04 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:57:04 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:57:04 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:57:04 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:57:04 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:57:06 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:57:06 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:57:06 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:57:06 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:57:06 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:57:06 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:57:06 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:57:06 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:57:06 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:57:06 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:57:06 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=da3a0b63 f84bb458
Apr 22 00:58:06 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:58:06 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:58:06 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:58:06 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:58:06 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:58:08 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:58:08 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:58:08 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:58:08 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:58:08 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:58:08 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:58:08 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:58:08 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:58:08 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:58:08 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:58:08 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=6e5e3f05 72296193
Apr 22 00:59:09 vpnclient5[19556]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 22 00:59:09 vpnclient5[19556]: TLS Error: TLS handshake failed
Apr 22 00:59:09 vpnclient5[19556]: TCP/UDP: Closing socket
Apr 22 00:59:09 vpnclient5[19556]: SIGUSR1[soft,tls-error] received, process restarting
Apr 22 00:59:09 vpnclient5[19556]: Restart pause, 2 second(s)
Apr 22 00:59:11 vpnclient5[19556]: Re-using SSL/TLS context
Apr 22 00:59:11 vpnclient5[19556]: Control Channel MTU parms [ L:48069 D:178 EF:78 EB:0 ET:0 EL:0 ]
Apr 22 00:59:11 vpnclient5[19556]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Apr 22 00:59:11 vpnclient5[19556]: Data Channel MTU parms [ L:48069 D:48069 EF:69 EB:4 ET:0 EL:0 ]
Apr 22 00:59:11 vpnclient5[19556]: Local Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
Apr 22 00:59:11 vpnclient5[19556]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 48069,tun-mtu 48000,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Apr 22 00:59:11 vpnclient5[19556]: Local Options hash (VER=V4): 'd2ba0673'
Apr 22 00:59:11 vpnclient5[19556]: Expected Remote Options hash (VER=V4): '971f728d'
Apr 22 00:59:11 vpnclient5[19556]: UDPv4 link local: [undef]
Apr 22 00:59:11 vpnclient5[19556]: UDPv4 link remote: [AF_INET]92.82.232.44:5000
Apr 22 00:59:11 vpnclient5[19556]: TLS: Initial packet from [AF_INET]92.82.232.44:5000, sid=fde352b4 da9ad8ed

I was thinking it's the cipher, but now I'm not sure what it is.

I don't mind helping out, but come on now... You know you can Google the error message from the log, which is exactly what I would do to respond.

Something is preventing the TLS handshake, as the handshake is failing from no response after 60s... Note the log lines right above the error.

  • The only time I've ever encountered the error is when there's an issue with the TLS-Auth PSK [tls-auth.key].
    • If your client is Windows, it could be the EOLs, as if I recall right, OpenVPN on Windows does require Windows EOLs, however I could very well be wrong and misremembering.

  • I would also google the OpenSSL error line

I know you've mentioned the TLS 1.2 setting a few times now, and while I don't believe that would be the cause of this due to the error message, older clients running dated OSes do not always support TLS 1.2.

  • To simply rule it out, change 1.2 to 1, as all devices are compatible with TLS v1
    • Valid options are 1, 1.1, and 1.2
    • Ensure you change it in both the server and client configs.

Sorry, but I searched on Google and couldn't find anything working.
No, the tls-auth.key doesn't have any problem, because on Windows it's working fine; it just isn't working on my home router.

With tls-version-min set to 1.0 it gave me a different error:

Sun Apr 22 08:41:46 2018 us=227734 OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun Apr 22 08:41:46 2018 us=227801 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Sun Apr 22 08:41:46 2018 us=228478 Diffie-Hellman initialized with 2048 bit key
Sun Apr 22 08:41:46 2018 us=228590 No valid translation found for TLS cipher '!aNULL'
Sun Apr 22 08:41:46 2018 us=228644 No valid translation found for TLS cipher '!eNULL'
Sun Apr 22 08:41:46 2018 us=228709 No valid translation found for TLS cipher '!3DES'
Sun Apr 22 08:41:46 2018 us=228756 No valid translation found for TLS cipher '!MD5'
Sun Apr 22 08:41:46 2018 us=228803 No valid translation found for TLS cipher '!SHA'
Sun Apr 22 08:41:46 2018 us=228867 No valid translation found for TLS cipher '!PSK'
Sun Apr 22 08:41:46 2018 us=228931 No valid translation found for TLS cipher '!DSS'
Sun Apr 22 08:41:46 2018 us=228977 No valid translation found for TLS cipher '!RC4'
Sun Apr 22 08:41:46 2018 us=239579 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Apr 22 08:41:46 2018 us=239648 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Apr 22 08:41:46 2018 us=239692 TLS-Auth MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sun Apr 22 08:41:46 2018 us=240790 TUN/TAP device tun0 opened
Sun Apr 22 08:41:46 2018 us=241108 TUN/TAP TX queue length set to 100
Sun Apr 22 08:41:46 2018 us=241175 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 22 08:41:46 2018 us=241239 /sbin/ifconfig tun0 10.1.0.1 netmask 255.255.255.240 mtu 1500 broadcast 10.1.0.15
Sun Apr 22 08:41:46 2018 us=246564 Data Channel MTU parms [ L:1621 D:1621 EF:121 EB:406 ET:0 EL:3 ]
Sun Apr 22 08:41:46 2018 us=246670 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Apr 22 08:41:46 2018 us=246718 Socket Buffers: R=[163840->327680] S=[163840->327680]
Sun Apr 22 08:41:46 2018 us=246766 UDPv4 link local (bound): [AF_INET][undef]:5000
Sun Apr 22 08:41:46 2018 us=246800 UDPv4 link remote: [AF_UNSPEC]
Sun Apr 22 08:41:46 2018 us=246838 GID set to nogroup
Sun Apr 22 08:41:46 2018 us=246874 UID set to nobody
Sun Apr 22 08:41:46 2018 us=246911 MULTI: multi_init called, r=256 v=256
Sun Apr 22 08:41:46 2018 us=246966 IFCONFIG POOL: base=10.1.0.2 size=12, ipv6=0
Sun Apr 22 08:41:46 2018 us=247063 Initialization Sequence Completed
Sun Apr 22 08:41:58 2018 us=387965 MULTI: multi_create_instance called
Sun Apr 22 08:41:58 2018 us=388154 79.50.176.249:56604 Re-using SSL/TLS context
Sun Apr 22 08:41:58 2018 us=388385 79.50.176.249:56604 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sun Apr 22 08:41:58 2018 us=388436 79.50.176.249:56604 Data Channel MTU parms [ L:1621 D:1621 EF:121 EB:406 ET:0 EL:3 ]
Sun Apr 22 08:41:58 2018 us=388542 79.50.176.249:56604 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-server'
Sun Apr 22 08:41:58 2018 us=388579 79.50.176.249:56604 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client'
RSun Apr 22 08:41:58 2018 us=388657 79.50.176.249:56604 TLS: Initial packet from [AF_INET]79.50.176.249:56604, sid=daea96a4 c478b5ab
WRRWRSun Apr 22 08:41:58 2018 us=453823 79.50.176.249:56604 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
Sun Apr 22 08:41:58 2018 us=453901 79.50.176.249:56604 OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)
Sun Apr 22 08:41:58 2018 us=453939 79.50.176.249:56604 TLS_ERROR: BIO read tls_read_plaintext error
Sun Apr 22 08:41:58 2018 us=453972 79.50.176.249:56604 TLS Error: TLS object -> incoming plaintext read error
Sun Apr 22 08:41:58 2018 us=454001 79.50.176.249:56604 TLS Error: TLS handshake failed
Sun Apr 22 08:41:58 2018 us=454118 79.50.176.249:56604 SIGUSR1[soft,tls-error] received, client-instance restarting

So yup, I think it's not compatible with my current cipher. I ran openssl ciphers -v and this is the result:

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA    SSLv3 Kx=SRP      Au=SRP  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1

I've removed tls-cipher from the server and now it's working.
I think this cipher is not good:
tls_cipher 'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

So in the end my router is compatible only with TLS 1.0 (even if it has 1.2) and the tls_cipher setting was wrong.

Is it a problem not to set tls_cipher on the server?

This is not recommended as TLS ciphers are faster [i.e. allow higher throughput] than SSL ciphers. TLS EC ciphers also don't tax CPUs as much as SSL ciphers do.

  • I explain what needs to be done in the comprehensive wiki, so I would recommend doing what is suggested in the wiki to determine the TLS ciphers your devices are compatible with.
    • "Ciphers must match the capabilities of the server & clients"

Thanks again for your patience with me and for helping.

It's really strange, the output is the same on both:

          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
          0xC0,0x24 - ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
          0x00,0xA5 - DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
          0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
          0x00,0xA1 - DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(256) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
          0x00,0x6A - DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
          0x00,0x69 - DH-RSA-AES256-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA256
          0x00,0x68 - DH-DSS-AES256-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA256
          0xC0,0x32 - ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2E - ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2A - ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
          0xC0,0x26 - ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x2B - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
          0xC0,0x23 - ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
          0x00,0xA4 - DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(128) Mac=AEAD
          0x00,0xA2 - DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
          0x00,0xA0 - DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AESGCM(128) Mac=AEAD
          0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
          0x00,0x40 - DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
          0x00,0x3F - DH-RSA-AES128-SHA256    TLSv1.2 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA256
          0x00,0x3E - DH-DSS-AES128-SHA256    TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA256
          0xC0,0x31 - ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
          0xC0,0x2D - ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
          0xC0,0x29 - ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
          0xC0,0x25 - ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x3C - AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

So the cipher you suggested should work, or am I mistaken?

tls_cipher          'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'

Please post the output of: opkg list-installed | grep kmod-crypto-*

I can only use opkg on my OpenVPN server:

kmod-crypto-acompress - 4.14.34-1
kmod-crypto-aead - 4.14.34-1
kmod-crypto-authenc - 4.14.34-1
kmod-crypto-cmac - 4.14.34-1
kmod-crypto-crc32c - 4.14.34-1
kmod-crypto-ecb - 4.14.34-1
kmod-crypto-ecdh - 4.14.34-1
kmod-crypto-hash - 4.14.34-1
kmod-crypto-hmac - 4.14.34-1
kmod-crypto-kpp - 4.14.34-1
kmod-crypto-manager - 4.14.34-1
kmod-crypto-md5 - 4.14.34-1
kmod-crypto-null - 4.14.34-1
kmod-crypto-pcompress - 4.14.34-1
kmod-crypto-sha1 - 4.14.34-1
kmod-crypto-sha256 - 4.14.34-1
kmod-crypto-sha512 - 4.14.34-1
kmod-cryptodev - 4.14.34+1.9.git-2017-10-04-mvebu-1

On my home router I use stock firmware from Asus because I have an integrated modem.

The issue is the GCM ciphersuite (kmod-crypto-gcm), which isn't installed on LEDE, and it's unlikely it will be installed on the Asus stock firmware.

  • Change tls_cipher to the following:
    tls_cipher    'TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA'
    
    • Keep in mind OpenVPN <2.4 does not support EC [Elliptic-Curve] ciphers, so if the stock Asus firmware does not have 2.4 installed, I personally would recommend installing OpenWrt on it.

  • To install the GCM ciphersuite: opkg update && opkg install kmod-crypto-gcm

Not working either, same cipher error.

TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive

Yes, Asus has 2.3.2. I've contacted them to ask them to update to 2.4; I hope they will do it.
Yes, I really want to use OpenWrt, but for now I need to stay with stock.

My bad, issue the following: opkg update && opkg install kmod-crypto-cbc kmod-crypto-gcm

  • I could have sworn that was a package installed when either openssl or openvpn was installed [kmod-crypto-cbc], as OpenVPN's default is to utilize vars, which sets a CBC ciphersuite as default.

Nope, same error. Well, never mind, I think this is an Asus problem or an OpenVPN 2.3.2 problem.
I will try to post this in the OpenVPN forum. I would hate to bother you again, even with problems unrelated to LEDE.

I really thank you again. You helped me a lot.

It's not an OpenVPN 2.3.2 issue, as I used the exact same configuration, minus the EC ciphers, on OpenVPN versions <2.4.

When you have time, please post a link to your OpenVPN thread, as I'm curious what's determined as the issue.

I didn't post; I found this
I will wait for fiber optics, then I will replace my modem/router with a router that supports OpenWrt.

You can try using TLS 1.0 as suggested in that thread, else you'll have to disable TLS entirely, sticking with the inefficient SSL ciphers.

Remove:

  • tls_server
  • tls_cipher

What I would recommend instead is installing OpenWrt on the Asus router. All routers outside their EOL (End of Life, typically 12 - 24 months after initial release) should be running 3rd party open source firmware... Not doing so is an enormous security risk.
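
The "no TLS ciphersuites in common" error discussed above can be checked offline before editing either config. The following is an added example, not part of the thread or of OpenVPN: it translates the positive entries of the posted tls_cipher value to OpenSSL names, looks them up in `openssl ciphers` rows copied from the listings above, and returns the suites that remain negotiable under a given maximum TLS version. The function names and the simplified name translation (AES suites of this shape only) are assumptions of the example.

```python
import re

# Column 2 of `openssl ciphers -v` is the lowest protocol version that can
# negotiate the suite, so "TLSv1.2" rows are unavailable to a TLS 1.0 peer.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

# tls_cipher value posted in the thread.
TLS_CIPHER = (
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:"
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4:!kRSA"
)

# Rows copied from the two cipher listings in the thread (both layouts).
PEER_CIPHERS = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
"""


def iana_to_openssl(name):
    """Translate an IANA-style suite name to OpenSSL's (assumption: simplified
    rule that only covers AES suites shaped like the ones in the thread)."""
    n = name[4:] if name.startswith("TLS-") else name
    n = n.replace("-WITH-", "-")
    n = re.sub(r"AES-(\d+)", r"AES\1", n)
    return n.replace("-CBC-", "-")


def parse_ciphers_v(text):
    """Return {openssl_name: protocol} from `openssl ciphers -v` or `-V` rows."""
    suites = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0].startswith("0x"):
            tok = tok[2:]  # drop the "0xC0,0x2F -" prefix of the -V layout
        if len(tok) >= 2:
            suites[tok[0]] = tok[1]
    return suites


def negotiable(tls_cipher, peer_text, max_proto):
    """List the suites named in tls_cipher that the peer offers and that can be
    negotiated when the handshake is capped at max_proto."""
    peer = parse_ciphers_v(peer_text)
    usable = []
    for entry in tls_cipher.split(":"):
        if not entry or entry.startswith("!"):
            continue  # "!" entries only remove suites, they never add one
        name = iana_to_openssl(entry)
        proto = peer.get(name)
        # Unknown protocol labels are treated as not negotiable.
        if proto and PROTO_RANK.get(proto, len(PROTO_RANK)) <= PROTO_RANK[max_proto]:
            usable.append(name)
    return usable


if __name__ == "__main__":
    for cap in ("TLSv1.2", "TLSv1"):
        print(cap, negotiable(TLS_CIPHER, PEER_CIPHERS, cap))
```

With the handshake capped at TLS 1.0 the result is empty, because every suite named in the posted list is marked TLSv1.2 in the listing.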