OpenVPN client won't connect to server

Hi everyone.
I have a problem:
The OpenVPN client won't connect to the server with this config:

client
dev tun
proto tcp
port 443 
remote 185.178.47.61 # server IP
script-security 2
dhcp-option DNS 8.8.8.8
tls-client
reneg-sec 36000
cipher AES-128-CBC
auth SHA1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
---
</cert>
<key>
-----BEGIN PRIVATE KEY-----
---
-----END PRIVATE KEY-----
</key>
verb 5

I have two routers with OpenWrt: an x86-based PC (custom build 18.06, May 2019, OpenVPN 2.4.6 - 2.4.7) and a TP-LINK 740N (Chaos Calmer 15.09.1, OpenVPN 2.3.6) for testing. Neither router connects to the server. But an Android device connected via the x86 router connects perfectly with the same config (OpenVPN Connect 3.0.5 b1816).

From the x86 router I get the following log:

root@RRGW:~# openvpn /etc/openvpn/grouter_client_hthudyetdpht.conf
Fri May 10 10:41:51 2019 us=337741 OpenVPN 2.4.7 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri May 10 10:41:51 2019 us=337829 library versions: OpenSSL 1.1.1b  26 Feb 2019, LZO 2.10
Fri May 10 10:41:51 2019 us=337969 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 10:41:51 2019 us=339687 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:41:51 2019 us=339766 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:41:51 2019 us=340088 Control Channel MTU parms [ L:1623 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Fri May 10 10:41:51 2019 us=340200 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri May 10 10:41:51 2019 us=340333 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri May 10 10:41:51 2019 us=340389 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri May 10 10:41:51 2019 us=340464 TCP/UDP: Preserving recently used remote address: [AF_INET]185.178.47.61:443
Fri May 10 10:41:51 2019 us=340539 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri May 10 10:41:51 2019 us=340603 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 10:41:52 2019 us=340848 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 10:41:52 2019 us=340928 TCP_CLIENT link local: (not bound)
Fri May 10 10:41:52 2019 us=340986 TCP_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 10:41:52 2019 us=406617 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=defe6926 07194078
WWWWWWFri May 10 10:42:53 2019 us=103020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 10 10:42:53 2019 us=103120 TLS Error: TLS handshake failed
Fri May 10 10:42:53 2019 us=103307 Fatal TLS error (check_tls_errors_co), restarting
Fri May 10 10:42:53 2019 us=103469 TCP/UDP: Closing socket
Fri May 10 10:42:53 2019 us=103583 SIGUSR1[soft,tls-error] received, process restarting
Fri May 10 10:42:53 2019 us=103656 Restart pause, 5 second(s)
Fri May 10 10:42:58 2019 us=103780 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 10:42:58 2019 us=104787 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:42:58 2019 us=104855 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:42:58 2019 us=105015 Control Channel MTU parms [ L:1623 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Fri May 10 10:42:58 2019 us=105092 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri May 10 10:42:58 2019 us=105190 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri May 10 10:42:58 2019 us=105239 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri May 10 10:42:58 2019 us=105301 TCP/UDP: Preserving recently used remote address: [AF_INET]185.178.47.61:443
Fri May 10 10:42:58 2019 us=105373 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri May 10 10:42:58 2019 us=105428 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 10:42:59 2019 us=105627 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 10:42:59 2019 us=105723 TCP_CLIENT link local: (not bound)
Fri May 10 10:42:59 2019 us=105781 TCP_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 10:42:59 2019 us=173684 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=4754a52f 968748d8
WWWW
^C #I press Ctrl+C
Fri May 10 10:43:06 2019 us=277524 event_wait : Interrupted system call (code=4)
Fri May 10 10:43:06 2019 us=277771 TCP/UDP: Closing socket
Fri May 10 10:43:06 2019 us=277901 SIGINT[hard,] received, process exiting

Log from the TP-LINK router (connected via the x86 router):

root@OpenWrt:~# openvpn /etc/openvpn_c/real4root.conf
Fri May 10 10:45:23 2019 us=706281 OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (PolarSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  8 2016
Fri May 10 10:45:23 2019 us=707491 library versions: PolarSSL 1.3.14, LZO 2.08
Fri May 10 10:45:23 2019 us=708906 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 10:45:23 2019 us=779765 Control Channel Authentication: tls-auth using INLINE static key file
Fri May 10 10:45:23 2019 us=780780 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:45:23 2019 us=781884 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:45:23 2019 us=784874 Control Channel MTU parms [ L:1559 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri May 10 10:45:23 2019 us=785533 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri May 10 10:45:23 2019 us=786014 Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
Fri May 10 10:45:23 2019 us=786381 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 10:45:24 2019 us=787249 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 10:45:24 2019 us=787561 TCPv4_CLIENT link local: [undef]
Fri May 10 10:45:24 2019 us=787759 TCPv4_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 10:45:24 2019 us=857832 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=9e56de7e 34b8ba11
WWWWWWWWWWWFri May 10 10:46:25 2019 us=52586 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 10 10:46:25 2019 us=52870 TLS Error: TLS handshake failed
Fri May 10 10:46:25 2019 us=54240 Fatal TLS error (check_tls_errors_co), restarting
Fri May 10 10:46:25 2019 us=55689 TCP/UDP: Closing socket
Fri May 10 10:46:25 2019 us=56252 SIGUSR1[soft,tls-error] received, process restarting
Fri May 10 10:46:25 2019 us=56509 Restart pause, 5 second(s)
Fri May 10 10:46:30 2019 us=56775 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 10:46:30 2019 us=100335 Control Channel Authentication: tls-auth using INLINE static key file
Fri May 10 10:46:30 2019 us=101334 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:46:30 2019 us=102453 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 10 10:46:30 2019 us=105077 Control Channel MTU parms [ L:1559 D:168 EF:68 EB:0 ET:0 EL:0 ]
Fri May 10 10:46:30 2019 us=106203 Socket Buffers: R=[87380->131072] S=[16384->131072]
Fri May 10 10:46:30 2019 us=107355 Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
Fri May 10 10:46:30 2019 us=108311 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 10:46:31 2019 us=109805 TCP connection established with [AF_INET]185.178.47.61:443
Fri May 10 10:46:31 2019 us=110730 TCPv4_CLIENT link local: [undef]
Fri May 10 10:46:31 2019 us=111758 TCPv4_CLIENT link remote: [AF_INET]185.178.47.61:443
WRFri May 10 10:46:31 2019 us=181670 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=8a690b69 4b81db68
WWWW^CFri May 10 10:46:34 2019 us=182048 event_wait : Interrupted system call (code=4)
Fri May 10 10:46:34 2019 us=184719 TCP/UDP: Closing socket
Fri May 10 10:46:34 2019 us=185865 SIGINT[hard,] received, process exiting

Please help me understand what I'm doing wrong.

I have new data about my problem:
In my country the top-level provider blocks OpenVPN, but the Android client still works. I captured the traffic with tcpdump and analysed it in Wireshark. This is what I see:

In the top window: the Android client connected perfectly to the OpenVPN server.
In the middle: the OpenWrt CC 15.01 router with OpenVPN 2.3.6.
At the bottom: Linux Ubuntu 18.11 with OpenVPN 2.4.6.
As we can see, OpenWrt and Ubuntu use the SSL protocol to authenticate and don't connect to the server, but the Android client uses TLSv1.2 and connects perfectly. All clients use the same config file.

Why do the OpenWrt (and Linux) clients use SSL auth? How can I change it to TLS?

Your client configuration is using tls-auth, which requires you to define key-direction:

  • Server: key-direction 0
  • Client: key-direction 1

A better approach is to utilize tls-crypt, but OpenVPN 2.3 doesn't support it.

There is tls-version-min 1.2, but it is unclear whether it can be configured on clients or only on servers.

I would suggest putting the static key in a file and referencing it in your tls-auth line; it may be ambiguous to inline it.
tls-auth /etc/openvpn/statickey 1

Thanks, but it doesn't work for me.

I've solved my problem using the nfqueue module for iptables and nfqws from bol-van's zapret.

If someone runs into the DPI block, try the following solution:
Install the raw and nfqueue modules for iptables, and add the following line to iptables:
iptables -t raw -I PREROUTING -s $_openvpn_serverip -p tcp --sport 443 --tcp-flags SYN,ACK SYN,ACK -j NFQUEUE --queue-num 200 --queue-bypass
and start nfqws: nfqws --daemon --qnum=200 --wsize=20

In my solution nfqws divides all SYN,ACK packets addressed to port 443 into 20-byte fragments. The provider's DPI monitors only unfragmented SYN,ACK packets, and OpenVPN works fine.

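A small log triage helper, added here as an example (it is not from the thread, from OpenWrt or from OpenVPN): it scans client log lines for the milestones visible in the logs above and labels the attempt, so the "TCP established, server replied, then 60 seconds of silence" pattern from this thread can be told apart from a plain unreachable port. The sample lines are copied from the x86 router log above; it also flags the certificate-verification warning, which OpenVPN prints when no remote-cert-tls (or equivalent) check is configured.

```python
from dataclasses import dataclass, field

# Abridged lines copied from the x86 router log in the thread above.
STALLED_LOG = """\
Fri May 10 10:41:51 2019 us=337969 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri May 10 10:41:51 2019 us=340603 Attempting to establish TCP connection with [AF_INET]185.178.47.61:443 [nonblock]
Fri May 10 10:41:52 2019 us=340848 TCP connection established with [AF_INET]185.178.47.61:443
WRFri May 10 10:41:52 2019 us=406617 TLS: Initial packet from [AF_INET]185.178.47.61:443, sid=defe6926 07194078
WWWWWWFri May 10 10:42:53 2019 us=103020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 10 10:42:53 2019 us=103120 TLS Error: TLS handshake failed
"""

@dataclass
class Attempt:
    tcp_established: bool = False    # three-way handshake to the server finished
    initial_packet: bool = False     # server's first control-channel packet arrived
    handshake_timeout: bool = False  # "TLS key negotiation failed to occur within ..."
    completed: bool = False          # "Initialization Sequence Completed"
    findings: list[str] = field(default_factory=list)  # hardening notes

def diagnose(log_text: str) -> Attempt:
    """Walk the log once and record which milestones were reached."""
    a = Attempt()
    for line in log_text.splitlines():
        # Substring checks stay robust to the R/W activity markers ("WRFri ...")
        # that verb 5 prints in front of the timestamp.
        if "No server certificate verification method" in line:
            a.findings.append("server certificate not verified; add 'remote-cert-tls server'")
        elif "TCP connection established" in line:
            a.tcp_established = True
        elif "TLS: Initial packet from" in line:
            a.initial_packet = True
        elif "TLS key negotiation failed to occur within" in line:
            a.handshake_timeout = True
        elif "Initialization Sequence Completed" in line:
            a.completed = True
    return a

def verdict(a: Attempt) -> str:
    """Map the milestones to a coarse label for the attempt."""
    if a.completed:
        return "connected"
    if not a.tcp_established:
        return "tcp-unreachable"          # port closed, filtered, or wrong remote
    if not a.initial_packet:
        return "no-tls-reply"             # TCP works but the server never answered
    if a.handshake_timeout:
        return "tls-stalled-after-reply"  # the pattern in this thread: reply, then silence
    return "in-progress"
```

Run it on a saved client log with `verdict(diagnose(open("/path/to/client.log").read()))`; the "tls-stalled-after-reply" label says the server is reachable and answering, so the first things to check are the control-channel key (tls-auth, key-direction) and the path in between, not basic connectivity.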
