Problem to establish OpenVPN connection

Hi,
I'm testing an OpenVPN connection to my provider's box (FreeBox).
It seems to start well, accepting the password and checking the TLS certificate, but at the end the server sends a connection reset.

I'm testing on a GL.Inet MT3000 with the latest OpenWrt, 23.05.3.
I use openvpn-openssl with luci-app-openvpn.

Earlier I worked on the snapshot release of about April 30, first with
openvpn-mbedtls, then with luci-app-openvpn.

The behaviour was the same in all three configurations (snapshot + openvpn-mbedtls, snapshot + openvpn-openssl, release 23.05.3 + openvpn-openssl), with both the routed and the bridged variant of the config.

I've just added
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
to avoid a warning, but it changed nothing.
I've checked that AES-256-CBC is supported by listing the ciphers...

I cannot access the VPN server log.

The same OVPN config worked perfectly with the GL.Inet firmware, and I use it on Windows 10 (the bridged variant) and Android (the routed variant)...

I may have forgotten a detail, but I don't see what...

Here is the config file in luci/openvpn, with ip/port/keys replaced:

client
remote MYHOST MYPORT
proto tcp-client
nobind
dev-type tap
verb 5
pull
dev tap0
askpass /etc/openvpn/VillejuifOVPNBridged.auth
auth-retry interact
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
cipher AES-256-CBC
auth SHA1

remote-cert-tls server
verify-x509-name "C=FR, O=Freebox SA, CN=Freebox OpenVPN server 8e62a324a151dfffd3c2ac9e23102fc4"

<ca>
-----BEGIN CERTIFICATE-----
ww
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xx
-----END CERTIFICATE-----
</cert>
<extra-certs>
-----BEGIN CERTIFICATE-----
yy
-----END CERTIFICATE-----
</extra-certs>
<key>
-----BEGIN PRIVATE KEY-----
zz
-----END PRIVATE KEY-----
</key>

The logs show all is fine until the connection reset by peer:

Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Fri May  3 11:13:00 2024 daemon.warn openvpn(VillejuifOVPNBridged)[7216]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TCP/UDP: Preserving recently used remote address: [AF_INET]MYHOST:MYPORT
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Attempting to establish TCP connection with [AF_INET]MYHOST:MYPORT [nonblock]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TCP connection established with [AF_INET]MYHOST:MYPORT
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TCP_CLIENT link local: (not bound)
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TCP_CLIENT link remote: [AF_INET]MYHOST:MYPORT
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TLS: Initial packet from [AF_INET]MYHOST:MYPORT, sid=20dbe411 6df9c11c
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: VERIFY OK: depth=1, C=FR, O=Freebox SA, CN=Freebox OpenVPN server CA for 8e62a324a151dfffd3c2ac9e23102fc4
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: VERIFY KU OK
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Validating certificate extended key usage
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: VERIFY EKU OK
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: VERIFY X509NAME OK: C=FR, O=Freebox SA, CN=Freebox OpenVPN server 8e62a324a151dfffd3c2ac9e23102fc4
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: VERIFY OK: depth=0, C=FR, O=Freebox SA, CN=Freebox OpenVPN server 8e62a324a151dfffd3c2ac9e23102fc4
Fri May  3 11:13:00 2024 daemon.err openvpn(VillejuifOVPNBridged)[7216]: Connection reset, restarting [0]
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: TCP/UDP: Closing socket
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: SIGUSR1[soft,connection-reset] received, process restarting
Fri May  3 11:13:00 2024 daemon.notice openvpn(VillejuifOVPNBridged)[7216]: Restart pause, 5 second(s)

At verb 10 verbosity level, there is nothing interesting...

It must be banal, but I don't understand what it is.

Hello...

When I configured my OpenVPN server in the past, I followed this official tutorial...

[OpenWrt Wiki] OpenVPN server

Good luck!

I suggest that you revise your configs; here, it works well...

Except OP seems to be setting up a client...

Maybe this is the problem?

--key-method Removed in OpenVPN 2.5. This option should not be used, as using the old key-method weakens the VPN tunnel security. The old key-method was also only needed when the remote side was older than OpenVPN 2.0.


Another option is to reinstall the GL.Inet FW again, set up the tunnel, and steal all the OpenVPN settings via SSH.

Then flash OpenWrt again, apply the GL.Inet FW settings for the tunnel, and keep your fingers crossed.

Restarting from scratch, I have finally found the problem, stupid as expected.
As said in LuCI, one needs to replace the line for the password with:
auth-user-pass /etc/openvpn/VillejuifOVPNBridged.auth

I don't know where I found askpass, but it's wrong...
The point is that, contrary to my assumptions, it was the password, and the reaction of the server is a peer reset. Good to know.

By the way, thanks for the hint on key-method. I checked, but it seems it is indeed no longer supported by OpenVPN; the key-method 2 in the log seems to be a default value.

To understand my problem,
first I built a config that worked with LuCI.

Maybe it can help people having a Freebox:

config openvpn 'TestBridged'
	option ca '/etc/openvpn/VillejuifOVPNBridged.ca'
	option key '/etc/openvpn/VillejuifOVPNBridged.key'
	option client '1'
	option dev 'tap0'
	option verb '5'
	option nobind '1'
	option remote_cert_tls 'server'
	option proto 'tcp-client'
	option dev_type 'tap'
	option pull '1'
	option auth_user_pass '/etc/openvpn/VillejuifOVPNBridged.auth'
	option port 'MYPORT'
	option cert '/etc/openvpn/VillejuifOVPNBridged.cert'
	option cipher 'AES-256-CBC'
	list remote 'MYIP'
	option tls_remote '/C=FR/O=Freebox_SA/CN=Freebox_OpenVPN_server_8e62a324a151dfffd3c2ac9e23102fc'
	list data_ciphers 'AES-256-CBC'
	list data_ciphers 'AES-256-GCM'
	list data_ciphers 'AES-128-GCM'

Then I caught the command line with "ps -www"
and found the generated config file
/tmp/etc/openvpn-TestBridged.conf
and reading it I found that stupid difference: auth_user_pass instead of askpass.

So, reading the generated conf file in /tmp/etc/*.conf may help newbies like me.

Thanks for the advice, and sorry for the disturbance.

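Added example, written for this page and not taken from any post above: a POSIX sh script that does what the last post describes by hand. It pulls the generated config path out of "ps -www" output, then lints that file for the client-side pitfalls raised in the thread: askpass used where auth-user-pass was meant (per the OpenVPN manual, askpass only supplies a private-key passphrase, while auth-user-pass supplies the username/password the server asks for), the removed key-method option, the deprecated tls-remote option, cipher without data-ciphers, and a missing remote-cert-tls. The sample ps line, the file paths and the two sample configs are constructed for illustration and are assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example: locate the config the OpenWrt openvpn init script generated
# (/tmp/etc/openvpn-<instance>.conf, an assumed path) and lint it.

# Read "ps -www" output on stdin, print the path following each --config.
config_paths_from_ps() {
    sed -n 's/.*[[:space:]]--config[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# True when config $1 contains directive $2 (with or without an argument).
has_opt() {
    grep -q -e "^[[:space:]]*$2[[:space:]]" -e "^[[:space:]]*$2\$" "$1"
}

# Print the argument of directive $2 in config $1 (first match, empty if absent).
ovpn_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)\$/\1/p" "$1" | head -n 1
}

# True when the private key the config uses is stored unencrypted.
# Looks at the file named by "key" if readable, else at the inline <key> block;
# an unreadable external key file therefore yields "not known to be unencrypted".
key_is_unencrypted() {
    keyfile=$(ovpn_opt "$1" key)
    src="$1"
    if [ -n "$keyfile" ] && [ -r "$keyfile" ]; then src="$keyfile"; fi
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$src"; then
        return 1
    fi
    grep -q 'BEGIN .*PRIVATE KEY' "$src"
}

# Print one line per finding for client config $1.
lint_ovpn_client() {
    cfg="$1"
    # askpass unlocks an encrypted private key (or the management interface);
    # the username/password the server asks for must come from auth-user-pass.
    if has_opt "$cfg" askpass && ! has_opt "$cfg" auth-user-pass; then
        if key_is_unencrypted "$cfg"; then
            echo "ERROR: askpass set, key is unencrypted and auth-user-pass is missing: the server never receives credentials"
        fi
    fi
    if has_opt "$cfg" key-method; then
        echo "WARN: key-method was removed in OpenVPN 2.5; delete it"
    fi
    if has_opt "$cfg" tls-remote; then
        echo "WARN: tls-remote is deprecated; use verify-x509-name with the full subject"
    fi
    if has_opt "$cfg" cipher && ! has_opt "$cfg" data-ciphers; then
        echo "WARN: cipher without data-ciphers; OpenVPN 2.5 negotiates from data-ciphers and warns otherwise"
    fi
    if ! has_opt "$cfg" remote-cert-tls; then
        echo "WARN: no remote-cert-tls server; a client cert from the same CA could impersonate the server"
    fi
}

# Constructed sample configs: $1 = broken (the thread's mistake) or fixed.
sample_config() {
    if [ "$1" = broken ]; then
        printf '%s\n' 'askpass /etc/openvpn/example.auth'
    else
        printf '%s\n' 'auth-user-pass /etc/openvpn/example.auth' \
                      'data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC'
    fi
    cat <<'EOF'
client
remote MYHOST MYPORT
proto tcp-client
dev-type tap
dev tap0
cipher AES-256-CBC
auth SHA1
remote-cert-tls server
<key>
-----BEGIN PRIVATE KEY-----
zz
-----END PRIVATE KEY-----
</key>
EOF
}

# Lint one of the samples and print the number of findings.
lint_sample() {
    tmp=$(mktemp)
    sample_config "$1" >"$tmp"
    lint_ovpn_client "$tmp" | grep -c . || true
    rm -f "$tmp"
}

# Real use on the router: lint every instance the init script started.
if [ "${1:-}" = "--running" ]; then
    ps -www | config_paths_from_ps | while read -r path; do
        echo "== $path"
        lint_ovpn_client "$path"
    done
fi
```

Run it with "--running" on the router to lint the live instances, or call lint_ovpn_client on a single file such as /tmp/etc/openvpn-TestBridged.conf. Linting the generated file rather than the LuCI form catches exactly the kind of option-name mix-up this thread ended on, because that file is what openvpn actually parses.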
