If I try to connect to the Private Internet Access VPN server on my Ubuntu server using the following OpenVPN configuration file
client
dev tun
proto udp
resolv-retry infinite
nobind 1
persist-key 1
persist-tun 1
cipher BF-CBC
auth SHA1
tls-client 1
remote-cert-tls server
auth-user-pass /etc/openvpn/.secret
comp-lzo yes
verb 3
reneg-sec 0
crl-verify /etc/openvpn/crl.pem
ca /etc/openvpn/ca.crt
disable-occ 1
port 53
remote 5.63.151.156
remote 104.238.169.85
script-security 2
ping 10
ping-restart 60
it works and I see this:
Fri Jun 9 15:08:29 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Jun 9 15:08:29 2017 UDPv4 link local: [undef]
Fri Jun 9 15:08:29 2017 UDPv4 link remote: [AF_INET]104.238.169.85:53
Fri Jun 9 15:08:29 2017 TLS: Initial packet from [AF_INET]104.238.169.85:53, sid=5821d6f5 20296e9d
Fri Jun 9 15:08:29 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 9 15:08:29 2017 CRL CHECK OK: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Fri Jun 9 15:08:29 2017 VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Fri Jun 9 15:08:29 2017 Validating certificate key usage
Fri Jun 9 15:08:29 2017 ++ Certificate has key usage 00a0, expects 00a0
Fri Jun 9 15:08:29 2017 VERIFY KU OK
Fri Jun 9 15:08:29 2017 Validating certificate extended key usage
Fri Jun 9 15:08:29 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jun 9 15:08:29 2017 VERIFY EKU OK
Fri Jun 9 15:08:29 2017 CRL CHECK OK: C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=913b6ab8cfffcfc9efa4345d4104a57b, name=913b6ab8cfffcfc9efa4345d4104a57b
Fri Jun 9 15:08:29 2017 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=913b6ab8cfffcfc9efa4345d4104a57b, name=913b6ab8cfffcfc9efa4345d4104a57b
Fri Jun 9 15:08:29 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 9 15:08:29 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 9 15:08:29 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Jun 9 15:08:29 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jun 9 15:08:29 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Jun 9 15:08:29 2017 [913b6ab8cfffcfc9efa4345d4104a57b] Peer Connection Initiated with [AF_INET]104.238.169.85:53
Fri Jun 9 15:08:31 2017 SENT CONTROL [913b6ab8cfffcfc9efa4345d4104a57b]: 'PUSH_REQUEST' (status=1)
Fri Jun 9 15:08:31 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,comp-lzo no,route 10.62.10.1,topology net30,ifconfig 10.62.10.6 10.62.10.5,auth-token toQJXs191geecQsjVLIjSmVXWoo6mFk9dgl4Ou+7soQ='
Fri Jun 9 15:08:31 2017 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 9 15:08:31 2017 OPTIONS IMPORT: LZO parms modified
Fri Jun 9 15:08:31 2017 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 9 15:08:31 2017 OPTIONS IMPORT: route options modified
Fri Jun 9 15:08:31 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jun 9 15:08:31 2017 ROUTE_GATEWAY 192.168.129.1/255.255.255.0 IFACE=eth0 HWADDR=00:01:2e:3d:2a:d1
Fri Jun 9 15:08:31 2017 TUN/TAP device tun0 opened
Fri Jun 9 15:08:31 2017 TUN/TAP TX queue length set to 100
Fri Jun 9 15:08:31 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jun 9 15:08:31 2017 /sbin/ip link set dev tun0 up mtu 1500
Fri Jun 9 15:08:31 2017 /sbin/ip addr add dev tun0 local 10.62.10.6 peer 10.62.10.5
Fri Jun 9 15:08:31 2017 /sbin/ip route add 104.238.169.85/32 via 192.168.129.1
Fri Jun 9 15:08:31 2017 /sbin/ip route add 0.0.0.0/1 via 10.62.10.5
Fri Jun 9 15:08:31 2017 /sbin/ip route add 128.0.0.0/1 via 10.62.10.5
Fri Jun 9 15:08:31 2017 /sbin/ip route add 10.62.10.1/32 via 10.62.10.5
Fri Jun 9 15:08:31 2017 Initialization Sequence Completed
However if I try the equivalent on my Homehub 5A running LEDE, I get the following in syslog:
Fri Jun 9 14:27:01 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Restart pause, 5 second(s)
Fri Jun 9 14:27:06 2017 daemon.warn openvpn(PIA_VPN_BF)[17573]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Re-using SSL/TLS context
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: LZO compression initializing
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: calc_options_string_link_mtu: link-mtu 1622 -> 1542
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: calc_options_string_link_mtu: link-mtu 1622 -> 1542
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.169.85:53
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP link local: (not bound)
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP link remote: [AF_INET]104.238.169.85:53
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP WRITE [14] to [AF_INET]104.238.169.85:53: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=7c4bac2c 0ee25db6 [ ] pid=0 DATA
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP write returned 14
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP read returned 26
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP READ [26] from [AF_INET]104.238.169.85:53: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=74fbe891 cdc5da12 [ 0 sid=7c4bac2c 0ee25db6 ] pid=0 DATA
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: TLS: Initial packet from [AF_INET]104.238.169.85:53, sid=74fbe891 cdc5da12
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP WRITE [22] to [AF_INET]104.238.169.85:53: P_ACK_V1 kid=0 sid=7c4bac2c 0ee25db6 [ 0 sid=74fbe891 cdc5da12 ]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP write returned 22
Fri Jun 9 14:27:06 2017 daemon.warn openvpn(PIA_VPN_BF)[17573]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP WRITE [178] to [AF_INET]104.238.169.85:53: P_CONTROL_V1 kid=0 sid=7c4bac2c 0ee25db6 [ ] pid=1 DATA 16030100 9f010000 9b030359 3ab03ac0 ed869418 8c7726cc 70f8eff3 be5e51d[more...]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP write returned 178
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP read returned 1200
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP READ [1200] from [AF_INET]104.238.169.85:53: P_CONTROL_V1 kid=0 sid=74fbe891 cdc5da12 [ 1 sid=7c4bac2c 0ee25db6 ] pid=1 DATA 16030100 31020000 2d03018a fe3c27bd 11918831 1c0cf3fb afdc1520 df5de92[more...]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP WRITE [22] to [AF_INET]104.238.169.85:53: P_ACK_V1 kid=0 sid=7c4bac2c 0ee25db6 [ 1 sid=74fbe891 cdc5da12 ]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP write returned 22
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: event_wait returned 1
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP read returned 1188
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: UDP READ [1188] from [AF_INET]104.238.169.85:53: P_CONTROL_V1 kid=0 sid=74fbe891 cdc5da12 [ ] pid=2 DATA 32447625 25eb300d 06092a86 4886f70d 01010505 003081a5 310b3009 0603550[more...]
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Fri Jun 9 14:27:06 2017 daemon.err openvpn(PIA_VPN_BF)[17573]: VERIFY ERROR: depth=0, subject=C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=913b6ab8cfffcfc9efa4345d4104a57b, ??=913b6ab8cfffcfc9efa4345d4104a57b: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jun 9 14:27:06 2017 daemon.err openvpn(PIA_VPN_BF)[17573]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jun 9 14:27:06 2017 daemon.err openvpn(PIA_VPN_BF)[17573]: TLS Error: TLS object -> incoming plaintext read error
Fri Jun 9 14:27:06 2017 daemon.err openvpn(PIA_VPN_BF)[17573]: TLS Error: TLS handshake failed
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: TCP/UDP: Closing socket
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: SIGUSR1[soft,tls-error] received, process restarting
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: Restart pause, 5 second(s)
Fri Jun 9 14:27:08 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: SIGTERM[hard,init_instance] received, process exiting
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: OpenVPN 2.4.2 mips-openwrt-linux-gnu [SSL (mbed TLS)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: library versions: mbed TLS 2.4.2, LZO 2.09
Fri Jun 9 14:27:51 2017 daemon.warn openvpn(PIA_VPN_BF)[18461]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.63.151.156:53
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link local: (not bound)
Fri Jun 9 14:27:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link remote: [AF_INET]5.63.151.156:53
Fri Jun 9 14:28:09 2017 daemon.info odhcpd[812]: Using a RA lifetime of 0 seconds on br-lan
Fri Jun 9 14:28:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Fri Jun 9 14:28:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: SIGUSR1[soft,ping-restart] received, process restarting
Fri Jun 9 14:28:51 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: Restart pause, 5 second(s)
Fri Jun 9 14:28:56 2017 daemon.warn openvpn(PIA_VPN_BF)[18461]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: TCP/UDP: Preserving recently used remote address: [AF_INET]104.238.169.85:53
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link local: (not bound)
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link remote: [AF_INET]104.238.169.85:53
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: TLS: Initial packet from [AF_INET]104.238.169.85:53, sid=d910ac67 3cfe9bbd
Fri Jun 9 14:28:56 2017 daemon.warn openvpn(PIA_VPN_BF)[18461]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Fri Jun 9 14:28:56 2017 daemon.err openvpn(PIA_VPN_BF)[18461]: VERIFY ERROR: depth=0, subject=C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=913b6ab8cfffcfc9efa4345d4104a57b, ??=913b6ab8cfffcfc9efa4345d4104a57b: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Fri Jun 9 14:28:56 2017 daemon.err openvpn(PIA_VPN_BF)[18461]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Fri Jun 9 14:28:56 2017 daemon.err openvpn(PIA_VPN_BF)[18461]: TLS Error: TLS object -> incoming plaintext read error
Fri Jun 9 14:28:56 2017 daemon.err openvpn(PIA_VPN_BF)[18461]: TLS Error: TLS handshake failed
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: SIGUSR1[soft,tls-error] received, process restarting
Fri Jun 9 14:28:56 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: Restart pause, 5 second(s)
Fri Jun 9 14:29:01 2017 daemon.warn openvpn(PIA_VPN_BF)[18461]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jun 9 14:29:01 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.63.151.156:53
Fri Jun 9 14:29:01 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Jun 9 14:29:01 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link local: (not bound)
Fri Jun 9 14:29:01 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: UDP link remote: [AF_INET]5.63.151.156:53
Fri Jun 9 14:29:04 2017 daemon.info hostapd: wlan1: STA 34:15:9e:6b:17:ad WPA: group key handshake completed (RSN)
Fri Jun 9 14:29:21 2017 daemon.err openvpn(PIA_VPN_BF)[18461]: event_wait : Interrupted system call (code=4)
Fri Jun 9 14:29:21 2017 daemon.notice openvpn(PIA_VPN_BF)[18461]: SIGTERM[hard,] received, process exiting
Note that a similar config using AES-256-CBC and different ca and crl files works on LEDE.
Can anyone cast light on what's wrong please?
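The failing log above comes from an OpenVPN build linked against mbed TLS, while the working Ubuntu log reports the peer certificate as "1024 bit RSA"; mbed TLS 2.x's default X.509 verification profile rejects RSA keys shorter than 2048 bits, which is what "unacceptable key (eg bad curve, RSA too short)" signals at depth=0. The following is an added example, not code from the post or from OpenVPN: it parses both styles of log line and correlates the working host's reported key size with the failing host's VERIFY ERROR. The sample lines are constructed after the logs above with shortened subjects, and the 2048-bit minimum is an assumption taken from mbed TLS's default profile.

```python
import re

# Assumption: mbed TLS 2.x's default X.509 profile rejects RSA keys under 2048 bits.
MBEDTLS_RSA_MIN_BITS = 2048

# Constructed sample lines modelled on the two logs in the post (subjects shortened).
WORKING_LOG = """\
Fri Jun 9 15:08:29 2017 VERIFY OK: depth=0, C=US, ST=CA, CN=example-server
Fri Jun 9 15:08:29 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""
FAILING_LOG = """\
Fri Jun 9 14:27:06 2017 daemon.notice openvpn(PIA_VPN_BF)[17573]: VERIFY OK: depth=1, C=US, ST=OH, CN=Example CA
Fri Jun 9 14:27:06 2017 daemon.err openvpn(PIA_VPN_BF)[17573]: VERIFY ERROR: depth=0, subject=C=US, ST=CA, CN=example-server: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
"""

VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (.*)$")
KEYBITS_RE = re.compile(r"Control Channel: .*?, (\d+) bit (RSA|EC)")

def parse_verify_events(log):
    """Per-depth certificate verification results (OpenSSL and mbed TLS builds)."""
    events = []
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        status, depth, rest, reason = m.group(1), int(m.group(2)), m.group(3), None
        if status == "ERROR":
            # mbed TLS builds append the failure reason after the subject, separated by ": "
            rest, _, reason = rest.rpartition(": ")
        events.append({"depth": depth, "ok": status == "OK", "subject": rest, "reason": reason})
    return events

def peer_key_bits(log):
    """(bits, type) OpenVPN reports for the peer (depth 0) certificate, or None."""
    m = KEYBITS_RE.search(log)
    return (int(m.group(1)), m.group(2)) if m else None

def diagnose(working_log, failing_log, rsa_min_bits=MBEDTLS_RSA_MIN_BITS):
    """Correlate the working host's peer key size with the failing host's VERIFY ERROR."""
    errors = [e for e in parse_verify_events(failing_log) if not e["ok"]]
    if not errors:
        return "no verification error found"
    err = errors[0]
    if "unacceptable key" not in (err["reason"] or ""):
        return f"depth={err['depth']} failed for another reason: {err['reason']}"
    key = peer_key_bits(working_log)
    # The 'Control Channel' line only describes the leaf certificate (depth 0), not the CA.
    if err["depth"] == 0 and key and key[1] == "RSA" and key[0] < rsa_min_bits:
        return f"depth=0 certificate has a {key[0]}-bit RSA key; client requires >= {rsa_min_bits}"
    return f"depth={err['depth']} rejected by key policy; key size not confirmed by working log"
```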