[SOLVED] OpenVPN - TLS Handshake timeout

Hey guys,

For a few days now I have been unable to connect to my OpenWrt router using OpenVPN.
One week ago everything was working just fine and I didn't change any configuration files at all.

client_log
2019-10-17 08:09:47 offizielle Version 0.7.8 läuft auf OnePlus GM1903 (msmnile), Android 9 (PKQ1.190110.001) API 28, ABI arm64-v8a, (OnePlus/OnePlus7_EEA/OnePlus7:9/PKQ1.190110.001/1907280700:user/release-keys)
2019-10-17 08:09:47 Generiere OpenVPN-Konfiguration…
2019-10-17 08:09:47 started Socket Thread
2019-10-17 08:09:47 Netzwerkstatus: CONNECTED  to WIFI 
2019-10-17 08:09:47 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-10-17 08:09:47 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-10-17 08:09:47 Current Parameter Settings:
2019-10-17 08:09:47 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 08:09:47   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-10-17 08:09:47   mode = 0
2019-10-17 08:09:47   show_ciphers = DISABLED
2019-10-17 08:09:47   show_digests = DISABLED
2019-10-17 08:09:47   show_engines = DISABLED
2019-10-17 08:09:47   genkey = DISABLED
2019-10-17 08:09:47   key_pass_file = '[UNDEF]'
2019-10-17 08:09:47   show_tls_ciphers = DISABLED
2019-10-17 08:09:47   connect_retry_max = 0
2019-10-17 08:09:47 Connection profiles [0]:
2019-10-17 08:09:47   proto = udp
2019-10-17 08:09:47   local = '[UNDEF]'
2019-10-17 08:09:47   local_port = '[UNDEF]'
2019-10-17 08:09:47   remote = 'xxxxxxx.goip.de'
2019-10-17 08:09:47   remote_port = '1194'
2019-10-17 08:09:47   remote_float = DISABLED
2019-10-17 08:09:47   bind_defined = DISABLED
2019-10-17 08:09:47   bind_local = DISABLED
2019-10-17 08:09:47   bind_ipv6_only = DISABLED
2019-10-17 08:09:47   connect_retry_seconds = 2
2019-10-17 08:09:47   connect_timeout = 120
2019-10-17 08:09:47   socks_proxy_server = '[UNDEF]'
2019-10-17 08:09:47   socks_proxy_port = '[UNDEF]'
2019-10-17 08:09:47   tun_mtu = 1500
2019-10-17 08:09:47   tun_mtu_defined = ENABLED
2019-10-17 08:09:47   link_mtu = 1500
2019-10-17 08:09:47   link_mtu_defined = DISABLED
2019-10-17 08:09:47   tun_mtu_extra = 0
2019-10-17 08:09:47   tun_mtu_extra_defined = DISABLED
2019-10-17 08:09:47   mtu_discover_type = -1
2019-10-17 08:09:47   fragment = 0
2019-10-17 08:09:47   mssfix = 1450
2019-10-17 08:09:47   explicit_exit_notification = 0
2019-10-17 08:09:47   tls_auth_file = '[UNDEF]'
2019-10-17 08:09:47   key_direction = not set
2019-10-17 08:09:47   tls_crypt_file = '[[INLINE]]'
2019-10-17 08:09:47   tls_crypt_v2_file = '[UNDEF]'
2019-10-17 08:09:47 Connection profiles END
2019-10-17 08:09:47   remote_random = DISABLED
2019-10-17 08:09:47   ipchange = '[UNDEF]'
2019-10-17 08:09:47   dev = 'tun'
2019-10-17 08:09:47   dev_type = '[UNDEF]'
2019-10-17 08:09:47   dev_node = '[UNDEF]'
2019-10-17 08:09:47   lladdr = '[UNDEF]'
2019-10-17 08:09:47   topology = 1
2019-10-17 08:09:47   ifconfig_local = '[UNDEF]'
2019-10-17 08:09:47   ifconfig_remote_netmask = '[UNDEF]'
2019-10-17 08:09:47   ifconfig_noexec = DISABLED
2019-10-17 08:09:47   ifconfig_nowarn = ENABLED
2019-10-17 08:09:47   ifconfig_ipv6_local = '[UNDEF]'
2019-10-17 08:09:47   ifconfig_ipv6_netbits = 0
2019-10-17 08:09:47   ifconfig_ipv6_remote = '[UNDEF]'
2019-10-17 08:09:47   shaper = 0
2019-10-17 08:09:47   mtu_test = 0
2019-10-17 08:09:47   mlock = DISABLED
2019-10-17 08:09:47   keepalive_ping = 0
2019-10-17 08:09:47   keepalive_timeout = 0
2019-10-17 08:09:47   inactivity_timeout = 0
2019-10-17 08:09:47   ping_send_timeout = 0
2019-10-17 08:09:47   ping_rec_timeout = 0
2019-10-17 08:09:47   ping_rec_timeout_action = 0
2019-10-17 08:09:47   ping_timer_remote = DISABLED
2019-10-17 08:09:47   remap_sigusr1 = 0
2019-10-17 08:09:47   persist_tun = ENABLED
2019-10-17 08:09:47   persist_local_ip = DISABLED
2019-10-17 08:09:47   persist_remote_ip = DISABLED
2019-10-17 08:09:47   persist_key = DISABLED
2019-10-17 08:09:47   passtos = DISABLED
2019-10-17 08:09:47   resolve_retry_seconds = 1000000000
2019-10-17 08:09:47   resolve_in_advance = ENABLED
2019-10-17 08:09:47   username = '[UNDEF]'
2019-10-17 08:09:47   groupname = '[UNDEF]'
2019-10-17 08:09:47   chroot_dir = '[UNDEF]'
2019-10-17 08:09:47   cd_dir = '[UNDEF]'
2019-10-17 08:09:47   writepid = '[UNDEF]'
2019-10-17 08:09:47   up_script = '[UNDEF]'
2019-10-17 08:09:47   down_script = '[UNDEF]'
2019-10-17 08:09:47   down_pre = DISABLED
2019-10-17 08:09:47   up_restart = DISABLED
2019-10-17 08:09:47   up_delay = DISABLED
2019-10-17 08:09:47   daemon = DISABLED
2019-10-17 08:09:47   inetd = 0
2019-10-17 08:09:47   log = DISABLED
2019-10-17 08:09:47   suppress_timestamps = DISABLED
2019-10-17 08:09:47   machine_readable_output = ENABLED
2019-10-17 08:09:47   nice = 0
2019-10-17 08:09:47   verbosity = 4
2019-10-17 08:09:47   mute = 0
2019-10-17 08:09:47   gremlin = 0
2019-10-17 08:09:47   status_file = '[UNDEF]'
2019-10-17 08:09:47   status_file_version = 1
2019-10-17 08:09:47   status_file_update_freq = 60
2019-10-17 08:09:47   occ = ENABLED
2019-10-17 08:09:47   rcvbuf = 0
2019-10-17 08:09:47   sndbuf = 0
2019-10-17 08:09:47   sockflags = 0
2019-10-17 08:09:47   fast_io = DISABLED
2019-10-17 08:09:47   comp.alg = 0
2019-10-17 08:09:47   comp.flags = 0
2019-10-17 08:09:47   route_script = '[UNDEF]'
2019-10-17 08:09:47   route_default_gateway = '[UNDEF]'
2019-10-17 08:09:47   route_default_metric = 0
2019-10-17 08:09:47   route_noexec = DISABLED
2019-10-17 08:09:47   route_delay = 0
2019-10-17 08:09:47   route_delay_window = 30
2019-10-17 08:09:47   route_delay_defined = DISABLED
2019-10-17 08:09:47   route_nopull = DISABLED
2019-10-17 08:09:47   route_gateway_via_dhcp = DISABLED
2019-10-17 08:09:47   allow_pull_fqdn = DISABLED
2019-10-17 08:09:47   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-10-17 08:09:47   management_port = 'unix'
2019-10-17 08:09:47   management_user_pass = '[UNDEF]'
2019-10-17 08:09:47   management_log_history_cache = 250
2019-10-17 08:09:47   management_echo_buffer_size = 100
2019-10-17 08:09:47   management_write_peer_info_file = '[UNDEF]'
2019-10-17 08:09:47   management_client_user = '[UNDEF]'
2019-10-17 08:09:47   management_client_group = '[UNDEF]'
2019-10-17 08:09:47   management_flags = 16678
2019-10-17 08:09:47   shared_secret_file = '[UNDEF]'
2019-10-17 08:09:47   key_direction = not set
2019-10-17 08:09:47   ciphername = 'AES-256-CBC'
2019-10-17 08:09:47   ncp_enabled = ENABLED
2019-10-17 08:09:47   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-10-17 08:09:47   authname = 'SHA512'
2019-10-17 08:09:47   prng_hash = 'SHA1'
2019-10-17 08:09:47   prng_nonce_secret_len = 16
2019-10-17 08:09:47   keysize = 0
2019-10-17 08:09:47   engine = DISABLED
2019-10-17 08:09:47   replay = ENABLED
2019-10-17 08:09:47   mute_replay_warnings = DISABLED
2019-10-17 08:09:47   replay_window = 64
2019-10-17 08:09:47   replay_time = 15
2019-10-17 08:09:47   packet_id_file = '[UNDEF]'
2019-10-17 08:09:47   test_crypto = DISABLED
2019-10-17 08:09:47   tls_server = DISABLED
2019-10-17 08:09:47   tls_client = ENABLED
2019-10-17 08:09:47   key_method = 2
2019-10-17 08:09:47   ca_file = '[[INLINE]]'
2019-10-17 08:09:47   ca_path = '[UNDEF]'
2019-10-17 08:09:47   dh_file = '[UNDEF]'
2019-10-17 08:09:47   cert_file = '[[INLINE]]'
2019-10-17 08:09:47   extra_certs_file = '[UNDEF]'
2019-10-17 08:09:47   priv_key_file = '[[INLINE]]'
2019-10-17 08:09:47   pkcs12_file = '[UNDEF]'
2019-10-17 08:09:47   cipher_list = '[UNDEF]'
2019-10-17 08:09:47   cipher_list_tls13 = '[UNDEF]'
2019-10-17 08:09:47   tls_cert_profile = '[UNDEF]'
2019-10-17 08:09:47   tls_verify = '[UNDEF]'
2019-10-17 08:09:47   tls_export_cert = '[UNDEF]'
2019-10-17 08:09:47   verify_x509_type = 0
2019-10-17 08:09:47   verify_x509_name = '[UNDEF]'
2019-10-17 08:09:47   crl_file = '[UNDEF]'
2019-10-17 08:09:47   ns_cert_type = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 65535
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_ku[i] = 0
2019-10-17 08:09:47   remote_cert_eku = 'TLS Web Server Authentication'
2019-10-17 08:09:47   ssl_flags = 0
2019-10-17 08:09:47   tls_timeout = 2
2019-10-17 08:09:47   renegotiate_bytes = -1
2019-10-17 08:09:47   renegotiate_packets = 0
2019-10-17 08:09:47   renegotiate_seconds = 3600
2019-10-17 08:09:47   handshake_window = 60
2019-10-17 08:09:47   transition_window = 3600
2019-10-17 08:09:47   single_session = DISABLED
2019-10-17 08:09:47   push_peer_info = DISABLED
2019-10-17 08:09:47   tls_exit = DISABLED
2019-10-17 08:09:47   tls_crypt_v2_genkey_type = '[UNDEF]'
2019-10-17 08:09:47   tls_crypt_v2_genkey_file = '[UNDEF]'
2019-10-17 08:09:47   tls_crypt_v2_metadata = '[UNDEF]'
2019-10-17 08:09:47   client = ENABLED
2019-10-17 08:09:47   pull = ENABLED
2019-10-17 08:09:47   auth_user_pass_file = '[UNDEF]'
2019-10-17 08:09:47 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-10-17 08:09:47 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
2019-10-17 08:09:47 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-10-17 08:09:47 MANAGEMENT: CMD 'version 3'
2019-10-17 08:09:47 MANAGEMENT: CMD 'hold release'
2019-10-17 08:09:47 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 08:09:47 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 08:09:47 MANAGEMENT: CMD 'state on'
2019-10-17 08:09:48 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:09:48 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:09:48 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:09:48 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:09:48 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 08:09:48 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 08:09:48 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 08:09:48 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 08:09:48 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1194
2019-10-17 08:09:48 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 08:09:48 UDP link local: (not bound)
2019-10-17 08:09:48 UDP link remote: [AF_INET6]::1:1194
2019-10-17 08:09:48 MANAGEMENT: >STATE:1571292588,WAIT,,,,,,
2019-10-17 08:10:48 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-10-17 08:10:48 Warte 2s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 08:10:48 TLS Error: TLS handshake failed
2019-10-17 08:10:48 TCP/UDP: Closing socket
2019-10-17 08:10:48 SIGUSR1[soft,tls-error] received, process restarting
2019-10-17 08:10:48 MANAGEMENT: >STATE:1571292648,RECONNECTING,tls-error,,,,,
2019-10-17 08:10:50 MANAGEMENT: CMD 'hold release'
2019-10-17 08:10:50 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 08:10:50 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 08:10:50 MANAGEMENT: CMD 'state on'
2019-10-17 08:10:51 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:10:51 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:10:51 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:10:51 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:10:51 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 08:10:51 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 08:10:51 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 08:10:51 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 08:10:51 TCP/UDP: Preserving recently used remote address: [AF_INET]server_public_ip:1194
2019-10-17 08:10:51 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 08:10:51 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-10-17 08:10:51 UDP link local: (not bound)
2019-10-17 08:10:51 UDP link remote: [AF_INET]server_public_ip:1194
2019-10-17 08:10:51 MANAGEMENT: >STATE:1571292651,WAIT,,,,,,
2019-10-17 08:10:51 MANAGEMENT: >STATE:1571292651,AUTH,,,,,,
2019-10-17 08:10:51 TLS: Initial packet from [AF_INET]server_public_ip:1194, sid=447187f9 2a04d9e6
2019-10-17 08:10:52 VERIFY OK: depth=1, CN=ovpnserver_xxxxxxxx
2019-10-17 08:10:52 VERIFY KU OK
2019-10-17 08:10:52 Validating certificate extended key usage
2019-10-17 08:10:52 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-10-17 08:10:52 VERIFY EKU OK
2019-10-17 08:10:52 VERIFY OK: depth=0, CN=vpnserver
2019-10-17 08:11:51 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-10-17 08:11:51 Warte 2s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 08:11:51 TLS Error: TLS handshake failed
2019-10-17 08:11:51 TCP/UDP: Closing socket
2019-10-17 08:11:51 SIGUSR1[soft,tls-error] received, process restarting
2019-10-17 08:11:51 MANAGEMENT: >STATE:1571292711,RECONNECTING,tls-error,,,,,
2019-10-17 08:11:53 MANAGEMENT: CMD 'hold release'
2019-10-17 08:11:53 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 08:11:53 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 08:11:53 MANAGEMENT: CMD 'state on'
2019-10-17 08:11:54 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:11:54 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:11:54 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 08:11:54 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 08:11:54 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 08:11:54 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 08:11:54 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 08:11:54 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 08:11:54 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1194
2019-10-17 08:11:54 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 08:11:54 UDP link local: (not bound)
2019-10-17 08:11:54 UDP link remote: [AF_INET6]::1:1194
2019-10-17 08:11:54 MANAGEMENT: >STATE:1571292714,WAIT,,,,,,
2019-10-17 08:12:21 MANAGEMENT: CMD 'signal SIGINT'
2019-10-17 08:12:21 TCP/UDP: Closing socket
2019-10-17 08:12:21 SIGINT[hard,] received, process exiting
2019-10-17 08:12:21 MANAGEMENT: >STATE:1571292741,EXITING,SIGINT,,,,,

The client has a working internet connection, and the public IP also gets resolved correctly.
My other clients/friends have the exact same problem.

I don't know where OpenVPN for OpenWrt saves the server logs...

Is it expected to try to connect to the IPv6 address?


No, that is indeed also not intended!
I couldn't figure out how to disable this behaviour; it happens on every client.

But it was working before, even with that "error".

Check in the server for option log /some/path to find the server logs.

You have this in the IPv4 negotiation. Maybe the file on the server is corrupted?

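The client log in this thread only ever reports the generic 60-second "TLS key negotiation failed" timeout, so the cause has to be read from the server log. As an added example (not part of the original posts), this Python script groups server-log lines per peer and reports why each handshake failed; the sample log is constructed in the OpenVPN 2.4 server-log layout with documentation-range addresses, and the `HINTS` texts and the `triage` function name are assumptions of this example.

```python
import re
from collections import OrderedDict

# Constructed sample in the OpenVPN 2.4 server-log layout.
# Addresses are documentation ranges, session ids are placeholders.
SAMPLE_SERVER_LOG = """\
Thu Oct 17 18:17:00 2019 Initialization Sequence Completed
Thu Oct 17 18:18:17 2019 203.0.113.7:1766 TLS: Initial packet from [AF_INET]203.0.113.7:1766, sid=00000000 00000001
Thu Oct 17 18:18:19 2019 203.0.113.7:1766 VERIFY ERROR: depth=0, error=CRL has expired: CN=admin
Thu Oct 17 18:18:19 2019 203.0.113.7:1766 TLS_ERROR: BIO read tls_read_plaintext error
Thu Oct 17 18:18:19 2019 203.0.113.7:1766 TLS Error: TLS handshake failed
Thu Oct 17 18:19:02 2019 198.51.100.9:40112 TLS: Initial packet from [AF_INET]198.51.100.9:40112, sid=00000000 00000002
Thu Oct 17 18:19:03 2019 198.51.100.9:40112 VERIFY OK: depth=0, CN=laptop
Thu Oct 17 18:20:02 2019 192.0.2.44:5353 TLS: Initial packet from [AF_INET]192.0.2.44:5353, sid=00000000 00000003
Thu Oct 17 18:21:02 2019 192.0.2.44:5353 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Oct 17 18:21:02 2019 192.0.2.44:5353 TLS Error: TLS handshake failed
"""

# "<weekday> <month> <day> <time> <year> [<peer ip:port>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:(?P<peer>\S+:\d+) )?"
    r"(?P<msg>.*)$"
)
# "VERIFY ERROR: depth=0, error=<OpenSSL reason>: <subject>"
VERIFY_ERR_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<reason>.+?): (?P<subject>.*)$"
)

# Assumed operator hints for common OpenSSL verify reasons (not from the thread).
HINTS = {
    "CRL has expired": "CRL nextUpdate has passed; reissue the CRL the server loads via crl-verify",
    "certificate has expired": "peer certificate is past notAfter; reissue it",
    "certificate revoked": "certificate is listed in the CRL; the rejection is intended",
}


def triage(log_text):
    """Return {peer: finding} for every peer whose TLS handshake failed."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("peer"):
            continue  # startup lines carry no peer prefix
        peer, msg = m.group("peer"), m.group("msg")
        state = sessions.setdefault(
            peer, {"reason": None, "subject": None, "depth": None,
                   "timed_out": False, "failed_at": None}
        )
        v = VERIFY_ERR_RE.match(msg)
        if v and state["reason"] is None:
            # Keep the first verify error: later TLS_ERROR lines are consequences.
            state["reason"] = v.group("reason")
            state["subject"] = v.group("subject")
            state["depth"] = int(v.group("depth"))
        elif "TLS key negotiation failed to occur" in msg:
            state["timed_out"] = True
        elif msg.startswith("TLS Error: TLS handshake failed"):
            state["failed_at"] = m.group("ts")

    findings = OrderedDict()
    for peer, state in sessions.items():
        if state["failed_at"] is None:
            continue  # handshake succeeded or is still in progress
        if state["reason"] is not None:
            reason = state["reason"]
        elif state["timed_out"]:
            reason = "handshake timeout"
        else:
            reason = "unclassified TLS failure"
        findings[peer] = {
            "reason": reason,
            "subject": state["subject"],
            "depth": state["depth"],
            "failed_at": state["failed_at"],
            "hint": HINTS.get(reason),
        }
    return findings


if __name__ == "__main__":
    for peer, f in triage(SAMPLE_SERVER_LOG).items():
        print(f"{f['failed_at']}  {peer}  {f['reason']}"
              f"{'  (' + f['subject'] + ')' if f['subject'] else ''}")
        if f["hint"]:
            print(f"    hint: {f['hint']}")
```

A certificate-verification rejection on the server surfaces on the client only as a timeout, which is why the same failure can look like a connectivity problem from the client side.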

I don't think it is the file.
The OpenVPN log on OpenWrt gets stored in /tmp/openvpn.log.

Below is a clean log for both client and server.

log_server
Thu Oct 17 18:17:00 2019 OpenVPN 2.4.5 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Thu Oct 17 18:17:00 2019 library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Thu Oct 17 18:17:00 2019 Diffie-Hellman initialized with 4096 bit key
Thu Oct 17 18:17:00 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Oct 17 18:17:00 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct 17 18:17:00 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Oct 17 18:17:00 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Oct 17 18:17:00 2019 TUN/TAP device tun_server opened
Thu Oct 17 18:17:00 2019 TUN/TAP TX queue length set to 100
Thu Oct 17 18:17:00 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Oct 17 18:17:00 2019 /sbin/ifconfig tun_server 192.168.173.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.173.255
Thu Oct 17 18:17:00 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Oct 17 18:17:00 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 17 18:17:00 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Oct 17 18:17:00 2019 UDPv4 link remote: [AF_UNSPEC]
Thu Oct 17 18:17:00 2019 GID set to nogroup
Thu Oct 17 18:17:00 2019 UID set to nobody
Thu Oct 17 18:17:00 2019 MULTI: multi_init called, r=256 v=256
Thu Oct 17 18:17:00 2019 IFCONFIG POOL: base=192.168.173.2 size=252, ipv6=0
Thu Oct 17 18:17:00 2019 Initialization Sequence Completed
Thu Oct 17 18:18:17 2019 client_public_ip:1766 TLS: Initial packet from [AF_INET]client_public_ip:1766, sid=a3bbfa77 cd3a788e
Thu Oct 17 18:18:19 2019 client_public_ip:1766 VERIFY ERROR: depth=0, error=CRL has expired: CN=admin
Thu Oct 17 18:18:19 2019 client_public_ip:1766 OpenSSL: error:14089086:lib(20):func(137):reason(134)
Thu Oct 17 18:18:19 2019 client_public_ip:1766 TLS_ERROR: BIO read tls_read_plaintext error
Thu Oct 17 18:18:19 2019 client_public_ip:1766 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 17 18:18:19 2019 client_public_ip:1766 TLS Error: TLS handshake failed
Thu Oct 17 18:18:19 2019 client_public_ip:1766 SIGUSR1[soft,tls-error] received, client-instance restarting
log_client
2019-10-17 18:17:11 offizielle Version 0.7.8 läuft auf OnePlus GM1903 (msmnile), Android 9 (PKQ1.190110.001) API 28, ABI arm64-v8a, (OnePlus/OnePlus7_EEA/OnePlus7:9/PKQ1.190110.001/1907280700:user/release-keys)
2019-10-17 18:17:11 Generiere OpenVPN-Konfiguration…
2019-10-17 18:17:11 started Socket Thread
2019-10-17 18:17:11 Netzwerkstatus: CONNECTED HSPA+ to MOBILE internet
2019-10-17 18:17:11 Debug state info: CONNECTED HSPA+ to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-10-17 18:17:11 Debug state info: CONNECTED HSPA+ to MOBILE internet, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2019-10-17 18:17:11 Current Parameter Settings:
2019-10-17 18:17:11   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-10-17 18:17:11   mode = 0
2019-10-17 18:17:11   show_ciphers = DISABLED
2019-10-17 18:17:11   show_digests = DISABLED
2019-10-17 18:17:11   show_engines = DISABLED
2019-10-17 18:17:11 Warte 0s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 18:17:11   genkey = DISABLED
2019-10-17 18:17:11   key_pass_file = '[UNDEF]'
2019-10-17 18:17:11   show_tls_ciphers = DISABLED
2019-10-17 18:17:11   connect_retry_max = 0
2019-10-17 18:17:11 Connection profiles [0]:
2019-10-17 18:17:11   proto = udp
2019-10-17 18:17:11   local = '[UNDEF]'
2019-10-17 18:17:11   local_port = '[UNDEF]'
2019-10-17 18:17:11   remote = 'XXXXXX.goip.de'
2019-10-17 18:17:11   remote_port = '1194'
2019-10-17 18:17:11   remote_float = DISABLED
2019-10-17 18:17:11   bind_defined = DISABLED
2019-10-17 18:17:11   bind_local = DISABLED
2019-10-17 18:17:11   bind_ipv6_only = DISABLED
2019-10-17 18:17:11   connect_retry_seconds = 2
2019-10-17 18:17:11   connect_timeout = 120
2019-10-17 18:17:11   socks_proxy_server = '[UNDEF]'
2019-10-17 18:17:11   socks_proxy_port = '[UNDEF]'
2019-10-17 18:17:11   tun_mtu = 1500
2019-10-17 18:17:11   tun_mtu_defined = ENABLED
2019-10-17 18:17:11   link_mtu = 1500
2019-10-17 18:17:11   link_mtu_defined = DISABLED
2019-10-17 18:17:11   tun_mtu_extra = 0
2019-10-17 18:17:11   tun_mtu_extra_defined = DISABLED
2019-10-17 18:17:11   mtu_discover_type = -1
2019-10-17 18:17:11   fragment = 0
2019-10-17 18:17:11   mssfix = 1450
2019-10-17 18:17:11   explicit_exit_notification = 0
2019-10-17 18:17:11   tls_auth_file = '[UNDEF]'
2019-10-17 18:17:11   key_direction = not set
2019-10-17 18:17:11   tls_crypt_file = '[[INLINE]]'
2019-10-17 18:17:11   tls_crypt_v2_file = '[UNDEF]'
2019-10-17 18:17:11 Connection profiles END
2019-10-17 18:17:11   remote_random = DISABLED
2019-10-17 18:17:11   ipchange = '[UNDEF]'
2019-10-17 18:17:11   dev = 'tun'
2019-10-17 18:17:11   dev_type = '[UNDEF]'
2019-10-17 18:17:11   dev_node = '[UNDEF]'
2019-10-17 18:17:11   lladdr = '[UNDEF]'
2019-10-17 18:17:11   topology = 1
2019-10-17 18:17:11   ifconfig_local = '[UNDEF]'
2019-10-17 18:17:11   ifconfig_remote_netmask = '[UNDEF]'
2019-10-17 18:17:11   ifconfig_noexec = DISABLED
2019-10-17 18:17:11   ifconfig_nowarn = ENABLED
2019-10-17 18:17:11   ifconfig_ipv6_local = '[UNDEF]'
2019-10-17 18:17:11   ifconfig_ipv6_netbits = 0
2019-10-17 18:17:11   ifconfig_ipv6_remote = '[UNDEF]'
2019-10-17 18:17:11   shaper = 0
2019-10-17 18:17:11   mtu_test = 0
2019-10-17 18:17:11   mlock = DISABLED
2019-10-17 18:17:11   keepalive_ping = 0
2019-10-17 18:17:11   keepalive_timeout = 0
2019-10-17 18:17:11   inactivity_timeout = 0
2019-10-17 18:17:11   ping_send_timeout = 0
2019-10-17 18:17:11   ping_rec_timeout = 0
2019-10-17 18:17:11   ping_rec_timeout_action = 0
2019-10-17 18:17:11   ping_timer_remote = DISABLED
2019-10-17 18:17:11   remap_sigusr1 = 0
2019-10-17 18:17:11   persist_tun = ENABLED
2019-10-17 18:17:11   persist_local_ip = DISABLED
2019-10-17 18:17:12   persist_remote_ip = DISABLED
2019-10-17 18:17:12   persist_key = DISABLED
2019-10-17 18:17:12   passtos = DISABLED
2019-10-17 18:17:12   resolve_retry_seconds = 1000000000
2019-10-17 18:17:12   resolve_in_advance = ENABLED
2019-10-17 18:17:12   username = '[UNDEF]'
2019-10-17 18:17:12   groupname = '[UNDEF]'
2019-10-17 18:17:12   chroot_dir = '[UNDEF]'
2019-10-17 18:17:12   cd_dir = '[UNDEF]'
2019-10-17 18:17:12   writepid = '[UNDEF]'
2019-10-17 18:17:12   up_script = '[UNDEF]'
2019-10-17 18:17:12   down_script = '[UNDEF]'
2019-10-17 18:17:12   down_pre = DISABLED
2019-10-17 18:17:12   up_restart = DISABLED
2019-10-17 18:17:12   up_delay = DISABLED
2019-10-17 18:17:12   daemon = DISABLED
2019-10-17 18:17:12   inetd = 0
2019-10-17 18:17:12   log = DISABLED
2019-10-17 18:17:12   suppress_timestamps = DISABLED
2019-10-17 18:17:12   machine_readable_output = ENABLED
2019-10-17 18:17:12   nice = 0
2019-10-17 18:17:12   verbosity = 4
2019-10-17 18:17:12   mute = 0
2019-10-17 18:17:12   gremlin = 0
2019-10-17 18:17:12   status_file = '[UNDEF]'
2019-10-17 18:17:12   status_file_version = 1
2019-10-17 18:17:12   status_file_update_freq = 60
2019-10-17 18:17:12   occ = ENABLED
2019-10-17 18:17:12   rcvbuf = 0
2019-10-17 18:17:12   sndbuf = 0
2019-10-17 18:17:12   sockflags = 0
2019-10-17 18:17:12   fast_io = DISABLED
2019-10-17 18:17:12   comp.alg = 0
2019-10-17 18:17:12   comp.flags = 0
2019-10-17 18:17:12   route_script = '[UNDEF]'
2019-10-17 18:17:12   route_default_gateway = '[UNDEF]'
2019-10-17 18:17:12   route_default_metric = 0
2019-10-17 18:17:12   route_noexec = DISABLED
2019-10-17 18:17:12   route_delay = 0
2019-10-17 18:17:12   route_delay_window = 30
2019-10-17 18:17:12   route_delay_defined = DISABLED
2019-10-17 18:17:12   route_nopull = DISABLED
2019-10-17 18:17:12   route_gateway_via_dhcp = DISABLED
2019-10-17 18:17:12   allow_pull_fqdn = DISABLED
2019-10-17 18:17:12   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2019-10-17 18:17:12   management_port = 'unix'
2019-10-17 18:17:12   management_user_pass = '[UNDEF]'
2019-10-17 18:17:12   management_log_history_cache = 250
2019-10-17 18:17:12   management_echo_buffer_size = 100
2019-10-17 18:17:12   management_write_peer_info_file = '[UNDEF]'
2019-10-17 18:17:12   management_client_user = '[UNDEF]'
2019-10-17 18:17:12   management_client_group = '[UNDEF]'
2019-10-17 18:17:12   management_flags = 16678
2019-10-17 18:17:12   shared_secret_file = '[UNDEF]'
2019-10-17 18:17:12   key_direction = not set
2019-10-17 18:17:12   ciphername = 'AES-256-CBC'
2019-10-17 18:17:12   ncp_enabled = ENABLED
2019-10-17 18:17:12   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2019-10-17 18:17:12   authname = 'SHA512'
2019-10-17 18:17:12   prng_hash = 'SHA1'
2019-10-17 18:17:12   prng_nonce_secret_len = 16
2019-10-17 18:17:12   keysize = 0
2019-10-17 18:17:12   engine = DISABLED
2019-10-17 18:17:12   replay = ENABLED
2019-10-17 18:17:12   mute_replay_warnings = DISABLED
2019-10-17 18:17:12   replay_window = 64
2019-10-17 18:17:12   replay_time = 15
2019-10-17 18:17:12   packet_id_file = '[UNDEF]'
2019-10-17 18:17:12   test_crypto = DISABLED
2019-10-17 18:17:12   tls_server = DISABLED
2019-10-17 18:17:12   tls_client = ENABLED
2019-10-17 18:17:12   key_method = 2
2019-10-17 18:17:12   ca_file = '[[INLINE]]'
2019-10-17 18:17:12   ca_path = '[UNDEF]'
2019-10-17 18:17:12   dh_file = '[UNDEF]'
2019-10-17 18:17:12   cert_file = '[[INLINE]]'
2019-10-17 18:17:12   extra_certs_file = '[UNDEF]'
2019-10-17 18:17:12   priv_key_file = '[[INLINE]]'
2019-10-17 18:17:12   pkcs12_file = '[UNDEF]'
2019-10-17 18:17:12   cipher_list = '[UNDEF]'
2019-10-17 18:17:12   cipher_list_tls13 = '[UNDEF]'
2019-10-17 18:17:12   tls_cert_profile = '[UNDEF]'
2019-10-17 18:17:12   tls_verify = '[UNDEF]'
2019-10-17 18:17:12   tls_export_cert = '[UNDEF]'
2019-10-17 18:17:12   verify_x509_type = 0
2019-10-17 18:17:12   verify_x509_name = '[UNDEF]'
2019-10-17 18:17:12   crl_file = '[UNDEF]'
2019-10-17 18:17:12   ns_cert_type = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 65535
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_ku[i] = 0
2019-10-17 18:17:12   remote_cert_eku = 'TLS Web Server Authentication'
2019-10-17 18:17:12   ssl_flags = 0
2019-10-17 18:17:12   tls_timeout = 2
2019-10-17 18:17:12   renegotiate_bytes = -1
2019-10-17 18:17:12   renegotiate_packets = 0
2019-10-17 18:17:12   renegotiate_seconds = 3600
2019-10-17 18:17:12   handshake_window = 60
2019-10-17 18:17:12   transition_window = 3600
2019-10-17 18:17:12   single_session = DISABLED
2019-10-17 18:17:12   push_peer_info = DISABLED
2019-10-17 18:17:12   tls_exit = DISABLED
2019-10-17 18:17:12   tls_crypt_v2_genkey_type = '[UNDEF]'
2019-10-17 18:17:12   tls_crypt_v2_genkey_file = '[UNDEF]'
2019-10-17 18:17:12   tls_crypt_v2_metadata = '[UNDEF]'
2019-10-17 18:17:12   client = ENABLED
2019-10-17 18:17:12   pull = ENABLED
2019-10-17 18:17:12   auth_user_pass_file = '[UNDEF]'
2019-10-17 18:17:12 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.8-0-g168367a5] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 22 2019
2019-10-17 18:17:12 library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
2019-10-17 18:17:12 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2019-10-17 18:17:12 MANAGEMENT: CMD 'version 3'
2019-10-17 18:17:12 MANAGEMENT: CMD 'hold release'
2019-10-17 18:17:12 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 18:17:12 MANAGEMENT: CMD 'state on'
2019-10-17 18:17:12 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 18:17:13 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:17:13 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:17:13 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:17:13 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:17:13 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 18:17:13 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 18:17:13 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 18:17:13 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 18:17:13 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1194
2019-10-17 18:17:13 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 18:17:13 UDP link local: (not bound)
2019-10-17 18:17:13 UDP link remote: [AF_INET6]::1:1194
2019-10-17 18:17:13 MANAGEMENT: >STATE:1571329033,WAIT,,,,,,
2019-10-17 18:18:13 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-10-17 18:18:13 Warte 2s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 18:18:13 TLS Error: TLS handshake failed
2019-10-17 18:18:13 TCP/UDP: Closing socket
2019-10-17 18:18:13 SIGUSR1[soft,tls-error] received, process restarting
2019-10-17 18:18:13 MANAGEMENT: >STATE:1571329093,RECONNECTING,tls-error,,,,,
2019-10-17 18:18:15 MANAGEMENT: CMD 'hold release'
2019-10-17 18:18:15 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 18:18:15 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 18:18:15 MANAGEMENT: CMD 'state on'
2019-10-17 18:18:16 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:18:16 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:18:16 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:18:16 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:18:16 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 18:18:16 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 18:18:16 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 18:18:16 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 18:18:16 TCP/UDP: Preserving recently used remote address: [AF_INET]server_public_ip:1194
2019-10-17 18:18:16 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 18:18:16 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2019-10-17 18:18:16 UDP link local: (not bound)
2019-10-17 18:18:16 UDP link remote: [AF_INET]server_public_ip:1194
2019-10-17 18:18:16 MANAGEMENT: >STATE:1571329096,WAIT,,,,,,
2019-10-17 18:18:16 MANAGEMENT: >STATE:1571329096,AUTH,,,,,,
2019-10-17 18:18:16 TLS: Initial packet from [AF_INET]server_public_ip:1194, sid=dfb86f31 27c416d3
2019-10-17 18:18:18 VERIFY OK: depth=1, CN=ovpnserver_XXXXXX
2019-10-17 18:18:18 VERIFY KU OK
2019-10-17 18:18:18 Validating certificate extended key usage
2019-10-17 18:18:18 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2019-10-17 18:18:18 VERIFY EKU OK
2019-10-17 18:18:18 VERIFY OK: depth=0, CN=vpnserver
2019-10-17 18:19:16 Warte 2s Sekunden zwischen zwei Verbindungsversuchen
2019-10-17 18:19:16 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2019-10-17 18:19:16 TLS Error: TLS handshake failed
2019-10-17 18:19:16 TCP/UDP: Closing socket
2019-10-17 18:19:16 SIGUSR1[soft,tls-error] received, process restarting
2019-10-17 18:19:16 MANAGEMENT: >STATE:1571329156,RECONNECTING,tls-error,,,,,
2019-10-17 18:19:18 MANAGEMENT: CMD 'hold release'
2019-10-17 18:19:18 MANAGEMENT: CMD 'proxy NONE'
2019-10-17 18:19:18 MANAGEMENT: CMD 'bytecount 2'
2019-10-17 18:19:18 MANAGEMENT: CMD 'state on'
2019-10-17 18:19:19 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:19:19 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:19:19 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-10-17 18:19:19 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-10-17 18:19:19 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2019-10-17 18:19:19 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2019-10-17 18:19:19 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
2019-10-17 18:19:19 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
2019-10-17 18:19:19 TCP/UDP: Preserving recently used remote address: [AF_INET6]::1:1194
2019-10-17 18:19:19 Socket Buffers: R=[229376->229376] S=[229376->229376]
2019-10-17 18:19:19 UDP link local: (not bound)
2019-10-17 18:19:19 UDP link remote: [AF_INET6]::1:1194
2019-10-17 18:19:19 MANAGEMENT: >STATE:1571329159,WAIT,,,,,,
2019-10-17 18:19:24 MANAGEMENT: CMD 'signal SIGINT'
2019-10-17 18:19:24 TCP/UDP: Closing socket
2019-10-17 18:19:24 SIGINT[hard,] received, process exiting
2019-10-17 18:19:24 MANAGEMENT: >STATE:1571329164,EXITING,SIGINT,,,,,

Seems like this line explains the issue:

Thu Oct 17 18:18:19 2019 client_public_ip:1766 VERIFY ERROR: depth=0, error=CRL has expired: CN=admin

But what exactly has expired? The certificate revoke list file?

Utilize dual-stack mode, or specify the protocol udp4 explicitly.

1 Like

Use this to verify that they have not expired.
openssl x509 -enddate -noout -in /path/to/certs

1 Like

I tried your command with all folders in this directory /etc/easy-rsa/pki

The result always looks like this

root@OPENWRT-ROUTER:~# openssl x509 -enddate -noout -in /etc/easy-rsa/pki/issued
unable to load certificate
140336706837452:error:0906D06C:lib(9):func(109):reason(108):NA:0:Expecting: TRUSTED CERTIFICATE

EDIT: Okay I had to point it directly at a certificate. The vpnserver.crt, ca.crt and admin.crt are valid for another 10 years.

find /etc/easy-rsa/pki/issued/*.crt -print -exec openssl x509 -enddate -noout -in {} \;
2 Likes

Thanks, this makes it easier!
Like I said, all certs are valid till 2029...

1 Like
1 Like

Also here they seemed to fix the same issue by regenerating the crl.

2 Likes

Thanks a lot!!!!
This was the issue! My crl.pem file was configured to be only valid for 180 days.

I edited the /etc/easy-rsa/vars file and raised the CRL publish time to 10 years.
set_var EASYRSA_CRL_DAYS 3650
Then ran easyrsa gen-crl in console, copied the new crl.pem file to my openvpn server config, restarted the server and now everything is working well again!

And thanks @vgaetera for pointing out how to force ipv4, so that my clients can now connect faster.

2 Likes
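A check for the failure diagnosed above, added here as an example and not part of the original thread: the certificates were valid until 2029, but the CRL carries its own nextUpdate date, and that is what had passed. The script reads the CRL's validity window with openssl crl and classifies it; the function names, the 14-day warning window and the sample dates are assumptions made for the example.

```python
import subprocess
import sys
from datetime import datetime, timedelta, timezone

def read_crl_dates(path):
    """Return what `openssl crl` prints for the CRL's validity window."""
    cmd = ["openssl", "crl", "-in", path, "-noout", "-lastupdate", "-nextupdate"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_crl_dates(text):
    """Parse 'nextUpdate=Oct 12 09:00:00 2019 GMT' style lines into UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            stamp = value.replace("GMT", "").strip()
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    return dates

def validity_days(text):
    """Length of the CRL validity window in days (what EASYRSA_CRL_DAYS sets)."""
    dates = parse_crl_dates(text)
    return (dates["nextUpdate"] - dates["lastUpdate"]).days

def crl_state(text, now, warn_days=14):
    """Classify the CRL as 'expired', 'expiring', 'ok' or 'unknown' at `now`."""
    next_update = parse_crl_dates(text).get("nextUpdate")
    if next_update is None:
        return "unknown"    # no nextUpdate line in the openssl output
    if now >= next_update:
        return "expired"    # the state behind "VERIFY ERROR ... CRL has expired"
    if next_update - now <= timedelta(days=warn_days):
        return "expiring"   # regenerate with `easyrsa gen-crl` before it lapses
    return "ok"

# Constructed sample (not taken from the thread): a CRL issued with a
# 180-day window, in the format openssl prints.
SAMPLE = ("lastUpdate=Apr 15 09:00:00 2019 GMT\n"
          "nextUpdate=Oct 12 09:00:00 2019 GMT\n")

if __name__ == "__main__":
    # Usage: python3 check_crl.py /path/to/crl.pem   (no argument: use SAMPLE)
    text = read_crl_dates(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    state = crl_state(text, datetime.now(timezone.utc))
    print(state, parse_crl_dates(text).get("nextUpdate"))
    sys.exit(0 if state == "ok" else 1)
```

Run from cron against the crl.pem the server actually loads, the non-zero exit status gives a warning before clients start timing out in the TLS handshake.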

Just some last quick off topic:

I changed option proto udp to option proto udp4 at the client and even server configuration. But the client is still trying to connect using ipv6 first.
Am I missing something?

remote HOST PORT udp4
1 Like

Sadly that didn't work either.
It is still trying to connect via IPv6 first.

client
dev tun
proto udp4
remote XXXXXX.goip.de 1194 udp4
... more config below

My server is also set to proto udp4

This might be a client/platform-specific issue that depends on the connectivity state.
On the other hand, it shouldn't typically matter which protocol version the tunnel runs over provided enough connectivity.

1 Like

Yes it is!

OpenVPN for Android (https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en)
as well as
OpenVPN Connect
both ignore the proto udp4 argument.
I need to specify it in the app in the custom directives of the profiles... Strange, but at least it is working!
On my desktop devices the argument gets recognized fine.

1 Like
