OpenVPN down after maintenance?

31 posts Page 1 of 4
by Elmatador2 » Thu Mar 29, 2018 7:10 am
I had OpenVPN running on my router for the last couple of years (FTTN). Last night maintenance was done on it according to the status page. Now my router doesn't connect to the VPN. I've rebooted several times. Do I now need a new super secret handshake?
by faisal » Thu Mar 29, 2018 9:24 am
I’m aware of a couple more such cases.
by goetsch » Thu Mar 29, 2018 10:36 am
No problem here. Lost connection, of course, of the four machines I've got that use VPN. Two with Prutini client re-connected automatically, two with Tunnelblick didn't, but was able to get them up and running again manually.
by forest » Thu Mar 29, 2018 12:41 pm
I lost openvpn service, too.

My internal router sits behind the Pace gateway (FTTN service) and does whole-house VPN. Connectivity was lost as expected during this morning's maintenance at midnight. After the maintenance was completed, my router is no longer able to establish a VPN session.
openvpn log wrote:
Mar 29 11:30:05 erx openvpn[4041]: Control Channel Authentication: tls-auth using INLINE static key file
Mar 29 11:30:05 erx openvpn[4041]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 29 11:30:05 erx openvpn[4041]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 29 11:30:05 erx openvpn[4041]: Socket Buffers: R=[180224->200000] S=[180224->200000]
Mar 29 11:30:05 erx openvpn[4042]: UDPv4 link local: [undef]
Mar 29 11:30:05 erx openvpn[4042]: UDPv4 link remote: [AF_INET]209.148.113.36:1194
Mar 29 11:30:05 erx openvpn[4042]: TLS: Initial packet from [AF_INET]209.148.113.36:1194, sid=12345678 87654321
Mar 29 11:30:05 erx openvpn[4042]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mar 29 11:31:06 erx openvpn[4042]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 29 11:31:06 erx openvpn[4042]: TLS Error: TLS handshake failed
Computers plugged directly into the Pace gateway are now having connectivity trouble as well. Maybe there's something wrong with the gateway, or an interaction between the new OpenVPN Access Server and AT&T's gateway or network? I've spent all morning on this, and still don't have an answer. I guess I have more troubleshooting to do. :(
by Elmatador2 » Thu Mar 29, 2018 12:58 pm
I have the same exact log dump as forest. TLS negotiation fails.
by forest » Thu Mar 29, 2018 1:26 pm
Failing openvpn client details:
(The device is an EdgeRouter.)
$ /usr/sbin/openvpn --version
OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Mar 5 2018
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no
git revision: refs/heads/dev-v1.10.1/66143cad4fd6f33e
by forest » Thu Mar 29, 2018 3:08 pm
The device whose VPN access broke last night is still able to ping ovpn.sonic.net, does get HTTP responses from ovpn.sonic.net on port 80, and can download test files from ftp.sonic.net. This, along with the timing and the fact that I haven't changed any network settings recently, hints that the VPN breakage is likely caused by last night's OpenVPN server update.

Hey Sonic staff, could you please help here? It looks like you broke something.

I am able to establish a VPN session using a different computer and different version of openvpn. Here's the client that still works:
$ openvpn --version
OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 3 2017
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
by guarino » Thu Mar 29, 2018 3:43 pm
Thanks for posting your versions Forest. Are you able to run 'openvpn --show-tls' and post the list of available ciphers on both clients?

As a general rule to those of you having issues connecting to the upgraded server version, please make sure you are running the most up to date software for your devices.

See here for a list of changes that came in with the upgrade (we were coming from 2.1.9):
https://openvpn.net/index.php/access-se ... -v200.html
Justin Guarino
Sonic System Operations
by forest » Thu Mar 29, 2018 5:48 pm
openvpn 2.4.3 client (still works) wrote:
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
openvpn 2.3.2 client (fails since last night) wrote:
Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
guarino wrote:
As a general rule to those of you having issues connecting to the upgraded server version, please make sure you are running the most up to date software for your devices.
As you might guess from the openvpn build date that I posted earlier, the affected device (EdgeRouter responsible for connectivity throughout my house) is already running the most up to date software from Ubiquiti, released about a week ago.
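Comparing the two `openvpn --show-tls` listings posted above by hand is tedious, so here is a small parser that does it: it reads each listing (including the `(No IANA name known to OpenVPN, use OpenSSL name.)` annotation lines), reports which suites only one client offers, and flags legacy suites. This is an added example, not code from the thread, from Sonic or from OpenVPN; the two listings are constructed excerpts of the lists above, and the legacy-suite pattern is this example's own assumption, not something the thread states.

```python
"""Diff two `openvpn --show-tls` listings and flag legacy cipher suites."""
import re

# Constructed excerpts of the two listings posted in the thread.
SHOW_TLS_WORKING_243 = """Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
"""
SHOW_TLS_FAILING_232 = """Available TLS Ciphers,
listed in order of preference:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
"""

# Suites a reviewer would not want a VPN control channel to negotiate.
# This pattern is an assumption of the example, not a statement from the thread.
LEGACY = re.compile(r"RC4|3DES|MD5|SEED|-PSK-|SRP")


def parse_show_tls(text):
    """Return suite names in preference order, skipping the two header lines
    and the '(No IANA name ...)' note OpenVPN appends to OpenSSL-only names."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Available", "listed")):
            continue
        names.append(line.split(" ", 1)[0])
    return names


def compare(failing_text, working_text):
    """Sets are compared, but order of the originals is preserved in the output."""
    failing, working = parse_show_tls(failing_text), parse_show_tls(working_text)
    fset, wset = set(failing), set(working)
    return {
        "common": [c for c in failing if c in wset],
        "only_failing": [c for c in failing if c not in wset],
        "only_working": [c for c in working if c not in fset],
        "legacy_failing": [c for c in failing if LEGACY.search(c)],
    }


if __name__ == "__main__":
    for key, suites in compare(SHOW_TLS_FAILING_232, SHOW_TLS_WORKING_243).items():
        print(f"{key}: {suites}")
```

Run against the full listings above, the script shows the failing 2.3.2 client offers a superset of the working 2.4.3 client's suites, so a missing cipher alone does not explain the handshake timeout.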
by Elmatador2 » Thu Mar 29, 2018 6:31 pm
Yep, updated my firmware on my Asus router this morning. No go!