OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
140 posts Page 13 of 14
by js9erfan » Fri Jun 14, 2019 6:44 am
Try enabling TLS cipher under advanced options (you have it set to none). As a reference I'm using TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384 without issue. And if there's an option for selecting IPv4 or IPv6 on that DD-WRT OpenVPN client page make sure IPv4 is selected.
by drew.phillips » Fri Jun 14, 2019 8:47 am
ark wrote:
Thanks, Drew. I still can't seem to get it to work.

I tried changing the host to opvn.sonic.net and get this error message sequence, as expected.

Client: RECONNECTING init_instance Local Address:
Remote Address:

The upper right shows the following:

Firmware: DD-WRT v3.0-r37305 std (10/10/18)
Time: 22:27:16 up 8:39, load average: 0.05, 0.03, 0.00
WAN IP: 73.162.21.232

I tried rebooting the router, but it doesn't help.


For some reason, it now looks like the router is having DNS or connectivity issues, at least with regards to the VPN connection.

The log line "20190613 22:22:49 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)" indicates that it can't resolve the VPN server's IP address so it's not even able to attempt a connection now.

You can try changing the host to 209.148.113.36 temporarily to see if it connects, but long term it would be preferred to have it resolve the hostname.
Drew Phillips
Programmer / System Operations, Sonic.net
by js9erfan » Fri Jun 14, 2019 5:55 pm
The log line "20190613 22:22:49 N RESOLVE: Cannot resolve host address: opvn.sonic.net:1194 (Name does not resolve)" indicates that it can't resolve the VPN server's IP address so it's not even able to attempt a connection now.


Perhaps because opvn.sonic.net isn't valid 8-)
by drew.phillips » Fri Jun 14, 2019 10:11 pm
Ha good catch js, I guess more coffee was needed when I was looking at those logs!

Hopefully with the clock set, "ovpn.sonic.net" will do the trick!
Drew Phillips
Programmer / System Operations, Sonic.net
by ark » Sat Jun 15, 2019 12:06 am
Hi. I deliberately tried to use opvn.sonic.net to get the error message because when I tried ovpn.sonic.net I got no messages at all.

I switched it to ovpn.sonic.net and set TLS Cipher to TLS-RSA-WITH-AES-256-GCM-SHA384, I get the following on the status page:

State
Client: AUTH Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 54
TCP/UDP write bytes 1208
Auth read bytes 0
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog:
20190614 23:57:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190614 23:57:01 W WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
20190614 23:57:01 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190614 23:57:01 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190614 23:57:01 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20190614 23:57:01 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2018
20190614 23:57:01 I library versions: OpenSSL 1.1.1 11 Sep 2018 LZO 2.09
20190614 23:57:01 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190614 23:57:01 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190614 23:57:01 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190614 23:57:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190614 23:57:01 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190614 23:57:01 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190614 23:57:01 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190614 23:57:01 I UDPv4 link local: (not bound)
20190614 23:57:01 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190614 23:57:01 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=13658f13 21cebe90
20190614 23:57:01 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20190614 23:57:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190614 23:57:06 D MANAGEMENT: CMD 'state'
20190614 23:57:06 MANAGEMENT: Client disconnected
20190614 23:57:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190614 23:57:06 D MANAGEMENT: CMD 'state'
20190614 23:57:06 MANAGEMENT: Client disconnected
20190614 23:57:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190614 23:57:06 D MANAGEMENT: CMD 'state'
20190614 23:57:06 MANAGEMENT: Client disconnected
20190614 23:57:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190614 23:57:06 D MANAGEMENT: CMD 'status 2'
20190614 23:57:06 MANAGEMENT: Client disconnected
20190614 23:57:06 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190614 23:57:06 D MANAGEMENT: CMD 'log 500'
20190614 23:57:06 MANAGEMENT: Client disconnected
20190614 23:58:01 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190614 23:58:01 N TLS Error: TLS handshake failed
20190614 23:58:01 I SIGUSR1[soft tls-error] received process restarting
20190614 23:58:01 Restart pause 5 second(s)
20190614 23:58:06 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190614 23:58:06 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190614 23:58:06 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190614 23:58:06 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190614 23:58:06 I UDPv4 link local: (not bound)
20190614 23:58:06 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190614 23:58:07 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=19d10b58 0d4c9201
20190614 23:59:06 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190614 23:59:06 N TLS Error: TLS handshake failed
20190614 23:59:06 I SIGUSR1[soft tls-error] received process restarting
20190614 23:59:06 Restart pause 5 second(s)
20190614 23:59:11 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190614 23:59:11 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190614 23:59:11 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190614 23:59:11 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190614 23:59:11 I UDPv4 link local: (not bound)
20190614 23:59:11 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190614 23:59:11 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=b3dc6f32 3406e798
20190615 00:00:11 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190615 00:00:11 N TLS Error: TLS handshake failed
20190615 00:00:11 I SIGUSR1[soft tls-error] received process restarting
20190615 00:00:11 Restart pause 5 second(s)
20190615 00:00:16 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190615 00:00:16 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190615 00:00:16 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190615 00:00:16 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190615 00:00:16 I UDPv4 link local: (not bound)
20190615 00:00:16 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190615 00:00:16 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=b127f942 660a6f4c
20190615 00:01:16 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190615 00:01:16 N TLS Error: TLS handshake failed
20190615 00:01:16 I SIGUSR1[soft tls-error] received process restarting
20190615 00:01:16 Restart pause 5 second(s)
20190615 00:01:21 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190615 00:01:21 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190615 00:01:21 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190615 00:01:21 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190615 00:01:21 I UDPv4 link local: (not bound)
20190615 00:01:21 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190615 00:01:21 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=ab00a990 611e8d50
20190615 00:01:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190615 00:01:39 D MANAGEMENT: CMD 'state'
20190615 00:01:39 MANAGEMENT: Client disconnected
20190615 00:01:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190615 00:01:39 D MANAGEMENT: CMD 'state'
20190615 00:01:39 MANAGEMENT: Client disconnected
20190615 00:01:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190615 00:01:39 D MANAGEMENT: CMD 'state'
20190615 00:01:39 MANAGEMENT: Client disconnected
20190615 00:01:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190615 00:01:39 D MANAGEMENT: CMD 'status 2'
20190615 00:01:39 MANAGEMENT: Client disconnected
20190615 00:01:39 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190615 00:01:39 D MANAGEMENT: CMD 'log 500'
19691231 16:00:00


Help

When I set TLS Cipher to TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, the status page says:

State
Client: Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog:
by drew.phillips » Sat Jun 15, 2019 12:43 pm
Try AES-128-CBC for the cipher when connecting to the production ovpn.sonic.net server. beta.vpn.sonic.net may support newer ciphers, but for the initial setup, I would copy every setting exactly as is from the config file you get when you log in.

Even minor changes to settings can cause the connections to fail. The immediate disconnects seen in the last log are likely due to failure in negotiating a connection due to the wrong cipher selection.
Drew Phillips
Programmer / System Operations, Sonic.net
by js9erfan » Sat Jun 15, 2019 1:05 pm
You might try connecting over TCP (ovpn.sonic.net port: 443) in case UDP is somehow getting blocked/filtered locally.
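The checks this thread walks through (an unresolvable hostname, the 60 second TLS timeout after the server has replied, which Drew attributes to a cipher setting that differs from the provider's config file, and no reply at all, js9erfan's UDP-filtered case) can be turned into a small triage routine. This is an added example, not DD-WRT's or Sonic's code; it also pulls out the hardening warnings the router's OpenVPN log prints, and the sample log is constructed from lines quoted earlier in the thread.

```python
import re

# Constructed sample, modelled on the DD-WRT client log quoted in this thread:
# the security warnings, a server reply, then the 60 s TLS timeout.
SAMPLE_LOG = """\
20190614 23:57:01 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190614 23:57:01 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190614 23:57:01 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190614 23:57:01 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190614 23:57:01 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190614 23:57:01 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=13658f13 21cebe90
20190614 23:58:01 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190614 23:58:01 N TLS Error: TLS handshake failed
"""

# DD-WRT log format: "YYYYMMDD HH:MM:SS [level] message"; the level letter is optional.
LINE_RE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}) (?:([A-Z]) )?(.*)$")

# Hardening findings worth raising regardless of why the tunnel failed.
HARDENING = [
    ("--management on a TCP port WITHOUT passwords", "management interface has no password"),
    ("is group or others accessible", "key material readable by other local users"),
    ("--ns-cert-type is DEPRECATED", "deprecated --ns-cert-type; use --remote-cert-tls"),
    ("message hash 'SHA1' for HMAC", "control channel HMAC uses SHA1"),
]

def parse(log_text):
    """Split the log into (timestamp, level, message) tuples, skipping unparseable lines."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2) or "", m.group(3)))
    return out

def diagnose(log_text):
    """Return a short verdict on why the tunnel did not come up, plus hardening warnings."""
    msgs = [m for _, _, m in parse(log_text)]
    warnings = sorted({label for needle, label in HARDENING if any(needle in m for m in msgs)})
    sent = any("link remote:" in m for m in msgs)            # client sent its first packet
    replied = any(m.startswith("TLS: Initial packet from") for m in msgs)  # server answered
    if not msgs:
        detail = "empty log: openvpn never started; recheck every setting against the provider's config file"
    elif any("Cannot resolve host address" in m for m in msgs):
        detail = "dns: the server hostname does not resolve; check the spelling and the router's DNS"
    elif any("TLS key negotiation failed" in m for m in msgs):
        detail = ("tls: the server answered but the handshake never completed; a tls-cipher or "
                  "certificate setting that differs from the provider's config is the usual cause"
                  if replied else
                  "no-reply: nothing came back from the server; UDP may be filtered, try the TCP port")
    elif sent and not replied:
        detail = "waiting: first packet sent, no reply logged yet; if it stays this way, try the TCP port"
    elif any("Initialization Sequence Completed" in m for m in msgs):
        detail = "ok: tunnel established"
    else:
        detail = "unknown: no decisive line found"
    return {"verdict": detail.split(":")[0], "detail": detail, "warnings": warnings}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```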
by ark » Mon Jun 17, 2019 1:38 am
I have been using Encryption Cipher of AES-128 CBC.

I tried using TLS Cipher of TLS-RSA-WITH-AES-128-CBC-SHA and I get the following messages:

State
Client: AUTH Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 54
TCP/UDP write bytes 929
Auth read bytes 0
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog:
20190617 01:32:39 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190617 01:32:39 W WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
20190617 01:32:39 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190617 01:32:39 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190617 01:32:39 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20190617 01:32:39 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2018
20190617 01:32:39 I library versions: OpenSSL 1.1.1 11 Sep 2018 LZO 2.09
20190617 01:32:39 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190617 01:32:39 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190617 01:32:39 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190617 01:32:39 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190617 01:32:39 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190617 01:32:39 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190617 01:32:39 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190617 01:32:39 I UDPv4 link local: (not bound)
20190617 01:32:39 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190617 01:32:39 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=e599ca27 c72d01f1
20190617 01:32:39 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20190617 01:32:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:32:47 D MANAGEMENT: CMD 'state'
20190617 01:32:47 MANAGEMENT: Client disconnected
20190617 01:32:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:32:47 D MANAGEMENT: CMD 'state'
20190617 01:32:47 MANAGEMENT: Client disconnected
20190617 01:32:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:32:47 D MANAGEMENT: CMD 'state'
20190617 01:32:47 MANAGEMENT: Client disconnected
20190617 01:32:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:32:47 D MANAGEMENT: CMD 'status 2'
20190617 01:32:47 MANAGEMENT: Client disconnected
20190617 01:32:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:32:47 D MANAGEMENT: CMD 'log 500'
20190617 01:32:47 MANAGEMENT: Client disconnected
20190617 01:33:39 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190617 01:33:39 N TLS Error: TLS handshake failed
20190617 01:33:39 I SIGUSR1[soft tls-error] received process restarting
20190617 01:33:39 Restart pause 5 second(s)
20190617 01:33:44 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190617 01:33:44 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190617 01:33:44 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190617 01:33:44 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190617 01:33:44 I UDPv4 link local: (not bound)
20190617 01:33:44 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190617 01:33:44 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=47f183c4 33967be4
20190617 01:34:44 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190617 01:34:44 N TLS Error: TLS handshake failed
20190617 01:34:44 I SIGUSR1[soft tls-error] received process restarting
20190617 01:34:44 Restart pause 5 second(s)
20190617 01:34:49 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190617 01:34:49 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190617 01:34:49 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190617 01:34:49 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190617 01:34:49 I UDPv4 link local: (not bound)
20190617 01:34:49 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190617 01:34:49 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=c7c69278 fa956517
20190617 01:35:49 N TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20190617 01:35:49 N TLS Error: TLS handshake failed
20190617 01:35:49 I SIGUSR1[soft tls-error] received process restarting
20190617 01:35:49 Restart pause 5 second(s)
20190617 01:35:54 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190617 01:35:54 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190617 01:35:54 I TCP/UDP: Preserving recently used remote address: [AF_INET]209.148.113.36:1194
20190617 01:35:54 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190617 01:35:54 I UDPv4 link local: (not bound)
20190617 01:35:54 I UDPv4 link remote: [AF_INET]209.148.113.36:1194
20190617 01:35:54 TLS: Initial packet from [AF_INET]209.148.113.36:1194 sid=01993ad7 daa66ba8
20190617 01:36:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:36:01 D MANAGEMENT: CMD 'state'
20190617 01:36:01 MANAGEMENT: Client disconnected
20190617 01:36:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:36:01 D MANAGEMENT: CMD 'state'
20190617 01:36:01 MANAGEMENT: Client disconnected
20190617 01:36:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:36:01 D MANAGEMENT: CMD 'state'
20190617 01:36:01 MANAGEMENT: Client disconnected
20190617 01:36:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:36:01 D MANAGEMENT: CMD 'status 2'
20190617 01:36:01 MANAGEMENT: Client disconnected
20190617 01:36:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:36:01 D MANAGEMENT: CMD 'log 500'
19691231 16:00:00

When I change TLS Cipher to TLS-DHE-RSA-WITH-AES-128-CBC-SHA, I get the following:

State
Client: Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog:
by ark » Mon Jun 17, 2019 1:45 am
I changed to beta.vpn.sonic.net with TLS Cipher set to TLS-DHE-RSA-WITH-AES-128-CBC-SHA, and I still get:

State
Client: Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog:

I changed to TCP with port 1194 and I see the same lack of message.

I changed it back to UDP and TLS Cipher TLS-RSA-WITH-AES-128-CBC-SHA and get the following:

Client: WAIT Local Address:
Remote Address:

Status
VPN Client Stats
TUN/TAP read bytes 0
TUN/TAP write bytes 0
TCP/UDP read bytes 0
TCP/UDP write bytes 84
Auth read bytes 0
pre-compress bytes 0
post-compress bytes 0
pre-decompress bytes 0
post-decompress bytes 0

Log
Clientlog:
20190617 01:43:55 W WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure
20190617 01:43:55 W WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
20190617 01:43:55 W WARNING: file '/tmp/openvpncl/client.key' is group or others accessible
20190617 01:43:55 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20190617 01:43:55 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20190617 01:43:55 I OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 10 2018
20190617 01:43:55 I library versions: OpenSSL 1.1.1 11 Sep 2018 LZO 2.09
20190617 01:43:55 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20190617 01:43:55 W WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
20190617 01:43:55 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20190617 01:43:55 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190617 01:43:55 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20190617 01:43:55 I TCP/UDP: Preserving recently used remote address: [AF_INET]157.131.0.36:1194
20190617 01:43:55 Socket Buffers: R=[180224->180224] S=[180224->180224]
20190617 01:43:55 I UDPv4 link local: (not bound)
20190617 01:43:55 I UDPv4 link remote: [AF_INET]157.131.0.36:1194
20190617 01:44:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:44:00 D MANAGEMENT: CMD 'state'
20190617 01:44:00 MANAGEMENT: Client disconnected
20190617 01:44:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:44:00 D MANAGEMENT: CMD 'state'
20190617 01:44:00 MANAGEMENT: Client disconnected
20190617 01:44:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:44:00 D MANAGEMENT: CMD 'state'
20190617 01:44:00 MANAGEMENT: Client disconnected
20190617 01:44:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:44:00 D MANAGEMENT: CMD 'status 2'
20190617 01:44:00 MANAGEMENT: Client disconnected
20190617 01:44:00 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20190617 01:44:00 D MANAGEMENT: CMD 'log 500'
19691231 16:00:00
by ark » Mon Jun 17, 2019 1:47 am
I made the change to TCP port 443, still with beta.vpn.sonic.net and AES-128 CBC (for Encryption Cipher) and TLS-RSA-WITH-AES-128-CBC-SHA for TLS Cipher.

I get this result:

State
Client: Local Address:
Remote Address:

Status
VPN Client Stats

Log
Clientlog: