Connection problem on OpenVPN 2.1.x client #7

Closed
PennyLook opened this issue Aug 12, 2023 · 6 comments
Assignees
Labels
help wanted Extra attention is needed wontfix This will not be worked on

Comments

@PennyLook (Author)

Hello,
I noticed problems on the client with OpenVPN version 2.1.x
Example:
OpenVPN version 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010

The solution could be to update the OpenVPN client, but this is not always possible.

When using OpenVPN from kylemann/openvpn it works without problems, even on version 2.1.3

logs from OpenVPN server:

<CLIENT_PUBLIC_IP>:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS handshake failed
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS object -> incoming plaintext read error
<CLIENT_PUBLIC_IP>:1194 TLS_ERROR: BIO read tls_read_plaintext error
<CLIENT_PUBLIC_IP>:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
<CLIENT_PUBLIC_IP>:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
<CLIENT_PUBLIC_IP>:1194 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:1194, sid=7b5cc07e 7b003d07
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS handshake failed
<CLIENT_PUBLIC_IP>:1194 TLS Error: TLS object -> incoming plaintext read error
<CLIENT_PUBLIC_IP>:1194 TLS_ERROR: BIO read tls_read_plaintext error
<CLIENT_PUBLIC_IP>:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
<CLIENT_PUBLIC_IP>:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
<CLIENT_PUBLIC_IP>:1194 TLS: Initial packet from [AF_INET]<CLIENT_PUBLIC_IP>:1194, sid=6ad261b0 5fc8a94e
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
<CLIENT_PUBLIC_IP>:1194 TLS Error: Unroutable control packet received from [AF_INET]<CLIENT_PUBLIC_IP>:1194 (si=3 op=P_CONTROL_V1)
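A way to triage log output like the above mechanically, as an added example that is not part of the original issue or of the openvpn-server project: the script groups OpenVPN server log lines by client endpoint, counts handshake attempts (one per "Initial packet ... sid=" line) and failures, and pulls out the OpenSSL error code and OpenVPN's own hint line, so the repeated "Unroutable control packet" noise collapses into one diagnosis per client. The log lines in it are constructed from the messages quoted above with placeholder addresses; the second client's successful "Control Channel:" line and all function names are my assumptions.

```python
"""Triage OpenVPN server log lines for TLS control-channel failures.

Added example, not code from the issue or from the openvpn-server project.
It groups log lines by client endpoint, counts handshake attempts (one per
'Initial packet ... sid=' line) and failures, and pulls out the OpenSSL
error code and OpenVPN's own hint line so the cause is stated once per client.
"""
import re
from collections import defaultdict

# Constructed sample: the failing client's lines mirror the issue's excerpt
# (placeholder addresses from RFC 5737); the second client is a made-up
# successful handshake in OpenVPN 2.5+'s "Control Channel:" log format.
SAMPLE_LOG = """\
203.0.113.10:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
203.0.113.10:1194 TLS Error: TLS handshake failed
203.0.113.10:1194 TLS Error: TLS object -> incoming plaintext read error
203.0.113.10:1194 TLS_ERROR: BIO read tls_read_plaintext error
203.0.113.10:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
203.0.113.10:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
203.0.113.10:1194 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=7b5cc07e 7b003d07
203.0.113.10:1194 TLS Error: Unroutable control packet received from [AF_INET]203.0.113.10:1194 (si=3 op=P_CONTROL_V1)
203.0.113.10:1194 TLS Error: Unroutable control packet received from [AF_INET]203.0.113.10:1194 (si=3 op=P_CONTROL_V1)
203.0.113.10:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
203.0.113.10:1194 TLS Error: TLS handshake failed
203.0.113.10:1194 OpenSSL: error:0A000102:SSL routines::unsupported protocol
203.0.113.10:1194 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=6ad261b0 5fc8a94e
198.51.100.7:41822 TLS: Initial packet from [AF_INET]198.51.100.7:41822, sid=0123abcd 4567ef01
198.51.100.7:41822 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA
"""

LINE_RE = re.compile(r"^(?P<peer>\S+:\d+) (?P<msg>.*)$")
SID_RE = re.compile(r"TLS: Initial packet from .* sid=[0-9a-f]{8} [0-9a-f]{8}")
OPENSSL_ERR_RE = re.compile(r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<reason>.+)$")
CONTROL_RE = re.compile(r"Control Channel: (?P<proto>TLSv1(?:\.\d)?), cipher ")


def new_summary():
    return {"attempts": 0, "handshake_failed": 0, "unroutable": 0,
            "openssl_errors": [], "hint": None, "negotiated": None}


def triage(log_text):
    """Return {peer: summary} for every 'ip:port' endpoint seen in the log."""
    peers = defaultdict(new_summary)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg, summary = m.group("msg"), peers[m.group("peer")]
        if SID_RE.search(msg):
            summary["attempts"] += 1
        elif msg == "TLS Error: TLS handshake failed":
            summary["handshake_failed"] += 1
        elif "Unroutable control packet" in msg:
            # stale packets after a tls-error restart, not a separate fault
            summary["unroutable"] += 1
        elif (err := OPENSSL_ERR_RE.search(msg)):
            summary["openssl_errors"].append((err.group("code"), err.group("reason").strip()))
        elif msg.startswith("TLS error: "):
            summary["hint"] = msg[len("TLS error: "):]  # OpenVPN's explanation line
        elif (ctl := CONTROL_RE.search(msg)):
            summary["negotiated"] = ctl.group("proto")
    return dict(peers)


def verdict(summary):
    """One-line diagnosis for a peer summary."""
    if summary["negotiated"]:
        return f"ok: control channel {summary['negotiated']}"
    reasons = sorted({reason for _, reason in summary["openssl_errors"]})
    if any("unsupported protocol" in r for r in reasons):
        return ("no common TLS version: compare tls-version-min/max on both sides "
                "and the TLS versions the client's OpenSSL build can speak")
    if summary["handshake_failed"]:
        return "TLS handshake failed: " + (", ".join(reasons) or "no OpenSSL reason logged (raise verb)")
    return "no handshake outcome logged"


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE_LOG).items():
        print(f"{peer}: {summary['attempts']} attempt(s), "
              f"{summary['handshake_failed']} failed -> {verdict(summary)}")
```

Run it against a real /var/log/openvpn/openvpn.log by reading the file into triage(); at verb 3 the OpenSSL reason line is present, as it is in the excerpt above, and one entry per peer is enough to tell an outdated client from a certificate or tls-auth problem.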

d3vilh commented Aug 13, 2023

Hi @PennyLook,
It is a matter of server/clients configuration.
Please share your server.conf and client.ovpn I'll have a look on it.

@PennyLook (Author)

@d3vilh
server.conf:

management 0.0.0.0 2080

port 1194
proto udp

dev tun
tls-version-min 1.0

ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key

cipher AES-256-CBC
auth SHA512
dh pki/dh.pem

server 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
ifconfig-pool-persist pki/ipp.txt
push "route 10.0.60.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.0.0.1"

keepalive 10 120
max-clients 100

persist-key
persist-tun

log         /var/log/openvpn/openvpn.log
verb 3

topology subnet

client-config-dir /etc/openvpn/staticclients

push "redirect-gateway def1 bypass-dhcp"

ncp-ciphers AES-256-GCM:AES-192-GCM:AES-128-GCM

user nobody
group nogroup

status /var/log/openvpn/openvpn-status.log
explicit-exit-notify 1
crl-verify pki/crl.pem

#auto generated by OpenVPN-UI

I added an additional tls-version-min 1.0 because I found that solution somewhere; however, it does not help at all.

client config:

client
dev tun
proto udp
remote <PUBLIC_SERVER_IP> 1194 udp
resolv-retry infinite
user nobody
group nogroup
persist-tun
persist-key
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-client
redirect-gateway def1
verb 3
<ca>
<GENERATED_CA_VALUE_HERE>
</ca>
<cert>
<GENERATED_CERT_VALUE_HERE>
</cert>
<key>
<GENERATED_PRIVATE_KEY_VALUE_HERE>
</key>

Client output from openvpn --version:

OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010


d3vilh commented Aug 14, 2023

@PennyLook any chance you can extract working server config from kylemann image?


PennyLook commented Aug 14, 2023

@d3vilh
sure

config from container level /etc/openvpn

server 192.168.0.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/<SERVER_PUBLIC_IP>.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/<SERVER_PUBLIC_IP>.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

user nobody
group nogroup
comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"

Maybe tls-auth is required to work with the OpenVPN 2.1.3 client?

and I store the static IPs for clients in the configuration under the /ccd dir, as default

client config from kylemann image:


client
nobind
dev tun
remote-cert-tls server

remote <SERVER_PUBLIC_IP> 1194 udp

<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

redirect-gateway def1


PennyLook commented Aug 16, 2023

@d3vilh
I tried to check the discrepancies in TLS support. On the client where the problem occurs, the command openssl ciphers -v | awk '{print $2}' | sort | uniq returns:

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv2
SSLv3

On a client that has no connection problem:

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2

server from container level:

openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1
TLSv1.2
TLSv1.3

Is it possible to install another version of openvpn via docker-compose? Because currently it is like this:

build: ./openvpn-docker
       #image: d3vilh/openvpn-server:latest


d3vilh commented Aug 18, 2023

As per the output, your problematic client does not support TLS and it will not be able to connect to the OpenVPN server. This is because TLS is required for secure communication between the client and the server.

You could try configuring the OpenVPN server to support SSLv2 or SSLv3, but this is not recommended as these protocols are also considered insecure and have been deprecated.

Try to update easyrsa on that client; if it won't support a newer version, you had better give up on it, as I strongly recommend against going without TLS.

However if you still would like to, you would need to modify the openssl.cnf file and regenerate the server certificate and all the clients certificates with the new settings.

Again, this is not recommended as it would weaken the security of your VPN.

@d3vilh d3vilh pinned this issue Aug 22, 2023
@d3vilh d3vilh self-assigned this Aug 22, 2023
@d3vilh d3vilh added help wanted Extra attention is needed wontfix This will not be worked on labels Aug 22, 2023
@d3vilh d3vilh closed this as completed Aug 22, 2023