
I have OpenVPN 2.5.1 on a Debian 11 VPS, and OpenVPN 2.4.4 on my Linux PC client. I cannot connect to the VPN server from my Linux PC using this client.ovpn file.

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)

The same client.ovpn config on Windows with OpenVPN 2.6.2 works perfectly. Obviously the reason is that OpenVPN 2.4.4 doesn't support something that is needed and included in the config files.

I tried to upgrade OpenVPN on my Linux PC, but it's old, and this ended in a full system reinstall twice, because when I update just plain OpenVPN it ruins my GNOME and network manager, and other things. That is not an option for me.

Is there any way I can still use this? If possible I don't want to downgrade the OpenVPN version on the Debian server either. I spent a long time until I configured it successfully and finally it really works.

I already read many articles. Can someone advise what to do?

The following is client.ovpn:

client
proto udp
remote **.**.**.** 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_GOrbpjYhITYUxs7D name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Here the certs follow, so I cut it here.

And this is server.conf from the Debian 11 VPS:

port 1194
proto udp
dev tun0
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
push "route 10.8.0.0 255.255.255.0"
dh dh.pem
tls-auth tls-auth.key 0
crl-verify crl.pem
ca ca.crt
cert server_GOrbpjYhITYUxs7D.crt
key server_GOrbpjYhITYUxs7D.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
#status /var/log/openvpn/status.log
#verb 3
duplicate-cn
log /dev/null
log-append /dev/null
status /dev/null
verb 0
  • Welcome. The client can be downloaded from the vendor, and if you're using an EOL OS it does not make it even more on topic.
    – djdomi
    Commented Jun 3 at 5:39
  • "Obviously reason is because my 2.4.4 doesn't support something what is needed" — no, no, from the log snippet you showed, obviously, you have a network connectivity issue, not a feature support issue. That said, don't fix algorithms; remove all these cipher, auth and so on. Also remove that duplicate-cn and pretend OpenVPN has no such option and never had and never will have (unless you're a world's network security superstar); each client should have its own dedicated personal certificate for good.
    Commented Jun 3 at 5:39
  • Sorry, but your answer was completely wrong and misleading. That log snippet doesn't mean there is a network issue; that is standard text that is always seen. And it's factually correct: it says "TLS handshake failed", which is true in this case, and now I will explain why. I finally found where the issue was, and the problem was quite simple, in this line: "tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256", and the reason is quite simple too: this cipher was not yet supported in v. 2.4.4 with its related TLS version that comes with it in the original installation. Dooh.
    – Arnimundo
    Commented Jun 6 at 11:02
  • Ok, well, it turns out I was correct in that you shouldn't fix ciphers in OpenVPN. You really shouldn't; it will pick the best ones supported by both parties automatically. That's what the cipher negotiation (introduced in v2.4) is for.
    Commented Jun 18 at 6:34

1 Answer

The reason most likely is not OpenVPN itself at all. Since it's an old version of an OS, your OpenSSL library is probably older. The cipher suite you have chosen is a first new one. I'm going to go on a hunch here and say that most likely your older PC doesn't support the chosen cipher suite due to the OpenSSL version (not the OpenVPN version) on your old PC.

Solutions:

  1. Remove the cipher suite selections; there is no need for that, as OpenVPN and OpenSSL have the same defaults, where they try to negotiate starting from the best to the weakest algorithm. Not perfect, but they are fairly good at that.
  2. Your connection may be insecure if your OpenSSL is THAT old; consider upgrading.
  3. If you cannot upgrade the old PC, there are ways to have a second OpenVPN with OpenSSL in parallel to not sacrifice cipher security. Described below:

You can install Docker and start a container with host networking (or bridge) and a new Linux image in that container. Install a new OpenVPN (which will install a new OpenSSL there as a dependency) and you are almost done. Now do a little jig with routes and done.

As an alternative you can debootstrap (if on a Debian-like OS; debootstrap is an app) a whole new small OS into a subdirectory, do some bind mounts and install OpenVPN there. Slightly more work, but it avoids having Docker.

As another alternative you can run Podman instead of Docker to do this. Podman is Docker-compatible and daemonless.
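A small config linter added for this thread (not code from the question or the answer) that flags the directives the answer and the last two comments say to drop: pinned tls-cipher/cipher lines, which force one algorithm instead of letting both ends negotiate, plus duplicate-cn. The sample is the question's client.ovpn with the certificate blocks and the masked IP left out; the pinning table and the relax() rewrite are this example's assumptions, not OpenVPN's own logic.

```python
"""Lint an OpenVPN config for pinned settings that can make the TLS handshake fail."""
import re

# Constructed sample: the question's client.ovpn, certificates omitted.
SAMPLE_CLIENT = """\
client
proto udp
dev tun
remote-cert-tls server
verify-x509-name server_GOrbpjYhITYUxs7D name
auth SHA256
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
verb 3
"""

# Directives that pin one algorithm (assumed list for this example).
PINNING = {
    "tls-cipher": "pins the TLS 1.2 control-channel suite; an older OpenSSL may lack it",
    "tls-ciphersuites": "pins the TLS 1.3 suite list",
    "cipher": "fixed data-channel cipher with no data-ciphers/ncp-ciphers negotiation list",
}

def parse_config(text):
    """Return (directive, args) pairs, skipping comments and inline <ca>...</ca> blocks."""
    entries, block = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if block:                                 # inside an inline file block
            block = None if line == f"</{block}>" else block
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries

def lint(text):
    """Return findings as (directive, value, reason) in config order."""
    entries = parse_config(text)
    names = {d for d, _ in entries}
    findings = []
    for d, v in entries:
        if d == "cipher" and ({"data-ciphers", "ncp-ciphers"} & names):
            continue                              # cipher is only a fallback here
        if d in PINNING:
            findings.append((d, v, PINNING[d]))
        if d == "duplicate-cn":
            findings.append((d, v, "many clients share one cert; issue one per client"))
    return findings

def relax(text):
    """Drop control-channel pins so both ends negotiate the TLS suite."""
    keep = [l for l in text.splitlines()
            if (l.split() or [""])[0] not in ("tls-cipher", "tls-ciphersuites")]
    return "\n".join(keep) + "\n"
```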
