Cannot connect to openvpn

I have trouble connecting to openvpn server on my Turris Omnia router (it is openwrt-based).

This is the server log, apparently running OpenVPN 2.5.8:

Jan  1 16:53:46 openvpn(server_turris)[5869]: Initialization Sequence Completed
Jan  1 16:53:52 openvpn(server_turris)[5869]: event_wait : Interrupted system call (code=4)
Jan  1 16:53:52 openvpn(server_turris)[5869]: /usr/libexec/openvpn-hotplug route-pre-down server_turris tun_turris 1500 1621 10.0.1.1 255.255.255.0 init
Jan  1 16:53:52 openvpn(server_turris)[5869]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Jan  1 16:53:52 openvpn(server_turris)[5869]: Exiting due to fatal error
Jan  1 16:53:52 openvpn(server_turris)[7008]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan  1 16:53:52 openvpn(server_turris)[7008]: OpenVPN 2.5.8 arm-openwrt-linux-muslgnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jan  1 16:53:52 openvpn(server_turris)[7008]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_route_v4_best_gw query: dst 0.0.0.0
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_route_v4_best_gw result: via 10.10.10.1 dev pppoe-wan
Jan  1 16:53:52 openvpn(server_turris)[7008]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  1 16:53:52 openvpn(server_turris)[7008]: Diffie-Hellman initialized with 4096 bit key
Jan  1 16:53:52 openvpn(server_turris)[7008]: CRL: loaded 1 CRLs from file /etc/ssl/ca/openvpn/ca.crl
Jan  1 16:53:52 openvpn(server_turris)[7008]: TUN/TAP device tun_turris opened
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_iface_mtu_set: mtu 1500 for tun_turris
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_iface_up: set tun_turris up
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_addr_v4_add: 10.0.1.1/24 dev tun_turris
Jan  1 16:53:52 openvpn(server_turris)[7008]: /usr/libexec/openvpn-hotplug up server_turris tun_turris 1500 1621 10.0.1.1 255.255.255.0 init
Jan  1 16:53:56 openvpn(server_turris)[7008]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Jan  1 16:53:56 openvpn(server_turris)[7008]: setsockopt(IPV6_V6ONLY=0)
Jan  1 16:53:56 openvpn(server_turris)[7008]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Jan  1 16:53:56 openvpn(server_turris)[7008]: UDPv6 link remote: [AF_UNSPEC]
Jan  1 16:53:56 openvpn(server_turris)[7008]: MULTI: multi_init called, r=256 v=256
Jan  1 16:53:56 openvpn(server_turris)[7008]: IFCONFIG POOL IPv4: base=10.0.1.2 size=253
Jan  1 16:53:56 openvpn(server_turris)[7008]: IFCONFIG POOL LIST
Jan  1 16:53:56 openvpn(server_turris)[7008]: Initialization Sequence Completed

This is the client on SFOS version 4.6.0.15 (Sauna)

client version:

OpenVPN 2.6.9 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1v FIPS 1 Aug 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=no enable_dco_arg=auto enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

client log:

Jan 02 11:33:37 openvpn[8337]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan 02 11:33:37 openvpn[8337]: Options error: If you use one of --cert or --key, you must use them both
Jan 02 11:33:37 openvpn[8337]: Use --help for more information.
Jan 02 11:33:39 openvpn[8345]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan 02 11:33:39 openvpn[8345]: Options error: If you use one of --cert or --key, you must use them both
Jan 02 11:33:39 openvpn[8345]: Use --help for more information.

Could this mean the server uses an unsupported cipher maybe?

I managed to connect from a different client (Windows 10) after one fix to the .ovpn file as reported on the Turris forum but it did not help on Sailfish.

Do you have any advice, please?

Jan 02 11:33:39 openvpn[8345]: Options error: If you use one of --cert or --key, you must use them both

Well, do you have both cert and key specified in your config file?

Should it be OpenWrt 23.x with OpenSSL 3, it looks like this issue.

The .ovpn file contains it and when I open “details” of the VPN connection, it lists OpenVPN.CACert, .Config as well as .Key, so this should be good.

It says

In the past, Access Server used BF-CBC (Blowfish) as the default encryption cipher, but it was deprecated and replaced with AES-256 as the new default since Access Server 2.5.0.

the server version is 2.5.8 already, but it also talks about openssl v3 and this is on the router:

# openssl version
OpenSSL 1.1.1w  11 Sep 2023
# openssl ciphers
TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

When I installed the newest raspbian in order to connect my company VPN, I had to change openvpn config file content:
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-GCM
My prev file content:
cipher AES-256-CBC
Maybe above will be useful for you.

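As an added example (not code from any poster in this thread), here is a small Python checker that reads an .ovpn client profile and flags the two things discussed above: a cert without a matching key (the "If you use one of --cert or --key, you must use them both" Options error in the Sailfish log) and a profile that only carries the legacy cipher line instead of data-ciphers (the change the Raspberry Pi post made). It understands both file-reference directives and inline <ca>/<cert>/<key> blocks. The profile texts, the hostname vpn.example.net and the placeholder certificate bodies are constructed for the example.

```python
"""Added example: sanity-check an OpenVPN client profile (.ovpn) for the two
issues discussed in this thread. Not code from any poster; profiles below are
constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    # directive name -> its arguments (for repeated directives the last wins)
    directives: dict = field(default_factory=dict)
    # directive names supplied as inline <name> ... </name> blocks
    inline: set = field(default_factory=set)


def parse_ovpn(text: str) -> Profile:
    """Minimal .ovpn parser: skips comment lines, records 'name args' lines and
    inline <name>...</name> blocks (assumes one directive per line)."""
    prof = Profile()
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <cert>...</cert> etc.
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            prof.inline.add(in_block)
            continue
        name, *args = line.split()
        prof.directives[name] = args
    return prof


def has_material(prof: Profile, name: str) -> bool:
    """True if 'name' is given either as a file path or as an inline block."""
    return name in prof.inline or name in prof.directives


def check_profile(text: str) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    prof = parse_ovpn(text)
    findings = []
    has_cert, has_key = has_material(prof, "cert"), has_material(prof, "key")
    if has_cert != has_key:
        missing = "key" if has_cert else "cert"
        findings.append(f"cert/key mismatch: '{missing}' is missing; OpenVPN refuses "
                        "to start ('If you use one of --cert or --key, you must use them both')")
    if not has_material(prof, "ca"):
        findings.append("no 'ca': the server certificate cannot be verified")
    data_ciphers = prof.directives.get("data-ciphers")
    legacy = prof.directives.get("cipher")
    if data_ciphers:
        if "BF-CBC" in data_ciphers[0].split(":"):
            findings.append("BF-CBC in data-ciphers: 64-bit block cipher, deprecated")
    elif legacy:
        findings.append(f"legacy 'cipher {legacy[0]}' only: OpenVPN 2.5+ negotiates the "
                        "data channel from 'data-ciphers'; set it explicitly")
    return findings


# Constructed profiles. BROKEN references a cert file but no key, which is the
# exact Options error from the Sailfish client log; FIXED carries ca/cert/key
# inline and an explicit data-ciphers list. vpn.example.net is a placeholder.
BROKEN_PROFILE = """client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
ca ca.crt
cert client.crt
"""

FIXED_PROFILE = """client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<cert>
(constructed placeholder)
</cert>
<key>
(constructed placeholder)
</key>
"""

if __name__ == "__main__":
    for label, prof in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(label, "->", check_profile(prof) or "OK")
```

Run it against your own profile with `check_profile(open("client.ovpn").read())`; the checker is deliberately strict about cert/key pairing because OpenVPN itself refuses to start in that case, whereas the cipher finding is only advice for 2.5+ peers.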

Do you mean config on the server - raspbian?

Yes, at client side (RPi).