You are here
TurnKey OpenVPN has been working fine for months, but all of the sudden clients cannot connect. The server and client are able to send and receive data according to the client GUI, but the connection is never completed and fails around the time that the certificate is being authenticated. Please see the log from the client GUI below.
Thu Nov 29 08:38:25 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Nov 29 08:38:25 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Nov 29 08:38:25 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Thu Nov 29 08:38:25 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Nov 29 08:38:25 2018 Need hold release from management interface, waiting...
Thu Nov 29 08:38:25 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'state on'
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'log all on'
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'echo all on'
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'bytecount 5'
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'hold off'
Thu Nov 29 08:38:25 2018 MANAGEMENT: CMD 'hold release'
Thu Nov 29 08:38:25 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Nov 29 08:38:25 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 29 08:38:25 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 29 08:38:25 2018 MANAGEMENT: >STATE:1543498705,RESOLVE,,,,,,
Thu Nov 29 08:38:25 2018 TCP/UDP: Preserving recently used remote address: [AF_INET][SERVERIP]:1194
Thu Nov 29 08:38:25 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Nov 29 08:38:25 2018 UDP link local: (not bound)
Thu Nov 29 08:38:25 2018 UDP link remote: [AF_INET][SERVERIP]:1194
Thu Nov 29 08:38:25 2018 MANAGEMENT: >STATE:1543498705,WAIT,,,,,,
Thu Nov 29 08:38:25 2018 MANAGEMENT: >STATE:1543498705,AUTH,,,,,,
Thu Nov 29 08:38:25 2018 TLS: Initial packet from [AF_INET][SERVERIP]:1194, sid=d7c7b2e8 34ee4c10
Thu Nov 29 08:38:26 2018 VERIFY OK: depth=1, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=[CERTEMAIL]
Thu Nov 29 08:38:26 2018 VERIFY OK: nsCertType=SERVER
Thu Nov 29 08:38:26 2018 VERIFY OK: depth=0, C=US, ST=CA, L=San Francisco, O=TurnKey Linux, OU=OpenVPN, CN=server, name=openvpn, emailAddress=[CERTEMAIL]
At the time of failure, 3534B have come in and 6676B have gone out. The client appears to be transmitting and receiving data from the server, but a connection is never established. After some time, the reconnection process begins and subsequently fails the same way. Any help is greatly appreciated.
Hmm, seems strange that it just stopped working...
I have just checked and there should not have been any security updates that should have affected OpenVPN, so it's very strange that it just stopped working!
Are all clients having the same experience (assuming there is more than one)? Have there been any recent client-side software updates? I wonder if there have been any Windows updates that may have affected this?
I also notice in the log "WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.". TBH I highly doubt that is the cause (it's a deprecation warning, not an error). But perhaps it's worth a try? Another user also noted that on the tracker and has also kindly provided a patch. Perhaps it's worth apply the suggested tweak and regenerating a new .opvn profile? I can't guarantee anything but possibly worth a shot...
Otherwise, TBH I'm not at all sure...
I've just double-checked bugs on the Debian tracker
FWIW I've just had a quick glance through the bugs against OpenVPN on the Debian Bug Tracker (aka BTS). Unfortunately none of them jump out to me as being in any way related to your experience. Although it is possible that I'm missing something.
However, I did notice what appears to be a bug that may be related?! (For some reason it's not against the OpenVPN package, so doesn't show up via the BTS link above). It looks like a new package (version 2.4.0-6+deb9u3) should be available soon. At the time of writing, the latest (Debian 9/Stretch) package available is still 2.4.0-6+deb9u2 (one update version behind the new one noted above i.e. deb9u2 vs deb9u3).
It still doesn't completely match with your issue from my reading, but perhaps...?! It may also be worth investigating OpenSSL updates. Hopefully that package will be available soon. It's probably worth noting, that you'll need to manually update to it via apt:
If that says something along the lines of "OpenVPN is already at the latest version", then there isn't a new package (yet). Although it may also be worth double checking which version you have installed. You can do that like this:
Actually, one other thing I just noticed is that OpenSSL has very recently had a security update (the notification I have is actually dated 9 hours after your post - hence why I didn't notice it before). But perhaps that is the real culprit of your issues? I note from your log that it appears your client is using OpenSSL 1.1.0h, where TurnKey was using 1.1.0f(-3+deb9u2), but has now updated to 1.1.0j(-1~deb9u1). Perhaps that version difference is upsetting things?
Sorry about all this stabbing in the dark, but I'd be really interested to hear how you're going with it and if any of this helps.
I can't reproduce this?!
Have you tried creating a new profile and testing with that? I just launched a new TurnKey OpenVPN instance from the Hub (installed all security updates - with no other changes) and created a profile (i.e.
.opvn
file). I then imported that profile to my desktop and it "just works" (see below)?!As I'm using Debian on my desktop, to check that it isn't just working Debian Debian (the basis of TurnKey) I also tried it on my (Android) phone. Using the same
.opvn
profile with the latest version of the OpenVPN Connect app it also works fine?! Unfortunately, I don't have a Windows machine handy so can't test that, but otherwise, it all appears to be working as intended here?!The only other thing that I am thinking, is perhaps you aren't getting DNS for some reason?(Actually re-reading this thread - that comment doesn't make sense... sorry about that)FWIW:
On the TurnKey OpenVPN instance (in US West 1 - California):
On my Desktop (in Australia):
Then in another terminal again on my desktop (Note I'm in Australia and
geoiplookup MY_PUBLIC_IP
reports as such prior to using the VPN):As the above suggests, web browsing etc works fine.
Apologies I hadn't replied sooner...
I wonder if this is related to another user's experience of the the default CRL expiring? It appears that the default CRL expiry is 30 days. As noted in the bug that I opened, 30 days is probably too short, so we should increase that...
Add new comment