id summary reporter owner description type status priority milestone component version severity resolution keywords cc
897 OpenVPN not working (tls-auth) on Apollo Lake? mgcrea "Not sure why but two newly acquired NUC6CAYS (Apollo Lake) devices won't connect properly to our VPN server. Looks like a tls-auth issue

- Both devices run an up-to-date Ubuntu 16.04.2 LTS installation
- Reproduced on two separate devices
- Error log loop:

{{{
Tue May 30 15:12:26 2017 us=594155 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 30 15:12:26 2017 us=594394 Re-using SSL/TLS context
Tue May 30 15:12:26 2017 us=594482 LZO compression initialized
Tue May 30 15:12:26 2017 us=594983 Control Channel MTU parms [ L:1560 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Tue May 30 15:12:26 2017 us=595207 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue May 30 15:12:26 2017 us=597360 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:143 ET:0 EL:3 AF:3/1 ]
Tue May 30 15:12:26 2017 us=597537 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue May 30 15:12:26 2017 us=597766 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue May 30 15:12:26 2017 us=597878 Local Options hash (VER=V4): '2f2c6498'
Tue May 30 15:12:26 2017 us=598134 Expected Remote Options hash (VER=V4): '9915e4a2'
Tue May 30 15:12:26 2017 us=598391 Attempting to establish TCP connection with [AF_INET]5.135.198.245:443 [nonblock]
Tue May 30 15:12:26 2017 us=816276 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue May 30 15:12:26 2017 us=816431 Re-using SSL/TLS context
Tue May 30 15:12:26 2017 us=816510 LZO compression initialized
Tue May 30 15:12:26 2017 us=816643 Control Channel MTU parms [ L:1560 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Tue May 30 15:12:26 2017 us=816748 Socket Buffers: R=[87380->87380] S=[16384->16384]
Tue May 30 15:12:26 2017 us=818746 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:143 ET:0 EL:3 AF:3/1 ]
Tue May 30 15:12:26 2017 us=818914 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue May 30 15:12:26 2017 us=818947 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue May 30 15:12:26 2017 us=819005 Local Options hash (VER=V4): '2f2c6498'
Tue May 30 15:12:26 2017 us=819103 Expected Remote Options hash (VER=V4): '9915e4a2'
Tue May 30 15:12:26 2017 us=819274 Attempting to establish TCP connection with [AF_INET]5.135.198.245:443 [nonblock]
Tue May 30 15:12:27 2017 us=598869 TCP connection established with [AF_INET]5.135.198.245:443
Tue May 30 15:12:27 2017 us=599006 TCPv4_CLIENT link local: [undef]
Tue May 30 15:12:27 2017 us=599081 TCPv4_CLIENT link remote: [AF_INET]5.135.198.245:443
WRTue May 30 15:12:27 2017 us=606105 TLS: Initial packet from [AF_INET]5.135.198.245:443, sid=43675bcc 81d6c724
WWRWRRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRTue May 30 15:12:27 2017 us=782665 VERIFY OK: depth=1, C=FR, ST=Ile-de-France, L=Paris, O=Carlipa, OU=carlipa-online.com, CN=ca@prod, emailAddress=admin@carlipa-online.com
Tue May 30 15:12:27 2017 us=783248 VERIFY OK: depth=0, C=FR, ST=Ile-de-France, L=Paris, O=Carlipa, OU=carlipa-online.com, CN=server@prod, emailAddress=admin@carlipa-online.com
WRRWWRWRWRRWWRWTue May 30 15:12:27 2017 us=819777 TCP connection established with [AF_INET]5.135.198.245:443
Tue May 30 15:12:27 2017 us=819916 TCPv4_CLIENT link local: [undef]
Tue May 30 15:12:27 2017 us=819998 TCPv4_CLIENT link remote: [AF_INET]5.135.198.245:443
WRWRRRTue May 30 15:12:27 2017 us=826903 TLS: Initial packet from [AF_INET]5.135.198.245:443, sid=5c7fa685 65c623d9
WWWWWWRRWRRRWWRWRRWRWTue May 30 15:12:27 2017 us=919144 Connection reset, restarting [0]
Tue May 30 15:12:27 2017 us=919557 TCP/UDP: Closing socket
Tue May 30 15:12:27 2017 us=919727 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 30 15:12:27 2017 us=919821 Restart pause, 5 second(s)
RRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRWRRWWRWRTue May 30 15:12:28 2017 us=13548 VERIFY OK: depth=1, C=FR, ST=Ile-de-France, L=Paris, O=Carlipa, OU=carlipa-online.com, CN=ca@prod, emailAddress=admin@carlipa-online.com
Tue May 30 15:12:28 2017 us=13836 VERIFY OK: depth=0, C=FR, ST=Ile-de-France, L=Paris, O=Carlipa, OU=carlipa-online.com, CN=server@prod, emailAddress=admin@carlipa-online.com
WRRWWRWRWRRWWRWRWRRWWWWRRRWTue May 30 15:12:28 2017 us=150963 Connection reset, restarting [0]
Tue May 30 15:12:28 2017 us=151311 TCP/UDP: Closing socket
Tue May 30 15:12:28 2017 us=151472 SIGUSR1[soft,connection-reset] received, process restarting
Tue May 30 15:12:28 2017 us=151536 Restart pause, 5 second(s)
}}}

- Device info:

{{{
root@player-ef15:~# uname -a
Linux player-ef15 4.10.0-21-generic #23~16.04.1-Ubuntu SMP Tue May 2 12:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@player-ef15:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
root@player-ef15:~# openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc.
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
}}}
" Bug / Defect closed critical Generic / unclassified OpenVPN 2.3.10 (Community Ed) Not set (select this one, unless your'e a OpenVPN developer) invalid tls Steffan Karger