Opened 6 years ago
Closed 6 years ago
#955 closed Bug / Defect (fixed)
OpenVPN Connect unable to connect to OpenVPN server
| Reported by: | kiemlicz | Owned by: | Antonio Quartulli |
|---|---|---|---|
| Priority: | blocker | Milestone: | |
| Component: | OpenVPN Connect | Version: | 1.1.12 |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
OpenVPN Connect 1.1.12 (build 89)
OpenVPN server 2.3.2
Client is unable to connect to server, fails with error:
Transport error: TCP connect error on 'myfancydomain': Connection refused
The server logs:
openvpn[925]: TCP connection established with [AF_INET]SOME_IP:57796 openvpn[925]: SOME_IP:57796 TLS: Initial packet from [AF_INET]SOME_IP:57796, sid=a08ab2d8 40a042c2 openvpn[925]: SOME_IP:57796 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, emailAddress=me@myhost.mydomain openvpn[925]: SOME_IP:57796 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain openvpn[925]: SOME_IP:57796 Assertion failed at ssl.c:2005 openvpn[925]: SOME_IP:57796 Exiting due to fatal error openvpn[925]: SOME_IP:57796 /sbin/route del -net SOME_NET_IP netmask 255.255.255.0 openvpn[925]: SOME_IP:57796 Closing TUN/TAP interface openvpn[925]: SOME_IP:57796 /sbin/ifconfig tun21 0.0.0.0
The bug occured in one of the latest OpenVPN connect versions
Previously worked flawlessly
Marking as blocker because the OpenVPN is totally unusable
Please confirm
Kind regards
Change History (12)
comment:1 Changed 6 years ago by
comment:2 Changed 6 years ago by
Hi and thanks for reporting the issue.
We are already working on a mitigation on the OpenVPN Connect app for Android.
I used the word "mitigation" because, as you may understand, the server version you are running is bugged and prone to crash.
This "assert bug" (which leads to the server to stop running) has been fixed in the v2.3.7 release and we highly recommend to upgrade, because v2.3.2 is very old and vulnerable (latest release from the 2.3 series is v2.3.18).
If I am not wrong, your log comes from an ASUS device. I'd suggest to report this issue back to their support team in the hope that they move to a newer and safer version some time soon.
Speaking more about the issue: it occurs because your openvpn server is still using the ancient TLS v1.0, while the Connect app is using a much more recent SSL engine that does not cooperate pretty well with that TLS version.
We should be able to make the app more resilient to this problem, but what I said above will still apply.
Cheers,
comment:3 Changed 6 years ago by
Fully understood
Thank you for information and very fast response&action.
Will report this directly to ASUS as I believe their action would require full firmware upgrade to be conducted...
Thank you!
comment:4 Changed 6 years ago by
Hi,
FYI we have managed to fix the glitch in OpenVPN Connect that triggered the bug in openvpn2.3.2.
OpenVPN Connect should now be able to talk to the server without crashing it This is v1.1.23 and it's available in PlayStore? already.
However, this shouldn't prevent you from reporting the issue to ASUS, because the server is still vulnerable and should really be upgraded.
Cheers,
comment:5 Changed 6 years ago by
Thank you
I've submitted issue via their support website
Will see if they will take any action.
comment:6 Changed 6 years ago by
That's great. Let us know how it goes. May you also tell us what's the router model you have been using?
Thanks
comment:7 Changed 6 years ago by
Hi,
That is very Odd i also have the same error on my ASUS RT-N18U . Reason why am I saing tahs odd becasue I'm useing it since 2016 Jan and nothing has been change on server site. Since 2 days bouth my Laptop and Andoriod is unable to log into it. I would stick it more to some setting on Server sites, but i'm not an expert on it.
My desktop verion of client is : 1.5.6
Android : 1.1.22
Down below log from Router
Nov 4 20:20:00 openvpn[8077]: event_wait : Interrupted system call (code=4)
Nov 4 20:20:01 openvpn[8077]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Nov 4 20:20:01 openvpn[8077]: Closing TUN/TAP interface
Nov 4 20:20:01 openvpn[8077]: /sbin/ifconfig tun21 0.0.0.0
Nov 4 20:20:01 openvpn[8077]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Nov 4 20:20:01 openvpn[8077]: SIGTERM[hard,] received, process exiting
Nov 4 20:20:03 openvpn[8168]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 2 2017
Nov 4 20:20:03 openvpn[8168]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so 'usr/lib/openvpn-plugin-auth-pam.so [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 4 20:20:03 openvpn[8168]: Diffie-Hellman initialized with 2048 bit key
Nov 4 20:20:03 openvpn[8168]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Nov 4 20:20:03 openvpn[8168]: TUN/TAP device tun21 opened
Nov 4 20:20:03 openvpn[8168]: TUN/TAP TX queue length set to 100
Nov 4 20:20:03 openvpn[8168]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 4 20:20:03 openvpn[8168]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Nov 4 20:20:03 openvpn[8168]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Nov 4 20:20:03 openvpn[8177]: UDPv4 link local (bound): [undef]
Nov 4 20:20:03 openvpn[8177]: UDPv4 link remote: [undef]
Nov 4 20:20:03 openvpn[8177]: MULTI: multi_init called, r=256 v=256
Nov 4 20:20:03 openvpn[8177]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Nov 4 20:20:03 openvpn[8177]: Initialization Sequence Completed
Nov 4 20:20:28 openvpn[8177]: IP:54306 TLS: Initial packet from [AF_INET]INTERNAL_IP:54306 (via [AF_INET] EXTERNAL_IP%br0), sid=0c1d0e11 0bbf1ad1
Nov 4 20:20:29 openvpn[8177]: IP:54306 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N18U, emailAddress=me@…
Nov 4 20:20:29 openvpn[8177]: IP:54306 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@…
Nov 4 20:20:29 openvpn[8177]: IP:54306 Assertion failed at ssl.c:2005
Nov 4 20:20:29 openvpn[8177]: IP:54306 Exiting due to fatal error
Nov 4 20:20:29 openvpn[8177]: IP:54306 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Nov 4 20:20:29 openvpn[8177]: IP:54306 Closing TUN/TAP interface
Nov 4 20:20:29 openvpn[8177]: IP:54306 /sbin/ifconfig tun21 0.0.0.0
comment:8 Changed 6 years ago by
Sure:
Asus | RT-AC3200 from Polish distributor
Will provide update when they respond back to me
comment:9 Changed 6 years ago by
ASUS got back with me and basically they acknowledged that they are aware
of very old OpenVPN server in their firmware.
They claim that update will be provided but the release date is unknown
We will see how it turns out
comment:10 Changed 6 years ago by
| Owner: | set to Antonio Quartulli |
|---|---|
| Status: | new → accepted |
The app has been fixed.
@kiemlicz, can we close this ticket?
comment:11 follow-up: 12 Changed 6 years ago by
Yes, please
Thank you.
(just to update) ASUS firmware is still not updated with new OpenVPN server
comment:12 Changed 6 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | accepted → closed |
Replying to kiemlicz:
Yes, please
Thank you.
(just to update) ASUS firmware is still not updated with new OpenVPN server
I imagined that. They normally take a bit before the change can be deployed.
EDIT:
OpenVPN Connect 1.1.22 (build 89)