Opened 4 years ago

Closed 4 years ago

#955 closed Bug / Defect (fixed)

OpenVPN Connect unable to connect to OpenVPN server

Reported by: kiemlicz
Owned by: Antonio
Priority: blocker
Milestone:
Component: OpenVPN Connect
Version: 1.1.12
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

OpenVPN Connect 1.1.12 (build 89)
OpenVPN server 2.3.2

Client is unable to connect to server, fails with error:

Transport error: TCP connect error on 'myfancydomain': Connection refused

The server logs:

openvpn[925]: TCP connection established with [AF_INET]SOME_IP:57796
openvpn[925]: SOME_IP:57796 TLS: Initial packet from [AF_INET]SOME_IP:57796, sid=a08ab2d8 40a042c2
openvpn[925]: SOME_IP:57796 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, emailAddress=me@myhost.mydomain
openvpn[925]: SOME_IP:57796 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
openvpn[925]: SOME_IP:57796 Assertion failed at ssl.c:2005
openvpn[925]: SOME_IP:57796 Exiting due to fatal error
openvpn[925]: SOME_IP:57796 /sbin/route del -net SOME_NET_IP netmask 255.255.255.0
openvpn[925]: SOME_IP:57796 Closing TUN/TAP interface
openvpn[925]: SOME_IP:57796 /sbin/ifconfig tun21 0.0.0.0

The bug occurred in one of the latest OpenVPN Connect versions
Previously worked flawlessly
Marking as blocker because the OpenVPN is totally unusable
Please confirm

Kind regards

Change History (12)

comment:1 Changed 4 years ago by kiemlicz

EDIT:
OpenVPN Connect 1.1.22 (build 89)

comment:2 Changed 4 years ago by Antonio

Hi and thanks for reporting the issue.

We are already working on a mitigation on the OpenVPN Connect app for Android.

I used the word "mitigation" because, as you may understand, the server version you are running is bugged and prone to crash.
This "assert bug" (which leads the server to stop running) has been fixed in the v2.3.7 release and we highly recommend upgrading, because v2.3.2 is very old and vulnerable (latest release from the 2.3 series is v2.3.18).

If I am not wrong, your log comes from an ASUS device. I'd suggest reporting this issue back to their support team in the hope that they move to a newer and safer version some time soon.

Speaking more about the issue: it occurs because your openvpn server is still using the ancient TLS v1.0, while the Connect app is using a much more recent SSL engine that does not cooperate pretty well with that TLS version.

We should be able to make the app more resilient to this problem, but what I said above will still apply.

Cheers,

comment:3 Changed 4 years ago by kiemlicz

Fully understood

Thank you for the information and the very fast response & action.
Will report this directly to ASUS as I believe their action would require a full firmware upgrade to be conducted...

Thank you!

comment:4 Changed 4 years ago by Antonio

Hi,
FYI we have managed to fix the glitch in OpenVPN Connect that triggered the bug in openvpn 2.3.2.
OpenVPN Connect should now be able to talk to the server without crashing it. This is v1.1.23 and it's available in PlayStore already.

However, this shouldn't prevent you from reporting the issue to ASUS, because the server is still vulnerable and should really be upgraded.

Cheers,

comment:5 Changed 4 years ago by kiemlicz

Thank you

I've submitted the issue via their support website.
Will see if they will take any action.

comment:6 Changed 4 years ago by Antonio

That's great. Let us know how it goes. May you also tell us what's the router model you have been using?
Thanks

comment:7 Changed 4 years ago by Misza2

Hi,
That is very odd, I also have the same error on my ASUS RT-N18U. The reason why I am saying that's odd is because I've been using it since Jan 2016 and nothing has been changed on the server side. For 2 days, both my laptop and Android have been unable to log into it. I would pin it more on some setting on the server side, but I'm not an expert on it.
My desktop version of the client is: 1.5.6
Android: 1.1.22

Log from the router below:

Nov 4 20:20:00 openvpn[8077]: event_wait : Interrupted system call (code=4)
Nov 4 20:20:01 openvpn[8077]: /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Nov 4 20:20:01 openvpn[8077]: Closing TUN/TAP interface
Nov 4 20:20:01 openvpn[8077]: /sbin/ifconfig tun21 0.0.0.0
Nov 4 20:20:01 openvpn[8077]: PLUGIN_CLOSE: /usr/lib/openvpn-plugin-auth-pam.so
Nov 4 20:20:01 openvpn[8077]: SIGTERM[hard,] received, process exiting
Nov 4 20:20:03 openvpn[8168]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 2 2017
Nov 4 20:20:03 openvpn[8168]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so 'usr/lib/openvpn-plugin-auth-pam.so [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Nov 4 20:20:03 openvpn[8168]: Diffie-Hellman initialized with 2048 bit key
Nov 4 20:20:03 openvpn[8168]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Nov 4 20:20:03 openvpn[8168]: TUN/TAP device tun21 opened
Nov 4 20:20:03 openvpn[8168]: TUN/TAP TX queue length set to 100
Nov 4 20:20:03 openvpn[8168]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 4 20:20:03 openvpn[8168]: /sbin/ifconfig tun21 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Nov 4 20:20:03 openvpn[8168]: /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Nov 4 20:20:03 openvpn[8177]: UDPv4 link local (bound): [undef]
Nov 4 20:20:03 openvpn[8177]: UDPv4 link remote: [undef]
Nov 4 20:20:03 openvpn[8177]: MULTI: multi_init called, r=256 v=256
Nov 4 20:20:03 openvpn[8177]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Nov 4 20:20:03 openvpn[8177]: Initialization Sequence Completed

Nov 4 20:20:28 openvpn[8177]: IP:54306 TLS: Initial packet from [AF_INET]INTERNAL_IP:54306 (via [AF_INET] EXTERNAL_IP%br0), sid=0c1d0e11 0bbf1ad1
Nov 4 20:20:29 openvpn[8177]: IP:54306 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N18U, emailAddress=me@…
Nov 4 20:20:29 openvpn[8177]: IP:54306 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@…
Nov 4 20:20:29 openvpn[8177]: IP:54306 Assertion failed at ssl.c:2005
Nov 4 20:20:29 openvpn[8177]: IP:54306 Exiting due to fatal error
Nov 4 20:20:29 openvpn[8177]: IP:54306 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
Nov 4 20:20:29 openvpn[8177]: IP:54306 Closing TUN/TAP interface
Nov 4 20:20:29 openvpn[8177]: IP:54306 /sbin/ifconfig tun21 0.0.0.0

Router config :

Interface type : TUN
Protocol: UTP
Server Port : XXXX
Firewall : Auto
Authorization Mode: TLS
Username / Password Auth. Only: No
Extra HMAC authorization: Disabled
VPN Subnet / Netmask: 10.8.0.0. Mask 255.255.255.0
Poll Interval : 0
Push LAN to clients Yes
Direct clients to redirect Internet traffic: No
Respond to DNS: No
Encryption cipher : AES-256-CBC
Compression : Adaptive
TLS Renegotiation Time seconds: -1
Manage Client-Specific Options : No

Version 2, edited 4 years ago by Misza2
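A log triage sketch for the crash signature reported in this ticket, added here as an example and not part of the ticket or of OpenVPN's own tooling. It flags server banners older than the v2.3.7 fix named in comment:2 and ties each "Assertion failed" exit to the last client certificate verified by that process; the function name `triage` and the sample lines (constructed, modelled on the logs above, with a documentation IP) are assumptions.

```python
import re

# Release that fixed the assert crash, per comment:2 in this ticket.
FIXED_IN = (2, 3, 7)

BANNER = re.compile(r"openvpn\[(\d+)\]: OpenVPN (\d+)\.(\d+)\.(\d+)\b")
VERIFY = re.compile(r"openvpn\[(\d+)\]: (\S+) VERIFY OK: depth=0, .*?CN=([^,\s]+)")
ASSERT = re.compile(r"openvpn\[(\d+)\]: (?:\S+ )?Assertion failed at (\S+):(\d+)")
FATAL = re.compile(r"openvpn\[(\d+)\]: (?:\S+ )?Exiting due to fatal error")

# Constructed sample input (not copied from a real device).
SAMPLE = [
    "Nov 4 20:20:03 openvpn[8168]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] built on Jun 2 2017",
    "Nov 4 20:20:29 openvpn[8177]: 198.51.100.7:54306 VERIFY OK: depth=1, C=TW, O=ASUS, CN=RT-N18U",
    "Nov 4 20:20:29 openvpn[8177]: 198.51.100.7:54306 VERIFY OK: depth=0, C=TW, O=ASUS, CN=client",
    "Nov 4 20:20:29 openvpn[8177]: 198.51.100.7:54306 Assertion failed at ssl.c:2005",
    "Nov 4 20:20:29 openvpn[8177]: 198.51.100.7:54306 Exiting due to fatal error",
]


def triage(lines):
    """Return findings: outdated server banners and assert-triggered exits."""
    findings = []
    last_peer = {}  # pid -> (peer, CN) of the last client whose leaf cert verified
    pending = {}    # pid -> "file:line" of an assertion not yet followed by an exit
    for line in lines:
        if m := BANNER.search(line):
            version = tuple(int(x) for x in m.groups()[1:])
            if version < FIXED_IN:
                findings.append(("outdated", m.group(1), ".".join(map(str, version))))
        elif m := VERIFY.search(line):
            last_peer[m.group(1)] = (m.group(2), m.group(3))
        elif m := ASSERT.search(line):
            pending[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif (m := FATAL.search(line)) and m.group(1) in pending:
            pid = m.group(1)
            findings.append(("assert_exit", pid, pending.pop(pid), last_peer.get(pid)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A fatal exit is reported only when the same PID logged an assertion first, so ordinary shutdowns (such as the SIGTERM restart in the log above) are not flagged.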

comment:8 Changed 4 years ago by kiemlicz

Sure:
Asus | RT-AC3200 from Polish distributor

Will provide update when they respond back to me

comment:9 Changed 4 years ago by kiemlicz

ASUS got back to me and basically they acknowledged that they are aware of the very old OpenVPN server in their firmware.

They claim that update will be provided but the release date is unknown

We will see how it turns out

comment:10 Changed 4 years ago by Antonio

Owner: set to Antonio
Status: new → accepted

The app has been fixed.

@kiemlicz, can we close this ticket?

comment:11 Changed 4 years ago by kiemlicz

Yes, please
Thank you.

(just to update) ASUS firmware is still not updated with new OpenVPN server

comment:12 in reply to:  11 Changed 4 years ago by Antonio

Resolution: fixed
Status: accepted → closed

Replying to kiemlicz:

> Yes, please
> Thank you.
>
> (just to update) ASUS firmware is still not updated with new OpenVPN server

I imagined that. They normally take a bit before the change can be deployed.
