Opened 6 years ago

Closed 6 years ago

#955 closed Bug / Defect (fixed)

OpenVPN Connect unable to connect to OpenVPN server

Reported by: kiemlicz
Owned by: Antonio Quartulli
Priority: blocker
Milestone:
Component: OpenVPN Connect
Version: 1.1.12
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

OpenVPN Connect 1.1.12 (build 89)
OpenVPN server 2.3.2

Client is unable to connect to server, fails with error:

Transport error: TCP connect error on 'myfancydomain': Connection refused

The server logs:

openvpn[925]: TCP connection established with [AF_INET]SOME_IP:57796
openvpn[925]: SOME_IP:57796 TLS: Initial packet from [AF_INET]SOME_IP:57796, sid=a08ab2d8 40a042c2
openvpn[925]: SOME_IP:57796 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC3200, emailAddress=me@myhost.mydomain
openvpn[925]: SOME_IP:57796 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
openvpn[925]: SOME_IP:57796 Assertion failed at ssl.c:2005
openvpn[925]: SOME_IP:57796 Exiting due to fatal error
openvpn[925]: SOME_IP:57796 /sbin/route del -net SOME_NET_IP netmask 255.255.255.0
openvpn[925]: SOME_IP:57796 Closing TUN/TAP interface
openvpn[925]: SOME_IP:57796 /sbin/ifconfig tun21 0.0.0.0

The bug occurred in one of the latest OpenVPN Connect versions
Previously worked flawlessly
Marking as blocker because the OpenVPN is totally unusable
Please confirm

Kind regards

Change History (12)

comment:1 Changed 6 years ago by kiemlicz

EDIT:
OpenVPN Connect 1.1.22 (build 89)

comment:2 Changed 6 years ago by Antonio Quartulli

Hi and thanks for reporting the issue.

We are already working on a mitigation on the OpenVPN Connect app for Android.

I used the word "mitigation" because, as you may understand, the server version you are running is bugged and prone to crash.
This "assert bug" (which leads the server to stop running) has been fixed in the v2.3.7 release and we highly recommend upgrading, because v2.3.2 is very old and vulnerable (the latest release from the 2.3 series is v2.3.18).

If I am not wrong, your log comes from an ASUS device. I'd suggest reporting this issue back to their support team in the hope that they move to a newer and safer version some time soon.

Speaking more about the issue: it occurs because your openvpn server is still using the ancient TLS v1.0, while the Connect app is using a much more recent SSL engine that does not cooperate pretty well with that TLS version.

We should be able to make the app more resilient to this problem, but what I said above will still apply.

Cheers,
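
The crash signature in the server log quoted in the description can be detected mechanically. The following is an added example, not part of the ticket and not OpenVPN project code: it scans syslog-style lines for a session in which "Assertion failed" is followed by "Exiting due to fatal error" and reports the peer and the client certificate CN. The sample log is constructed (192.0.2.x documentation addresses stand in for SOME_IP) and the function name `find_assert_crashes` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server log quoted in the ticket
# (192.0.2.x are documentation addresses standing in for SOME_IP).
SAMPLE_LOG = """\
openvpn[925]: TCP connection established with [AF_INET]192.0.2.10:57796
openvpn[925]: 192.0.2.10:57796 TLS: Initial packet from [AF_INET]192.0.2.10:57796, sid=a08ab2d8 40a042c2
openvpn[925]: 192.0.2.10:57796 VERIFY OK: depth=1, C=TW, O=ASUS, CN=RT-AC3200
openvpn[925]: 192.0.2.10:57796 VERIFY OK: depth=0, C=TW, O=ASUS, CN=client
openvpn[925]: 192.0.2.10:57796 Assertion failed at ssl.c:2005
openvpn[925]: 192.0.2.10:57796 Exiting due to fatal error
openvpn[1040]: 192.0.2.77:40112 VERIFY OK: depth=0, C=TW, O=ASUS, CN=laptop
openvpn[1040]: 192.0.2.77:40112 TLS: Initial packet from [AF_INET]192.0.2.77:40112, sid=11111111 22222222
"""

# "openvpn[PID]: IP:PORT message"; lines without a peer prefix are skipped.
LINE = re.compile(r"openvpn\[(?P<pid>\d+)\]: (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)")
ASSERT = re.compile(r"Assertion failed at (?P<where>[\w./-]+:\d+)")
LEAF_CN = re.compile(r"VERIFY OK: depth=0,.*?\bCN=(?P<cn>[^,]+)")


def find_assert_crashes(log_text):
    """Return one record per session where an assertion is followed by a fatal exit."""
    sessions = defaultdict(dict)  # (pid, peer) -> what has been seen so far
    crashes = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        state = sessions[(m["pid"], m["peer"])]
        msg = m["msg"]
        if (cn := LEAF_CN.search(msg)):
            state["cn"] = cn["cn"].strip()       # client certificate subject CN
        elif (a := ASSERT.search(msg)):
            state["where"] = a["where"]          # source file and line of the assert
        elif "Exiting due to fatal error" in msg and "where" in state:
            crashes.append({"pid": int(m["pid"]), "peer": m["peer"],
                            "client_cn": state.get("cn"), "assert_at": state["where"]})
    return crashes


if __name__ == "__main__":
    for crash in find_assert_crashes(SAMPLE_LOG):
        print(crash)
```
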

comment:3 Changed 6 years ago by kiemlicz

Fully understood

Thank you for the information and very fast response & action.
Will report this directly to ASUS as I believe their action would require full firmware upgrade to be conducted...

Thank you!

comment:4 Changed 6 years ago by Antonio Quartulli

Hi,
FYI we have managed to fix the glitch in OpenVPN Connect that triggered the bug in openvpn 2.3.2.
OpenVPN Connect should now be able to talk to the server without crashing it. This is v1.1.23 and it's available in PlayStore already.

However, this shouldn't prevent you from reporting the issue to ASUS, because the server is still vulnerable and should really be upgraded.

Cheers,

comment:5 Changed 6 years ago by kiemlicz

Thank you

I've submitted issue via their support website
Will see if they will take any action.

comment:6 Changed 6 years ago by Antonio Quartulli

That's great. Let us know how it goes. May you also tell us what's the router model you have been using?
Thanks

comment:7 Changed 6 years ago by Misza2

Last edited 6 years ago by Misza2

comment:8 Changed 6 years ago by kiemlicz

Sure:
Asus | RT-AC3200 from Polish distributor

Will provide update when they respond back to me

comment:9 Changed 6 years ago by kiemlicz

ASUS got back with me and basically they acknowledged that they are aware
of very old OpenVPN server in their firmware.

They claim that update will be provided but the release date is unknown

We will see how it turns out

comment:10 Changed 6 years ago by Antonio Quartulli

Owner: set to Antonio Quartulli
Status: new → accepted

The app has been fixed.

@kiemlicz, can we close this ticket?

comment:11 Changed 6 years ago by kiemlicz

Yes, please
Thank you.

(just to update) ASUS firmware is still not updated with new OpenVPN server

comment:12 in reply to:  11 Changed 6 years ago by Antonio Quartulli

Resolution: fixed
Status: accepted → closed

Replying to kiemlicz:

> Yes, please
> Thank you.
>
> (just to update) ASUS firmware is still not updated with new OpenVPN server

I imagined that. They normally take a bit before the change can be deployed.
