Opened 6 months ago

Last modified 5 months ago

#976 new Bug / Defect

OpenVPN not connecting from Windows 10.

Reported by: vibin Owned by:
Priority: critical Milestone: release 2.4.4
Component: Generic / unclassified Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc: tnmff@…

Description

Hi,
I can connect to my OpenVPN server (Linux) through Windows 7 & 8, but using the same settings is not working on Windows 10.

I am using OpenVPN client 2.4.4i601.

LOG from WINDOWS 7

Sat Jan 06 12:15:08 2018 OpenVPN 2.4.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sat Jan 06 12:15:08 2018 Windows version 6.1 (Windows 7) 32bit
Sat Jan 06 12:15:08 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sat Jan 06 12:15:08 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jan 06 12:15:08 2018 Need hold release from management interface, waiting...
Sat Jan 06 12:15:08 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'state on'
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'log all on'
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'echo all on'
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'hold off'
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'hold release'
Sat Jan 06 12:15:10 2018 MANAGEMENT: CMD 'username "Auth" "vibin"'
Sat Jan 06 12:15:10 2018 MANAGEMENT: CMD 'password [...]'
Sat Jan 06 12:15:10 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sat Jan 06 12:15:11 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]106.51.148.23:1194
Sat Jan 06 12:15:11 2018 Socket Buffers: R=[8192->8192] S=[64512->64512]
Sat Jan 06 12:15:11 2018 UDP link local: (not bound)
Sat Jan 06 12:15:11 2018 UDP link remote: [AF_INET]106.51.148.23:1194
Sat Jan 06 12:15:11 2018 MANAGEMENT: >STATE:1515221111,WAIT
Sat Jan 06 12:15:11 2018 MANAGEMENT: >STATE:1515221111,AUTH

Sat Jan 06 12:15:11 2018 TLS: Initial packet from [AF_INET]106.51.148.23:1194, sid=ab2e7cd6 729e1fd9
Sat Jan 06 12:15:11 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan 06 12:15:14 2018 VERIFY OK: depth=1, O=Cerulean Infromation Technology Pvt Ltd, OU=IT department, emailAddress=sysadmin@…, L=Bangalore, ST=Karnataka, C=IN, CN=gw2.ceruleaninfotech.com
Sat Jan 06 12:15:14 2018 VERIFY OK: nsCertType=SERVER
Sat Jan 06 12:15:14 2018 VERIFY OK: depth=0, C=IN, ST=Karnataka, O=Cerulean Infromation Technology Pvt Ltd, OU=IT department, L=Bangalore, CN=gw2.ceruleaninfotech.com, emailAddress=sysadmin@…
Sat Jan 06 12:15:14 2018 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jan 06 12:15:14 2018 [gw2.ceruleaninfotech.com] Peer Connection Initiated with [AF_INET]106.51.148.23:1194
Sat Jan 06 12:15:15 2018 MANAGEMENT: >STATE:1515221115,GET_CONFIG
Sat Jan 06 12:15:15 2018 SENT CONTROL [gw2.ceruleaninfotech.com]: 'PUSH_REQUEST' (status=1)
Sat Jan 06 12:15:15 2018 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.10.10.254,dhcp-option WINS 192.10.10.1,dhcp-option DOMAIN ceruleaninfotech.com,route 192.10.10.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Jan 06 12:15:15 2018 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jan 06 12:15:15 2018 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jan 06 12:15:15 2018 OPTIONS IMPORT: route options modified
Sat Jan 06 12:15:15 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jan 06 12:15:15 2018 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 06 12:15:15 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 06 12:15:15 2018 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 06 12:15:15 2018 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 06 12:15:15 2018 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 06 12:15:15 2018 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 06 12:15:15 2018 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sat Jan 06 12:15:15 2018 interactive service msg_channel=200
Sat Jan 06 12:15:15 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 I=33 HWADDR=4c:0f:6e:84:9e:ff
Sat Jan 06 12:15:15 2018 open_tun
Sat Jan 06 12:15:15 2018 TAP-WIN32 device [Local Area Connection 2] opened:
.\Global\{059A3149-B10F-43F3-9A68-B0F33D63EEFA}.tap
Sat Jan 06 12:15:15 2018 TAP-Windows Driver Version 9.21
Sat Jan 06 12:15:15 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {059A3149-B10F-43F3-9A68-B0F33D63EEFA} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Jan 06 12:15:15 2018 Successful ARP Flush on interface [46] {059A3149-B10F-43F3-9A68-B0F33D63EEFA}
Sat Jan 06 12:15:15 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 06 12:15:15 2018 MANAGEMENT: >STATE:1515221115,ASSIGN_IP,,10.8.0.6

Sat Jan 06 12:15:20 2018 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Jan 06 12:15:20 2018 MANAGEMENT: >STATE:1515221120,ADD_ROUTES

Sat Jan 06 12:15:20 2018 C:\Windows\system32\route.exe ADD 192.10.10.0 MASK 255.255.255.0 10.8.0.5
Sat Jan 06 12:15:20 2018 Route addition via service succeeded
Sat Jan 06 12:15:20 2018 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Jan 06 12:15:20 2018 Route addition via service succeeded
Sat Jan 06 12:15:20 2018 Initialization Sequence Completed
Sat Jan 06 12:15:20 2018 MANAGEMENT: >STATE:1515221120,CONNECTED,SUCCESS,10.8.0.6,106.51.148.23,1194

=============================================================================================

Log from windows 10

Sat Jan 06 12:50:54 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sat Jan 06 12:50:54 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Jan 06 12:50:54 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sat Jan 06 12:50:54 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Jan 06 12:50:54 2018 Need hold release from management interface, waiting...
Sat Jan 06 12:50:54 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'state on'
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'log all on'
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'echo all on'
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'hold off'
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'hold release'
Sat Jan 06 12:50:57 2018 MANAGEMENT: CMD 'username "Auth" "mmpanda"'
Sat Jan 06 12:50:57 2018 MANAGEMENT: CMD 'password [...]'
Sat Jan 06 12:50:57 2018 MANAGEMENT: CMD 'proxy NONE '
Sat Jan 06 12:50:58 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sat Jan 06 12:50:59 2018 MANAGEMENT: >STATE:1515223259,RESOLVE
Sat Jan 06 12:50:59 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]106.51.148.23:1194
Sat Jan 06 12:50:59 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Jan 06 12:50:59 2018 UDP link local: (not bound)
Sat Jan 06 12:50:59 2018 UDP link remote: [AF_INET]106.51.148.23:1194
Sat Jan 06 12:50:59 2018 MANAGEMENT: >STATE:1515223259,WAIT

Sat Jan 06 12:50:59 2018 MANAGEMENT: >STATE:1515223259,AUTH
Sat Jan 06 12:50:59 2018 TLS: Initial packet from [AF_INET]106.51.148.23:1194, sid=47fed63d d0519ca5
Sat Jan 06 12:50:59 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jan 06 12:50:59 2018 VERIFY OK: depth=1, O=Cerulean Infromation Technology Pvt Ltd, OU=IT department, emailAddress=sysadmin@…, L=Bangalore, ST=Karnataka, C=IN, CN=gw2.ceruleaninfotech.com
Sat Jan 06 12:50:59 2018 VERIFY OK: nsCertType=SERVER
Sat Jan 06 12:50:59 2018 VERIFY OK: depth=0, C=IN, ST=Karnataka, O=Cerulean Infromation Technology Pvt Ltd, OU=IT department, L=Bangalore, CN=gw2.ceruleaninfotech.com, emailAddress=sysadmin@…
Sat Jan 06 12:51:59 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 06 12:51:59 2018 TLS Error: TLS handshake failed
Sat Jan 06 12:51:59 2018 SIGUSR1[soft,tls-error] received, process restarting
Sat Jan 06 12:51:59 2018 MANAGEMENT: >STATE:1515223319,RECONNECTING,tls-error
,
Sat Jan 06 12:51:59 2018 Restart pause, 5 second(s)
Sat Jan 06 12:52:04 2018 MANAGEMENT: CMD 'proxy NONE '
Sat Jan 06 12:52:05 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Sat Jan 06 12:52:05 2018 MANAGEMENT: >STATE:1515223325,RESOLVE

Change History (1)

comment:1 Changed 5 months ago by selvanair

> I can connect to my OpenVPN server (Linux) through Windows 7 & 8, but using the same settings is not working on Windows 10.

At least one setting is different: the Windows 10 settings are using --management-query-proxy. Though that shouldn't matter, as the proxy is set to NONE and the client-server connectivity looks OK. Anything else different?

If you have access to the server logs, that may give some clue. Else try using the same certificate as the one that succeeds from Windows 7. It could be a number of things, like the server rejected the client certificate or some script like tls-verify on the server took too long to respond.
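The side-by-side reading of the two client logs in the comment above (an extra management command on Windows 10, and a handshake that never gets past AUTH) can be done mechanically. This is an added example, not part of the ticket or of OpenVPN; the helper names `summarize` and `compare` are hypothetical, and the sample input is trimmed from the logs in this ticket.

```python
import re

# Sample input: lines trimmed from the two client logs in this ticket.
WIN7_LOG = """\
Sat Jan 06 12:15:08 2018 MANAGEMENT: CMD 'hold release'
Sat Jan 06 12:15:11 2018 MANAGEMENT: >STATE:1515221111,AUTH
Sat Jan 06 12:15:15 2018 MANAGEMENT: >STATE:1515221115,GET_CONFIG
Sat Jan 06 12:15:20 2018 MANAGEMENT: >STATE:1515221120,CONNECTED,SUCCESS,10.8.0.6,106.51.148.23,1194
"""
WIN10_LOG = """\
Sat Jan 06 12:50:55 2018 MANAGEMENT: CMD 'hold release'
Sat Jan 06 12:50:57 2018 MANAGEMENT: CMD 'proxy NONE '
Sat Jan 06 12:50:59 2018 MANAGEMENT: >STATE:1515223259,AUTH
Sat Jan 06 12:51:59 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 06 12:51:59 2018 MANAGEMENT: >STATE:1515223319,RECONNECTING,tls-error
"""

STAMP = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")  # log timestamp prefix
STATE = re.compile(r"MANAGEMENT: >STATE:\d+,([A-Z_]+)")             # connection state name
CMD = re.compile(r"MANAGEMENT: CMD '(\w+)")                         # management command verb

def summarize(log):
    """Return (states reached in order, management commands seen, TLS error lines)."""
    states, cmds, errors = [], set(), []
    for line in log.splitlines():
        msg = STAMP.sub("", line)  # drop the timestamp so the two runs are comparable
        if m := STATE.search(msg):
            states.append(m.group(1))
        elif m := CMD.search(msg):
            cmds.add(m.group(1))
        elif msg.startswith("TLS Error:"):
            errors.append(msg)
    return states, cmds, errors

def compare(good, bad):
    """Diff a working and a failing client log."""
    g_states, g_cmds, _ = summarize(good)
    b_states, b_cmds, b_errs = summarize(bad)
    last = next((s for s in reversed(b_states) if s != "RECONNECTING"), None)
    return {
        "only_in_failing_cmds": sorted(b_cmds - g_cmds),
        "states_never_reached": [s for s in g_states if s not in b_states],
        "last_state_before_error": last,
        "errors": b_errs,
    }

if __name__ == "__main__":
    print(compare(WIN7_LOG, WIN10_LOG))
```

On these samples the only command unique to the failing run is `proxy`, and the failing client stalls in `AUTH` without ever reaching `GET_CONFIG`, which is why the server-side log is the next place to look.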
