Hi Everybody,
Not sure if someone could provide some help / has the same issue here but since the release of the latest stable Linux OpenVPN Client 2.6.0 connections can't be created. Downgrade to latest stable 2.5.6 release has no issue at all and can connect to the destination.
No changes where made on the XG550 (SFOS 17.5.14 MR-14-1). Maybe there is a bug in the Firmware ? Latest client changes are written on github.com/.../Changes.rst
Latest release shows lot of output errors like:
2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol
2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error
I think the generated 'opnv' file on the firewall is the problem here as the debug output shows data cipher errors.
I attached a text file which compare the output of both releases.Top shows the latest 2.6.0 release output and bottom one the 2.5.6 after downgrading to that version.
Output latest OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' in repo - This version doesn't connect to destination ! root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn 2022-05-29 19:07:47 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2022-05-29 19:07:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 2022-05-29 19:07:47 Cannot find ovpn_dco netlink component: Object not found 2022-05-29 19:07:47 Note: Kernel support for ovpn-dco missing, disabling data channel offload. 2022-05-29 19:07:47 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022 2022-05-29 19:07:47 library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10 Enter Auth Username: hschoepel 🔐 Enter Auth Password: ****** 2022-05-29 19:08:08 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443 2022-05-29 19:08:08 Socket Buffers: R=[131072->131072] S=[16384->16384] 2022-05-29 19:08:08 Attempting to establish TCP connection with [AF_INET]*********:8443 2022-05-29 19:08:08 TCP connection established with [AF_INET]*********:8443 2022-05-29 19:08:08 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92) 2022-05-29 19:08:08 TCP_CLIENT link local: (not bound) 2022-05-29 19:08:08 TCP_CLIENT link remote: [AF_INET]*********:8443 2022-05-29 19:08:08 TLS: Initial packet from [AF_INET]*********.35:8443, sid=2a3742bf 758117bf 2022-05-29 19:08:08 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only 2022-05-29 19:08:08 OpenSSL: error:0A000102:SSL routines::unsupported protocol 2022-05-29 19:08:08 TLS_ERROR: BIO read tls_read_plaintext error 2022-05-29 19:08:08 TLS Error: TLS object -> incoming plaintext read error 2022-05-29 19:08:08 TLS Error: TLS handshake failed 2022-05-29 19:08:08 Fatal TLS error (check_tls_errors_co), restarting 2022-05-29 19:08:08 SIGUSR1[soft,tls-error] received, process restarting 2022-05-29 19:08:08 Restart pause, 5 second(s) 2022-05-29 19:08:13 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443 2022-05-29 19:08:13 Socket Buffers: R=[131072->131072] S=[16384->16384] 2022-05-29 19:08:13 Attempting to establish TCP connection with [AF_INET]*********:8443 2022-05-29 19:08:13 TCP connection established with [AF_INET]*********:8443 2022-05-29 19:08:13 Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92) 2022-05-29 19:08:13 TCP_CLIENT link local: (not bound) 2022-05-29 19:08:13 TCP_CLIENT link remote: [AF_INET]*********:8443 2022-05-29 19:08:13 TLS: Initial packet from [AF_INET]*********:8443, sid=eceadd8a 6679da5c 2022-05-29 19:08:13 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only 2022-05-29 19:08:13 OpenSSL: error:0A000102:SSL routines::unsupported protocol 2022-05-29 19:08:13 TLS_ERROR: BIO read tls_read_plaintext error 2022-05-29 19:08:13 TLS Error: TLS object -> incoming plaintext read error 2022-05-29 19:08:13 TLS Error: TLS handshake failed 2022-05-29 19:08:13 Fatal TLS error (check_tls_errors_co), restarting 2022-05-29 19:08:13 SIGUSR1[soft,tls-error] received, process restarting 2022-05-29 19:08:13 Restart pause, 5 second(s) Output OpenVPN Debian/SID release '2.6.0~git20220518+dco-1' - This version connects just fine to destination ! root@debian:/home/henrik/Downloads# openvpn hschoepel@ssl_vpn_config.ovpn 2022-05-29 19:13:41 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. 2022-05-29 19:13:41 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. 2022-05-29 19:13:41 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 20 2022 2022-05-29 19:13:41 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10 Enter Auth Username: hschoepel 🔐 Enter Auth Password: **************** 2022-05-29 19:14:09 TCP/UDP: Preserving recently used remote address: [AF_INET]*********:8443 2022-05-29 19:14:09 Socket Buffers: R=[131072->131072] S=[16384->16384] 2022-05-29 19:14:09 Attempting to establish TCP connection with [AF_INET]*********:8443 [nonblock] 2022-05-29 19:14:09 TCP connection established with [AF_INET]*********:8443 2022-05-29 19:14:09 TCP_CLIENT link local: (not bound) 2022-05-29 19:14:09 TCP_CLIENT link remote: [AF_INET]*********:8443 2022-05-29 19:14:09 TLS: Initial packet from [AF_INET]*********:8443, sid=35f93a56 414d6e12 2022-05-29 19:14:09 VERIFY OK: depth=1, C=DE, ST=*********, L=*********, O=*********, OU=OU, CN=Sophos_CA_C51028TQFXXK621, emailAddress=********* 2022-05-29 19:14:09 VERIFY X509NAME OK: C=DE, ST=*********, L=*********, O=*********, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, emailAddress=********* 2022-05-29 19:14:09 VERIFY OK: depth=0, C=DE, ST=MV, L=Schwerin, O=Datagroup Bremen, OU=OU, CN=SophosApplianceCertificate_C51028TQFXXK621, emailAddress=********* 2022-05-29 19:14:10 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, peer certificate: 2048 bit RSA, signature: RSA-SHA256 2022-05-29 19:14:10 [SophosApplianceCertificate_C51028TQFXXK621] Peer Connection Initiated with [AF_INET]*********:8443 2022-05-29 19:14:11 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 'PUSH_REQUEST' (status=1) 2022-05-29 19:14:16 SENT CONTROL [SophosApplianceCertificate_C51028TQFXXK621]: 'PUSH_REQUEST' (status=1) 2022-05-29 19:14:16 PUSH: Received control message: 'PUSH_REPLY,route-gateway ...... Couldn't find any simmilar up2date bug reports via Google related to OpenVPN on Debian/SID. Greetings, Henrik
Greetings,
Henrik
This thread was automatically locked due to age.
