Can't connect to my server anymore with OpenVPN

Post by hackdesigner » Wed May 03, 2023 7:21 pm

Hi community!

I've been running the SE server for many years. I used the auto-generated .ovpn file on all platforms and it always worked.
But with recent changes to OpenVPN (cipher changes), first it required me to alter the data-ciphers, and now it just hangs indefinitely.
I am referring to the problem with AES-128-CBC, used by default by the OpenVPN implementation in SEVPN. There are plenty of threads over the past 2 years all over the place, but they never seem to reach any meaningful conclusion.
I started experimenting and I think at this point I have entirely borked the setup, so that I cannot connect anymore with the OpenVPN client, neither from any Windows machine nor from the phones.

What should the cipher values be in
  • the SoftEtherVPN configuration window under the (Encryption...) settings
  • the .ovpn file
so that newer OpenVPN clients connect?

For reference, here is the log. I get the same log now regardless of OpenVPN version (2.4-2.6) and cipher in the .ovpn file (AES-128-CBC or AES-256-GCM):

Wed May 03 21:51:53 2023 OpenVPN 2.4.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 17 2022
Wed May 03 21:51:53 2023 Windows version 6.2 (Windows 8 or greater) 64bit
Wed May 03 21:51:53 2023 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
Wed May 03 21:51:53 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed May 03 21:51:53 2023 Need hold release from management interface, waiting...
Wed May 03 21:51:54 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'state on'
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'log all on'
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'echo all on'
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'bytecount 5'
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'hold off'
Wed May 03 21:51:54 2023 MANAGEMENT: CMD 'hold release'
Wed May 03 21:51:56 2023 MANAGEMENT: CMD 'username "Auth" [redacted]'
Wed May 03 21:51:56 2023 MANAGEMENT: CMD 'password [redacted]'
Wed May 03 21:51:56 2023 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 03 21:51:56 2023 MANAGEMENT: >STATE:1683143516,RESOLVE,,,,,,
Wed May 03 21:51:56 2023 TCP/UDP: Preserving recently used remote address: [AF_INET](redacted):1194
Wed May 03 21:51:56 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 03 21:51:56 2023 UDP link local: (not bound)
Wed May 03 21:51:56 2023 UDP link remote: [AF_INET](redacted):1194
Wed May 03 21:51:56 2023 MANAGEMENT: >STATE:1683143516,WAIT,,,,,,
Wed May 03 21:52:56 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 03 21:52:56 2023 TLS Error: TLS handshake failed
Wed May 03 21:52:56 2023 SIGUSR1[soft,tls-error] received, process restarting
Wed May 03 21:52:56 2023 MANAGEMENT: >STATE:1683143576,RECONNECTING,tls-error,,,,,
Wed May 03 21:52:56 2023 Restart pause, 5 second(s)
The cycle then continues.

Re: Can't connect to my server anymore with OpenVPN

Post by solo » Wed May 03, 2023 10:17 pm

Use OpenVPN client version 2.6+ AND change "cipher" to "data-ciphers" in .ovpn config.

Re: Can't connect to my server anymore with OpenVPN

Post by hackdesigner » Thu May 04, 2023 8:06 am

Thanks for the response, solo.
Using OpenVPN client 2.6 now.
Here's my .ovpn file section:

###############################################################################
# The encryption and authentication algorithm.
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC
#  auth:   SHA SHA1 SHA256 SHA384 SHA512 MD5 MD4 RMD160

cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA1
Here's what is selected on the server side:
[screenshot]

Here's the result:
[screenshot]

If I use AES-128-CBC, the log says it's not supported anymore and that it is going to use BF-CBC instead.

Re: Can't connect to my server anymore with OpenVPN

Post by solo » Thu May 04, 2023 9:18 am

hackdesigner wrote (Thu May 04, 2023 8:06 am):
    cipher AES-256-GCM
    data-ciphers AES-256-GCM
But I wrote to change, not add it. I'll spell it out:

#cipher AES-128-CBC
data-ciphers AES-128-CBC
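
The `#cipher ... / data-ciphers ...` change above is a mechanical one, and every log in this thread also carries the "No server certificate verification method has been enabled" WARNING, which the generated profile never addresses. The script below is an added example (not SoftEther's generated .ovpn, not OpenVPN code, and not from anyone in this thread): it lints a client profile for the two points and rewrites a legacy `cipher X` line into the `data-ciphers` form while keeping the algorithm unchanged, so nothing on the server side has to move. Both sample profiles are constructed; the hostname is a placeholder and the `<ca>` block holds placeholder text rather than a real certificate. The 2.5+ behaviour it encodes is that the client negotiates the data-channel cipher from `data-ciphers`, and the two directives it looks for to silence the WARNING are `remote-cert-tls server` and `verify-x509-name` (the usual ones; the lint is deliberately minimal).

```python
"""Lint and migrate a legacy OpenVPN client profile for 2.5+/2.6 clients.

Added example; not SoftEther's generated .ovpn and not code from the thread.
Two checks, both visible in the logs in this thread:
  1. a bare `cipher X` line: 2.5+ clients negotiate from `data-ciphers`, so X
     must move there (the `#cipher ...` / `data-ciphers ...` pair shown above);
  2. no server-certificate verification (`ca` plus `remote-cert-tls server` or
     `verify-x509-name`), which is what the "No server certificate verification
     method has been enabled" WARNING in every log in this thread is about.
"""
import re

CIPHER_FINDING = "legacy 'cipher' set without 'data-ciphers': 2.5+ clients negotiate from data-ciphers"
CA_FINDING = "no 'ca' directive or <ca> block: the server's certificate chain is not checked at all"
IDENTITY_FINDING = "no 'remote-cert-tls server' or 'verify-x509-name': any certificate from the CA would be accepted"

# Constructed profile in the shape of the generated one quoted above (host is a placeholder).
LEGACY_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-128-CBC
auth SHA1
"""

# Constructed hardened counterpart; the certificate body is a placeholder, not a real cert.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
data-ciphers AES-128-CBC
auth SHA1
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the server's CA certificate goes here)
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(profile: str) -> list[tuple[str, str]]:
    """Return (directive, args) pairs. Comments are skipped; a <tag>...</tag> block is
    reported once as (tag, '<inline>') and its contents are ignored."""
    directives, in_block = [], None
    for raw in profile.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            in_block = m.group(1)
            directives.append((in_block, "<inline>"))
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1] if len(parts) == 2 else ""))
    return directives


def lint(profile: str) -> list[str]:
    names = {name for name, _ in parse_directives(profile)}
    findings = []
    if "cipher" in names and "data-ciphers" not in names:
        findings.append(CIPHER_FINDING)
    if "ca" not in names:
        findings.append(CA_FINDING)
    if not names & {"remote-cert-tls", "verify-x509-name"}:
        findings.append(IDENTITY_FINDING)
    return findings


def migrate_cipher(profile: str) -> str:
    """Comment out every `cipher X` line and make sure X is listed in data-ciphers.
    Only the client directive changes; the algorithm, and so the server, stay as they are."""
    legacy = list(dict.fromkeys(a for n, a in parse_directives(profile) if n == "cipher" and a))
    if not legacy:
        return profile
    out, merged = [], False
    for raw in profile.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0] == "cipher":
            out.append("#" + raw.strip())
        elif parts and parts[0] == "data-ciphers":
            algos = parts[1].split(":") if len(parts) == 2 else []
            algos += [a for a in legacy if a not in algos]
            out.append("data-ciphers " + ":".join(algos))
            merged = True
        else:
            out.append(raw)
    if not merged:
        # Keep the pair together, as in the post above: data-ciphers right under #cipher.
        idx = next(i for i, l in enumerate(out) if l.startswith("#cipher "))
        out.insert(idx + 1, "data-ciphers " + ":".join(legacy))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint(LEGACY_PROFILE):
        print("legacy profile:", finding)
    print(migrate_cipher(LEGACY_PROFILE))
```

Running it on the legacy profile reports all three findings; after `migrate_cipher` only the two certificate findings remain, which is the point: fixing the `cipher` line gets a 2.6 client talking again, but it does nothing about the MITM warning.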

Re: Can't connect to my server anymore with OpenVPN

Post by hackdesigner » Thu May 04, 2023 7:01 pm

Sure. I have done a number of tests with all combinations of parameters and that was just the end state.

When I update it with just data-ciphers instead of cipher

#cipher AES-256-GCM
data-ciphers AES-256-GCM

I get the following warning at the top of the log. Otherwise no other changes; it hangs exactly as it did before.
Thu May 4 20:58:02 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Thu May 4 20:58:02 2023 OpenVPN 2.6.3 [git:v2.6.3/94aad8c51043a805] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Apr 26 2023
Thu May 4 20:58:02 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Thu May 4 20:58:02 2023 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
Thu May 4 20:58:02 2023 DCO version: v0
Thu May 4 20:58:02 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 4 20:58:02 2023 Need hold release from management interface, waiting...
Thu May 4 20:58:02 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50529
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'state on'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'log on all'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'echo on all'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'bytecount 5'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'state'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'hold off'
Thu May 4 20:58:02 2023 MANAGEMENT: CMD 'hold release'
Thu May 4 20:58:05 2023 MANAGEMENT: CMD 'username "Auth" [...]''
Thu May 4 20:58:05 2023 MANAGEMENT: CMD 'password [...]'
Thu May 4 20:58:05 2023 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 4 20:58:05 2023 MANAGEMENT: >STATE:1683226685,RESOLVE,,,,,,
Thu May 4 20:58:05 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][...]':1194
Thu May 4 20:58:05 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Thu May 4 20:58:05 2023 UDP link local: (not bound)
Thu May 4 20:58:05 2023 UDP link remote: [AF_INET][...]':1194
Thu May 4 20:58:05 2023 MANAGEMENT: >STATE:1683226685,WAIT,,,,,,
When I also change the cipher to the one that you provided (the default in the OVPN file)

#cipher AES-256-GCM
data-ciphers AES-128-CBC

then another warning pops up, but the rest of the log remains unchanged:
Thu May 4 20:50:21 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Thu May 4 20:50:21 2023 Note: cipher 'AES-128-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.

Thu May 4 20:50:21 2023 OpenVPN 2.6.3 [git:v2.6.3/94aad8c51043a805] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Apr 26 2023
Thu May 4 20:50:21 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Thu May 4 20:50:21 2023 library versions: OpenSSL 3.1.0 14 Mar 2023, LZO 2.10
Thu May 4 20:50:21 2023 DCO version: v0
Thu May 4 20:50:21 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 4 20:50:21 2023 Need hold release from management interface, waiting...
Thu May 4 20:50:21 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:50465
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'state on'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'log on all'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'echo on all'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'bytecount 5'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'state'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'hold off'
Thu May 4 20:50:22 2023 MANAGEMENT: CMD 'hold release'
Thu May 4 20:50:24 2023 MANAGEMENT: CMD 'username "Auth" [...]'
Thu May 4 20:50:24 2023 MANAGEMENT: CMD 'password [...]'
Thu May 4 20:50:24 2023 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 4 20:50:24 2023 MANAGEMENT: >STATE:1683226224,RESOLVE,,,,,,
Thu May 4 20:50:25 2023 TCP/UDP: Preserving recently used remote address: [AF_INET][...]:1194
Thu May 4 20:50:25 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu May 4 20:50:25 2023 UDPv4 link local: (not bound)
Thu May 4 20:50:25 2023 UDPv4 link remote: [AF_INET][...]:1194
Thu May 4 20:50:25 2023 MANAGEMENT: >STATE:1683226225,WAIT,,,,,,
Thu May 4 20:51:25 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 4 20:51:25 2023 TLS Error: TLS handshake failed
Thu May 4 20:51:25 2023 SIGUSR1[soft,tls-error] received, process restarting
Thu May 4 20:51:25 2023 MANAGEMENT: >STATE:1683226285,RECONNECTING,tls-error,,,,,
Thu May 4 20:51:25 2023 Restart pause, 1 second(s)

Re: Can't connect to my server anymore with OpenVPN

Post by solo » Fri May 05, 2023 12:50 am

Update your SE server and set it to AES-128-CBC. Look, here is my session on https://www.vpngate.net/en/
  • vpngate_public-vpn-197.opengw.net_tcp_443.ovpn


#cipher AES-128-CBC
data-ciphers AES-128-CBC

2023-04-12 19:56:32 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-04-12 19:56:32 Note: cipher 'AES-128-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
2023-04-12 19:56:32 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Feb  6 2023
2023-04-12 19:56:32 Windows version 6.1 (Windows 7), x86 executable
2023-04-12 19:56:32 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2023-04-12 19:56:32 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2023-04-12 19:56:32 Need hold release from management interface, waiting...
2023-04-12 19:56:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49183
2023-04-12 19:56:32 MANAGEMENT: CMD 'state on'
2023-04-12 19:56:32 MANAGEMENT: CMD 'log on all'
2023-04-12 19:56:32 MANAGEMENT: CMD 'echo on all'
2023-04-12 19:56:32 MANAGEMENT: CMD 'bytecount 5'
2023-04-12 19:56:32 MANAGEMENT: CMD 'state'
2023-04-12 19:56:32 MANAGEMENT: CMD 'hold off'
2023-04-12 19:56:32 MANAGEMENT: CMD 'hold release'
2023-04-12 19:56:32 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-04-12 19:56:32 MANAGEMENT: >STATE:1681293392,RESOLVE,,,,,,
2023-04-12 19:56:33 TCP/UDP: Preserving recently used remote address: [AF_INET]219.100.37.211:443
2023-04-12 19:56:33 Socket Buffers: R=[8192->8192] S=[8192->8192]
2023-04-12 19:56:33 Attempting to establish TCP connection with [AF_INET]219.100.37.211:443
2023-04-12 19:56:33 MANAGEMENT: >STATE:1681293393,TCP_CONNECT,,,,,,
2023-04-12 19:56:33 TCP connection established with [AF_INET]219.100.37.211:443
2023-04-12 19:56:33 TCPv4_CLIENT link local: (not bound)
2023-04-12 19:56:33 TCPv4_CLIENT link remote: [AF_INET]219.100.37.211:443
2023-04-12 19:56:33 MANAGEMENT: >STATE:1681293393,WAIT,,,,,,
2023-04-12 19:56:34 MANAGEMENT: >STATE:1681293394,AUTH,,,,,,
2023-04-12 19:56:34 TLS: Initial packet from [AF_INET]219.100.37.211:443, sid=65070f64 b18f0485
2023-04-12 19:56:34 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-04-12 19:56:34 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-04-12 19:56:34 VERIFY OK: depth=0, CN=opengw.net
2023-04-12 19:56:34 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-04-12 19:56:34 [opengw.net] Peer Connection Initiated with [AF_INET]219.100.37.211:443
2023-04-12 19:56:34 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-04-12 19:56:34 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-04-12 19:56:36 MANAGEMENT: >STATE:1681293396,GET_CONFIG,,,,,,
2023-04-12 19:56:36 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-04-12 19:56:41 SENT CONTROL [opengw.net]: 'PUSH_REQUEST' (status=1)
2023-04-12 19:56:43 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.246.47.9 10.246.47.10,dhcp-option DNS 10.246.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.246.47.10,redirect-gateway def1'
2023-04-12 19:56:43 OPTIONS IMPORT: timers and/or timeouts modified
2023-04-12 19:56:43 OPTIONS IMPORT: --ifconfig/up options modified
2023-04-12 19:56:43 OPTIONS IMPORT: route options modified
2023-04-12 19:56:43 OPTIONS IMPORT: route-related options modified
2023-04-12 19:56:43 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-04-12 19:56:43 Using peer cipher 'AES-128-CBC'
2023-04-12 19:56:43 interactive service msg_channel=348
2023-04-12 19:56:43 open_tun
2023-04-12 19:56:43 tap-windows6 device [OpenVPN TAP-Windows6] opened
2023-04-12 19:56:43 TAP-Windows Driver Version 9.24 
2023-04-12 19:56:43 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.246.47.9/255.255.255.252 on interface {001C2F0C-B587-4335-8ED8-6F9DA924572B} [DHCP-serv: 10.246.47.10, lease-time: 31536000]
2023-04-12 19:56:43 Successful ARP Flush on interface [16] {001C2F0C-B587-4335-8ED8-6F9DA924572B}
2023-04-12 19:56:43 MANAGEMENT: >STATE:1681293403,ASSIGN_IP,,10.246.47.9,,,,
2023-04-12 19:56:43 IPv4 MTU set to 1500 on interface 16 using service
2023-04-12 19:56:43 Data Channel: using negotiated cipher 'AES-128-CBC'
2023-04-12 19:56:43 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2023-04-12 19:56:43 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-04-12 19:56:43 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
2023-04-12 19:56:43 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2023-04-12 19:56:43 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.246.47.9 10.246.47.10,dhcp-option DNS 10.246.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.246.47.10,redirect-gateway def'
2023-04-12 19:56:43 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2023-04-12 19:56:43 Options error: unknown --redirect-gateway flag: def
2023-04-12 19:56:48 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2023-04-12 19:56:48 C:\Windows\system32\route.exe ADD 219.100.37.211 MASK 255.255.255.255 10.0.2.2
2023-04-12 19:56:48 Route addition via service succeeded
2023-04-12 19:56:48 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.246.47.10
2023-04-12 19:56:48 Route addition via service succeeded
2023-04-12 19:56:48 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.246.47.10
2023-04-12 19:56:48 Route addition via service succeeded
2023-04-12 19:56:48 Initialization Sequence Completed
2023-04-12 19:56:48 MANAGEMENT: >STATE:1681293408,CONNECTED,SUCCESS,10.246.47.9,219.100.37.211,443,10.0.2.15,49184
TLDR: works for me.

Re: Can't connect to my server anymore with OpenVPN

Post by hackdesigner » Fri May 05, 2023 6:48 pm

I am using 4.41, the latest available.
Yes, that was partially the question in the OP: what exactly is the value for "AES-128-CBC", since there is no such entry in the list and I forgot the default? Is it "AES128-SHA" — or am I supposed to manually type "AES-128-CBC" there?
[screenshot]

Re: Can't connect to my server anymore with OpenVPN

Post by solo » Sat May 06, 2023 1:04 am

Select "AES128-SHA".

Re: Can't connect to my server anymore with OpenVPN

Post by hackdesigner » Sat May 20, 2023 6:30 pm

@solo, if I knew where you live, I'd bring you a nice bottle of something of your choice. Thank you so much for spending time trying to help me. It really helped, because I was at least able to return the system to defaults. As for the problem...

— My computer does not work!
— Did you try turning on the monitor?
— Ah! You fixed it!

I forgot to add the hotel's IP to the port 1194 filter in Azure 😏

It was only upon reading the log that I understood it was talking about the connection between the VPN client and the local service, so while visually it seemed like the "process happens", in fact the moment it actually tried to connect to the server, it all hung. Add the confirmation bias from the fact that I had not used that laptop for a while and had to update the client, and here we are.

Thanks again, and sorry for wasting your time, hopefully this thread will be at least helpful as a reference to someone :)
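
The resolution above is worth encoding as a check: the failing logs never contain a "TLS: Initial packet from ..." line, so the server never answered, and nothing that happens later in the handshake (cipher negotiation included) can be the cause. The script below is an added example, not code from this thread, from OpenVPN or from SoftEther. It triages an OpenVPN client log into one of a few verdicts, ignores the MANAGEMENT lines (those are the GUI talking to the local openvpn process over 127.0.0.1, which is what misled the original poster), and pulls out the remote address, the negotiated data-channel cipher, and whether the server's certificate chain and identity were checked. The first two sample logs are trimmed excerpts of the failing and working logs posted in this thread; the third, the cipher-mismatch case, is constructed (documentation IP, made-up session id) to show what a genuine `data-ciphers` problem looks like on a 2.5+ client.

```python
"""Triage an OpenVPN client log: did the server ever answer, and if so, why did it fail?

Added example; not part of the thread, of OpenVPN or of SoftEther. Sample logs are
trimmed excerpts of the two logs posted above plus one constructed cipher-mismatch case.
"""
import re

# Trimmed excerpt of the failing log from the thread: the client reaches WAIT and times out.
FAILING_LOG = """\
Wed May 03 21:51:56 2023 MANAGEMENT: CMD 'hold release'
Wed May 03 21:51:56 2023 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed May 03 21:51:56 2023 UDP link remote: [AF_INET](redacted):1194
Wed May 03 21:51:56 2023 MANAGEMENT: >STATE:1683143516,WAIT,,,,,,
Wed May 03 21:52:56 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 03 21:52:56 2023 TLS Error: TLS handshake failed
"""

# Trimmed excerpt of the working vpngate session posted above.
WORKING_LOG = """\
2023-04-12 19:56:32 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-04-12 19:56:33 TCPv4_CLIENT link remote: [AF_INET]219.100.37.211:443
2023-04-12 19:56:34 TLS: Initial packet from [AF_INET]219.100.37.211:443, sid=65070f64 b18f0485
2023-04-12 19:56:34 VERIFY OK: depth=0, CN=opengw.net
2023-04-12 19:56:34 [opengw.net] Peer Connection Initiated with [AF_INET]219.100.37.211:443
2023-04-12 19:56:43 Data Channel: using negotiated cipher 'AES-128-CBC'
2023-04-12 19:56:48 Initialization Sequence Completed
"""

# Constructed: a real cipher mismatch on 2.5+ (the server answered, then negotiation failed).
CIPHER_MISMATCH_LOG = """\
2023-05-04 21:00:00 UDP link remote: [AF_INET]198.51.100.7:1194
2023-05-04 21:00:00 TLS: Initial packet from [AF_INET]198.51.100.7:1194, sid=0f0f0f0f 0f0f0f0f
2023-05-04 21:00:01 [server] Peer Connection Initiated with [AF_INET]198.51.100.7:1194
2023-05-04 21:00:02 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM') if you want to connect to this server.
"""

# Both timestamp styles seen in the thread: "Wed May 03 21:51:56 2023" and "2023-04-12 19:56:32".
_TS = re.compile(r"^(?:\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ")


def triage(log: str) -> dict:
    msgs = [_TS.sub("", line.strip(), count=1) for line in log.splitlines() if line.strip()]
    # MANAGEMENT: lines are the GUI talking to the local openvpn process on 127.0.0.1;
    # they say nothing about the server and are dropped before any verdict is formed.
    msgs = [m for m in msgs if not m.startswith("MANAGEMENT:")]

    remote = server_cipher = data_cipher = None
    for m in msgs:
        if r := re.search(r"link remote: \[AF_INET\](\S+)", m):
            remote = r.group(1)
        if r := re.search(r"Add the server's cipher \('([^']+)'\)", m):
            server_cipher = r.group(1)
        if r := re.search(r"Data Channel: using negotiated cipher '([^']+)'", m):
            data_cipher = r.group(1)

    server_answered = any(m.startswith("TLS: Initial packet from") for m in msgs)
    timed_out = any("TLS key negotiation failed to occur within" in m for m in msgs)
    cipher_failed = any("failed to negotiate cipher" in m for m in msgs)
    completed = "Initialization Sequence Completed" in msgs

    if completed:
        verdict, hint = "connected", f"data channel uses {data_cipher}"
    elif cipher_failed:
        verdict, hint = "cipher-mismatch", f"server offers {server_cipher}: add it to data-ciphers or change the server cipher"
    elif timed_out and not server_answered:
        verdict, hint = "no-server-response", f"nothing came back from {remote}: check firewall/NSG rules, port and address; data-ciphers is never consulted this early"
    elif timed_out:
        verdict, hint = "handshake-failed", "server answered but TLS did not complete: check ca, tls-auth/tls-crypt and server TLS settings"
    else:
        verdict, hint = "inconclusive", "log ends before a verdict can be reached"

    return {
        "verdict": verdict,
        "hint": hint,
        "remote": remote,
        "server_answered": server_answered,
        "chain_verified": any(m.startswith("VERIFY OK") for m in msgs),
        # The mitm WARNING fires even when the chain verifies: the server's identity is still unchecked.
        "identity_check_missing": any("No server certificate verification method" in m for m in msgs),
        "data_cipher": data_cipher,
        "server_cipher": server_cipher,
    }


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG), ("mismatch", CIPHER_MISMATCH_LOG)):
        v = triage(log)
        print(f"{name}: {v['verdict']}; {v['hint']}")
```

On the failing log this returns `no-server-response` with the remote address, which is exactly the Azure port-filter situation; on the working log it returns `connected` with `AES-128-CBC`, and still flags `identity_check_missing`, because a verified chain alone does not bind the certificate to the server you meant to reach.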
