
At my recent job, I need to connect to the corporate VPN, so I was sent a .ovpn file. I am not very experienced with VPNs, but I had a feeling that connecting should be as easy as:

sudo pacman -S openvpn

sudo openvpn --config <path_to_ovpn_file>

The trouble is, it only connects once in 10-20 attempts, and there is no trend or logic to it. Sometimes it works, but most often it does not.

I use Linux Manjaro on my laptop, but I have the same problem on another laptop of mine with Ubuntu installed.

  • Using mssfix didn't help
  • Trying another Internet connection didn't help either. I tried sharing my mobile network without any success
  • Reinstalling an earlier version of OpenVPN (2.5.0 -> 2.4.8) had no effect

The most surprising part is that it works fine on another computer with exactly the same config file, but on Windows 7. Importing this ovpn file into OpenVPN Connect worked immediately, and the connection can be established every single time.

For a moment, I had a feeling that this might have something to do with Wi-Fi, but that idea was not confirmed when I tried a wired connection to my router.

Here is my client config:

client
dev tun
proto udp
remote some.address.net 1194
comp-lzo
resolv-retry infinite
auth-retry none
nobind
persist-key
persist-tun
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
mute-replay-warnings
ns-cert-type server
verb 3
mute 20

# Additional custom options
tls-version-min 1.2
mtu-test 

# Authentication 
<ca>
</ca>
<key>
</key>
<cert>
</cert>

What am I missing? Maybe there is some additional step that is necessary on both Manjaro and Ubuntu to make it work correctly? I have seen some instructions, but those, if I understand correctly, cover the case where you need to set up your own server, which is not the case here.

OpenVPN log:

2021-03-02 20:04:59 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-03-02 20:04:59 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-03-02 20:04:59 OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
2021-03-02 20:04:59 library versions: OpenSSL 1.1.1i  8 Dec 2020, LZO 2.10
2021-03-02 20:04:59 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
2021-03-02 20:04:59 TCP/UDP: Preserving recently used remote address: [AF_INET]192.243.55.42:1194
2021-03-02 20:04:59 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-03-02 20:04:59 UDP link local: (not bound)
2021-03-02 20:04:59 UDP link remote: [AF_INET]X.X.X.X:1194
2021-03-02 20:04:59 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=044d567f f34bfa49
2021-03-02 20:05:59 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-03-02 20:05:59 TLS Error: TLS handshake failed
2021-03-02 20:05:59 SIGUSR1[soft,tls-error] received, process restarting
2021-03-02 20:05:59 Restart pause, 5 second(s)

Without mtu-test, it's exactly the same timeout issue.

This can repeat for minutes or even hours and then suddenly connect.

Don Draper
  • Please attach logs, at least from the faulty system, but it would be nice to see relevant server logs too. // Also I don't get why you specify ciphers in the client. Modern OpenVPN (2.4+) supports negotiation and the cipher needs to be specified only on the server; also, the defaults are secure enough (it'll select AES-256-GCM), so simply don't specify any cipher anywhere. As for tls-cipher, it uses "DEFAULT:!EXP:!LOW:!MEDIUM:!kDH:!kECDH:!DSS:!PSK:!SRP:!kRSA" by default for OpenSSL. – Nikita Kipriyanov Mar 02 '21 at 14:14
  • While I was going to attach logs, a strange thing happened: I followed this instruction: https://openvpn.net/cloud-docs/openvpn-3-client-for-linux/ `openvpn3 session-start --config ` This works perfectly. Is there an explanation to that? – Don Draper Mar 02 '21 at 14:16
  • There couldn't be any explanation without any logs. – Nikita Kipriyanov Mar 02 '21 at 14:16
  • Can you please specify which logs exactly could be helpful? Something like `tcpdump`? Sorry if that's a stupid question, but I don't have much experience with that kind of troubleshooting – Don Draper Mar 02 '21 at 14:21
  • OpenVPN can write logs to the log file, or to syslog, in your case I suppose it'll just show them to the console. Also please test connection without `mtu-test`. – Nikita Kipriyanov Mar 02 '21 at 14:23
  • @NikitaKipriyanov, I have just updated the post – Don Draper Mar 02 '21 at 15:09
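The OpenVPN 2.5 log in the question itself points at several directives in this client config (comp-lzo, ns-cert-type, cipher without data-ciphers). Below is a small linter, written as an added example and not part of the original question or comments, that parses a .ovpn file (skipping the inline <ca>/<key>/<cert> blocks) and reports exactly those warnings; the config text is the one from the question, embedded as constructed sample input with the certificate blocks empty as posted.

```python
import re

# Constructed sample: the client config from the question, with the inline
# certificate block left empty exactly as it appears in the post.
SAMPLE_OVPN = """client
dev tun
proto udp
remote some.address.net 1194
comp-lzo
cipher AES-256-CBC
ns-cert-type server
tls-version-min 1.2
mtu-test
<ca>
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [[args...], ...]} for top-level directives.
    Comment lines are skipped; inline <tag>...</tag> blocks (certs, keys)
    are recorded as 'inline:<tag>' without exposing their contents."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if inline:                       # inside <tag> ... </tag>
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            inline = m.group(1)
            opts.setdefault("inline:" + inline, [])
            continue
        name, *args = line.split()
        opts.setdefault(name, []).append(args)
    return opts

def lint_ovpn(text):
    """Flag the directives OpenVPN 2.5 warns about in the question's log."""
    opts, findings = parse_ovpn(text), []
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression enabled (comp-lzo/compress): remove it, compression has been used to break encryption")
    if "ns-cert-type" in opts:
        findings.append("ns-cert-type is deprecated: use 'remote-cert-tls server'")
    if "cipher" in opts and "data-ciphers" not in opts:
        findings.append(f"cipher {opts['cipher'][0][0]} set without data-ciphers: add it to data-ciphers or use data-ciphers-fallback")
    if "mtu-test" in opts:
        findings.append("mtu-test is a connect-time probe, not needed for normal use; drop it while debugging handshake timeouts")
    if "tls-version-min" not in opts:
        findings.append("no tls-version-min: set 'tls-version-min 1.2'")
    return findings
```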
