OVPN connects on stable, not on testing

Migilenik
Posts: 28
Joined: 2011-08-07 09:04

OVPN connects on stable, not on testing

#1 Post by Migilenik »

Hi, I have got a weird problem with Debian Stretch.

I can't connect any testing installation to my OpenVPN server running on a MikroTik gateway at my customer's premises. It has been running for more than a year and all OVPN clients from XP (sadly) to 10 can successfully connect. The rest of the firm is powered by Debian Jessie and even those clients can connect without any problems.

But Stretch can't connect at all. I have got network-manager-openvpn-gnome and network-manager-openvpn with all dependencies installed, the configuration is correct (I have even set up new stable and testing clients side by side), but Stretch just can't connect.

I'm using a CA certificate with user credentials and AES-256-CBC, all configured through the Network Manager OVPN GUI wizard.

MikroTik shows "disconnected <internal error>" and "<TLS error>" in its log (picture); I will have to dig a little deeper for further information from MikroTik, if I have to.
http://postimg.org/image/y632ahi0l/

/var/log/messages says this:
    Sep 23 15:28:59 Dauntless nm-openvpn-serv[3815]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    Sep 23 15:30:48 Dauntless nm-openvpn-serv[4427]: Connect timer expired, disconnecting.
    Sep 23 17:42:14 Dauntless nm-openvpn-serv[12311]: Connect timer expired, disconnecting.
    Sep 23 17:44:15 Dauntless nm-openvpn-serv[12986]: Connect timer expired, disconnecting.
    Sep 23 17:45:49 Dauntless nm-openvpn-serv[13635]: Connect timer expired, disconnecting.

Thanks for any advice.

gradinaruvasile
Posts: 935
Joined: 2010-01-31 22:03
Location: Cluj, Romania

Re: OVPN connects on stable, not on testing

#2 Post by gradinaruvasile »

Please post the OpenVPN versions for server and client.
OpenVPN 2.3.11 has some hardening features that disable insecure (meaning lacking forward secrecy) ciphers, but it seems it also makes them incompatible with older versions' AES implementation (probably related to the OpenSSL version).
Sometimes disabling specific ciphers (like AES-256-CBC) and adding

tls-cipher DEFAULT:!EXP:!LOW:!MEDIUM:!PSK:!SRP
to the client conf helps, but it reduces the cipher to the default BF-CBC (usually 128 bit) encryption (that also means no hardware AES support, which may be important for slow CPUs).

https://community.openvpn.net/openvpn/ticket/685
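
Added example, not part of any post in this thread: a Python sketch that expands the tls-cipher string from post #2 on the local OpenSSL build and checks it for overlap with a peer's suite list, which is the first thing to verify when a handshake ends in a TLS error. The function names and the `SAMPLE_PEER` list are constructed for illustration; the sample is not what the MikroTik device in this thread offers.

```python
import ssl

# Cipher string quoted in post #2 (OpenSSL cipher-list syntax).
# In OpenVPN, tls-cipher governs the TLS control channel only.
TLS_CIPHER = "DEFAULT:!EXP:!LOW:!MEDIUM:!PSK:!SRP"

# Constructed sample of suites an older peer might offer; NOT taken from
# the MikroTik device in this thread. Replace with a list you have observed.
SAMPLE_PEER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5"]


def expand(cipher_string):
    """Return (name, protocol, key bits) for each suite the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def common_suites(local, peer_names):
    """Suites both ends support, kept in local preference order."""
    peer = set(peer_names)
    return [name for name, _proto, _bits in local if name in peer]


def weak_leftovers(local, banned=("EXP", "PSK", "SRP"), min_bits=128):
    """Suites that slipped past the exclusions; expected to be empty."""
    return [name for name, _proto, bits in local
            if bits < min_bits or any(tag in name for tag in banned)]


def report(cipher_string=TLS_CIPHER, peer_names=SAMPLE_PEER):
    """Print the local suite list, marking suites shared with the peer."""
    local = expand(cipher_string)
    shared = common_suites(local, peer_names)
    for name, proto, bits in local:
        mark = "*" if name in shared else " "
        print(f"{mark} {proto:8} {bits:4}  {name}")
    if not shared:
        print("no overlap with the peer list: the TLS handshake would fail")
    return shared


if __name__ == "__main__":
    report()
```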

Migilenik
Posts: 28
Joined: 2011-08-07 09:04

Re: OVPN connects on stable, not on testing

#3 Post by Migilenik »

Hi,

In Debian Jessie it's OpenVPN 2.3.4 (https://packages.debian.org/jessie/openvpn) and in MikroTik it has to be 2.3.3 or something before that. The RouterOS used in our GW was released at the end of 2014 and OVPN 2.3.3 was released in September 2014.
Support wrote me:
We have released RouterOS v6.36rc16 which contains a fix for this problem.
Well, this looks promising. I was already thinking about an upgrade. Thanks for the link, I will try tomorrow. :)

Migilenik
Posts: 28
Joined: 2011-08-07 09:04

Re: OVPN connects on stable, not on testing

#4 Post by Migilenik »

Small update: With ROS 6.37, testing can connect, but can't ping the GW IP address or any other device on the remote network.
ip addr sh shows the correct route in the table, and the tap0 interface correctly receives an IP from the remote DHCP server.

On stable or any Windows station everything works fine.