Login on Android client via OpenVPN not working

Hello,

Suddenly the connection to my network via a VPN connection does not work.

The VPN connection is staying in the stage “Authentication”.

Here is a part of the log file from the phone:

2024-07-25 19:14:33 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2024-07-25 19:14:33 UDPv4 link local: (not bound)
2024-07-25 19:14:33 UDPv4 link remote: [AF_INET]89.0.236.212:1194
2024-07-25 19:14:33 MANAGEMENT: >STATE:1721927673,WAIT,,,,,,
2024-07-25 19:14:33 MANAGEMENT: >STATE:1721927673,AUTH,,,,,,
2024-07-25 19:14:33 TLS: Initial packet from [AF_INET]89.0.236.212:1194, sid=85956ccb d3f60016

I am on stage 186 and I remember the last connection was with stage 185.
Not sure if it has worked since the last update.

Any hints to find out the reason for this?
I did not change anything regarding the certificate.

Best regards
R.

Check in your IPFire OpenVPN server log, and if you see a message that includes the words

VERIFY ERROR: depth=0, error=CRL has expired:

then read through the following thread for the reason and some workarounds until CU187 is released, which will apply the fix.

https://community.ipfire.org/t/log-summary-openvpn-no-crl-update/11816

3 Likes

Hi,

Sorry, I do not have such lines in the log file:

024-07-26 17:56:36 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2024-07-26 17:56:36 UDPv4 link local: (not bound)
2024-07-26 17:56:36 UDPv4 link remote: [AF_INET]89.0.245.39:1194
2024-07-26 17:56:36 MANAGEMENT: >STATE:1722009396,WAIT,,,,,,
2024-07-26 17:56:36 MANAGEMENT: >STATE:1722009396,AUTH,,,,,,
2024-07-26 17:56:36 TLS: Initial packet from [AF_INET]<ip>, sid=4c413cc0 fd604128
2024-07-26 17:56:37 VERIFY OK: depth=1, C=DE....
2024-07-26 17:56:37 VERIFY X509NAME OK: C=DE,.....
2024-07-26 17:56:37 VERIFY OK: depth=0, C=DE,...

Only these lines were shown.

Best regards
R.

Then you have a different problem, and you will need to show the client and server logs with the messages up to the point where it stops at authentication.
There should be messages that indicate what has made the client or the server stop at that stage.

The bits of the logs you have shown don’t show any error messages at all, so there must be more elsewhere in the logs.
You can always change any privacy-sensitive elements of the logs, such as your public IP, to xxx.xxx.xxx.xxx etc.

Which client are you using on your Android phone?

Hi,

These messages came up after I waited longer. I am using OpenVPN for Android, the latest version.

Client log part:
2024-07-26 21:26:22 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-07-26 21:26:22 TLS Error: TLS handshake failed

Server log part:
21:41:57 openvpnserver[7645]: I/O WAIT TR|Tw|SR|Sw [10/0]
21:41:57 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=9 arg=0x004cbc04
21:41:57 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=7 arg=0x004cbc08
21:41:57 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=8 arg=0x004cbd18
21:41:57 openvpnserver[7645]: SCHEDULE: schedule_find_least NULL
21:41:57 openvpnserver[7645]: MULTI: REAP range 240 -> 256
21:41:57 openvpnserver[7645]: I/O WAIT status=0x0020
21:41:57 openvpnserver[7645]: event_wait returned 0
21:41:47 openvpnserver[7645]: I/O WAIT TR|Tw|SR|Sw [10/0]
21:41:47 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=9 arg=0x004cbc04
21:41:47 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=7 arg=0x004cbc08
21:41:47 openvpnserver[7645]: PO_CTL rwflags=0x0001 ev=8 arg=0x004cbd18
21:41:47 openvpnserver[7645]: SCHEDULE: schedule_find_least NULL
21:41:47 openvpnserver[7645]: MULTI: REAP range 224 -> 240
21:41:47 openvpnserver[7645]: I/O WAIT status=0x0020

There are a lot of these log entries.

Best regards
R.

Your client log is saying that it did not get any reply to its request for the TLS key negotiation.

Your server has no indication of receiving anything from the client.

So the comment in the client log to “check your network connectivity” is a good suggestion.

For some reason the communication from the client is not getting to the server.

Are you using an IP for the connection from the client, or are you using Dynamic DNS? If the latter, has the DDNS IP been updated so that the use of the DDNS name is properly sending the client to the right IP?

Where are you trying to make the client connection from? Some wifi hotspots block any VPN-type ports that are being used. I have had that problem at various motorway service stations in some countries, dependent on the service station owner.

That error message has the following page at OpenVPN:
https://openvpn.net/faq/tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds-check-your-network-connectivity/

The various things mentioned with regard to the server don’t apply to IPFire, as it has rules to allow all those things. The second-to-last item is basically what I asked above with regard to using a DDNS name for the server address.

Do you have IPFire as the only router on your network between you and your ISP, or do you also have an ISP router with double NAT? Maybe something changed on the ISP router. Some of the routers provided by ISPs can be accessed by the ISP and modified etc. unless you turn that option off in the router configuration.

Hi,

I checked the DNS configuration. The connection is active and a ping to the DNS name is also possible.

I checked the Fritz!Box configuration and it is proper. The Fritz!Box also says the connection to DynDNS is correct and connected. I also checked the port forwarding, which is also configured for VPN.

When I try to connect via my mobile to IPFire it stops within the step “Authentication”.

When I stop the OpenVPN service, it stops at “Connection to server”; the connection is refused.

So I guess the IPFire system is connected with my mobile, but the step “Authentication” does not work. Or am I wrong?

Best regards
R.

If it is, then there should be messages in the OpenVPN server logs showing the connection to the client, but the server log section you showed had no client connection messages, and you said that all the messages in the server log were similar to what you showed.

Maybe you need to try to make a connection from the RW client to IPFire, then copy the server log from the time you tried to make the connection and show all of the logs from that time onwards.

Hi,

Now I see the line

176.1.150.53:56315 VERIFY ERROR: depth=0, error=CRL has expired:

I will check the post you pointed me to at the start.

Update:
After I entered the command:

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

as shown in the post, everything is working. I hope the next update will be within one month.

Thanks for help.

Best regards
R.

1 Like
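The thread above turned on one detail: the client only ever saw a TLS negotiation timeout, while the real cause (an expired CRL rejecting the client certificate) was visible only in the server log, and the fix was to regenerate the CRL. The following script is an added example, not code from this thread or from IPFire: it triages OpenVPN client and server log lines for those two signatures and evaluates the `nextUpdate=` line that `openssl crl -in <crl.pem> -noout -nextupdate` prints, so an expired CRL can be spotted before clients start failing. The log lines, the peer address 198.51.100.7 and the `SAMPLE_NOW` timestamp are constructed for the demonstration.

```python
"""Triage OpenVPN logs for an expired server CRL vs. a plain TLS timeout.

Added example (not from the thread or IPFire). Sample data below is constructed.
"""
import re
from datetime import datetime, timezone

# Message signatures quoted in the thread, turned into regexes.
CRL_EXPIRED = re.compile(r"VERIFY ERROR: depth=0, error=CRL has expired")
PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) VERIFY ERROR")
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+)")

# Constructed sample logs mirroring the thread (peer address is a placeholder).
CLIENT_LOG = """\
2024-07-26 17:56:37 VERIFY OK: depth=1, C=DE, ...
2024-07-26 17:56:37 VERIFY OK: depth=0, C=DE, ...
2024-07-26 21:26:22 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-07-26 21:26:22 TLS Error: TLS handshake failed"""

SERVER_LOG = """\
21:41:57 openvpnserver[7645]: I/O WAIT TR|Tw|SR|Sw [10/0]
21:41:57 openvpnserver[7645]: 198.51.100.7:56315 VERIFY ERROR: depth=0, error=CRL has expired: C=DE, ...
21:41:57 openvpnserver[7645]: MULTI: REAP range 240 -> 256"""

# Constructed "current time" so the CRL check below is reproducible offline.
SAMPLE_NOW = datetime(2024, 7, 26, 12, 0, 0, tzinfo=timezone.utc)


def hint_for(f):
    """Map the collected findings to the next check a practitioner should make."""
    if f["crl_expired"]:
        return ("server CRL has expired: regenerate it with openssl ca -gencrl "
                "(or apply the vendor fix); the client side only shows a TLS timeout")
    if f["tls_timeout"] is not None:
        return ("no TLS reply within %d s: check reachability (DDNS target, port forward, "
                "hotspot blocking the VPN port) and the server log for VERIFY ERROR"
                % f["tls_timeout"])
    if f["verify_ok_depths"]:
        return "server chain verified by the client; the failure is after that point"
    return "no known failure signature in these lines; collect more of the log"


def triage(lines):
    """Scan log lines (client or server) and return what was found plus a hint."""
    findings = {
        "crl_expired": False,    # server rejected the client cert because the CRL lapsed
        "peer": None,            # client address from the VERIFY ERROR line, if present
        "tls_timeout": None,     # seconds the client waited before giving up, if any
        "verify_ok_depths": [],  # chain depths the client verified successfully
    }
    for line in lines:
        if CRL_EXPIRED.search(line):
            findings["crl_expired"] = True
            m = PEER.search(line)
            if m:
                findings["peer"] = m.group(1)
        m = TLS_TIMEOUT.search(line)
        if m:
            findings["tls_timeout"] = int(m.group(1))
        m = VERIFY_OK.search(line)
        if m:
            findings["verify_ok_depths"].append(int(m.group(1)))
    findings["hint"] = hint_for(findings)
    return findings


def crl_expired_from_openssl(nextupdate_line, now=None):
    """Parse 'nextUpdate=Jul 26 12:00:00 2024 GMT' (output of
    `openssl crl -noout -nextupdate`) and return True once that time has passed."""
    key, _, value = nextupdate_line.strip().partition("=")
    if key != "nextUpdate":
        raise ValueError("expected a nextUpdate= line, got: %r" % nextupdate_line)
    fields = value.split()  # tolerates the space-padded day openssl prints ("Jul  6")
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError("unrecognised date format: %r" % value)
    when = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return now >= when


if __name__ == "__main__":
    print("client:", triage(CLIENT_LOG.splitlines())["hint"])
    print("server:", triage(SERVER_LOG.splitlines())["hint"])
    print("CRL expired:", crl_expired_from_openssl("nextUpdate=Jul 25 00:00:00 2024 GMT",
                                                   now=SAMPLE_NOW))
```

Run on the client excerpt alone, the script can only point at connectivity, which is exactly the dead end the thread hit; run on the server excerpt it names the expired CRL and the peer that was rejected. Piping the real `openssl crl -noout -nextupdate` output of the server's CRL into `crl_expired_from_openssl` from a cron job gives a warning before the `nextUpdate` date, rather than after remote clients start timing out.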

The next update CU187 has already been out in Testing phase for 16 days.

No feedback from anyone except the devs and it is very likely to be fully released early next week.

3 Likes