Hi, all
All the OpenVPN clients were working before the Core 170 upgrade, and after the server reboot they cannot complete the connection. I've checked the whole configuration and started from zero, without success. Is anyone having the same issue?
I'll be grateful for any suggestion about the matter, as I really don't know how to proceed.
Thanks in advance
Best regards
Here are the logs and configuration for both server and client:
SERVER CONFIG
#OpenVPN Server conf
daemon openvpnserver
writepid /var/run/openvpn.pid
#DAN prepare OpenVPN for listening on blue and orange
;local 147.83.92.136
dev tun
proto udp
port 1194
script-security 3
ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600
client-config-dir /var/ipfire/ovpn/ccd
tls-server
ca /var/ipfire/ovpn/ca/cacert.pem
cert /var/ipfire/ovpn/certs/servercert.pem
key /var/ipfire/ovpn/certs/serverkey.pem
dh /var/ipfire/ovpn/ca/dh1024.pem
server 10.8.0.0 255.255.255.0
tun-mtu 1500
mssfix
keepalive 10 60
status-version 1
status /var/run/ovpnserver.log 30
ncp-disable
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-auth /var/ipfire/ovpn/certs/ta.key
push "dhcp-option DOMAIN cttc.org"
push "dhcp-option DNS 10.1.1.1"
max-clients 100
tls-verify /usr/lib/openvpn/verify
crl-verify /var/ipfire/ovpn/crls/cacrl.pem
auth-user-pass-optional
reneg-sec 86400
user nobody
group nobody
persist-key
persist-tun
verb 3
# Log clients connecting/disconnecting
client-connect "/usr/sbin/openvpn-metrics client-connect"
client-disconnect "/usr/sbin/openvpn-metrics client-disconnect"
# Enable Management Socket
management /var/run/openvpn.sock unix
management-client-auth
#---------------------------
# Start of custom directives
# from server.conf.local
#---------------------------
topology subnet
management localhost 7505
#-----------------------------
# End of custom directives
#-----------------------------
SERVER LOG
2022-10-12 15:19:40 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
2022-10-12 15:19:40 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 7 2022
2022-10-12 15:19:40 library versions: OpenSSL 1.1.1q 5 Jul 2022, LZO 2.10
2022-10-12 15:19:40 MANAGEMENT: unix domain socket listening on localhost
2022-10-12 15:19:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-10-12 15:19:40 Diffie-Hellman initialized with 2048 bit key
2022-10-12 15:19:40 CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
2022-10-12 15:19:40 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:19:40 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:19:40 TUN/TAP device tun0 opened
2022-10-12 15:19:40 /sbin/ip link set dev tun0 up mtu 1500
2022-10-12 15:19:40 /sbin/ip link set dev tun0 up
2022-10-12 15:19:40 /sbin/ip addr add dev tun0 10.8.0.1/24
2022-10-12 15:19:40 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-10-12 15:19:40 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-10-12 15:19:40 UDPv4 link local (bound): [AF_INET][undef]:1194
2022-10-12 15:19:40 UDPv4 link remote: [AF_UNSPEC]
2022-10-12 15:19:40 GID set to nobody
2022-10-12 15:19:40 UID set to nobody
2022-10-12 15:19:40 MULTI: multi_init called, r=256 v=256
2022-10-12 15:19:40 IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2022-10-12 15:19:40 IFCONFIG POOL LIST
2022-10-12 15:19:40 Initialization Sequence Completed
2022-10-12 15:20:15 93.176.132.127:33999 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:20:15 93.176.132.127:33999 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:20:15 93.176.132.127:33999 TLS: Initial packet from [AF_INET]93.176.132.127:33999, sid=10409916 84230194
2022-10-12 15:20:15 93.176.132.127:33999 VERIFY SCRIPT OK: depth=1, C=ES, ST=Barcelona, L=Terrassa, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Tranferencia de Calor, CN=Universitat Politecnica de Catalunya CA, emailAddress=ramiro.alba@upc.edu
2022-10-12 15:20:15 93.176.132.127:33999 VERIFY OK: depth=1, C=ES, ST=Barcelona, L=Terrassa, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Tranferencia de Calor, CN=Universitat Politecnica de Catalunya CA, emailAddress=ramiro.alba@upc.edu
2022-10-12 15:20:15 93.176.132.127:33999 VERIFY SCRIPT OK: depth=0, C=ES, ST=Barcelona, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Transferencia de Calor, CN=Ramiro Alba Queipo D
2022-10-12 15:20:15 93.176.132.127:33999 VERIFY OK: depth=0, C=ES, ST=Barcelona, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Transferencia de Calor, CN=Ramiro Alba Queipo D
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_VER=2.5.5
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_PLAT=linux
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_PROTO=6
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_NCP=2
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_LZ4=1
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_LZ4v2=1
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_LZO=1
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_COMP_STUB=1
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_COMP_STUBv2=1
2022-10-12 15:20:15 93.176.132.127:33999 peer info: IV_TCPNL=1
2022-10-12 15:20:15 93.176.132.127:33999 TLS: Username/Password authentication deferred for username ''
2022-10-12 15:20:15 93.176.132.127:33999 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-12 15:20:15 93.176.132.127:33999 [Ramiro Alba Queipo D] Peer Connection Initiated with [AF_INET]93.176.132.127:33999
2022-10-12 15:20:16 93.176.132.127:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:21 93.176.132.127:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:27 93.176.132.127:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:32 93.176.132.127:33999 PUSH: Received control message: 'PUSH_REQUEST'
CLIENT CONFIG
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1500
remote 147.83.92.136 1194
pkcs12 RamiroAlbaD.p12
cipher AES-256-GCM
auth SHA512
tls-auth ta.key
verb 3
remote-cert-tls server
verify-x509-name cttc.upc.es name
mssfix
auth-nocache
auth-token-user USER
auth-token TOTP
auth-retry interact
#---------------------------
# Start of custom directives
# from client.conf.local
#---------------------------
# Uncomment if the Operating System is Linux. In that case, the
# package 'openresolv' must be installed.
data-ciphers-fallback 'AES-256-GCM'
log /var/log/openvpn.log
status /var/log/openvpn-status.log
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#---------------------------
# End of custom directives
#---------------------------
CLIENT LOG
2022-10-12 15:20:15 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-10-12 15:20:15 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-10-12 15:20:15 NOTE: starting with OpenVPN 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables
2022-10-12 15:20:15 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:20:15 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2022-10-12 15:20:15 TCP/UDP: Preserving recently used remote address: [AF_INET]147.83.92.136:1194
2022-10-12 15:20:15 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-10-12 15:20:15 UDP link local: (not bound)
2022-10-12 15:20:15 UDP link remote: [AF_INET]147.83.92.136:1194
2022-10-12 15:20:15 TLS: Initial packet from [AF_INET]147.83.92.136:1194, sid=3974a395 0c904902
2022-10-12 15:20:15 VERIFY OK: depth=1, C=ES, ST=Barcelona, L=Terrassa, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Tranferencia de Calor, CN=Universitat Politecnica de Catalunya CA, emailAddress=ramiro.alba@upc.edu
2022-10-12 15:20:15 VERIFY KU OK
2022-10-12 15:20:15 Validating certificate extended key usage
2022-10-12 15:20:15 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-10-12 15:20:15 VERIFY EKU OK
2022-10-12 15:20:15 VERIFY X509NAME OK: C=ES, ST=Barcelona, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Tranferencia de Calor, CN=cttc.upc.es
2022-10-12 15:20:15 VERIFY OK: depth=0, C=ES, ST=Barcelona, O=Universitat Politecnica de Catalunya, OU=Centre Tecnologic de Tranferencia de Calor, CN=cttc.upc.es
2022-10-12 15:20:15 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-10-12 15:20:15 [cttc.upc.es] Peer Connection Initiated with [AF_INET]147.83.92.136:1194
2022-10-12 15:20:16 SENT CONTROL [cttc.upc.es]: 'PUSH_REQUEST' (status=1)
2022-10-12 15:20:21 SENT CONTROL [cttc.upc.es]: 'PUSH_REQUEST' (status=1)
2022-10-12 15:20:27 SENT CONTROL [cttc.upc.es]: 'PUSH_REQUEST' (status=1)
2022-10-12 15:20:32 SENT CONTROL [cttc.upc.es]: 'PUSH_REQUEST' (status=1)
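The server log above shows the pattern worth alerting on: the TLS handshake completes, username/password authentication is deferred, and the client then sends PUSH_REQUEST repeatedly without the server ever answering with a PUSH_REPLY. The following script is an added example, not part of the original post or of IPFire, that scans an OpenVPN server log in that format and reports sessions stuck in this state; the log lines embedded in it are constructed with documentation addresses and a made-up PUSH_REPLY line for the healthy client.

```python
import re
from datetime import datetime

# Constructed sample in the format of the server log above: one client whose
# deferred auth is never answered, one client that does receive its PUSH_REPLY.
SAMPLE_SERVER_LOG = """\
2022-10-12 15:20:15 203.0.113.5:33999 TLS: Username/Password authentication deferred for username ''
2022-10-12 15:20:15 203.0.113.5:33999 [client-a] Peer Connection Initiated with [AF_INET]203.0.113.5:33999
2022-10-12 15:20:16 203.0.113.5:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:21 203.0.113.5:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:27 203.0.113.5:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:20:32 203.0.113.5:33999 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:21:00 198.51.100.7:44000 [client-b] Peer Connection Initiated with [AF_INET]198.51.100.7:44000
2022-10-12 15:21:01 198.51.100.7:44000 PUSH: Received control message: 'PUSH_REQUEST'
2022-10-12 15:21:01 198.51.100.7:44000 SENT CONTROL [client-b]: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0' (status=1)
"""

# timestamp, peer address:port, rest of message (verb 3 server log format)
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+:\d+) (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def find_stalled_sessions(log_text, min_requests=2):
    """Return {peer: summary} for sessions that completed the handshake but
    kept sending PUSH_REQUEST (>= min_requests) and never got a PUSH_REPLY."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup lines carry no peer prefix and are skipped
        ts, peer, msg = m.groups()
        s = sessions.setdefault(peer, {"deferred": False, "initiated": False,
                                       "push_requests": 0, "push_reply": False,
                                       "first": ts, "last": ts})
        s["last"] = ts
        if "authentication deferred" in msg:
            s["deferred"] = True          # waiting on an external auth decision
        elif "Peer Connection Initiated" in msg:
            s["initiated"] = True         # TLS handshake finished
        elif "'PUSH_REQUEST'" in msg:
            s["push_requests"] += 1
        elif "'PUSH_REPLY" in msg:
            s["push_reply"] = True        # server answered; session is healthy
    stalled = {}
    for peer, s in sessions.items():
        if s["initiated"] and s["push_requests"] >= min_requests and not s["push_reply"]:
            delta = datetime.strptime(s["last"], TS_FMT) - datetime.strptime(s["first"], TS_FMT)
            s["stalled_seconds"] = int(delta.total_seconds())
            stalled[peer] = s
    return stalled

if __name__ == "__main__":
    for peer, s in find_stalled_sessions(SAMPLE_SERVER_LOG).items():
        print(f"{peer}: {s['push_requests']} PUSH_REQUESTs over {s['stalled_seconds']}s, "
              f"no PUSH_REPLY, auth deferred={s['deferred']}")
```

A session flagged with `deferred=True` points at whatever is supposed to complete the deferred authentication (for this server config, the management-client-auth side) rather than at the TLS or cipher settings, which the log shows succeeding.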