[SOLVED] VPN will not connect

[Rander]

I have my router (Asus RT-AC66U, FW ver. 3.0.0.4.382_51641) running an OpenVPN server. Using the OpenVPN client app on my phone, I can connect to it with no problems, so that part works!

I have tried setting up my (newly installed) LMDE4 as a client, and I cant get it to work! When I try and connect, it says "Connecting" for about 15 seconds, then says it was unable to connect.

The syslog has this to say:

Code: Select all

Feb 15 20:41:16 dellap NetworkManager[594]: <info>  [1613418076.2030] audit: op="connection-activate" uuid="b6d3a504-6b69-43dc-9944-eb87c64aeb0d" name="Home" pid=4246 uid=1000 result="success"
Feb 15 20:41:16 dellap NetworkManager[594]: <info>  [1613418076.2222] vpn-connection[0x558b65fba320,b6d3a504-6b69-43dc-9944-eb87c64aeb0d,"Home",0]: Started the VPN service, PID 6220
Feb 15 20:41:16 dellap NetworkManager[594]: <info>  [1613418076.2373] vpn-connection[0x558b65fba320,b6d3a504-6b69-43dc-9944-eb87c64aeb0d,"Home",0]: Saw the service appear; activating connection
Feb 15 20:41:16 dellap NetworkManager[594]: <info>  [1613418076.3295] vpn-connection[0x558b65fba320,b6d3a504-6b69-43dc-9944-eb87c64aeb0d,"Home",0]: VPN plugin: state changed: starting (3)
Feb 15 20:41:16 dellap NetworkManager[594]: <info>  [1613418076.3296] vpn-connection[0x558b65fba320,b6d3a504-6b69-43dc-9944-eb87c64aeb0d,"Home",0]: VPN connection: (ConnectInteractive) reply received
Feb 15 20:41:16 dellap nm-openvpn[6228]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Feb 15 20:41:16 dellap nm-openvpn[6228]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Feb 15 20:41:16 dellap nm-openvpn[6228]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Feb 15 20:41:16 dellap nm-openvpn[6228]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 15 20:41:16 dellap nm-openvpn[6228]: TCP/UDP: Preserving recently used remote address: [AF_INET]<my-ip>:1194
Feb 15 20:41:16 dellap nm-openvpn[6228]: UDP link local: (not bound)
Feb 15 20:41:16 dellap nm-openvpn[6228]: UDP link remote: [AF_INET]<my-ip>:1194
Feb 15 20:41:16 dellap nm-openvpn[6228]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Feb 15 20:41:16 dellap nm-openvpn[6228]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Feb 15 20:41:16 dellap nm-openvpn[6228]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Feb 15 20:41:16 dellap nm-openvpn[6228]: OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Feb 15 20:41:16 dellap nm-openvpn[6228]: TLS_ERROR: BIO read tls_read_plaintext error
Feb 15 20:41:16 dellap nm-openvpn[6228]: TLS Error: TLS object -> incoming plaintext read error
Feb 15 20:41:16 dellap nm-openvpn[6228]: TLS Error: TLS handshake failed
Feb 15 20:41:16 dellap nm-openvpn[6228]: SIGUSR1[soft,tls-error] received, process restarting
Feb 15 20:41:18 dellap NetworkManager[594]: <info>  [1613418078.7085] audit: op="connection-deactivate" uuid="b6d3a504-6b69-43dc-9944-eb87c64aeb0d" name="Home" pid=4246 uid=1000 result="success"
Feb 15 20:41:18 dellap dbus-daemon[583]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.10' (uid=0 pid=594 comm="/usr/sbin/NetworkManager --no-daemon ")
Feb 15 20:41:18 dellap systemd[1]: Starting Network Manager Script Dispatcher Service...
Feb 15 20:41:18 dellap nm-openvpn[6228]: SIGTERM[hard,init_instance] received, process exiting
Feb 15 20:41:18 dellap NetworkManager[594]: <warn>  [1613418078.7257] vpn-connection[0x558b65fba320,b6d3a504-6b69-43dc-9944-eb87c64aeb0d,"Home",0]: VPN plugin: failed: connect-failed (1)

As far as I can make out, it is some sort of tls-problem!? So, how do I move on from here? I'm guessing that I should tell LMDE to use an older tls-version, but how?

[it-place]

Hi Rander,

could you also post how you've configured your VPN client in LMDE4, please?

Regards - Olli

[Rander]

could you also post how you've configured your VPN client in LMDE4, please?

Well, I downloaded a .ovpn file from the router and imported that as a network VPN connection. That's what I did on a Mint 20 install, and that worked no problem (and still does). They both run the same version of openvpn, but i noticed that the Mint runs openssl 1.1.1f, while LMDE4 runs openssl 1.1.1d - could this be the problem?

If there are any specific settings you need, I'll see if I can find them...

[it-place]

I would take a deeper look into this error message:

TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only

At work we had some trouble with systems still using the old version of TLS (1.0).

[Rander]

Okay, so this solved another thing...

I thought my router no longer received updates - it's been a long time ago that it told me there was an update available. It appears that the server it checked no longer exists, but Asus did have a never firmware on their site. After installing that, it's self-checking for new firmwares now works again.

More importantly (for the matter at hand), this update also updated the routers openvpn 2.3.2 to 2.4.7 - and apparantly that was all it took! The connection from LMDE4 now works!