OpenVPN 2.6 client can't connect to Azure Virtual Network Gateway Point-to-Site VPN - Connection Reset

[itstrategic-gh]

We are experiencing issues connecting to the Azure VNG OpenVPN (SSL) Point-To-Site VPN after updating the OpenVPN client to version2.6.0 on Windows clients

• 2.6.0 release notes: https://community.openvpn.net/openvpn/wiki/Downloads

• Reverting to 2.5.8 resolves the issue

• disabling DCO has no impact, still get the Connection Reset message, see logs below

• using the vanilla client config downloaded from the Azure portal

Client details:

• OS Name Microsoft Windows 11 Enterprise

• Version 10.0.22621 Build 22621

• OpenVPN client 2.6.0

Connection log (redacted):

Tue Feb  7 10:31:13 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Tue Feb  7 10:31:13 2023 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
Tue Feb  7 10:31:13 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Tue Feb  7 10:31:13 2023 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Tue Feb  7 10:31:13 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Tue Feb  7 10:31:13 2023 Need hold release from management interface, waiting...
Tue Feb  7 10:31:13 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:20365
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'state on'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'log on all'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'echo on all'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'bytecount 5'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'state'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'hold off'
Tue Feb  7 10:31:13 2023 MANAGEMENT: CMD 'hold release'
Tue Feb  7 10:31:19 2023 MANAGEMENT: CMD 'username "Auth" "xxxxx.xxxxxx"'
Tue Feb  7 10:31:19 2023 MANAGEMENT: CMD 'password [...]'
Tue Feb  7 10:31:19 2023 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Feb  7 10:31:19 2023 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Feb  7 10:31:19 2023 MANAGEMENT: >STATE:1675726279,RESOLVE,,,,,,
Tue Feb  7 10:31:19 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
Tue Feb  7 10:31:19 2023 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Feb  7 10:31:19 2023 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443
Tue Feb  7 10:31:19 2023 MANAGEMENT: >STATE:1675726279,TCP_CONNECT,,,,,,
Tue Feb  7 10:31:19 2023 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
Tue Feb  7 10:31:19 2023 TCPv4_CLIENT link local: (not bound)
Tue Feb  7 10:31:19 2023 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
Tue Feb  7 10:31:19 2023 MANAGEMENT: >STATE:1675726279,WAIT,,,,,,
Tue Feb  7 10:31:19 2023 MANAGEMENT: >STATE:1675726279,AUTH,,,,,,
Tue Feb  7 10:31:19 2023 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=83ee9c91 06a05be5
Tue Feb  7 10:31:19 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Feb  7 10:31:19 2023 Connection reset, restarting [0]
Tue Feb  7 10:31:19 2023 SIGUSR1[soft,connection-reset] received, process restarting
Tue Feb  7 10:31:19 2023 MANAGEMENT: >STATE:1675726279,RECONNECTING,connection-reset,,,,,

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: cf66871e-f045-8ecb-6aff-dd36e20f1601
• Version Independent ID: 19b1740f-ba43-92a3-74e7-28fb6c462f2b
• Content: How to enable OpenVPN for P2S VPN gateways - Azure VPN Gateway
• Content Source: articles/vpn-gateway/vpn-gateway-howto-openvpn.md
• Service: vpn-gateway
• GitHub Login: @cherylmc
• Microsoft Alias: cherylmc

[ManoharLakkoju-MSFT]

@itstrategic-gh Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

@itstrategic-gh It would be great if you could add a link to the documentation you are following for these steps? This would help us redirect the issue to the appropriate team. Thanks!

[itstrategic-gh]

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn

[Akhisar]

We too faced similar issue and restriction is documented as per Azure support. A fix would be very much appreciated.

FYR: https://learn.microsoft.com/en-us/azure/virtual-wan/howto-openvpn-clients#windows

Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website. Version 2.6 is not yet supported.```

[cherylmc]

Updated - 2.6 isn't yet supported. #please-close

[InDoNax]

Are there any plans to support the newer versions of OpenVPN?

[Sylphe88]

OpenVPN is moving on and 2.6 has been out for almost 2 years (let alone the 3.x version for macOS...) and users at my company are really asking why we're stuck with an old client version. Any news?

[JustinGrote]

For anyone coming here like me, these docs are out of date. OpenVPN connect 3+ works just fine, here is mine working with ca-based cert auth

Here's the proper docs: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-windows-openvpn-client-version-3

To be clear this is for Virtual Network Gateway, I think Virtual WAN may still have these restrictions.