qlwpub / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

TLS handshake fails a couple of times, then connects. #232

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use the below config. 
2. It will fail to connect with: 
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
3. It will then retry and after 2-3 tries it usually succeeds in connecting. Sometimes it gives up after 5 tries.

What is the expected output? What do you see instead?
I expect to connect on the first try. Why is it failing a few times?
If I connect with OpenVPN on Windows or Linux or with the OpenVPN Connect app on Android or iPad there is no problem connecting.

What mobile phone are you using?
Moto G
It also happens on Samsung 7" GalaxyTab 2

Which Android Version and stock ROM or aftermarket like cyanogenmod?
On Moto G: Android 4.4.2
On Galaxy Tab2: 4.2.2

Please provide any additional information below.
Log file from Moto G (I tried to give it 'verb 7' in the config but it ignores it and insists on 'verb 4', why is this?):
2014-02-06 00:47:14 Building configuration…
2014-02-06 00:47:16 started Socket Thread
2014-02-06 00:47:16 P:Initializing Google Breakpad!
2014-02-06 00:47:16 Current Parameter Settings:
2014-02-06 00:47:16 config = '/data/data/de.blinkt.openvpn/cache/android.conf'
2014-02-06 00:47:16 mode = 0
2014-02-06 00:47:16 show_ciphers = DISABLED
2014-02-06 00:47:16 show_digests = DISABLED
2014-02-06 00:47:16 show_engines = DISABLED
2014-02-06 00:47:16 genkey = DISABLED
2014-02-06 00:47:16 key_pass_file = '[UNDEF]'
2014-02-06 00:47:16 show_tls_ciphers = DISABLED
2014-02-06 00:47:16 connect_retry_max = 5
2014-02-06 00:47:16 Connection profiles [default]:
2014-02-06 00:47:16 proto = udp
2014-02-06 00:47:16 local = '[UNDEF]'
2014-02-06 00:47:16 local_port = '1194'
2014-02-06 00:47:16 remote = '[UNDEF]'
2014-02-06 00:47:16 remote_port = '1194'
2014-02-06 00:47:16 remote_float = DISABLED
2014-02-06 00:47:16 bind_defined = DISABLED
2014-02-06 00:47:16 bind_local = DISABLED
2014-02-06 00:47:16 bind_ipv6_only = DISABLED
2014-02-06 00:47:16 connect_retry_seconds = 5
2014-02-06 00:47:16 connect_timeout = 10
2014-02-06 00:47:16 socks_proxy_server = '[UNDEF]'
2014-02-06 00:47:16 socks_proxy_port = '[UNDEF]'
2014-02-06 00:47:16 socks_proxy_retry = DISABLED
2014-02-06 00:47:16 tun_mtu = 1500
2014-02-06 00:47:16 tun_mtu_defined = ENABLED
2014-02-06 00:47:16 link_mtu = 1500
2014-02-06 00:47:16 link_mtu_defined = DISABLED
2014-02-06 00:47:16 tun_mtu_extra = 32
2014-02-06 00:47:16 tun_mtu_extra_defined = ENABLED
2014-02-06 00:47:16 mtu_discover_type = -1
2014-02-06 00:47:16 fragment = 0
2014-02-06 00:47:16 mssfix = 1450
2014-02-06 00:47:16 explicit_exit_notification = 2
2014-02-06 00:47:16 Connection profiles [0]:
2014-02-06 00:47:16 proto = udp
2014-02-06 00:47:16 local = '[UNDEF]'
2014-02-06 00:47:16 local_port = '[UNDEF]'
2014-02-06 00:47:16 remote = 'us.citizenvpn.com'
2014-02-06 00:47:16 remote_port = '80'
2014-02-06 00:47:16 remote_float = DISABLED
2014-02-06 00:47:16 bind_defined = DISABLED
2014-02-06 00:47:16 bind_local = DISABLED
2014-02-06 00:47:16 bind_ipv6_only = DISABLED
2014-02-06 00:47:16 connect_retry_seconds = 5
2014-02-06 00:47:16 connect_timeout = 10
2014-02-06 00:47:16 socks_proxy_server = '[UNDEF]'
2014-02-06 00:47:16 socks_proxy_port = '[UNDEF]'
2014-02-06 00:47:16 socks_proxy_retry = DISABLED
2014-02-06 00:47:16 tun_mtu = 1500
2014-02-06 00:47:16 tun_mtu_defined = ENABLED
2014-02-06 00:47:16 link_mtu = 1500
2014-02-06 00:47:16 link_mtu_defined = DISABLED
2014-02-06 00:47:16 tun_mtu_extra = 32
2014-02-06 00:47:16 tun_mtu_extra_defined = ENABLED
2014-02-06 00:47:16 mtu_discover_type = -1
2014-02-06 00:47:16 fragment = 0
2014-02-06 00:47:16 mssfix = 1450
2014-02-06 00:47:16 explicit_exit_notification = 2
2014-02-06 00:47:16 Connection profiles END
2014-02-06 00:47:16 remote_random = DISABLED
2014-02-06 00:47:16 ipchange = '[UNDEF]'
2014-02-06 00:47:16 dev = 'tun'
2014-02-06 00:47:16 dev_type = '[UNDEF]'
2014-02-06 00:47:16 dev_node = '[UNDEF]'
2014-02-06 00:47:16 lladdr = '[UNDEF]'
2014-02-06 00:47:16 topology = 1
2014-02-06 00:47:16 tun_ipv6 = DISABLED
2014-02-06 00:47:16 ifconfig_local = '[UNDEF]'
2014-02-06 00:47:16 ifconfig_remote_netmask = '[UNDEF]'
2014-02-06 00:47:16 ifconfig_noexec = DISABLED
2014-02-06 00:47:16 ifconfig_nowarn = DISABLED
2014-02-06 00:47:16 ifconfig_ipv6_local = '[UNDEF]'
2014-02-06 00:47:16 ifconfig_ipv6_netbits = 0
2014-02-06 00:47:16 ifconfig_ipv6_remote = '[UNDEF]'
2014-02-06 00:47:16 shaper = 0
2014-02-06 00:47:16 mtu_test = 0
2014-02-06 00:47:16 mlock = DISABLED
2014-02-06 00:47:16 keepalive_ping = 0
2014-02-06 00:47:16 keepalive_timeout = 0
2014-02-06 00:47:16 inactivity_timeout = 0
2014-02-06 00:47:16 ping_send_timeout = 0
2014-02-06 00:47:16 ping_rec_timeout = 0
2014-02-06 00:47:16 ping_rec_timeout_action = 0
2014-02-06 00:47:16 ping_timer_remote = DISABLED
2014-02-06 00:47:16 remap_sigusr1 = 0
2014-02-06 00:47:16 persist_tun = ENABLED
2014-02-06 00:47:16 persist_local_ip = DISABLED
2014-02-06 00:47:16 persist_remote_ip = DISABLED
2014-02-06 00:47:16 persist_key = DISABLED
2014-02-06 00:47:16 passtos = DISABLED
2014-02-06 00:47:16 resolve_retry_seconds = 1000000000
2014-02-06 00:47:16 resolve_in_advance = ENABLED
2014-02-06 00:47:16 username = '[UNDEF]'
2014-02-06 00:47:16 groupname = '[UNDEF]'
2014-02-06 00:47:16 chroot_dir = '[UNDEF]'
2014-02-06 00:47:16 cd_dir = '[UNDEF]'
2014-02-06 00:47:16 writepid = '[UNDEF]'
2014-02-06 00:47:16 up_script = '[UNDEF]'
2014-02-06 00:47:16 down_script = '[UNDEF]'
2014-02-06 00:47:16 down_pre = DISABLED
2014-02-06 00:47:16 up_restart = DISABLED
2014-02-06 00:47:16 up_delay = DISABLED
2014-02-06 00:47:16 daemon = DISABLED
2014-02-06 00:47:16 inetd = 0
2014-02-06 00:47:16 log = DISABLED
2014-02-06 00:47:16 suppress_timestamps = DISABLED
2014-02-06 00:47:16 machine_readable_output = ENABLED
2014-02-06 00:47:16 nice = 0
2014-02-06 00:47:16 verbosity = 4
2014-02-06 00:47:16 mute = 0
2014-02-06 00:47:16 gremlin = 0
2014-02-06 00:47:16 status_file = '[UNDEF]'
2014-02-06 00:47:16 status_file_version = 1
2014-02-06 00:47:16 status_file_update_freq = 60
2014-02-06 00:47:16 occ = ENABLED
2014-02-06 00:47:16 rcvbuf = 65536
2014-02-06 00:47:16 sndbuf = 65536
2014-02-06 00:47:16 sockflags = 0
2014-02-06 00:47:16 fast_io = DISABLED
2014-02-06 00:47:16 comp.alg = 0
2014-02-06 00:47:16 comp.flags = 0
2014-02-06 00:47:16 route_script = '[UNDEF]'
2014-02-06 00:47:16 route_default_gateway = '[UNDEF]'
2014-02-06 00:47:16 route_default_metric = 0
2014-02-06 00:47:16 route_noexec = DISABLED
2014-02-06 00:47:16 route_delay = 0
2014-02-06 00:47:16 route_delay_window = 30
2014-02-06 00:47:16 route_delay_defined = DISABLED
2014-02-06 00:47:16 route_nopull = DISABLED
2014-02-06 00:47:16 route_gateway_via_dhcp = DISABLED
2014-02-06 00:47:16 max_routes = 100
2014-02-06 00:47:16 allow_pull_fqdn = DISABLED
2014-02-06 00:47:16 management_addr = '/data/data/de.blinkt.openvpn/cache/mgmtsocket'
2014-02-06 00:47:16 management_port = 'unix'
2014-02-06 00:47:16 management_user_pass = '[UNDEF]'
2014-02-06 00:47:16 management_log_history_cache = 250
2014-02-06 00:47:16 management_echo_buffer_size = 100
2014-02-06 00:47:16 management_write_peer_info_file = '[UNDEF]'
2014-02-06 00:47:16 management_client_user = '[UNDEF]'
2014-02-06 00:47:16 management_client_group = '[UNDEF]'
2014-02-06 00:47:16 management_flags = 4390
2014-02-06 00:47:16 shared_secret_file = '[UNDEF]'
2014-02-06 00:47:16 key_direction = 2
2014-02-06 00:47:16 ciphername_defined = ENABLED
2014-02-06 00:47:16 ciphername = 'AES-256-CBC'
2014-02-06 00:47:16 authname_defined = ENABLED
2014-02-06 00:47:16 authname = 'SHA1'
2014-02-06 00:47:16 prng_hash = 'SHA1'
2014-02-06 00:47:16 prng_nonce_secret_len = 16
2014-02-06 00:47:16 keysize = 0
2014-02-06 00:47:16 engine = DISABLED
2014-02-06 00:47:16 replay = ENABLED
2014-02-06 00:47:16 mute_replay_warnings = DISABLED
2014-02-06 00:47:16 Network Status: CONNECTED to WIFI "iogt"
2014-02-06 00:47:16 replay_window = 64
2014-02-06 00:47:16 replay_time = 15
2014-02-06 00:47:17 packet_id_file = '[UNDEF]'
2014-02-06 00:47:17 use_iv = ENABLED
2014-02-06 00:47:17 test_crypto = DISABLED
2014-02-06 00:47:17 tls_server = DISABLED
2014-02-06 00:47:17 tls_client = ENABLED
2014-02-06 00:47:17 key_method = 2
2014-02-06 00:47:17 ca_file = '[[INLINE]]'
2014-02-06 00:47:17 ca_path = '[UNDEF]'
2014-02-06 00:47:17 dh_file = '[UNDEF]'
2014-02-06 00:47:17 cert_file = '[[INLINE]]'
2014-02-06 00:47:17 priv_key_file = '[[INLINE]]'
2014-02-06 00:47:17 pkcs12_file = '[UNDEF]'
2014-02-06 00:47:17 cipher_list = '[UNDEF]'
2014-02-06 00:47:17 tls_verify = '[UNDEF]'
2014-02-06 00:47:17 tls_export_cert = '[UNDEF]'
2014-02-06 00:47:17 verify_x509_type = 0
2014-02-06 00:47:17 verify_x509_name = '[UNDEF]'
2014-02-06 00:47:17 crl_file = '[UNDEF]'
2014-02-06 00:47:17 ns_cert_type = 1
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_ku[i] = 0
2014-02-06 00:47:17 remote_cert_eku = '[UNDEF]'
2014-02-06 00:47:17 ssl_flags = 0
2014-02-06 00:47:17 tls_timeout = 2
2014-02-06 00:47:17 renegotiate_bytes = 0
2014-02-06 00:47:17 renegotiate_packets = 0
2014-02-06 00:47:17 renegotiate_seconds = 3600
2014-02-06 00:47:17 handshake_window = 60
2014-02-06 00:47:17 transition_window = 3600
2014-02-06 00:47:17 single_session = DISABLED
2014-02-06 00:47:17 push_peer_info = DISABLED
2014-02-06 00:47:17 tls_exit = DISABLED
2014-02-06 00:47:17 tls_auth_file = '[[INLINE]]'
2014-02-06 00:47:17 client = ENABLED
2014-02-06 00:47:17 pull = ENABLED
2014-02-06 00:47:17 auth_user_pass_file = 'stdin'
2014-02-06 00:47:17 OpenVPN 2.4-icsopenvpn android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [SNAPPY] [EPOLL] [MH] [IPv6] built on Dec 9 2013
2014-02-06 00:47:17 MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
2014-02-06 00:47:17 MANAGEMENT: CMD 'hold release'
2014-02-06 00:47:17 MANAGEMENT: CMD 'username 'Auth' mkHsNqpQ'
2014-02-06 00:47:17 MANAGEMENT: CMD 'bytecount 2'
2014-02-06 00:47:17 MANAGEMENT: CMD 'state on'
2014-02-06 00:47:17 MANAGEMENT: CMD 'password [...]'
2014-02-06 00:47:17 MANAGEMENT: >STATE:1391644036,RESOLVE,,,
2014-02-06 00:47:22 MANAGEMENT: CMD 'proxy NONE'
2014-02-06 00:47:23 Control Channel Authentication: tls-auth using INLINE static key file
2014-02-06 00:47:23 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:47:23 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:47:23 Control Channel MTU parms [ L:1589 D:166 EF:66 EB:0 ET:0 EL:0 ]
2014-02-06 00:47:23 Data Channel MTU parms [ L:1589 D:1450 EF:57 EB:400 ET:32 EL:0 ]
2014-02-06 00:47:23 Local Options String: 'V4,dev-type tun,link-mtu 1589,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2014-02-06 00:47:23 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1589,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2014-02-06 00:47:23 Local Options hash (VER=V4): 'c5080cb9'
2014-02-06 00:47:23 Expected Remote Options hash (VER=V4): '195cb9c5'
2014-02-06 00:47:23 TCP/UDP: Preserving recently used remote address: [AF_INET]68.233.237.11:80
2014-02-06 00:47:23 Socket Buffers: R=[163840->131072] S=[163840->131072]
2014-02-06 00:47:23 Protecting socket fd 4
2014-02-06 00:47:23 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2014-02-06 00:47:23 UDP link local: (not bound)
2014-02-06 00:47:23 UDP link remote: [AF_INET]68.233.237.11:80
2014-02-06 00:47:23 MANAGEMENT: >STATE:1391644043,WAIT,,,
2014-02-06 00:47:23 MANAGEMENT: >STATE:1391644043,AUTH,,,
2014-02-06 00:47:23 TLS: Initial packet from [AF_INET]68.233.237.11:80, sid=6d16a7b8 8af1bad6
2014-02-06 00:47:23 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2014-02-06 00:47:54 VERIFY OK: depth=1, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=CitizenVPN CA, emailAddress=info@citizenvpn.com
2014-02-06 00:47:54 VERIFY OK: nsCertType=SERVER
2014-02-06 00:47:54 VERIFY OK: depth=0, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=server, emailAddress=info@citizenvpn.com
2014-02-06 00:48:24 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2014-02-06 00:48:24 TLS Error: TLS handshake failed
2014-02-06 00:48:24 TCP/UDP: Closing socket
2014-02-06 00:48:24 SIGUSR1[soft,tls-error] received, process restarting
2014-02-06 00:48:24 MANAGEMENT: >STATE:1391644104,RECONNECTING,tls-error,,
2014-02-06 00:48:24 MANAGEMENT: CMD 'hold release'
2014-02-06 00:48:24 MANAGEMENT: CMD 'bytecount 2'
2014-02-06 00:48:24 MANAGEMENT: CMD 'state on'
2014-02-06 00:48:24 MANAGEMENT: CMD 'proxy NONE'
2014-02-06 00:48:25 Control Channel Authentication: tls-auth using INLINE static key file
2014-02-06 00:48:25 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:48:25 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:48:25 Control Channel MTU parms [ L:1589 D:166 EF:66 EB:0 ET:0 EL:0 ]
2014-02-06 00:48:25 Data Channel MTU parms [ L:1589 D:1450 EF:57 EB:400 ET:32 EL:0 ]
2014-02-06 00:48:25 Local Options String: 'V4,dev-type tun,link-mtu 1589,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2014-02-06 00:48:25 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1589,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2014-02-06 00:48:25 Local Options hash (VER=V4): 'c5080cb9'
2014-02-06 00:48:25 Expected Remote Options hash (VER=V4): '195cb9c5'
2014-02-06 00:48:25 TCP/UDP: Preserving recently used remote address: [AF_INET]68.233.237.11:80
2014-02-06 00:48:25 Socket Buffers: R=[163840->131072] S=[163840->131072]
2014-02-06 00:48:25 Protecting socket fd 4
2014-02-06 00:48:25 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2014-02-06 00:48:25 UDP link local: (not bound)
2014-02-06 00:48:25 UDP link remote: [AF_INET]68.233.237.11:80
2014-02-06 00:48:25 MANAGEMENT: >STATE:1391644105,WAIT,,,
2014-02-06 00:48:25 MANAGEMENT: >STATE:1391644105,AUTH,,,
2014-02-06 00:48:25 TLS: Initial packet from [AF_INET]68.233.237.11:80, sid=018406c5 08d13c82
2014-02-06 00:48:32 VERIFY OK: depth=1, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=CitizenVPN CA, emailAddress=info@citizenvpn.com
2014-02-06 00:48:32 VERIFY OK: nsCertType=SERVER
2014-02-06 00:48:32 VERIFY OK: depth=0, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=server, emailAddress=info@citizenvpn.com
2014-02-06 00:48:48 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-02-06 00:48:48 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:48:48 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2014-02-06 00:48:48 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2014-02-06 00:48:48 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2014-02-06 00:48:48 [server] Peer Connection Initiated with [AF_INET]68.233.237.11:80
2014-02-06 00:48:50 MANAGEMENT: >STATE:1391644130,GET_CONFIG,,,
2014-02-06 00:48:51 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2014-02-06 00:48:51 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 66.96.80.43,dhcp-option DNS 66.96.80.194,route 10.5.3.1,topology net30,ping 10,ping-restart 120,ifconfig 10.5.3.182 10.5.3.181'
2014-02-06 00:48:51 OPTIONS IMPORT: timers and/or timeouts modified
2014-02-06 00:48:51 OPTIONS IMPORT: --ifconfig/up options modified
2014-02-06 00:48:51 OPTIONS IMPORT: route options modified
2014-02-06 00:48:51 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2014-02-06 00:48:51 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=f8:e0:79:5e:19:df
2014-02-06 00:48:51 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2014-02-06 00:48:51 MANAGEMENT: >STATE:1391644131,ASSIGN_IP,,10.5.3.182,
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-02-06 00:48:51 MANAGEMENT: >STATE:1391644131,ADD_ROUTES,,,
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE'
2014-02-06 00:48:51 Opening tun interface:
2014-02-06 00:48:51 Local IPv4: 10.5.3.182/30 IPv6: null MTU: 1500
2014-02-06 00:48:51 DNS Server: 66.96.80.43, 66.96.80.194, Domain: null
2014-02-06 00:48:51 Routes: 68.233.237.11/32, 0.0.0.0/1, 128.0.0.0/1, 10.5.3.1/32
2014-02-06 00:48:51 Routes IPv6: 
2014-02-06 00:48:51 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2014-02-06 00:48:51 Initialization Sequence Completed
2014-02-06 00:48:51 MANAGEMENT: >STATE:1391644131,CONNECTED,SUCCESS,10.5.3.182,68.233.237.11

The configfile:
Note: I have removed the certs except for the TLS key (which is public anyway).
#This configfile is for connecting to the CitizenVPN USA-Alternate Server
client 
dev tun
resolv-retry infinite
nobind 
persist-key 
persist-tun 
ns-cert-type server
key-direction 1
cipher AES-256-CBC
verb 7
auth-user-pass 
explicit-exit-notify 2
tun-mtu 1500
mssfix 1450
tun-mtu-extra 32
remote us.citizenvpn.com 80
proto udp
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<tls-auth>
#
#2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
8f313a1f341b3f25850af343cf78ae6a
0a64afae91108aca11f0399beb81ddd4
30377998477b1aeddaec140125c141a9
ab7c9db6e0d7716f792be5b06703721c
6a03208a4d66ce185c28fd7d8b4ebadb
2cbedf4603091b93b9c3615f9787b9e5
f1f8a0119b4fc97b6af90dd4b681aae1
dac390c2eb475f1ce1d8d80bf385b205
8b3974441c48d1eae79a5157e74fb1bb
905bc47514c2d21a379b3bcd08668d4a
93bbece49b4acf744c8be04850f6a3d5
2cdea18109c8f1d94ce2d5ec223ecee6
8cce0f85f180b53b87fbfbbf3dc0b009
4f8ba34afc225cede8571074672726bb
5b32e5f2348585e82128fcefd329cc2c
8b1e5f17c9c3da53bd43a15719c1efb8
-----END OpenVPN Static key V1-----
</tls-auth>

Original issue reported on code.google.com by gigmarks...@gmail.com on 6 Feb 2014 at 12:04
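The timing in the log above can be read off mechanically rather than by eye. The following is an added example, not code from the issue or from ics-openvpn: it groups the client log into handshake attempts (one per "TLS: Initial packet from", which is the first server reply that passed tls-auth), measures how long each attempt took to reach the server-certificate check and how long until it failed or connected, and flags attempts that ran into the handshake_window or spent far longer than the tls_timeout retransmit timer waiting for control packets. The sample log is a constructed subset of the Moto G log in this issue with the wrapped lines rejoined; the 60 s and 2 s defaults are the handshake_window and tls_timeout values printed in the parameter dump.

```python
import re
from datetime import datetime

# Constructed sample: the handshake-relevant lines copied from the Moto G log in this issue.
SAMPLE_LOG = """\
2014-02-06 00:47:23 UDP link remote: [AF_INET]68.233.237.11:80
2014-02-06 00:47:23 TLS: Initial packet from [AF_INET]68.233.237.11:80, sid=6d16a7b8 8af1bad6
2014-02-06 00:47:54 VERIFY OK: depth=1, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=CitizenVPN CA, emailAddress=info@citizenvpn.com
2014-02-06 00:47:54 VERIFY OK: depth=0, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=server, emailAddress=info@citizenvpn.com
2014-02-06 00:48:24 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2014-02-06 00:48:24 TLS Error: TLS handshake failed
2014-02-06 00:48:24 SIGUSR1[soft,tls-error] received, process restarting
2014-02-06 00:48:25 TLS: Initial packet from [AF_INET]68.233.237.11:80, sid=018406c5 08d13c82
2014-02-06 00:48:32 VERIFY OK: depth=1, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=CitizenVPN CA, emailAddress=info@citizenvpn.com
2014-02-06 00:48:32 VERIFY OK: depth=0, C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=server, emailAddress=info@citizenvpn.com
2014-02-06 00:48:48 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2014-02-06 00:48:48 [server] Peer Connection Initiated with [AF_INET]68.233.237.11:80
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")


def parse_handshakes(log_text, handshake_window=60, tls_timeout=2):
    """Split an OpenVPN client log into TLS handshake attempts and time each phase.

    handshake_window and tls_timeout default to the values in the parameter dump
    of this issue (handshake_window = 60, tls_timeout = 2).
    """
    attempts = []
    cur = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("TLS: Initial packet from"):
            # First server reply: our HARD_RESET passed the server's tls-auth HMAC check.
            cur = {"sid": msg.split("sid=", 1)[1], "start": ts,
                   "verify": None, "end": None, "result": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("VERIFY OK: depth=0"):
            cur["verify"] = ts          # server certificate chain received and verified
        elif msg.startswith("TLS Error: TLS handshake failed"):
            cur["end"], cur["result"] = ts, "failed"
        elif "Peer Connection Initiated" in msg:
            cur["end"], cur["result"] = ts, "connected"

    report = []
    for a in attempts:
        total = (a["end"] - a["start"]).total_seconds() if a["end"] else None
        verify = (a["verify"] - a["start"]).total_seconds() if a["verify"] else None
        notes = []
        if a["result"] == "failed" and total is not None and total >= handshake_window:
            notes.append("hit handshake_window")
        # The reliability layer retransmits an unacknowledged control packet after
        # tls_timeout seconds; a certificate phase lasting many multiples of that
        # is consistent with lost control packets rather than slow crypto.
        if verify is not None and verify > 5 * tls_timeout:
            notes.append("cert phase %.0fs: consistent with lost control packets" % verify)
        if a["result"] is None:
            notes.append("incomplete")
        report.append({"sid": a["sid"], "result": a["result"],
                       "verify_after_s": verify, "total_s": total, "notes": notes})
    return report


if __name__ == "__main__":
    for r in parse_handshakes(SAMPLE_LOG):
        print(r)
```

Run against the issue's own log this reports the first attempt as failed at 61 s with the server certificate only verified 31 s after the server's first reply, and the second attempt as connected after 23 s with the certificate verified after 7 s. Both attempts got a reply to the very first packet, so the tls-auth HMAC and the server were reachable; the time is lost between the server's reply and the certificate arriving, which is where a packet capture on both ends would show which control packets or ACKs went missing.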

GoogleCodeExporter commented 9 years ago
The issue seems to be because of bad connectivity. I suggest contacting your 
CitizenVPN support.

Original comment by arne@rfc2549.org on 6 Feb 2014 at 12:16

GoogleCodeExporter commented 9 years ago
Hi,

I don't think it is due to bad connectivity. This issue NEVER appears when
connecting with OpenVPN for Linux, Windows, OS X (Tunnelblick) or the
OpenVPN Connect app for Android and iOS.
And when I have been testing this the devices are on a strong WiFi
connection.

I am a developer for CitizenVPN.
Please re-consider this.

Original comment by gigmarks...@gmail.com on 6 Feb 2014 at 12:26

GoogleCodeExporter commented 9 years ago
Just judging from the client's log, the only explanation I have is a bad connection. Also note that users often want support for commercial VPNs from me instead of contacting their VPN provider, which I am not willing to give for free.

OpenVPN Connect on Android/iOS uses a *completely* different codebase.

If you are a developer for CitizenVPN, can you look in the server log and/or do a tcpdump? Also try to compile the OpenVPN branch of ics-openvpn (https://github.com/schwabe/openvpn/tree/icsopenvpn_67) on your Linux/Mac/Windows machine to see if the issue is specific to the branch.

The problem might be related to TLS since the timeout happens in TLS setup. OpenVPN <= 2.3.x uses OpenSSL with TLS 1.0. OpenVPN Connect uses PolarSSL with TLS 1.2 and OpenVPN > 2.3 (like ics-openvpn) uses OpenSSL with TLS 1.2.

And I cannot debug this issue since I have no way of reproducing this. 

Original comment by arne@rfc2549.org on 6 Feb 2014 at 12:56

GoogleCodeExporter commented 9 years ago
Hi,
Thanks for your reply. I will try to do some tcpdumping and look into TLS
versions as you suggest and get back to you as soon as possible.
In the mean time, if you like to try it, I have created an account for you
(you should have received already a separate mail from CitizenVPN), it's a
1 month unlimited account.
You can use the following below config (use the username/pass in the
welcome mail), which is the default config like the one I have tested with.
This config below contains certs specific to your account.:

#This configfile is for connecting to the CitizenVPN USA-Alternate Server
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
key-direction 1
cipher AES-256-CBC
verb 4
auth-user-pass
explicit-exit-notify 2
tun-mtu 1500
mssfix 1450
tun-mtu-extra 32
remote us.citizenvpn.com 80
proto udp
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1719 (0x6b7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=CitizenVPN CA/emailAddress=info@citizenvpn.com
        Validity
            Not Before: Feb  6 14:05:27 2014 GMT
            Not After : Feb  4 14:05:27 2024 GMT
        Subject: C=DK, ST=DK, L=Copenhagen, O=CitizenVPN, CN=kdwMVzus/emailAddress=info@citizenvpn.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ef:03:6e:8d:d7:37:71:3c:ae:ce:af:14:3d:f4:
                    05:a3:61:7a:b7:89:e1:d8:d9:d4:f3:49:68:b0:47:
                    c6:c4:a0:ce:8a:75:bd:fa:04:07:88:54:b2:2f:ed:
                    5e:bc:2d:41:0f:be:ca:83:fc:e3:ee:1d:a4:0e:4e:
                    53:2b:cc:85:dc:b9:93:42:e4:2a:88:63:9a:ab:c9:
                    b5:1c:31:93:64:43:77:17:5e:60:c5:62:4d:1c:92:
                    64:28:41:0a:37:50:c5:c8:75:07:d0:9e:36:ca:fe:
                    ba:ee:d1:b0:f7:cb:84:47:2f:d3:0b:d6:8d:0c:d4:
                    c6:01:ba:a8:08:c6:ce:c3:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                65:57:CE:14:D8:1B:2E:AA:11:6E:45:10:8F:E2:F3:AB:1A:BF:B8:D7
            X509v3 Authority Key Identifier:
                keyid:75:B5:B2:A4:E8:4B:4F:8D:1C:5D:6B:7D:B5:25:8F:52:E7:66:6D:00
                DirName:/C=DK/ST=DK/L=Copenhagen/O=CitizenVPN/CN=CitizenVPN CA/emailAddress=info@citizenvpn.com
                serial:BD:8F:25:BB:42:09:B2:1D

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
        73:11:cb:ad:2a:fc:10:1d:16:1c:31:7f:15:71:94:c3:50:23:
        8a:58:06:3e:9e:b2:d9:30:25:ee:47:73:7e:79:ea:16:b3:12:
        16:7f:80:03:6d:0b:77:96:a5:56:e3:51:fc:9f:7b:6a:83:9c:
        7b:d8:f6:e1:9d:13:4c:63:e5:37:42:35:53:f4:ac:d4:7c:15:
        26:1b:05:95:3a:2f:20:aa:7f:2f:b3:5a:05:27:c9:93:5d:38:
        5c:79:80:49:4f:93:59:21:ae:ef:75:74:78:ed:01:df:ee:44:
        19:9f:7b:c8:6c:76:2b:89:b8:3a:67:57:19:a9:a9:19:b4:09:
        e5:63
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
8f313a1f341b3f25850af343cf78ae6a
0a64afae91108aca11f0399beb81ddd4
30377998477b1aeddaec140125c141a9
ab7c9db6e0d7716f792be5b06703721c
6a03208a4d66ce185c28fd7d8b4ebadb
2cbedf4603091b93b9c3615f9787b9e5
f1f8a0119b4fc97b6af90dd4b681aae1
dac390c2eb475f1ce1d8d80bf385b205
8b3974441c48d1eae79a5157e74fb1bb
905bc47514c2d21a379b3bcd08668d4a
93bbece49b4acf744c8be04850f6a3d5
2cdea18109c8f1d94ce2d5ec223ecee6
8cce0f85f180b53b87fbfbbf3dc0b009
4f8ba34afc225cede8571074672726bb
5b32e5f2348585e82128fcefd329cc2c
8b1e5f17c9c3da53bd43a15719c1efb8
-----END OpenVPN Static key V1-----
</tls-auth>

Original comment by gigmarks...@gmail.com on 6 Feb 2014 at 2:06

GoogleCodeExporter commented 9 years ago
By the way I can *simulate* what appears to be the same end-result (TLS
handshake fail) in OpenVPN for linux (openvpn.net) by removing the
'key-direction 1' from the client config.
This is just an observation.

The server config is as follows:

port 80
proto udp
dev tun2
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.5.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 66.96.80.43"
push "dhcp-option DNS 66.96.80.194"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn-status-udp80.log 1
verb 0
mute 10
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin-udp80.cnf
management localhost 3081
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
multihome
username-as-common-name

Original comment by gigmarks...@gmail.com on 6 Feb 2014 at 2:23

GoogleCodeExporter commented 9 years ago
Removing the key-direction should make it always fail and should not even begin the TLS auth.

Original comment by arne@rfc2549.org on 6 Feb 2014 at 2:27
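Why a missing or wrong key-direction fails before any TLS traffic can be shown with the tls-auth key posted in this issue (the reporter notes it is public). The following is an added example, not code from the issue or from ics-openvpn. It assumes the Static key V1 layout as I read it from OpenVPN's crypto code: four 64-byte slots (cipher and HMAC for key 0, then cipher and HMAC for key 1), of which tls-auth uses only the HMAC slots truncated to the digest size; key-direction 0 signs outgoing packets with slot 0 and verifies incoming ones with slot 1, key-direction 1 does the reverse, and no key-direction at all uses slot 0 both ways. The packet framing (tag followed by payload) and the payloads are constructed for the example and are not OpenVPN's wire format.

```python
import hashlib
import hmac

# The tls-auth key from the config in this issue (16 lines x 16 bytes = 256 bytes = 2048 bits).
STATIC_KEY_V1 = """\
-----BEGIN OpenVPN Static key V1-----
8f313a1f341b3f25850af343cf78ae6a
0a64afae91108aca11f0399beb81ddd4
30377998477b1aeddaec140125c141a9
ab7c9db6e0d7716f792be5b06703721c
6a03208a4d66ce185c28fd7d8b4ebadb
2cbedf4603091b93b9c3615f9787b9e5
f1f8a0119b4fc97b6af90dd4b681aae1
dac390c2eb475f1ce1d8d80bf385b205
8b3974441c48d1eae79a5157e74fb1bb
905bc47514c2d21a379b3bcd08668d4a
93bbece49b4acf744c8be04850f6a3d5
2cdea18109c8f1d94ce2d5ec223ecee6
8cce0f85f180b53b87fbfbbf3dc0b009
4f8ba34afc225cede8571074672726bb
5b32e5f2348585e82128fcefd329cc2c
8b1e5f17c9c3da53bd43a15719c1efb8
-----END OpenVPN Static key V1-----
"""

DIGEST = "sha1"                                  # 'auth SHA1' in the options string of this issue
HMAC_KEY_LEN = hashlib.new(DIGEST).digest_size   # 20 bytes; assumption: key truncated to digest size


def parse_static_key(text):
    """Return {0: {'cipher', 'hmac'}, 1: {'cipher', 'hmac'}} from a Static key V1 file."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN OpenVPN Static key V1-----"):
            inside = True
        elif line.startswith("-----END OpenVPN Static key V1-----"):
            break
        elif inside and line and not line.startswith("#"):
            hex_lines.append(line)
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit key, got %d bits" % (len(raw) * 8))
    # Assumed layout (OpenVPN's key2): keys[0].cipher, keys[0].hmac, keys[1].cipher, keys[1].hmac
    return {0: {"cipher": raw[0:64], "hmac": raw[64:128]},
            1: {"cipher": raw[128:192], "hmac": raw[192:256]}}


def direction_slots(key_direction):
    """(outgoing slot, incoming slot) for a key-direction value; None means the option is absent."""
    if key_direction is None:   # bidirectional: one key both ways
        return 0, 0
    if key_direction == 0:      # the server in this issue: 'tls-auth ta.key 0'
        return 0, 1
    if key_direction == 1:      # the client in this issue: 'key-direction 1'
        return 1, 0
    raise ValueError("key-direction must be 0, 1 or absent")


class TlsAuthPeer:
    """One end of a tls-auth protected control channel (toy framing: HMAC tag || payload)."""

    def __init__(self, key2, key_direction):
        out_slot, in_slot = direction_slots(key_direction)
        self.out_key = key2[out_slot]["hmac"][:HMAC_KEY_LEN]
        self.in_key = key2[in_slot]["hmac"][:HMAC_KEY_LEN]

    def seal(self, payload):
        return hmac.new(self.out_key, payload, DIGEST).digest() + payload

    def accepts(self, packet):
        tag, payload = packet[:HMAC_KEY_LEN], packet[HMAC_KEY_LEN:]
        return hmac.compare_digest(tag, hmac.new(self.in_key, payload, DIGEST).digest())


def control_channel_outcome(client_direction, server_direction=0):
    """(server accepts the client's first packet, client accepts the server's reply)."""
    key2 = parse_static_key(STATIC_KEY_V1)
    client = TlsAuthPeer(key2, client_direction)
    server = TlsAuthPeer(key2, server_direction)
    c2s = server.accepts(client.seal(b"HARD_RESET_CLIENT (constructed payload)"))
    s2c = client.accepts(server.seal(b"HARD_RESET_SERVER (constructed payload)"))
    return c2s, s2c


if __name__ == "__main__":
    for label, d in (("key-direction 1", 1), ("no key-direction", None), ("key-direction 0", 0)):
        c2s, s2c = control_channel_outcome(d)
        print("client %-16s -> server accepts: %s, client accepts: %s" % (label, c2s, s2c))
```

With the server on direction 0, only a client on direction 1 gets both directions accepted. A client with no key-direction signs with slot 0, which the server verifies against slot 1, so the server silently drops the HARD_RESET and the client never logs "TLS: Initial packet from": no handshake starts, as the comment above says. The log in this issue does show that line on every attempt, so the tls-auth keys match and the failure lies later, inside the reliability layer carrying the TLS handshake.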

GoogleCodeExporter commented 9 years ago
Yes. I pointed it out because the error (when using verb 4) is identical,
so I was thinking maybe the TLS code forgets to use the correct parameter or
something, or it is somehow related to that.

Regardless, I just did some verb 7 logging on a test server.
I see a lot of these in the server log:

ACK output sequence broken: [11] 7

at the time when it is negotiating the TLS (and failing).

Not sure what it means.

Original comment by gigmarks...@gmail.com on 6 Feb 2014 at 2:50

GoogleCodeExporter commented 9 years ago
On my Nexus 7 it always connects fine. I sometimes get AUTH_FAILED but that is 
probably some rate limiting on your server.

Original comment by arne@rfc2549.org on 6 Feb 2014 at 3:23

GoogleCodeExporter commented 9 years ago
Ok that's interesting. The AUTH_FAILED is if you are already connected (or
the server is waiting for timeout on your last connect) as simultaneous
connects are not allowed. Just wait 2 mins then it should clear.

Original comment by gigmarks...@gmail.com on 6 Feb 2014 at 3:40

GoogleCodeExporter commented 9 years ago
Hi,

I have tested a bit more and now we have upgraded servers in US and DE
(Germany) with latest OpenVPN (i.e. 2.3.2 using TLSv1.2). However the issue
remains, so I doubt it is a TLS version issue.
It seems to be dependent on *distance*. I am located in Denmark and if I
connect to DE server then there is no problem. However when I connect to US
server it fails almost every time. And those two servers have identical
setups (CentOS 6.5 with OpenVPN 2.3.2), set up with the same packages.
I have tried to tcpdump on the server, and it appears the client fails to
send some ACKs during the TLS setup. Haven't been successful in dumping on
the client side yet, but working on it.
Not sure where you are located, but perhaps it worked for you before since
you were closer to the server you tried on?
Would you mind trying again? I have extended your account with another
month.
the new US server is: us4.citizenvpn.com
and the DE (Germany) server is: de.citizenvpn.com

If you are located in the US it would be most interesting to see if you can
connect to the DE server. (Please try several times if you are successful
the first time).

Original comment by gigmarks...@gmail.com on 6 Mar 2014 at 2:32

GoogleCodeExporter commented 9 years ago
I am from Germany so the US server is probably the one with the highest 
latency. Even when connecting over GPRS (2G network) with a total latency 
of 500ms to 1000ms to the US server the connection is established fine. 

I tried several times and I never get an error. 

ping statistics from the phone:

--- us4.citizenvpn.com ping statistics ---
162 packets transmitted, 159 received, 1% packet loss, time 161575ms
rtt min/avg/max/mdev = 514.070/999.101/6023.088/1015.715 ms, pipe 7

Original comment by arne@rfc2549.org on 6 Mar 2014 at 5:37

GoogleCodeExporter commented 9 years ago
Hi,

Ok thanks for trying. It must be device-specific then. Do you have any
other devices to try on? We get definite failures on Samsung galaxy tab 2
7" and also on Moto G.

Original comment by gigmarks...@gmail.com on 6 Mar 2014 at 6:13

GoogleCodeExporter commented 9 years ago
Xperia Acro S, Nexus 7 and Xperia Z compact. All work fine here. 

You can try to add verb 7 in the custom configuration options and see if that 
helps debugging (compare the log to OpenVPN 2.3.x running on the PC for 
example.)

Original comment by arne@rfc2549.org on 6 Mar 2014 at 7:16