schwabe / ics-openvpn

OpenVPN for Android

0.7.31 openssl issue with cipher suite #1433

Closed caseyng closed 2 years ago

caseyng commented 2 years ago

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version - 11
  2. Android Vendor/Custom ROM - vivo funtouch os 10.5 (original rom)
  3. Device - vivo v15 (aka vivo 1819)
  4. Version of the app (version number/play store version/self-built) - 0.7.31

Description of the issue

OpenVPN 0.7.29 was working fine for me. When I upgraded to 0.7.31, the connection no longer works. I'm not sure exactly what's wrong, but I suspect it to be the cipher suite that I'm using. Not sure how to set the suite though, because my router has limited options.

I think it is an OpenSSL problem, as 0.7.31 uses OpenSSL 3.0.1 but 0.7.29 uses OpenSSL 3.0.0. Can someone help explain why the connection fails?

Also, when I set the TLS security profile in 0.7.31 to insecure (as stated in the FAQ), the connection works. However, I don't see where my settings are insecure, or why the same configuration works for 0.7.29 but not for 0.7.31. I don't have to set my TLS security profile to insecure in 0.7.29, though.

My cipher suite does not use MD5, AFAIK. My OpenVPN client settings are at the bottom of the post.

All sensitive information has been redacted.

**Log from 0.7.31 (aka non-working version)**

```
2022-01-04 00:37:47 F-Droid built and signed version 0.7.31 running on vivo vivo 1819 (k71v1_64_bsp), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (vivo/1819N/1819N:11/RP1A.200720.012/compiler0623214610:user/release-keys)
2022-01-04 00:37:47 Building configuration…
2022-01-04 00:37:47 started Socket Thread
2022-01-04 00:37:47 Network Status: CONNECTED LTE to MOBILE xxxxx
2022-01-04 00:37:47 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-04 00:37:47 P:WARNING: linker: Warning: "/data/app/~~XhhQPzgOS_Mp--XuVZoF8A==/de.blinkt.openvpn-myTTQd7kMfY_yh_hrCjzcA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-01-04 00:37:47 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-04 00:37:47 Note: --cipher is not set. OpenVPN versions before 2.6 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-01-04 00:37:47 Current Parameter Settings:
2022-01-04 00:37:47   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-01-04 00:37:47   mode = 0
2022-01-04 00:37:47   show_ciphers = DISABLED
2022-01-04 00:37:47   show_digests = DISABLED
2022-01-04 00:37:47   show_engines = DISABLED
2022-01-04 00:37:47   genkey = DISABLED
2022-01-04 00:37:47   genkey_filename = '[UNDEF]'
2022-01-04 00:37:47   key_pass_file = '[UNDEF]'
2022-01-04 00:37:47   show_tls_ciphers = DISABLED
2022-01-04 00:37:47   connect_retry_max = 0
2022-01-04 00:37:47 Connection profiles [0]:
2022-01-04 00:37:47   proto = udp
2022-01-04 00:37:47   local = '[UNDEF]'
2022-01-04 00:37:47   local_port = '[UNDEF]'
2022-01-04 00:37:47   remote = 'xxx.xxx.xxx.xxx'
2022-01-04 00:37:47   remote_port = 'yyyyy'
2022-01-04 00:37:47   remote_float = ENABLED
2022-01-04 00:37:47   bind_defined = DISABLED
2022-01-04 00:37:47   bind_local = DISABLED
2022-01-04 00:37:47   bind_ipv6_only = DISABLED
2022-01-04 00:37:47   connect_retry_seconds = 2
2022-01-04 00:37:47   connect_timeout = 120
2022-01-04 00:37:47   socks_proxy_server = '[UNDEF]'
2022-01-04 00:37:47 Waiting 0s seconds between connection attempt
2022-01-04 00:37:47   socks_proxy_port = '[UNDEF]'
2022-01-04 00:37:47   tun_mtu = 1500
2022-01-04 00:37:47   tun_mtu_defined = ENABLED
2022-01-04 00:37:47   link_mtu = 1500
2022-01-04 00:37:47   link_mtu_defined = DISABLED
2022-01-04 00:37:47   tun_mtu_extra = 0
2022-01-04 00:37:47   tun_mtu_extra_defined = DISABLED
2022-01-04 00:37:47   mtu_discover_type = -1
2022-01-04 00:37:47   fragment = 0
2022-01-04 00:37:47   mssfix = 1450
2022-01-04 00:37:47   explicit_exit_notification = 0
2022-01-04 00:37:47   tls_auth_file = '[UNDEF]'
2022-01-04 00:37:47   key_direction = not set
2022-01-04 00:37:47   tls_crypt_file = '[INLINE]'
2022-01-04 00:37:47   tls_crypt_v2_file = '[UNDEF]'
2022-01-04 00:37:47 Connection profiles END
2022-01-04 00:37:47   remote_random = DISABLED
2022-01-04 00:37:47   ipchange = '[UNDEF]'
2022-01-04 00:37:47   dev = 'tun'
2022-01-04 00:37:47   dev_type = '[UNDEF]'
2022-01-04 00:37:47   dev_node = '[UNDEF]'
2022-01-04 00:37:47   lladdr = '[UNDEF]'
2022-01-04 00:37:47   topology = 1
2022-01-04 00:37:47   ifconfig_local = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_remote_netmask = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_noexec = DISABLED
2022-01-04 00:37:47   ifconfig_nowarn = ENABLED
2022-01-04 00:37:47   ifconfig_ipv6_local = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_ipv6_netbits = 0
2022-01-04 00:37:47   ifconfig_ipv6_remote = '[UNDEF]'
2022-01-04 00:37:47   shaper = 0
2022-01-04 00:37:47   mtu_test = 0
2022-01-04 00:37:47   mlock = DISABLED
2022-01-04 00:37:47   keepalive_ping = 15
2022-01-04 00:37:47   keepalive_timeout = 60
2022-01-04 00:37:47   inactivity_timeout = 0
2022-01-04 00:37:47   ping_send_timeout = 15
2022-01-04 00:37:47   ping_rec_timeout = 60
2022-01-04 00:37:47   ping_rec_timeout_action = 2
2022-01-04 00:37:47   ping_timer_remote = DISABLED
2022-01-04 00:37:47   remap_sigusr1 = 0
2022-01-04 00:37:47   persist_tun = DISABLED
2022-01-04 00:37:47   persist_local_ip = DISABLED
2022-01-04 00:37:47   persist_remote_ip = DISABLED
2022-01-04 00:37:47   persist_key = DISABLED
2022-01-04 00:37:47   passtos = DISABLED
2022-01-04 00:37:47   resolve_retry_seconds = 1000000000
2022-01-04 00:37:47   resolve_in_advance = DISABLED
2022-01-04 00:37:47   username = '[UNDEF]'
2022-01-04 00:37:47   groupname = '[UNDEF]'
2022-01-04 00:37:47   chroot_dir = '[UNDEF]'
2022-01-04 00:37:47   cd_dir = '[UNDEF]'
2022-01-04 00:37:47   writepid = '[UNDEF]'
2022-01-04 00:37:47   up_script = '[UNDEF]'
2022-01-04 00:37:47   down_script = '[UNDEF]'
2022-01-04 00:37:47   down_pre = DISABLED
2022-01-04 00:37:47   up_restart = DISABLED
2022-01-04 00:37:47   up_delay = DISABLED
2022-01-04 00:37:47   daemon = DISABLED
2022-01-04 00:37:47   log = DISABLED
2022-01-04 00:37:47   suppress_timestamps = DISABLED
2022-01-04 00:37:47   machine_readable_output = ENABLED
2022-01-04 00:37:47   nice = 0
2022-01-04 00:37:47   verbosity = 4
2022-01-04 00:37:47   mute = 0
2022-01-04 00:37:47   gremlin = 0
2022-01-04 00:37:47   status_file = '[UNDEF]'
2022-01-04 00:37:47   status_file_version = 1
2022-01-04 00:37:47   status_file_update_freq = 60
2022-01-04 00:37:47   occ = ENABLED
2022-01-04 00:37:47   rcvbuf = 0
2022-01-04 00:37:47   sndbuf = 0
2022-01-04 00:37:47   sockflags = 0
2022-01-04 00:37:47   fast_io = DISABLED
2022-01-04 00:37:47   comp.alg = 0
2022-01-04 00:37:47   comp.flags = 24
2022-01-04 00:37:47   route_script = '[UNDEF]'
2022-01-04 00:37:47   route_default_gateway = '[UNDEF]'
2022-01-04 00:37:47   route_default_metric = 0
2022-01-04 00:37:47   route_noexec = DISABLED
2022-01-04 00:37:47   route_delay = 0
2022-01-04 00:37:47   route_delay_window = 30
2022-01-04 00:37:47   route_delay_defined = DISABLED
2022-01-04 00:37:47   route_nopull = DISABLED
2022-01-04 00:37:47   route_gateway_via_dhcp = DISABLED
2022-01-04 00:37:47   allow_pull_fqdn = DISABLED
2022-01-04 00:37:47   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-01-04 00:37:47   management_port = 'unix'
2022-01-04 00:37:47   management_user_pass = '[UNDEF]'
2022-01-04 00:37:47   management_log_history_cache = 250
2022-01-04 00:37:47   management_echo_buffer_size = 100
2022-01-04 00:37:47   management_write_peer_info_file = '[UNDEF]'
2022-01-04 00:37:47   management_client_user = '[UNDEF]'
2022-01-04 00:37:47   management_client_group = '[UNDEF]'
2022-01-04 00:37:47   management_flags = 16678
2022-01-04 00:37:47   shared_secret_file = '[UNDEF]'
2022-01-04 00:37:47   key_direction = not set
2022-01-04 00:37:47   ciphername = 'BF-CBC'
2022-01-04 00:37:47   ncp_ciphers = 'CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
2022-01-04 00:37:47   authname = 'SHA512'
2022-01-04 00:37:47   engine = DISABLED
2022-01-04 00:37:47   replay = ENABLED
2022-01-04 00:37:47   mute_replay_warnings = DISABLED
2022-01-04 00:37:47   replay_window = 64
2022-01-04 00:37:47   replay_time = 15
2022-01-04 00:37:47   packet_id_file = '[UNDEF]'
2022-01-04 00:37:47   test_crypto = DISABLED
2022-01-04 00:37:47   tls_server = DISABLED
2022-01-04 00:37:47   tls_client = ENABLED
2022-01-04 00:37:47   ca_file = '[INLINE]'
2022-01-04 00:37:47   ca_path = '[UNDEF]'
2022-01-04 00:37:47   dh_file = '[UNDEF]'
2022-01-04 00:37:47   cert_file = '[INLINE]'
2022-01-04 00:37:47   extra_certs_file = '[UNDEF]'
2022-01-04 00:37:47   priv_key_file = '[INLINE]'
2022-01-04 00:37:47   pkcs12_file = '[UNDEF]'
2022-01-04 00:37:47   cipher_list = '[UNDEF]'
2022-01-04 00:37:47   cipher_list_tls13 = '[UNDEF]'
2022-01-04 00:37:47   tls_cert_profile = 'legacy'
2022-01-04 00:37:47   tls_verify = '[UNDEF]'
2022-01-04 00:37:47   tls_export_cert = '[UNDEF]'
2022-01-04 00:37:47   verify_x509_type = 0
2022-01-04 00:37:47   verify_x509_name = '[UNDEF]'
2022-01-04 00:37:47   crl_file = '[UNDEF]'
2022-01-04 00:37:47   ns_cert_type = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 65535
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_eku = 'TLS Web Server Authentication'
2022-01-04 00:37:47   ssl_flags = 192
2022-01-04 00:37:47   tls_timeout = 2
2022-01-04 00:37:47   renegotiate_bytes = -1
2022-01-04 00:37:47   renegotiate_packets = 0
2022-01-04 00:37:47   renegotiate_seconds = 3600
2022-01-04 00:37:47   handshake_window = 60
2022-01-04 00:37:47   transition_window = 3600
2022-01-04 00:37:47   single_session = DISABLED
2022-01-04 00:37:47   push_peer_info = DISABLED
2022-01-04 00:37:47   tls_exit = DISABLED
2022-01-04 00:37:47   tls_crypt_v2_metadata = '[UNDEF]'
2022-01-04 00:37:47   server_network = 0.0.0.0
2022-01-04 00:37:47   server_netmask = 0.0.0.0
2022-01-04 00:37:47   server_network_ipv6 = ::
2022-01-04 00:37:47   server_netbits_ipv6 = 0
2022-01-04 00:37:47   server_bridge_ip = 0.0.0.0
2022-01-04 00:37:47   server_bridge_netmask = 0.0.0.0
2022-01-04 00:37:47   server_bridge_pool_start = 0.0.0.0
2022-01-04 00:37:47   server_bridge_pool_end = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_defined = DISABLED
2022-01-04 00:37:47   ifconfig_pool_start = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_end = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_netmask = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_pool_persist_refresh_freq = 600
2022-01-04 00:37:47   ifconfig_ipv6_pool_defined = DISABLED
2022-01-04 00:37:47   ifconfig_ipv6_pool_base = ::
2022-01-04 00:37:47   ifconfig_ipv6_pool_netbits = 0
2022-01-04 00:37:47   n_bcast_buf = 256
2022-01-04 00:37:47   tcp_queue_limit = 64
2022-01-04 00:37:47   real_hash_size = 256
2022-01-04 00:37:47   virtual_hash_size = 256
2022-01-04 00:37:47   client_connect_script = '[UNDEF]'
2022-01-04 00:37:47   learn_address_script = '[UNDEF]'
2022-01-04 00:37:47   client_disconnect_script = '[UNDEF]'
2022-01-04 00:37:47   client_config_dir = '[UNDEF]'
2022-01-04 00:37:47   ccd_exclusive = DISABLED
2022-01-04 00:37:47   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-01-04 00:37:47   push_ifconfig_defined = DISABLED
2022-01-04 00:37:47   push_ifconfig_local = 0.0.0.0
2022-01-04 00:37:47   push_ifconfig_remote_netmask = 0.0.0.0
2022-01-04 00:37:47   push_ifconfig_ipv6_defined = DISABLED
2022-01-04 00:37:47   push_ifconfig_ipv6_local = ::/0
2022-01-04 00:37:47   push_ifconfig_ipv6_remote = ::
2022-01-04 00:37:47   enable_c2c = DISABLED
2022-01-04 00:37:47   duplicate_cn = DISABLED
2022-01-04 00:37:47   cf_max = 0
2022-01-04 00:37:47   cf_per = 0
2022-01-04 00:37:47   max_clients = 1024
2022-01-04 00:37:47   max_routes_per_client = 256
2022-01-04 00:37:47   auth_user_pass_verify_script = '[UNDEF]'
2022-01-04 00:37:47   auth_user_pass_verify_script_via_file = DISABLED
2022-01-04 00:37:47   auth_token_generate = DISABLED
2022-01-04 00:37:47   auth_token_lifetime = 0
2022-01-04 00:37:47   auth_token_secret_file = '[UNDEF]'
2022-01-04 00:37:47   port_share_host = '[UNDEF]'
2022-01-04 00:37:47   port_share_port = '[UNDEF]'
2022-01-04 00:37:47   vlan_tagging = DISABLED
2022-01-04 00:37:47   vlan_accept = all
2022-01-04 00:37:47   vlan_pvid = 1
2022-01-04 00:37:47   client = ENABLED
2022-01-04 00:37:47   pull = ENABLED
2022-01-04 00:37:47   auth_user_pass_file = 'stdin'
2022-01-04 00:37:47 OpenVPN 2.6-icsopenvpn [git:v2.6-master-401-gcc435973] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 20 2021
2022-01-04 00:37:47 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-01-04 00:37:47 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-01-04 00:37:47 MANAGEMENT: CMD 'version 3'
2022-01-04 00:37:47 MANAGEMENT: CMD 'hold release'
2022-01-04 00:37:47 MANAGEMENT: CMD 'bytecount 2'
2022-01-04 00:37:47 MANAGEMENT: CMD 'state on'
2022-01-04 00:37:47 MANAGEMENT: CMD 'username 'Auth' vpnuser'
2022-01-04 00:37:47 MANAGEMENT: CMD 'password [...]'
2022-01-04 00:37:47 MANAGEMENT: CMD 'proxy NONE'
2022-01-04 00:37:48 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-01-04 00:37:48 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2022-01-04 00:37:48 OpenSSL reported a certificate with a weak hash, please see the in app FAQ about weak hashes.
2022-01-04 00:37:48 MANAGEMENT: Client disconnected
2022-01-04 00:37:48 Cannot load inline certificate file
2022-01-04 00:37:48 Exiting due to fatal error
2022-01-04 00:37:48 Process exited with exit value 1
```

**Log from 0.7.29 (aka working version)**

```
2022-01-04 00:22:05 F-Droid built and signed version 0.7.29 running on vivo vivo 1819 (k71v1_64_bsp), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (vivo/1819N/1819N:11/RP1A.200720.012/compiler0623214610:user/release-keys)
2022-01-04 00:22:05 Building configuration…
2022-01-04 00:22:05 started Socket Thread
2022-01-04 00:22:05 Network Status: CONNECTED LTE to MOBILE xxxxx
2022-01-04 00:22:05 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-04 00:22:05 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-04 00:22:05 P:WARNING: linker: Warning: "/data/app/~~Cabklro6cExAJ4ccBEwH3Q==/de.blinkt.openvpn-HsftgqY-ag1SlMmhdApyhA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-01-04 00:22:05 Note: --cipher is not set. OpenVPN versions before 2.6 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-01-04 00:22:05 Current Parameter Settings:
2022-01-04 00:22:05   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-01-04 00:22:05   mode = 0
2022-01-04 00:22:05   show_ciphers = DISABLED
2022-01-04 00:22:05   show_digests = DISABLED
2022-01-04 00:22:05   show_engines = DISABLED
2022-01-04 00:22:05   genkey = DISABLED
2022-01-04 00:22:05   genkey_filename = '[UNDEF]'
2022-01-04 00:22:05   key_pass_file = '[UNDEF]'
2022-01-04 00:22:05   show_tls_ciphers = DISABLED
2022-01-04 00:22:05   connect_retry_max = 0
2022-01-04 00:22:05 Connection profiles [0]:
2022-01-04 00:22:05   proto = udp
2022-01-04 00:22:05   local = '[UNDEF]'
2022-01-04 00:22:05   local_port = '[UNDEF]'
2022-01-04 00:22:05   remote = 'xxx.xxx.xxx.xxx'
2022-01-04 00:22:05   remote_port = 'yyyyy'
2022-01-04 00:22:05   remote_float = ENABLED
2022-01-04 00:22:05   bind_defined = DISABLED
2022-01-04 00:22:05   bind_local = DISABLED
2022-01-04 00:22:05   bind_ipv6_only = DISABLED
2022-01-04 00:22:05   connect_retry_seconds = 2
2022-01-04 00:22:05   connect_timeout = 120
2022-01-04 00:22:05   socks_proxy_server = '[UNDEF]'
2022-01-04 00:22:05   socks_proxy_port = '[UNDEF]'
2022-01-04 00:22:05   tun_mtu = 1500
2022-01-04 00:22:05   tun_mtu_defined = ENABLED
2022-01-04 00:22:05   link_mtu = 1500
2022-01-04 00:22:05   link_mtu_defined = DISABLED
2022-01-04 00:22:05   tun_mtu_extra = 0
2022-01-04 00:22:05   tun_mtu_extra_defined = DISABLED
2022-01-04 00:22:05   mtu_discover_type = -1
2022-01-04 00:22:05   fragment = 0
2022-01-04 00:22:05   mssfix = 1450
2022-01-04 00:22:05   explicit_exit_notification = 0
2022-01-04 00:22:05   tls_auth_file = '[UNDEF]'
2022-01-04 00:22:05   key_direction = not set
2022-01-04 00:22:05   tls_crypt_file = '[INLINE]'
2022-01-04 00:22:05   tls_crypt_v2_file = '[UNDEF]'
2022-01-04 00:22:05 Connection profiles END
2022-01-04 00:22:05   remote_random = DISABLED
2022-01-04 00:22:05   ipchange = '[UNDEF]'
2022-01-04 00:22:05   dev = 'tun'
2022-01-04 00:22:05   dev_type = '[UNDEF]'
2022-01-04 00:22:05   dev_node = '[UNDEF]'
2022-01-04 00:22:05   lladdr = '[UNDEF]'
2022-01-04 00:22:05   topology = 1
2022-01-04 00:22:05   ifconfig_local = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_remote_netmask = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_noexec = DISABLED
2022-01-04 00:22:05   ifconfig_nowarn = ENABLED
2022-01-04 00:22:05   ifconfig_ipv6_local = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_ipv6_netbits = 0
2022-01-04 00:22:05   ifconfig_ipv6_remote = '[UNDEF]'
2022-01-04 00:22:05   shaper = 0
2022-01-04 00:22:05   mtu_test = 0
2022-01-04 00:22:05   mlock = DISABLED
2022-01-04 00:22:05   keepalive_ping = 15
2022-01-04 00:22:05   keepalive_timeout = 60
2022-01-04 00:22:05   inactivity_timeout = 0
2022-01-04 00:22:05   ping_send_timeout = 15
2022-01-04 00:22:05   ping_rec_timeout = 60
2022-01-04 00:22:05   ping_rec_timeout_action = 2
2022-01-04 00:22:05   ping_timer_remote = DISABLED
2022-01-04 00:22:05   remap_sigusr1 = 0
2022-01-04 00:22:05   persist_tun = DISABLED
2022-01-04 00:22:05   persist_local_ip = DISABLED
2022-01-04 00:22:05   persist_remote_ip = DISABLED
2022-01-04 00:22:05   persist_key = DISABLED
2022-01-04 00:22:05   passtos = DISABLED
2022-01-04 00:22:05   resolve_retry_seconds = 1000000000
2022-01-04 00:22:05   resolve_in_advance = DISABLED
2022-01-04 00:22:05   username = '[UNDEF]'
2022-01-04 00:22:05   groupname = '[UNDEF]'
2022-01-04 00:22:05   chroot_dir = '[UNDEF]'
2022-01-04 00:22:05   cd_dir = '[UNDEF]'
2022-01-04 00:22:05   writepid = '[UNDEF]'
2022-01-04 00:22:05   up_script = '[UNDEF]'
2022-01-04 00:22:05   down_script = '[UNDEF]'
2022-01-04 00:22:05   down_pre = DISABLED
2022-01-04 00:22:05   up_restart = DISABLED
2022-01-04 00:22:05   up_delay = DISABLED
2022-01-04 00:22:05   daemon = DISABLED
2022-01-04 00:22:05   log = DISABLED
2022-01-04 00:22:05   suppress_timestamps = DISABLED
2022-01-04 00:22:05   machine_readable_output = ENABLED
2022-01-04 00:22:05   nice = 0
2022-01-04 00:22:05   verbosity = 4
2022-01-04 00:22:05   mute = 0
2022-01-04 00:22:05   gremlin = 0
2022-01-04 00:22:05   status_file = '[UNDEF]'
2022-01-04 00:22:05   status_file_version = 1
2022-01-04 00:22:05   status_file_update_freq = 60
2022-01-04 00:22:05   occ = ENABLED
2022-01-04 00:22:05   rcvbuf = 0
2022-01-04 00:22:05   sndbuf = 0
2022-01-04 00:22:05   sockflags = 0
2022-01-04 00:22:05   fast_io = DISABLED
2022-01-04 00:22:05   comp.alg = 0
2022-01-04 00:22:05   comp.flags = 24
2022-01-04 00:22:05   route_script = '[UNDEF]'
2022-01-04 00:22:05   route_default_gateway = '[UNDEF]'
2022-01-04 00:22:05   route_default_metric = 0
2022-01-04 00:22:05   route_noexec = DISABLED
2022-01-04 00:22:05   route_delay = 0
2022-01-04 00:22:05   route_delay_window = 30
2022-01-04 00:22:05   route_delay_defined = DISABLED
2022-01-04 00:22:05   route_nopull = DISABLED
2022-01-04 00:22:05   route_gateway_via_dhcp = DISABLED
2022-01-04 00:22:05   allow_pull_fqdn = DISABLED
2022-01-04 00:22:05   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-01-04 00:22:05   management_port = 'unix'
2022-01-04 00:22:05   management_user_pass = '[UNDEF]'
2022-01-04 00:22:05   management_log_history_cache = 250
2022-01-04 00:22:05   management_echo_buffer_size = 100
2022-01-04 00:22:05   management_write_peer_info_file = '[UNDEF]'
2022-01-04 00:22:05   management_client_user = '[UNDEF]'
2022-01-04 00:22:05   management_client_group = '[UNDEF]'
2022-01-04 00:22:05   management_flags = 16678
2022-01-04 00:22:05   shared_secret_file = '[UNDEF]'
2022-01-04 00:22:05   key_direction = not set
2022-01-04 00:22:05   ciphername = 'BF-CBC'
2022-01-04 00:22:05   ncp_ciphers = 'CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
2022-01-04 00:22:05   authname = 'SHA512'
2022-01-04 00:22:05   prng_hash = 'SHA1'
2022-01-04 00:22:05   prng_nonce_secret_len = 16
2022-01-04 00:22:05   engine = DISABLED
2022-01-04 00:22:05 Waiting 0s seconds between connection attempt
2022-01-04 00:22:05   replay = ENABLED
2022-01-04 00:22:05   mute_replay_warnings = DISABLED
2022-01-04 00:22:05   replay_window = 64
2022-01-04 00:22:05   replay_time = 15
2022-01-04 00:22:05   packet_id_file = '[UNDEF]'
2022-01-04 00:22:05   test_crypto = DISABLED
2022-01-04 00:22:05   tls_server = DISABLED
2022-01-04 00:22:05   tls_client = ENABLED
2022-01-04 00:22:05   ca_file = '[INLINE]'
2022-01-04 00:22:05   ca_path = '[UNDEF]'
2022-01-04 00:22:05   dh_file = '[UNDEF]'
2022-01-04 00:22:05   cert_file = '[INLINE]'
2022-01-04 00:22:05   extra_certs_file = '[UNDEF]'
2022-01-04 00:22:05   priv_key_file = '[INLINE]'
2022-01-04 00:22:05   pkcs12_file = '[UNDEF]'
2022-01-04 00:22:05   cipher_list = '[UNDEF]'
2022-01-04 00:22:05   cipher_list_tls13 = '[UNDEF]'
2022-01-04 00:22:05   tls_cert_profile = '[UNDEF]'
2022-01-04 00:22:05   tls_verify = '[UNDEF]'
2022-01-04 00:22:05   tls_export_cert = '[UNDEF]'
2022-01-04 00:22:05   verify_x509_type = 0
2022-01-04 00:22:05   verify_x509_name = '[UNDEF]'
2022-01-04 00:22:05   crl_file = '[UNDEF]'
2022-01-04 00:22:05   ns_cert_type = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 65535
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_eku = 'TLS Web Server Authentication'
2022-01-04 00:22:05   ssl_flags = 192
2022-01-04 00:22:05   tls_timeout = 2
2022-01-04 00:22:05   renegotiate_bytes = -1
2022-01-04 00:22:05   renegotiate_packets = 0
2022-01-04 00:22:05   renegotiate_seconds = 3600
2022-01-04 00:22:05   handshake_window = 60
2022-01-04 00:22:05   transition_window = 3600
2022-01-04 00:22:05   single_session = DISABLED
2022-01-04 00:22:05   push_peer_info = DISABLED
2022-01-04 00:22:05   tls_exit = DISABLED
2022-01-04 00:22:05   tls_crypt_v2_metadata = '[UNDEF]'
2022-01-04 00:22:05   server_network = 0.0.0.0
2022-01-04 00:22:05   server_netmask = 0.0.0.0
2022-01-04 00:22:05   server_network_ipv6 = ::
2022-01-04 00:22:05   server_netbits_ipv6 = 0
2022-01-04 00:22:05   server_bridge_ip = 0.0.0.0
2022-01-04 00:22:05   server_bridge_netmask = 0.0.0.0
2022-01-04 00:22:05   server_bridge_pool_start = 0.0.0.0
2022-01-04 00:22:05   server_bridge_pool_end = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_defined = DISABLED
2022-01-04 00:22:05   ifconfig_pool_start = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_end = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_netmask = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_pool_persist_refresh_freq = 600
2022-01-04 00:22:05   ifconfig_ipv6_pool_defined = DISABLED
2022-01-04 00:22:05   ifconfig_ipv6_pool_base = ::
2022-01-04 00:22:05   ifconfig_ipv6_pool_netbits = 0
2022-01-04 00:22:05   n_bcast_buf = 256
2022-01-04 00:22:05   tcp_queue_limit = 64
2022-01-04 00:22:05   real_hash_size = 256
2022-01-04 00:22:05   virtual_hash_size = 256
2022-01-04 00:22:05   client_connect_script = '[UNDEF]'
2022-01-04 00:22:05   learn_address_script = '[UNDEF]'
2022-01-04 00:22:05   client_disconnect_script = '[UNDEF]'
2022-01-04 00:22:05   client_config_dir = '[UNDEF]'
2022-01-04 00:22:05   ccd_exclusive = DISABLED
2022-01-04 00:22:05   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-01-04 00:22:05   push_ifconfig_defined = DISABLED
2022-01-04 00:22:05   push_ifconfig_local = 0.0.0.0
2022-01-04 00:22:05   push_ifconfig_remote_netmask = 0.0.0.0
2022-01-04 00:22:05   push_ifconfig_ipv6_defined = DISABLED
2022-01-04 00:22:05   push_ifconfig_ipv6_local = ::/0
2022-01-04 00:22:05   push_ifconfig_ipv6_remote = ::
2022-01-04 00:22:05   enable_c2c = DISABLED
2022-01-04 00:22:05   duplicate_cn = DISABLED
2022-01-04 00:22:05   cf_max = 0
2022-01-04 00:22:05   cf_per = 0
2022-01-04 00:22:05   max_clients = 1024
2022-01-04 00:22:05   max_routes_per_client = 256
2022-01-04 00:22:05   auth_user_pass_verify_script = '[UNDEF]'
2022-01-04 00:22:05   auth_user_pass_verify_script_via_file = DISABLED
2022-01-04 00:22:05   auth_token_generate = DISABLED
2022-01-04 00:22:05   auth_token_lifetime = 0
2022-01-04 00:22:05   auth_token_secret_file = '[UNDEF]'
2022-01-04 00:22:05   port_share_host = '[UNDEF]'
2022-01-04 00:22:05   port_share_port = '[UNDEF]'
2022-01-04 00:22:05   vlan_tagging = DISABLED
2022-01-04 00:22:05   vlan_accept = all
2022-01-04 00:22:05   vlan_pvid = 1
2022-01-04 00:22:05   client = ENABLED
2022-01-04 00:22:05   pull = ENABLED
2022-01-04 00:22:05   auth_user_pass_file = 'stdin'
2022-01-04 00:22:05 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.29-0-g65ad05d7] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2021
2022-01-04 00:22:05 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2022-01-04 00:22:05 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-01-04 00:22:05 MANAGEMENT: CMD 'version 3'
2022-01-04 00:22:05 MANAGEMENT: CMD 'hold release'
2022-01-04 00:22:05 MANAGEMENT: CMD 'bytecount 2'
2022-01-04 00:22:05 MANAGEMENT: CMD 'state on'
2022-01-04 00:22:05 MANAGEMENT: CMD 'username 'Auth' vpnuser'
2022-01-04 00:22:05 MANAGEMENT: CMD 'password [...]'
2022-01-04 00:22:05 MANAGEMENT: CMD 'proxy NONE'
2022-01-04 00:22:06 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-04 00:22:06 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-04 00:22:06 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-04 00:22:06 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-04 00:22:06 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2022-01-04 00:22:06 MANAGEMENT: >STATE:1641226926,RESOLVE,,,,,,
2022-01-04 00:22:07 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2022-01-04 00:22:07 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,auth SHA512,keysize 128,key-method 2,tls-client'
2022-01-04 00:22:07 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,auth SHA512,keysize 128,key-method 2,tls-server'
2022-01-04 00:22:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-01-04 00:22:07 UDP link local: (not bound)
2022-01-04 00:22:07 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,WAIT,,,,,,
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,AUTH,,,,,,
2022-01-04 00:22:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:yyyyy, sid=86f2a7e4 389f2e26
2022-01-04 00:22:07 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, emailAddress=me@asusrouter.lan
2022-01-04 00:22:07 VERIFY KU OK
2022-01-04 00:22:07 Validating certificate extended key usage
2022-01-04 00:22:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-01-04 00:22:07 VERIFY EKU OK
2022-01-04 00:22:07 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, emailAddress=me@asusrouter.lan
2022-01-04 00:22:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA1
2022-01-04 00:22:07 [RT-AC68U] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-01-04 00:22:07 OPTIONS IMPORT: timers and/or timeouts modified
2022-01-04 00:22:07 OPTIONS IMPORT: --ifconfig/up options modified
2022-01-04 00:22:07 OPTIONS IMPORT: route options modified
2022-01-04 00:22:07 OPTIONS IMPORT: route-related options modified
2022-01-04 00:22:07 OPTIONS IMPORT: peer-id set
2022-01-04 00:22:07 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-01-04 00:22:07 OPTIONS IMPORT: data channel crypto options modified
2022-01-04 00:22:07 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-01-04 00:22:07 Data Channel MTU parms [ L:1537 D:1450 EF:37 EB:406 ET:0 EL:3 AF:14/121 ]
2022-01-04 00:22:07 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-01-04 00:22:07 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-01-04 00:22:07 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2022-01-04 00:22:07 do_ifconfig, ipv4=1, ipv6=0
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,ASSIGN_IP,,10.8.0.2,,,,
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,ADD_ROUTES,,,,,,
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2022-01-04 00:22:07 Opening tun interface:
2022-01-04 00:22:07 Local IPv4: 10.8.0.2/24 IPv6: (not set) MTU: 1500
2022-01-04 00:22:07 DNS Server: , Domain: null
2022-01-04 00:22:07 Routes: 0.0.0.0/0, 10.8.0.0/24, 192.168.123.0/24
2022-01-04 00:22:07 Routes excluded:
2022-01-04 00:22:07 VpnService routes installed: 0.0.0.0/0
2022-01-04 00:22:07 Disallowed VPN apps:
2022-01-04 00:22:07 No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set.
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2022-01-04 00:22:07 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-04 00:22:07 Initialization Sequence Completed
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,CONNECTED,SUCCESS,10.8.0.2,xxx.xxx.xxx.xxx,yyyyy,,
2022-01-04 00:22:08 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-04 00:22:08 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000011111] 0:16 0:15 t=1641226928[0] r=[-1,64,15,1,1] sl=[48,16,64,528]
```

**OpenVPN client settings**

```
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx yyyyy
resolv-retry infinite
nobind
float
ncp-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC
auth SHA512
keepalive 15 60
auth-user-pass
remote-cert-tls server
```
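Editor's note with an added example (not code from this issue, from ics-openvpn, or from OpenVPN). The two logs above locate the failure precisely: the 0.7.31 run dies with `OpenSSL: error:0A00018E:SSL routines::ca md too weak` while loading the inline certificate, before any cipher negotiation, and the 0.7.29 run reports `peer certificate: 2048 bit RSA, signature: RSA-SHA1`. What OpenSSL 3.x rejects at its default security level is the SHA-1 signature on the certificate chain, not the `ncp-ciphers` list, so the durable fix is re-issuing the CA and certificates with a SHA-256 signature rather than lowering the TLS security profile. The script below extracts the certificates embedded in a profile's `<ca>`, `<cert>` and `<extra-certs>` blocks and reports the digest each signature uses, using only the standard library (a minimal DER walker reads the outer `signatureAlgorithm` OID). The OID table and the skeleton "certificates" in `SAMPLE_PROFILE` are constructed for this example; the skeletons only reproduce the outer ASN.1 structure and are not usable certificates.

```python
# Added check for this issue (not ics-openvpn or OpenVPN code): report the
# signature digest of every certificate embedded inline in an OpenVPN profile.
# OpenSSL 3.x refuses MD5/SHA-1 certificate signatures at its default security
# level, which is what the 0.7.31 log's "ca md too weak" error means.
import base64
import re

# signatureAlgorithm OIDs -> (name, digest); constructed subset, extend as needed
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
}
WEAK_DIGESTS = {"MD5", "SHA1"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:      # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der_cert):
    """OID of Certificate.signatureAlgorithm (the algorithm the cert is signed with)."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

_INLINE_RE = re.compile(r"<(ca|cert|extra-certs)>(.*?)</\1>", re.S)
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_profile(profile_text):
    """[(block, oid, name, digest, is_weak)] for every inline certificate."""
    findings = []
    for block, body in _INLINE_RE.findall(profile_text):
        for b64 in _PEM_RE.findall(body):
            oid = signature_oid(base64.b64decode("".join(b64.split())))
            name, digest = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
            findings.append((block, oid, name, digest, digest in WEAK_DIGESTS))
    return findings

# --- constructed sample input: skeleton certs, not real ones -----------------
def _tlv(tag, body):  # short-form DER lengths only; the skeletons are < 128 bytes
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                  # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def skeleton_certificate_pem(sig_oid):
    """Certificate SEQUENCE with a placeholder tbsCertificate and the given
    signatureAlgorithm: enough to exercise the parser, not a usable cert."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    sig = _tlv(0x03, b"\x00" + bytes(8))                               # BIT STRING
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"

# Mirrors the issue's profile: a SHA-1-signed CA (the 0.7.29 log's
# "signature: RSA-SHA1") next to a SHA-256-signed client certificate.
SAMPLE_PROFILE = "\n".join([
    "client", "dev tun", "proto udp", "remote xxx.xxx.xxx.xxx yyyyy",
    "auth SHA512", "remote-cert-tls server",
    "<ca>", skeleton_certificate_pem("1.2.840.113549.1.1.5"), "</ca>",
    "<cert>", skeleton_certificate_pem("1.2.840.113549.1.1.11"), "</cert>",
])

if __name__ == "__main__":
    for block, oid, name, digest, weak in check_profile(SAMPLE_PROFILE):
        print(f"<{block}> {name} ({oid}) digest={digest} -> {'WEAK' if weak else 'ok'}")
```

Run it against a real `.ovpn` by passing the file's text to `check_profile`; a `WEAK` result on `<ca>` matches the "ca md too weak" failure above. The walker reads only the outermost `Certificate` SEQUENCE, which is sufficient because that is where the signing algorithm lives; it does not validate anything else about the certificate.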