schwabe / ics-openvpn

OpenVPN for Android

is tls-crypt-v2 supported in OpenVPN for Android 0.7.46? #1625

Closed mmokrejs closed 1 year ago

mmokrejs commented 1 year ago

The GUI 0.7.46 does not have fields to import the tls-crypt-v2 key of the client under the AUTHENTICATION/ENCRYPTION tabs. Is it not available or just not exposed through the GUI?

I tried to paste an inline key under ADVANCED tab as:

<tls-crypt-v2>
...
</tls-crypt-v2>

# no option for this in GUI
tls-client

but it fails under SETTINGS -> "OpenVPN 3" core and in the same way when I uncheck the option and rely on the 2.x openvpn core. The connection negotiations with the server (version 2.6.4) are almost completed but the server says:

openvpn[28280]: TLS Error: could not determine wrapping from [AF_INET]client1_ip:some_port

schwabe commented 1 year ago

The app will happily import a profile with tls-crypt-v2 in it. The app has tls-crypt-v2 under TLS auth and then just set TLS direction to tls-crypt-v2. Setting it as advanced option with custom options should work as well.
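
A small profile linter illustrating the point above (which wrapping mode a profile selects, and which directives only make sense with which mode). This is example code written for this thread, not part of ics-openvpn; the sample profile is constructed and its key material is a placeholder. It relies on the PEM-style header OpenVPN puts on a tls-crypt-v2 client key, so that a server key pasted into a client profile is caught before import.

```python
# Lint an OpenVPN client profile for its TLS control-channel wrapping
# (tls-auth / tls-crypt / tls-crypt-v2) and the directives that interact
# with it. Example code for this thread; not ics-openvpn's own code.
import re

WRAPPING = ("tls-auth", "tls-crypt", "tls-crypt-v2")
# Header OpenVPN writes on a tls-crypt-v2 *client* key. The server key uses
# "server key" instead and must never be shipped in a client profile.
CLIENT_KEY_HEADER = "-----BEGIN OpenVPN tls-crypt-v2 client key-----"
INLINE_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)

# Constructed sample profile, modelled on the one discussed in the thread.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote xx.xx.xx.xx 1196
remote-cert-tls server
verify-x509-name myserver.mydomain name
tls-client
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
PLACEHOLDER
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
"""


def parse_profile(text):
    """Return (options, inline): directive -> list of arg lists, tag -> body."""
    inline = {}

    def grab(m):  # pull inline blocks out so their bodies are not parsed as directives
        inline[m.group("tag")] = m.group("body").strip()
        return ""

    options = {}
    for line in INLINE_RE.sub(grab, text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # OpenVPN comment line
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return options, inline


def lint_wrapping(text):
    """Return a list of findings; an empty list means the profile is consistent."""
    options, inline = parse_profile(text)
    findings = []
    modes = [d for d in WRAPPING if d in options or d in inline]
    if not modes:
        findings.append("no control-channel wrapping (tls-auth/tls-crypt/tls-crypt-v2) configured")
    if len(modes) > 1:
        findings.append("conflicting wrapping modes: " + ", ".join(modes))
    if "tls-crypt-v2" in modes:
        if "key-direction" in options:
            findings.append("key-direction is a tls-auth setting; it does not apply to tls-crypt-v2")
        body = inline.get("tls-crypt-v2", "")
        if body and not body.startswith(CLIENT_KEY_HEADER):
            findings.append("inline <tls-crypt-v2> block is not an OpenVPN tls-crypt-v2 client key")
    if "tls-client" in options and "client" in options:
        findings.append("tls-client is redundant: it is implied by client")
    return findings


if __name__ == "__main__":
    for finding in lint_wrapping(SAMPLE_PROFILE):
        print("-", finding)
```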

mmokrejs commented 1 year ago

Then please rename the option from "TLS Auth File" to "TLS Auth/Crypt/Crypt_v2 file". But I do not need to specify a direction, that is only for oldest tls-auth, right?

The config file I ended up with seems OK. I will edit the logs and provide them. But the only useful info is the error logged by the server.

schwabe commented 1 year ago

The tls direction dropdown in the app also determines if you use tls-auth/crypt or crypt v2. Like I said, you need to set direction to tls-crypt-v2

mmokrejs commented 1 year ago

$ cat /tmp/OpenVPN-0.7.46_with_openvpn-3.x_core.txt
2023-07-17 12:45:03 F-Droid built and signed version 0.7.46 running on asus ASUS_I006D (lahaina), Android 13 (TKQ1.220807.001) API 33, ABI arm64-v8a, (asus/EU_I006D/ASUS_I006D:13/TKQ1.220807.001/33.0210.0210.296:user/release-keys)
2023-07-17 12:45:03 Building configuration…
2023-07-17 12:45:03 Fetched VPN profile (mydomain2023) triggered by Reconnect button pressed.
2023-07-17 12:45:03 Scheduling VPN keep alive for VPN mydomain2023
2023-07-17 12:45:03 started Socket Thread
2023-07-17 12:45:03 Server poll timeout, trying next remote entry...
2023-07-17 12:45:03 Network Status: CONNECTED  to WIFI 
2023-07-17 12:45:03 P:WARNING: linker: Warning: "/data/app/~~efCCDHzalNGzyuFVv_YAkw==/de.blinkt.openvpn-XPGK83Mh3hN99u16f-AdmA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2023-07-17 12:45:03 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2023-07-17 12:45:03 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-07-17 12:45:03 Waiting 0s seconds between connection attempt
2023-07-17 12:45:03 Current Parameter Settings:
2023-07-17 12:45:03   config = 'stdin'
2023-07-17 12:45:03   mode = 0
2023-07-17 12:45:03   show_ciphers = DISABLED
2023-07-17 12:45:03   show_digests = DISABLED
2023-07-17 12:45:03   show_engines = DISABLED
2023-07-17 12:45:03   genkey = DISABLED
2023-07-17 12:45:03   genkey_filename = '[UNDEF]'
2023-07-17 12:45:03   key_pass_file = '[UNDEF]'
2023-07-17 12:45:03   show_tls_ciphers = DISABLED
2023-07-17 12:45:03   connect_retry_max = 0
2023-07-17 12:45:03 Connection profiles [0]:
2023-07-17 12:45:03   proto = udp
2023-07-17 12:45:03   local = '[UNDEF]'
2023-07-17 12:45:03   local_port = '[UNDEF]'
2023-07-17 12:45:03   remote = 'xx.xx.xx.xx'
2023-07-17 12:45:03   remote_port = '1196'
2023-07-17 12:45:03   remote_float = DISABLED
2023-07-17 12:45:03   bind_defined = DISABLED
2023-07-17 12:45:03   bind_local = DISABLED
2023-07-17 12:45:03   bind_ipv6_only = DISABLED
2023-07-17 12:45:03   connect_retry_seconds = 10
2023-07-17 12:45:03   connect_timeout = 120
2023-07-17 12:45:03   socks_proxy_server = '[UNDEF]'
2023-07-17 12:45:03   socks_proxy_port = '[UNDEF]'
2023-07-17 12:45:03   tun_mtu = 1300
2023-07-17 12:45:03   tun_mtu_defined = ENABLED
2023-07-17 12:45:03   link_mtu = 1500
2023-07-17 12:45:03   link_mtu_defined = DISABLED
2023-07-17 12:45:03   tun_mtu_extra = 0
2023-07-17 12:45:03   tun_mtu_extra_defined = DISABLED
2023-07-17 12:45:03   tls_mtu = 1250
2023-07-17 12:45:03   mtu_discover_type = -1
2023-07-17 12:45:03   fragment = 0
2023-07-17 12:45:03   mssfix = 1300
2023-07-17 12:45:03   mssfix_encap = ENABLED
2023-07-17 12:45:03   mssfix_fixed = ENABLED
2023-07-17 12:45:03   explicit_exit_notification = 0
2023-07-17 12:45:03   tls_auth_file = '[UNDEF]'
2023-07-17 12:45:03   key_direction = not set
2023-07-17 12:45:03   tls_crypt_file = '[UNDEF]'
2023-07-17 12:45:03   tls_crypt_v2_file = '[INLINE]'
2023-07-17 12:45:03 Connection profiles END
2023-07-17 12:45:03   remote_random = DISABLED
2023-07-17 12:45:03   ipchange = '[UNDEF]'
2023-07-17 12:45:03   dev = 'tun'
2023-07-17 12:45:03   dev_type = '[UNDEF]'
2023-07-17 12:45:03   dev_node = '[UNDEF]'
2023-07-17 12:45:03   lladdr = '[UNDEF]'
2023-07-17 12:45:03   topology = 1
2023-07-17 12:45:03   ifconfig_local = '[UNDEF]'
2023-07-17 12:45:03   ifconfig_remote_netmask = '[UNDEF]'
2023-07-17 12:45:03 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:03   ifconfig_noexec = DISABLED
2023-07-17 12:45:03   ifconfig_nowarn = ENABLED
2023-07-17 12:45:03   ifconfig_ipv6_local = '[UNDEF]'
2023-07-17 12:45:03   ifconfig_ipv6_netbits = 0
2023-07-17 12:45:03   ifconfig_ipv6_remote = '[UNDEF]'
2023-07-17 12:45:03   shaper = 0
2023-07-17 12:45:03   mtu_test = 0
2023-07-17 12:45:03   mlock = DISABLED
2023-07-17 12:45:03   keepalive_ping = 0
2023-07-17 12:45:03   keepalive_timeout = 0
2023-07-17 12:45:03   inactivity_timeout = 0
2023-07-17 12:45:03   session_timeout = 0
2023-07-17 12:45:03   inactivity_minimum_bytes = 0
2023-07-17 12:45:03   ping_send_timeout = 0
2023-07-17 12:45:03   ping_rec_timeout = 0
2023-07-17 12:45:03   ping_rec_timeout_action = 0
2023-07-17 12:45:03   ping_timer_remote = DISABLED
2023-07-17 12:45:03   remap_sigusr1 = 0
2023-07-17 12:45:03   persist_tun = DISABLED
2023-07-17 12:45:03   persist_local_ip = DISABLED
2023-07-17 12:45:03   persist_remote_ip = DISABLED
2023-07-17 12:45:03   persist_key = DISABLED
2023-07-17 12:45:03   passtos = DISABLED
2023-07-17 12:45:03   resolve_retry_seconds = 60
2023-07-17 12:45:03   resolve_in_advance = DISABLED
2023-07-17 12:45:03   username = '[UNDEF]'
2023-07-17 12:45:03   groupname = '[UNDEF]'
2023-07-17 12:45:03   chroot_dir = '[UNDEF]'
2023-07-17 12:45:03   cd_dir = '[UNDEF]'
2023-07-17 12:45:03   writepid = '[UNDEF]'
2023-07-17 12:45:03   up_script = '[UNDEF]'
2023-07-17 12:45:03   down_script = '[UNDEF]'
2023-07-17 12:45:03   down_pre = DISABLED
2023-07-17 12:45:03   up_restart = DISABLED
2023-07-17 12:45:03   up_delay = DISABLED
2023-07-17 12:45:03 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:45:03   daemon = DISABLED
2023-07-17 12:45:03   log = DISABLED
2023-07-17 12:45:03   suppress_timestamps = DISABLED
2023-07-17 12:45:03   machine_readable_output = ENABLED
2023-07-17 12:45:03   nice = 0
2023-07-17 12:45:03   verbosity = 4
2023-07-17 12:45:03   mute = 0
2023-07-17 12:45:03   gremlin = 0
2023-07-17 12:45:03   status_file = '[UNDEF]'
2023-07-17 12:45:03   status_file_version = 1
2023-07-17 12:45:03   status_file_update_freq = 60
2023-07-17 12:45:03   occ = ENABLED
2023-07-17 12:45:03   rcvbuf = 0
2023-07-17 12:45:03   sndbuf = 0
2023-07-17 12:45:03   sockflags = 0
2023-07-17 12:45:03   fast_io = DISABLED
2023-07-17 12:45:03   comp.alg = 0
2023-07-17 12:45:03   comp.flags = 24
2023-07-17 12:45:03   route_script = '[UNDEF]'
2023-07-17 12:45:03   route_default_gateway = '[UNDEF]'
2023-07-17 12:45:03   route_default_metric = 0
2023-07-17 12:45:03   route_noexec = DISABLED
2023-07-17 12:45:03 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2023-07-17 12:45:03   route_delay = 0
2023-07-17 12:45:03   route_delay_window = 30
2023-07-17 12:45:03   route_delay_defined = DISABLED
2023-07-17 12:45:03   route_nopull = DISABLED
2023-07-17 12:45:03   route_gateway_via_dhcp = DISABLED
2023-07-17 12:45:03   allow_pull_fqdn = DISABLED
2023-07-17 12:45:03   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2023-07-17 12:45:03   management_port = 'unix'
2023-07-17 12:45:03   management_user_pass = '[UNDEF]'
2023-07-17 12:45:03   management_log_history_cache = 250
2023-07-17 12:45:03   management_echo_buffer_size = 100
2023-07-17 12:45:03   management_client_user = '[UNDEF]'
2023-07-17 12:45:03   management_client_group = '[UNDEF]'
2023-07-17 12:45:03   management_flags = 294
2023-07-17 12:45:03   shared_secret_file = '[UNDEF]'
2023-07-17 12:45:03   key_direction = not set
2023-07-17 12:45:03   ciphername = 'BF-CBC'
2023-07-17 12:45:03   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2023-07-17 12:45:03   authname = 'SHA1'
2023-07-17 12:45:03   engine = DISABLED
2023-07-17 12:45:03   replay = ENABLED
2023-07-17 12:45:03   mute_replay_warnings = DISABLED
2023-07-17 12:45:03   replay_window = 64
2023-07-17 12:45:03   replay_time = 15
2023-07-17 12:45:03   packet_id_file = '[UNDEF]'
2023-07-17 12:45:03   test_crypto = DISABLED
2023-07-17 12:45:03   tls_server = DISABLED
2023-07-17 12:45:03   tls_client = ENABLED
2023-07-17 12:45:03   ca_file = '[INLINE]'
2023-07-17 12:45:03   ca_path = '[UNDEF]'
2023-07-17 12:45:03   dh_file = '[UNDEF]'
2023-07-17 12:45:03   cert_file = '[INLINE]'
2023-07-17 12:45:03   extra_certs_file = '[UNDEF]'
2023-07-17 12:45:03   priv_key_file = '[INLINE]'
2023-07-17 12:45:03   pkcs12_file = '[UNDEF]'
2023-07-17 12:45:03   cipher_list = '[UNDEF]'
2023-07-17 12:45:03   cipher_list_tls13 = '[UNDEF]'
2023-07-17 12:45:03   tls_cert_profile = 'legacy'
2023-07-17 12:45:03   tls_verify = '[UNDEF]'
2023-07-17 12:45:03   tls_export_cert = '[UNDEF]'
2023-07-17 12:45:03   verify_x509_type = 2
2023-07-17 12:45:03   verify_x509_name = 'myserver.mydomain'
2023-07-17 12:45:03   crl_file = '[UNDEF]'
2023-07-17 12:45:03   ns_cert_type = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 65535
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_ku[i] = 0
2023-07-17 12:45:03   remote_cert_eku = 'TLS Web Server Authentication'
2023-07-17 12:45:03   ssl_flags = 192
2023-07-17 12:45:03   tls_timeout = 2
2023-07-17 12:45:03   renegotiate_bytes = -1
2023-07-17 12:45:03   renegotiate_packets = 0
2023-07-17 12:45:03   renegotiate_seconds = 3600
2023-07-17 12:45:03   handshake_window = 60
2023-07-17 12:45:03   transition_window = 3600
2023-07-17 12:45:03   single_session = DISABLED
2023-07-17 12:45:03   push_peer_info = ENABLED
2023-07-17 12:45:03   tls_exit = DISABLED
2023-07-17 12:45:03   tls_crypt_v2_metadata = '[UNDEF]'
2023-07-17 12:45:03   server_network = 0.0.0.0
2023-07-17 12:45:03   server_netmask = 0.0.0.0
2023-07-17 12:45:03   server_network_ipv6 = ::
2023-07-17 12:45:03   server_netbits_ipv6 = 0
2023-07-17 12:45:03   server_bridge_ip = 0.0.0.0
2023-07-17 12:45:03   server_bridge_netmask = 0.0.0.0
2023-07-17 12:45:03   server_bridge_pool_start = 0.0.0.0
2023-07-17 12:45:03   server_bridge_pool_end = 0.0.0.0
2023-07-17 12:45:03   ifconfig_pool_defined = DISABLED
2023-07-17 12:45:03   ifconfig_pool_start = 0.0.0.0
2023-07-17 12:45:03   ifconfig_pool_end = 0.0.0.0
2023-07-17 12:45:03   ifconfig_pool_netmask = 0.0.0.0
2023-07-17 12:45:03   ifconfig_pool_persist_filename = '[UNDEF]'
2023-07-17 12:45:03   ifconfig_pool_persist_refresh_freq = 600
2023-07-17 12:45:03   ifconfig_ipv6_pool_defined = DISABLED
2023-07-17 12:45:03   ifconfig_ipv6_pool_base = ::
2023-07-17 12:45:03   ifconfig_ipv6_pool_netbits = 0
2023-07-17 12:45:03   n_bcast_buf = 256
2023-07-17 12:45:03   tcp_queue_limit = 64
2023-07-17 12:45:03   real_hash_size = 256
2023-07-17 12:45:03   virtual_hash_size = 256
2023-07-17 12:45:03   client_connect_script = '[UNDEF]'
2023-07-17 12:45:03   learn_address_script = '[UNDEF]'
2023-07-17 12:45:03   client_disconnect_script = '[UNDEF]'
2023-07-17 12:45:03   client_crresponse_script = '[UNDEF]'
2023-07-17 12:45:03   client_config_dir = '[UNDEF]'
2023-07-17 12:45:03   ccd_exclusive = DISABLED
2023-07-17 12:45:03   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2023-07-17 12:45:03   push_ifconfig_defined = DISABLED
2023-07-17 12:45:03   push_ifconfig_local = 0.0.0.0
2023-07-17 12:45:03   push_ifconfig_remote_netmask = 0.0.0.0
2023-07-17 12:45:03   push_ifconfig_ipv6_defined = DISABLED
2023-07-17 12:45:03   push_ifconfig_ipv6_local = ::/0
2023-07-17 12:45:03   push_ifconfig_ipv6_remote = ::
2023-07-17 12:45:03   enable_c2c = DISABLED
2023-07-17 12:45:03   duplicate_cn = DISABLED
2023-07-17 12:45:03   cf_max = 0
2023-07-17 12:45:03   cf_per = 0
2023-07-17 12:45:03   cf_initial_max = 100
2023-07-17 12:45:03   cf_initial_per = 10
2023-07-17 12:45:03   max_clients = 1024
2023-07-17 12:45:03   max_routes_per_client = 256
2023-07-17 12:45:03   auth_user_pass_verify_script = '[UNDEF]'
2023-07-17 12:45:03   auth_user_pass_verify_script_via_file = DISABLED
2023-07-17 12:45:03   auth_token_generate = DISABLED
2023-07-17 12:45:03   auth_token_lifetime = 0
2023-07-17 12:45:03   auth_token_secret_file = '[UNDEF]'
2023-07-17 12:45:03   port_share_host = '[UNDEF]'
2023-07-17 12:45:03   port_share_port = '[UNDEF]'
2023-07-17 12:45:03   vlan_tagging = DISABLED
2023-07-17 12:45:03   vlan_accept = all
2023-07-17 12:45:03   vlan_pvid = 1
2023-07-17 12:45:03   client = ENABLED
2023-07-17 12:45:03   pull = ENABLED
2023-07-17 12:45:03   auth_user_pass_file = '[UNDEF]'
2023-07-17 12:45:03 OpenVPN 2.7-icsopenvpn [git:icsopenvpn/v0.7.45-0-gc6f83950] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 10 2023
2023-07-17 12:45:03 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-07-17 12:45:03 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2023-07-17 12:45:03 MANAGEMENT: CMD 'version 3'
2023-07-17 12:45:03 MANAGEMENT: CMD 'hold release'
2023-07-17 12:45:03 MANAGEMENT: CMD 'bytecount 2'
2023-07-17 12:45:03 MANAGEMENT: CMD 'state on'
2023-07-17 12:45:03 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-17 12:45:03 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-17 12:45:03 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2023-07-17 12:45:03 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2023-07-17 12:45:03 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-07-17 12:45:03 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1300 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-07-17 12:45:03 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1196
2023-07-17 12:45:03 Socket Buffers: R=[229376->229376] S=[229376->229376]
2023-07-17 12:45:03 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2023-07-17 12:45:03 UDPv4 link local: (not bound)
2023-07-17 12:45:03 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1196
2023-07-17 12:45:03 MANAGEMENT: >STATE:1689590703,WAIT,,,,,,
2023-07-17 12:45:03 MANAGEMENT: >STATE:1689590703,AUTH,,,,,,
2023-07-17 12:45:03 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1196, sid=8075a689 30dec0d1
2023-07-17 12:45:04 VERIFY OK: depth=1, CN=myserver.mydomain
2023-07-17 12:45:04 VERIFY KU OK
2023-07-17 12:45:04 Validating certificate extended key usage
2023-07-17 12:45:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-07-17 12:45:04 VERIFY EKU OK
2023-07-17 12:45:04 VERIFY X509NAME OK: CN=myserver.mydomain
2023-07-17 12:45:04 VERIFY OK: depth=0, CN=myserver.mydomain
2023-07-17 12:45:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 521 bit ECsecp521r1, signature: ecdsa-with-SHA512
2023-07-17 12:45:04 [myserver.mydomain] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1196
2023-07-17 12:45:04 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-07-17 12:45:04 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-07-17 12:45:04 PUSH: Received control message: 'PUSH_REPLY,route XX.XX.XX.XX.0 255.255.255.0,route YY.YY.YY.YY.0 255.255.255.0,route ZZ.ZZ.ZZ.ZZ.0 255.255.255.0,route 192.168.1.0 255.255.255.0,dhcp-option DNS 193.17.47.1,dhcp-option DNS 185.43.135.1,dhcp-option WINS aa.aa.aa.aa,route-gateway XX.XX.XX.XX.1,topology subnet,ping 60,ping-restart 600,ifconfig XX.XX.XX.XX.3 255.255.255.0,peer-id 0,cipher AES-256-GCM,protocol-flags cc-exit,tun-mtu 1500'
2023-07-17 12:45:04 OPTIONS IMPORT: --ifconfig/up options modified
2023-07-17 12:45:04 OPTIONS IMPORT: route options modified
2023-07-17 12:45:04 OPTIONS IMPORT: route-related options modified
2023-07-17 12:45:04 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-07-17 12:45:04 OPTIONS IMPORT: tun-mtu set to 1500
2023-07-17 12:45:04 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2023-07-17 12:45:04 do_ifconfig, ipv4=1, ipv6=0
2023-07-17 12:45:04 MANAGEMENT: >STATE:1689590704,ASSIGN_IP,,XX.XX.XX.XX.3,,,,
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2023-07-17 12:45:04 MANAGEMENT: >STATE:1689590704,ADD_ROUTES,,,,,,
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'DNSSERVER' ok'
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2023-07-17 12:45:04 Opening tun interface:
2023-07-17 12:45:04 Local IPv4: XX.XX.XX.XX.3/24 IPv6: (not set) MTU: 1500
2023-07-17 12:45:04 DNS Server: 193.17.47.1, 185.43.135.1, Domain: null
2023-07-17 12:45:04 Routes: 192.168.1.0/24, XX.XX.XX.XX.0/24, YY.YY.YY.YY.0/24, ZZ.ZZ.ZZ.ZZ.0/24 
2023-07-17 12:45:04 Routes excluded: 192.168.99.3/24 fd51:f00d:ddce:0:ac95:b9ff:fe4e:25ea/64, fe80:0:0:0:ac95:b9ff:fe4e:25ea/64
2023-07-17 12:45:04 Disallowed VPN apps: 
2023-07-17 12:45:04 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2023-07-17 12:45:04 Data Channel MTU parms [ mss_fix:1260 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-07-17 12:45:04 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-17 12:45:04 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-07-17 12:45:04 Initialization Sequence Completed
2023-07-17 12:45:04 MANAGEMENT: >STATE:1689590704,CONNECTED,SUCCESS,XX.XX.XX.XX.3,xx.xx.xx.xx,1196,,
2023-07-17 12:45:04 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2023-07-17 12:45:04 Timers: ping 60, ping-restart 600
2023-07-17 12:45:04 Protocol options: protocol-flags cc-exit
2023-07-17 12:45:04 Debug state info: CONNECTED  to WIFI , pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2023-07-17 12:45:13 Server poll timeout, trying next remote entry...
2023-07-17 12:45:13 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:13 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:45:23 Server poll timeout, trying next remote entry...
2023-07-17 12:45:23 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:23 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:45:33 Server poll timeout, trying next remote entry...
2023-07-17 12:45:33 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:34 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:45:43 Server poll timeout, trying next remote entry...
2023-07-17 12:45:44 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:44 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:45:54 Server poll timeout, trying next remote entry...
2023-07-17 12:45:54 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:45:54 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:46:04 Server poll timeout, trying next remote entry...
2023-07-17 12:46:04 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:46:04 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
2023-07-17 12:46:14 Server poll timeout, trying next remote entry...
2023-07-17 12:46:14 Contacting xx.xx.xx.xx:1196 via UDP
2023-07-17 12:46:14 Connecting to [xx.xx.xx.xx]:1196 (xx.xx.xx.xx) via UDP
mmokrejs commented 1 year ago

The tls direction dropdown in the app also determines if you use tls-auth/crypt or crypt v2. Like I said, you need to set direction to tls-crypt-v2

Aha, OK, so this does the trick, telling the app that the key is actually a crypt v2 key. I would not even open the option as it seems unrelated to my case. Please change its name as well.

Unfortunately, even the generated config file is the same, only the option tls-client was not added automatically. But the behavior is the same: TLS Error: could not determine wrapping from.

schwabe commented 1 year ago

tls-client is not an option you normally need as it is part of the client option that is probably already present in your configuration.

schwabe commented 1 year ago

As for your TLS Error: could not determine wrapping from that sounds like a misconfiguration on your part. Check your server log for more information.

mmokrejs commented 1 year ago

Although I thought I could safely run openvpn on another port and provide the same network to clients (for testing, before I transfer the config to the main instance on the default port), I think the problem was the two routes on the server. I stopped the server a number of times, and provided I disabled the preserve-* options, it should have been enough.

I also rebooted the phone to get rid of any forgotten routes (although I haven't seen any left by other phone apps).

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         xx.xx.xx.254   0.0.0.0         UG        0 0          0 enp0s3
xx.xx.xx.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s3
XX.XX.XX.0   0.0.0.0         255.255.255.0   U         0 0          0 tun0
XX.XX.XX.0   0.0.0.0         255.255.255.0   U         0 0          0 tun1

But the TLS Error: could not determine wrapping from error is gone once I changed the server config file from

server XX.XX.XX.0 255.255.255.0 to server WW.WW.WW.0 255.255.255.0.

Seems two openvpn instances cannot serve the same network. Another thing to check when the daemon is started, to save us from headaches.
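
The "thing to check when the daemon is started" suggested above, as a stand-alone script: read the server config of each instance on a host and report pairs whose server subnets overlap. This is example code written for this thread, not part of OpenVPN or ics-openvpn, and the three configs it reads are constructed; whether an overlap is the cause of the TLS error is left to the discussion.

```python
# Report OpenVPN server instances on one host whose "server NETWORK NETMASK"
# subnets overlap. Example code for this thread; not OpenVPN's own code.
import ipaddress
import itertools

# Constructed: instance name -> server config text (two of them clash).
SERVER_CONFIGS = {
    "main":  "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n",
    "test":  "port 1196\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n",
    "other": "port 1197\nproto udp\ndev tun\nserver 10.9.0.0 255.255.255.0\n",
}


def server_subnet(config_text):
    """Return the IPv4 network from the 'server NETWORK NETMASK' line, or None."""
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and parts[0] == "server":
            # strict=False tolerates a host bit set in NETWORK, as OpenVPN does not
            # require the address to be the exact network address.
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return None


def overlapping_instances(configs):
    """Return sorted (a, b) pairs of instance names whose server subnets overlap."""
    nets = {name: server_subnet(text) for name, text in configs.items()}
    clashes = []
    for (a, net_a), (b, net_b) in itertools.combinations(sorted(nets.items()), 2):
        if net_a is not None and net_b is not None and net_a.overlaps(net_b):
            clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for a, b in overlapping_instances(SERVER_CONFIGS):
        print(f"instances {a!r} and {b!r} serve overlapping subnets")
```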

schwabe commented 1 year ago

TLS wrapping has nothing to do with IP settings in OpenVPN. Since you are running multiple daemons, this sounds more like you somehow ended up messing it up another way.

mmokrejs commented 1 year ago

Other than that, the tls-crypt-v2 works. Neither the server nor the Android client app have any cipher, data-ciphers or data-ciphers-fallback set in their configs.

And thank you for your assistance.