
openvpn build with libressl-3.1.3 does not connect #23413

Closed
jkoderu-git opened this issue Jul 6, 2020 · 22 comments

Comments

@jkoderu-git
Contributor

System

  • xuname:
    Void 5.4.46_1 x86_64 AuthenticAMD uptodate hold rDF
  • package:
    openvpn-2.4.9_2

Expected behavior

Connect successfully to openvpn server

Actual behavior

Error is

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Full log

OpenVPN 2.4.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  4 2020
library versions: LibreSSL 3.1.3, LZO 2.10
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP1}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP1}:1194
TLS: Initial packet from [AF_INET]{IP1}:1194, sid=38277fca 0cce7134
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP2}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP2}:1194

Steps to reproduce the behavior

Connect to protonvpn with protonvpn-cli.

Downgrading to openvpn-2.4.9_1 works and it connects. Upgrading to openvpn-2.4.9_2 gives the issue above.

Where is the problem? LibreSSL, Void packaging?

@Johnnynator
Member

Can you check if this only affects UDP connection, and not TCP?

@TinCanTech

Also, see your server log.

@jkoderu-git
Contributor Author

Can you check if this only affects UDP connection, and not TCP?

NOTE: --fast-io is disabled since we are not using UDP
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP}:443
Socket Buffers: R=[131072->131072] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]{IP}:443 [nonblock]
TCP connection established with [AF_INET]{IP}:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]{IP}:443
TLS: Initial packet from [AF_INET]{IP}:443, sid=d28975c1 7e6b3c32
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
Restart pause, 5 second(s)

It is a loop.

Also, see your server log.

It is not my server. I have protonvpn.

@TinCanTech

Note:

  1. OpenVPN does not officially support LibreSSL. (It may or may not work)
  2. If LibreSSL 3.x is equivalent to OpenSSL 3.x then it is, at best, currently experimental.
  3. ProtonVPN obviously do not provide support for this.

A much more suitable test would be for you to setup your own server.

@ericonr
Member

ericonr commented Jul 6, 2020

We might need some patches from https://openports.se/net/openvpn

@Johnnynator
Member

Can you run openvpn with more verbose output --verb 6 (or even higher) and check which cipher it tries to use?

@TinCanTech

--verb 4 is more suitable, any higher is mainly for debugging openvpn code.

@jkoderu-git
Contributor Author

jkoderu-git commented Jul 8, 2020

tcp6.txt
udp6.txt
tcp11.txt

@HadetTheUndying
Contributor

This is affecting protonvpn-cli as well, since openvpn is a requirement.

@TinCanTech

TinCanTech commented Jul 10, 2020

Why do you expect ProtonVPN to support a version 3.x (development) SSL library?

Especially one which OpenVPN themselves do not support ...

@Johnnynator
Member

LibreSSL 3.1.3 is NOT a development library. The versioning does not match the OpenSSL one. Furthermore, the server does not have to care about the version of a client lib, as long as both ends work correctly (and either one of them doesn't).

@TinCanTech

Sure but

  1. OpenVPN clearly state that they do not support LibreSSL
  2. You do not have access to ProtonVPN servers therefore have no idea why the connection fails.

@HadetTheUndying
Contributor

@TinCanTech it was working fine until this update, hence why I was reporting. Also, as stated, it is not a development release. For me this is just more indication that it's time to switch back to openssl. Between these kinds of issues and the ABI issues, the choice to use libressl, now that the issues surrounding heartbleed have long since been remedied, is mostly an exercise in frustration.

@Johnnynator
Member

Johnnynator commented Jul 10, 2020

  1. You do not have access to ProtonVPN servers therefore have no idea why the connection fails.

Yes, I agree it would be far better if someone does provide a server side configuration + logs that do fail. I don't have any failing setup right now, and don't know why ProtonVPN fails.

@TinCanTech

Furthermore the Server does not have to care about the version of a client lib

I am not particularly familiar with LibreSSL but OpenVPN use an SSL/TLS Cipher suite name translation table (see ssl.c in the OpenVPN source tree) for OpenSSL .. so I think it is very likely that the server and client use SSL libraries which match this OpenVPN translation on both ends.

This

is mostly an exercise in frustration

Indeed ..

Yes, I agree it would be far better if someone does provide a server side configuration + logs that do fail. I don't have any failing setup right now, and don't know why ProtonVPN fails

Setup two servers; One using OpenSSL and the other using LibreSSL.

I'll stay tuned but I'll leave you to it .. good luck.

@mvf
Contributor

mvf commented Jul 11, 2020

Workaround for the desperate:

# xi libssl47
# LD_PRELOAD=/usr/lib/libssl.so.47 openvpn [...]

Personally I switched my openvpn to mbedtls for now, and this also works.

And yes, it's probably time we went back to OpenSSL.

@jkoderu-git
Contributor Author

jkoderu-git commented Jul 12, 2020

To reproduce, download the .ovpn from protonvpn and add tls-version-max 1.2. I don't know with protonvpn-cli; I modified template.ovpn and connenct.ovpn but it resets to its options. Though I recommend protonvpn-cli for DNS leak protection.

EDIT: follow libressl/portable#601
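A small script, added here as an example and not taken from the issue or Void's openvpn package, that checks the "library versions:" line of `openvpn --version` for an affected LibreSSL and applies the `tls-version-max 1.2` workaround described above to a client config. It assumes that any LibreSSL older than 3.1.4 is affected; the thread itself only reports 3.1.3 failing and 3.1.4 working.

```shell
#!/bin/sh
# Added example (not from the issue or Void's openvpn package).
# The thread reports the TLS handshake looping with openvpn linked against
# LibreSSL 3.1.3, and working again with 3.1.4 or with the client-side
# directive "tls-version-max 1.2". Assumption: every LibreSSL older than
# 3.1.4 is treated as affected.

# Exit 0 when the output of `openvpn --version` ($1) names an affected
# LibreSSL; exit 1 for LibreSSL >= 3.1.4 or a non-LibreSSL build (OpenSSL, mbedTLS).
libressl_needs_tls12_cap() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*LibreSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    # split "major.minor.patch" and compare as a single integer against 3.1.4
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    num=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
    [ "$num" -lt 30104 ]
}

# Ensure the client config ($1) carries exactly one "tls-version-max 1.2" line:
# an existing tls-version-max directive is rewritten, otherwise one is appended.
add_tls12_cap() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    if grep -q '^[[:space:]]*tls-version-max' "$cfg"; then
        sed 's/^[[:space:]]*tls-version-max.*/tls-version-max 1.2/' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'tls-version-max 1.2\n' >> "$cfg"
    fi
}

# Usage: sh this_script.sh client.ovpn   (acts only when openvpn is on PATH)
if [ -n "${1:-}" ] && command -v openvpn >/dev/null 2>&1; then
    if libressl_needs_tls12_cap "$(openvpn --version 2>&1)"; then
        add_tls12_cap "$1" && echo "capped TLS at 1.2 in $1"
    fi
fi
```

The cap only affects the control channel's TLS version; once a LibreSSL release that negotiates TLS 1.3 with OpenVPN servers is installed, the line can be removed again.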

@HadetTheUndying
Contributor

So the latest openvpn update partially fixed this issue. I'm not getting hangs on connection where it seems like it's partially connecting but never fully.

@HadetTheUndying
Contributor

HadetTheUndying commented Aug 17, 2020

I just wanted to update that ProtonVPN does connect now; I'm not sure when it started working. It does take a while to complete the connection. I'm not sure what causes the slowdown, but it took over a minute.

hadet@endurance ~ $ protonvpn c --fastest
Connecting to US-IL#34 via UDP...
Connected!
hadet@endurance ~ $ ping google.com
PING google.com (172.217.8.206) 56(84) bytes of data.
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=1 ttl=117 time=58.3 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=2 ttl=117 time=52.4 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=3 ttl=117 time=81.5 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=4 ttl=117 time=75.2 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=5 ttl=117 time=78.1 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=6 ttl=117 time=56.9 ms

If anyone else can confirm, I think it might be safe to close the issue.

@jkoderu-git
Contributor Author

jkoderu-git commented Aug 22, 2020

@HadetTheUndying I downgraded to openvpn-2.4.9_2 and it works again. But now I am using openvpn built with libressl 3.1.4 in order to have other TLS1.3 fixes included libressl/portable#601 (comment). Can the openvpn from repository be switched back to libressl?

@ericonr
Member

ericonr commented Jan 21, 2021

Ping?

@travankor
Contributor

travankor commented Jan 22, 2021

Yes, this was fixed a while ago.

We should switch the build option back to openssl whenever Void drops libressl.

@ericonr ericonr closed this as completed Jan 22, 2021