Github messages for voidlinux
* [ISSUE] openvpn build with libressl-3.1.3 does not connect
@ 2020-07-06 11:39 jkoderu-git
  2020-07-06 13:03 ` Johnnynator
                   ` (32 more replies)
  0 siblings, 33 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-06 11:39 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2069 bytes --]

New issue by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413

Description:
### System

* xuname:  
  *Void 5.4.46_1 x86_64 AuthenticAMD uptodate hold rDF*
* package:  
  *openvpn-2.4.9_2*

### Expected behavior
Connect successfully to openvpn server
### Actual behavior
Error is
```
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
```
Full log
```
OpenVPN 2.4.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  4 2020
library versions: LibreSSL 3.1.3, LZO 2.10
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP1}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP1}:1194
TLS: Initial packet from [AF_INET]{IP1}:1194, sid=38277fca 0cce7134
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP2}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP2}:1194
```
### Steps to reproduce the behavior

Connect to protonvpn with protonvpn-cli.

Downgrading to `openvpn-2.4.9_1` works and it connects. Upgrading to `openvpn-2.4.9_2` gives the above issue.

Where is the problem? Libressl, void packaging?

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
@ 2020-07-06 13:03 ` Johnnynator
  2020-07-06 13:26 ` TinCanTech
                   ` (31 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Johnnynator @ 2020-07-06 13:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 210 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654221518

Comment:
Can you check if this only affects UDP connection, and not TCP?

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
  2020-07-06 13:03 ` Johnnynator
@ 2020-07-06 13:26 ` TinCanTech
  2020-07-06 16:15 ` jkoderu-git
                   ` (30 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-06 13:26 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 172 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654236621

Comment:
Also, see your server log.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
  2020-07-06 13:03 ` Johnnynator
  2020-07-06 13:26 ` TinCanTech
@ 2020-07-06 16:15 ` jkoderu-git
  2020-07-06 18:13 ` TinCanTech
                   ` (29 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-06 16:15 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 879 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654332708

Comment:
>Can you check if this only affects UDP connection, and not TCP?
```
NOTE: --fast-io is disabled since we are not using UDP
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP}:443
Socket Buffers: R=[131072->131072] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]{IP}:443 [nonblock]
TCP connection established with [AF_INET]{IP}:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]{IP}:443
TLS: Initial packet from [AF_INET]{IP}:443, sid=d28975c1 7e6b3c32
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
Restart pause, 5 second(s)
```
It is a loop.
>Also, see your server log.

It is not my server. I have protonvpn.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (2 preceding siblings ...)
  2020-07-06 16:15 ` jkoderu-git
@ 2020-07-06 18:13 ` TinCanTech
  2020-07-06 18:27 ` ericonr
                   ` (28 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-06 18:13 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 454 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654389532

Comment:
Note: 
1. OpenVPN does **not** officially support LibreSSL. (It may or may not work)
1. If LibreSSL 3.x is equivalent to OpenSSL 3.x then it is, at best, currently experimental.
1. ProtonVPN obviously do not provide support for this.

A much more suitable test would be for you to setup your own server.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (3 preceding siblings ...)
  2020-07-06 18:13 ` TinCanTech
@ 2020-07-06 18:27 ` ericonr
  2020-07-06 18:58 ` jkoderu-git
                   ` (27 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: ericonr @ 2020-07-06 18:27 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654395970

Comment:
We might need some patches from https://openports.se/net/openvpn

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (4 preceding siblings ...)
  2020-07-06 18:27 ` ericonr
@ 2020-07-06 18:58 ` jkoderu-git
  2020-07-08 14:43 ` Johnnynator
                   ` (26 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-06 18:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 588 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-654410014

Comment:
> Note:
> OpenVPN does not officially support LibreSSL. (It may or may not work)
> If LibreSSL 3.x is equivalent to OpenSSL 3.x then it is, at best, currently experimental.

It is not me that updated the libressl in the repository and rebuilt packages.

> ProtonVPN obviously do not provide support for this.
> A much more suitable test would be for you to setup your own server.

https://github.com/kisslinux/repo/issues/192#issue-621176611

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (5 preceding siblings ...)
  2020-07-06 18:58 ` jkoderu-git
@ 2020-07-08 14:43 ` Johnnynator
  2020-07-08 15:06 ` TinCanTech
                   ` (25 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Johnnynator @ 2020-07-08 14:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 259 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-655564062

Comment:
Can you run openvpn with more verbose output `--verb 6` (or even higher) and check which cipher it tries to use?

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (6 preceding siblings ...)
  2020-07-08 14:43 ` Johnnynator
@ 2020-07-08 15:06 ` TinCanTech
  2020-07-08 17:44 ` jkoderu-git
                   ` (24 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-08 15:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 223 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-655577732

Comment:
`--verb 4` is more suitable, any higher is mainly for debugging openvpn code.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (7 preceding siblings ...)
  2020-07-08 15:06 ` TinCanTech
@ 2020-07-08 17:44 ` jkoderu-git
  2020-07-10 13:40 ` HadetTheUndying
                   ` (23 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-08 17:44 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 438 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-655662547

Comment:
@Johnnynator I do not read a cipher problem

[tcp6.txt](https://github.com/void-linux/void-packages/files/4892345/tcp6.txt)
[udp6.txt](https://github.com/void-linux/void-packages/files/4892349/udp6.txt)
[tcp11.txt](https://github.com/void-linux/void-packages/files/4892351/tcp11.txt)



^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (8 preceding siblings ...)
  2020-07-08 17:44 ` jkoderu-git
@ 2020-07-10 13:40 ` HadetTheUndying
  2020-07-10 15:55 ` TinCanTech
                   ` (22 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: HadetTheUndying @ 2020-07-10 13:40 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 223 bytes --]

New comment by HadetTheUndying on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656682745

Comment:
This is affecting `protonvpn-cli` as well since openvpn is a requirement

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (9 preceding siblings ...)
  2020-07-10 13:40 ` HadetTheUndying
@ 2020-07-10 15:55 ` TinCanTech
  2020-07-10 15:57 ` TinCanTech
                   ` (21 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-10 15:55 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 226 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656749410

Comment:
Why do you expect Protonvpn to support a version 3.x (development) SSL library ?

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (10 preceding siblings ...)
  2020-07-10 15:55 ` TinCanTech
@ 2020-07-10 15:57 ` TinCanTech
  2020-07-10 15:57 ` TinCanTech
                   ` (20 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-10 15:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 290 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656749410

Comment:
Why do you expect Protonvpn to support a version 3.x (development) SSL library ?

Especially one which OpenVPN themselves do **not** support ?

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (11 preceding siblings ...)
  2020-07-10 15:57 ` TinCanTech
@ 2020-07-10 15:57 ` TinCanTech
  2020-07-10 15:58 ` Johnnynator
                   ` (19 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-10 15:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 292 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656749410

Comment:
Why do you expect Protonvpn to support a version 3.x (development) SSL library ?

Especially one which OpenVPN themselves do **not** support ...

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (12 preceding siblings ...)
  2020-07-10 15:57 ` TinCanTech
@ 2020-07-10 15:58 ` Johnnynator
  2020-07-10 16:02 ` TinCanTech
                   ` (18 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Johnnynator @ 2020-07-10 15:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 392 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656750774

Comment:
LibreSSL 3.1.3 is NOT a development library. The versioning does not match with the OpenSSL one. Furthermore the Server does not have to care about the version of a client lib, as long as both ends work correctly (and either one of them doesn't)

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (13 preceding siblings ...)
  2020-07-10 15:58 ` Johnnynator
@ 2020-07-10 16:02 ` TinCanTech
  2020-07-10 16:04 ` HadetTheUndying
                   ` (17 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-10 16:02 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 314 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656753309

Comment:
Sure but 

1. OpenVPN clearly state that they do not support LibreSSL
1. You do not have access to ProtonVPN servers therefore have no idea why the connection fails.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (14 preceding siblings ...)
  2020-07-10 16:02 ` TinCanTech
@ 2020-07-10 16:04 ` HadetTheUndying
  2020-07-10 16:07 ` Johnnynator
                   ` (16 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: HadetTheUndying @ 2020-07-10 16:04 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]

New comment by HadetTheUndying on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656754420

Comment:
@TinCanTech it was working fine until this update, hence why I was reporting. Also as stated it is not a development release. For me this is just more indication that it's time to switch back to openssl. Between these kinds of issues and the ABI issues, the choice to use libressl, now that the issues surrounding heartbleed have long since been remedied, is mostly an exercise in frustration.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (15 preceding siblings ...)
  2020-07-10 16:04 ` HadetTheUndying
@ 2020-07-10 16:07 ` Johnnynator
  2020-07-10 16:09 ` Johnnynator
                   ` (15 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: Johnnynator @ 2020-07-10 16:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 438 bytes --]

New comment by Johnnynator on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656755864

Comment:
>     2. You do not have access to ProtonVPN servers therefore have no idea why the connection fails.

Yes, I agree it would be far better if someone does provide a server side configuration + logs that do fail. I don't have any failing setup right now, and don't know why ProtonVPN fails.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (17 preceding siblings ...)
  2020-07-10 16:09 ` Johnnynator
@ 2020-07-10 16:29 ` TinCanTech
  2020-07-11 13:25 ` mvf
                   ` (13 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: TinCanTech @ 2020-07-10 16:29 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 905 bytes --]

New comment by TinCanTech on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-656766406

Comment:
> Furthermore the Server does not have to care about the version of a client lib

I am not particularly familiar with LibreSSL but OpenVPN use an `SSL/TLS Cipher suite name translation table` (see `ssl.c` in the OpenVPN source tree) for OpenSSL .. so I think it is very likely that the server and client use SSL libraries which match this OpenVPN translation on both ends.

This

> is mostly an exercise in frustration

Indeed ..

> Yes, I agree it would be far better if someone does provide a server side configuration + logs that do fail. I don't have any failing setup right now, and don't know why ProtonVPN fails

Setup two servers; One using OpenSSL and the other using LibreSSL.

I'll stay tuned but I'll leave you to it .. good luck.


^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (18 preceding siblings ...)
  2020-07-10 16:29 ` TinCanTech
@ 2020-07-11 13:25 ` mvf
  2020-07-12 10:54 ` jkoderu-git
                   ` (12 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: mvf @ 2020-07-11 13:25 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 378 bytes --]

New comment by mvf on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-657061879

Comment:
Workaround for the desperate:
```
# xi libssl47
# LD_PRELOAD=/usr/lib/libssl.so.47 openvpn [...]
```
Personally I switched my `openvpn` to `mbedtls` for now, and this also works.

And yes, it's probably time we went back to OpenSSL.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (20 preceding siblings ...)
  2020-07-12 10:54 ` jkoderu-git
@ 2020-07-12 11:38 ` jkoderu-git
  2020-07-12 17:03 ` HadetTheUndying
                   ` (10 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-12 11:38 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 836 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-657210078

Comment:
I found the problem, hopefully no need to switch to openssl.

Openvpn with Libressl 3.1.3 negotiates TLS1.3, but afterwards the Protonvpn servers force their TLS1.2 ciphers with option `ncp-ciphers`. The problem is the use of TLS1.2 ciphers in a TLS1.3 connection.

On the libressl 3.1.1 changelog:
```
Improved cipher suite handling to automatically include TLSv1.3 cipher
     suites when they are not explicitly referred to in the cipher string.
```

To reproduce, download the .ovpn from protonvpn and add `tls-version-max 1.2`. I don't know with protonvpn-cli, I modified template.ovpn and connect.ovpn but it resets to its options. Though I recommend protonvpn-cli for dns leak protection.

^ permalink raw reply	[flat|nested] 34+ messages in thread
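
The check and workaround described in the comment above, as an added example that is not part of the original thread: it looks for a LibreSSL link plus a failed handshake in a client log, then writes a copy of a provider `.ovpn` file capped with `tls-version-max 1.2`. Function names, file names and the sample files are constructed for illustration; the 3.1.1 threshold is an assumption taken from the changelog entry quoted in that comment.

```sh
#!/bin/sh
# Added example. All function and file names are hypothetical.

# version_ge A B: succeed when dotted version A >= B (first three fields).
version_ge() {
    _a=$1 _b=$2
    _ifs=$IFS; IFS=.
    set -- $_a; _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $_b; _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    IFS=$_ifs
    if [ "$_a1" -ne "$_b1" ]; then
        if [ "$_a1" -gt "$_b1" ]; then return 0; else return 1; fi
    fi
    if [ "$_a2" -ne "$_b2" ]; then
        if [ "$_a2" -gt "$_b2" ]; then return 0; else return 1; fi
    fi
    if [ "$_a3" -ge "$_b3" ]; then return 0; else return 1; fi
}

# libressl_version LOG: print the LibreSSL version from the
# "library versions:" line of an OpenVPN log, or nothing if absent.
libressl_version() {
    sed -n 's/^.*library versions: LibreSSL \([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# needs_tls12_cap LOG: succeed when the log shows the combination reported
# in the thread: LibreSSL >= 3.1.1 (assumed threshold) and a handshake
# failure or connection reset.
needs_tls12_cap() {
    _ver=$(libressl_version "$1")
    [ -n "$_ver" ] || return 1
    version_ge "$_ver" 3.1.1 || return 1
    grep -Eq 'TLS Error: TLS handshake failed|Connection reset, restarting' "$1"
}

# cap_tls12 IN OUT: copy IN to OUT with exactly one tls-version-max line,
# set to 1.2. Any existing tls-version-max directive is dropped first, so
# running it on its own output changes nothing.
# Workaround only: remove the cap once the client connects without it.
cap_tls12() {
    {
        grep -Ev '^[[:space:]]*tls-version-max([[:space:]]|$)' "$1" || true
        printf 'tls-version-max 1.2\n'
    } > "$2"
}

# write_samples DIR: constructed inputs (log lines copied from the first
# message of the thread; the .ovpn content is made up).
write_samples() {
    cat > "$1/client.log" <<'EOF'
OpenVPN 2.4.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  4 2020
library versions: LibreSSL 3.1.3, LZO 2.10
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
EOF
    cat > "$1/provider.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
tls-version-max 1.3
cipher AES-256-CBC
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"

if needs_tls12_cap "$tmp/client.log"; then
    cap_tls12 "$tmp/provider.ovpn" "$tmp/provider-tls12.ovpn"
    echo "LibreSSL $(libressl_version "$tmp/client.log") with failed handshake: capped copy written"
    grep -n '^tls-version-max' "$tmp/provider-tls12.ovpn"
else
    echo "log does not match the pattern from the thread"
fi
```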

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (21 preceding siblings ...)
  2020-07-12 11:38 ` jkoderu-git
@ 2020-07-12 17:03 ` HadetTheUndying
  2020-07-12 17:26 ` jkoderu-git
                   ` (9 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: HadetTheUndying @ 2020-07-12 17:03 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 306 bytes --]

New comment by HadetTheUndying on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-657249828

Comment:
So the latest openvpn update partially fixed this issue. I'm not getting hangs on connection where it seems like it's partially connecting but never fully.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (22 preceding siblings ...)
  2020-07-12 17:03 ` HadetTheUndying
@ 2020-07-12 17:26 ` jkoderu-git
  2020-08-17 15:06 ` HadetTheUndying
                   ` (8 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-07-12 17:26 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 460 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-657210078

Comment:
To reproduce, download the .ovpn from protonvpn and add `tls-version-max 1.2`. I don't know with protonvpn-cli, I modified template.ovpn and connect.ovpn but it resets to its options. Though I recommend protonvpn-cli for dns leak protection.

EDIT: follow https://github.com/libressl-portable/portable/issues/601

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (23 preceding siblings ...)
  2020-07-12 17:26 ` jkoderu-git
@ 2020-08-17 15:06 ` HadetTheUndying
  2020-08-17 15:07 ` HadetTheUndying
                   ` (7 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: HadetTheUndying @ 2020-08-17 15:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 541 bytes --]

New comment by HadetTheUndying on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-674936953

Comment:
I just wanted to update that ProtonVPN does connect now, I'm not sure when it started working. It does take a while to complete the connection, I'm not sure what causes the slowdown but it took over a minute.

```
hadet@endurance  ~  protonvpn c --fastest 
Connecting to US-IL#34 via UDP...
Connected!
```
If anyone else can confirm I think it might be safe to close the issue.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (24 preceding siblings ...)
  2020-08-17 15:06 ` HadetTheUndying
@ 2020-08-17 15:07 ` HadetTheUndying
  2020-08-22 12:45 ` jkoderu-git
                   ` (6 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: HadetTheUndying @ 2020-08-17 15:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1180 bytes --]

New comment by HadetTheUndying on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-674936953

Comment:
I just wanted to update that ProtonVPN does connect now, I'm not sure when it started working. It does take a while to complete the connection, I'm not sure what causes the slowdown but it took over a minute.

```
hadet@endurance  ~  protonvpn c --fastest 
Connecting to US-IL#34 via UDP...
Connected!
 hadet@endurance  ~  ping google.com
PING google.com (172.217.8.206) 56(84) bytes of data.
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=1 ttl=117 time=58.3 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=2 ttl=117 time=52.4 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=3 ttl=117 time=81.5 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=4 ttl=117 time=75.2 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=5 ttl=117 time=78.1 ms
64 bytes from ord37s09-in-f14.1e100.net (172.217.8.206): icmp_seq=6 ttl=117 time=56.9 ms
```
If anyone else can confirm I think it might be safe to close the issue.

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (25 preceding siblings ...)
  2020-08-17 15:07 ` HadetTheUndying
@ 2020-08-22 12:45 ` jkoderu-git
  2020-08-22 13:33 ` jkoderu-git
                   ` (5 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-08-22 12:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 391 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-655662547

Comment:
[tcp6.txt](https://github.com/void-linux/void-packages/files/4892345/tcp6.txt)
[udp6.txt](https://github.com/void-linux/void-packages/files/4892349/udp6.txt)
[tcp11.txt](https://github.com/void-linux/void-packages/files/4892351/tcp11.txt)



^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (26 preceding siblings ...)
  2020-08-22 12:45 ` jkoderu-git
@ 2020-08-22 13:33 ` jkoderu-git
  2020-08-22 13:33 ` jkoderu-git
                   ` (4 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-08-22 13:33 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 450 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-678641858

Comment:
@HadetTheUndying I downgraded to openvpn-2.4.9_2 and it works again. But now I am using openvpn built with libressl 3.1.4 in order to have other TLS1.3 fixes included https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt. Can the openvpn from repository be switched back to libressl? 

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (27 preceding siblings ...)
  2020-08-22 13:33 ` jkoderu-git
@ 2020-08-22 13:33 ` jkoderu-git
  2021-01-21 17:54 ` ericonr
                   ` (3 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: jkoderu-git @ 2020-08-22 13:33 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 457 bytes --]

New comment by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-678641858

Comment:
@HadetTheUndying I downgraded to openvpn-2.4.9_2 and it works again. But now I am using openvpn built with libressl 3.1.4 in order to have other TLS1.3 fixes included https://github.com/libressl-portable/portable/issues/601#issuecomment-678587448. Can the openvpn from repository be switched back to libressl? 

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (28 preceding siblings ...)
  2020-08-22 13:33 ` jkoderu-git
@ 2021-01-21 17:54 ` ericonr
  2021-01-22  9:46 ` travankor
                   ` (2 subsequent siblings)
  32 siblings, 0 replies; 34+ messages in thread
From: ericonr @ 2021-01-21 17:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 148 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-764828181

Comment:
Ping?


* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (29 preceding siblings ...)
  2021-01-21 17:54 ` ericonr
@ 2021-01-22  9:46 ` travankor
  2021-01-22  9:47 ` travankor
  2021-01-22 13:12 ` [ISSUE] [CLOSED] " ericonr
  32 siblings, 0 replies; 34+ messages in thread
From: travankor @ 2021-01-22  9:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 246 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-765280152

Comment:
Yes, this was fixed a while ago.

We should switch it back to openssl whenever Void drops libressl.


* Re: openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (30 preceding siblings ...)
  2021-01-22  9:46 ` travankor
@ 2021-01-22  9:47 ` travankor
  2021-01-22 13:12 ` [ISSUE] [CLOSED] " ericonr
  32 siblings, 0 replies; 34+ messages in thread
From: travankor @ 2021-01-22  9:47 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

New comment by travankor on void-packages repository

https://github.com/void-linux/void-packages/issues/23413#issuecomment-765280152

Comment:
Yes, this was fixed a while ago.

We should switch the build option back to openssl whenever Void drops libressl.


* Re: [ISSUE] [CLOSED] openvpn build with libressl-3.1.3 does not connect
  2020-07-06 11:39 [ISSUE] openvpn build with libressl-3.1.3 does not connect jkoderu-git
                   ` (31 preceding siblings ...)
  2021-01-22  9:47 ` travankor
@ 2021-01-22 13:12 ` ericonr
  32 siblings, 0 replies; 34+ messages in thread
From: ericonr @ 2021-01-22 13:12 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 2072 bytes --]

Closed issue by jkoderu-git on void-packages repository

https://github.com/void-linux/void-packages/issues/23413

Description:
<!-- Don't request update of package. We have a script for that. https://alpha.de.repo.voidlinux.org/void-updates/void-updates.txt . However, a quality pull request may help. -->
### System

* xuname:  
  *Void 5.4.46_1 x86_64 AuthenticAMD uptodate hold rDF*
* package:  
  *openvpn-2.4.9_2*

### Expected behavior
Connect successfully to openvpn server
### Actual behavior
Error is
```
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
```
Full log
```
OpenVPN 2.4.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  4 2020
library versions: LibreSSL 3.1.3, LZO 2.10
Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP1}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP1}:1194
TLS: Initial packet from [AF_INET]{IP1}:1194, sid=38277fca 0cce7134
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
TCP/UDP: Preserving recently used remote address: [AF_INET]{IP2}:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]{IP2}:1194
```
### Steps to reproduce the behavior

Connect to protonvpn with protonvpn-cli.

Downgrading to `openvpn-2.4.9_1` works and it connects. Upgrading to `openvpn-2.4.9_2` gives the above issue.

Where is the problem? Libressl, void packaging?

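A triage sketch for the log quoted in the issue above, added here as an example (not code from the thread or from the Void or OpenVPN projects). It reads the linked TLS library from the `library versions:` line, since the `[SSL (OpenSSL)]` build banner names the API backend rather than the library, and it separates handshake timeouts where the peer had already replied from ones where it never did. The function name `triage` and the result labels are invented for this example; `Initialization Sequence Completed` is OpenVPN's usual success line and does not appear in this log.

```python
import re

# Constructed input: lines copied from the log quoted in the issue above.
SAMPLE_LOG = """\
OpenVPN 2.4.9 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  4 2020
library versions: LibreSSL 3.1.3, LZO 2.10
UDP link remote: [AF_INET]{IP1}:1194
TLS: Initial packet from [AF_INET]{IP1}:1194, sid=38277fca 0cce7134
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
UDP link remote: [AF_INET]{IP2}:1194
"""

LIB_RE = re.compile(r"library versions: (\S+) ([\d.]+[a-z]?)")
REMOTE_RE = re.compile(r"link remote: \[AF_INET6?\](\S+)")


def triage(log_text):
    """Return (ssl_library, attempts) for an OpenVPN client log.

    ssl_library is (name, version) from the 'library versions:' line.
    Each attempt records the remote, whether the peer sent a first
    packet, and a result label (labels are this example's own):
      tls-negotiation  peer replied, handshake still timed out
      no-reply         handshake timed out and the peer never replied
      connected        'Initialization Sequence Completed' was logged
      pending          the log ends before any outcome
    """
    ssl_library, attempts = None, []
    for line in log_text.splitlines():
        m = LIB_RE.search(line)
        if m:
            ssl_library = (m.group(1), m.group(2))
        m = REMOTE_RE.search(line)
        if m:  # a new connection attempt starts here
            attempts.append({"remote": m.group(1),
                             "peer_replied": False,
                             "result": "pending"})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if "TLS: Initial packet from" in line:
            cur["peer_replied"] = True
        elif "TLS key negotiation failed" in line:
            cur["result"] = ("tls-negotiation" if cur["peer_replied"]
                             else "no-reply")
        elif "Initialization Sequence Completed" in line:
            cur["result"] = "connected"
    return ssl_library, attempts
```

On the issue's log the first attempt is labelled `tls-negotiation`: the server's first packet arrived, so the timeout points at the TLS exchange rather than at the connectivity the error text suggests checking.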
