Morning guys!
Experiencing the same issue, with the same TLS error and tried the following:
Without any changes to the config file, which is provided by the VPN server
sudo openvpn --config Development/Keystore/vpn/17-05-2024/my_openvpn_file.ovpn
2024-05-18 14:33:03 TCP/UDP: Preserving recently used remote address: [AF_INET]<IPV4>:443
2024-05-18 14:33:03 Socket Buffers: <REDACT>
2024-05-18 14:33:03 Attempting to establish TCP connection with [AF_INET]<IPV4>:443
2024-05-18 14:33:03 TCP connection established with [AF_INET]<IPV4>:443
2024-05-18 14:33:03 TCPv4_CLIENT link local: (not bound)
2024-05-18 14:33:03 TCPv4_CLIENT link remote: [AF_INET]<IPV4>:443
2024-05-18 14:33:03 TLS: Initial packet from [AF_INET]<IPV4>:443,
2024-05-18 14:33:03 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: <COUNTRY>, <LOCALITY>, <ORG>>., <CN>>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 14:33:03 Sent fatal SSL alert: bad certificate
2024-05-18 14:33:03 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2024-05-18 14:33:03 TLS_ERROR: BIO read tls_read_plaintext error
2024-05-18 14:33:03 TLS Error: TLS object -> incoming plaintext read error
2024-05-18 14:33:03 TLS Error: TLS handshake failed
2024-05-18 14:33:03 Fatal TLS error (check_tls_errors_co), restarting
2024-05-18 14:33:03 SIGUSR1[soft,tls-error] received, process restarting
2024-05-18 14:33:03 Restart pause, 4 second(s)
Weak cipher workaround
tls-cipher DEFAULT:@SECLEVEL=0
sudo openvpn --config Development/Keystore/vpn/17-05-2024/my_openvpn_file.ovpn
2024-05-18 11:18:59 TCP/UDP: Preserving recently used remote address: [AF_INET]<IPV4>:443
2024-05-18 11:18:59 Socket Buffers: <REDACT>
2024-05-18 11:18:59 Attempting to establish TCP connection with [AF_INET]<IPV4>:443
2024-05-18 11:18:59 TCP connection established with [AF_INET]<IPV4>:443
2024-05-18 11:18:59 TCPv4_CLIENT link local: (not bound)
2024-05-18 11:18:59 TCPv4_CLIENT link remote: [AF_INET]<IPV4>:443
2024-05-18 11:18:59 TLS: Initial packet from [AF_INET]<IPV4>:443
2024-05-18 11:18:59 VERIFY OK: depth=1, <COUNTRY>, <LOCALITY>, <ORG>>., <CN>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 11:18:59 VERIFY X509NAME OK: <COUNTRY>, <LOCALITY>, <ORG>>., <CN>>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 11:18:59 VERIFY OK: depth=0, <COUNTRY>, <LOCALITY>, <ORG>>., <CN>>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 11:18:59 Control Channel: <DOMAIN>, cipher <DOMAIN> DHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA1, peer temporary key: 2048 bits DH
2024-05-18 11:18:59 [<DOMAIN>] Peer Connection Initiated with [AF_INET]<IPV4>:443
2024-05-18 11:18:59 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-18 11:18:59 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-18 11:19:00 SENT CONTROL [<DOMAIN>]: 'PUSH_REQUEST' (status=1)
2024-05-18 11:19:00 PUSH: Received control message: 'PUSH_REPLY,<ROUTE>,push-continuation 2'
2024-05-18 11:19:00 PUSH: Received control message: 'PUSH_REPLY,<ROUTE> ,dhcp-option DNS <IPV4>,dhcp-option DNS <IPV4>,dhcp-option DOMAIN <DOMAIN>,ifconfig <IPV4>,push-continuation 1'
2024-05-18 11:19:00 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-18 11:19:00 OPTIONS IMPORT: <ROUTE> options modified
2024-05-18 11:19:00 OPTIONS IMPORT: <ROUTE>-related options modified
2024-05-18 11:19:00 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-05-18 11:19:00 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-05-18 11:19:00 ERROR: Failed to apply push options
2024-05-18 11:19:00 Failed to open tun/tap interface
2024-05-18 11:19:00 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2024-05-18 11:19:00 Restart pause, 1 second(s)
Seems OpenSSL is annoyed with less secure ciphers:
"failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server."
Add cipher algorithm to ovpn config
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
sudo openvpn --config Development/Keystore/vpn/17-05-2024/my_openvpn_file.ovpn
2024-05-18 15:29:48 TCP/UDP: Preserving recently used remote address: [AF_INET]<IPV4>:443
2024-05-18 15:29:48 Socket Buffers: <REDACT>
2024-05-18 15:29:48 Attempting to establish TCP connection with [AF_INET]<IPV4>:443
2024-05-18 15:29:48 TCP connection established with [AF_INET]<IPV4>:443
2024-05-18 15:29:48 TCPv4_CLIENT link local: (not bound)
2024-05-18 15:29:48 TCPv4_CLIENT link remote: [AF_INET]<IPV4>:443
2024-05-18 15:29:49 TLS: Initial packet from [AF_INET]<IPV4>:443
2024-05-18 15:29:49 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-05-18 15:29:49 VERIFY OK: depth=1, <COUNTRY>, <LOCALITY>, <ORG>>., <CN>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 15:29:49 VERIFY X509NAME OK: <COUNTRY>, <LOCALITY>, <ORG>>., <CN>>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 15:29:49 VERIFY OK: depth=0, <COUNTRY>, <LOCALITY>, <ORG>>., <CN>>, emailAddress=<DOMAIN>@<DOMAIN>
2024-05-18 15:29:49 Control Channel: <DOMAIN>, cipher <DOMAIN> DHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA1, peer temporary key: 2048 bits DH
2024-05-18 15:29:49 [<DOMAIN>] Peer Connection Initiated with [AF_INET]<IPV4>:443
2024-05-18 15:29:49 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-05-18 15:29:49 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-05-18 15:29:50 SENT CONTROL [<DOMAIN>]: 'PUSH_REQUEST' (status=1)
2024-05-18 15:29:55 SENT CONTROL [<DOMAIN>]: 'PUSH_REQUEST' (status=1)
2024-05-18 11:19:00 PUSH: Received control message: 'PUSH_REPLY,<ROUTE>,push-continuation 2'
2024-05-18 11:19:00 PUSH: Received control message: 'PUSH_REPLY,<ROUTE> ,dhcp-option DNS <IPV4>,dhcp-option DNS <IPV4>,dhcp-option DOMAIN <DOMAIN>,ifconfig <IPV4>,push-continuation 1'
2024-05-18 15:29:55 OPTIONS IMPORT: --ifconfig/up options modified
2024-05-18 15:29:55 OPTIONS IMPORT: <ROUTE> options modified
2024-05-18 15:29:55 OPTIONS IMPORT: <ROUTE>-related options modified
2024-05-18 15:29:55 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-05-18 15:29:55 Using peer cipher 'AES-256-CBC'
2024-05-18 15:29:55 net_route_v4_best_gw query: dst <IPV4>
2024-05-18 15:29:55 net_route_v4_best_gw result: via <IPV4> dev wlp3s0
2024-05-18 15:29:55 ROUTE_GATEWAY <IPV4>/<IPV4> IFACE=wlp3s0 HWADDR=<HW_ADDR>
2024-05-18 15:29:55 TUN/TAP device tun0 opened
2024-05-18 15:29:55 net_iface_mtu_set: mtu 1500 for tun0
2024-05-18 15:29:55 net_iface_up: set tun0 up
2024-05-18 15:29:55 net_addr_v4_add: <IPV4>/19 dev tun0
2024-05-18 15:29:55 Data Channel: cipher 'AES-256-CBC', auth 'SHA512', compression: 'lzo'
2024-05-18 15:29:55 Timers: ping 10, ping-restart 120
2024-05-18 15:29:59 net_route_v4_add: <IPV4>/28 via <IPV4> dev [NULL] table 0 metric -1
2024-05-18 15:29:59 Initialization Sequence Completed
YAY
2024-05-18 15:29:59 Initialization Sequence Completed
TL;DR
Check logging directly from the ovpn client, and see what exact error is thrown. I havenāt read the OpenSSL release notes, but my guess is that algorithm support has become stricter and they want to be sure youāre conscious of it
Fix:
add the following key values to your (in my case) ovpn file:
tls-cipher DEFAULT:@SECLEVEL=0 #Old workaround
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
# The algorithm is a representation of what works for me,
# this doesn't mean the server you're tunneling to, uses the same algorithm.
# Check the openvpn logging or your server's requirements