Cannot connect to openvpn

Hi all, my OpenVPN config does not work, please could anyone advise why?

CLIENT
openvpn version, running on SailfishOS:

OpenVPN 2.6.9 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.1.1v  FIPS 1 Aug 2023, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=no enable_dco_arg=auto enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

client log repeats this message:

Jan 01 17:50:44 openvpn[26580]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan 01 17:50:44 openvpn[26580]: Options error: If you use one of --cert or --key, you must use them both
Jan 01 17:50:44 openvpn[26580]: Use --help for more information.
Jan 01 17:50:46 openvpn[26630]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan 01 17:50:46 openvpn[26630]: Options error: If you use one of --cert or --key, you must use them both
Jan 01 17:50:46 openvpn[26630]: Use --help for more information.

OMNIA
fresh install from factory image
TurrisOS 7.1.2, Turris Omnia

I followed these settings: OpenVPN server - Turris Documentation
VPN network is set to 10.0.1.0 / 255.255.255.0.
server log repeats this message:

Jan  1 16:53:46 openvpn(server_turris)[5869]: Initialization Sequence Completed
Jan  1 16:53:52 openvpn(server_turris)[5869]: event_wait : Interrupted system call (code=4)
Jan  1 16:53:52 openvpn(server_turris)[5869]: /usr/libexec/openvpn-hotplug route-pre-down server_turris tun_turris 1500 1621 10.0.1.1 255.255.255.0 init
Jan  1 16:53:52 openvpn(server_turris)[5869]: WARNING: Failed running command (--up/--down): external program exited with error status: 2
Jan  1 16:53:52 openvpn(server_turris)[5869]: Exiting due to fatal error
Jan  1 16:53:52 openvpn(server_turris)[7008]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jan  1 16:53:52 openvpn(server_turris)[7008]: OpenVPN 2.5.8 arm-openwrt-linux-muslgnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jan  1 16:53:52 openvpn(server_turris)[7008]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_route_v4_best_gw query: dst 0.0.0.0
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_route_v4_best_gw result: via 10.10.10.1 dev pppoe-wan
Jan  1 16:53:52 openvpn(server_turris)[7008]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  1 16:53:52 openvpn(server_turris)[7008]: Diffie-Hellman initialized with 4096 bit key
Jan  1 16:53:52 openvpn(server_turris)[7008]: CRL: loaded 1 CRLs from file /etc/ssl/ca/openvpn/ca.crl
Jan  1 16:53:52 openvpn(server_turris)[7008]: TUN/TAP device tun_turris opened
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_iface_mtu_set: mtu 1500 for tun_turris
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_iface_up: set tun_turris up
Jan  1 16:53:52 openvpn(server_turris)[7008]: net_addr_v4_add: 10.0.1.1/24 dev tun_turris
Jan  1 16:53:52 openvpn(server_turris)[7008]: /usr/libexec/openvpn-hotplug up server_turris tun_turris 1500 1621 10.0.1.1 255.255.255.0 init
Jan  1 16:53:56 openvpn(server_turris)[7008]: Socket Buffers: R=[180224->180224] S=[180224->180224]
Jan  1 16:53:56 openvpn(server_turris)[7008]: setsockopt(IPV6_V6ONLY=0)
Jan  1 16:53:56 openvpn(server_turris)[7008]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Jan  1 16:53:56 openvpn(server_turris)[7008]: UDPv6 link remote: [AF_UNSPEC]
Jan  1 16:53:56 openvpn(server_turris)[7008]: MULTI: multi_init called, r=256 v=256
Jan  1 16:53:56 openvpn(server_turris)[7008]: IFCONFIG POOL IPv4: base=10.0.1.2 size=253
Jan  1 16:53:56 openvpn(server_turris)[7008]: IFCONFIG POOL LIST
Jan  1 16:53:56 openvpn(server_turris)[7008]: Initialization Sequence Completed

What client do you use? Seems old or some compatibility option is set using old ciphers.

It is part of the OS, the version is above

Clearly the problem is in the client not server. Please test on some Android device for example if you can connect to confirm that.

How can you tell?

I just had the chance to try another client, this is the official client for Windows (10).

Sorry for the printscreens of the cumbersome program instead of text...



Nonetheless, this message is much more useful:
endpoint address family (IPv4) is incompatible with transport protocol (udp6)
And indeed,

beginning of the generated .ovpn
##############################################
# Openvpn client configuration generated by  #
# router Turris based on Sample client-side  #
# OpenVPN 2.0 config file                    #
#                                            #
# This configuration can be used only on     #
# a single client.                           #
#                                            #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tun_turris

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

proto udp6

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote 1.2.3.4 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

</ca>
<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openvpn
        Validity
            Not Before: Jan  1 16:45:30 2025 GMT
            Not After : Dec 30 16:45:30 2034 GMT
        Subject: CN=sfos
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [...]

contains this, while the address is IPv4.
proto udp6

Changing the line to
proto udp
fixes the problem but only in Windows…
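A pre-flight check for the two client-side errors quoted in this thread (the cert/key pairing error from the SailfishOS log and the udp6/IPv4 mismatch reported by the Windows client), as an added example that is not part of the original posts. The function names and the sample profile are constructed for illustration; the sample's missing `<key>` block is an assumption, since the pasted profile is truncated before that point.

```python
import ipaddress
import re

# Constructed sample modelled on the profile in this thread: udp6 with an
# IPv4 literal remote, and an inline <cert> block with no <key> block.
SAMPLE = """client
dev tun_turris
;dev-node MyTap
proto udp6
remote 1.2.3.4 1194
<cert>
(placeholder)
</cert>
"""

def parse_profile(text):
    """Split .ovpn text into directive token lists and inline block names."""
    directives, blocks, open_tag = [], set(), None
    for line in map(str.strip, text.splitlines()):
        if open_tag:                       # skip the body of <tag>...</tag>
            if line == f"</{open_tag}>":
                open_tag = None
        elif not line or line[0] in "#;":  # blank or commented-out line
            continue
        elif m := re.fullmatch(r"<([a-z0-9-]+)>", line):
            open_tag = m.group(1)
            blocks.add(open_tag)
        else:
            directives.append(line.split())
    return directives, blocks

def is_ipv4_literal(host):
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False                       # hostname: family unknown here

def lint_profile(text):
    """Report the two problems seen in this thread's logs."""
    directives, blocks = parse_profile(text)
    names = {d[0] for d in directives} | blocks
    findings = []
    if ("cert" in names) != ("key" in names):
        findings.append("cert/key: only one of the pair is present")
    proto = next((d[1] for d in directives if d[0] == "proto" and len(d) > 1), "udp")
    for d in directives:
        if d[0] == "remote" and len(d) > 1 and proto.endswith("6") and is_ipv4_literal(d[1]):
            findings.append(f"proto {proto} with IPv4 remote {d[1]}")
    return findings
```

Running `lint_profile()` on a profile after it has been imported into the client's own store shows whether the import step dropped a `<key>` block or left `proto udp6` in place.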

Because of that:

Oww wait this is server log so I might be wrong. I would check routes on your turris. Or enable some more verbose log to see why it fails to add/remove routes. Just guesses here.

I am not by the router ATM, will check that later. But the official client running on Windows 10 just connected to it.

2025-01-02 12:04:31 /usr/libexec/openvpn-hotplug up server_turris tun_turris 1500 1621 10.111.111.1 10.111.111.2 init
2025-01-02 12:04:31 net_route_v4_add: 10.111.111.0/24 via 10.111.111.2 dev [NULL] table 0 metric -1

Here is the relevant part from my log. So it adds a route. Not in your case.

Are you sure the route doesn't exist already or that the networks don't overlap?

Will check later, thank you. Still, would that not affect the Windows machine as well? It does connect and I can access my LAN remotely using the same .ovpn config file.