OpenVPN Connection stuck at TLS Initial packet

OpenVPN suddenly stopped connecting from the AX-1800 to my OpenVPN server hosted on an AWS Lightsail instance.

It fails at the TLS Initial packet step, please find the complete log below (I've replaced the OpenVPN server's IP with AWS_INSTANCE_IP in the logs):

Sat Jun  1 15:54:41 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sat Jun  1 15:54:43 2024 daemon.warn ovpnclient[17833]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: TCP/UDP: Preserving recently used remote address: [AF_INET]AWS_INSTANCE_IP:443
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: Attempting to establish TCP connection with [AF_INET]AWS_INSTANCE_IP:443 [nonblock]
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: TCP connection established with [AF_INET]AWS_INSTANCE_IP:443
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: TCP_CLIENT link local: (not bound)
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: TCP_CLIENT link remote: [AF_INET]AWS_INSTANCE_IP:443
Sat Jun  1 15:54:43 2024 daemon.notice ovpnclient[17833]: TLS: Initial packet from [AF_INET]AWS_INSTANCE_IP:443, sid=bf239ef6 4c7d93bc

To make sure it's not an ISP/DPI issue, I tested the same OpenVPN config on my PC and mobile phone, and they are both connecting normally.

Your support is highly appreciated, thanks!

Edit: Additional Info:
I've tried resetting the router, upgrading to the latest BETA and Snapshot versions, and the issue is still there.
I used to connect normally using the same config, so I can't wrap my head around what exactly changed.

Without that you changed anything? Not on your router nor on the AWS instance or any other things?

Nope, nothing at all.

I assume the issue is with the server, not the client.
Unfortunately I can't tell which issue it might be.

Thanks for your input on this.

Do you suggest a specific configuration to check on the server?

TBH I am doubting it's the server since my PC and Mobile can connect normally to the same server using the same config.

Pls post the ovpn content to have a check.

Sorry about the late response, please find below:

client
dev tun
proto tcp
remote {IP ADDRESS} 443
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name ip-172-26-12-18_34bbb216-3a9e-4092-8a9f-aa06d1144e21 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
{CERTIFICATE}
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
{CERTIFICATE}
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
{PRIVATE_KEY}
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
{STATIC_KEY}
-----END OpenVPN Static key V1-----
</tls-crypt>

FYI, I've re-configured the whole VPN setup both server and client side, and I'm currently installing OpenVPN server on my AWS machine following this guide.

The outcome is still the same, VPN works on all my devices (PC, Laptop, and Mobile Phone) through OpenVPN Connect or Viscosity OpenVPN clients apps, but not on my Flint.

Below is a comparison of a success case, a log of the connection from my PC, and the failure case, the log from the Flint.

First, here is the openvpn config (I've redacted the IP and certificates/keys and replaced them with ######################):

client
dev tun
proto tcp
remote ######################
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
######################
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
######################
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
######################
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
######################
</tls-crypt>

My log connecting through Viscosity on Windows 11 (I've redacted the IP address and replaced it with ######################):

Jun 22 1:14:54 PM: Checking reachability status of connection...
Jun 22 1:14:54 PM: Connection is reachable. Starting connection attempt.
Jun 22 1:14:54 PM: Interface Type: ViscTunTap
Jun 22 1:14:54 PM: Bringing up interface...
Jun 22 1:14:54 PM: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jun 22 1:14:54 PM: OpenVPN 2.6.10 Windows [SSL (OpenSSL)] [LZO] [LZ4] [AEAD]
Jun 22 1:14:54 PM: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Jun 22 1:14:55 PM: Valid endpoint found: ######################:443:tcp-client
Jun 22 1:14:55 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]######################:443
Jun 22 1:14:55 PM: Socket Buffers: R=[65536->65536] S=[65536->65536]
Jun 22 1:14:55 PM: Attempting to establish TCP connection with [AF_INET]######################:443
Jun 22 1:14:55 PM: TCP connection established with [AF_INET]######################:443
Jun 22 1:14:55 PM: TCPv4_CLIENT link local: (not bound)
Jun 22 1:14:55 PM: TCPv4_CLIENT link remote: [AF_INET]######################:443
Jun 22 1:14:55 PM: State changed to Authenticating
Jun 22 1:14:55 PM: TLS: Initial packet from [AF_INET]######################:443, sid=51011689 995d8037
Jun 22 1:14:55 PM: VERIFY OK: depth=1, CN=Easy-RSA CA
Jun 22 1:14:55 PM: VERIFY KU OK
Jun 22 1:14:55 PM: Validating certificate extended key usage
Jun 22 1:14:55 PM: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jun 22 1:14:55 PM: VERIFY EKU OK
Jun 22 1:14:55 PM: VERIFY OK: depth=0, CN=server
Jun 22 1:14:55 PM: Virtual Adapter Version: 0.7.2.1017
Jun 22 1:14:56 PM: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Jun 22 1:14:56 PM: [server] Peer Connection Initiated with [AF_INET]######################:443
Jun 22 1:14:56 PM: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jun 22 1:14:56 PM: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jun 22 1:14:56 PM: State changed to Connecting
Jun 22 1:14:56 PM: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jun 22 1:14:56 PM: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1001/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Jun 22 1:14:56 PM: WARNING: The block-outside-dns option has been ignored as it is not required under Viscosity's DNS management system. For more information please see the following article: https://www.sparklabs.com/support/kb/article/warning-the-block-outside-dns-option-has-been-ignored/
Jun 22 1:14:56 PM: OPTIONS IMPORT: --ifconfig/up options modified
Jun 22 1:14:56 PM: OPTIONS IMPORT: route options modified
Jun 22 1:14:56 PM: OPTIONS IMPORT: route-related options modified
Jun 22 1:14:56 PM: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jun 22 1:14:56 PM: interactive service msg_channel=0
Jun 22 1:14:56 PM: ROUTE_GATEWAY 192.168.8.1/255.255.255.0 I=9 HWADDR=b4:2e:99:e8:80:8b
Jun 22 1:14:56 PM: GDG6: remote_host_ipv6=n/a
Jun 22 1:14:56 PM: GetBestInterfaceEx() returned if=15
Jun 22 1:14:56 PM: GDG6: II=15 DP=::/0 NH=::
Jun 22 1:14:56 PM: GDG6: Metric=256, Loopback=0, AA=1, I=0
Jun 22 1:14:56 PM: ROUTE6_GATEWAY :: ON_LINK I=15
Jun 22 1:14:56 PM: Awaiting adapter to come up...
Jun 22 1:14:56 PM: Third-party filters attached to network interface: "Npcap Packet Driver (NPCAP) (INSECURE_NPCAP)".
Jun 22 1:14:56 PM: TAP-WIN32 device [zSorourPC] opened: \\?\root#net#0000#{adda4c48-c32e-4ef6-9602-b3252f082583}, index: 11
Jun 22 1:14:57 PM: Waiting for DNS Setup to complete...
Jun 22 1:14:57 PM: Successful ARP Flush on interface [11] {77447188-3435-4201-81F4-AC443317209F}
Jun 22 1:14:57 PM: add_route_ipv6(fddd:1194:1194:1194::/64 -> fddd:1194:1194:1194::1001 metric 0) IF 11
Jun 22 1:14:57 PM: Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jun 22 1:14:57 PM: Timers: ping 10, ping-restart 120
Jun 22 1:14:58 PM: TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Jun 22 1:14:58 PM: Route addition via service succeeded
Jun 22 1:14:58 PM: Route addition via service succeeded
Jun 22 1:14:58 PM: Route addition via service succeeded
Jun 22 1:14:58 PM: add_route_ipv6(::/3 -> fddd:1194:1194:1194::1 metric -1) IF 11
Jun 22 1:14:58 PM: add_route_ipv6(2000::/4 -> fddd:1194:1194:1194::1 metric -1) IF 11
Jun 22 1:14:58 PM: add_route_ipv6(3000::/4 -> fddd:1194:1194:1194::1 metric -1) IF 11
Jun 22 1:14:58 PM: add_route_ipv6(fc00::/7 -> fddd:1194:1194:1194::1 metric -1) IF 11
Jun 22 1:14:58 PM: Initialization Sequence Completed
Jun 22 1:14:58 PM: DNS set to Full:
Server: 1.1.1.1:53, Lookup Type: Any, Domains: None
Server: 1.0.0.1:53, Lookup Type: Any, Domains: None
Jun 22 1:14:58 PM: State changed to Connected

Please note how the client in the success case chose AES_256_GCM.

As for the log from the router (I've redacted the IP address and replaced it with ######################):

Sat Jun 22 12:19:04 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Jun 22 12:19:04 2024 daemon.warn ovpnclient[23136]: --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sat Jun 22 12:19:04 2024 daemon.warn ovpnclient[23136]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: TCP/UDP: Preserving recently used remote address: [AF_INET]######################:443
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Jun 22 12:19:04 2024 daemon.notice ovpnclient[23136]: Attempting to establish TCP connection with [AF_INET]######################:443 [nonblock]
Sat Jun 22 12:19:05 2024 daemon.notice ovpnclient[23136]: TCP connection established with [AF_INET]######################:443
Sat Jun 22 12:19:05 2024 daemon.notice ovpnclient[23136]: TCP_CLIENT link local: (not bound)
Sat Jun 22 12:19:05 2024 daemon.notice ovpnclient[23136]: TCP_CLIENT link remote: [AF_INET]######################:443
Sat Jun 22 12:19:05 2024 daemon.notice ovpnclient[23136]: TLS: Initial packet from [AF_INET]######################:443, sid=c1bd8cfe b5e0a1d9

Please note how it chose the cipher AES-256-CTR, and the TLS handshake fails.

Now if I adjust the vpn config file to use the AES_256_GCM cipher specifically by adding cipher AES_256_GCM, this is what I get from the router OpenVPN logs:

Sat Jun 22 12:22:44 2024 daemon.notice netifd: Interface 'ovpnclient' is setting up now
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: OpenVPN 2.5.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Sat Jun 22 12:22:44 2024 daemon.warn ovpnclient[25904]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: TCP/UDP: Preserving recently used remote address: [AF_INET]######################:443
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Jun 22 12:22:44 2024 daemon.notice ovpnclient[25904]: Attempting to establish TCP connection with [AF_INET]######################:443 [nonblock]
Sat Jun 22 12:22:45 2024 daemon.notice ovpnclient[25904]: TCP connection established with [AF_INET]######################:443
Sat Jun 22 12:22:45 2024 daemon.notice ovpnclient[25904]: TCP_CLIENT link local: (not bound)
Sat Jun 22 12:22:45 2024 daemon.notice ovpnclient[25904]: TCP_CLIENT link remote: [AF_INET]######################:443
Sat Jun 22 12:22:45 2024 daemon.notice ovpnclient[25904]: TLS: Initial packet from [AF_INET]######################:443, sid=7b7c499a 20929a07

Kindly notice how it still uses AES-256-CTR

I believe it's TLS cipher support issue on the GL iNet router, would you please advise?

@alzhao would highly appreciate your support on this, thanks in advance

Pls send me a ovpn config and credentials via message to test.

It turns out that the SSL session packet gets dropped by the ISP firewall for OpenVPN 2.5.
Upgrade to OpenVPN 2.6 can solve the issue. The OpenVPN version upgrade is in our schedule.

2 Likes