View Full Version : openvpn not working on Openvix 6 1 003 Release Vuduo4k



Kdal22
01-04-22, 17:05
Hello to all ViX fans,

I installed (new flash) a new release, but openvpn can't connect like it usually works on previous images.
After installing from telnet it can't connect to the server.

I'm back to an older release, please let me know when it will work again.

Many THX, Best regards - Kdal.

dsayers
01-04-22, 17:36
What does your VPN log say?

Tested VPN manager with purevpn and it's working for me

Kdal22
01-04-22, 18:30
This is an OpenVPN (open source) program. After installing it from the Network menu and copying the configuration files, the openvpn binary starts, I see it in the processes, but the vpn tunnel does not work. In the previous version of Image, ver 6.0.008, everything is fine. Even after flashing the new Image, I use the exact same installation procedure. Nothing helps, unfortunately openvpn logging does not work. I think the openvpn bug is in the new version of VIX Image (6.1.003), I deduce it from the fact that when I returned to the previous Image, everything in it works again.

THX for Your Q response, Cheers, Kdal.

maxben
02-04-22, 14:06
It doesn't even start on my HD51.

No log.

Back to 6.0.008 for now

dsayers
02-04-22, 14:27
OpenVPN works for me

Check your VPN configs don't need updating

maxben
02-04-22, 14:31
why would they need updating ?

ccs
02-04-22, 14:39
why would they need updating ?

Maybe to see if it sorts out the problem?

Willo3092
02-04-22, 14:44
It's working for me on ViX 6.1.003 with version 1.17 of VPN Manager.

dsayers
02-04-22, 15:01
why would they need updating ?

When changing to vix 6.0 from 5.4 I had to update my configs from purevpn I can't remember if it was due to OpenVPN version or openssl.

Something similar might have happened to vix 6.1

twol
02-04-22, 15:03
Guys, try this!
putty ---> init 4 (space between)
filezilla copy attachment to /usr/lib/enigma2/python/Screens
putty ---> init 6

maxben
02-04-22, 15:44
When changing to vix 6.0 from 5.4 I had to update my configs from purevpn I can't remember if it was due to OpenVPN version or openssl.

Something similar might have happened to vix 6.1

Ah I see, mine is not a commercial VPN provider it's a p2p private which I've had for 5+ years.


Guys, try this!
putty ---> init 4 (space between)
filezilla copy attachment to /usr/lib/enigma2/python/Screens
putty ---> init 6

Still not starting and no log.

ccs
02-04-22, 15:46
... what do ViX debug logs come up with?

maxben
02-04-22, 15:55
Nothing in debug after booting but something shows up when trying to start manually from the UI


< 228.1385> [Console] command: /etc/init.d/openvpn start
< 228.1386> [eConsoleAppContainer] Starting /bin/sh
< 228.1929> [Console] finished: /etc/init.d/openvpn start
< 237.6586> [eInputDeviceInit] 1 18f (399) 1
< 237.6587> [eRCDeviceInputDev] emit: 1
< 237.6619> [InfoBarGenerics] Key: 399 (Make) KeyID='KEY_GREEN' Binding='('GREEN',)'.
< 238.0630> [eInputDeviceInit] 2 18f (399) 1
< 238.0635> [eRCDeviceInputDev] emit: 2
< 238.0674> [InfoBarGenerics] Key: 399 (Repeat) KeyID='KEY_GREEN' Binding='('GREEN',)'.
< 238.0790> [eInputDeviceInit] 0 18f (399) 1
< 238.0794> [eRCDeviceInputDev] emit: 0
< 238.0828> [InfoBarGenerics] Key: 399 (Break) KeyID='KEY_GREEN' Binding='('GREEN',)'.
< 238.0834> [ActionMap] Keymap 'ColorActions' -> Action = 'green'.
< 238.0837> [Console] command: /etc/init.d/openvpn start
< 238.0840> [eConsoleAppContainer] Starting /bin/sh
< 238.1386> [Console] finished: /etc/init.d/openvpn start

dsayers
02-04-22, 16:00
So what happens if you start VPN via command line



root@vuuno4k:~# /etc/init.d/openvpn start
Starting openvpn: ukm2-ovpn-udp.

maxben
02-04-22, 16:08
root@mutant51:~# /etc/init.d/openvpn start
Starting openvpn: client.
root@mutant51:~#


but nothing in the processes list

maxben
06-04-22, 13:41
Got the same problem on a Viper V20

Kdal22
07-04-22, 22:50
I'm not a professional on this issue. What I know to the best of my knowledge is the system log, where it is quite clear that the so-called handshake is a problem. I enclose what I managed to get from my VU + Duo4K. I ask the developers to give me guidance on where to go when solving the problem. Thank you very much.
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: OpenSSL: error:0A0C0103:SSL routines::internal error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS_ERROR: BIO read tls_read_plaintext error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS object -> incoming plaintext read error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS handshake failed

Best regards from Kdal...

dsayers
08-04-22, 07:01
I'm not a professional on this issue. What I know to the best of my knowledge is the system log, where it is quite clear that the so-called handshake is a problem. I enclose what I managed to get from my VU + Duo4K. I ask the developers to give me guidance on where to go when solving the problem. Thank you very much.
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: OpenSSL: error:0A0C0103:SSL routines::internal error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS_ERROR: BIO read tls_read_plaintext error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS object -> incoming plaintext read error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS handshake failed

Best regards from Kdal...

A quick Google gives some troubleshooting


https://www.sparklabs.com/support/kb/article/error-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds/

Kdal22
09-04-22, 18:47
On a deeper analysis of the problem, I found the following: On the server, the openvpn version is older than on the client. The error is caused by the fact that the client (in our case Vix ver 6.1) requires handshakes by the protocol (OPENSSL 3.X) TLS v.1.3. Image Vix ver 6.0 had OpenSSL version 1.1.X and TLS v. 1.1. In conclusion: This is not an Image error, but an interpretation of SSL/TLS. My procedure will be: I will try to upgrade OpenSSL to version 3.X on the server side.
Cheers, Kdal.

stash36
01-04-23, 14:33
Hi Kdal, watching with interest, I def think you are on the right track here, and I'll explain why at the end.

I have had the same problem getting openvpn to work on 6.3.n, have finally made a breakthrough where I am running 6.3.5 with a working openvpn, but it's not ideal as I am running an older version of openvpn (server side). I know some have not had this problem, and have also raised a ticket with my vpn provider, no response yet.

6.2.11 (last version working for me), is running openvpn 2.4.3, and the 6.3.n releases bring v 2.5.8 into play.
I have now reflashed vix 6.3.5 and regressed openvpn to 2.4.3, via restoring the openvpn files from a 2.4.3 version. By the way this is on both a Vu Solo2 and a Vu Zero, same behaviours.

To check which openvpn you have, check the "status" file in var/lib/opkg, search for openvpn.

Belt and braces, I copied these files in from old to new. Probably only need a couple of these but not sure which. This worked a treat.

/etc/init.d/openvpn
/etc/openvpn/openvpn.log
/etc/openvpn/openvpn.stat
/var/lib/opkg/info/openvpn.postrm
/var/lib/opkg/info/openvpn.list
/var/lib/opkg/info/openvpn.control
/var/lib/opkg/info/openvpn.postinst
/var/lib/opkg/info/openvpn.prerm
/usr/lib/openvpn
/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so
/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib/enigma2/python/Plugins/Extensions/VpnManager/image/openvpn_logo_1920.png
/usr/lib/enigma2/python/Plugins/Extensions/VpnManager/image/openvpn_logo_1280.png
/usr/sbin/openvpn

/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.list
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.prerm
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.preinst
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.control
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.postrm


But back to SSL 3.0
I have a theory that if vix developers were to embed openvpn v2.6.0, that would resolve the issue. This is the stable release with lots of bugfixes and support for OpenSSL 3.

See release notes at https://openvpn.net/community-downloads/

dsayers
01-04-23, 14:45
I think this commit should have fixed it https://github.com/oe-alliance/oe-alliance-core/commit/34214e59c6e11f1f041b934076d698c7d7b2fb5f#diff-59c0fb0f16177d3fff1066fa855888cbd02bcbc4481e609a6408bc94aca4dc3b

You can also try and add this line to your VPN configs

tls-cipher "DEFAULT:@SECLEVEL=0"

Albert_Swafega
01-04-23, 18:22
I think this commit should have fixed it https://github.com/oe-alliance/oe-alliance-core/commit/34214e59c6e11f1f041b934076d698c7d7b2fb5f#diff-59c0fb0f16177d3fff1066fa855888cbd02bcbc4481e609a6408bc94aca4dc3b

You can also try and add this line to your VPN configs

tls-cipher "DEFAULT:@SECLEVEL=0"

Thanks Dave, works perfectly!!

Just need a script now to add to all my ovpn files :)

Been bugging me for ages that i couldn't get it working.

Albert

dsayers
01-04-23, 18:39
Something like this I did before to edit all .ovpn files in one folder





for file in /hdd/OpenVPN/*.ovpn
do
echo "tls-cipher "DEFAULT:@SECLEVEL=0"" >> "$file"
done

Albert_Swafega
01-04-23, 23:32
Something like this I did before to edit all .ovpn files in one folder





for file in /hdd/OpenVPN/*.ovpn
do
echo "tls-cipher "DEFAULT:@SECLEVEL=0"" >> "$file"
done

I found I was getting run errors down to the double inverted commas, I think.

Worked once I changed to...

for file in /media/hdd/Digibit2/*.ovpn; do echo "tls-cipher "DEFAULT:@SECLEVEL=0"" >> "$file"; done

However, as it added after the certificate in my Digibit ovpn file, it appears to be ignored and won't connect.

The ones I've manually added the line above the certificate work fine...

Thanks again though for the FIX!!

Albert

stash36
23-09-23, 13:46
Bit of a late reply, only just sorted this openvpn problem on my machine, never got this sec level change working previously.
Anyway, if it helps anyone, the edit to change all your vpn config files at once is below. This will edit all files in the current folder, if it has a line starting mssfix, it will drop the new line in before that, which is working for me.

sed -i '/mssfix/s/^/tls-cipher "DEFAULT:@SECLEVEL=0"\n/' *

eg. file now shows as...

client
dev tun
proto udp
remote xxx.xx.xxx.xxx xxxx
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
tls-cipher "DEFAULT:@SECLEVEL=0"
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
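
Added example, not part of any post in this thread: a POSIX sh helper that combines the two observations above (a line appended after the inline certificate was ignored, while one placed before `mssfix` worked) by inserting the directive above the first inline block and skipping profiles that already set `tls-cipher`. The function names and the `.bak` backup are assumptions of this example; the default directory is the one used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): put the tls-cipher directive above the
# first inline block (<ca>, <cert>, <key>, ...) of each OpenVPN profile.

DIRECTIVE='tls-cipher "DEFAULT:@SECLEVEL=0"'

# add_tls_cipher FILE  (hypothetical helper name)
# returns 0 = file changed, 1 = directive already present, 2 = error
add_tls_cipher() {
    profile=$1
    [ -f "$profile" ] || return 2
    # An active (uncommented) tls-cipher line means there is nothing to do.
    if grep -Eq '^[[:space:]]*tls-cipher([[:space:]]|$)' "$profile"; then
        return 1
    fi
    tmp="$profile.tmp.$$"
    # Print the directive once, just before the first line that opens an
    # inline block; if the profile has no inline block, add it at the end.
    awk -v line="$DIRECTIVE" '
        !done && /^[[:space:]]*<[A-Za-z]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$profile" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Keep a backup, then overwrite in place so mode and owner are preserved.
    cp "$profile" "$profile.bak" && cat "$tmp" > "$profile"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# patch_dir DIR: process every *.ovpn in DIR and print how many files changed.
patch_dir() {
    dir=${1:-/hdd/OpenVPN}
    changed=0
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        if add_tls_cipher "$f"; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Run only when a directory is given, e.g.: sh add-tls-cipher.sh /hdd/OpenVPN
if [ "$#" -gt 0 ]; then
    patch_dir "$1"
fi
```

`@SECLEVEL=0` switches off OpenSSL's minimum-strength checks for the TLS control channel, so it is a stopgap until the server's OpenVPN/OpenSSL and certificates are brought up to date.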

stash36
23-09-23, 13:47
Apols, double post

fintannl
22-12-23, 19:07
hi, so I have the same issue as many with openvpn. And I see your answer tls-cipher "DEFAULT:@SECLEVEL=0". But the problem I have is that I can update the client.conf in /etc/openvpn but whenever I restart the nordvpn service it overwrites the client.conf. And I have done a chmod on the file to stop write access but when I check again the permissions are back to read write. I know you had mentioned putting all the configs on the hdd and I can do this and I can also update the files with your line thanks to the help of you all but at the end of the day enigma2 looks for client.conf in /etc/openvpn so how do I redirect it to /hdd/vpn and how can I show it which file is appropriate for which nordvpn server as all these files are named differently based on that server. Thanks a million. This is driving me nuts