Got the same problem on a Viper V20
I'm not a professional on this issue. What I know to the best of my knowledge is the system log, where it is quite clear that the so-called handshake is a problem. I enclose what I managed to get from my VU + Duo4K. I ask the developers to give me guidance on where to go when solving the problem. Thank you very much.
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: OpenSSL: error:0A0C0103:SSL routines::internal error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS_ERROR: BIO read tls_read_plaintext error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS object -> incoming plaintext read error
Apr 2 11:16:41 vuduo4k daemon.err openvpn[2602]: TLS Error: TLS handshake failed
Best regards from Kdal...
A quick Google gives some trouble shootingOriginally Posted by Kdal22
Code:https://www.sparklabs.com/support/kb/article/error-tls-error-tls-key-negotiation-failed-to-occur-within-60-seconds/
On a deeper analysis of the problem, I found the following: On the server, the openvpn version is older than on the client. The error is caused by the fact that the client (in our case Vix ver 6.1) requires handshakes by the protocol (OPENSSL 3.X) TLS v.1.3. Image Vix ver 6.0 had OpenSSL version 1.1.X and TLS v. 1.1.In conclusion : This is not an Image error, but an interpretation of SSL/TLS.My procedure will be : I will try to upgrade OpenSSL to version 3.X on the server side.
Cheers, Kdal.
twol (09-04-22)
Hi Kdal, watching with interest, I def think you are on the right track here, and I'll explain why at the end.
I have had the same problem getting openvpn to work on 6.3.n, have finally made a breakthrough where I am running 6.3.5 with a working openvpn, but its not ideal as I am running an older version of openvpn (server side). I know some have not had this problem, and have also raised a ticket with my vpn provider, no response yet.
6.2.11 (last version working for me), is running openvpn 2.4.3, and the 6.3.n releases bring v 2.5.8 into play.
I have now reflashed vix 6.3.5 and regressed openvpn to 2.4.3, via restoring the openvpn files from a 2.4.3 version. By the way this is on both a Vu Solo2 and a Vu Zero, same behaviours.
To check which openvpn you have, check the "status" file in var/lib/opkg, search for openvpn.
Belt and braces, I copied these files in from old to new. Probably only need a couple of these but not sure which. This worked a treat.
/etc/init.d/openvpn
/etc/openvpn/openvpn.log
/etc/openvpn/openvpn.stat
/var/lib/opkg/info/openvpn.postrm
/var/lib/opkg/info/openvpn.list
/var/lib/opkg/info/openvpn.control
/var/lib/opkg/info/openvpn.postinst
/var/lib/opkg/info/openvpn.prerm
/usr/lib/openvpn
/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so
/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib/enigma2/python/Plugins/Extensions/VpnManager/image/openvpn_logo_1920.png
/usr/lib/enigma2/python/Plugins/Extensions/VpnManager/image/openvpn_logo_1280.png
/usr/sbin/openvpn
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.list
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.prerm
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.preinst
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.control
/var/lib/opkg/info/enigma2-plugin-extensions-vpnmanager.postrm
But back to SSL 3.0
I have a theory that if vix developers were to embed openvpn v2.6.0, that would resolve the issue. This is the stable release with lots of bugfixes and support for OpenSSL 3.
See release notes at https://openvpn.net/community-downloads/
I think this commit should have fixed it https://github.com/oe-alliance/oe-al...08bc94aca4dc3b
You can also try and add this line to your VPN configs
tls-cipher "DEFAULT:@SECLEVEL=0"
Albert_Swafega (01-04-23),stash36 (01-04-23)
Thanks Dave, works perfectly!!
Just need a script now to add to all my ovpn files
Been bugging me for ages that i couldn't get it working.
Albert
Something like this I did before to edit all .ovpn files in one folder
Code:for file in /hdd/OpenVPN/*.ovpn do echo "tls-cipher "DEFAULT:@SECLEVEL=0"" >> "$file" done
Last edited by dsayers; 01-04-23 at 18:51.
I found i was getting run errors down to the double inverted commas i think.
Worked once i changed to...
for file in /media/hdd/Digibit2/*.ovpn; do echo "tls-cipher "DEFAULT:@SECLEVEL=0"" >> "$file"; done
However, as it added after the certificate in my Digibit ovpn file, it appears to be ignored and won't connect.
The ones i've manually added the line above the certificate work fine...
Thanks again though for the FIX!!
Albert
Bit of a late reply, only just sorted this openvpn problem on my machine, never got this sec level change working previously.
Anyway, if it helps anyone, the edit to change all your vpn config files at once is below. This will edit all files in the current folder, if it has a line starting mssfix, it will drop the new line in before that, which is working for me.
sed -i '/mssfix/s/^/tls-cipher "DEFAULT:@SECLEVEL=0"\n/' *
eg. file now shows as...
client
dev tun
proto udp
remote xxx.xx.xxx.xxx xxxx
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
tls-cipher "DEFAULT:@SECLEVEL=0"
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
twol (23-09-23)
Apols, double post
Last edited by stash36; 23-09-23 at 13:48. Reason: Dbl post
hi, so I have the same issue as many with openvpn. And I see your answer tls-cipher "DEFAULT:@SECLEVEL=0". But the problem I have is that I can update the client.conf in /etc/openvpn but whenever I restart the nordvpn service it overwrites the client.conf. And I have done a chmod on the file to stop write access but when I check again the permissions are back to read write. I know you had mentioned putting all the configs on the hdd and I can do this and I can also update the files with your line thanks to the help of you all but at the end of the day enigma2 looks for client.conf in /etc/openvpn so how do I redirect it to /hdd/vpn and how can I show it which file is appropriate for which nordvpn server as all these files are named differently based on that server. Thanks a million. This is driving me nuts
Posting Permissions
Reply With Quote