OpenVPN doesn't work after client update.

macak · February 3, 2015, 3:13am

Hello,

After update openssl client from version

OpenVPN Connect Release notes for 1.1.13 build 53
to
OpenVPN Connect Release notes for 1.1.14 build 56

there are release info
http://openvpn.net/index.php/component/content/article/119-faq-openvpn-client/533-connect-android-release-notes.html

there is link to client.
https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en

I already try do force Force AES-CBC ciphersuites - but it doesn’t fix the issue.

The logs:
Mikrotik logs TCP session establiished from :V4 IP Address
VPN client log. TCP revev EOL.

Anybody have simillar issue and fix for this?
Mikrotik support, could You confirm the issue?

Best Regards.
Maciej

edit,
Temporary fix, uninstall new version ovpn client, install old (from internet
beware for trojans minimize risk by scanning apk on virustotal!!!), import profile, disable autoupdate on android market. Works again.

macak · April 6, 2015, 7:09pm

Hello again,

Few holidays bank and I’m found the solution of this issue using google . The problem: newer clients are changed TLS. Workaround is described here:

http://code.google.com/p/ics-openvpn/wiki/FAQ
look at part: Connections fails with SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

For lazy guys
To work around the problem on the client add the custom option ‘tls-cipher DEFAULT’ (add this without quotes in .ovpn config file) on the Android client.

After add this option both clients:
https://play.google.com/store/apps/details?id=net.openvpn.openvpn
https://play.google.com/store/apps/details?id=de.blinkt.openvpn
back to works.

Question to Mikrotik support. In Your opinion it’s safe to use this parameter? Maybe it’s time to change TLS cipher used by default?

Thanks for Your attention.
Maciej.

djmuk · September 7, 2015, 9:53am

Any chance this could be added to the Wiki on the OVPN page. Something like:
"As of 2015 many Android (and possibly other) clients default to incompatible tls cipher suites.
Add the following line to the CLIENT config:
tls-cipher DEFAULT
"

vmiro · July 6, 2016, 6:22am

Hi,
Addind tls-cipher DEFAULT solved the problem to me but in the log I’ve found this message>

Deprecated TLS cipher name ‘DEFAULT’, please use IANA name ‘DEFAULT’

DEFAULT instead of DEFAULT, interesting.

mIRO

parksj10 · April 15, 2019, 12:02am

adding TLS Default worked for me running Tunnleblick on mac os mojave