Openvpn - AES-256-CBC

Hi all,

I’ve recently configured OpenVPN and it is up and running, but it is using Blowfish [BF-CBC] via the default port 1194.
After contacting the provider, I asked for confirmation regarding the ports they use for AES-256-CBC. They informed me that 1195, 444, 81 or 54 are available (TCP/UDP).

I updated my config and applied the following:

remote <vpn_provider> 1195
cipher AES-256-CBC

Am I missing anything else in order to use AES-256-CBC?

The error I get after 60 seconds is the typical timeout seen on the net in forums etc.:
(please disregard warning below for server cert…)

Fri Oct 12 13:42:39 2018 Restart pause, 5 second(s)
Fri Oct 12 13:42:44 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 12 13:42:44 2018 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 12 13:42:44 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]<provider_ip>:1195
Fri Oct 12 13:42:44 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Fri Oct 12 13:42:44 2018 UDP link local: (not bound)
Fri Oct 12 13:42:44 2018 UDP link remote: [AF_INET]<provider_ip>:1195
Fri Oct 12 13:43:44 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Oct 12 13:43:44 2018 TLS Error: TLS handshake failed

Again, 1194 with Blowfish is working, and my config looks fine from that perspective.
No firewalls are configured at this end, but I’m beginning to suspect that the provider (who hasn’t been particularly helpful while I asked numerous questions, saying I should use the default!) is probably at fault here. Thought I’d find out what your thoughts were on this one.

Appreciate it,
Peace, noolidge.

Hi,

Who is your VPN provider?

Have you tried one of the other ports suggested by your VPN provider?

Thanks Tom.

Hi Tom, thanks for your response.
Currently with smartdnsproxy (Global Stealth).
Yes, I’ve tried all the ports they recommended, but I’m still getting those errors.
Getting additional info out of them and finding stuff on their site has been a challenge of late after asking valid questions, but I can’t complain about the local speeds, locations and price.

Have you tried TCP?

proto tcp

Thanks Tom.

Indeed, tried it all. Getting disconnection errors over TCP.
Anyway, I thought my config might be incorrect, but it seems something else external is not right.
If I don’t get a reasonable response from them I’ll be looking for another provider.
Any recommendations based on your experience?

Hi,

I suggest posting your conf; it may help in working out what’s going on.

Could you please provide the instructions they have given you, or any other guide you’ve been following.

https://www.privateinternetaccess.com/

Thanks Tom.

Sure, and appreciated: the working config is below.
In order to use AES-256, I simply uncomment the cipher entry and the "remote 1195" line; the logs posted above show the TLS error.

Regarding ‘instructions’, as I said earlier these have been poor and I’ve built my own config by understanding the protocol as best as possible. I contacted them when I noticed AES-256 wasn’t able to handshake and got a one-liner about the ports. I’m waiting for additional responses, having sent them logs. In the meantime I attempted to understand Blowfish and added additional layers of security to get something up and running and a little more secure, which is the current status.

Thanks for the recommendation, I will have a look :wink:

conf:

osmc@osmc-gee:/etc/openvpn/log$ sudo cat ../vpn.conf
#tls-client
#key /etc/openvpn/private.pem           # private key ; waiting for confirmation
#cert                                   # waiting for confirmation
#tls-crypt vpn-oz.tlsath                # additional layer of auth - waiting for confirmation

client                                  # client mode
remote-cert-tls server                  # RFC3280
management localhost 9999               # management functions
dev tun1                                # tun device
proto udp                               # default is udp

comp-lzo                                # lzo compression
verb 3                                  # verbose
mute 10                                 # log n consecutive entries

auth-nocache                            # dont cache auth-user-pass or --askpass
auth-retry interact                     # interact with auth failures
#auth SHA256                            # sha256 tests
script-security 2                       # call built-in scripts

auth-user-pass /etc/openvpn/pass.txt    # auth with pass

ca /etc/openvpn/serverlocation.crt      # cert in .pem (crt) format
#remote <provider_location> 1195        # remote host on 1195 not working with AES-256-CBC
remote <provider_location> 1194         # remote host on 1194 BF-CBC - default
reneg-bytes 64000000                    # as blowfish BF-CBC is in use ; rotate

float                                   # allow remote to change ip addy/port
redirect-gateway def1                   # auto set routing to redirect 0.0.0.0/1 & 128.0.0.0/1 rather than 0.0.0.0/0.
nobind                                  # do not bind to local addy/port

persist-key                             # Don't re-read key files across SIGUSR1 or --ping-restart.
persist-tun                             # Keep tun/tap device open across SIGUSR1 or --ping-restart

#cipher BF-CBC                          # default insecure
#cipher AES-256-CBC                     # advanced encryption standard - using providers 1195,444,81 or 54

route-delay 2                           # delay after connection b4 adding route

up /etc/openvpn/update-resolv-conf      # run update-resolv-conf dns upon connection
down /etc/openvpn/update-resolv-conf    # run update-resolv-conf dns upon disconnection

log-append /etc/openvpn/log/openvpn-status.log  # log
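As an added example (not from this thread or from OpenVPN itself), a small Python linter that reads a client config like the one above, reports the active data-channel cipher (falling back to BF-CBC when no cipher line is active, the default the post describes) and classifies the TLS errors from the first post's log. The hostname and sample lines are constructed placeholders.

```python
# Constructed sample: a trimmed copy of the config posted above, hostname is a placeholder.
SAMPLE_CONF = """\
client
remote-cert-tls server              # RFC3280
#cipher BF-CBC                      # default insecure
#cipher AES-256-CBC                 # providers 1195,444,81 or 54
remote vpn.example.invalid 1194
ca /etc/openvpn/serverlocation.crt
"""

# Constructed sample: the two TLS lines from the log in the first post.
SAMPLE_LOG = [
    "Fri Oct 12 13:43:44 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Fri Oct 12 13:43:44 2018 TLS Error: TLS handshake failed",
]

def parse_conf(text):
    """Return {directive: [[args...], ...]} for active lines; '#' comments are stripped first."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def lint_conf(text):
    """Return (active cipher, list of findings) for a client config."""
    d = parse_conf(text)
    findings = []
    # No active 'cipher' line means the client runs the default the post calls insecure: BF-CBC.
    cipher = d["cipher"][0][0] if "cipher" in d else "BF-CBC"
    if cipher == "BF-CBC":
        findings.append("data channel uses BF-CBC; set an explicit 'cipher AES-256-CBC'")
    if "remote-cert-tls" not in d:
        findings.append("no 'remote-cert-tls server': matches the MITM warning in the log")
    if "ca" not in d:
        findings.append("no 'ca' directive: the server certificate cannot be verified")
    return cipher, findings

def classify_log(lines):
    """Coarse cause class for the TLS errors seen in the thread."""
    for line in lines:
        if "TLS key negotiation failed to occur within" in line:
            return "no-tls-reply"   # no TLS reply arrived: check port/proto/path before the cipher
        if "TLS handshake failed" in line:
            return "tls-failed"     # handshake attempted but rejected
    return "ok"
```

A cipher mismatch alone does not stop the TLS control channel from completing, so a 60-second negotiation timeout points at the port or protocol rather than the cipher line.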

Hi,

Has smartdnsproxy provided any SSL certificates (.crt & .pem)?

These are required for TLS & AES-256-CBC.

Thanks Tom.

Thanks for that confirmation. My reading led me to that very fact.
I have requested that but not received anything yet.
Cheers.


A brief update:

After an ‘interesting’ online chat/experience with the staff at smartdnsproxy, I have cancelled my service. I found the level of support not quite what you’d expect it to be.
I cannot recommend attempting to configure OpenVPN with this provider; however, I did learn a lot myself doing it all manually.