I am also suffering from this issue with 2.6.0~git20220518+dco-2 (I have added 
the parameters as advised by Bernhard) (the error is the same for both TCP and 
UDP):

 gris@tulip: ~% sudo openvpn --cipher AES-128-CBC --data-ciphers AES-128-CBC 
--config /root/premisg4.vpnjantit.com/premisg4.vpnjantit-tcp-8080.ovpn
2022-07-24 00:50:08 Cannot find ovpn_dco netlink component: Object not found
2022-07-24 00:50:08 Note: Kernel support for ovpn-dco missing, disabling data 
channel offload.
2022-07-24 00:50:08 OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] 
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 30 2022
2022-07-24 00:50:08 library versions: OpenSSL 3.0.4 21 Jun 2022, LZO 2.10
2022-07-24 00:50:08 WARNING: No server certificate verification method has been 
enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-07-24 00:50:08 NOTE: --fast-io is disabled since we are not using UDP
2022-07-24 00:50:08 TCP/UDP: Preserving recently used remote address: 
[AF_INET]188.166.212.168:8080
2022-07-24 00:50:08 Socket Buffers: R=[131072->131072] S=[16384->16384]
2022-07-24 00:50:08 Attempting to establish TCP connection with 
[AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TCP connection established with 
[AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 Note: enable extended error passing on TCP/UDP socket 
failed (IPV6_RECVERR): Protocol not available (errno=92)
2022-07-24 00:50:09 TCP_CLIENT link local: (not bound)
2022-07-24 00:50:09 TCP_CLIENT link remote: [AF_INET]188.166.212.168:8080
2022-07-24 00:50:09 TLS: Initial packet from [AF_INET]188.166.212.168:8080, 
sid=04c70371 12da42fb
2022-07-24 00:50:09 VERIFY OK: depth=0, CN=premi4.vpnjantit.com, 
O=premi4.vpnjantit.com, OU=premi4.vpnjantit.com, C=US
2022-07-24 00:50:09 OpenSSL: error:0A0C0103:SSL routines::internal error
2022-07-24 00:50:09 TLS_ERROR: BIO read tls_read_plaintext error
2022-07-24 00:50:09 TLS Error: TLS object -> incoming plaintext read error
2022-07-24 00:50:09 TLS Error: TLS handshake failed
2022-07-24 00:50:09 Fatal TLS error (check_tls_errors_co), restarting
2022-07-24 00:50:09 SIGUSR1[soft,tls-error] received, process restarting
2022-07-24 00:50:09 Restart pause, 5 second(s)
^C2022-07-24 00:50:11 SIGINT[hard,init_instance] received, process exiting

However, this unfortunately very deprecated setting still works just fine with 
2.5.1-3.  I also reported TLS 1.0 to the service provider.


On Sun, 29 May 2022 20:19:14 +0200 Henrik Schöpel 
<hschoe...@gmail.com> wrote:
> Package: openvpn
> Version: 2.5.6-1
> Severity: important
> 
> Dear Debian OpenVPN Maintainer,
> 
> This is a pretty serious bug as it breaks the usage of VPN.
> 
> The latest version of OpenVPN in Debian/SID repo '2.6.0~git20220518+dco-1'
> won't connect due to TLS errors during connection attempts.
> Only downgrade to version '2.5.6-1' solves the issue.
> 
> I had to blur some characters like IP addresses. Destination is Sophos UTM
> Appliances.
> 
> I attached a text file which compares both outputs of each release.
> 
> Best regards,
> Henrik
> 
> 
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 5.17.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
> TAINT_UNSIGNED_MODULE
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not 
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages openvpn depends on:
> ii  debconf [debconf-2.0]  1.5.79
> ii  iproute2               5.17.0-2
> ii  libc6                  2.33-7
> ii  liblz4-1               1.9.3-2
> ii  liblzo2-2              2.10-2
> ii  libpam0g               1.4.0-13
> ii  libpkcs11-helper1      1.28-1+b1
> ii  libssl1.1              1.1.1o-1
> ii  libsystemd0            251.1-1
> ii  lsb-base               11.2
> 
> Versions of packages openvpn recommends:
> ii  easy-rsa  3.0.8-1
> 
> Versions of packages openvpn suggests:
> ii  openssl                   3.0.3-5
> pn  openvpn-systemd-resolved  <none>
> pn  resolvconf                <none>
> 
> -- debconf information:
>   openvpn/create_tun: false



-- 
Best regards,
Mikhail Arefiev
Yandex NOC Software Development
m-aref...@yandex-team.ru
+7 909 160 8668
