New Digital Ocean VPN causes client to give error message saying my server TLS is outdated and too low to connect.

June 2, 2017 165 views
VPN Debian

Trying to connect from an Android phone using the OpenVPN Connect client.
Aptitude says I'm running the latest version on my server.
Debian stretch/testing shows the same version as well.

2 Answers

Hi @davewittenborn

How did you install OpenVPN? Did you follow one of the tutorials here on DO, and if so, which?
Which version of Debian and OpenVPN server?
When you generated the certificate for the client, did you use TLS1.2 or only TLS1.0?
Can you supply your OpenVPN log, so it's easier to debug?

  • Thanks for the quick and detailed reply. First, I'm a bit of a noob to Linux, though I'm fairly tech savvy and learn quickly. I'm running Debian 8.8-64 and installed using a DO tutorial. OpenVPN version is 2.4. I have to admit, when I generated the certs, I just blindly followed the tutorial. Here is info from my server.crt:
    X509v3 Extended Key Usage:
    TLS Web Server Authentication
    and when I check my /etc/openvpn/easy-rsa directory, the most recent ssl-related file there is openssl-1.0.0.cnf.

    That's about all I have at the moment.

    Thanks again

    • @davewittenborn

      Okay, have a look in /var/log/openvpn.log or /var/log/openvpn/error.log to see if there's something more telling about the error.

      It seems like the configuration somewhere (either server or client) is set to use TLS1.0, which was disabled since OpenVPN 2.4 (I think).
      Can you connect from another device (not an Android) with the same configuration and certificate?

      Was this the tutorial?
      https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8


Well, neither of those two .log files exist in my tree, or anything that looks related.

I can connect from 3 other machines: one running Debian stretch, and another running Debian stretch in a VM, as well as another running Windows 7-64 in a VM.
The only problem is with my android phone.

The tutorial you linked was the one I used.

  • @davewittenborn
    I think you need to ask in the apps forum or find another app for connecting.

    • Agreed. Thanks for your efforts. This isn't a crucial issue for me, as I already have another VPN that works on all of my platforms. I'm doing this primarily as a learning experience.

      Thanks again, hansen
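
The thread leaves two things unchecked: which TLS version floor the server config sets, and where the server actually writes its log. The script below is an added example, not part of the thread or the tutorial, that reads both from an OpenVPN config file. The directive names (`tls-version-min`, `tls-version-max`, `log`, `log-append`) are real OpenVPN options; the function names and the sample config are constructed, and the real config path has to be passed in.

```shell
#!/bin/sh
# Added example: report the TLS version limits and log destination that an
# OpenVPN config sets. Function names and the sample config are constructed.

# Print the arguments of the last uncommented occurrence of a directive.
ovpn_directive() {   # $1 = config file, $2 = directive name
    awk -v d="$2" '
        { sub(/[#;].*$/, "") }   # drop comments (# or ;)
        $1 == d { $1 = ""; sub(/^ +/, ""); val = $0; found = 1 }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# Summarise the settings relevant to a "TLS version too low" client error.
ovpn_tls_report() {
    conf="$1"
    min=$(ovpn_directive "$conf" tls-version-min) || min="unset"
    max=$(ovpn_directive "$conf" tls-version-max) || max="unset"
    log=$(ovpn_directive "$conf" log-append) ||
        log=$(ovpn_directive "$conf" log) ||
        log="unset (stdout, or syslog when daemonized)"
    printf 'tls-version-min: %s\ntls-version-max: %s\nlog: %s\n' "$min" "$max" "$log"
}

# Constructed sample server config for the demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
;tls-version-min 1.0
tls-version-min 1.2   # accept TLS 1.2 or newer only
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
ovpn_tls_report "$sample"
rm -f "$sample"
```

When neither `log` nor `log-append` is present, look for the server's messages in syslog or the systemd journal rather than under /var/log/openvpn*.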
