New Digital Ocean VPN causes client to give error message saying my server TLS is outdated and too low to connect.

Question

trying to connect from an android phone using OpenVPN Connect client
Aptitude says I’m running the latest version in my server.
Debian stretch/testing shows same version, as well

Answer 1

hansen June 3, 2017

Hi @davewittenborn

How did you install OpenVPN - did you follow one of the tutorials here on DO, which?
Which version of Debian and OpenVPN server?
When you generated the certificate for the client, did you use TLS1.2 or only TLS1.0?
Can you supply your OpenVPN log, so it’s easier to debug?

Reply Report

davewittenborn June 3, 2017

Thanks for the quick and detailed reply. First, I’m a bit of a noob to linux, though I’m fairly tech savvy and learn quickly. I’m running Debian 8.8-64 and installed using a DO tutorial. OpenVPN version is 2.4. I have to admit, when I generated the certs, I just blindly followed the tutorial. Here is info from my server.crt :
X509v3 Extended Key Usage:
TLS Web Server Authentication
and when I check my /etc/openvpn/easy-rsa directory, the most recent ssl-related file there is openssl-1.0.0.cnf.

That’s about all I have at the moment.

Thanks again
Reply Report
- hansen June 3, 2017
  
  @davewittenborn
  
  Okay, have a look in /var/log/openvpn.log or /var/log/openvpn/error.log to see if there’s something more telling about the error.
  
  It seems like the configuration somewhere (either server or client) is set to use TLS1.0, which was disabled since OpenVPN 2.4 (I think).
  Can you connect from another device (not an Android) with the same configuration and certificate?
  
  Was this the tutorial?
  https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
  
  How To Set Up an OpenVPN Server on Debian 8
  by Alvin Wan
  A Virtual Private Network (VPN) allows you secure access to a remote server. In short, this allows the end user to mask connections and more securely navigate an untrusted network. With that said, this tutorial teaches you how to setup OpenVPN, an open source Secure Socket Layer (SSL) VPN solution, on Debian 8.
  
  Reply Report

Answer 2

davewittenborn June 3, 2017

Thanks for the quick and detailed reply. First, I’m a bit of a noob to linux, though I’m fairly tech savvy and learn quickly. I’m running Debian 8.8-64 and installed using a DO tutorial. OpenVPN version is 2.4. I have to admit, when I generated the certs, I just blindly followed the tutorial. Here is info from my server.crt :
X509v3 Extended Key Usage:
TLS Web Server Authentication
and when I check my /etc/openvpn/easy-rsa directory, the most recent ssl-related file there is openssl-1.0.0.cnf.

That’s about all I have at the moment.

Thanks again
Reply Report
- hansen June 3, 2017
  
  @davewittenborn
  
  Okay, have a look in /var/log/openvpn.log or /var/log/openvpn/error.log to see if there’s something more telling about the error.
  
  It seems like the configuration somewhere (either server or client) is set to use TLS1.0, which was disabled since OpenVPN 2.4 (I think).
  Can you connect from another device (not an Android) with the same configuration and certificate?
  
  Was this the tutorial?
  https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
  
  How To Set Up an OpenVPN Server on Debian 8
  by Alvin Wan
  A Virtual Private Network (VPN) allows you secure access to a remote server. In short, this allows the end user to mask connections and more securely navigate an untrusted network. With that said, this tutorial teaches you how to setup OpenVPN, an open source Secure Socket Layer (SSL) VPN solution, on Debian 8.
  
  Reply Report

Answer 3

davewittenborn June 3, 2017

Well, neither of those two .log files exist in my tree, or anything that looks related.

I can connect from 3 other machines: One running debian stretch, and another running debian stretch in a vm, as well as another running WIndows 7-64 in a vm.
The only problem is with my android phone.

The tutorial you linked was the one I used.

Reply Report

hansen June 3, 2017

@davewittenborn
I think you need to ask in the apps forum or find another app for connecting.
Reply Report
- davewittenborn June 3, 2017
  
  Agreed. Thanks for your efforts. This isnt a crucial issue for me, as I already have another vpn that works on all of my platforms. I’m doing this primarily as a learning experience.
  
  Thanks again, hansen
  
  Reply Report

Answer 4

hansen June 3, 2017

@davewittenborn
I think you need to ask in the apps forum or find another app for connecting.
Reply Report
- davewittenborn June 3, 2017
  
  Agreed. Thanks for your efforts. This isnt a crucial issue for me, as I already have another vpn that works on all of my platforms. I’m doing this primarily as a learning experience.
  
  Thanks again, hansen
  
  Reply Report

Related

Question

New Digital Ocean VPN causes client to give error message saying my server TLS is outdated and too low to connect.

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

New Digital Ocean VPN causes client to give error message saying my server TLS is outdated and too low to connect.

Leave a comment

Related

question

openvpn not routing through droplet

question

openvpn /dev/net/tun no such device

question

Does the Debian kernel in DigitalOcean support GRE or IPIP?

question

Not able to visit websites by PPTP VPN

Looking for something else?