OpenVPN with tls-crypt-v2

Hi,

I have a RUT241 that we want to use as an OpenVPN client. I tried to connect it to our server, but without success.
From what I can see the problem is in the tls-crypt-v2 key. Can you confirm that the RUT241 does not support tls-crypt-v2?

This is what the .ovpn file looks like:

client
dev tun
proto udp
tun-mtu 1371
mssfix 0
remote 1194
resolv-retry infinite
remote-cert-tls server
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth-nocache
cipher AES-256-GCM
auth SHA256

-----BEGIN CERTIFICATE-----
Data removed
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE-----
Data removed
-----END CERTIFICATE-----


-----BEGIN RSA PRIVATE KEY-----
MData removed
-----END RSA PRIVATE KEY-----


-----BEGIN OpenVPN tls-crypt-v2 client key-----
Data removed
-----END OpenVPN tls-crypt-v2 client key-----

In my log output I can see these errors:

2505 Thu Mar 20 23:40:43 2025 daemon.warn openvpn(inst1)[5100]: WARNING: No server certificate verification method has been enabled. See Guide To Set Up & Configure OpenVPN Client/Server VPN | OpenVPN for more info.
2506 Thu Mar 20 23:40:43 2025 daemon.warn openvpn(inst1)[5100]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2507 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2508 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2509 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: TCP/UDP: Preserving recently used remote address: [AF_INET]:1194
2510 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: Socket Buffers: R=[180224->180224] S=[180224->180224]
2511 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: UDPv4 link local: (not bound)
2512 Thu Mar 20 23:40:43 2025 daemon.notice openvpn(inst1)[5100]: UDPv4 link remote: [AF_INET]:1194
2513 Thu Mar 20 23:41:43 2025 daemon.err openvpn(inst1)[5100]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2514 Thu Mar 20 23:41:43 2025 daemon.err openvpn(inst1)[5100]: TLS Error: TLS handshake failed
2515 Thu Mar 20 23:41:43 2025 daemon.notice openvpn(inst1)[5100]: TCP/UDP: Closing socket
2516 Thu Mar 20 23:41:43 2025 daemon.notice openvpn(inst1)[5100]: SIGUSR1[soft,tls-error] received, process restarting
2517 Thu Mar 20 23:41:43 2025 daemon.notice openvpn(inst1)[5100]: Restart pause, 300 second(s)

Hello,

Could you please confirm whether the initial issue with your VPN client's connection to the server is still unresolved? To clarify: the tls-crypt-v2 key should indeed be supported on the RUT241, as it runs OpenVPN version 2.6.9.

However, there’s a known issue affecting OpenVPN servers from versions 2.6.1 up to 2.6.13 when using --tls-crypt-v2, which might be what you’re encountering here. Details about this vulnerability and its symptoms are available in the OpenVPN community thread here: https://community.openvpn.net/openvpn/wiki/CVE-2025-2704

Additionally, have you tried adjusting the MTU size to 1500 on both ends? Does it make any change?

For now, as a temporary workaround, you might consider running your OpenVPN server without --tls-crypt-v2 until a patched version is in place.

Best regards,
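The reply above boils down to a check a server admin can run before touching the client: is the server's OpenVPN build inside the 2.6.1 to 2.6.13 range the advisory names, and does its config actually use --tls-crypt-v2? The script below, as an added example that is not part of the original thread and not code from OpenVPN or Teltonika, performs exactly that check and applies the reply's temporary workaround (commenting out the tls-crypt-v2 directive). The version string and server config embedded in it are constructed sample input; run it against the real output of `openvpn --version` and your real server.conf.

```python
import re

# Version range the OpenVPN advisory for CVE-2025-2704 names as affected
# when --tls-crypt-v2 is in use (2.6.1 up to and including 2.6.13).
AFFECTED_MIN = (2, 6, 1)
AFFECTED_MAX = (2, 6, 13)

# `openvpn --version` starts with "OpenVPN <major>.<minor>.<patch> ..."
VERSION_RE = re.compile(r"\bOpenVPN\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(version_output: str) -> tuple:
    """Return (major, minor, patch) from the output of `openvpn --version`."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no OpenVPN version string found in input")
    return tuple(int(x) for x in m.groups())


def config_directives(config_text: str):
    """Yield (directive, rest_of_line) for every non-comment config line."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        parts = stripped.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def uses_tls_crypt_v2(config_text: str) -> bool:
    """True if the server config enables --tls-crypt-v2 (exact directive match)."""
    return any(d == "tls-crypt-v2" for d, _ in config_directives(config_text))


def server_affected(version: tuple, config_text: str) -> bool:
    """Server is exposed only if its version is in range AND tls-crypt-v2 is enabled."""
    return uses_tls_crypt_v2(config_text) and AFFECTED_MIN <= version <= AFFECTED_MAX


def workaround_config(config_text: str) -> str:
    """Comment out tls-crypt-v2 lines, the temporary workaround from the reply.

    Note: the client-side .ovpn must drop its tls-crypt-v2 client key block
    as well, otherwise the control channel framing no longer matches.
    """
    out = []
    for line in config_text.splitlines():
        if line.strip().split(None, 1)[:1] == ["tls-crypt-v2"]:
            out.append("# disabled until the server is patched (CVE-2025-2704): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample input (not taken from the thread): a plausible first line
# of `openvpn --version` and a minimal server config with tls-crypt-v2 enabled.
SAMPLE_VERSION_OUTPUT = "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]"
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
# tls-crypt-v2 protects the control channel with a per-client key
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2-server.key
cipher AES-256-GCM
"""


def assess(version_output: str, config_text: str) -> dict:
    """Summarise the check so the result can be used programmatically."""
    version = parse_version(version_output)
    affected = server_affected(version, config_text)
    return {
        "version": version,
        "tls_crypt_v2": uses_tls_crypt_v2(config_text),
        "affected": affected,
        "workaround": workaround_config(config_text) if affected else config_text,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SERVER_CONF)
    print("server version:", ".".join(map(str, result["version"])))
    print("tls-crypt-v2 enabled:", result["tls_crypt_v2"])
    print("in CVE-2025-2704 affected range:", result["affected"])
    if result["affected"]:
        print("--- temporary workaround config ---")
        print(result["workaround"])
```

The range check is deliberately inclusive on both ends; 2.6.0 and 2.6.14 are treated as unaffected, matching the "2.6.1 up to 2.6.13" wording of the reply. Disabling tls-crypt-v2 removes control-channel protection, so treat the workaround as strictly temporary and re-enable it once the server is upgraded.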
