1

I want to set up OpenVPN version 2.4 or 2.6 on AlmaLinux 8 on a VPS and connect using the OpenVPN v2.4 GUI application.
I tried some scripts to set it up; all of them installed properly, but communication failed.

https://idroot.us/install-openvpn-server-almalinux-8/

https://leomoon.com/downloads/scripts/openvpn-installer-for-linux/

https://www.ionos.com/help/server-cloud-infrastructure/vpn/install-and-configure-openvpn/install-and-configure-openvpn-almalinux-8-and-9-and-rocky-linux-8-and-9/#c267989

I noticed that the TLS handshake breaks and I get an error after this line:
TLS: Initial packet from [AF_INET]74.208.111.231:1194, sid=1cfea13f ba1c9731

I disabled the firewall to keep the test simple.
Here are the related config and log files.
Any advice?

Server.cfg file

port 1194  
proto tcp  
dev tun  
user nobody     
group nobody  
persist-key  
persist-tun  
keepalive 10 120  
topology subnet  
server 10.8.0.0 255.255.255.0  
ifconfig-pool-persist ipp.txt  
push "dhcp-option DNS 8.8.8.8"  
push "dhcp-option DNS 8.8.4.4"  
push "redirect-gateway def1 bypass-dhcp"  
dh none  
ecdh-curve prime256v1  
tls-crypt tls-crypt.key  
crl-verify crl.pem  
ca ca.crt  
cert server_D99XAUoi9FzAwlUr.crt  
key server_D99XAUoi9FzAwlUr.key  
auth SHA256  
cipher AES-128-GCM  
ncp-ciphers AES-128-GCM  
tls-server  
tls-version-min 1.2  
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256  
client-config-dir /etc/openvpn/ccd  
status /var/log/openvpn/status.log  
verb 3  

client OVPN file

client
proto tcp-client
remote 74.208.111.231 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_D99XAUoi9FzAwlUr name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

<ca>  
-----BEGIN CERTIFICATE-----  
MIIB1zCCAX2gAwIBAgIURKfw6FcSJ4xcLb3gUWx/THu02KEwCgYIKoZIzj0EAwIw  
...  
G0T9jlALYAcCIQC+R1s/2x0BRLAg5HzZih8exkfiKbFbt9by31VSKzCY7g==  
-----END CERTIFICATE-----  
</ca>  
<cert>  
-----BEGIN CERTIFICATE-----  
MIIB1zCCAX6gAwIBAgIQDutVPwLyl5UwKB0LJVUGHTAKBggqhkjOPQQDAjAeMRww  
...  
nAYorn0Lv1FhAiAXcCdEzm4SqieMfT3Hj2TBrrufpruhoKaOoN2OLBX9hw==   
-----END CERTIFICATE-----  
</cert>  
<key>  
-----BEGIN PRIVATE KEY-----  
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg57wmtsCOWL0GaZ5N  
...  
XOyWk/p2uZuUtP6cogjwdCCsaYeEF8iYqL0MyWF+PhC+Qoc8YKX9T8Le  
-----END PRIVATE KEY-----  
</key>  
<tls-crypt>  
-#  
-# 2048 bit OpenVPN static key  
-#  
-----BEGIN OpenVPN Static key V1-----  
db3d6c752e41143cc06f8c83e48a742e  
....  
c2468e2a3e4c03d6a19efeef980c6c72  
-----END OpenVPN Static key V1-----  
</tls-crypt>  

Client Log

Sub Jul 27 22:34:15 2025 OpenVPN 2.4.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 17 2022  
Sub Jul 27 22:34:15 2025 Windows version 6.2 (Windows 8 or greater) 64bit  
Sub Jul 27 22:34:15 2025 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10  
Enter Management Password:  
Sub Jul 27 22:34:15 2025 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340  
Sub Jul 27 22:34:15 2025 Need hold release from management interface, waiting...  
Sub Jul 27 22:34:15 2025 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'state on'  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'log all on'  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'echo all on'  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'bytecount 5'  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'hold off'  
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'hold release'  
Sub Jul 27 22:34:15 2025 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key  
Sub Jul 27 22:34:15 2025 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication  
Sub Jul 27 22:34:15 2025 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key  
Sub Jul 27 22:34:15 2025 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication  
Sub Jul 27 22:34:15 2025 TCP/UDP: Preserving recently used remote address: [AF_INET]74.208.111.231:1194  
Sub Jul 27 22:34:15 2025 Socket Buffers: R=[65536->65536] S=[65536->65536]  
Sub Jul 27 22:34:15 2025 Attempting to establish TCP connection with [AF_INET]74.208.111.231:1194 [nonblock]  
Sub Jul 27 22:34:15 2025 MANAGEMENT: >STATE:1753643055,TCP_CONNECT,,,,,,  
Sub Jul 27 22:34:16 2025 TCP connection established with [AF_INET]74.208.111.231:1194  
Sub Jul 27 22:34:16 2025 TCP_CLIENT link local: (not bound)  
Sub Jul 27 22:34:16 2025 TCP_CLIENT link remote: [AF_INET]74.208.111.231:1194  
Sub Jul 27 22:34:16 2025 MANAGEMENT: >STATE:1753643056,WAIT,,,,,,  
Sub Jul 27 22:34:17 2025 MANAGEMENT: >STATE:1753643057,AUTH,,,,,,  
Sub Jul 27 22:34:17 2025 TLS: Initial packet from [AF_INET]74.208.111.231:1194, sid=1cfea13f ba1c9731  
Sub Jul 27 22:34:54 2025 read TCP_CLIENT: Unknown error (code=10060)  
Sub Jul 27 22:34:54 2025 Connection reset, restarting [-1]  
Sub Jul 27 22:34:54 2025 SIGUSR1[soft,connection-reset] received, process restarting  
Sub Jul 27 22:34:54 2025 MANAGEMENT: >STATE:1753643094,RECONNECTING,connection-reset,,,,,  
Sub Jul 27 22:34:54 2025 Restart pause, 5 second(s)  
Sub Jul 27 22:34:59 2025 SIGTERM[hard,init_instance] received, process exiting  
Sub Jul 27 22:34:59 2025 MANAGEMENT: >STATE:1753643099,EXITING,init_instance,,,,,  
1
  • You could raise verb to higher values (client and server). Maybe that provides helpful information. Commented Jul 28 at 16:49
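
As an added example (not part of the original question or the comment above), this script compares the directives that are normally kept identical in a server and client config, using excerpts of the two files posted in the question. The `SAME` list and the helper names are assumptions of the example, not OpenVPN's own terminology.

```python
# Excerpts of the two configs posted in the question (key material elided).
SERVER = """port 1194
proto tcp
dev tun
tls-crypt tls-crypt.key
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"""
CLIENT = """proto tcp-client
remote 74.208.111.231 1194
dev tun
auth SHA256
cipher AES-128-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
<tls-crypt>
(static key elided)
</tls-crypt>"""
SAME = ("dev", "auth", "cipher", "tls-cipher")  # assumed: identical on both peers
WRAP = ("tls-crypt", "tls-auth")  # control-channel wrapping, compared by presence

def parse(text):
    """Map directive -> arguments; an inline <tag> block maps to 'inline'."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:  # skip the body of an inline block up to its closing tag
            block = None if line == f"</{block}>" else block
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts[block] = "inline"
        elif line and not line.startswith(";"):
            name, _, arg = line.partition(" ")
            opts[name] = arg.strip()
    return opts

def transport(opts, is_client):
    """Protocol/port a peer uses; OpenVPN defaults are udp and 1194."""
    proto = opts.get("proto", "udp").split("-")[0].rstrip("46")
    remote = opts.get("remote", "").split()
    port = remote[1] if is_client and len(remote) > 1 else opts.get("port", "1194")
    return f"{proto}/{port}"

def compare(server, client):
    """Return (name, server_value, client_value) for every disagreement."""
    pairs = [("transport", transport(server, False), transport(client, True))]
    pairs += [(n, server.get(n), client.get(n)) for n in SAME]
    pairs += [(n, n in server, n in client) for n in WRAP]
    return [p for p in pairs if p[1] != p[2]]

print(compare(parse(SERVER), parse(CLIENT)))
```

An empty list means the compared directives agree, which is the result for the two posted configs; the higher `verb` output suggested in the comment is then the next place to look.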
