ECONNREFUSED (code=111)

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Import my OpenVPN configuration
2. Attempt to connect to the VPN

What is the expected output? What do you see instead?
It's expected to connect to the VPN, but it continues failing writing "P:read 
UDPv4 [ECONNREFUSED]: Connection refused (code=111)"

What mobile phone are you using?
Nexus 7

Which Android Version and stock ROM or aftermarket like cyanogenmod?
Stock 4.1.1 (JRO03D)

Please provide any additional information below.

Client's configuration (IP substituted with x.x.x.x):

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca razor_ca.crt
cert razor_client.crt
key razor_client.key
ns-cert-type server
comp-lzo
verb 3

NOTE: options "resolv-retry infinite" and "ns-cert-type server" are treated as 
"custom options".

LOG (IP address substituted with x.x.x.x):
Running on Nexus 7 (grouper) google, Android API 16
Log cleared.
Building configuration…
Network Status: CONNECTED  to WIFI
P:OpenVPN 2.3_alpha3 arm-linux-androideabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] 
[PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Aug  2 2012
P:MANAGEMENT: Connected to management server at 
/data/data/de.blinkt.openvpn/cache/mgmtsocket
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:Socket Buffers: R=[110592->131072] S=[110592->131072]
P:UDPv4 link local: [undef]
P:UDPv4 link remote: [AF_INET]x.x.x.x:1194
P:MANAGEMENT: >STATE:1347553817,WAIT,,,
P:read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
P:read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
P:read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
P:read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
P:read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
P:MANAGEMENT: CMD 'signal SIGINT'
P:SIGINT[hard,] received, process exiting
P:MANAGEMENT: >STATE:1347553849,EXITING,SIGINT,,

The same configuration (and relative certs and key) works on MacOS X (via 
Tunnelblick) on the same wifi network (thus not a port issue).

Original issue reported on code.google.com by [email protected] on 13 Sep 2012 at 4:39

[GoogleCodeExporter]

The openvpn of ics-openvpn should behave in the same way as the normal version. 
Do you have a server log or can do a tcpdump to see get more information?

Original comment by [email protected] on 13 Sep 2012 at 8:41

• Changed state: NeedMoreInformation

[GoogleCodeExporter]

This is the tcpdump. Note that I'm connected to the server through the same 
router, so some packets should be of SSH.

Original comment by [email protected] on 14 Sep 2012 at 12:10

Attachments:

• log.txt

[GoogleCodeExporter]

The tcpdump shows exactly same what openvpn shows. The client tries to connet 
and gets a connection refused:

02:08:10.875841 IP 192.168.1.129.41736 > 192.168.1.130.1194: UDP, length 14
02:08:10.875873 IP 192.168.1.130 > 192.168.1.129: ICMP 192.168.1.130 udp port 
1194 unreachable, length 50

and later again:

02:08:12.975888 IP 192.168.1.129.41736 > 192.168.1.130.1194: UDP, length 14
02:08:12.975919 IP 192.168.1.130 > 192.168.1.129: ICMP 192.168.1.130 udp port 
1194 unreachable, length 50

Original comment by [email protected] on 14 Sep 2012 at 10:22

[GoogleCodeExporter]

This is the log of a working connection, same certs and key, just from my 
MacBook. Why should it work properly on the same wifi and not with my Android 
device? The router has no rules about nor the MacBook nor the Nexus 7.

Original comment by [email protected] on 14 Sep 2012 at 10:42

Attachments:

• log_working.txt

[GoogleCodeExporter]

The second log does not show any connection to 192.168.1.30:1194 as the first. 
It shows only a udp connection from port 443 to 1025

Original comment by [email protected] on 14 Sep 2012 at 10:49

[GoogleCodeExporter]

Oops, my bad.. I just remembered I changed the port but not the configuration 
file =(

In any case now it seems it fails the TLS key negotation.

Log attached.

Original comment by [email protected] on 14 Sep 2012 at 10:54

Attachments:

• tls_key_negotation_fail.txt

[GoogleCodeExporter]

Update: this is the server error: Fri Sep 14 12:58:22 2012 TLS Error: cannot 
locate HMAC in incoming packet from 192.168.1.129:35064

Original comment by [email protected] on 14 Sep 2012 at 10:58

[GoogleCodeExporter]

Such error are mostly configuration errors. Did you try to import the 
configuration file that works on your macbook?

Original comment by [email protected] on 14 Sep 2012 at 10:59

[GoogleCodeExporter]

Yes, I did just that. HMAC may mean hardware mac? Maybe the ics-openvpn setups 
the tun device with all-zeros mac address?

Original comment by [email protected] on 14 Sep 2012 at 11:00

[GoogleCodeExporter]

http:https://en.wikipedia.org/wiki/HMAC

this is another configuration error. You are missing the tls auth settings. If 
you configuration is not imported correctly can you show me your macbook 
configuration?

Original comment by [email protected] on 14 Sep 2012 at 11:08

[GoogleCodeExporter]

Resolved, thanks. It seems that the tls cert line was commented out. Most 
probably Tunnelblick automatically detects it and correct the problem.

Original comment by [email protected] on 14 Sep 2012 at 11:15

[GoogleCodeExporter]

I am closing the bug since it was a configuration mistake

Original comment by [email protected] on 14 Sep 2012 at 11:16

• Changed state: Invalid