OpenConnect (ocserv) Android app latest version has a bug - ban client issue
I have a CentOS 7.6 VPS as server with a public IP address.
Also I have an Android phone + Windows 7 OS as clients with wireless internet.
I installed OpenConnect (ocserv) on the server machine & configured it in the right way.
I followed these commands to install OpenConnect on the server machine:
sudo yum -y install gnutls-devel libev-devel tcp_wrappers-devel pam-devel lz4-devel libseccomp-devel readline-devel libnl3-devel krb5-devel radcli-devel
sudo yum -y install epel-release
sudo yum repolist enabled
sudo yum info ocserv
sudo yum -y install ocserv
sudo ocpasswd -c /etc/ocserv/ocpasswd test 123
nano -K /etc/ocserv/ocserv.conf
And here is the ocserv.conf file:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 8090
udp-port = 8090
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 5
max-same-clients = 1
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.102.0
ipv4-netmask = 255.255.255.0
dns = 188.8.131.52
dns = 184.108.40.206
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
I didn't do anything about the certificate & all of the related parts are default.
I installed OpenConnect GUI from here on the Windows OS client machine & it connects to the OpenConnect server successfully with no errors & I can surf the internet with it very well.
Now I installed OpenConnect Android from here on the client Android phone.
I tracked OpenConnect connection logs in this way on the server:
journalctl -fu ocserv
When the Android machine connects to the server, journalctl -fu ocserv shows a strange error:
worker[username]: user's ipaddress worker-vpn.c:295: could not set TLS priority: The request is invalid.
ocserv repeats that error multiple times & at last bans that client's IP address,
so on the Android machine I cannot surf the internet.
OpenConnect is connected, but does not work.
What is that ban issue & how can I fix it?
I installed Cisco AnyConnect from here on the Android machine & it connects to ocserv with the same error (no ban).
But it works & I can surf the internet on the Android phone (VPN connected).
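An added example, not part of the question or of ocserv itself: a small Python triage script that reads `journalctl -fu ocserv` output of the form quoted above, counts the "could not set TLS priority" failures per user and client address within the config's ban-reset-time window (300 s), and flags clients whose burst reaches max-ban-score (50). The host name, PID, user names and 203.0.113.x addresses in the sample are constructed, and the number of ban points ocserv charges per such failure is an assumption (set to 1 here).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `journalctl -fu ocserv` output, modelled on the line
# quoted in the question. Host, PID, users and 203.0.113.x addresses are made up.
SAMPLE_LOG = """\
Mar 10 12:00:01 vps ocserv[1234]: worker[test]: 203.0.113.5 worker-vpn.c:295: could not set TLS priority: The request is invalid.
Mar 10 12:00:03 vps ocserv[1234]: worker[test]: 203.0.113.5 worker-vpn.c:295: could not set TLS priority: The request is invalid.
Mar 10 12:00:06 vps ocserv[1234]: worker[test]: 203.0.113.5 worker-vpn.c:295: could not set TLS priority: The request is invalid.
Mar 10 12:00:09 vps ocserv[1234]: worker[test]: 203.0.113.5 worker-vpn.c:295: could not set TLS priority: The request is invalid.
Mar 10 12:07:00 vps ocserv[1234]: worker[test]: 203.0.113.5 worker-vpn.c:295: could not set TLS priority: The request is invalid.
Mar 10 12:07:02 vps ocserv[1234]: worker[alice]: 203.0.113.9 worker-vpn.c:295: could not set TLS priority: The request is invalid.
"""

# Syslog-style timestamp, then the worker[user]: <ip> worker-vpn.c:<line>: message shape from the question.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ocserv\[\d+\]: "
    r"worker\[(?P<user>[^\]]+)\]: (?P<ip>\S+) worker-vpn\.c:\d+: "
    r"could not set TLS priority"
)


def tls_priority_failures(log_text, ban_reset_time=300):
    """Return {(user, ip): largest number of TLS-priority failures that fall
    inside one window of ban_reset_time seconds} (300 = the question's ban-reset-time)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[(m["user"], m["ip"])].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    peaks = {}
    for key, stamps in events.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() >= ban_reset_time:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def clients_near_ban(peaks, max_ban_score=50, points_per_event=1):
    """Clients whose burst would reach max-ban-score (50 in the question's config).
    points_per_event is an ASSUMPTION: the question does not say what ocserv charges per failure."""
    return sorted(key for key, n in peaks.items() if n * points_per_event >= max_ban_score)


if __name__ == "__main__":
    peaks = tls_priority_failures(SAMPLE_LOG)
    for (user, ip), n in sorted(peaks.items()):
        print(f"{user}@{ip}: {n} TLS-priority failures within one ban-reset-time window")
    print("would reach ban score:", clients_near_ban(peaks))
```

Run it against real output with `journalctl -u ocserv --no-pager | python3 triage.py` style piping by swapping SAMPLE_LOG for `sys.stdin.read()`; clients repeatedly listed here are the ones whose failed handshakes feed the ban counter.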