Issue with OpenVPN-2.6.14-I002.msi-2.6.14-I004.msi establishing tunnel to Azure Gateway (only on Surface Pro 2-in-1s)
UPDATE 8/28/2025: Still occurring with OpenVPN-2.6.14-I004.msi.
IMPORTANT NOTE Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net
Describe the bug OpenVPN starting at version 2.6.14-I002 (amd64) (arm64 for Snapdragon Surface Pros) fails to establish a tunnel to Azure Gateway, only on Surface Pros 7+, 10s, 11s.
To Reproduce Install OpenVPN-2.6.14-I002-amd64.msi to Surface Pro 7+, 10 (OR OpenVPN-2.6.14-I002-arm64.msi to Surface Pro 11s) and previously working tunnel (on ver 2.6.14-I001-amd64/arm64.msi) will fail to connect to an Azure Gateway. Settings on the clients include DCO disabled.
Expected behavior Tunnel should be established with Azure Gateway.
Version information (please complete the following information):
- OS: Windows 11 24H2 (Build 26100.4770)
- OpenVPN version: 2.6.14-I002 (amd64) (arm64)
- Repeat for peer if relevant
Additional context OpenVPN 2.6.14-I0002 works as expected on all other workstations, except Surface Pros in the tenant. The issue persists after network resets. Unfortunately, I cannot provide much logging information from the Azure Gateway side, as the logging surrounding their Gateways is rather limited. I have temporarily rolled back to 2.6.14-I001 on Surface Pros.
When you say "fails to establish", what do you see on the client side?
Just continued attempts to establish with resets. I can pull the exact logs from a test machine on Monday, for sure. Sorry I haven't done that already.
Still getting this issue (only with the mentioned machines) with the latest 2.6.14-I004.msi. Here are the client logs:
2025-08-28 08:24:03 OpenVPN 2.6.14 [git:v2.6.14/f588592ee6c6323b] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 6 2025
2025-08-28 08:24:03 Windows version 10.0 (Windows 10 or greater), amd64 executable
2025-08-28 08:24:03 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-28 08:24:03 DCO version: N/A
2025-08-28 08:24:04 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:04 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:04 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:04 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:04 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:04 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=53dff8ef 60d3b169
2025-08-28 08:24:11 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=244,code=10060)
2025-08-28 08:24:11 Connection reset, restarting [-1]
2025-08-28 08:24:11 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:11 Restart pause, 1 second(s)
2025-08-28 08:24:12 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:12 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:12 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:12 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:12 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:12 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:12 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=ed496e56 6a2de3f6
2025-08-28 08:24:17 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=260,code=10060)
2025-08-28 08:24:17 Connection reset, restarting [-1]
2025-08-28 08:24:17 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:17 Restart pause, 1 second(s)
2025-08-28 08:24:18 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:18 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:18 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:18 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:18 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:18 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:18 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=d57f0f4c 741b49dc
2025-08-28 08:24:23 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=244,code=10060)
2025-08-28 08:24:23 Connection reset, restarting [-1]
2025-08-28 08:24:23 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:23 Restart pause, 1 second(s)
2025-08-28 08:24:24 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:24 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:24 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:24 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:24 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:24 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:24 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=f921429a adc2f3a4
2025-08-28 08:24:29 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=260,code=10060)
2025-08-28 08:24:29 Connection reset, restarting [-1]
2025-08-28 08:24:29 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:29 Restart pause, 1 second(s)
2025-08-28 08:24:30 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:30 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:30 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:30 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:30 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:30 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:30 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=fed16166 1c368770
2025-08-28 08:24:35 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=260,code=10060)
2025-08-28 08:24:35 Connection reset, restarting [-1]
2025-08-28 08:24:35 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:35 Restart pause, 2 second(s)
2025-08-28 08:24:37 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:37 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:37 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:37 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:37 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:37 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:37 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=c50e6db6 49f847e9
2025-08-28 08:24:42 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=270,code=10060)
2025-08-28 08:24:42 Connection reset, restarting [-1]
2025-08-28 08:24:42 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:42 Restart pause, 4 second(s)
2025-08-28 08:24:46 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:46 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:46 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:46 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:46 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:46 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:46 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=c6d4f259 e4646ac8
2025-08-28 08:24:51 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=270,code=10060)
2025-08-28 08:24:51 Connection reset, restarting [-1]
2025-08-28 08:24:51 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:24:51 Restart pause, 8 second(s)
2025-08-28 08:24:59 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:59 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:24:59 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:59 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:59 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:24:59 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:59 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=0d1dcf61 d6c92588
2025-08-28 08:25:04 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=260,code=10060)
2025-08-28 08:25:04 Connection reset, restarting [-1]
2025-08-28 08:25:04 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:25:04 Restart pause, 16 second(s)
2025-08-28 08:25:20 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:20 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:25:20 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:20 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:20 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:25:20 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:20 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=dfcf666a bf344f3f
2025-08-28 08:25:25 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=26c,code=10060)
2025-08-28 08:25:25 Connection reset, restarting [-1]
2025-08-28 08:25:25 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:25:25 Restart pause, 32 second(s)
2025-08-28 08:25:57 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 Socket Buffers: R=[65536->65536] S=[65536->65536]
2025-08-28 08:25:57 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:25:57 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=e3f01958 4c214a83
2025-08-28 08:26:02 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=234,code=10060)
2025-08-28 08:26:02 Connection reset, restarting [-1]
2025-08-28 08:26:02 SIGUSR1[soft,connection-reset] received, process restarting
2025-08-28 08:26:02 Restart pause, 64 second(s)
So the crucial bit is here
2025-08-28 08:25:57 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TCPv4_CLIENT link local: (not bound)
2025-08-28 08:25:57 TCPv4_CLIENT link remote: [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:25:57 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=e3f01958 4c214a83
2025-08-28 08:26:02 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=234,code=10060)
this translates to: a connection to the remote gateway on port 443 could be established, some initial packet(s) were exchanged and a session ID set up, and then "nothing from the other side for 5 seconds" (which sounds a bit shorter than I'd expect for a timeout there - anything special in the configs, like --connect-timeout?)
There isn't any change in OpenVPN itself between I001 and I002, but there might have been an OpenSSL or compiler upgrade (@flichtenheld might know).
It would be really really helpful to get the log from the other side - like, if there is something that upsets the Azure gateway and it just drops the connection ("SSL HANDSHAKE FAILED") this might end up similarly in the logs (we should see a TCP RESET, though, not a timeout). Can you open an AWS ticket? They get money for the service, they should probably do some work for it.
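As an added example (not part of the original thread and not OpenVPN project code), this Python script applies the reading described above to a client log: it groups lines per TCP attempt and reports which Winsock error ended each attempt and how long the client waited after the gateway's first TLS packet. The first two attempts in the sample are copied from the log posted above; the third, a reset, is constructed for contrast, and the function and field names are assumptions of this example.

```python
import re
from datetime import datetime

# First two attempts are copied from the client log posted in this thread;
# the third (WSAECONNRESET) is constructed here for contrast.
SAMPLE_LOG = """\
2025-08-28 08:24:03 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-28 08:24:04 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:04 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=53dff8ef 60d3b169
2025-08-28 08:24:11 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=244,code=10060)
2025-08-28 08:24:12 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:12 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:443, sid=ed496e56 6a2de3f6
2025-08-28 08:24:17 read TCPv4_CLIENT: Connection timed out (WSAETIMEDOUT) (fd=260,code=10060)
2025-08-28 08:24:18 TCP connection established with [AF_INET]XXX.XXX.XXX.XXX:443
2025-08-28 08:24:19 read TCPv4_CLIENT: Connection reset by peer (WSAECONNRESET) (fd=244,code=10054)
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

def analyze(log_text):
    """Return (openssl_version, attempts); one dict per TCP connection attempt."""
    openssl, attempts, cur = None, [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("library versions:"):
            v = re.search(r"OpenSSL (\S+)", msg)
            openssl = v.group(1) if v else None
        elif msg.startswith("TCP connection established"):
            cur = {"connected": ts, "tls_first": None, "sid": None,
                   "outcome": "unfinished", "wait_s": None}
            attempts.append(cur)
        elif cur and msg.startswith("TLS: Initial packet"):
            cur["tls_first"] = ts
            cur["sid"] = msg.partition("sid=")[2] or None
        elif cur and msg.startswith("read "):
            err = re.search(r"\((WSA\w+)\)", msg)  # Winsock error name
            cur["outcome"] = err.group(1) if err else "read-error"
            # Seconds since the last sign of life from the peer on this attempt.
            cur["wait_s"] = (ts - (cur["tls_first"] or cur["connected"])).total_seconds()
            cur = None
    return openssl, attempts

def handshake_stalls(attempts):
    """Peer's first TLS packet arrived, then the read timed out (the pattern in this thread)."""
    return [a for a in attempts if a["tls_first"] and a["outcome"] == "WSAETIMEDOUT"]

if __name__ == "__main__":
    version, attempts = analyze(SAMPLE_LOG)
    print("OpenSSL", version)
    for a in attempts:
        print(a["connected"], a["sid"], a["outcome"], a["wait_s"])
    print("stalled after first TLS packet:", len(handshake_stalls(attempts)))
```

Running the same script over a log from a working I001 install and a failing I004 install on the same device gives the linked OpenSSL version and the per-attempt outcome side by side.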
Logs are super limited on the Azure side, as we are utilizing the Azure Gateway with OpenVPN option and not an actual OpenVPN server instance on a VM, but I can open a ticket on the issue with support. I have a couple of non-surface laptops where I004 works just fine but on the Surfaces, nothing past I001. It just seems really odd.
The only difference between openvpn.exe in various 2.6.14-100x is the version of OpenSSL it's linked with (OpenSSL 3.4.1 in 1001 while, e.g., 3.5.1 in 1003). Odd that this would cause such an error. Client logs with verb=4 may give some clue -- looks like the one posted are with verb = 3(?)
Wonder if this could be related - there is a report that with MSVC 17.4.1 it doesn't crash, but also doesn't connect.
> Wonder if this could be related - there is a report that with MSVC 17.4.1 it doesn't crash, but also doesn't connect.
Very well could be related for the Surface Pro 11s (arm64), but I've got amd64 SurfPros that aren't establishing successful connections, either. I am planning on opening a ticket with Azure support today to try to dig into this more.
> The only difference between openvpn.exe in various 2.6.14-100x is the version of OpenSSL it's linked with (OpenSSL 3.4.1 in 1001 while, e.g., 3.5.1 in 1003). Odd that this would cause such an error. Client logs with verb=4 may give some clue -- looks like the one posted are with verb = 3(?)
I'll double-check, but I think these were verb = 4.
> Very well could be related for the Surface Pro 11s (arm64), but I've got amd64 SurfPros that aren't establishing successful connections, either. I am planning on opening a ticket with Azure support today to try to dig into this more.
I can see ARM based devices behaving oddly ("everything works, but ARM got compiled in strange ways", which still happens, unfortunately) - but "all Surface Pro devices, no matter which CPU, fail, and everything works" is hard to find a good reason for.
Anything particular to these devices? Like a specific security software that intercepts network traffic and gets upset by TLS 1.3 negotiations, or so...? Anything interesting in the event log at these 5 seconds?