Author Topic: OpenVPN Client stopped working after recent update  (Read 13034 times)

franco

Re: OpenVPN Client stopped working after recent update
« Reply #15 on: May 31, 2023, 01:12:57 pm »
Quote from: JeGr on May 31, 2023, 11:56:26 am
Perhaps have a look at my post below in the German section? Also cipher is not the backup for data-ciphers, data-ciphers-fallback is used for that and works well enough. We had no problems making switches from OVPN2.4 to 2.5 to 2.6 on devices using data-cipher/-fallback variables set up correctly even with clients older or newer.

Fair enough, looks like a typo on my end. The issue remains: data-ciphers-fallback and cipher are NOT compatible with each other leading you to either keep cipher as is or follow the recommendation by OpenVPN and upgrade both server and client to data-ciphers-fallback. This, however, doesn't work when you don't control the other end.

This seems intentional by devs for all I can tell or else this would be a seamless handover.

https://github.com/opnsense/core/commit/4b2b6005090

Case in point the original error:

DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.

You can do what it says, but you have to do it on both ends which is counter-productive.

Quote from: JeGr on May 31, 2023, 11:56:26 am
Documentation states that with 2.6 forward that old cipher config variable is no longer used besides in old site2site configs that are also deprecated. That's why quite a few users run into problems when they had configured other ciphers like -CBC ones in the past, that are now no longer part of the default cipher-set of "data-ciphers" or "data-ciphers-fallback". We need a multiselect field for data-cipher selection and/or an option to mark some of those as optional (new feature of OVPN 2.6) as well as set up a value for data-ciphers-fallback to correctly set up the OVPN server and let older clients connect safely.

GitHub feature request is appreciated. Though we are already rebuilding OpenVPN in MVC for 23.7 at the moment (similar to split-approach of IPsec in 23.1) this might only end up in the new MVC variant if it's not already there.

https://github.com/opnsense/core/pull/6584


Cheers,
Franco
« Last Edit: May 31, 2023, 01:14:39 pm by franco »
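
Added example, not part of the post above and not OPNsense or OpenVPN code: a small Python check that reads an OpenVPN config and reports the condition behind the deprecation warning quoted in the thread. Assumptions: the default data-ciphers list is the one printed in that warning, cipher names are compared case-insensitively, and the sample configs and hostname are constructed.

```python
# Added example: flags the condition behind the deprecation warning quoted above.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"  # assumption: list shown in that warning
OPTIONS = ("cipher", "data-ciphers", "data-ciphers-fallback")

def parse_cipher_options(config_text):
    """Collect the cipher-related directives from OpenVPN config text."""
    found = {}
    for raw in config_text.splitlines():
        # '#' and ';' start a comment in OpenVPN config files
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0].lstrip("-").lower() in OPTIONS:
            found[parts[0].lstrip("-").lower()] = parts[1].strip("'\"")
    return found

def check_cipher_options(config_text, default_data_ciphers=DEFAULT_DATA_CIPHERS):
    """Return a list of findings; empty means the warning would not trigger."""
    opts = parse_cipher_options(config_text)
    # A leading '?' marks an optional cipher (OpenVPN 2.6).
    # Assumption: names are compared case-insensitively.
    negotiable = [c.lstrip("?").upper()
                  for c in opts.get("data-ciphers", default_data_ciphers).split(":") if c]
    cipher = opts.get("cipher")
    findings = []
    if cipher and cipher.upper() not in negotiable:
        findings.append(
            f"cipher '{cipher}' is missing in data-ciphers ({':'.join(negotiable)}): "
            f"add it to data-ciphers or replace it with data-ciphers-fallback '{cipher}'")
    return findings

# Constructed sample configs (hostname is a placeholder)
LEGACY = """client
remote vpn.example.net 1194
cipher aes-128-cbc   # pre-2.5 style
"""
WITH_DATA_CIPHERS = """data-ciphers AES-256-GCM:AES-128-GCM:?AES-128-CBC
cipher aes-128-cbc
"""
WITH_FALLBACK = """data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback aes-128-cbc
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("data-ciphers", WITH_DATA_CIPHERS),
                      ("fallback", WITH_FALLBACK)):
        print(name, check_cipher_options(cfg) or "ok")
```

The check only covers one side's config file; it says nothing about what the peer on the other end will accept.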