OpenVPN Client stopped working after recent update

Started by thefunkygibbon, March 08, 2022, 01:25:09 PM

May 31, 2023, 01:12:57 PM #15 Last Edit: May 31, 2023, 01:14:39 PM by franco
Quote from: JeGr on May 31, 2023, 11:56:26 AM
Perhaps have a look at my post below in the German section? Also cipher is not the backup for data-ciphers, data-ciphers-fallback is used for that and works well enough. We had no problems making switches from OVPN 2.4 to 2.5 to 2.6 on devices using data-ciphers/-fallback variables set up correctly, even with clients older or newer.

Fair enough, looks like a typo on my end. The issue remains: data-ciphers-fallback and cipher are NOT compatible with each other leading you to either keep cipher as is or follow the recommendation by OpenVPN and upgrade both server and client to data-ciphers-fallback. This, however, doesn't work when you don't control the other end.

This seems intentional by devs for all I can tell or else this would be a seamless handover.

https://github.com/opnsense/core/commit/4b2b6005090

Case in point, the original error:

DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.

You can do what it says, but you have to do it on both ends, which is counter-productive.

Quote from: JeGr on May 31, 2023, 11:56:26 AM
Documentation states that with 2.6 forward that old cipher config variable is no longer used besides in old site2site configs that are also deprecated. That's why quite a few users run into problems when they had configured other ciphers like -CBC ones in the past, that are now no longer part of the default cipher-set of "data-ciphers" or "data-ciphers-fallback". We need a multiselect field for data-cipher selection and/or an option to mark some of those as optional (new feature of OVPN 2.6) as well as set up a value for data-ciphers-fallback to correctly set up the OVPN server and let older clients connect safely.

GitHub feature request is appreciated. Though we are already rebuilding OpenVPN in MVC for 23.7 at the moment (similar to the split approach of IPsec in 23.1), this might only end up in the new MVC variant if it's not already there.

https://github.com/opnsense/core/pull/6584


Cheers,
Franco
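To make the warning quoted above concrete, here is an added example (not OPNsense or OpenVPN code, and not from this thread) that checks a client/server config for the condition the message describes, i.e. --cipher naming an algorithm absent from --data-ciphers, and produces the two remediations the message offers. The sample config, its hostname and the parse helpers are constructed for this demo; OpenVPN itself matches cipher names case-insensitively, which is why the comparison upper-cases them.

```python
# Constructed sample config reproducing the situation in the quoted warning:
# --cipher aes-128-cbc is set but not part of --data-ciphers.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder host
cipher aes-128-cbc
data-ciphers AES-256-GCM:AES-128-GCM
"""


def parse_config(text):
    """Return {option: value} for one-line options; a later duplicate wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        line = line.split("#", 1)[0].strip()  # drop trailing comment
        key, _, value = line.partition(" ")
        if key == "ncp-ciphers":  # pre-2.5 spelling of data-ciphers
            key = "data-ciphers"
        opts[key] = value.strip()
    return opts


def cipher_mismatch(opts):
    """Return the --cipher value if it is missing from --data-ciphers, else None."""
    cipher = opts.get("cipher")
    if not cipher:
        return None
    negotiated = [c.upper() for c in opts.get("data-ciphers", "").split(":") if c]
    return cipher if cipher.upper() not in negotiated else None


def remediate(opts, use_fallback):
    """Apply one of the two fixes from the warning text.

    use_fallback=False: keep --cipher and append it to --data-ciphers.
    use_fallback=True : drop --cipher and set --data-ciphers-fallback instead.
    As the post notes, the peer needs the matching change for either to help.
    """
    fixed = dict(opts)
    cipher = fixed["cipher"].upper()
    if use_fallback:
        del fixed["cipher"]
        fixed["data-ciphers-fallback"] = cipher
    else:
        existing = [c for c in fixed.get("data-ciphers", "").split(":") if c]
        fixed["data-ciphers"] = ":".join(existing + [cipher])
    return fixed
```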