Bug with Windows v2.5 rc3 client

Post by nickh » Tue Oct 20, 2020 4:38 pm

I've just noticed that using 2.5rc3 Win10 x64 seems to be producing an erroneous error log in an OpenVPN server using openvpn-2.4.9-1.el7.x86_64. On the server logs I am now seeing:

Code:

Tue Oct 20 17:21:55 2020 172.17.2.123:49159 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'

The client config is:

Client config
client
remote example.net 1194
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca-cert.pem
cert client-ourfamily-cert.pem
key client-ourfamily-key.pem
ns-cert-type server
comp-lzo
verb 3


And the server config is:
Server config
port 1194
proto udp
dev tun
ca /etc/pki/CA/ca-cert.pem
cert /etc/pki/CA/sys-0-cert.pem
key /etc/pki/CA/private/sys-0-key.pem
dh /etc/openvpn/ssl/dh1024.pem
server 172.17.0.0 255.255.255.0
keepalive 10 120
compress stub-v2
push "compress stub-v2"
user nobody
group nobody
multihome
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120
status /var/lib/openvpn/openvpn-status.log
verb 3
push "dhcp-option DNS 172.17.2.1"
push "dhcp-option DOMAIN example.com"
management 127.0.0.1 5555
log-append /var/log/openvpn
crl-verify /etc/pki/CA/crl/crl.pem
route 172.17.3.0 255.255.255.0
client-config-dir ccd
client-to-client
push "dhcp-option WINS 172.17.2.1"
push "route 172.17.2.0 255.255.255.0"
push "route 172.17.3.0 255.255.255.0"


I also note I still get the warning:

Code:

WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.

I thought --ns-cert-type was going to be removed in 2.5 (but I am very glad it has not been).
Last edited by Pippin on Tue Oct 20, 2020 4:49 pm, edited 1 time in total.
Reason: Formatting


Re: Bug with Windows v2.5 rc3 client

Post by TinCanTech » Tue Oct 20, 2020 5:04 pm

nickh wrote:
Tue Oct 20, 2020 4:38 pm
OpenVPN server using openvpn-2.4.9-1.el7.x86_64. On the server logs I am now seeing:

Code:

Tue Oct 20 17:21:55 2020 172.17.2.123:49159 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'

BF-CBC is the default --cipher in 2.4 and --cipher has been replaced with --data-ciphers in 2.5. So the message is actually correct. The plan is to have everybody move to 2.5 for the new features.


Re: Bug with Windows v2.5 rc3 client

Post by nickh » Tue Oct 20, 2020 5:17 pm

I am confused. Doesn't it autonegotiate? Mine goes to:

Code:

Tue Oct 20 17:21:56 2020 ourfamily/172.17.2.123:49159 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 20 17:21:56 2020 ourfamily/172.17.2.123:49159 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

What then is there to upgrade?


Re: Bug with Windows v2.5 rc3 client

Post by TinCanTech » Tue Oct 20, 2020 5:48 pm

nickh wrote:
Tue Oct 20, 2020 5:17 pm
I am confused. Doesn't it autonegotiate?

Yes it does.

nickh wrote:
Tue Oct 20, 2020 5:17 pm
What then is there to upgrade?

Your server, when 2.5 is officially released.
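
An added example, not part of any post in this thread and not OpenVPN project code: a Python check that pairs each 'cipher' warning in a server log with the data-channel cipher that peer actually ended up using, which is the distinction the thread turns on. The second peer in the sample log and the set of ciphers treated as acceptable are constructed assumptions.

```python
import re

# Constructed sample modelled on the server log lines quoted in the thread.
# The second peer (172.17.2.200) is invented to show the non-negotiated case.
SAMPLE_LOG = """\
Tue Oct 20 17:21:55 2020 172.17.2.123:49159 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Tue Oct 20 17:21:56 2020 ourfamily/172.17.2.123:49159 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 20 17:21:56 2020 ourfamily/172.17.2.123:49159 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Oct 20 17:30:02 2020 172.17.2.200:50211 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher BF-CBC'
Tue Oct 20 17:30:03 2020 laptop/172.17.2.200:50211 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
"""

# Assumption: ciphers treated here as an acceptable negotiated result.
AEAD = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# In the thread's log lines a peer appears as ip:port or as name/ip:port.
PEER = r"(?:[^/\s]+/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
WARN_RE = re.compile(PEER + r" WARNING: 'cipher' is present in local config "
                     r"but missing in remote config, local='cipher (?P<local>[^']+)'")
CHAN_RE = re.compile(PEER + r" (?:Outgoing|Incoming) Data Channel: "
                     r"Cipher '(?P<cipher>[^']+)'")


def audit(log_text):
    """Map each peer to its warned local cipher, negotiated ciphers and verdict."""
    peers = {}
    for line in log_text.splitlines():
        warn, chan = WARN_RE.search(line), CHAN_RE.search(line)
        if not (warn or chan):
            continue
        m = warn or chan
        info = peers.setdefault(m["peer"], {"warned": None, "negotiated": set()})
        if warn:
            info["warned"] = warn["local"]
        else:
            info["negotiated"].add(chan["cipher"])
    for info in peers.values():
        used = info["negotiated"]
        if not used:
            info["verdict"] = "unknown: no data channel line seen"
        elif used <= AEAD:
            info["verdict"] = "ok: negotiated " + ", ".join(sorted(used))
        else:
            info["verdict"] = "review: data channel on " + ", ".join(sorted(used - AEAD))
    return peers


if __name__ == "__main__":
    for peer, info in audit(SAMPLE_LOG).items():
        print(peer, "warned about", info["warned"], "->", info["verdict"])
```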
