Can't connect with Windows to OVPN server
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Can't connect with Windows to OVPN server
Hi there,
I'm trying to connect to an OpenVPN server which is basically my router.
I receive this error:
2021-04-30 14:39:25 OPTIONS IMPORT: timers and/or timeouts modified
2021-04-30 14:39:25 OPTIONS IMPORT: --ifconfig/up options modified
2021-04-30 14:39:25 OPTIONS IMPORT: route options modified
2021-04-30 14:39:25 OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
2021-04-30 14:39:25 ERROR: Failed to apply push options
2021-04-30 14:39:25 Failed to open tun/tap interface
2021-04-30 14:39:25 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2021-04-30 14:39:25 MANAGEMENT: >STATE:1619786365,RECONNECTING,process-push-msg-failed,,,,,
2021-04-30 14:39:25 Restart pause, 5 second(s)
I just searched for the error and found some users saying just add "ncp-disable" in my OpenVPN config on the client. But then I get this error message which I don't understand:
2021-04-30 14:51:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-04-30 14:51:49 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Options error: --ncp-disable needs an explicit --cipher or --data-ciphers-fallback config option
Use --help for more information.
Please could you help me?
If I have to add something to my config (like ncp disable...) will this affect the security level?
Here is my current config:
client
dev tun
proto udp
remote ***HOSTNAME*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 NAS.p12
comp-lzo
verb 3
remote-cert-tls server
ncp-disable
Thanks a lot
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
See if you can find a suitable combination here:
https://community.openvpn.net/openvpn/w ... egotiation
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Thanks for your quick reply!!
I found this site too, but I still don't get it.
Do I have to know which OpenVPN version my router uses? What should I try to add to the config, something like data-ciphers ... ?
Kind regards
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Ok... I just found out that my router Easybox uses OpenVPN 2.3.6 as server.
So I would need to add "--cipher" to my config?
Thanks
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
I believe you need --cipher in your server:
cipher AES-256-GCM
The client should pick that automatically.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Sadly I can't modify such parameters on the server.
Any chance to solve the issue on client side (maybe in the .ovpn file)?
Should I try an older OpenVPN client?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
What cipher does your server use?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Sorry, but I don't know. All I know is that the connection over iOS app works fine and the installed version on the server.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
Try reading the log on your iOS device and also look for the log on your server.
You may need to consult your router manual ..
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
The log on iOS has the information. Thanks for the hint !
cipher: BF-CBC
digest: SHA1
compress: LZO_STUB
peer ID: -1
I have now removed the "ncp disable" line from my config and added "cipher BF-CBC".
Aaaaaaaand it works!!
The log just shows some WARNINGS about security. I think the one is about COMPRESSION and the other about SWEET32 attacks.
Any chance to avoid those insecurities?
Log warnings:
Sat May 01 20:30:51 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat May 01 20:30:51 2021 DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Sat May 01 20:31:00 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 01 20:31:00 2021 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Sat May 01 20:31:04 2021 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Ok... I have now changed the config to this:
cipher AES-256-CBC
Now the WARNINGS disappeared.
I think I should add the cipher AES-256-CBC line to my OVPN config on the iPhone?
The log on Windows just shows this error:
Sat May 01 21:02:45 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat May 01 21:02:45 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC'
Sat May 01 21:02:51 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 01 21:03:06 2021 Authenticate/Decrypt packet error: cipher final failed
Sat May 01 21:03:17 2021 Authenticate/Decrypt packet error: cipher final failed
Sat May 01 21:03:27 2021 Authenticate/Decrypt packet error: cipher final failed
I think the Compression error will only go away with another server config?
Deprecated Option? Don't know...
And cipher final failed? Don't know either...
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
You have to change your server config, not your client.
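The client-side settings tried in this thread, checked by a small script. This is an added example, not part of any post and not OpenVPN code; the `audit` helper, the finding names and the placeholder hostname are made up for illustration, and the fallback rule is a simplified model of the 2.5 client.

```python
# Added example: audit an OpenVPN 2.5 client config for the warnings quoted
# in this thread. Finding names and the hostname are made up for illustration.

# 64-bit block ciphers, the class the SWEET32 warning is about.
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
# Client default list as printed in the thread's DEPRECATED OPTION log line.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"

def parse_ovpn(text):
    """Map each directive to its argument list; skip blanks and comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args
    return opts

def audit(text, server_cipher=None):
    """Return sorted finding codes. server_cipher is the fixed cipher of a
    server that does not negotiate (in the thread: read from the iOS log)."""
    o = parse_ovpn(text)
    def first(key):
        return (o.get(key) or [None])[0]
    found = set()
    negotiable = (first("data-ciphers") or DEFAULT_DATA_CIPHERS).upper().split(":")
    cipher = first("cipher")
    # Simplified model: fallback is --data-ciphers-fallback, else --cipher.
    fallback = first("data-ciphers-fallback") or cipher
    if "ncp-disable" in o:
        found.add("NCP_DISABLE_DEPRECATED")
    if cipher and cipher.upper() not in negotiable:
        found.add("CIPHER_NOT_IN_DATA_CIPHERS")
    if fallback and fallback.upper() in SMALL_BLOCK:
        found.add("SMALL_BLOCK_SWEET32")
    if server_cipher and not fallback:
        found.add("NO_FALLBACK_CIPHER")      # "failed to negotiate cipher"
    elif server_cipher and fallback.upper() != server_cipher.upper():
        found.add("CIPHER_MISMATCH")         # client cipher differs from server's
    if "comp-lzo" in o:
        found.add("COMPRESSION_ENABLED")
    if "auth-nocache" not in o:
        found.add("AUTH_NOCACHE_MISSING")
    return sorted(found)

# Constructed from the config posted in the thread.
BASE = ("client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
        "pkcs12 NAS.p12\ncomp-lzo\nremote-cert-tls server\n")

if __name__ == "__main__":
    for extra in ("ncp-disable", "cipher BF-CBC", "cipher AES-256-CBC",
                  "data-ciphers-fallback BF-CBC\nauth-nocache"):
        print(extra.replace("\n", " + "), "->", audit(BASE + extra + "\n", "BF-CBC"))
```

Of the four variants, only the last clears the client-side findings; compression and the 64-bit cipher remain because the server dictates them.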
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
Ok, I think I have to live with this issue because I can't change the compression.
What about the other two errors?
Sat May 01 21:02:45 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC'
Sat May 01 21:03:06 2021 Authenticate/Decrypt packet error: cipher final failed
You helped me a lot, sir, many thanks again! I really appreciate this.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
Learn how to configure your server.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Fri Apr 30, 2021 4:36 pm
Re: Can't connect with Windows to OVPN server
I can't change the configuration on the server
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
Then you need a better router.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Sun May 02, 2021 9:47 pm
Re: Can't connect with Windows to OVPN server
Hello,
ask for support, can't get to my openvpn server (this is physically far away)
Many Thanks
Sun May 02 11:34:22 2021 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Sun May 02 11:34:22 2021 Windows version 6.1 (Windows 7) 64bit
Sun May 02 11:34:22 2021 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Sun May 02 11:34:22 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun May 02 11:34:22 2021 Need hold release from management interface, waiting...
Sun May 02 11:34:23 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'state on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'log all on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'echo all on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'bytecount 5'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'hold off'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'hold release'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'password [...]'
Sun May 02 11:34:23 2021 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun May 02 11:34:23 2021 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 02 11:34:23 2021 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun May 02 11:34:23 2021 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 02 11:34:23 2021 MANAGEMENT: >STATE:xxxxx,
Sun May 02 11:34:23 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxx
Sun May 02 11:34:23 2021 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 02 11:34:23 2021 UDP link local: (not bound)
Sun May 02 11:34:23 2021 UDP link remote: [AF_INET]xxxxxxxxx
Sun May 02 11:34:23 2021 MANAGEMENT: >STATE:xxxx
Sun May 02 11:35:23 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 02 11:35:23 2021 TLS Error: TLS handshake failed
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Can't connect with Windows to OVPN server
I need a Ferrari .. it is financially very far away.
Many Thanks
https://github.com/TinCanTech/easy-tls
-
- OpenVpn Newbie
- Posts: 6
- Joined: Sun May 02, 2021 9:47 pm
Re: Can't connect with Windows to OVPN server
thanks,
I don't know where the problem is?
it always worked.
I can't get any further with ping, I just want to know whether my Vpn server is running