[Solved] OpenVPN 2.4.0 use wrong cipher as in config-file

uli3446
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 13, 2017 7:44 am

[Solved] OpenVPN 2.4.0 use wrong cipher as in config-file

Post by uli3446 » Mon Feb 13, 2017 8:19 am

Hi,

I set up a new OpenVPN Server and Client using ca and certificates and tap interface. I've done that several times before with no problems. Now I found a strange behavior on a Windows 10 Client. I use in .ovpn file this line:


cipher AES-256-CBC
But in both log-files (server/Client) I see this:


Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
OpenVPN uses the wrong cipher. If I use a Linux Client (Raspberry pi with Debian Jessie), then the right cipher will be used.

The result is, the tunnel comes up but no communication is possible for the first 30 seconds. After that the tunnel works fine and all the "Outgoing TUN queue full, dropped packet" log entries stop.

The log file on Server side looks like this:


Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_VER=2.4.0
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_PLAT=win
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_PROTO=2
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_NCP=2
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_LZ4=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_LZ4v2=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_LZO=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_COMP_STUB=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_COMP_STUBv2=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 peer info: IV_TCPNL=1
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mon Feb 13 07:58:32 2017 82.198.217.44:50112 [Uli-Firma-Client] Peer Connection Initiated with [AF_INET]82.198.217.44:50112
Mon Feb 13 07:58:32 2017 Uli-Firma-Client/82.198.217.44:50112 OPTIONS IMPORT: reading client specific options from: C:\Program Files\OpenVPN\config\Uli-Firma-Client
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 SENT CONTROL [Uli-Firma-Client]: 'PUSH_REPLY,route-gateway 10.1.1.1,route 192.168.25.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Learn: 00:ff:1f:cc:a3:0c -> Uli-Firma-Client/82.198.217.44:50112
Mon Feb 13 07:58:37 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=42
Mon Feb 13 07:58:38 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=666
Mon Feb 13 07:58:39 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=110
Mon Feb 13 07:58:40 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=92
Mon Feb 13 07:58:41 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=179
Mon Feb 13 07:58:42 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=110
Mon Feb 13 07:58:43 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=92
Mon Feb 13 07:58:44 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=92
Mon Feb 13 07:58:45 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=92
Mon Feb 13 07:58:46 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=66
Mon Feb 13 07:58:47 2017 Uli-Firma-Client/82.198.217.44:50112 MULTI: Outgoing TUN queue full, dropped packet len=66
Before I used the new version I used 2.3.4 with the same configuration and it worked fine. This behavior has occurred since I started using 2.4.0.
Server is a Windows 2008R2 System.

Best regards Uli

Pippin
OpenVPN Expert
Posts: 248
Joined: Wed Jul 01, 2015 8:03 am

Re: OpenVPN 2.4.0 use wrong cipher as in config-file

Post by Pippin » Mon Feb 13, 2017 8:58 am

OpenVPN uses the wrong cipher
NCP override.
If I use a Linux Client (Raspberry pi with Debian Jessie), then the right cipher will be used.
Because the Pi is running an OpenVPN older than 2.4.

See manual, --cipher alg and --ncp-xxxxxx
As of OpenVPN 2.4, cipher negotiation (NCP) can override the cipher specified by --cipher.

uli3446
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 13, 2017 7:44 am

Re: OpenVPN 2.4.0 use wrong cipher as in config-file

Post by uli3446 » Tue Feb 14, 2017 6:44 am

Ok, got it. NCP override works :-). But nevertheless it is strange for me because I set in the server file the cipher AES-256-CBC and it is overridden to AES-256-GCM.
On the other side, what is the reason for the following, given that in my case the "tap" driver is used? (see log below). It ends when I do the first ping from the client side. After that first ping the tunnel is usable. It happens when the client is Windows 10 with OVPN 2.4.0.


Tue Feb 14 06:55:52 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=169
Tue Feb 14 06:55:53 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=169
Tue Feb 14 06:55:55 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=169
Tue Feb 14 06:55:56 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=169
Tue Feb 14 06:55:57 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=169
Tue Feb 14 06:55:58 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=42
Tue Feb 14 06:55:59 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=666
Tue Feb 14 06:56:00 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=110
Tue Feb 14 06:56:01 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=110
Tue Feb 14 06:56:02 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=110
Tue Feb 14 06:56:03 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=1116
Tue Feb 14 06:56:04 2017 Uli-Firma-Client/82.198.217.44:49741 MULTI: Outgoing TUN queue full, dropped packet len=179
regards

Pippin
OpenVPN Expert
Posts: 248
Joined: Wed Jul 01, 2015 8:03 am

Re: OpenVPN 2.4.0 use wrong cipher as in config-file

Post by Pippin » Tue Feb 14, 2017 11:46 am

I set in the server file the cipher AES-256-CBC and it is overridden to AES-256-GCM.
Yes, because AES-GCM is preferred over AES-CBC.
If you want to stop this override behaviour (NCP), you can use --ncp-disable, also see manual 2.4.
https://github.com/OpenVPN/openvpn/blob ... hanges.rst
https://sourceforge.net/p/openvpn/mailman/search/?q=ncp

With regards to "MULTI: Outgoing TUN queue full, dropped packet", I don't know.
I do find some messages but they are over my head ;)

Attach logs/configs of server/client to this thread and then maybe post on users mailing list with link to this thread.
https://lists.sourceforge.net/lists/lis ... nvpn-users
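Both points Pippin makes above can be checked mechanically on a 2.4 server log: the data-channel cipher the log reports is the one NCP negotiated (pushed in PUSH_REPLY to a client that advertised IV_NCP=2), not the --cipher value, while a pre-2.4 client that sends no IV_NCP keeps the configured cipher. The following Python script is an added example, not code from this thread or from the OpenVPN project. The log lines inside it are constructed in the format the thread shows, with RFC 5737 TEST-NET addresses and invented client names; the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the OpenVPN 2.4 server log quoted in the
# thread: a 2.4 client that negotiates, and a 2.3 client that does not.
# Addresses are TEST-NET (RFC 5737) and client names are invented.
SAMPLE_LOG = """\
Mon Feb 13 07:58:32 2017 198.51.100.7:50112 peer info: IV_VER=2.4.0
Mon Feb 13 07:58:32 2017 198.51.100.7:50112 peer info: IV_PLAT=win
Mon Feb 13 07:58:32 2017 198.51.100.7:50112 peer info: IV_NCP=2
Mon Feb 13 07:58:33 2017 win-client/198.51.100.7:50112 SENT CONTROL [win-client]: 'PUSH_REPLY,route-gateway 10.1.1.1,ifconfig 10.1.1.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Mon Feb 13 07:58:33 2017 win-client/198.51.100.7:50112 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 07:58:33 2017 win-client/198.51.100.7:50112 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Mon Feb 13 08:01:10 2017 198.51.100.9:41022 peer info: IV_VER=2.3.4
Mon Feb 13 08:01:10 2017 198.51.100.9:41022 peer info: IV_PLAT=linux
Mon Feb 13 08:01:11 2017 pi-client/198.51.100.9:41022 SENT CONTROL [pi-client]: 'PUSH_REPLY,route-gateway 10.1.1.1,ifconfig 10.1.1.3 255.255.255.0' (status=1)
Mon Feb 13 08:01:11 2017 pi-client/198.51.100.9:41022 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Feb 13 08:01:11 2017 pi-client/198.51.100.9:41022 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
"""

# One server log line: timestamp, optional "commonname/" prefix, addr:port, message.
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
    r"(?:(?P<cn>[^/ ]+)/)?(?P<addr>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
PEER_INFO_RE = re.compile(r"peer info: (IV_\w+)=(\S+)")
PUSH_REPLY_RE = re.compile(r"'PUSH_REPLY,([^']*)'")
DATA_CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)'")


@dataclass
class Session:
    addr: str
    cn: Optional[str] = None
    peer_info: Dict[str, str] = field(default_factory=dict)  # IV_* values the client sent
    pushed_cipher: Optional[str] = None                       # "cipher X" inside PUSH_REPLY
    data_cipher: Optional[str] = None                         # cipher the data channel used


def parse_sessions(lines: List[str]) -> Dict[str, Session]:
    """Group the lines by client addr:port and pull out the negotiation facts."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["addr"], Session(m["addr"]))
        if m["cn"]:
            s.cn = m["cn"]
        msg = m["msg"]
        pi = PEER_INFO_RE.search(msg)
        if pi:
            s.peer_info[pi[1]] = pi[2]
            continue
        pr = PUSH_REPLY_RE.search(msg)
        if pr:
            for opt in pr[1].split(","):
                if opt.startswith("cipher "):
                    s.pushed_cipher = opt.split(" ", 1)[1]
            continue
        dc = DATA_CIPHER_RE.search(msg)
        if dc:
            s.data_cipher = dc[1]
    return sessions


def classify(session: Session, configured_cipher: str) -> str:
    """Explain the data-channel cipher of one session relative to --cipher.

    Verdicts (labels are this example's own):
      as-configured   data channel uses the --cipher value
      ncp-negotiated  client sent IV_NCP=2 and uses the cipher the server pushed
      unexpected      cipher matches neither; worth a closer look
      unknown         no 'Data Channel' line seen for this session yet
    """
    if session.data_cipher is None:
        return "unknown"
    if session.data_cipher == configured_cipher:
        return "as-configured"
    if session.peer_info.get("IV_NCP") == "2" and session.pushed_cipher == session.data_cipher:
        return "ncp-negotiated"
    return "unexpected"


def audit(log_text: str, configured_cipher: str) -> Dict[str, dict]:
    """Return, per session, the client version, the cipher in use and the verdict."""
    result = {}
    for addr, s in parse_sessions(log_text.splitlines()).items():
        result[addr] = {
            "cn": s.cn,
            "client_version": s.peer_info.get("IV_VER"),
            "data_cipher": s.data_cipher,
            "verdict": classify(s, configured_cipher),
        }
    return result


if __name__ == "__main__":
    for addr, info in audit(SAMPLE_LOG, "AES-256-CBC").items():
        print(f"{addr} ({info['cn']}, client {info['client_version']}): "
              f"{info['data_cipher']} -> {info['verdict']}")
```

Run against the constructed sample with `cipher AES-256-CBC` as the configured value, the Windows 2.4 session comes out as "ncp-negotiated" and the 2.3.4 session as "as-configured", which is exactly the split the thread describes. From a defender's view the negotiated AES-256-GCM is the stronger outcome (the thread itself notes GCM is preferred over CBC), so "ncp-negotiated" is the expected verdict on a healthy 2.4 setup; "unexpected" is the one to investigate, since it means the data channel is using a cipher that was neither configured nor pushed. If the server ran with --ncp-disable, 2.4 clients would also report "as-configured".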

uli3446
OpenVpn Newbie
Posts: 3
Joined: Mon Feb 13, 2017 7:44 am

Re: OpenVPN 2.4.0 use wrong cipher as in config-file

Post by uli3446 » Tue Feb 14, 2017 2:13 pm

Thank you Pippin. I've read the man pages and now it is clear. :-)
I find also this in the sample .ovpn file section:
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.


The problems with the tap interface and "MULTI: Outgoing TUN queue full": I remember some problems with a very old version of OpenVPN with the same symptom. Last night I switched the tunnel to a tun interface and now it works fine. The tap configuration was useful some time ago but now I can also use tun. The server is a Windows 2008R2 and the clients are Raspberry pi and Windows 10. In the near future I'll change the server to Windows Server 2016. If I still have problems with the tap interface then, I'll come back.

I think somebody can set this thread to solved... :-)
