OpenVPN ncp-ciphers not working

claude
OpenVpn Newbie
Posts: 9
Joined: Wed Sep 08, 2021 6:49 pm

OpenVPN ncp-ciphers not working

Post by claude » Wed Sep 08, 2021 7:12 pm

Hello,

I have an OpenVPN 2.5 server set up. I need 2.4 & 2.5 clients to work against this server and am having trouble getting it to work.

I have read documentation from the following links about this:
https://openvpn.net/vpn-server-resource ... ss-server/
https://community.openvpn.net/openvpn/w ... egotiation
https://github.com/OpenVPN/openvpn/blob ... iation.rst
https://community.openvpn.net/openvpn/w ... tedOptions

From what I understand, if I specify the following on the server, a 2.4 & a 2.5 client should work.

ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
cipher AES-256-GCM

However, when I try to connect a 2.4 client, it fails w/ the following messages. Also tried w/ data-ciphers instead of ncp-ciphers as I read that is what's used in 2.5 but it didn't make a difference.

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-GCM'
WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
AUTH: Received control message: AUTH_FAILED

If I remove the cipher from the server, the 2.4 client will connect but then the 2.5 client fails w/ following messages:

--cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
AUTH: Received control message: AUTH_FAILED

I tried other combinations as well and have not been able to find anything that works on a 2.5 server w/ a 2.4 & 2.5 client.

The documentation here https://community.openvpn.net/openvpn/w ... tedOptions states the following:

"With the OpenVPN v2.4 release a new feature was introduced, Negotiable Crypto Parameters (NCP). This allows users to seamlessly migrate away from deprecated ciphers without much extra work. If both client and server runs OpenVPN v2.4 without NCP being disabled (--ncp-disable), the tunnel will automatically be upgraded to AES-256-GCM. If the environment also uses clients older than OpenVPN v2.4, the server can deploy"

However, I tested this w/ a 2.4 server and client without --ncp-disable and the default used was BF-CBC, not AES-256-GCM.

What configuration do I need on the 2.5 server to work w/ a 2.4 & 2.5 client? I'm ok with updating whatever is needed in the 2.5 configuration but I should not have to update the configuration on 2.4 as I read that until those clients get upgraded, they should be able to work w/ the default that was set which is BF-CBC.

Any help is greatly appreciated.


Thanks

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Wed Sep 08, 2021 8:07 pm

claude wrote (Wed Sep 08, 2021 7:12 pm):
"Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration"

Do that ..


Re: OpenVPN ncp-ciphers not working

Post by claude » Thu Sep 09, 2021 1:47 pm

Thanks for your reply, I receive the same error after adding --data-ciphers-fallback BF-CBC to the server configuration.

--cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.


Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Thu Sep 09, 2021 1:57 pm

claude wrote (Thu Sep 09, 2021 1:47 pm):
"and/or add BF-CBC to --data-ciphers"

Try that ..


Re: OpenVPN ncp-ciphers not working

Post by claude » Thu Sep 09, 2021 3:04 pm

I currently have the following set in the server config:
data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
data-ciphers-fallback BF-CBC

and get the message

--cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

If I add the following to the server config it will work:
cipher AES-256-GCM

However, the 2.4 client will then not work using the above configuration. It will fail w/ the following messages:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-GCM'
WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
AUTH: Received control message: AUTH_FAILED


Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Thu Sep 09, 2021 3:18 pm

claude wrote (Thu Sep 09, 2021 3:04 pm):
"AUTH: Received control message: AUTH_FAILED"

This is a completely different error.


Re: OpenVPN ncp-ciphers not working

Post by claude » Thu Sep 09, 2021 3:21 pm

Aren't the warning messages the reason for the auth failed? If I remove specifying the cipher on the server, the 2.4 client works. That tells me that the auth_failed message is the result of the cipher inconsistently message.


Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Thu Sep 09, 2021 3:27 pm

Please post your server log at --verb 4


Re: OpenVPN ncp-ciphers not working

Post by claude » Thu Sep 09, 2021 5:09 pm

Following is in the server config:
data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC
data-ciphers-fallback BF-CBC
cipher AES-256-GCM

Below is log from the client:
Thu Sep 09 09:52:08 2021 us=629033 Current Parameter Settings:
Thu Sep 09 09:52:08 2021 us=629033 config = 'C:\Program Files\OpenVPN\config\config.ovpn'
Thu Sep 09 09:52:08 2021 us=629033 mode = 0
Thu Sep 09 09:52:08 2021 us=629033 show_ciphers = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 show_digests = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 show_engines = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 genkey = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 key_pass_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 show_tls_ciphers = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 connect_retry_max = 0
Thu Sep 09 09:52:08 2021 us=629033 Connection profiles [0]:
Thu Sep 09 09:52:08 2021 us=629033 proto = udp
Thu Sep 09 09:52:08 2021 us=629033 local = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 local_port = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 remote = '<server>'
Thu Sep 09 09:52:08 2021 us=629033 remote_port = '1194'
Thu Sep 09 09:52:08 2021 us=629033 remote_float = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 bind_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 bind_local = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 bind_ipv6_only = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 connect_retry_seconds = 5
Thu Sep 09 09:52:08 2021 us=629033 connect_timeout = 25
Thu Sep 09 09:52:08 2021 us=629033 socks_proxy_server = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 socks_proxy_port = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 tun_mtu = 1500
Thu Sep 09 09:52:08 2021 us=629033 tun_mtu_defined = ENABLED
Thu Sep 09 09:52:08 2021 us=629033 link_mtu = 1500
Thu Sep 09 09:52:08 2021 us=629033 link_mtu_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 tun_mtu_extra = 0
Thu Sep 09 09:52:08 2021 us=629033 tun_mtu_extra_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 mtu_discover_type = -1
Thu Sep 09 09:52:08 2021 us=629033 fragment = 0
Thu Sep 09 09:52:08 2021 us=629033 mssfix = 1450
Thu Sep 09 09:52:08 2021 us=629033 explicit_exit_notification = 0
Thu Sep 09 09:52:08 2021 us=629033 Connection profiles END
Thu Sep 09 09:52:08 2021 us=629033 remote_random = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 ipchange = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 dev = 'tun'
Thu Sep 09 09:52:08 2021 us=629033 dev_type = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 dev_node = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 lladdr = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 topology = 1
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_local = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_remote_netmask = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_noexec = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_nowarn = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_ipv6_local = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_ipv6_netbits = 0
Thu Sep 09 09:52:08 2021 us=629033 ifconfig_ipv6_remote = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 shaper = 0
Thu Sep 09 09:52:08 2021 us=629033 mtu_test = 0
Thu Sep 09 09:52:08 2021 us=629033 mlock = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 keepalive_ping = 0
Thu Sep 09 09:52:08 2021 us=629033 keepalive_timeout = 0
Thu Sep 09 09:52:08 2021 us=629033 inactivity_timeout = 0
Thu Sep 09 09:52:08 2021 us=629033 ping_send_timeout = 0
Thu Sep 09 09:52:08 2021 us=629033 ping_rec_timeout = 0
Thu Sep 09 09:52:08 2021 us=629033 ping_rec_timeout_action = 0
Thu Sep 09 09:52:08 2021 us=629033 ping_timer_remote = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 remap_sigusr1 = 0
Thu Sep 09 09:52:08 2021 us=629033 persist_tun = ENABLED
Thu Sep 09 09:52:08 2021 us=629033 persist_local_ip = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 persist_remote_ip = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 persist_key = ENABLED
Thu Sep 09 09:52:08 2021 us=629033 passtos = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 resolve_retry_seconds = 1000000000
Thu Sep 09 09:52:08 2021 us=629033 resolve_in_advance = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 username = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 groupname = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 chroot_dir = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 cd_dir = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 writepid = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 up_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 down_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 down_pre = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 up_restart = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 up_delay = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 daemon = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 inetd = 0
Thu Sep 09 09:52:08 2021 us=629033 log = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 suppress_timestamps = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 machine_readable_output = DISABLED
Thu Sep 09 09:52:08 2021 us=629033 nice = 0
Thu Sep 09 09:52:08 2021 us=629033 verbosity = 4
Thu Sep 09 09:52:08 2021 us=629033 mute = 0
Thu Sep 09 09:52:08 2021 us=629033 gremlin = 0
Thu Sep 09 09:52:08 2021 us=629033 status_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=629033 status_file_version = 1
Thu Sep 09 09:52:08 2021 us=629033 status_file_update_freq = 60
Thu Sep 09 09:52:08 2021 us=629033 occ = ENABLED
Thu Sep 09 09:52:08 2021 us=629033 rcvbuf = 0
Thu Sep 09 09:52:08 2021 us=629033 sndbuf = 0
Thu Sep 09 09:52:08 2021 us=629033 sockflags = 0
Thu Sep 09 09:52:08 2021 us=644942 fast_io = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 comp.alg = 0
Thu Sep 09 09:52:08 2021 us=644942 comp.flags = 0
Thu Sep 09 09:52:08 2021 us=644942 route_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 route_default_gateway = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 route_default_metric = 0
Thu Sep 09 09:52:08 2021 us=644942 route_noexec = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 route_delay = 5
Thu Sep 09 09:52:08 2021 us=644942 route_delay_window = 30
Thu Sep 09 09:52:08 2021 us=644942 route_delay_defined = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 route_nopull = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 route_gateway_via_dhcp = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 allow_pull_fqdn = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 management_addr = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_port = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_user_pass = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_log_history_cache = 250
Thu Sep 09 09:52:08 2021 us=644942 management_echo_buffer_size = 100
Thu Sep 09 09:52:08 2021 us=644942 management_write_peer_info_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_client_user = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_client_group = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 management_flags = 0
Thu Sep 09 09:52:08 2021 us=644942 shared_secret_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 key_direction = 1
Thu Sep 09 09:52:08 2021 us=644942 ciphername = 'BF-CBC'
Thu Sep 09 09:52:08 2021 us=644942 ncp_enabled = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Thu Sep 09 09:52:08 2021 us=644942 authname = 'SHA1'
Thu Sep 09 09:52:08 2021 us=644942 prng_hash = 'SHA1'
Thu Sep 09 09:52:08 2021 us=644942 prng_nonce_secret_len = 16
Thu Sep 09 09:52:08 2021 us=644942 keysize = 0
Thu Sep 09 09:52:08 2021 us=644942 engine = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 replay = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 mute_replay_warnings = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 replay_window = 64
Thu Sep 09 09:52:08 2021 us=644942 replay_time = 15
Thu Sep 09 09:52:08 2021 us=644942 packet_id_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 use_iv = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 test_crypto = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 tls_server = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 tls_client = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 key_method = 2
Thu Sep 09 09:52:08 2021 us=644942 ca_file = 'ca.crt'
Thu Sep 09 09:52:08 2021 us=644942 ca_path = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 dh_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 cert_file = 'client.crt'
Thu Sep 09 09:52:08 2021 us=644942 extra_certs_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 priv_key_file = 'client.key'
Thu Sep 09 09:52:08 2021 us=644942 pkcs12_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 cryptoapi_cert = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 cipher_list = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 cipher_list_tls13 = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 tls_cert_profile = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 tls_verify = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 tls_export_cert = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 verify_x509_type = 3
Thu Sep 09 09:52:08 2021 us=644942 verify_x509_name = 'Server-'
Thu Sep 09 09:52:08 2021 us=644942 crl_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 ns_cert_type = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_ku[i] = 0
Thu Sep 09 09:52:08 2021 us=644942 remote_cert_eku = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 ssl_flags = 0
Thu Sep 09 09:52:08 2021 us=644942 tls_timeout = 2
Thu Sep 09 09:52:08 2021 us=644942 renegotiate_bytes = -1
Thu Sep 09 09:52:08 2021 us=644942 renegotiate_packets = 0
Thu Sep 09 09:52:08 2021 us=644942 renegotiate_seconds = 3600
Thu Sep 09 09:52:08 2021 us=644942 handshake_window = 120
Thu Sep 09 09:52:08 2021 us=644942 transition_window = 3600
Thu Sep 09 09:52:08 2021 us=644942 single_session = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 push_peer_info = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 tls_exit = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 tls_auth_file = 'ta.key'
Thu Sep 09 09:52:08 2021 us=644942 tls_crypt_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_protected_authentication = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_private_mode = 00000000
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_cert_private = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_pin_cache_period = -1
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_id = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 pkcs11_id_management = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 server_network = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 server_netmask = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 server_network_ipv6 = ::
Thu Sep 09 09:52:08 2021 us=644942 server_netbits_ipv6 = 0
Thu Sep 09 09:52:08 2021 us=644942 server_bridge_ip = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 server_bridge_netmask = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 server_bridge_pool_start = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 server_bridge_pool_end = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_start = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_end = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_netmask = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_persist_filename = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_pool_persist_refresh_freq = 600
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_ipv6_pool_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_ipv6_pool_base = ::
Thu Sep 09 09:52:08 2021 us=644942 ifconfig_ipv6_pool_netbits = 0
Thu Sep 09 09:52:08 2021 us=644942 n_bcast_buf = 256
Thu Sep 09 09:52:08 2021 us=644942 tcp_queue_limit = 64
Thu Sep 09 09:52:08 2021 us=644942 real_hash_size = 256
Thu Sep 09 09:52:08 2021 us=644942 virtual_hash_size = 256
Thu Sep 09 09:52:08 2021 us=644942 client_connect_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 learn_address_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 client_disconnect_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 client_config_dir = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 ccd_exclusive = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 tmp_dir = 'C:\Windows\TEMP\'
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_local = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_remote_netmask = 0.0.0.0
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_ipv6_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_ipv6_local = ::/0
Thu Sep 09 09:52:08 2021 us=644942 push_ifconfig_ipv6_remote = ::
Thu Sep 09 09:52:08 2021 us=644942 enable_c2c = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 duplicate_cn = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 cf_max = 0
Thu Sep 09 09:52:08 2021 us=644942 cf_per = 0
Thu Sep 09 09:52:08 2021 us=644942 max_clients = 1024
Thu Sep 09 09:52:08 2021 us=644942 max_routes_per_client = 256
Thu Sep 09 09:52:08 2021 us=644942 auth_user_pass_verify_script = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 auth_user_pass_verify_script_via_file = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 auth_token_generate = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 auth_token_lifetime = 0
Thu Sep 09 09:52:08 2021 us=644942 client = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 pull = ENABLED
Thu Sep 09 09:52:08 2021 us=644942 auth_user_pass_file = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 show_net_up = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 route_method = 0
Thu Sep 09 09:52:08 2021 us=644942 block_outside_dns = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 ip_win32_defined = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 ip_win32_type = 3
Thu Sep 09 09:52:08 2021 us=644942 dhcp_masq_offset = 0
Thu Sep 09 09:52:08 2021 us=644942 dhcp_lease_time = 31536000
Thu Sep 09 09:52:08 2021 us=644942 tap_sleep = 0
Thu Sep 09 09:52:08 2021 us=644942 dhcp_options = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 dhcp_renew = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 dhcp_pre_release = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 domain = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 netbios_scope = '[UNDEF]'
Thu Sep 09 09:52:08 2021 us=644942 netbios_node_type = 0
Thu Sep 09 09:52:08 2021 us=644942 disable_nbt = DISABLED
Thu Sep 09 09:52:08 2021 us=644942 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2020
Thu Sep 09 09:52:08 2021 us=644942 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Sep 09 09:52:08 2021 us=644942 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Thu Sep 09 09:52:08 2021 us=660262 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 09 09:52:08 2021 us=660262 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 09 09:52:08 2021 us=660262 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Thu Sep 09 09:52:08 2021 us=769381 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Thu Sep 09 09:52:08 2021 us=769381 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu Sep 09 09:52:08 2021 us=769381 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu Sep 09 09:52:08 2021 us=769381 TCP/UDP: Preserving recently used remote address: [AF_INET]<server-ip>:1194
Thu Sep 09 09:52:08 2021 us=769381 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Sep 09 09:52:08 2021 us=769381 UDP link local: (not bound)
Thu Sep 09 09:52:08 2021 us=769381 UDP link remote: [AF_INET]<server-ip>:1194
Thu Sep 09 09:52:08 2021 us=816336 TLS: Initial packet from [AF_INET]<server-ip>:1194, sid=94431b51 8f7692ff
Thu Sep 09 09:52:08 2021 us=863689 VERIFY OK: depth=1, C=US, ST=MI, O=<company-name>, LLC, OU=Production, CN=<company-name>
Thu Sep 09 09:52:08 2021 us=863689 VERIFY X509NAME OK: CN=Server-i-<instance-id>, C=US, O=<company-name>
Thu Sep 09 09:52:08 2021 us=863689 VERIFY OK: depth=0, CN=Server-i-<instance-id>, C=US, O=<company-name>
Thu Sep 09 09:52:08 2021 us=909714 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
Thu Sep 09 09:52:08 2021 us=909714 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-GCM'
Thu Sep 09 09:52:08 2021 us=909714 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
Thu Sep 09 09:52:08 2021 us=909714 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Thu Sep 09 09:52:08 2021 us=909714 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Thu Sep 09 09:52:08 2021 us=909714 [Server-i-<instance-id>] Peer Connection Initiated with [AF_INET]<server-ip>:1194
Thu Sep 09 09:52:09 2021 us=957380 SENT CONTROL [Server-i-<instance-id>]: 'PUSH_REQUEST' (status=1)
Thu Sep 09 09:52:10 2021 us=3886 AUTH: Received control message: AUTH_FAILED
Thu Sep 09 09:52:10 2021 us=3886 TCP/UDP: Closing socket
Thu Sep 09 09:52:10 2021 us=3886 SIGTERM[soft,auth-failure] received, process exiting
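
Added example, not part of the thread: a Python sketch that pulls the cipher settings and option-consistency warnings out of the client log posted above and runs them through a simplified model of how a 2.5 server picks a data-channel cipher from `data-ciphers` and `data-ciphers-fallback`. The selection rules, the function names and the `SMALL_BLOCK` set are assumptions of this example, not OpenVPN code.

```python
import re

# Lines copied from the client log in the post above (timestamps trimmed).
SAMPLE_CLIENT_LOG = """\
ciphername = 'BF-CBC'
ncp_enabled = ENABLED
ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1549'
WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-GCM'
WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
AUTH: Received control message: AUTH_FAILED
"""

# Ciphers with a 64-bit block size (assumption of this example: these are
# the ones an audit should flag when they are offered or selected).
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

SETTING_RE = re.compile(r"\b(ciphername|ncp_enabled|ncp_ciphers) = '?([^'\n]+)'?")
OCC_RE = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'"
)


def parse_client_log(text):
    """Extract cipher settings, options-string mismatches and AUTH_FAILED."""
    settings = {name: value.strip() for name, value in SETTING_RE.findall(text)}
    mismatches = {}
    for opt, local, remote in OCC_RE.findall(text):
        # Each side repeats the option name ("cipher BF-CBC"); keep the argument.
        mismatches[opt] = (local.split(" ", 1)[-1], remote.split(" ", 1)[-1])
    ncp_on = settings.get("ncp_enabled") == "ENABLED"
    ncp = settings.get("ncp_ciphers", "").split(":") if ncp_on else []
    return {
        "cipher": settings.get("ciphername"),
        "ncp_ciphers": [c for c in ncp if c],
        "occ_mismatches": mismatches,
        "auth_failed": "AUTH_FAILED" in text,
    }


def select_data_cipher(data_ciphers, fallback, client):
    """Simplified model of server-side selection (assumed rules):
    1. client negotiates: first entry of data-ciphers the client also lists;
    2. client does not negotiate: its --cipher if listed in data-ciphers;
    3. otherwise data-ciphers-fallback, which only works if the client's
       --cipher happens to be the same algorithm."""
    server = data_ciphers.split(":")
    if client["ncp_ciphers"]:
        for candidate in server:
            if candidate in client["ncp_ciphers"]:
                return candidate, "negotiated"
        return None, "no shared cipher"
    if client["cipher"] in server:
        return client["cipher"], "client --cipher is in data-ciphers"
    if fallback:
        return fallback, "data-ciphers-fallback"
    return None, "no shared cipher"


def audit(log_text, data_ciphers, fallback=None):
    """Combine the parsed client log with the server's cipher directives."""
    client = parse_client_log(log_text)
    chosen, reason = select_data_cipher(data_ciphers, fallback, client)
    offered = set(data_ciphers.split(":")) | ({fallback} if fallback else set())
    return {
        "client": client,
        "selected": chosen,
        "reason": reason,
        "small_block_offered": sorted(offered & SMALL_BLOCK),
        "small_block_selected": chosen in SMALL_BLOCK,
    }


if __name__ == "__main__":
    # Server directives as posted in the thread.
    result = audit(
        SAMPLE_CLIENT_LOG,
        "AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC",
        "BF-CBC",
    )
    for option, (local, remote) in result["client"]["occ_mismatches"].items():
        print(f"options string differs: {option}: local={local} remote={remote}")
    print("model selects:", result["selected"], f"({result['reason']})")
    print("64-bit block ciphers still offered:", result["small_block_offered"])
    print("AUTH_FAILED seen:", result["client"]["auth_failed"])
```

The mismatch warnings compare the two sides' static options strings, so the model's selected cipher can differ from the `cipher` value shown in them.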


Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Thu Sep 09, 2021 6:39 pm

TinCanTech wrote (Thu Sep 09, 2021 3:27 pm):
"Please post your server log at --verb 4"

claude wrote (Thu Sep 09, 2021 5:09 pm):
"Below is log from the client:"

genius ..


Re: OpenVPN ncp-ciphers not working

Post by claude » Fri Sep 10, 2021 12:04 am

server.log

2021-09-09 23:54:18 us=100693 Current Parameter Settings:
2021-09-09 23:54:18 us=100817 config = '/usr/local/etc/openvpn/openvpn.conf'
2021-09-09 23:54:18 us=100832 mode = 1
2021-09-09 23:54:18 us=100846 show_ciphers = DISABLED
2021-09-09 23:54:18 us=100861 show_digests = DISABLED
2021-09-09 23:54:18 us=100875 show_engines = DISABLED
2021-09-09 23:54:18 us=100892 genkey = DISABLED
2021-09-09 23:54:18 us=100907 genkey_filename = '[UNDEF]'
2021-09-09 23:54:18 us=100921 key_pass_file = '[UNDEF]'
2021-09-09 23:54:18 us=100935 show_tls_ciphers = DISABLED
2021-09-09 23:54:18 us=100949 connect_retry_max = 0
2021-09-09 23:54:18 us=100963 Connection profiles [0]:
2021-09-09 23:54:18 us=100978 proto = udp
2021-09-09 23:54:18 us=100992 local = '[UNDEF]'
2021-09-09 23:54:18 us=101006 local_port = '1194'
2021-09-09 23:54:18 us=101020 remote = '[UNDEF]'
2021-09-09 23:54:18 us=101034 remote_port = '1194'
2021-09-09 23:54:18 us=101048 remote_float = DISABLED
2021-09-09 23:54:18 us=101062 bind_defined = DISABLED
2021-09-09 23:54:18 us=101076 bind_local = ENABLED
2021-09-09 23:54:18 us=101090 bind_ipv6_only = DISABLED
2021-09-09 23:54:18 us=101104 connect_retry_seconds = 5
2021-09-09 23:54:18 us=101118 connect_timeout = 120
2021-09-09 23:54:18 us=101132 socks_proxy_server = '[UNDEF]'
2021-09-09 23:54:18 us=101146 socks_proxy_port = '[UNDEF]'
2021-09-09 23:54:18 us=101160 tun_mtu = 1500
2021-09-09 23:54:18 us=101174 tun_mtu_defined = ENABLED
2021-09-09 23:54:18 us=101188 link_mtu = 1500
2021-09-09 23:54:18 us=101202 link_mtu_defined = DISABLED
2021-09-09 23:54:18 us=101216 tun_mtu_extra = 0
2021-09-09 23:54:18 us=101230 tun_mtu_extra_defined = DISABLED
2021-09-09 23:54:18 us=101244 mtu_discover_type = -1
2021-09-09 23:54:18 us=101258 fragment = 0
2021-09-09 23:54:18 us=101272 mssfix = 1450
2021-09-09 23:54:18 us=101286 explicit_exit_notification = 0
2021-09-09 23:54:18 us=101300 tls_auth_file = '[INLINE]'
2021-09-09 23:54:18 us=101315 key_direction = 0
2021-09-09 23:54:18 us=101329 tls_crypt_file = '[UNDEF]'
2021-09-09 23:54:18 us=101343 tls_crypt_v2_file = '[UNDEF]'
2021-09-09 23:54:18 us=101357 Connection profiles END
2021-09-09 23:54:18 us=101370 remote_random = DISABLED
2021-09-09 23:54:18 us=101384 ipchange = '[UNDEF]'
2021-09-09 23:54:18 us=101398 dev = 'tun'
2021-09-09 23:54:18 us=101413 dev_type = '[UNDEF]'
2021-09-09 23:54:18 us=101427 dev_node = '[UNDEF]'
2021-09-09 23:54:18 us=101440 lladdr = '[UNDEF]'
2021-09-09 23:54:18 us=101454 topology = 3
2021-09-09 23:54:18 us=101469 ifconfig_local = '10.214.43.1'
2021-09-09 23:54:18 us=101483 ifconfig_remote_netmask = '255.255.255.0'
2021-09-09 23:54:18 us=101497 ifconfig_noexec = DISABLED
2021-09-09 23:54:18 us=101511 ifconfig_nowarn = DISABLED
2021-09-09 23:54:18 us=101525 ifconfig_ipv6_local = '[UNDEF]'
2021-09-09 23:54:18 us=101539 ifconfig_ipv6_netbits = 0
2021-09-09 23:54:18 us=101553 ifconfig_ipv6_remote = '[UNDEF]'
2021-09-09 23:54:18 us=101567 shaper = 0
2021-09-09 23:54:18 us=101581 mtu_test = 0
2021-09-09 23:54:18 us=101595 mlock = DISABLED
2021-09-09 23:54:18 us=101609 keepalive_ping = 5
2021-09-09 23:54:18 us=101623 keepalive_timeout = 120
2021-09-09 23:54:18 us=101637 inactivity_timeout = 0
2021-09-09 23:54:18 us=101650 ping_send_timeout = 5
2021-09-09 23:54:18 us=101664 ping_rec_timeout = 240
2021-09-09 23:54:18 us=101678 ping_rec_timeout_action = 2
2021-09-09 23:54:18 us=101692 ping_timer_remote = DISABLED
2021-09-09 23:54:18 us=101706 remap_sigusr1 = 0
2021-09-09 23:54:18 us=101720 persist_tun = ENABLED
2021-09-09 23:54:18 us=101734 persist_local_ip = DISABLED
2021-09-09 23:54:18 us=101748 persist_remote_ip = DISABLED
2021-09-09 23:54:18 us=101762 persist_key = ENABLED
2021-09-09 23:54:18 us=101776 passtos = DISABLED
2021-09-09 23:54:18 us=101877 resolve_retry_seconds = 1000000000
2021-09-09 23:54:18 us=101895 resolve_in_advance = DISABLED
2021-09-09 23:54:18 us=101909 username = 'nobody'
2021-09-09 23:54:18 us=101923 groupname = 'nogroup'
2021-09-09 23:54:18 us=101945 chroot_dir = '[UNDEF]'
2021-09-09 23:54:18 us=101960 cd_dir = '/usr/local/etc/openvpn'
2021-09-09 23:54:18 us=101974 writepid = '/var/run/openvpn.pid'
2021-09-09 23:54:18 us=101988 up_script = '[UNDEF]'
2021-09-09 23:54:18 us=102002 down_script = '[UNDEF]'
2021-09-09 23:54:18 us=102016 down_pre = DISABLED
2021-09-09 23:54:18 us=102030 up_restart = DISABLED
2021-09-09 23:54:18 us=102044 up_delay = DISABLED
2021-09-09 23:54:18 us=102058 daemon = ENABLED
2021-09-09 23:54:18 us=102072 inetd = 0
2021-09-09 23:54:18 us=102086 log = ENABLED
2021-09-09 23:54:18 us=102100 suppress_timestamps = DISABLED
2021-09-09 23:54:18 us=102114 machine_readable_output = DISABLED
2021-09-09 23:54:18 us=102128 nice = 0
2021-09-09 23:54:18 us=102141 verbosity = 4
2021-09-09 23:54:18 us=102155 mute = 0
2021-09-09 23:54:18 us=102169 gremlin = 0
2021-09-09 23:54:18 us=102183 status_file = '/var/run/openvpn.status'
2021-09-09 23:54:18 us=102197 status_file_version = 2
2021-09-09 23:54:18 us=102211 status_file_update_freq = 60
2021-09-09 23:54:18 us=102225 occ = ENABLED
2021-09-09 23:54:18 us=102239 rcvbuf = 0
2021-09-09 23:54:18 us=102253 sndbuf = 0
2021-09-09 23:54:18 us=102267 sockflags = 0
2021-09-09 23:54:18 us=102280 fast_io = ENABLED
2021-09-09 23:54:18 us=102294 comp.alg = 0
2021-09-09 23:54:18 us=102308 comp.flags = 0
2021-09-09 23:54:18 us=102322 route_script = '[UNDEF]'
2021-09-09 23:54:18 us=102336 route_default_gateway = '10.214.43.2'
2021-09-09 23:54:18 us=102350 route_default_metric = 0
2021-09-09 23:54:18 us=102364 route_noexec = DISABLED
2021-09-09 23:54:18 us=102378 route_delay = 0
2021-09-09 23:54:18 us=102392 route_delay_window = 30
2021-09-09 23:54:18 us=102406 route_delay_defined = DISABLED
2021-09-09 23:54:18 us=102420 route_nopull = DISABLED
2021-09-09 23:54:18 us=102434 route_gateway_via_dhcp = DISABLED
2021-09-09 23:54:18 us=102448 allow_pull_fqdn = DISABLED
2021-09-09 23:54:18 us=102462 management_addr = '[UNDEF]'
2021-09-09 23:54:18 us=102476 management_port = '[UNDEF]'
2021-09-09 23:54:18 us=102490 management_user_pass = '[UNDEF]'
2021-09-09 23:54:18 us=102504 management_log_history_cache = 250
2021-09-09 23:54:18 us=102518 management_echo_buffer_size = 100
2021-09-09 23:54:18 us=102532 management_write_peer_info_file = '[UNDEF]'
2021-09-09 23:54:18 us=102545 management_client_user = '[UNDEF]'
2021-09-09 23:54:18 us=102559 management_client_group = '[UNDEF]'
2021-09-09 23:54:18 us=102574 management_flags = 0
2021-09-09 23:54:18 us=102588 shared_secret_file = '[UNDEF]'
2021-09-09 23:54:18 us=102602 key_direction = 0
2021-09-09 23:54:18 us=102616 ciphername = 'AES-256-GCM'
2021-09-09 23:54:18 us=102629 ncp_enabled = ENABLED
2021-09-09 23:54:18 us=102644 ncp_ciphers = 'AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC'
2021-09-09 23:54:18 us=102658 authname = 'SHA1'
2021-09-09 23:54:18 us=102672 prng_hash = 'SHA1'
2021-09-09 23:54:18 us=102686 prng_nonce_secret_len = 16
2021-09-09 23:54:18 us=102699 keysize = 0
2021-09-09 23:54:18 us=102713 engine = DISABLED
2021-09-09 23:54:18 us=102727 replay = ENABLED
2021-09-09 23:54:18 us=102741 mute_replay_warnings = DISABLED
2021-09-09 23:54:18 us=102755 replay_window = 64
2021-09-09 23:54:18 us=102769 replay_time = 15
2021-09-09 23:54:18 us=102783 packet_id_file = '[UNDEF]'
2021-09-09 23:54:18 us=102797 test_crypto = DISABLED
2021-09-09 23:54:18 us=102811 tls_server = ENABLED
2021-09-09 23:54:18 us=102825 tls_client = DISABLED
2021-09-09 23:54:18 us=102839 ca_file = './ca.crt'
2021-09-09 23:54:18 us=102853 ca_path = '[UNDEF]'
2021-09-09 23:54:18 us=102867 dh_file = 'dh1024.pem'
2021-09-09 23:54:18 us=102880 cert_file = 'openvpn.crt'
2021-09-09 23:54:18 us=102894 extra_certs_file = '[UNDEF]'
2021-09-09 23:54:18 us=102909 priv_key_file = 'openvpn.key'
2021-09-09 23:54:18 us=102923 pkcs12_file = '[UNDEF]'
2021-09-09 23:54:18 us=102936 cipher_list = '[UNDEF]'
2021-09-09 23:54:18 us=102950 cipher_list_tls13 = '[UNDEF]'
2021-09-09 23:54:18 us=102967 tls_cert_profile = '[UNDEF]'
2021-09-09 23:54:18 us=102981 tls_verify = '[UNDEF]'
2021-09-09 23:54:18 us=102995 tls_export_cert = '[UNDEF]'
2021-09-09 23:54:18 us=103008 verify_x509_type = 0
2021-09-09 23:54:18 us=103022 verify_x509_name = '[UNDEF]'
2021-09-09 23:54:18 us=103036 crl_file = '[UNDEF]'
2021-09-09 23:54:18 us=103050 ns_cert_type = 0
2021-09-09 23:54:18 us=103064 remote_cert_ku = 0
2021-09-09 23:54:18 us=103078 remote_cert_ku = 0
2021-09-09 23:54:18 us=103092 remote_cert_ku = 0
2021-09-09 23:54:18 us=103105 remote_cert_ku = 0
2021-09-09 23:54:18 us=103119 remote_cert_ku = 0
2021-09-09 23:54:18 us=103133 remote_cert_ku = 0
2021-09-09 23:54:18 us=103147 remote_cert_ku = 0
2021-09-09 23:54:18 us=103161 remote_cert_ku = 0
2021-09-09 23:54:18 us=103174 remote_cert_ku = 0
2021-09-09 23:54:18 us=103188 remote_cert_ku = 0
2021-09-09 23:54:18 us=103202 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103216 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103230 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103243 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103257 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103271 remote_cert_ku[i] = 0
2021-09-09 23:54:18 us=103285 remote_cert_eku = '[UNDEF]'
2021-09-09 23:54:18 us=103299 ssl_flags = 16
2021-09-09 23:54:18 us=103458 tls_timeout = 2
2021-09-09 23:54:18 us=103476 renegotiate_bytes = -1
2021-09-09 23:54:18 us=103491 renegotiate_packets = 0
2021-09-09 23:54:18 us=103505 renegotiate_seconds = 3600
2021-09-09 23:54:18 us=103519 handshake_window = 120
2021-09-09 23:54:18 us=103533 transition_window = 3600
2021-09-09 23:54:18 us=103547 single_session = DISABLED
2021-09-09 23:54:18 us=103561 push_peer_info = DISABLED
2021-09-09 23:54:18 us=103575 tls_exit = DISABLED
2021-09-09 23:54:18 us=103589 tls_crypt_v2_metadata = '[UNDEF]'
2021-09-09 23:54:18 us=103718 server_network = 10.214.43.0
2021-09-09 23:54:18 us=103878 server_netmask = 255.255.255.0
2021-09-09 23:54:18 us=103902 server_network_ipv6 = ::
2021-09-09 23:54:18 us=103916 server_netbits_ipv6 = 0
2021-09-09 23:54:18 us=103932 server_bridge_ip = 0.0.0.0
2021-09-09 23:54:18 us=103946 server_bridge_netmask = 0.0.0.0
2021-09-09 23:54:18 us=103961 server_bridge_pool_start = 0.0.0.0
2021-09-09 23:54:18 us=103975 server_bridge_pool_end = 0.0.0.0
2021-09-09 23:54:18 us=103990 push_entry = 'route-gateway 10.214.43.1'
2021-09-09 23:54:18 us=104004 push_entry = 'topology subnet'
2021-09-09 23:54:18 us=104018 push_entry = 'ping 5'
2021-09-09 23:54:18 us=104032 push_entry = 'ping-restart 120'
2021-09-09 23:54:18 us=104046 ifconfig_pool_defined = ENABLED
2021-09-09 23:54:18 us=104061 ifconfig_pool_start = 10.214.43.2
2021-09-09 23:54:18 us=104075 ifconfig_pool_end = 10.214.43.253
2021-09-09 23:54:18 us=104090 ifconfig_pool_netmask = 255.255.255.0
2021-09-09 23:54:18 us=104104 ifconfig_pool_persist_filename = '[UNDEF]'
2021-09-09 23:54:18 us=104118 ifconfig_pool_persist_refresh_freq = 600
2021-09-09 23:54:18 us=104132 ifconfig_ipv6_pool_defined = DISABLED
2021-09-09 23:54:18 us=104146 ifconfig_ipv6_pool_base = ::
2021-09-09 23:54:18 us=104160 ifconfig_ipv6_pool_netbits = 0
2021-09-09 23:54:18 us=104174 n_bcast_buf = 256
2021-09-09 23:54:18 us=104189 tcp_queue_limit = 64
2021-09-09 23:54:18 us=104202 real_hash_size = 256
2021-09-09 23:54:18 us=104217 virtual_hash_size = 256
2021-09-09 23:54:18 us=104231 client_connect_script = '[UNDEF]'
2021-09-09 23:54:18 us=104245 learn_address_script = '/usr/local/etc/openvpn/learnaddress.sh'
2021-09-09 23:54:18 us=104259 client_disconnect_script = '[UNDEF]'
2021-09-09 23:54:18 us=104297 client_config_dir = '[UNDEF]'
2021-09-09 23:54:18 us=104311 ccd_exclusive = DISABLED
2021-09-09 23:54:18 us=104325 tmp_dir = '/tmp'
2021-09-09 23:54:18 us=104339 push_ifconfig_defined = DISABLED
2021-09-09 23:54:18 us=104354 push_ifconfig_local = 0.0.0.0
2021-09-09 23:54:18 us=104368 push_ifconfig_remote_netmask = 0.0.0.0
2021-09-09 23:54:18 us=104428 push_ifconfig_ipv6_defined = DISABLED
2021-09-09 23:54:18 us=104444 push_ifconfig_ipv6_local = ::/0
2021-09-09 23:54:18 us=104458 push_ifconfig_ipv6_remote = ::
2021-09-09 23:54:18 us=104472 enable_c2c = DISABLED
2021-09-09 23:54:18 us=104486 duplicate_cn = DISABLED
2021-09-09 23:54:18 us=104500 cf_max = 0
2021-09-09 23:54:18 us=104514 cf_per = 0
2021-09-09 23:54:18 us=104528 max_clients = 50
2021-09-09 23:54:18 us=104542 max_routes_per_client = 256
2021-09-09 23:54:18 us=104557 auth_user_pass_verify_script = '[UNDEF]'
2021-09-09 23:54:18 us=104571 auth_user_pass_verify_script_via_file = DISABLED
2021-09-09 23:54:18 us=104585 auth_token_generate = DISABLED
2021-09-09 23:54:18 us=104599 auth_token_lifetime = 0
2021-09-09 23:54:18 us=104613 auth_token_secret_file = '[UNDEF]'
2021-09-09 23:54:18 us=104627 port_share_host = '[UNDEF]'
2021-09-09 23:54:18 us=104641 port_share_port = '[UNDEF]'
2021-09-09 23:54:18 us=104655 vlan_tagging = DISABLED
2021-09-09 23:54:18 us=104669 vlan_accept = all
2021-09-09 23:54:18 us=104683 vlan_pvid = 1
2021-09-09 23:54:18 us=104697 client = DISABLED
2021-09-09 23:54:18 us=104711 pull = DISABLED
2021-09-09 23:54:18 us=104725 auth_user_pass_file = '[UNDEF]'
2021-09-09 23:54:18 us=104740 OpenVPN 2.5.3 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul 7 2021
2021-09-09 23:54:18 us=104758 library versions: OpenSSL 1.1.1h-freebsd 22 Sep 2020, LZO 2.10
2021-09-09 23:54:18 us=105574 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-09-09 23:54:18 us=106777 Diffie-Hellman initialized with 1024 bit key
2021-09-09 23:54:18 us=107969 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:54:18 us=107989 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:54:18 us=108012 TLS-Auth MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2021-09-09 23:54:18 us=108746 TUN/TAP device /dev/tun0 opened
2021-09-09 23:54:18 us=108767 do_ifconfig, ipv4=1, ipv6=0
2021-09-09 23:54:18 us=108795 /sbin/ifconfig tun0 10.214.43.1 10.214.43.2 mtu 1500 netmask 255.255.255.0 up
2021-09-09 23:54:18 us=111228 /sbin/route add -net 10.214.43.0 10.214.43.2 255.255.255.0
add net 10.214.43.0: gateway 10.214.43.2
2021-09-09 23:54:18 us=112778 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-09-09 23:54:18 us=113078 Could not determine IPv4/IPv6 protocol. Using AF_INET6
2021-09-09 23:54:18 us=113105 Socket Buffers: R=[42080->42080] S=[9216->9216]
2021-09-09 23:54:18 us=113120 setsockopt(IPV6_V6ONLY=0)
2021-09-09 23:54:18 us=113149 UDPv6 link local (bound): [AF_INET6][undef]:1194
2021-09-09 23:54:18 us=113165 UDPv6 link remote: [AF_UNSPEC]
2021-09-09 23:54:18 us=113182 GID set to nogroup
2021-09-09 23:54:18 us=113202 UID set to nobody
2021-09-09 23:54:18 us=113226 MULTI: multi_init called, r=256 v=256
2021-09-09 23:54:18 us=113258 IFCONFIG POOL IPv4: base=10.214.43.2 size=252
2021-09-09 23:54:18 us=113314 Initialization Sequence Completed
2021-09-09 23:55:28 us=362978 MULTI: multi_create_instance called
2021-09-09 23:55:28 us=363032 73.144.221.52:50999 Re-using SSL/TLS context
2021-09-09 23:55:28 us=363092 73.144.221.52:50999 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:28 us=363104 73.144.221.52:50999 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:28 us=363273 73.144.221.52:50999 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2021-09-09 23:55:28 us=363285 73.144.221.52:50999 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-09-09 23:55:28 us=363323 73.144.221.52:50999 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2021-09-09 23:55:28 us=363342 73.144.221.52:50999 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2021-09-09 23:55:28 us=363395 73.144.221.52:50999 TLS: Initial packet from [AF_INET6]::ffff:73.144.221.52:50999, sid=98353b74 cfd179db
2021-09-09 23:55:28 us=447788 73.144.221.52:50999 VERIFY OK: depth=0, CN=<server>, C=US, O=<company-name>
2021-09-09 23:55:28 us=448067 73.144.221.52:50999 peer info: IV_VER=2.4.9
2021-09-09 23:55:28 us=448082 73.144.221.52:50999 peer info: IV_PLAT=win
2021-09-09 23:55:28 us=448091 73.144.221.52:50999 peer info: IV_PROTO=2
2021-09-09 23:55:28 us=448100 73.144.221.52:50999 peer info: IV_NCP=2
2021-09-09 23:55:28 us=448108 73.144.221.52:50999 peer info: IV_LZ4=1
2021-09-09 23:55:28 us=448117 73.144.221.52:50999 peer info: IV_LZ4v2=1
2021-09-09 23:55:28 us=448125 73.144.221.52:50999 peer info: IV_LZO=1
2021-09-09 23:55:28 us=448134 73.144.221.52:50999 peer info: IV_COMP_STUB=1
2021-09-09 23:55:28 us=448142 73.144.221.52:50999 peer info: IV_COMP_STUBv2=1
2021-09-09 23:55:28 us=448151 73.144.221.52:50999 peer info: IV_TCPNL=1
2021-09-09 23:55:28 us=448171 73.144.221.52:50999 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2021-09-09 23:55:28 us=448186 73.144.221.52:50999 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2021-09-09 23:55:28 us=448197 73.144.221.52:50999 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2021-09-09 23:55:28 us=448219 73.144.221.52:50999 Option inconsistency warnings triggering disconnect due to --opt-verify
2021-09-09 23:55:28 us=486480 73.144.221.52:50999 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2021-09-09 23:55:28 us=486520 73.144.221.52:50999 [<server>] Peer Connection Initiated with [AF_INET6]::ffff:73.144.221.52:50999
2021-09-09 23:55:29 us=594865 73.144.221.52:50999 PUSH: Received control message: 'PUSH_REQUEST'
2021-09-09 23:55:29 us=594899 73.144.221.52:50999 Delayed exit in 5 seconds
2021-09-09 23:55:29 us=594915 73.144.221.52:50999 SENT CONTROL [<server>]: 'AUTH_FAILED' (status=1)
2021-09-09 23:55:34 us=790615 73.144.221.52:50999 SIGTERM[soft,delayed-exit] received, client-instance exiting
2021-09-09 23:55:39 us=881969 MULTI: multi_create_instance called
2021-09-09 23:55:39 us=882011 73.144.221.52:65469 Re-using SSL/TLS context
2021-09-09 23:55:39 us=882069 73.144.221.52:65469 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:39 us=882080 73.144.221.52:65469 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:39 us=882145 73.144.221.52:65469 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2021-09-09 23:55:39 us=882157 73.144.221.52:65469 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-09-09 23:55:39 us=882189 73.144.221.52:65469 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2021-09-09 23:55:39 us=882199 73.144.221.52:65469 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2021-09-09 23:55:39 us=882245 73.144.221.52:65469 TLS: Initial packet from [AF_INET6]::ffff:73.144.221.52:65469, sid=b0072bdc f76f1e8d
2021-09-09 23:55:39 us=960483 73.144.221.52:65469 VERIFY OK: depth=0, CN=<server>, C=US, O=<company-name>
2021-09-09 23:55:39 us=960722 73.144.221.52:65469 peer info: IV_VER=2.4.9
2021-09-09 23:55:39 us=960745 73.144.221.52:65469 peer info: IV_PLAT=win
2021-09-09 23:55:39 us=960754 73.144.221.52:65469 peer info: IV_PROTO=2
2021-09-09 23:55:39 us=960763 73.144.221.52:65469 peer info: IV_NCP=2
2021-09-09 23:55:39 us=960771 73.144.221.52:65469 peer info: IV_LZ4=1
2021-09-09 23:55:39 us=960779 73.144.221.52:65469 peer info: IV_LZ4v2=1
2021-09-09 23:55:39 us=960788 73.144.221.52:65469 peer info: IV_LZO=1
2021-09-09 23:55:39 us=960796 73.144.221.52:65469 peer info: IV_COMP_STUB=1
2021-09-09 23:55:39 us=960805 73.144.221.52:65469 peer info: IV_COMP_STUBv2=1
2021-09-09 23:55:39 us=960813 73.144.221.52:65469 peer info: IV_TCPNL=1
2021-09-09 23:55:39 us=960830 73.144.221.52:65469 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2021-09-09 23:55:39 us=960844 73.144.221.52:65469 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2021-09-09 23:55:39 us=960856 73.144.221.52:65469 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2021-09-09 23:55:39 us=960877 73.144.221.52:65469 Option inconsistency warnings triggering disconnect due to --opt-verify
2021-09-09 23:55:39 us=999494 73.144.221.52:65469 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2021-09-09 23:55:39 us=999534 73.144.221.52:65469 [<server>] Peer Connection Initiated with [AF_INET6]::ffff:73.144.221.52:65469
2021-09-09 23:55:41 us=242601 73.144.221.52:65469 PUSH: Received control message: 'PUSH_REQUEST'
2021-09-09 23:55:41 us=242633 73.144.221.52:65469 Delayed exit in 5 seconds
2021-09-09 23:55:41 us=242650 73.144.221.52:65469 SENT CONTROL [<server>]: 'AUTH_FAILED' (status=1)
2021-09-09 23:55:46 us=670611 73.144.221.52:65469 SIGTERM[soft,delayed-exit] received, client-instance exiting
2021-09-09 23:55:51 us=407053 MULTI: multi_create_instance called
2021-09-09 23:55:51 us=407097 73.144.221.52:61955 Re-using SSL/TLS context
2021-09-09 23:55:51 us=407166 73.144.221.52:61955 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:51 us=407177 73.144.221.52:61955 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-09 23:55:51 us=407241 73.144.221.52:61955 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2021-09-09 23:55:51 us=407252 73.144.221.52:61955 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-09-09 23:55:51 us=407282 73.144.221.52:61955 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
2021-09-09 23:55:51 us=407291 73.144.221.52:61955 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
2021-09-09 23:55:51 us=407336 73.144.221.52:61955 TLS: Initial packet from [AF_INET6]::ffff:73.144.221.52:61955, sid=452bd74b bb2cef20
2021-09-09 23:55:51 us=494137 73.144.221.52:61955 VERIFY OK: depth=0, CN=<server>, C=US, O=<company-name>
2021-09-09 23:55:51 us=494408 73.144.221.52:61955 peer info: IV_VER=2.4.9
2021-09-09 23:55:51 us=494423 73.144.221.52:61955 peer info: IV_PLAT=win
2021-09-09 23:55:51 us=494432 73.144.221.52:61955 peer info: IV_PROTO=2
2021-09-09 23:55:51 us=494440 73.144.221.52:61955 peer info: IV_NCP=2
2021-09-09 23:55:51 us=494449 73.144.221.52:61955 peer info: IV_LZ4=1
2021-09-09 23:55:51 us=494457 73.144.221.52:61955 peer info: IV_LZ4v2=1
2021-09-09 23:55:51 us=494466 73.144.221.52:61955 peer info: IV_LZO=1
2021-09-09 23:55:51 us=494474 73.144.221.52:61955 peer info: IV_COMP_STUB=1
2021-09-09 23:55:51 us=494483 73.144.221.52:61955 peer info: IV_COMP_STUBv2=1
2021-09-09 23:55:51 us=494491 73.144.221.52:61955 peer info: IV_TCPNL=1
2021-09-09 23:55:51 us=494522 73.144.221.52:61955 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2021-09-09 23:55:51 us=494537 73.144.221.52:61955 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2021-09-09 23:55:51 us=494549 73.144.221.52:61955 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2021-09-09 23:55:51 us=494803 73.144.221.52:61955 Option inconsistency warnings triggering disconnect due to --opt-verify
2021-09-09 23:55:51 us=532419 73.144.221.52:61955 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2021-09-09 23:55:51 us=532458 73.144.221.52:61955 [<server>] Peer Connection Initiated with [AF_INET6]::ffff:73.144.221.52:61955
2021-09-09 23:55:52 us=683877 73.144.221.52:61955 PUSH: Received control message: 'PUSH_REQUEST'
2021-09-09 23:55:52 us=683909 73.144.221.52:61955 Delayed exit in 5 seconds
2021-09-09 23:55:52 us=683926 73.144.221.52:61955 SENT CONTROL [<server>]: 'AUTH_FAILED' (status=1)

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Fri Sep 10, 2021 12:17 am

claude wrote:
Fri Sep 10, 2021 12:04 am
2021-09-09 23:55:51 us=494803 73.144.221.52:61955 Option inconsistency warnings triggering disconnect due to --opt-verify
--opt-verify is explained in the manual.

claude
OpenVpn Newbie
Posts: 9
Joined: Wed Sep 08, 2021 6:49 pm

Re: OpenVPN ncp-ciphers not working

Post by claude » Fri Sep 10, 2021 12:34 am

Thanks for pointing that out. I had read about the --opt-verify but where in the cipher negotiation documentation does it state that this shouldn't be used? From all the cipher documentation I read, it indicated that if the client's cipher was in the list of data-ciphers on the server, it would connect. I did not find anything that mentioned not using the --opt-verify.

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Fri Sep 10, 2021 1:37 am

claude wrote:
Fri Sep 10, 2021 12:34 am
I had read about the --opt-verify but where in the cipher negotiation documentation does it state that this shouldn't be used?
Nowhere .. use it correctly.

claude
OpenVpn Newbie
Posts: 9
Joined: Wed Sep 08, 2021 6:49 pm

Re: OpenVPN ncp-ciphers not working

Post by claude » Fri Sep 10, 2021 10:35 am

I performed a test by removing the following directives from the server:
data-ciphers-fallback BF-CBC
data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC:BF-CBC

I was expecting it not to work since BF-CBC was not in the list but it did work. That tells me that removing opt-verify just overrides everything and doesn't even look at the data-ciphers list. It would be helpful if the cipher negotiation documentation would state that.

claude
OpenVpn Newbie
Posts: 9
Joined: Wed Sep 08, 2021 6:49 pm

Re: OpenVPN ncp-ciphers not working

Post by claude » Tue Sep 14, 2021 8:20 pm

After investigating this further, I tested w/ a 2.4 server and 2.4 client, setting logging to verb 9. I see the following after a connection got established, which seemed to indicate that the cipher used was AES-256-GCM:

Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Outgoing Data Channel: CIPHER KEY: 0b45fc1c d2866973 9fb96896 160c66a4 841abe03 a2d2e315 0c9bc2f4 e7c74b56
Outgoing Data Channel: CIPHER block_size=16 iv_size=12
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: CIPHER KEY: ae77240b 95216441 ef46616e ff0c3937 c96ba1de ea1040b1 60f410d3 a99acd23
Incoming Data Channel: CIPHER block_size=16 iv_size=12

I tested this w/ a 2.4 client against a 2.5 server, removing the opt-verify, and get the same results as above. Why is it that when I run a 2.4 client against a 2.5 server w/ the opt-verify, it fails w/ the following error? How is the client passing in these settings when the default in 2.4 is to use AES-256-GCM?

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Option inconsistency warnings triggering disconnect due to --opt-verify

TinCanTech
Forum Team
Posts: 9655
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN ncp-ciphers not working

Post by TinCanTech » Tue Sep 14, 2021 8:31 pm

claude wrote:
Tue Sep 14, 2021 8:20 pm
Why is it that when I run a 2.4 client against a 2.5 server w/ the opt-verify, it fails
Because that is its purpose.

The error is:
Option inconsistency warnings triggering disconnect due to --opt-verify

Also, WRT cipher negotiation, a lot has changed; this could be a tiny overlooked difference between the two versions.
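
Added example, not part of any post in this thread: a small Python triage script that groups server log lines per client, in the format of the log above, and reports which options mismatched, whether --opt-verify ended the session, and which data channel cipher was initialized when it did not. The log lines are constructed from the messages quoted in the thread (192.0.2.10 is a documentation address, and the per-client prefix on the data channel line is an assumption); the function names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample (verb 4 style). Session :50999 mirrors the failing
# attempts in the thread; session :51000 mirrors the later test with
# opt-verify removed from the server configuration.
SAMPLE_LOG = """\
2021-09-09 23:55:28 us=362978 MULTI: multi_create_instance called
2021-09-09 23:55:28 us=448067 192.0.2.10:50999 peer info: IV_VER=2.4.9
2021-09-09 23:55:28 us=448100 192.0.2.10:50999 peer info: IV_NCP=2
2021-09-09 23:55:28 us=448171 192.0.2.10:50999 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2021-09-09 23:55:28 us=448186 192.0.2.10:50999 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2021-09-09 23:55:28 us=448197 192.0.2.10:50999 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2021-09-09 23:55:28 us=448219 192.0.2.10:50999 Option inconsistency warnings triggering disconnect due to --opt-verify
2021-09-09 23:55:29 us=594915 192.0.2.10:50999 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
2021-09-14 20:10:02 us=100001 192.0.2.10:51000 peer info: IV_VER=2.4.9
2021-09-14 20:10:02 us=100002 192.0.2.10:51000 peer info: IV_NCP=2
2021-09-14 20:10:02 us=100003 192.0.2.10:51000 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2021-09-14 20:10:02 us=100004 192.0.2.10:51000 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
2021-09-14 20:10:03 us=100005 192.0.2.10:51000 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

# timestamp, us=<n>, then "<ipv4>:<port> <message>" for per-client lines
LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d us=\d+ "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
PEER_INFO_RE = re.compile(r"peer info: (?P<key>IV_\w+)=(?P<val>.*)")
CIPHER_RE = re.compile(r"Data Channel: Cipher '(?P<cipher>[^']+)' initialized")


def triage(log_text):
    """Return an ordered dict of per-client session summaries."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # global lines carry no client address; skip them
        s = sessions.setdefault(m["peer"], {
            "peer_info": {}, "mismatches": {}, "data_cipher": None,
            "opt_verify_disconnect": False, "auth_failed": False,
        })
        msg = m["msg"]
        if (pi := PEER_INFO_RE.search(msg)):
            s["peer_info"][pi["key"]] = pi["val"]
        elif (w := WARN_RE.search(msg)):
            s["mismatches"][w["opt"]] = (w["local"], w["remote"])
        elif "disconnect due to --opt-verify" in msg:
            s["opt_verify_disconnect"] = True
        elif "'AUTH_FAILED'" in msg:
            s["auth_failed"] = True
        elif (c := CIPHER_RE.search(msg)):
            s["data_cipher"] = c["cipher"]
    return sessions


def verdict(session):
    """One-line explanation of how a session ended."""
    if session["opt_verify_disconnect"]:
        opts = ", ".join(sorted(session["mismatches"]))
        return f"rejected by --opt-verify (mismatched: {opts})"
    if session["auth_failed"]:
        return "AUTH_FAILED for another reason"
    if session["data_cipher"]:
        return f"connected, data cipher {session['data_cipher']}"
    return "incomplete"


if __name__ == "__main__":
    for peer, sess in triage(SAMPLE_LOG).items():
        print(peer, sess["peer_info"].get("IV_VER"), "->", verdict(sess))
```

The second session shows the same inconsistency warnings without a disconnect, which is why the warnings alone are not the failure indicator; the "triggering disconnect due to --opt-verify" line is.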
