Strange warnings in openvpn log

MatejKovacic
OpenVPN User
Posts: 44
Joined: Wed Jun 19, 2013 9:43 am

Post by MatejKovacic » Fri Sep 15, 2017 9:21 pm

I have just set up an OpenVPN server on Debian 9 (OpenVPN version 2.4.0) and I am getting some strange warnings:

Fri Sep 15 22:46:39 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1603'
Fri Sep 15 22:46:39 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Fri Sep 15 22:46:39 2017 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
Fri Sep 15 22:46:39 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Fri Sep 15 22:46:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

I do not understand this, because I am not even setting link-mtu and keysize, but there are still warnings.

I also do not understand this line completely:
Fri Sep 15 22:46:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

What does it mean: "cipher TLSv1/SSLv3"? I am requesting TLS version at least 1.2 in server config, so this (SSLv3) is quite confusing...

Here is the server config:

[oconf=]mode server
tls-server
local XX.XX.XX.XX
proto tcp
port 443
port-share 127.0.0.1 4443
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/serverTCP.crt
key /etc/openvpn/serverkeys/serverTCP.key
dh /etc/openvpn/serverkeys/dh4096.pem
crl-verify /etc/openvpn/serverkeys/crl.pem
tls-crypt /etc/openvpn/serverkeys/ta.key
tls-version-min 1.2
remote-cert-tls client
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
cipher AES-256-CBC
server 10.10.8.0 255.255.255.0
persist-key
persist-tun
topology subnet
push "topology subnet"
push "redirect-gateway def1"
push "remote-gateway 10.10.8.1"
push "route 10.10.9.0 255.255.255.0"
client-to-client
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd_tcp
keepalive 10 120
verb 3
status /var/log/openvpn/status_tcp.log
log /var/log/openvpn/openvpn_tcp.log
log-append /var/log/openvpn/openvpn_tcp.log
mute 20[/oconf]

And this is the client config (running from Ubuntu 17.04, OpenVPN is also version 2.4.0):

[oconf=]client
remote XX.XX.XX.XX 443
proto tcp
dev tun
mute-replay-warnings
tls-version-min 1.2
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
ping 10
ping-restart 60
verb 3
mute 20[/oconf]

And my last question... I am using ta.key for tls-crypt. I have generated it with command:

openvpn --genkey --secret ta.key

...and it is a 2048-bit OpenVPN static key. Is it possible to use larger static keys, for instance 3072 bit? How do I create them?
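As an added example (not part of the post), a small Python script that reproduces OpenVPN 2.4's option-consistency check for the three data-channel options in the log above, filling in the 2.4 defaults (cipher BF-CBC, auth SHA1) that a config silently relies on when it omits them; the key-size table and the two sample configs are constructed here and cover only the ciphers relevant to this thread.

```python
# Added example: reproduce OpenVPN 2.4's "used inconsistently" option check
# for two configs, to see which side is silently relying on a default.
# Defaults are OpenVPN 2.4's (cipher BF-CBC, auth SHA1); the key-size table
# is a constructed subset. Sample configs below are constructed.
import re

DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
KEY_BITS = {"BF-CBC": 128, "AES-128-CBC": 128, "AES-256-CBC": 256, "AES-256-GCM": 256}
CHECKED = ("cipher", "auth", "keysize")

def parse_config(text):
    """Return {option: value} for top-level directives, skipping inline
    <ca>...</ca>-style blocks and [oconf] BB tags."""
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = re.sub(r"\[/?oconf[^\]]*\]", "", raw).strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):          # end of an inline block
            in_block = False
            continue
        if line.startswith("<"):           # start of an inline block
            in_block = True
            continue
        if in_block:                       # certificate/key material, not options
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def effective(opts):
    """Fill in what OpenVPN 2.4 uses when an option is absent."""
    eff = {k: opts.get(k, v) for k, v in DEFAULTS.items()}
    eff["keysize"] = opts.get("keysize") or str(KEY_BITS.get(eff["cipher"], "?"))
    return eff

def inconsistencies(local_text, remote_text):
    """List (option, local, remote) triples that would trigger the warning."""
    local, remote = effective(parse_config(local_text)), effective(parse_config(remote_text))
    return [(k, local[k], remote[k]) for k in CHECKED if local[k] != remote[k]]

# Constructed stand-ins for the posted configs: server sets cipher/auth, client does not.
SERVER = "cipher AES-256-CBC\nauth SHA512\n"
CLIENT = "client\n<ca>\n-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n</ca>\ntls-version-min 1.2\n"

if __name__ == "__main__":
    for opt, loc, rem in inconsistencies(CLIENT, SERVER):
        print(f"WARNING: '{opt}' is used inconsistently, local='{opt} {loc}', remote='{opt} {rem}'")
```

Run against the two posted configs, it shows the client side falling back to BF-CBC/SHA1/128 because it sets neither `cipher` nor `auth`, which is exactly the local/remote split in the log.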
