I have just set up OpenVPN server on Debian 9 (OpenVPN is version 2.4.0) and I am getting some strange warnings:
Fri Sep 15 22:46:39 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1603'
Fri Sep 15 22:46:39 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Fri Sep 15 22:46:39 2017 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
Fri Sep 15 22:46:39 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Fri Sep 15 22:46:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
I do not understand this, because I am not even setting link-mtu and keysize, but there are still warnings.
I also do not understand this line completely:
Fri Sep 15 22:46:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
What does "cipher TLSv1/SSLv3" mean? I am requesting a TLS version of at least 1.2 in the server config, so this (SSLv3) is quite confusing...
Here is the server config:
[oconf=]mode server
tls-server
local XX.XX.XX.XX
proto tcp
port 443
port-share 127.0.0.1 4443
dev tun
ca /etc/openvpn/serverkeys/ca.crt
cert /etc/openvpn/serverkeys/serverTCP.crt
key /etc/openvpn/serverkeys/serverTCP.key
dh /etc/openvpn/serverkeys/dh4096.pem
crl-verify /etc/openvpn/serverkeys/crl.pem
tls-crypt /etc/openvpn/serverkeys/ta.key
tls-version-min 1.2
remote-cert-tls client
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
cipher AES-256-CBC
server 10.10.8.0 255.255.255.0
persist-key
persist-tun
topology subnet
push "topology subnet"
push "redirect-gateway def1"
push "remote-gateway 10.10.8.1"
push "route 10.10.9.0 255.255.255.0"
client-to-client
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
client-config-dir /etc/openvpn/ccd_tcp
keepalive 10 120
verb 3
status /var/log/openvpn/status_tcp.log
log /var/log/openvpn/openvpn_tcp.log
log-append /var/log/openvpn/openvpn_tcp.log
mute 20[/oconf]
And this is the client config (running from Ubuntu 17.04, OpenVPN is also version 2.4.0):
[oconf=]client
remote XX.XX.XX.XX 443
proto tcp
dev tun
mute-replay-warnings
tls-version-min 1.2
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
ping 10
ping-restart 60
verb 3
mute 20[/oconf]
And my last question... I am using ta.key for tls-crypt. I have generated it with command:
openvpn --genkey --secret ta.key
...and it is a 2048-bit OpenVPN static key. Is it possible to use larger static keys, for instance 3072-bit? How do I create them?
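A small parser for the "used inconsistently" warnings and the Control Channel line, added here as an illustration and not part of the original post or of OpenVPN itself. The sample log lines are constructed after the ones quoted above; the legacy-default table holds the values OpenVPN 2.4 falls back to when a side sets no explicit cipher/auth, which is the usual reason one peer reports BF-CBC/SHA1 while the other reports AES-256-CBC/SHA512.

```python
import re

# Constructed sample, modelled on the warnings quoted in the post above.
SAMPLE_LOG = """\
Fri Sep 15 22:46:39 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1543', remote='link-mtu 1603'
Fri Sep 15 22:46:39 2017 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC'
Fri Sep 15 22:46:39 2017 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA512'
Fri Sep 15 22:46:39 2017 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256'
Fri Sep 15 22:46:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
"""

MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']+)', remote='(?P=opt) (?P<remote>[^']+)'"
)
# The token after "cipher" (e.g. TLSv1/SSLv3) is OpenSSL's cipher-family label,
# not the negotiated protocol; the negotiated protocol is the TLSv1.2 before it.
CONTROL_RE = re.compile(
    r"Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ (?P<suite>[^\s,]+)"
)

# OpenVPN 2.4 data-channel defaults when a config sets no 'cipher'/'auth'.
LEGACY_DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "keysize": "128"}


def parse_mismatches(log):
    """Return {option: (local, remote)} for every 'used inconsistently' warning."""
    found = {}
    for line in log.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found[m["opt"]] = (m["local"], m["remote"])
    return found


def parse_control_channel(log):
    """Return (tls_version, cipher_suite) from the Control Channel line, or None."""
    for line in log.splitlines():
        m = CONTROL_RE.search(line)
        if m:
            return m["tls"], m["suite"]
    return None


def legacy_default_sides(mismatches):
    """(option, side) pairs where that side is on a 2.4 legacy default, i.e.
    that peer's config most likely has no explicit 'cipher'/'auth' line."""
    hits = []
    for opt, (local, remote) in sorted(mismatches.items()):
        for side, value in (("local", local), ("remote", remote)):
            if LEGACY_DEFAULTS.get(opt) == value:
                hits.append((opt, side))
    return hits
```

Running `legacy_default_sides(parse_mismatches(SAMPLE_LOG))` on the sample reports the local side for auth, cipher and keysize, which is the side whose config needs matching `cipher` and `auth` lines.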
Strange warnings in openvpn log