Warnings

Post by GabrieleMax » Sat Mar 17, 2018 9:42 pm

Hi everybody!

I have these warnings shown by my client:

Code:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1586'
Mon Mar 12 23:16:40 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Mar 12 23:16:40 2018 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Mar 12 23:16:40 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

Below you can see my server.conf:

Code:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
route 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret
auth SHA512    # This needs to be in client.ovpn too though.
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 6
user ovpn
group ovpn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
explicit-exit-notify 1

It seems everything is OK; I don't understand how I could fix the warnings above :\


Re: Warnings

Post by TinCanTech » Sat Mar 17, 2018 11:05 pm

GabrieleMax wrote: Sat Mar 17, 2018 9:42 pm
> It seems everything is ok

You must be using version 2.4.x ..

GabrieleMax wrote: Sat Mar 17, 2018 9:42 pm
> WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
> WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

These are due to Negotiated Cypher Protocol .. they are harmless and can be ignored. (because the NCP will resolve it)

GabrieleMax wrote: Sat Mar 17, 2018 9:42 pm
> WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'

You are pushing LZO anyway .. so this will be resolved from the push.

GabrieleMax wrote: Sat Mar 17, 2018 9:42 pm
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1586'

Unless your MTU resolves to be like ~150 .. I believe this can also be ignored.


Re: Warnings

Post by GabrieleMax » Sun Mar 18, 2018 10:42 am

Thank you very much for your quick reply! ;)

TinCanTech wrote: Sat Mar 17, 2018 11:05 pm
> You must be using version 2.4.x ..

Code:

root@Server01:/home/gabriele# apt-show-versions openvpn
openvpn:i386/buster 2.4.5-1 uptodate

TinCanTech wrote: Sat Mar 17, 2018 11:05 pm
> These are due to Negotiated Cypher Protocol .. they are harmless and can be ignored. (because the NCP will resolve it)

OK, but... I want to use the best remote cipher on my server, like AES-256-CBC. I thought I wrote it in my server.conf, but my client doesn't think the same (...). How could I force just AES-256-CBC in my server.conf?
I'd also like to use a remote keysize of 256, but... I don't remember when and how I set it to 128...

TinCanTech wrote: Sat Mar 17, 2018 11:05 pm
> You are pushing LZO anyway .. so this will be resolved from the push.

OK, but... I'd like to use just the new lzo version (lz4-v2). I think it's more secure than also enabling the old version, but when I configure a client I would have to enable both the old and new versions if I don't want to see a warning message.

TinCanTech wrote: Sat Mar 17, 2018 11:05 pm
> Unless your MTU resolves to be like ~150 .. I believe this can also be ignored.

To be honest, I never checked what MTU means, so I don't know how and why I should manage it or how it would be better to set it, but I think I could find a lot of documents online about it.


Re: Warnings

Post by TinCanTech » Sun Mar 18, 2018 8:44 pm

GabrieleMax wrote: Sun Mar 18, 2018 10:42 am
> I want to use on my server the best remote cipher like AES-256-CBC

Negotiated Cipher Protocol will select the best cipher .. but if you want to disable it use --ncp-disable

GabrieleMax wrote: Sun Mar 18, 2018 10:42 am
> I'd like to use just new lzo version (lz4-v2)

See --compress in The Manual v24x

Pushing compress is recommended.

GabrieleMax wrote: Sun Mar 18, 2018 10:42 am
> I never checked what MTU means so I don't know how and why I should manage it

Generally openvpn manages MTU itself .. it is known to be in need of some work. If your VPN connects properly then you can usually ignore it (at this time).

I run multiple VPNs and they all have this MTU warning .. I don't believe it is worth resolving.

If you are very well informed as to how MTU works and you can code in C then you could submit patches and discuss the problem with the devs.
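
Added example, not written by either poster: a Python script that parses the option-consistency warnings quoted in the first post and checks each one against an excerpt of the posted server.conf, marking whether the remote value (such as `cipher BF-CBC`) comes from a directive actually written in that file. The function names, the config excerpt and the `SMALL_BLOCK` set of 64-bit block ciphers are assumptions of this example.

```python
import re

# Constructed input: the four client warnings quoted in the first post.
SAMPLE_LOG = """\
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1601', remote='link-mtu 1586'
Mon Mar 12 23:16:40 2018 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Mon Mar 12 23:16:40 2018 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Mon Mar 12 23:16:40 2018 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
"""

# Constructed input: excerpt of the posted server.conf (it has no cipher line).
SAMPLE_SERVER_CONF = """\
auth SHA512    # This needs to be in client.ovpn too though.
ncp-ciphers AES-256-GCM:AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
"""

MISMATCH = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
ONE_SIDED = re.compile(r"WARNING: '([^']+)' is present in (local|remote) config but missing in "
                       r"(?:local|remote) config, (?:local|remote)='([^']*)'")
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # assumption: 64-bit block ciphers

def directives(conf_text):
    """Return the directive names written explicitly in a config file."""
    names = set()
    for line in conf_text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            names.add(line.split()[0])
    return names

def parse_warnings(log_text, remote_conf_text):
    """Turn the warnings into records and mark remote values set explicitly."""
    explicit = directives(remote_conf_text)
    records = []
    for line in log_text.splitlines():
        if m := MISMATCH.search(line):
            opt, local, remote = m.groups()
        elif m := ONE_SIDED.search(line):
            opt, side, value = m.groups()
            local, remote = (value, None) if side == "local" else (None, value)
        else:
            continue
        values = {v.split()[-1] for v in (local, remote) if v}
        records.append({"option": opt, "local": local, "remote": remote,
                        "remote_explicit": opt in explicit,
                        "small_block_cipher": opt == "cipher" and bool(values & SMALL_BLOCK)})
    return records
```

A record with `remote_explicit` set to `False` means the value the peer reported was not written as a directive in the file that was checked.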
