ciphers never match

Post by andresmorago » Wed Sep 16, 2020 4:02 pm

Hello to all
I apologize if this topic has been discussed before, but none of the info I've found seems to fix my issue.

I can't seem to be able to enforce using cipher AES-128-CBC and it will always default to AES-256, showing GCM, which I never configured. Also, sometimes the log will say that client and server cipher don't match.

My OpenVPN server runs on Ubuntu.
OpenVPN 2.4.4-2

server

local 172.26.9.180
port 443
proto udp
dev tun
duplicate-cn
keepalive 10 120

##SECURITY
tls-server
#certificate authority's cert.
ca ca.crt
#server's TLS key
key server.key
#VPN server's TLS cert.
cert server.crt
#DH parameter file.
dh dh.pem
#TLS Authentication
tls-auth tls.key 0
#tls-crypt tls.key
#
crl-verify crl.pem
auth SHA1
#ncp-disable
#cipher AES-256-CBC
cipher AES-128-CBC
#push "cipher AES-128-CBC"

topology subnet
server 10.0.2.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 127.0.0.1"
push "dhcp-option DNS 172.26.0.2"

push "route 10.0.0.0 255.255.255.0"
push "route 10.0.1.0 255.255.255.0"
push "route 10.0.2.0 255.255.255.0"

# Allow LAN routing between clients
client-to-client

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify


client

client
dev tun
proto udp
remote xxxxxxx 443

#tun-mtu 1470
mssfix 1430


resolv-retry infinite
nobind
persist-key
persist-tun

#SECURITY
tls-client
remote-cert-tls server
auth SHA1
#ncp-disable
#cipher AES-256-CBC
cipher AES-128-CBC


ignore-unknown-option block-outside-dns
block-outside-dns
verb 3

Wed Sep 16 11:00:03 2020 Unblocking outside dns using service succeeded.
Wed Sep 16 11:00:03 2020 SIGUSR1[soft,server-pushed-connection-reset] received, process restarting
Wed Sep 16 11:00:03 2020 MANAGEMENT: >STATE:1600272003,RECONNECTING,server-pushed-connection-reset,,,,,
Wed Sep 16 11:00:03 2020 Restart pause, 5 second(s)
Wed Sep 16 11:00:08 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxx:443
Wed Sep 16 11:00:08 2020 Socket Buffers: R=[65536->393216] S=[65536->393216]
Wed Sep 16 11:00:08 2020 UDP link local: (not bound)
Wed Sep 16 11:00:08 2020 UDP link remote: [AF_INET]xxxxxxx:443
Wed Sep 16 11:00:08 2020 MANAGEMENT: >STATE:1600272008,WAIT,,,,,,
Wed Sep 16 11:00:09 2020 MANAGEMENT: >STATE:1600272009,AUTH,,,,,,
Wed Sep 16 11:00:09 2020 TLS: Initial packet from [AF_INET]xxxxxxx:443, sid=b8471d69 ac30fc94
Wed Sep 16 11:00:09 2020 VERIFY OK: depth=1, CN=ChangeMe
Wed Sep 16 11:00:09 2020 VERIFY KU OK
Wed Sep 16 11:00:09 2020 Validating certificate extended key usage
Wed Sep 16 11:00:09 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Sep 16 11:00:09 2020 VERIFY EKU OK
Wed Sep 16 11:00:09 2020 VERIFY OK: depth=0, CN=server
Wed Sep 16 11:00:09 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Sep 16 11:00:09 2020 [server] Peer Connection Initiated with [AF_INET]xxxxxxx:443
Wed Sep 16 11:00:10 2020 MANAGEMENT: >STATE:1600272010,GET_CONFIG,,,,,,
Wed Sep 16 11:00:10 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Sep 16 11:00:11 2020 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 127.0.0.1,dhcp-option DNS 172.26.0.2,route 10.0.0.0 255.255.255.0,route 10.0.1.0 255.255.255.0,route 10.0.2.0 255.255.255.0,sndbuf 393216,rcvbuf 393216,route-gateway 10.0.2.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.0.2.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: timers and/or timeouts modified
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Sep 16 11:00:11 2020 Socket Buffers: R=[393216->393216] S=[393216->393216]
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: route options modified
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: route-related options modified
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: peer-id set
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: adjusting link_mtu to 1624
Wed Sep 16 11:00:11 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Sep 16 11:00:11 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Sep 16 11:00:11 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 11:00:11 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Sep 16 11:00:11 2020 Preserving previous TUN/TAP instance: Local Area Connection
Wed Sep 16 11:00:11 2020 Blocking outside dns using service succeeded.
Wed Sep 16 11:00:11 2020 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE 10.0.0.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE 10.0.1.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE 10.0.2.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE xxxxxxx MASK 255.255.255.255 10.0.0.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.0.2.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.0.2.1
Wed Sep 16 11:00:11 2020 Route deletion via service succeeded
Wed Sep 16 11:00:11 2020 Closing TUN/TAP interface
Wed Sep 16 11:00:11 2020 TAP: DHCP address released
Wed Sep 16 11:00:11 2020 Unblocking outside dns using service succeeded.
Wed Sep 16 11:00:12 2020 interactive service msg_channel=624
Wed Sep 16 11:00:12 2020 ROUTE_GATEWAY 10.0.0.1/255.255.255.0 I=19 HWADDR=7c:b2:7d:d0:32:8e
Wed Sep 16 11:00:12 2020 open_tun
Wed Sep 16 11:00:12 2020 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{91F308C8-3DF4-433F-8D3C-95A9D0A0C1EA}.tap
Wed Sep 16 11:00:12 2020 TAP-Windows Driver Version 9.24 
Wed Sep 16 11:00:12 2020 Set TAP-Windows TUN subnet mode network/local/netmask = 10.0.2.0/10.0.2.2/255.255.255.0 [SUCCEEDED]
Wed Sep 16 11:00:12 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.2.2/255.255.255.0 on interface {91F308C8-3DF4-433F-8D3C-95A9D0A0C1EA} [DHCP-serv: 10.0.2.254, lease-time: 31536000]
Wed Sep 16 11:00:12 2020 Successful ARP Flush on interface [14] {91F308C8-3DF4-433F-8D3C-95A9D0A0C1EA}
Wed Sep 16 11:00:12 2020 MANAGEMENT: >STATE:1600272012,ASSIGN_IP,,10.0.2.2,,,,
Wed Sep 16 11:00:12 2020 Blocking outside dns using service succeeded.
Wed Sep 16 11:00:17 2020 TEST ROUTES: 4/4 succeeded len=3 ret=1 a=0 u/d=up
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD xxxxxxx MASK 255.255.255.255 10.0.0.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.2.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.2.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 MANAGEMENT: >STATE:1600272017,ADD_ROUTES,,,,,,
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD 10.0.0.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD 10.0.1.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 C:\Windows\system32\route.exe ADD 10.0.2.0 MASK 255.255.255.0 10.0.2.1
Wed Sep 16 11:00:17 2020 Route addition via service succeeded
Wed Sep 16 11:00:17 2020 Initialization Sequence Completed
Wed Sep 16 11:00:17 2020 MANAGEMENT: >STATE:1600272017,CONNECTED,SUCCESS,10.0.2.2,xxxxxxx,443,,

Post by Pippin » Wed Sep 16, 2020 4:05 pm

See the --ncp-XXX directives in manual 2.4:
https://community.openvpn.net/openvpn/w ... n24ManPage

Post by andresmorago » Wed Sep 16, 2020 4:07 pm

Thanks.
So using ncp-disable on the server will help?

Am I missing anything?

Post by Pippin » Wed Sep 16, 2020 4:09 pm

It's more like we miss something, please read:
viewtopic.php?t=22603

Post by Pippin » Wed Sep 16, 2020 4:13 pm

You have edited your post... that said ...throwing errors... but yes, ncp-disable should help you.
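
The behaviour discussed in this thread, as an added example that is not part of any post: in OpenVPN 2.4 cipher negotiation (NCP) is on by default, so a 2.4 server pushes a cipher from --ncp-ciphers (default AES-256-GCM:AES-128-GCM) and --cipher is only the fallback unless ncp-disable is set. This Python script compares a config with a client log to show when that happened; the function names and the abridged sample input are assumptions made for the example.

```python
import re

def parse_config(text):
    """Return the --cipher value and whether ncp-disable is set."""
    opts = {"cipher": "BF-CBC", "ncp_disable": False}  # BF-CBC: 2.4 default
    for raw in text.splitlines():
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # strip comments
        if not words:
            continue
        if words[0] == "cipher" and len(words) > 1:
            opts["cipher"] = words[1]
        elif words[0] == "ncp-disable":
            opts["ncp_disable"] = True
    return opts

def parse_log(text):
    """Return (cipher pushed by the server, cipher the data channel uses)."""
    pushed = re.search(r"PUSH_REPLY,[^']*\bcipher ([\w-]+)", text)
    used = re.search(r"Data Channel: (?:using negotiated cipher|Cipher) '([\w-]+)'", text)
    return (pushed.group(1) if pushed else None, used.group(1) if used else None)

def diagnose(config_text, log_text):
    """Explain why the data-channel cipher differs from --cipher, if it does."""
    opts = parse_config(config_text)
    pushed, used = parse_log(log_text)
    overridden = used is not None and used != opts["cipher"]
    if not overridden:
        cause = "data channel uses the configured cipher"
    elif opts["ncp_disable"]:
        cause = "ncp-disable is set here; check the peer's cipher setting"
    elif pushed == used:
        cause = "server pushed this cipher via NCP; --cipher is only the fallback"
    else:
        cause = "cipher differs but no matching cipher push is in the log"
    return {"configured": opts["cipher"], "pushed": pushed, "negotiated": used,
            "overridden": overridden, "cause": cause}

# Constructed sample input: lines abridged from the client config and log above.
CLIENT_CONF = """client
auth SHA1
#ncp-disable
#cipher AES-256-CBC
cipher AES-128-CBC
"""
CLIENT_LOG = """PUSH: Received control message: 'PUSH_REPLY,topology subnet,peer-id 0,cipher AES-256-GCM'
Data Channel: using negotiated cipher 'AES-256-GCM'
"""

if __name__ == "__main__":
    print(diagnose(CLIENT_CONF, CLIENT_LOG))
```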
