'link-mtu' is used inconsistently

slaver7
OpenVpn Newbie
Posts: 10
Joined: Sun Jan 26, 2020 9:09 am

'link-mtu' is used inconsistently

Post by slaver7 » Sun Jan 26, 2020 11:04 am

Hi,

If an iOS client connects to the server, I get an error:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1449', remote='link-mtu 1421'
Option inconsistency warnings triggering disconnect due to --opt-verify

Any reason why the link-mtu differs?

server.conf

server 172.31.252.0 255.255.255.0
topology subnet

user nobody
group nogroup

dev tun0
proto udp6
port 1194

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh none
ecdh-curve secp521r1
crl-verify /etc/openvpn/keys/crl.pem
tls-crypt /etc/openvpn/keys/ta.key
auth none

mssfix 1300

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

# https://community.openvpn.net/openvpn/wiki/VORACLE
#compress lz4-v2
status-version 2

push "dhcp-option DISABLE-NBT"

keepalive 10 60
verb 3

auth none
cipher AES-256-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2

persist-key
persist-tun

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login

script-security 2
auth-user-pass-verify "/bin/bash -c 'test \"$common_name\" == \"$username\"'" via-env
duplicate-cn

explicit-exit-notify 0
remote-cert-tls client
fast-io
opt-verify
reneg-sec 86400
mute-replay-warnings


client.ovpn

client

dev tun
remote server 1194
proto udp

resolv-retry infinite
auth-retry none
auth-user-pass

nobind
persist-key
persist-tun

tun-mtu 1400

auth none
ecdh-curve secp521r1
cipher AES-256-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server

mute-replay-warnings
explicit-exit-notify 1

verb 3
mute 20

reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>


Should I disable "opt-verify" when ios clients want to connect?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: 'link-mtu' is used inconsistently

Post by TinCanTech » Sun Jan 26, 2020 12:51 pm

slaver7 wrote (Sun Jan 26, 2020 11:04 am):
WARNING: 'link-mtu' is used inconsistently

This is a known bug and can be ignored for the most part. Every log will see this message.

slaver7 wrote (Sun Jan 26, 2020 11:04 am):
Option inconsistency warnings triggering disconnect due to --opt-verify

Need to see the full log to explain this ..

Please see:
viewtopic.php?f=30&t=22603#p68963

slaver7
OpenVpn Newbie
Posts: 10
Joined: Sun Jan 26, 2020 9:09 am

Re: 'link-mtu' is used inconsistently

Post by slaver7 » Sun Jan 26, 2020 10:53 pm

Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> TLS: Initial packet from [AF_INET6]::ffff:<IP>:63899, sid=19a5bff2 1d030f40
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> WARNING: Failed to stat CRL file, not (re)loading CRL.
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY OK: depth=1, CN=server CA
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY KU OK
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Validating certificate extended key usage
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY EKU OK
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY OK: depth=0, CN=jkr
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.1-2819
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_VER=3.git::2ae73415
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_PLAT=ios
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_NCP=2
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_TCPNL=1
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_PROTO=2
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> TLS: Username/Password authentication succeeded for username 'jkr'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Option inconsistency warnings triggering disconnect due to --opt-verify
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> [jkr] Peer Connection Initiated with [AF_INET6]::ffff:<IP>:63899
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> PUSH: Received control message: 'PUSH_REQUEST'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Delayed exit in 5 seconds
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> SENT CONTROL [jkr]: 'AUTH_FAILED' (status=1)
Jan 26 11:45:56 ip-10-124-4-33 ovpn-server[16397]: <IP> SIGTERM[soft,delayed-exit] received, client-instance exiting

If opt-verify is set, a client with an inconsistent config must be rejected, right?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: 'link-mtu' is used inconsistently

Post by TinCanTech » Sun Jan 26, 2020 11:27 pm

slaver7 wrote (Sun Jan 26, 2020 11:04 am):
Should I disable "opt-verify" when ios clients want to connect?

Or fix the options which you chose to badly configure ..

slaver7
OpenVpn Newbie
Posts: 10
Joined: Sun Jan 26, 2020 9:09 am

Re: 'link-mtu' is used inconsistently

Post by slaver7 » Tue Jan 28, 2020 10:08 pm

How?

How can I fix the link-mtu issues described above if it's a known bug? It just happens on the mobile clients.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: 'link-mtu' is used inconsistently

Post by TinCanTech » Wed Jan 29, 2020 1:04 am

The warning in the log is a known bug .. but it does not interfere with the function of your VPN.

slaver7
OpenVpn Newbie
Posts: 10
Joined: Sun Jan 26, 2020 9:09 am

Re: 'link-mtu' is used inconsistently

Post by slaver7 » Wed Jan 29, 2020 7:49 pm

Okay I get it.

Setting opt-verify on the server configuration results in a bad configuration in this case, since opt-verify treats warnings as a reason to reject such clients?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: 'link-mtu' is used inconsistently

Post by TinCanTech » Wed Jan 29, 2020 9:31 pm

I had to test this myself but you are correct, those warnings are not compatible with --opt-verify

slaver7
OpenVpn Newbie
Posts: 10
Joined: Sun Jan 26, 2020 9:09 am

Re: 'link-mtu' is used inconsistently

Post by slaver7 » Fri Jan 31, 2020 8:59 pm

Thanks for the confirmation.

antioch
OpenVpn Newbie
Posts: 9
Joined: Fri Sep 10, 2021 7:17 pm

Re: 'link-mtu' is used inconsistently

Post by antioch » Sun May 29, 2022 5:24 pm

TinCanTech wrote (Wed Jan 29, 2020 9:31 pm):
I had to test this myself but you are correct, those warnings are not compatible with --opt-verify

For clarification, you're saying that there's no way to employ opt-verify when mobile clients are present?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: 'link-mtu' is used inconsistently

Post by TinCanTech » Sun May 29, 2022 6:53 pm

antioch wrote (Sun May 29, 2022 5:24 pm):
For clarification, you're saying that there's no way to employ opt-verify when mobile clients are present?

No, that is not the point.

The point is: --opt-verify will disconnect clients with incompatible settings.

The problem is: All clients will likely have some incompatible settings because OpenVPN is free and nobody has the time to make this work as intended.

If you use it then you will have problems.

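A triage sketch for the log pattern discussed in this thread, added here as an example (it is not code from the posters or from the OpenVPN project): it groups the "used inconsistently" warnings per peer and flags which peers were then disconnected by --opt-verify. The sample log is constructed in the format of the server log quoted above, and the `summarize` helper, host names and peer addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server log quoted in this thread.
# vpn-a runs with opt-verify, vpn-b without; 192.0.2.10 and 198.51.100.7 are
# documentation addresses, not real peers.
SAMPLE_LOG = """\
Jan 26 11:45:51 vpn-a ovpn-server[16397]: 192.0.2.10 peer info: IV_PLAT=ios
Jan 26 11:45:51 vpn-a ovpn-server[16397]: 192.0.2.10 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Jan 26 11:45:51 vpn-a ovpn-server[16397]: 192.0.2.10 Option inconsistency warnings triggering disconnect due to --opt-verify
Jan 26 11:45:51 vpn-a ovpn-server[16397]: 192.0.2.10 SENT CONTROL [jkr]: 'AUTH_FAILED' (status=1)
Jan 26 11:46:02 vpn-b ovpn-server[20411]: 198.51.100.7 peer info: IV_PLAT=linux
Jan 26 11:46:02 vpn-b ovpn-server[20411]: 198.51.100.7 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1550'
Jan 26 11:46:03 vpn-b ovpn-server[20411]: 198.51.100.7 PUSH: Received control message: 'PUSH_REQUEST'
"""

LINE = re.compile(r"ovpn-server\[\d+\]: (?P<peer>\S+) (?P<msg>.*)$")
MISMATCH = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
                      r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
REJECT = "triggering disconnect due to --opt-verify"

def summarize(log_text):
    """Group option-mismatch warnings per peer and flag opt-verify rejections."""
    peers = defaultdict(lambda: {"platform": None, "mismatches": [], "rejected": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry, msg = peers[m["peer"]], m["msg"]
        if msg.startswith("peer info: IV_PLAT="):
            entry["platform"] = msg.split("=", 1)[1]
        elif (w := MISMATCH.search(msg)):
            opt = w["opt"]
            # Values are logged as "<option> <value>"; strip the option name.
            local = w["local"].removeprefix(opt).strip()
            remote = w["remote"].removeprefix(opt).strip()
            entry["mismatches"].append((opt, local, remote))
        elif REJECT in msg:
            entry["rejected"] = True
    return dict(peers)

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        state = "REJECTED by --opt-verify" if info["rejected"] else "warning only"
        for opt, local, remote in info["mismatches"]:
            print(f"{peer} ({info['platform']}): {opt} local={local} remote={remote} -> {state}")
```

Running it over a day of server logs shows which client platforms and which option names account for the rejections before deciding whether to keep opt-verify enabled.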