Hi.
I've been using OpenVPN 2.4.6 in pfsense for a long time, but now I'm setting up a second server with version 2.6.5.
I've installed both clients and configs on my Windows machine, so I currently have client 2.6.5 running with 2 different configs (one from the new and one from the old server), but I can only connect to the new server. I read that some parameter names were replaced and new ones were created.
So, my question is: is it possible to use the 2.6.5 client to connect to both 2.4.6 and 2.6.5 servers?
Thanks for your time.
rdquit
Can a "modern" client connect to an "old" server?
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Sep 26, 2023 3:06 pm
- openvpn_inc
- OpenVPN Inc.
- Posts: 1292
- Joined: Tue Feb 16, 2021 10:41 am
Re: Can a "modern" client connect to an "old" server?
Hello rdquit,
Yes, very possible. However, as you might understand, between the time 2.4.6 was released (April 2018), and version 2.6.5 was released (June 2023) there have been 5 years of changes. That means you may need to make some adjustments.
It would be helpful to post configs (without private keys and such) and any error messages you get.
Kind regards,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Sep 26, 2023 3:06 pm
Re: Can a "modern" client connect to an "old" server?
Hello, Johan.
I'm so sorry for the late response.
#########################
The old config given by the 2.4.6 Client Export Wizard
#########################
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote <my server ip> <my server port> udp
verify-x509-name "Certificado OpenVPN" name
auth-user-pass
pkcs12 LXVPN01-UDP4-1194-VPNUser1.p12
tls-auth LXVPN01-UDP4-1194-VPNUser1-tls.key 1
remote-cert-tls server
comp-lzo adaptive
##########################
The errors I get when trying to use it with the 2.6.5 client
##########################
2023-10-04 15:04:35 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2023-10-04 15:04:35 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-10-04 15:04:35 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). OpenVPN ignores --cipher for cipher negotiations.
2023-10-04 15:04:35 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
2023-10-04 15:04:35 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-10-04 15:04:35 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-10-04 15:04:35 DCO version: v0
2023-10-04 15:04:37 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-10-04 15:04:37 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-10-04 15:04:37 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-10-04 15:04:37 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-10-04 15:04:37 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-10-04 15:04:49 OpenSSL: error:0308010C:digital envelope routines::unsupported
2023-10-04 15:04:49 OpenSSL: error:11800071:PKCS12 routines::mac verify failure
2023-10-04 15:04:49 Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption
2023-10-04 15:04:49 SIGUSR1[soft,private-key-password-failure] received, process restarting
2023-10-04 15:04:59 ERROR: could not read Private Key username/password/ok/string from management interface
2023-10-04 15:04:59 Exiting due to fatal error
###########################
Thank you very much for your time.
Rafael
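
The notes, warnings and errors in the 2.6.5 log above each trace back to one option in the exported 2.4.6 config. As an added example (not part of either post, and not OpenVPN code), this small Python linter flags those options in a client config before it is handed to a 2.6 client; the function names, the sample string and the default cipher list are assumptions made for the illustration.

```python
# Constructed sample: options copied from the 2.4.6-exported config in the post.
SAMPLE_CONFIG = """\
dev tun
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
pkcs12 LXVPN01-UDP4-1194-VPNUser1.p12
tls-auth LXVPN01-UDP4-1194-VPNUser1-tls.key 1
comp-lzo adaptive
"""
# Assumption: cipher list a 2.6 client negotiates with when none is configured.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"

def parse_options(text):
    """Return {option: [args]} for each directive; comments and blanks skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()  # whitespace split; quoted args are not rejoined
        opts[name.lstrip("-")] = args
    return opts

def lint_for_26(text):
    """Return (option, reason) pairs matching what the 2.6.5 log complains about."""
    opts, findings = parse_options(text), []
    if "ncp-ciphers" in opts:
        findings.append(("ncp-ciphers", "renamed to data-ciphers in OpenVPN 2.5"))
    lst = opts.get("data-ciphers") or opts.get("ncp-ciphers") or [DEFAULT_DATA_CIPHERS]
    negotiable = lst[0].upper().split(":")
    cipher = (opts.get("cipher") or [None])[0]
    if cipher and cipher.upper() not in negotiable:
        findings.append(("cipher", f"{cipher} is missing from data-ciphers, so it is "
                         "ignored for negotiation (see data-ciphers-fallback)"))
    if "comp-lzo" in opts or "compress" in opts:
        findings.append(("compression", "compression has been used to break "
                         "encryption; 2.6 only decompresses unless "
                         "allow-compression yes is set"))
    if "pkcs12" in opts:
        findings.append(("pkcs12", "OpenSSL 3 can fail to decode a .p12 that uses "
                         "legacy encryption; check how the bundle was exported"))
    return findings

if __name__ == "__main__":
    for option, reason in lint_for_26(SAMPLE_CONFIG):
        print(f"{option}: {reason}")
```

Of the four findings, only the `pkcs12` one corresponds to the fatal error in the log; the other three match notes and warnings the client printed before continuing.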