'link-mtu' is used inconsistently

slaver7 · Post by **slaver7** » Sun Jan 26, 2020 11:04 am

Hi,

If an ios client connect to the server, I get an error

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1449', remote='link-mtu 1421'
Option inconsistency warnings triggering disconnect due to --opt-verify

Any reason why the link-mtu differs?

server.conf

1

server 172.31.252.0 255.255.255.0

2

topology subnet

3

user nobody

4

group nogroup

5

dev tun0

6

proto udp6

7

port 1194

8

ca /etc/openvpn/keys/ca.crt

9

cert /etc/openvpn/keys/server.crt

10

key /etc/openvpn/keys/server.key

11

dh none

12

ecdh-curve secp521r1

13

crl-verify /etc/openvpn/keys/crl.pem

14

tls-crypt /etc/openvpn/keys/ta.key

15

auth none

16

mssfix 1300

17

sndbuf 393216

18

rcvbuf 393216

19

push "sndbuf 393216"

20

push "rcvbuf 393216"

21

status-version 2

22

push "dhcp-option DISABLE-NBT"

23

keepalive 10 60

24

verb 3

25

auth none

26

cipher AES-256-GCM

27

tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

28

tls-version-min 1.2

29

persist-key

30

persist-tun

31

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login

32

script-security 2

33

auth-user-pass-verify "/bin/bash -c 'test \"$common_name\" == \"$username\"'" via-env

34

duplicate-cn

35

explicit-exit-notify 0

36

remote-cert-tls client

37

fast-io

38

opt-verify

39

reneg-sec 86400

40

mute-replay-warnings

client.ovpn

1

client

2

dev tun

3

remote server 1194

4

proto udp

5

resolv-retry infinite

6

auth-retry none

7

auth-user-pass

8

nobind

9

persist-key

10

persist-tun

11

tun-mtu 1400

12

auth none

13

ecdh-curve secp521r1

14

cipher AES-256-GCM

15

tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

16

remote-cert-tls server

17

mute-replay-warnings

18

explicit-exit-notify 1

19

verb 3

20

mute 20

21

reneg-sec 0

22

<ca>

23

--STRIPPED INLINE CA CERT--

24

</ca>

25

<tls-crypt>

26

-----BEGIN OpenVPN Static key V1-----

27

-----END OpenVPN Static key V1-----

28

</tls-crypt>

29

<key>

30

--STRIPPED INLINE KEY--

31

</key>

32

<cert>

33

--STRIPPED INLINE CERT--

34

</cert>

Should I disable "opt-verify" when ios clients want to connect?

TinCanTech · Post by **TinCanTech** » Sun Jan 26, 2020 12:51 pm

slaver7 wrote: ↑
Sun Jan 26, 2020 11:04 am
WARNING: 'link-mtu' is used inconsistently

This is a known bug and can be ignored for the most part. Every log will see this message.

slaver7 wrote: ↑
Sun Jan 26, 2020 11:04 am
Option inconsistency warnings triggering disconnect due to --opt-verify

Need to see the full log to explain this ..

Please see:
viewtopic.php?f=30&t=22603#p68963

slaver7 · Post by **slaver7** » Sun Jan 26, 2020 10:53 pm

Code: Select all

Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> TLS: Initial packet from [AF_INET6]::ffff:<IP>:63899, sid=19a5bff2 1d030f40
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> WARNING: Failed to stat CRL file, not (re)loading CRL.
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY OK: depth=1, CN=server CA
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY KU OK
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Validating certificate extended key usage
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY EKU OK
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> VERIFY OK: depth=0, CN=jkr
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.1-2819
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_VER=3.git::2ae73415
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_PLAT=ios
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_NCP=2
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_TCPNL=1
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> peer info: IV_PROTO=2
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> TLS: Username/Password authentication succeeded for username 'jkr'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Option inconsistency warnings triggering disconnect due to --opt-verify
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384, 521 bit EC, curve: secp521r1
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> [jkr] Peer Connection Initiated with [AF_INET6]::ffff:<IP>:63899
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> PUSH: Received control message: 'PUSH_REQUEST'
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> Delayed exit in 5 seconds
Jan 26 11:45:51 ip-10-124-4-33 ovpn-server[16397]: <IP> SENT CONTROL [jkr]: 'AUTH_FAILED' (status=1)
Jan 26 11:45:56 ip-10-124-4-33 ovpn-server[16397]: <IP> SIGTERM[soft,delayed-exit] received, client-instance exiting

If opt-verify is set a client with inconsistently config must be reject, right?

TinCanTech · Post by **TinCanTech** » Sun Jan 26, 2020 11:27 pm

slaver7 wrote: ↑
Sun Jan 26, 2020 11:04 am
Should I disable "opt-verify" when ios clients want to connect?

Or fix the options which you chose to badly configure ..

slaver7 · Post by **slaver7** » Tue Jan 28, 2020 10:08 pm

How?

How can I fix the link-mtu issues described above if its a known bug? It just happens on the mobile clients

TinCanTech · Post by **TinCanTech** » Wed Jan 29, 2020 1:04 am

The warning in the log is a known bug .. but it does not interfere with the function of your VPN.

slaver7 · Post by **slaver7** » Wed Jan 29, 2020 7:49 pm

Okay I get it.

Set

Code: Select all

opt-verify

on the server configuration results in a badly configuration in this case, since opt-verify thread warnings as a reason to reject such clients?

TinCanTech · Post by **TinCanTech** » Wed Jan 29, 2020 9:31 pm

I had to test this myself but you are correct, those warnings are not compatible with --opt-verify

slaver7 · Post by **slaver7** » Fri Jan 31, 2020 8:59 pm

Thanks for the confirmation.

antioch · Post by **antioch** » Sun May 29, 2022 5:24 pm

TinCanTech wrote: ↑
Wed Jan 29, 2020 9:31 pm
I had to test this myself but you are correct, those warnings are not compatible with --opt-verify

for clarification, youre saying that theres no way to employ opt-verify when mobile clients are present?

TinCanTech · Post by **TinCanTech** » Sun May 29, 2022 6:53 pm

antioch wrote: ↑
Sun May 29, 2022 5:24 pm
for clarification, youre saying that theres no way to employ opt-verify when mobile clients are present?

No, that is not the point.

The point is: --opt-verify will disconnect clients with incompatible settings.

The problem is: All clients will likely have some incompatible settings because Openvpn is free and nobody has the time to make this work as intended.

If you use it then you will have problems.

OpenVPN Support Forum

'link-mtu' is used inconsistently

'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently

Re: 'link-mtu' is used inconsistently