WARNING: 'cipher' is used inconsistently,

Post by BobAGI » Sat Mar 24, 2018 1:11 pm

In January 2018 I set up an OpenVPN server on a Linux Ubuntu 16.04 machine at home.
OpenVPN reports this version: OpenVPN 2.4.4 x86_64-pc-linux-gnu

It is used by family members to access the home network while traveling.

Now I inspected the logs and found a strange warning as follows:

```
IV_GUI_VER=net.openvpn.connect.ios_1.2.7-4
peer info: IV_VER=3.1.2
peer info: IV_PLAT=ios
peer info: IV_NCP=2
info: IV_TCPNL=1
peer info: IV_PROTO=2
peer info: IV_LZO=1
peer info: IV_AUTO_SESS=1
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1525'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
```

Why does this happen and should I be worried?
This is not the case when I connect myself, the warnings come when my brother-in-law connects from an iPad.
I only use Windows and Android devices myself.

The server.conf file has this:
server.conf

```
port 1191
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.119.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 20
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4
mute 10
explicit-exit-notify 1
push "explicit-exit-notify 1"
push "sndbuf 262144"
push "rcvbuf 262144"
```

And the client OVPN file has this:
xxx.ovpn

```
client
dev tun
proto udp
remote vpn.xxxx.com 1191
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-nocache
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
explicit-exit-notify 1
```

Post by TinCanTech » Sat Mar 24, 2018 1:19 pm

BobAGI wrote: Sat Mar 24, 2018 1:11 pm
> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1525'
> WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'

--link-mtu is a problem with the MTU code, it is not quite right ..
--cipher is due to negotiated cipher protocol and is a known bug
as openvpn works anyway it is not considered to be important currently.

BobAGI wrote: Sat Mar 24, 2018 1:11 pm
> OpenVPN 2.4.4 x86_64-pc-linux-gnu

2.4.5 is now the official release.
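
An added example, not part of the thread and not OpenVPN's own code: a small Python check that reads the log lines quoted above and compares the cipher named in the warning with the cipher the data channel was actually initialised with. The function name and verdict strings are hypothetical, the sample is constructed from the quoted log, and it assumes that a peer sending IV_NCP of 2 or higher supports cipher negotiation.

```python
import re

# Constructed sample: the relevant lines from the log quoted in the thread.
SAMPLE_LOG = """\
peer info: IV_NCP=2
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

WARN_RE = re.compile(r"WARNING: 'cipher' is used inconsistently, "
                     r"local='cipher ([\w-]+)', remote='cipher ([\w-]+)'")
CHAN_RE = re.compile(r"(Outgoing|Incoming) Data Channel: Cipher '([\w-]+)' initialized")
NCP_RE = re.compile(r"peer info: IV_NCP=(\d+)")

def assess_cipher_warning(log_text):
    """Summarise the log of ONE connection: what was warned about vs. what is in use."""
    result = {"warned": None, "peer_ncp": None, "outgoing": None, "incoming": None}
    for line in log_text.splitlines():
        if m := WARN_RE.search(line):
            result["warned"] = {"local": m.group(1), "remote": m.group(2)}
        elif m := CHAN_RE.search(line):
            result[m.group(1).lower()] = m.group(2)
        elif m := NCP_RE.search(line):
            result["peer_ncp"] = int(m.group(1))
    out, inc = result["outgoing"], result["incoming"]
    # Assumption: IV_NCP >= 2 means the peer announced support for cipher negotiation.
    ncp_ok = (result["peer_ncp"] or 0) >= 2
    if out is None or inc is None:
        verdict = "unknown: no data channel initialisation lines found"
    elif out != inc:
        verdict = "investigate: the two directions use different ciphers"
    elif result["warned"] is None:
        verdict = "ok: no cipher warning logged"
    elif out == result["warned"]["local"]:
        verdict = "ok: data channel uses the locally configured cipher"
    elif ncp_ok:
        verdict = "negotiated: data channel cipher differs from the local 'cipher' line"
    else:
        verdict = "investigate: cipher differs from config and peer sent no IV_NCP"
    result["verdict"] = verdict
    return result
```

For the quoted log this reports AES-256-GCM in both directions even though server.conf says `cipher AES-256-CBC`.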

Post by BobAGI » Sat Mar 24, 2018 1:35 pm

TinCanTech wrote: Sat Mar 24, 2018 1:19 pm
> --link-mtu is a problem with the MTU code, it is not quite right ..
> --cipher is due to negotiated cipher protocol and is a known bug
> as openvpn works anyway it is not considered to be important currently.

Is this a problem on the iOS client side, then?
It looks to come from the client...

TinCanTech wrote: Sat Mar 24, 2018 1:19 pm
> BobAGI wrote: Sat Mar 24, 2018 1:11 pm
> > OpenVPN 2.4.4 x86_64-pc-linux-gnu
>
> 2.4.5 is now the official release.

I had to go through loops to get the 2.4.4 version onto the Ubuntu server; the official apt-get version was quite a bit older.
I think I had to change server for apt-get if I remember correctly.
Should I try to upgrade?
And can I use apt-get install for that?
(I am currently overseas so I would need to use OpenVPN to access the server in that case)
