Can't connect with Windows to OVPN server

[commy]

Hi there,

I'm trying to connect to an OpenVPN server which is basically my router.
I receive this error:

2021-04-30 14:39:25 OPTIONS IMPORT: timers and/or timeouts modified
2021-04-30 14:39:25 OPTIONS IMPORT: --ifconfig/up options modified
2021-04-30 14:39:25 OPTIONS IMPORT: route options modified
2021-04-30 14:39:25 OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want to connect to this server.
2021-04-30 14:39:25 ERROR: Failed to apply push options
2021-04-30 14:39:25 Failed to open tun/tap interface
2021-04-30 14:39:25 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2021-04-30 14:39:25 MANAGEMENT: >STATE:1619786365,RECONNECTING,process-push-msg-failed,,,,,
2021-04-30 14:39:25 Restart pause, 5 second(s)


I just searched for the error and found some users saying just add "ncp-disable" in my OpenVPN config on the client. But then I get this error message which I don't understand:

2021-04-30 14:51:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2021-04-30 14:51:49 DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Options error: --ncp-disable needs an explicit --cipher or --data-ciphers-fallback config option
Use --help for more information.

Please could you help me?
If I have to add something to my config (like ncp disable...) will this affect the security level?

Here is my current config:

client
dev tun
proto udp
remote ***HOSTNAME*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 NAS.p12
comp-lzo
verb 3
remote-cert-tls server
ncp-disable


Thanks a lot

[TinCanTech]

See if you can find a suitable combination here:
https://community.openvpn.net/openvpn/w ... egotiation

[commy]

Thanks for your quick reply!!

I found this site too but I still don't get it
Do I have to know the OpenVPN version which uses my router? What should I try to add to the config, something like data-ciphers ... ?

kind regards

[commy]

Ok... I just found out that my router Easybox uses OpenVPN 2.3.6 as server.

So I would need to add „—cipher“ to my config?

Thanks

[TinCanTech]

I believe you need --cipher in your server:

Code: Select all

cipher AES-256-GCM

The client should pick that automatically.

[commy]

Sadly I cant modify such parameters on the server.

Any chance to solve the issue on client side (maybe in the .ovpn file)?
Should I try an older OpenVPN client

[TinCanTech]

What cipher does your server use ?

[commy]

Sorry, but I dont know. All I know is that the connection over iOS app works fine and the installed version on the server.

[TinCanTech]

Try reading the log on your iOS device and also look for the log on your server.

You may need to consult your router manual ..

[commy]

The log on iOS has the information. Thanks for the hint !

cipher: BF-CBC
digest: SHA1
compress: LZO_STUB
peer ID: -1

I removed now the "ncp disable" line from my config and added "cipher BF-CBC".

Aaaaaaaand it works!!

The log just shows some WARNINGS about security. I think the one is about COMPRESSION and the other about SWEET32 attacks.

Any chance to avoid those insecurities?

LOG Warnings;

Sat May 01 20:30:51 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat May 01 20:30:51 2021 DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Sat May 01 20:31:00 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 01 20:31:00 2021 WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.6.
Sat May 01 20:31:04 2021 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.

[TinCanTech]

The log just shows some WARNINGS about security. I think the one is about COMPRESSION and the other about SWEET32 attacks.

Any chance to avoid those insecurities?

Sure, configure your server to use a secure cipher and to not use compression.

[commy]

Ok... I now just changed in the config to this:

cipher AES-256-CBC

Now the WARNINGS disappeared.
I think I should add the cipher AES-256-CBC line to my OVPN config on the iPhone?

The log on Windows just shows this error:
Sat May 01 21:02:45 2021 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Sat May 01 21:02:45 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC'
Sat May 01 21:02:51 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat May 01 21:03:06 2021 Authenticate/Decrypt packet error: cipher final failed
Sat May 01 21:03:17 2021 Authenticate/Decrypt packet error: cipher final failed
Sat May 01 21:03:27 2021 Authenticate/Decrypt packet error: cipher final failed


I think the Compression error will only go away with another server config?
Deprecated Option? Don't know...
And cipher final failed? Don't know too...

[TinCanTech]

You have to change your server config. not your client.

[commy]

Ok, I think I have to live with this issue because I can't change the compression

What about the other two errors?
Sat May 01 21:02:45 2021 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC'
Sat May 01 21:03:06 2021 Authenticate/Decrypt packet error: cipher final failed

You helped me a lot sir, many thanks again! I really appreciate this

[TinCanTech]

Learn how to configure tour server.

[commy]

I can't change the configuration on the server

[TinCanTech]

Then you need a better router.

[ninaaa]

Hello,
ask for support, can't get to my openvpn server (this is physically far away)


Many Thanks



Sun May 02 11:34:22 2021 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Sun May 02 11:34:22 2021 Windows version 6.1 (Windows 7) 64bit
Sun May 02 11:34:22 2021 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Sun May 02 11:34:22 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun May 02 11:34:22 2021 Need hold release from management interface, waiting...
Sun May 02 11:34:23 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'state on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'log all on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'echo all on'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'bytecount 5'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'hold off'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'hold release'
Sun May 02 11:34:23 2021 MANAGEMENT: CMD 'password [...]'
Sun May 02 11:34:23 2021 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun May 02 11:34:23 2021 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 02 11:34:23 2021 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun May 02 11:34:23 2021 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun May 02 11:34:23 2021 MANAGEMENT: >STATE:xxxxx,
Sun May 02 11:34:23 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxx
Sun May 02 11:34:23 2021 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 02 11:34:23 2021 UDP link local: (not bound)
Sun May 02 11:34:23 2021 UDP link remote: [AF_INET]xxxxxxxxx
Sun May 02 11:34:23 2021 MANAGEMENT: >STATE:xxxx
Sun May 02 11:35:23 2021 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 02 11:35:23 2021 TLS Error: TLS handshake failed

[TinCanTech]

I need a Ferrari .. it is financially very far away.

Many Thanks

https://github.com/TinCanTech/easy-tls

[ninaaa]

thanks,

I don't know where the problem is?
it always worked.
I can't get any further with ping, I just want to know whether my Vpn server is running