No server certificate verification method has been enabled
Posted: Fri Nov 18, 2022 11:24 pm
by aherreraCTG
New to OpenVPN - Checked to see if this was asked before and could not find anything - Any help is greatly appreciated.
Fri Nov 18 17:19:15 2022 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
Fri Nov 18 17:19:15 2022 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Re: No server certificate verification method has been enabled
Posted: Tue Nov 29, 2022 9:52 pm
by ordex
The first warning is about what it says.

Drop --cipher and use --data-cipher accordingly (I'd suggest to check the manpage, because the syntax is slightly different).
For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.
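As an added example (not part of the original posts and not OpenVPN project code), the following script audits a client config for the two warnings in the log above. The list of directives it accepts as server verification, the sample configs and the host name `vpn.example.com` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN client config for the
# two warnings shown in the log above.

# Print the arguments of the first uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" '{ sub(/[#;].*/, "") }
        $1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeeds if the config checks the server certificate. The directive list is
# this example's assumption; confirm it against the manpage of your version.
has_server_verification() {
    if [ "$(directive "$1" remote-cert-tls)" = "server" ]; then return 0; fi
    for d in remote-cert-eku verify-x509-name peer-fingerprint tls-verify; do
        if [ -n "$(directive "$1" "$d")" ]; then return 0; fi
    done
    return 1
}

# Succeeds if 'cipher' names an algorithm absent from data-ciphers. When
# data-ciphers is unset, the default list printed in the log above is used.
cipher_mismatch() {
    c=$(directive "$1" cipher | tr 'a-z' 'A-Z')
    if [ -z "$c" ]; then return 1; fi
    list=$(directive "$1" data-ciphers | tr 'a-z' 'A-Z')
    case ":${list:-AES-256-GCM:AES-128-GCM}:" in
        *":$c:"*) return 1 ;;
    esac
    return 0
}

# Constructed sample configs; host name and file names are placeholders.
WEAK=$(mktemp); FIXED=$(mktemp)
printf '%s\n' client 'remote vpn.example.com 1194' 'ca ca.crt' \
    'cipher AES-128-CBC' '# remote-cert-tls server' > "$WEAK"
printf '%s\n' client 'remote vpn.example.com 1194' 'ca ca.crt' \
    'remote-cert-tls server' 'cipher AES-128-CBC' \
    'data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC' > "$FIXED"

for f in "$WEAK" "$FIXED"; do
    has_server_verification "$f" || echo "$f: server certificate is not verified"
    if cipher_mismatch "$f"; then echo "$f: cipher missing from data-ciphers"; fi
done
```

Only the first sample config produces findings; the commented-out `remote-cert-tls` line in it is ignored on purpose.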
Re: No server certificate verification method has been enabled
Posted: Wed Nov 30, 2022 9:56 pm
by 300000
For the second warning I presume you could check the manpage for --remote-cert-tls, but I am not 100% sure.
This is to make sure you should buy Access Server so you don't get that scary warning about the certificate, or you will have that warning all the time when you use it.
You have to make your own choice. Pay money or let it be.
In order to make it disappear you need to change it in the openssl config so it will include the SKU extension, which prevents man-in-the-middle attacks.
Trouble is, the person who wrote Easy RSA intended to leave that warning so people will move to commercial software, or you can correct it if you try to learn to use openssl.
Re: No server certificate verification method has been enabled
Posted: Thu Dec 01, 2022 10:40 pm
by ordex
Please cite your sources when you make such (false) accusations.
Re: No server certificate verification method has been enabled
Posted: Fri Dec 02, 2022 9:27 pm
by 300000
Why does a client connecting to open access server not have that scary warning at all? This is so different between the paid version and the free community one. The same source, but the way it works is not.
When using Easy RSA to have openssl generate the certificate, in the openssl config they just forgot to add "extendedKeyUsage = TLS Web Server Authentication", but this is included in open access server.
That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.
People can use XCA to create a full certificate and use it in openvpn and can add whatever they like, but it takes time to learn and use it.
Re: No server certificate verification method has been enabled
Posted: Sat Dec 03, 2022 9:39 am
by ordex
300000 wrote: ↑Fri Dec 02, 2022 9:27 pm
Why does a client connecting to open access server not have that scary warning at all? This is so different between the paid version and the free community one. The same source, but the way it works is not.
Because the PKI on Access Server is configured properly automatically.
A user creating his own PKI/configuration may not do the right thing and the warning shows up (not sure why you think it's scary though).
300000 wrote: ↑Fri Dec 02, 2022 9:27 pm
When using Easy RSA to have openssl generate the certificate, in the openssl config they just forgot to add "extendedKeyUsage = TLS Web Server Authentication", but this is included in open access server.
Indeed, if you don't know what you are doing it's easy to end up with something that misses some attribute or something else.
This is true for anything in life.
300000 wrote: ↑Fri Dec 02, 2022 9:27 pm
That is why people don't know how and why. But it is OK for personal use anyway. For business they need to buy the paid version for full protection.
People can use XCA to create a full certificate and use it in openvpn and can add whatever they like, but it takes time to learn and use it.
Again, you can learn what you need to do and do it right, like with everything else.
If you don't want to learn... well, feel free to do what you want.
