Version 2.5 not support static key?

Post by zxun » Sat Sep 16, 2023 2:21 pm

I have been using a static key as the cipher between a single server and a single client:

openvpn --genkey --secret static.key

and here is the config of the client:
client v2.4.11

daemon
dev tun
remote [server IP]
rport 1100
lport 1100
proto udp
ifconfig 10.0.0.2 10.0.0.1
secret static.key 1
writepid /run/tunpid
log-append /var/openvpn.log
verb 4


I copied the previous config of the v2.4 server to a new server, but one running v2.5.

Noticing the "Cipher BF-CBC not supported" error on v2.5, I added one line to the config, and now the config of the server is:
server v2.5.9

dev tun0
lport 1100
proto udp
ifconfig 10.0.0.1 10.0.0.2
cipher AES-256-CBC
secret static.key 0
log-append /var/openvpn.log


But now a new issue appears in openvpn.log on the server:

2023-09-16 13:51:36 net_addr_ptp_v4_add: 10.0.0.1 peer 10.0.0.2 dev tun0
2023-09-16 13:51:36 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-09-16 13:51:36 UDPv4 link local (bound): [AF_INET][undef]:1100
2023-09-16 13:51:36 UDPv4 link remote: [AF_UNSPEC]
2023-09-16 14:01:17 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:18 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:21 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:25 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:27 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:37 Authenticate/Decrypt packet error: cipher final failed

What is wrong with the new version?
Is the cipher between a pair of server and client permanently disabled?
Last edited by zxun on Sun Sep 17, 2023 3:55 am, edited 5 times in total.


Post by openvpn_inc » Sat Sep 16, 2023 6:30 pm

Hello,

Sounds like you need to also update the cipher on the client side so it matches what the server now expects.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
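
The mismatch described in the answer above, as an added example that is not part of the original posts: a small Python check that compares the two ends of a static-key tunnel, where nothing is negotiated and every crypto setting must be identical in both configs. The function names are hypothetical, and the BF-CBC and SHA1 fallback values for a config with no `cipher` or `auth` line are an assumption about OpenVPN's defaults in these versions.

```python
# Added example, not from the thread: compare both ends of a static-key tunnel.
# Assumption: a peer with no "cipher"/"auth" line uses BF-CBC / SHA1 (the
# thread's "Cipher BF-CBC not supported" error shows BF-CBC was the fallback).
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

def parse(text):
    """Return {directive: [args]}; '#' and ';' start a comment."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#")[0].split(";")[0].split()
        if words:
            conf[words[0]] = words[1:]
    return conf

def check_pair(server_text, client_text):
    """Return the settings that must agree on both peers but do not."""
    srv, cli = parse(server_text), parse(client_text)
    problems = []
    for key, default in DEFAULTS.items():
        a = (srv.get(key) or [default])[0].upper()
        b = (cli.get(key) or [default])[0].upper()
        if a != b:
            problems.append(f"{key} mismatch: server={a} client={b}")
    # "secret file [direction]": both omitted, or 0 on one side and 1 on the other
    dirs = sorted((c.get("secret") or [""])[1:2] for c in (srv, cli))
    if dirs not in ([[], []], [["0"], ["1"]]):
        problems.append(f"key direction not complementary: {dirs}")
    # "ifconfig local remote" must be mirrored on the other peer
    if (srv.get("ifconfig") or []) != (cli.get("ifconfig") or [])[::-1]:
        problems.append("ifconfig endpoints are not mirrored")
    return problems

# Constructed from the two configs posted in the thread (relevant lines only).
SERVER_25 = """dev tun0
lport 1100
ifconfig 10.0.0.1 10.0.0.2
cipher AES-256-CBC
secret static.key 0
"""
CLIENT_24 = """dev tun
rport 1100
ifconfig 10.0.0.2 10.0.0.1
secret static.key 1
"""

if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_25, CLIENT_24)) or "peers agree")
```

Run against the thread's configs it reports only the cipher difference; adding the same `cipher` line to the client text makes the list empty.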

Post by zxun » Sun Sep 17, 2023 3:45 am

openvpn_inc wrote:
Sat Sep 16, 2023 6:30 pm
Hello,

Sounds like you need to also update the cipher on the client side so it matches what the server now expects.

Kind regards,
Johan

Hi Johan!

I have made another static key under version 2.5 on that client machine with `openvpn --genkey --secret static2.key`.
It gives a warning like this:

WARNING: Using --genkey --secret filename is depreciated  Use --genkey secret filename instead

but it nevertheless generated the key file "static2.key". I compared it with 'static.key' generated under version 2.4.11, and the format is no different, with the same envelope like this:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
......the key string......
-----END OpenVPN Static key V1-----

Therefore I copied 'static2.key' generated by version 2.5.9 back to the server machine under version 2.4.11, and then copied it to the old client server with the same old version 2.4.11. After that I changed the configuration on both old machines to use 'static2.key' instead, then restarted the server and the client - and it worked!

So it is not true that the old version cannot read the new key. It is not the key format that made the difference, but the new program does not support using a static key to form a single p-to-p tunnel. Sorry that I did not flush the old client machine with the new openvpn version, because I cannot afford to ruin the functioning tunnel between the two old versions.
