Version 2.5 not support static key?

[zxun]

I have been using static key as the cipher between a single server and a single client:

Code: Select all

openvpn --genkey --secret static.key

and here is the config of client:

View Originalclient v2.4.11

daemon
dev tun
remote [server IP]
rport 1100
lport 1100
proto udp
ifconfig 10.0.0.2 10.0.0.1
secret static.key 1
writepid /run/tunpid
log-append /var/openvpn.log
verb 4

I copied previous config of server v2.4 to a new server but on v2.5

noticing that "Cipher BF-CBC not supported" Error on v2.5, I add one line to the config, and now the config of the server:

View Originalserver v2.5.9

dev tun0
lport 1100
proto udp
ifconfig 10.0.0.1 10.0.0.2
cipher AES-256-CBC
secret static.key 0
log-append /var/openvpn.log

But now a new issue appears on openvpn.log of server:

Code: Select all

2023-09-16 13:51:36 net_addr_ptp_v4_add: 10.0.0.1 peer 10.0.0.2 dev tun0
2023-09-16 13:51:36 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-09-16 13:51:36 UDPv4 link local (bound): [AF_INET][undef]:1100
2023-09-16 13:51:36 UDPv4 link remote: [AF_UNSPEC]
2023-09-16 14:01:17 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:18 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:21 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:25 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:27 Authenticate/Decrypt packet error: cipher final failed
2023-09-16 14:01:37 Authenticate/Decrypt packet error: cipher final failed

What is wrong with the new version?
Is the cipher between a pair of server and client permanently disabled?

[openvpn_inc]

Hello,

Sounds like you need to also update the cipher on the client side so it matches what the server now expects.

Kind regards,
Johan

[zxun]

Hello,

Sounds like you need to also update the cipher on the client side so it matches what the server now expects.

Kind regards,
Johan

Hi Johan!

I have made another static key under the version 2.5 on that client machine by `openvpn --genkey --secret static2.key`
It would give out a warning like this

Code: Select all

WARNING: Using --genkey --secret filename is depreciated  Use --genkey secret filename instead

but nevertheless generated the key file "static2.key". And I compared it with 'static.key' generated under version 2.4.11, the format has no difference, with the same envelope like this:

Code: Select all

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
......the key string......
-----END OpenVPN Static key V1-----

Therefore I copied 'static2.key' generated by version 2.5.9 back to the server machine under version 2.4.11, and then copied it to the old client server with the same old version 2.4.11. After that I changed the configuration on both old machines to use 'static2.key' instead, then restart the server and the client - and it worked!

So it is not true that the old version cannot read the new key. It is not the key format that made the difference, but the new program does not support using static key to form a single p-to-p tunnel. Sorry that I did not flush the old client machine with the new openvpn version, because I cannot afford ruining the functioning tunnel between two old versions.