search

Nyr / openvpn-install

OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
MIT License
18.72k stars 4.82k forks source link

TLS and cipher issues #1052

Closed Frankedinven closed 11 months ago

Frankedinven commented 1 year ago

encountered this issue, what to do?

### **Sun Jul 16 20:32:47 2023 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set. Sun Jul 16 20:32:47 2023 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-128-CBC). OpenVPN ignores --cipher for cipher negotiations.** Sun Jul 16 20:32:47 2023 Note: '--allow-compression' is not set to 'no', disabling data channel offload. Sun Jul 16 20:32:47 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023 Sun Jul 16 20:32:47 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable Sun Jul 16 20:32:47 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10 Sun Jul 16 20:32:47 2023 DCO version: v0 Sun Jul 16 20:32:47 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343 Sun Jul 16 20:32:47 2023 Need hold release from management interface, waiting... Sun Jul 16 20:32:48 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52359 Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'state on' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'log on all' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'echo on all' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'bytecount 5' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'state' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'hold off' Sun Jul 16 20:32:48 2023 MANAGEMENT: CMD 'hold release' Sun Jul 16 20:32:48 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]139.162.154.54:1194 Sun Jul 16 20:32:48 2023 Socket Buffers: R=[65536->65536] S=[65536->65536] Sun Jul 16 20:32:48 2023 UDPv4 link local: (not bound) Sun Jul 16 20:32:48 2023 UDPv4 link remote: [AF_INET]139.162.154.54:1194 Sun Jul 16 20:32:48 2023 MANAGEMENT: >STATE:1689546768,WAIT,,,,,, Sun Jul 16 20:32:48 2023 MANAGEMENT: >STATE:1689546768,AUTH,,,,,, Sun Jul 16 20:32:48 2023 TLS: Initial packet from [AF_INET]139.162.154.54:1194, sid=7382e86c 1dec440f Sun Jul 16 20:32:48 2023 VERIFY OK: depth=1, CN=ChangeMe Sun Jul 16 20:32:48 2023 VERIFY KU OK Sun Jul 16 20:32:48 2023 Validating certificate extended key usage Sun Jul 16 20:32:48 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 16 20:32:48 2023 VERIFY EKU OK Sun Jul 16 20:32:48 2023 VERIFY OK: depth=0, CN=server Sun Jul 16 20:33:48 2023 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Sun Jul 16 20:33:48 2023 TLS Error: TLS handshake failed Sun Jul 16 20:33:48 2023 SIGUSR1[soft,tls-error] received, process restarting Sun Jul 16 20:33:48 2023 MANAGEMENT: >STATE:1689546828,RECONNECTING,tls-error,,,,, Sun Jul 16 20:33:48 2023 Restart pause, 1 second(s) Sun Jul 16 20:33:49 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]139.162.154.54:1194 Sun Jul 16 20:33:49 2023 Socket Buffers: R=[65536->65536] S=[65536->65536] Sun Jul 16 20:33:49 2023 UDPv4 link local: (not bound) Sun Jul 16 20:33:49 2023 UDPv4 link remote: [AF_INET]139.162.154.54:1194 Sun Jul 16 20:33:49 2023 MANAGEMENT: >STATE:1689546829,WAIT,,,,,, Sun Jul 16 20:33:49 2023 MANAGEMENT: >STATE:1689546829,AUTH,,,,,, Sun Jul 16 20:33:49 2023 TLS: Initial packet from [AF_INET]139.162.154.54:1194, sid=19d04519 56f98c1b Sun Jul 16 20:33:49 2023 VERIFY OK: depth=1, CN=ChangeMe Sun Jul 16 20:33:49 2023 VERIFY KU OK Sun Jul 16 20:33:49 2023 Validating certificate extended key usage Sun Jul 16 20:33:49 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 16 20:33:49 2023 VERIFY EKU OK Sun Jul 16 20:33:49 2023 VERIFY OK: depth=0, CN=server

ikidou commented 11 months ago

replace cipher AES-256-CBC to data-ciphers AES-128-GCM or other OpenVPN Recommended cipher:

sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' /etc/openvpn/server/server.conf
sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' /etc/openvpn/server/client-common.txt
sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' <youclient.ovpn>
sudo systemctl restart openvpn
pvanthony commented 11 months ago

replace cipher AES-256-CBC to data-ciphers AES-128-GCM or other OpenVPN Recommended cipher:

* AES-256-GCM

* AES-128-GCM

* CHACHA20-POLY1305
sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' /etc/openvpn/server/server.conf
sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' /etc/openvpn/server/client-common.txt
sudo sed -i 's|cipher AES-256-CBC|data-ciphers AES-128-GCM|' <youclient.ovpn>
sudo systemctl restart openvpn

This works for me. Thank you for sharing the solution.

Nyr commented 11 months ago

This is a benign warning about a parameter which is there for legacy reasons. You can ignore the warning and there is no need to take any action.

The data-ciphers parameter is not required and there is absolutely no need to set it.