OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

2.4.6: linux client cannot dynamically negotiate ciphers (unlike Open VPN for Android 0.7.46) #368

Closed mmokrejs closed 1 year ago

mmokrejs commented 1 year ago

Provided I got the phone app working with tls-crypt-v2, I find it cumbersome that the Linux client fails with:

ERROR: failed to negotiate cipher with peer and --data-ciphers-fallback not enabled. No usable data channel cipher

Here is a full log from client:

Jul 17 14:55:19 client1 systemd[1]: Starting openvpn-client@mydomain.service...
Jul 17 14:55:19 client1 openvpn[56971]: Current Parameter Settings:
Jul 17 14:55:19 client1 openvpn[56971]:   config = 'mydomain.conf'
Jul 17 14:55:19 client1 openvpn[56971]:   mode = 0
Jul 17 14:55:19 client1 openvpn[56971]:   persist_config = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   persist_mode = 1
Jul 17 14:55:19 client1 openvpn[56971]:   show_ciphers = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   show_digests = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   show_engines = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   genkey = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   genkey_filename = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   key_pass_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   show_tls_ciphers = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   connect_retry_max = 0
Jul 17 14:55:19 client1 openvpn[56971]: Connection profiles [0]:
Jul 17 14:55:19 client1 openvpn[56971]:   proto = udp
Jul 17 14:55:19 client1 openvpn[56971]:   local = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   local_port = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   remote = 'myserver_ip'
Jul 17 14:55:19 client1 openvpn[56971]:   remote_port = '1196'
Jul 17 14:55:19 client1 openvpn[56971]:   remote_float = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   bind_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   bind_local = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   bind_ipv6_only = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   connect_retry_seconds = 1
Jul 17 14:55:19 client1 openvpn[56971]:   connect_timeout = 120
Jul 17 14:55:19 client1 openvpn[56971]:   socks_proxy_server = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   socks_proxy_port = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   tun_mtu = 1500
Jul 17 14:55:19 client1 openvpn[56971]:   tun_mtu_defined = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   link_mtu = 1500
Jul 17 14:55:19 client1 openvpn[56971]:   link_mtu_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tun_mtu_extra = 0
Jul 17 14:55:19 client1 openvpn[56971]:   tun_mtu_extra_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tls_mtu = 1250
Jul 17 14:55:19 client1 openvpn[56971]:   mtu_discover_type = -1
Jul 17 14:55:19 client1 openvpn[56971]:   fragment = 0
Jul 17 14:55:19 client1 openvpn[56971]:   mssfix = 1492
Jul 17 14:55:19 client1 openvpn[56971]:   mssfix_encap = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   mssfix_fixed = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   explicit_exit_notification = 0
Jul 17 14:55:19 client1 openvpn[56971]:   tls_auth_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   key_direction = not set
Jul 17 14:55:19 client1 openvpn[56971]:   tls_crypt_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   tls_crypt_v2_file = 'keys/client1.tls-crypt-v2.key'
Jul 17 14:55:19 client1 openvpn[56971]: Connection profiles END
Jul 17 14:55:19 client1 openvpn[56971]:   remote_random = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ipchange = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   dev = 'tun'
Jul 17 14:55:19 client1 openvpn[56971]:   dev_type = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   dev_node = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   lladdr = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   topology = 1
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_local = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_remote_netmask = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_noexec = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_nowarn = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_local = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_netbits = 0
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_remote = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   shaper = 0
Jul 17 14:55:19 client1 openvpn[56971]:   mtu_test = 0
Jul 17 14:55:19 client1 openvpn[56971]:   mlock = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   keepalive_ping = 10
Jul 17 14:55:19 client1 openvpn[56971]:   keepalive_timeout = 600
Jul 17 14:55:19 client1 openvpn[56971]:   inactivity_timeout = 0
Jul 17 14:55:19 client1 openvpn[56971]:   session_timeout = 0
Jul 17 14:55:19 client1 openvpn[56971]:   inactivity_minimum_bytes = 0
Jul 17 14:55:19 client1 openvpn[56971]:   ping_send_timeout = 10
Jul 17 14:55:19 client1 openvpn[56971]:   ping_rec_timeout = 600
Jul 17 14:55:19 client1 openvpn[56971]:   ping_rec_timeout_action = 2
Jul 17 14:55:19 client1 openvpn[56971]:   ping_timer_remote = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   remap_sigusr1 = 0
Jul 17 14:55:19 client1 openvpn[56971]:   persist_tun = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   persist_local_ip = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   persist_remote_ip = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   persist_key = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   passtos = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   resolve_retry_seconds = 1000000000
Jul 17 14:55:19 client1 openvpn[56971]:   resolve_in_advance = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   username = 'nobody'
Jul 17 14:55:19 client1 openvpn[56971]:   groupname = 'nobody'
Jul 17 14:55:19 client1 openvpn[56971]:   chroot_dir = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   cd_dir = '/etc/openvpn/mydomain'
Jul 17 14:55:19 client1 openvpn[56971]:   writepid = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   up_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   down_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   down_pre = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   up_restart = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   up_delay = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   daemon = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   log = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   suppress_timestamps = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   machine_readable_output = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   nice = 0
Jul 17 14:55:19 client1 openvpn[56971]:   verbosity = 5
Jul 17 14:55:19 client1 openvpn[56971]:   mute = 0
Jul 17 14:55:19 client1 openvpn[56971]:   gremlin = 0
Jul 17 14:55:19 client1 openvpn[56971]:   status_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   status_file_version = 1
Jul 17 14:55:19 client1 openvpn[56971]:   status_file_update_freq = 60
Jul 17 14:55:19 client1 openvpn[56971]:   occ = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   rcvbuf = 0
Jul 17 14:55:19 client1 openvpn[56971]:   sndbuf = 0
Jul 17 14:55:19 client1 openvpn[56971]:   mark = 0
Jul 17 14:55:19 client1 openvpn[56971]:   sockflags = 0
Jul 17 14:55:19 client1 openvpn[56971]:   fast_io = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   comp.alg = 0
Jul 17 14:55:19 client1 openvpn[56971]:   comp.flags = 24
Jul 17 14:55:19 client1 openvpn[56971]:   route_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   route_default_gateway = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   route_default_metric = 0
Jul 17 14:55:19 client1 openvpn[56971]:   route_noexec = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   route_delay = 0
Jul 17 14:55:19 client1 openvpn[56971]:   route_delay_window = 30
Jul 17 14:55:19 client1 openvpn[56971]:   route_delay_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   route_nopull = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   route_gateway_via_dhcp = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   allow_pull_fqdn = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   management_addr = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   management_port = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   management_user_pass = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   management_log_history_cache = 250
Jul 17 14:55:19 client1 openvpn[56971]:   management_echo_buffer_size = 100
Jul 17 14:55:19 client1 openvpn[56971]:   management_client_user = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   management_client_group = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   management_flags = 0
Jul 17 14:55:19 client1 openvpn[56971]:   shared_secret_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   key_direction = not set
Jul 17 14:55:19 client1 openvpn[56971]:   ciphername = 'BF-CBC'
Jul 17 14:55:19 client1 openvpn[56971]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
Jul 17 14:55:19 client1 openvpn[56971]:   authname = 'SHA256'
Jul 17 14:55:19 client1 openvpn[56971]:   engine = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   replay = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   mute_replay_warnings = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   replay_window = 64
Jul 17 14:55:19 client1 openvpn[56971]:   replay_time = 15
Jul 17 14:55:19 client1 openvpn[56971]:   packet_id_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   test_crypto = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tls_server = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tls_client = ENABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ca_file = 'keys/ca.crt'
Jul 17 14:55:19 client1 openvpn[56971]:   ca_path = '[UNDEF]'
Jul 17 14:55:19 client1 systemd[1]: Started openvpn-client@mydomain.service.
Jul 17 14:55:19 client1 openvpn[56971]:   dh_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   cert_file = 'keys/client1.mydomain.cz.crt'
Jul 17 14:55:19 client1 openvpn[56971]:   extra_certs_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   priv_key_file = 'keys/client1.mydomain.cz.key'
Jul 17 14:55:19 client1 openvpn[56971]:   pkcs12_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   cipher_list = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   cipher_list_tls13 = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   tls_cert_profile = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   tls_verify = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   tls_export_cert = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   verify_x509_type = 0
Jul 17 14:55:19 client1 openvpn[56971]:   verify_x509_name = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   crl_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ns_cert_type = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 65535
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_ku[i] = 0
Jul 17 14:55:19 client1 openvpn[56971]:   remote_cert_eku = 'TLS Web Server Authentication'
Jul 17 14:55:19 client1 openvpn[56971]:   ssl_flags = 192
Jul 17 14:55:19 client1 openvpn[56971]:   tls_timeout = 2
Jul 17 14:55:19 client1 openvpn[56971]:   renegotiate_bytes = -1
Jul 17 14:55:19 client1 openvpn[56971]:   renegotiate_packets = 0
Jul 17 14:55:19 client1 openvpn[56971]:   renegotiate_seconds = 3600
Jul 17 14:55:19 client1 openvpn[56971]:   handshake_window = 60
Jul 17 14:55:19 client1 openvpn[56971]:   transition_window = 3600
Jul 17 14:55:19 client1 openvpn[56971]:   single_session = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   push_peer_info = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tls_exit = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tls_crypt_v2_metadata = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   server_network = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   server_netmask = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   server_network_ipv6 = ::
Jul 17 14:55:19 client1 openvpn[56971]:   server_netbits_ipv6 = 0
Jul 17 14:55:19 client1 openvpn[56971]:   server_bridge_ip = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   server_bridge_netmask = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   server_bridge_pool_start = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   server_bridge_pool_end = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_start = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_end = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_netmask = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_persist_filename = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_pool_persist_refresh_freq = 600
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_pool_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_pool_base = ::
Jul 17 14:55:19 client1 openvpn[56971]:   ifconfig_ipv6_pool_netbits = 0
Jul 17 14:55:19 client1 openvpn[56971]:   n_bcast_buf = 256
Jul 17 14:55:19 client1 openvpn[56971]:   tcp_queue_limit = 64
Jul 17 14:55:19 client1 openvpn[56971]:   real_hash_size = 256
Jul 17 14:55:19 client1 openvpn[56971]:   virtual_hash_size = 256
Jul 17 14:55:19 client1 openvpn[56971]:   client_connect_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   learn_address_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   client_disconnect_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   client_crresponse_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   client_config_dir = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   ccd_exclusive = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   tmp_dir = '/tmp'
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_local = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_remote_netmask = 0.0.0.0
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_ipv6_defined = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_ipv6_local = ::/0
Jul 17 14:55:19 client1 openvpn[56971]:   push_ifconfig_ipv6_remote = ::
Jul 17 14:55:19 client1 openvpn[56971]:   enable_c2c = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   duplicate_cn = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   cf_max = 0
Jul 17 14:55:19 client1 openvpn[56971]:   cf_per = 0
Jul 17 14:55:19 client1 openvpn[56971]:   cf_initial_max = 100
Jul 17 14:55:19 client1 openvpn[56971]:   cf_initial_per = 10
Jul 17 14:55:19 client1 openvpn[56971]:   max_clients = 1024
Jul 17 14:55:19 client1 openvpn[56971]:   max_routes_per_client = 256
Jul 17 14:55:19 client1 openvpn[56971]:   auth_user_pass_verify_script = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   auth_user_pass_verify_script_via_file = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   auth_token_generate = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   auth_token_lifetime = 0
Jul 17 14:55:19 client1 openvpn[56971]:   auth_token_secret_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   port_share_host = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   port_share_port = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]:   vlan_tagging = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   vlan_accept = all
Jul 17 14:55:19 client1 openvpn[56971]:   vlan_pvid = 1
Jul 17 14:55:19 client1 openvpn[56971]:   client = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   pull = DISABLED
Jul 17 14:55:19 client1 openvpn[56971]:   auth_user_pass_file = '[UNDEF]'
Jul 17 14:55:19 client1 openvpn[56971]: OpenVPN 2.6.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 17 14:55:19 client1 openvpn[56971]: library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Jul 17 14:55:19 client1 openvpn[56971]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Jul 17 14:55:19 client1 openvpn[56971]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Jul 17 14:55:19 client1 openvpn[56971]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 client1 openvpn[56971]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 client1 openvpn[56971]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 client1 openvpn[56971]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 client1 openvpn[56971]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jul 17 14:55:19 client1 openvpn[56971]: TUN/TAP device tun0 opened
Jul 17 14:55:19 client1 openvpn[56971]: do_ifconfig, ipv4=0, ipv6=0
Jul 17 14:55:19 client1 openvpn[56971]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 17 14:55:19 client1 openvpn[56971]: TCP/UDP: Preserving recently used remote address: [AF_INET]myserver_ip:1196
Jul 17 14:55:19 client1 openvpn[56971]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 17 14:55:19 client1 openvpn[56971]: UDPv4 link local: (not bound)
Jul 17 14:55:19 client1 openvpn[56971]: UDPv4 link remote: [AF_INET]myserver_ip:1196
Jul 17 14:55:19 client1 openvpn[56971]: GID set to nobody
Jul 17 14:55:19 client1 openvpn[56971]: UID set to nobody
Jul 17 14:55:19 client1 openvpn[56971]: WRTLS: Initial packet from [AF_INET]myserver_ip:1196, sid=26749c5b c3aa26bb
Jul 17 14:55:19 client1 openvpn[56971]: WRWRVERIFY OK: depth=1, CN=myserver.mydomain
Jul 17 14:55:19 client1 openvpn[56971]: VERIFY KU OK
Jul 17 14:55:19 client1 openvpn[56971]: Validating certificate extended key usage
Jul 17 14:55:19 client1 openvpn[56971]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 17 14:55:19 client1 openvpn[56971]: VERIFY EKU OK
Jul 17 14:55:19 client1 openvpn[56971]: VERIFY OK: depth=0, CN=myserver.mydomain
Jul 17 14:55:19 client1 openvpn[56971]: WWRRWRP2P mode NCP negotiation result: TLS_export=0, DATA_v2=0, peer-id 0, cipher=(not negotiated, fallback-cipher: none)
Jul 17 14:55:19 client1 openvpn[56971]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 521 bit ECsecp521r1, signature: ecdsa-with-SHA512
Jul 17 14:55:19 client1 openvpn[56971]: [myserver.mydomain] Peer Connection Initiated with [AF_INET]myserver_ip:1196
Jul 17 14:55:19 client1 openvpn[56971]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 17 14:55:19 client1 openvpn[56971]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 17 14:55:20 client1 openvpn[56971]: WERROR: failed to negotiate cipher with peer and --data-ciphers-fallback not enabled. No usable data channel cipher
Jul 17 14:55:20 client1 openvpn[56971]: ERROR: Failed to apply P2P negotiated protocol options
Jul 17 14:55:20 client1 openvpn[56971]: TCP/UDP: Closing socket
Jul 17 14:55:20 client1 openvpn[56971]: Closing TUN/TAP interface
Jul 17 14:55:20 client1 openvpn[56971]: SIGUSR1[soft,connection initialisation failed] received, process restarting
Jul 17 14:55:20 client1 openvpn[56971]: Restart pause, 1 second(s)
Jul 17 14:55:21 client1 openvpn[56971]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Jul 17 14:55:21 client1 openvpn[56971]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Jul 17 14:55:21 client1 openvpn[56971]: Error: private key password verification failed
Jul 17 14:55:21 client1 openvpn[56971]: Exiting due to fatal error
Jul 17 14:55:21 client1 systemd[1]: openvpn-client@mydomain.service: Main process exited, code=exited, status=1/FAILURE
Jul 17 14:55:21 client1 systemd[1]: openvpn-client@mydomain.service: Failed with result 'exit-code'.

Server logged:

Jul 17 14:55:03 myserver openvpn[6671]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Jul 17 14:55:03 myserver openvpn[6671]: Current Parameter Settings:
Jul 17 14:55:03 myserver openvpn[6671]:   config = '/etc/openvpn/server/server2023/server2023.conf'
Jul 17 14:55:03 myserver openvpn[6671]:   mode = 1
Jul 17 14:55:03 myserver openvpn[6671]:   persist_config = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   persist_mode = 1
Jul 17 14:55:03 myserver openvpn[6671]:   show_ciphers = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   show_digests = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   show_engines = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   genkey = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   genkey_filename = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   key_pass_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   show_tls_ciphers = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   connect_retry_max = 0
Jul 17 14:55:03 myserver openvpn[6671]: Connection profiles [0]:
Jul 17 14:55:03 myserver openvpn[6671]:   proto = udp4
Jul 17 14:55:03 myserver openvpn[6671]:   local = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   local_port = '1196'
Jul 17 14:55:03 myserver openvpn[6671]:   remote = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   remote_port = '1196'
Jul 17 14:55:03 myserver openvpn[6671]:   remote_float = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   bind_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   bind_local = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   bind_ipv6_only = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   connect_retry_seconds = 1
Jul 17 14:55:03 myserver openvpn[6671]:   connect_timeout = 120
Jul 17 14:55:03 myserver openvpn[6671]:   socks_proxy_server = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   socks_proxy_port = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   tun_mtu = 1500
Jul 17 14:55:03 myserver openvpn[6671]:   tun_mtu_defined = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   link_mtu = 1500
Jul 17 14:55:03 myserver openvpn[6671]:   link_mtu_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tun_mtu_extra = 0
Jul 17 14:55:03 myserver openvpn[6671]:   tun_mtu_extra_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tls_mtu = 1250
Jul 17 14:55:03 myserver openvpn[6671]:   mtu_discover_type = -1
Jul 17 14:55:03 myserver openvpn[6671]:   fragment = 0
Jul 17 14:55:03 myserver openvpn[6671]:   mssfix = 1492
Jul 17 14:55:03 myserver openvpn[6671]:   mssfix_encap = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   mssfix_fixed = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   explicit_exit_notification = 1
Jul 17 14:55:03 myserver openvpn[6671]:   tls_auth_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   key_direction = not set
Jul 17 14:55:03 myserver openvpn[6671]:   tls_crypt_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   tls_crypt_v2_file = '/etc/openvpn/server/server2023/keys/myserver.tls-crypt-v2.key'
Jul 17 14:55:03 myserver openvpn[6671]: Connection profiles END
Jul 17 14:55:03 myserver openvpn[6671]:   remote_random = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ipchange = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   dev = 'tun'
Jul 17 14:55:03 myserver openvpn[6671]:   dev_type = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   dev_node = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   lladdr = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   topology = 3
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_local = 'WW.WW.WW.1'
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_remote_netmask = '255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_noexec = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_nowarn = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_local = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_netbits = 0
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_remote = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   shaper = 0
Jul 17 14:55:03 myserver openvpn[6671]:   mtu_test = 0
Jul 17 14:55:03 myserver openvpn[6671]:   mlock = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   keepalive_ping = 60
Jul 17 14:55:03 myserver openvpn[6671]:   keepalive_timeout = 600
Jul 17 14:55:03 myserver openvpn[6671]:   inactivity_timeout = 0
Jul 17 14:55:03 myserver openvpn[6671]:   session_timeout = 0
Jul 17 14:55:03 myserver openvpn[6671]:   inactivity_minimum_bytes = 0
Jul 17 14:55:03 myserver openvpn[6671]:   ping_send_timeout = 60
Jul 17 14:55:03 myserver openvpn[6671]:   ping_rec_timeout = 1200
Jul 17 14:55:03 myserver openvpn[6671]:   ping_rec_timeout_action = 2
Jul 17 14:55:03 myserver openvpn[6671]:   ping_timer_remote = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   remap_sigusr1 = 0
Jul 17 14:55:03 myserver openvpn[6671]:   persist_tun = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   persist_local_ip = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   persist_remote_ip = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   persist_key = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   passtos = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   resolve_retry_seconds = 1000000000
Jul 17 14:55:03 myserver openvpn[6671]:   resolve_in_advance = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   username = 'openvpn'
Jul 17 14:55:03 myserver openvpn[6671]:   groupname = 'openvpn'
Jul 17 14:55:03 myserver openvpn[6671]:   chroot_dir = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   cd_dir = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   writepid = '/run/openvpn.server2023.pid'
Jul 17 14:55:03 myserver openvpn[6671]:   up_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   down_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   down_pre = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   up_restart = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   up_delay = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   daemon = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   log = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   suppress_timestamps = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   machine_readable_output = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   nice = 0
Jul 17 14:55:03 myserver openvpn[6671]:   verbosity = 5
Jul 17 14:55:03 myserver openvpn[6671]:   mute = 0
Jul 17 14:55:03 myserver openvpn[6671]:   gremlin = 0
Jul 17 14:55:03 myserver openvpn[6671]:   status_file = 'openvpn-status2023.log'
Jul 17 14:55:03 myserver openvpn[6671]:   status_file_version = 1
Jul 17 14:55:03 myserver openvpn[6671]:   status_file_update_freq = 60
Jul 17 14:55:03 myserver openvpn[6671]:   occ = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   rcvbuf = 0
Jul 17 14:55:03 myserver openvpn[6671]:   sndbuf = 0
Jul 17 14:55:03 myserver openvpn[6671]:   mark = 0
Jul 17 14:55:03 myserver openvpn[6671]:   sockflags = 0
Jul 17 14:55:03 myserver openvpn[6671]:   fast_io = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   comp.alg = 0
Jul 17 14:55:03 myserver openvpn[6671]:   comp.flags = 24
Jul 17 14:55:03 myserver openvpn[6671]:   route_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   route_default_gateway = 'WW.WW.WW.2'
Jul 17 14:55:03 myserver openvpn[6671]:   route_default_metric = 0
Jul 17 14:55:03 myserver openvpn[6671]:   route_noexec = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   route_delay = 0
Jul 17 14:55:03 myserver openvpn[6671]:   route_delay_window = 30
Jul 17 14:55:03 myserver openvpn[6671]:   route_delay_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   route_nopull = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   route_gateway_via_dhcp = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   allow_pull_fqdn = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   management_addr = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   management_port = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   management_user_pass = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   management_log_history_cache = 250
Jul 17 14:55:03 myserver openvpn[6671]:   management_echo_buffer_size = 100
Jul 17 14:55:03 myserver openvpn[6671]:   management_client_user = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   management_client_group = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   management_flags = 0
Jul 17 14:55:03 myserver openvpn[6671]:   shared_secret_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   key_direction = not set
Jul 17 14:55:03 myserver openvpn[6671]:   ciphername = 'BF-CBC'
Jul 17 14:55:03 myserver openvpn[6671]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
Jul 17 14:55:03 myserver openvpn[6671]:   authname = 'SHA256'
Jul 17 14:55:03 myserver openvpn[6671]:   engine = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   replay = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   mute_replay_warnings = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   replay_window = 64
Jul 17 14:55:03 myserver openvpn[6671]:   replay_time = 15
Jul 17 14:55:03 myserver openvpn[6671]:   packet_id_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   test_crypto = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tls_server = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tls_client = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ca_file = '/etc/openvpn/server/server2023/keys/ca.crt'
Jul 17 14:55:03 myserver openvpn[6671]:   ca_path = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   dh_file = '/etc/openvpn/server/server2023/keys/dh4096.pem'
Jul 17 14:55:03 myserver openvpn[6671]:   cert_file = '/etc/openvpn/server/server2023/keys/myserver.mydomain.crt'
Jul 17 14:55:03 myserver openvpn[6671]:   extra_certs_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   priv_key_file = '/etc/openvpn/server/server2023/keys/myserver.mydomain.key'
Jul 17 14:55:03 myserver openvpn[6671]:   pkcs12_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   cipher_list = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   cipher_list_tls13 = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   tls_cert_profile = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   tls_verify = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   tls_export_cert = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   verify_x509_type = 0
Jul 17 14:55:03 myserver openvpn[6671]:   verify_x509_name = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   crl_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   ns_cert_type = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 65535
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_ku[i] = 0
Jul 17 14:55:03 myserver openvpn[6671]:   remote_cert_eku = 'TLS Web Client Authentication'
Jul 17 14:55:03 myserver openvpn[6671]:   ssl_flags = 192
Jul 17 14:55:03 myserver openvpn[6671]:   tls_timeout = 2
Jul 17 14:55:03 myserver openvpn[6671]:   renegotiate_bytes = -1
Jul 17 14:55:03 myserver openvpn[6671]:   renegotiate_packets = 0
Jul 17 14:55:03 myserver openvpn[6671]:   renegotiate_seconds = 3600
Jul 17 14:55:03 myserver openvpn[6671]:   handshake_window = 60
Jul 17 14:55:03 myserver openvpn[6671]:   transition_window = 3600
Jul 17 14:55:03 myserver openvpn[6671]:   single_session = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   push_peer_info = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tls_exit = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tls_crypt_v2_metadata = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   server_network = WW.WW.WW.0
Jul 17 14:55:03 myserver openvpn[6671]:   server_netmask = 255.255.255.0
Jul 17 14:55:03 myserver openvpn[6671]:   server_network_ipv6 = ::
Jul 17 14:55:03 myserver openvpn[6671]:   server_netbits_ipv6 = 0
Jul 17 14:55:03 myserver openvpn[6671]:   server_bridge_ip = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   server_bridge_netmask = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   server_bridge_pool_start = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   server_bridge_pool_end = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route WW.WW.WW.0 255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route 192.168.252.0 255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route 192.168.253.0 255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route 192.168.254.0 255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route 192.168.1.0 255.255.255.0'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'dhcp-option DNS 193.17.47.1'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'dhcp-option DNS 185.43.135.1'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'dhcp-option WINS 192.168.1.254'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'route-gateway WW.WW.WW.1'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'topology subnet'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'ping 60'
Jul 17 14:55:03 myserver openvpn[6671]:   push_entry = 'ping-restart 600'
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_defined = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_start = WW.WW.WW.2
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_end = WW.WW.WW.254
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_netmask = 255.255.255.0
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_persist_filename = 'ipp.txt'
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_pool_persist_refresh_freq = 600
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_pool_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_pool_base = ::
Jul 17 14:55:03 myserver openvpn[6671]:   ifconfig_ipv6_pool_netbits = 0
Jul 17 14:55:03 myserver openvpn[6671]:   n_bcast_buf = 256
Jul 17 14:55:03 myserver openvpn[6671]:   tcp_queue_limit = 64
Jul 17 14:55:03 myserver openvpn[6671]:   real_hash_size = 256
Jul 17 14:55:03 myserver openvpn[6671]:   virtual_hash_size = 256
Jul 17 14:55:03 myserver openvpn[6671]:   client_connect_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   learn_address_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   client_disconnect_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   client_crresponse_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   client_config_dir = '/etc/openvpn/server/server2023/staticclients'
Jul 17 14:55:03 myserver openvpn[6671]:   ccd_exclusive = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   tmp_dir = '/tmp'
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_local = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_remote_netmask = 0.0.0.0
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_ipv6_defined = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_ipv6_local = ::/0
Jul 17 14:55:03 myserver openvpn[6671]:   push_ifconfig_ipv6_remote = ::
Jul 17 14:55:03 myserver openvpn[6671]:   enable_c2c = ENABLED
Jul 17 14:55:03 myserver openvpn[6671]:   duplicate_cn = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   cf_max = 0
Jul 17 14:55:03 myserver openvpn[6671]:   cf_per = 0
Jul 17 14:55:03 myserver openvpn[6671]:   cf_initial_max = 100
Jul 17 14:55:03 myserver openvpn[6671]:   cf_initial_per = 10
Jul 17 14:55:03 myserver openvpn[6671]:   max_clients = 1024
Jul 17 14:55:03 myserver openvpn[6671]:   max_routes_per_client = 256
Jul 17 14:55:03 myserver openvpn[6671]:   auth_user_pass_verify_script = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   auth_user_pass_verify_script_via_file = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   auth_token_generate = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   auth_token_lifetime = 0
Jul 17 14:55:03 myserver openvpn[6671]:   auth_token_secret_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   port_share_host = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   port_share_port = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]:   vlan_tagging = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   vlan_accept = all
Jul 17 14:55:03 myserver openvpn[6671]:   vlan_pvid = 1
Jul 17 14:55:03 myserver openvpn[6671]:   client = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   pull = DISABLED
Jul 17 14:55:03 myserver openvpn[6671]:   auth_user_pass_file = '[UNDEF]'
Jul 17 14:55:03 myserver openvpn[6671]: OpenVPN 2.6.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Jul 17 14:55:03 myserver openvpn[6671]: library versions: OpenSSL 1.1.1u  30 May 2023, LZO 2.10
Jul 17 14:55:03 myserver openvpn[6673]: WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Jul 17 14:55:03 myserver openvpn[6673]: WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Jul 17 14:55:03 myserver openvpn[6673]: Diffie-Hellman initialized with 4096 bit key
Jul 17 14:55:03 myserver openvpn[6673]: tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:03 myserver openvpn[6673]: tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:03 myserver openvpn[6673]: TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jul 17 14:55:03 myserver openvpn[6673]: TUN/TAP device tun1 opened
Jul 17 14:55:03 myserver openvpn[6673]: do_ifconfig, ipv4=1, ipv6=0
Jul 17 14:55:03 myserver openvpn[6673]: /bin/ip link set dev tun1 up mtu 1500
Jul 17 14:55:03 myserver openvpn[6673]: /bin/ip link set dev tun1 up
Jul 17 14:55:04 myserver openvpn[6673]: /bin/ip addr add dev tun1 WW.WW.WW.1/24
Jul 17 14:55:04 myserver openvpn[6673]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 17 14:55:04 myserver openvpn[6673]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jul 17 14:55:04 myserver openvpn[6673]: UDPv4 link local (bound): [AF_INET][undef]:1196
Jul 17 14:55:04 myserver openvpn[6673]: UDPv4 link remote: [AF_UNSPEC]
Jul 17 14:55:04 myserver openvpn[6673]: GID set to openvpn
Jul 17 14:55:04 myserver openvpn[6673]: UID set to openvpn
Jul 17 14:55:04 myserver openvpn[6673]: MULTI: multi_init called, r=256 v=256
Jul 17 14:55:04 myserver openvpn[6673]: IFCONFIG POOL IPv4: base=WW.WW.WW.2 size=253
Jul 17 14:55:04 myserver openvpn[6673]: ifconfig_pool_read(), in='client1.mydomain,WW.WW.WW.2,'
Jul 17 14:55:04 myserver openvpn[6673]: succeeded -> ifconfig_pool_set(hand=0)
Jul 17 14:55:04 myserver openvpn[6673]: ifconfig_pool_read(), in='client2.mydomain,WW.WW.WW.3,'
Jul 17 14:55:04 myserver openvpn[6673]: succeeded -> ifconfig_pool_set(hand=1)
Jul 17 14:55:04 myserver openvpn[6673]: IFCONFIG POOL LIST
Jul 17 14:55:04 myserver openvpn[6673]: client1.mydomain,WW.WW.WW.2,
Jul 17 14:55:04 myserver openvpn[6673]: client2.mydomain,WW.WW.WW.3,
Jul 17 14:55:04 myserver openvpn[6673]: Initialization Sequence Completed
Jul 17 14:55:19 myserver openvpn[6673]: Control Channel: using tls-crypt-v2 key
Jul 17 14:55:19 myserver openvpn[6673]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt Control Channel: using tls-crypt-v2 key
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: Connection Attempt MULTI: multi_create_instance called
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Re-using SSL/TLS context
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 tls-crypt-v2 server key: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 tls-crypt-v2 server key: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Control Channel: using tls-crypt-v2 key
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 VERIFY OK: depth=1, CN=myserver.mydomain
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 VERIFY KU OK
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Validating certificate extended key usage
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 VERIFY EKU OK
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 VERIFY OK: depth=0, CN=client2.mydomain
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 peer info: IV_PROTO=746
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 TLS: tls_multi_process: initial untrusted session promoted to trusted
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 521 bit EC, curve secp521r1, signature: ecdsa-with-SHA512
Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 [client2.mydomain] Peer Connection Initiated with [AF_INET]client2_ip:53828
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 MULTI_sva: pool returned IPv4=WW.WW.WW.3, IPv6=(Not enabled)
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 MULTI: Learn: WW.WW.WW.3 -> client2.mydomain/client2_ip:53828
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 MULTI: primary virtual IP for client2.mydomain/client2_ip:53828: WW.WW.WW.3
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Outgoing dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Outgoing dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Incoming dynamic tls-crypt: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Incoming dynamic tls-crypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 17 14:55:19 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jul 17 14:55:20 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Data Channel: cipher 'AES-256-GCM', peer-id: 0
Jul 17 14:55:20 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Timers: ping 60, ping-restart 1200
Jul 17 14:55:20 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
Jul 17 14:55:34 myserver openvpn[6673]: read UDPv4 [ECONNREFUSED]: Connection refused (fd=7,code=111)

I edited the config files, although some of the paths are partly visible in the logs above:

2.6.4 client config:

tls-crypt-v2 keys/client1.tls-crypt-v2.key
tls-client
dev tun
proto udp
remote xx.xx.xx.xx 1196 # another instance runs on port 1194 but uses different LAN
resolv-retry infinite
nobind
user nobody
group nobody
mute-replay-warnings
ca keys/ca.crt
cert keys/client1.crt
key keys/client1.key
keepalive 10 600
remote-cert-tls server
auth SHA256
verb 5
auth-nocache

2.6.4 server config:

mode server
block-ipv6
port 1196 # must be specified on cmdline
tls-crypt-v2 /some/full/path/to/myserver.tls-crypt-v2.key
tls-server
dev tun
proto udp4
resolv-retry infinite
user nobody
group nobody
mute-replay-warnings
ca /some/full/path/to/ca.key
key  /some/full/path/to/myserver.key
cert /some/full/path/to/myserver.crt
dh /some/full/path/to/dh4096.pem
topology subnet
server WW.WW.WW.0 255.255.255.0
client-to-client
ifconfig-pool-persist ipp.txt
client-config-dir /some/full/path/to/staticclients
status openvpn-status2023.log
keepalive 60 600
remote-cert-tls client
tls-version-min 1.2
auth SHA256
verb 5
explicit-exit-notify 1
push "route XX.XX.XX.0 255.255.255.0"
push "route YY.YY.YY.0 255.255.255.0"
push "dhcp-option DNS 193.17.47.1"
push "dhcp-option DNS 185.43.135.1"
push "dhcp-option WINS AA.AA.AA.AA"

schwabe commented 1 year ago

You are running the client without client or pull, i.e. in p2p mode. Either you run both sides in p2p mode, or you run one side with --server and the other side with --pull/--client. Trying to use p2p mode on one side and --server on the other will just break.

mmokrejs commented 1 year ago

Differences in openvpn --show-ciphers outputs:

$ diff -u -w /tmp/myserver.ciphers.txt /tmp/client2.ciphers.txt
--- /tmp/myserver.ciphers.txt   2023-07-17 15:31:00.268477628 +0200
+++ /tmp/client2.ciphers.txt    2023-07-17 15:31:28.668477493 +0200
@@ -9,16 +9,19 @@
 AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
 AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
 AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
+AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
 AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
 AES-192-CBC  (192 bit key, 128 bit block)
 AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
 AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
 AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
+AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
 AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
 AES-256-CBC  (256 bit key, 128 bit block)
 AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
 AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
 AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
+AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
 AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
 ARIA-128-CBC  (128 bit key, 128 bit block)
 ARIA-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
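Review bot: the three `+AES-128-GCM` / `+AES-192-GCM` / `+AES-256-GCM` lines in this hunk are not ciphers that client2 has and myserver lacks; the same three names show up as `-` lines at the tail of the next hunk, so this is only `--show-ciphers` printing them in a different position (OpenSSL 3.1.1 lists them alphabetically, OpenSSL 1.1.1u appends them after the rest). Sorting both files before diffing would remove this noise and leave only real differences.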
@@ -54,29 +57,14 @@
 CAMELLIA-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
 CAMELLIA-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)
 CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode only)
-SEED-CBC  (128 bit key, 128 bit block)
-SEED-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
-SEED-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
 SM4-CBC  (128 bit key, 128 bit block)
 SM4-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
+SM4-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
 SM4-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
-AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
-AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
-AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)

 The following ciphers have a block size of less than 128 bits, 
 and are therefore deprecated.  Do not use unless you have to.

-BF-CBC  (128 bit key, 64 bit block)
-BF-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
-BF-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
-CAST5-CBC  (128 bit key, 64 bit block)
-CAST5-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
-CAST5-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
-DES-CBC  (64 bit key, 64 bit block)
-DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
-DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
-DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
 DES-EDE-CBC  (128 bit key, 64 bit block)
 DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
 DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
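Review bot: once the reordered GCM lines are discounted, the real differences in this hunk are the `-SEED-*`, `-BF-*`, `-CAST5-*` and `-DES-*` removals on client2 and the `+SM4-GCM` addition; SEED, Blowfish, CAST5 and single DES moved to OpenSSL 3's legacy provider, which is evidently not loaded on client2. None of these names is in the `ncp_ciphers` list the server log prints, so their absence cannot explain the failed negotiation, and the server log shows both sides settling on AES-256-GCM.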
@@ -85,17 +73,4 @@
 DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
 DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
 DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
-DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
-DESX-CBC  (192 bit key, 64 bit block)
-IDEA-CBC  (128 bit key, 64 bit block)
-IDEA-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
-IDEA-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
-RC2-40-CBC  (40 bit key, 64 bit block)
-RC2-64-CBC  (64 bit key, 64 bit block)
-RC2-CBC  (128 bit key, 64 bit block)
-RC2-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
-RC2-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
-RC5-CBC  (128 bit key, 64 bit block)
-RC5-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
-RC5-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
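Review bot: every `-` line here (DES-OFB, DESX, IDEA, RC2, RC5) sits under the "block size of less than 128 bits ... deprecated" heading introduced in the previous hunk, so their absence on client2 is the expected result of the OpenSSL 3.1.1 build and not a regression worth chasing for this issue.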

client2 # emerge -pv openvpn openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.72 s.

[ebuild   R    ] dev-libs/openssl-3.1.1-r1:0/3::gentoo  USE="asm -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -vanilla -verify-sig -weak-ssl-ciphers" CPU_FLAGS_X86="(sse2)" 0 KiB
[ebuild   R    ] net-vpn/openvpn-2.6.4::gentoo  USE="inotify iproute2 lz4 lzo openssl pam plugins systemd -dco -down-root -examples -mbedtls -pkcs11 (-selinux) -test" 0 KiB
myserver # emerge -pv openvpn openssl

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] dev-libs/openssl-1.1.1u:0/1.1::gentoo  USE="asm -rfc3779 -sctp (-sslv3) -static-libs -test -tls-compression -tls-heartbeat -vanilla -verify-sig -weak-ssl-ciphers" CPU_FLAGS_X86="(sse2)" 9,661 KiB
[ebuild   R    ] net-vpn/openvpn-2.6.4::gentoo  USE="examples inotify iproute2 lz4 lzo openssl pam plugins -dco -down-root -mbedtls -pkcs11 (-selinux) -systemd -test" 0 KiB

Total: 2 packages (2 reinstalls), Size of downloads: 9,661 KiB

WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:

dev-libs/openssl:0

  (dev-libs/openssl-3.0.9-r1:0/3::gentoo, ebuild scheduled for merge) USE="asm -fips -ktls -rfc3779 -sctp -static-libs -test -tls-compression -vanilla -verify-sig -weak-ssl-ciphers" CPU_FLAGS_X86="(sse2)" conflicts with
    >=dev-libs/openssl-1.0.0:0/1.1= required by (dev-db/mariadb-10.5.16:10.5/18::gentoo, installed) USE="backup cracklib pam perl server userland_GNU xml -bindist -columnstore -debug -extraengine -galera -innodb-lz4 -innodb-lzo -innodb-snappy -jdbc -jemalloc -kerberos -latin1 (-mroonga) -numa -odbc -oqgraph -profiling -rocksdb -s3 (-selinux) -sphinx -sst-mariabackup -sst-rsync -static -systemd -systemtap -tcmalloc -test -yassl"
                            ^^^^^^^

cron2 commented 1 year ago

Having an SSL lib without AES-GCM ciphers would be bad indeed - but this is not the problem here; the server log shows that the client signals AES-GCM support, and the server is willing to accept it:

Jul 17 14:55:19 myserver openvpn[6673]: client2_ip:53828 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Jul 17 14:55:20 myserver openvpn[6673]: client2.mydomain/client2_ip:53828 Data Channel: cipher 'AES-256-GCM', peer-id: 0

(maybe there is a bug lurking here, if the server SSL library really has no AES-256-GCM and we do not properly check, but this is not why the client is giving up)

Arne already spotted the real problem:

OpenVPN 2.6.x can auto-negotiate ciphers in two modes - peer2peer (which means no client and no server or mode server in the config, just udp-client and udp-server) or real point2multipoint. The second version has a real server, and all clients must have client in their config files.

The Android client can only do client, so it's possible that it can work "as client" if there is no client in the config file - but the linux binary can do all variants, so it needs to be explicitly told what you want it to do.

With 2.5, such configs used to work (by falling back to BF-CBC), but this was more "good luck" than "by design" - and we needed to change this behaviour to get rid of BF-CBC, which is considered insecure today.
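To make the p2p-versus-server distinction concrete, here is an added check (example code, not part of OpenVPN or of this thread) that classifies a config pair by the directives described above and flags the mismatch; the sample configs are constructed excerpts of the ones posted earlier in the issue.

```python
"""Flag the OpenVPN mode mismatch discussed in this thread.

A config with neither `client` nor `pull` runs in peer-to-peer mode
even if it has `tls-client`; a peer using `server` / `mode server`
expects every client to pull.  Added example, not OpenVPN project
code: it only inspects directive names and arguments.
"""

# directives that select point-to-multipoint (real server) mode
SERVER_DIRECTIVES = {"server", "server-ipv6", "server-bridge"}
# directives that make a peer pull options; `client` implies `pull`
CLIENT_DIRECTIVES = {"client", "pull"}


def parse_config(text):
    """Return [(directive, [args...])], ignoring comments and <tag> blocks."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:                          # inside <ca> ... </ca> etc.
            in_block = not line.startswith("</")
            continue
        if line.startswith("<"):
            in_block = True
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing comment
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def role(text):
    """Classify a config as 'server', 'client' or 'p2p'."""
    entries = parse_config(text)
    names = {name for name, _ in entries}
    if names & SERVER_DIRECTIVES or ("mode", ["server"]) in entries:
        return "server"
    if names & CLIENT_DIRECTIVES:
        return "client"
    return "p2p"


def check_pair(client_text, server_text):
    """Return (ok, message) for a client/server config pair."""
    c, s = role(client_text), role(server_text)
    if (c, s) in {("client", "server"), ("p2p", "p2p")}:
        return True, f"consistent: client is {c}, server is {s}"
    hint = ""
    if s == "server" and c == "p2p":
        hint = " (add `client` to the client config; `tls-client` alone is not enough)"
    return False, f"mismatch: client is {c}, server is {s}{hint}"


# constructed excerpts of the configs posted in this issue
CLIENT_CFG = """\
tls-crypt-v2 keys/client1.tls-crypt-v2.key
tls-client
dev tun
proto udp
remote xx.xx.xx.xx 1196 # another instance runs on port 1194
remote-cert-tls server
auth SHA256
"""
SERVER_CFG = """\
mode server
port 1196 # must be specified on cmdline
tls-server
dev tun
proto udp4
server WW.WW.WW.0 255.255.255.0
remote-cert-tls client
"""

if __name__ == "__main__":
    print(check_pair(CLIENT_CFG, SERVER_CFG)[1])                  # mismatch
    print(check_pair("client\n" + CLIENT_CFG, SERVER_CFG)[1])     # consistent
```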

mmokrejs commented 1 year ago

I apologize that during all my experiments I commented out the client option from the config file. I was not aware of the P2P mode.

Indeed, the "OpenVPN for Android" app with the openvpn 2.x core included the client option in the generated .ovpn file; I just checked that now.

The openvpn --show-ciphers should be stable-sorted, ideally.

Thank you for your help and detailed explanations.

schwabe commented 1 year ago

--show-ciphers uses the same order as OpenSSL provides. It is not intended for anything other than debug purposes.
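The ordering point made in the diff earlier in the thread and in the last two comments can be checked mechanically. The following added script (example code, not OpenVPN's own) parses two `--show-ciphers` listings into sets so that library ordering drops out and only real differences remain; the sample listings are constructed excerpts in the two orders seen above.

```python
"""Compare `openvpn --show-ciphers` listings as sets, not line diffs.

--show-ciphers prints ciphers in the order the SSL library enumerates
them, so a plain `diff` between an OpenSSL 1.1.1 host and an OpenSSL 3
host shows the AES-GCM entries as both added and removed.  Added
example, not OpenVPN project code.
"""
import re

# e.g. "AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)"
CIPHER_RE = re.compile(
    r"^([A-Z0-9-]+)\s+\((\d+) bit key, (.+?)(?:, TLS client/server mode only)?\)$"
)
DEPRECATED_MARK = "block size of less than 128 bits"


def parse_show_ciphers(text):
    """Map cipher name -> dict(key_bits, block, deprecated)."""
    ciphers, deprecated = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if DEPRECATED_MARK in line:
            deprecated = True      # everything after this heading is deprecated
            continue
        m = CIPHER_RE.match(line)
        if m:
            ciphers[m.group(1)] = {
                "key_bits": int(m.group(2)),
                "block": m.group(3),
                "deprecated": deprecated,
            }
    return ciphers


def compare_listings(a, b):
    """Order-insensitive difference between two listings."""
    ca, cb = set(parse_show_ciphers(a)), set(parse_show_ciphers(b))
    return {
        "only_in_a": sorted(ca - cb),
        "only_in_b": sorted(cb - ca),
        "common": sorted(ca & cb),
    }


def negotiable(listing, data_ciphers="AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"):
    """Which of the --data-ciphers candidates this build can actually offer."""
    have = parse_show_ciphers(listing)
    return [c for c in data_ciphers.split(":") if c in have]


# constructed excerpts: OpenSSL 1.1.1 order (GCM last) vs OpenSSL 3 order (alphabetical)
SERVER_LISTING = """\
AES-128-CBC  (128 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode only)
SEED-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key, 64 bit block)
DES-EDE-CBC  (128 bit key, 64 bit block)
"""
CLIENT_LISTING = """\
AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
CHACHA20-POLY1305  (256 bit key, stream cipher, TLS client/server mode only)
SM4-GCM  (128 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

DES-EDE-CBC  (128 bit key, 64 bit block)
"""

if __name__ == "__main__":
    print(compare_listings(SERVER_LISTING, CLIENT_LISTING))
    print(negotiable(SERVER_LISTING), negotiable(CLIENT_LISTING))
```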