OpenVPN / openvpn3

OpenVPN 3 is a C++ class library that implements the functionality of an OpenVPN client, and is protocol-compatible with the OpenVPN 2.x branch.
https://openvpn.net

link-mtu and auth are incorrect when server has ncp-disable and cipher AES-256-GCM #91

Open tomty89 opened 5 years ago

tomty89 commented 5 years ago

Both ics-openvpn with openvpn3 and OpenVPN Connect on Android show the problem:

Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_VER=2.5_master
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_PLAT=android
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_PROTO=2
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_NCP=2
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZ4=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZ4v2=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZO=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_COMP_STUB=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_COMP_STUBv2=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_TCPNL=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:43902
Nov 03 13:50:31 archlinux openvpn[18325]: f5122/192.168.1.131:43902 MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_VER=3.2__qa:d87f5bbc04)
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_PLAT=android
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_NCP=2
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_TCPNL=1
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_PROTO=2
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_AUTO_SESS=1
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:52861
Nov 03 13:50:45 archlinux openvpn[18325]: MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_GUI_VER=OC30Android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_VER=3.git::728733ae:Release
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_PLAT=android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_NCP=2
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_TCPNL=1
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_PROTO=2
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_AUTO_SESS=1
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:54952
Nov 03 13:51:25 archlinux openvpn[18325]: f5122/192.168.1.131:54952 MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)

As you can see, openvpn 2.5 (in ics-openvpn) doesn't have the same issue.
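The correlation the report draws from the server log (2.x client: no warnings; 3.x clients: `link-mtu` and `auth` mismatches) is easier to check mechanically than by eye. The following is an added example, not code from the issue thread or from the openvpn3 project: it parses the server's `peer info:` lines and its options-consistency warnings (`'X' is used inconsistently, local=..., remote=...`), groups them per peer `address:port`, and summarizes which option names mismatched for each advertised `IV_VER`. The sample log is a subset of the lines quoted in the report; the regexes assume the standard `openvpn[pid]: addr:port ...` log prefix shown there.

```python
import re
from collections import defaultdict

# Sample input: a subset of the server log lines quoted in the report
# (one 2.5_master peer without warnings, two 3.x peers with warnings).
SAMPLE_LOG = """\
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_VER=2.5_master
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:43902
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_VER=3.2__qa:d87f5bbc04)
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_GUI_VER=OC30Android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_VER=3.git::728733ae:Release
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
"""

# The server prefixes every per-client line with the peer's "address:port";
# that is the key we group on. Both patterns assume the syslog-style prefix
# "openvpn[pid]:" seen in the report.
PEER = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
PEER_INFO_RE = re.compile(
    r"openvpn\[\d+\]: " + PEER + r" peer info: (?P<key>IV_\w+)=(?P<value>.*)$")
WARNING_RE = re.compile(
    r"openvpn\[\d+\]: " + PEER + r" WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")


def parse_occ_mismatches(log_text):
    """Group peer-info fields and consistency warnings by peer.

    Returns {peer: {"info": {IV_KEY: value, ...},
                    "mismatches": [(option, local, remote), ...]}}.
    """
    peers = defaultdict(lambda: {"info": {}, "mismatches": []})
    for line in log_text.splitlines():
        m = PEER_INFO_RE.search(line)
        if m:
            peers[m["peer"]]["info"][m["key"]] = m["value"]
            continue
        m = WARNING_RE.search(line)
        if m:
            peers[m["peer"]]["mismatches"].append((m["opt"], m["local"], m["remote"]))
    return dict(peers)


def summarize_by_client(log_text):
    """Map each advertised IV_VER to the sorted option names that mismatched.

    A client version that connected without any warning maps to [].
    """
    summary = {}
    for data in parse_occ_mismatches(log_text).values():
        ver = data["info"].get("IV_VER", "unknown")
        summary.setdefault(ver, set()).update(opt for opt, _, _ in data["mismatches"])
    return {ver: sorted(opts) for ver, opts in summary.items()}


if __name__ == "__main__":
    for ver, opts in summarize_by_client(SAMPLE_LOG).items():
        status = ", ".join(opts) if opts else "no mismatch"
        print(f"IV_VER={ver}: {status}")
```

Run against a full server log, the summary makes it immediately visible whether a mismatch is tied to a client version, as the report argues, or spread across all clients (which would point at the server side instead). The per-peer `mismatches` list also keeps the local/remote values, so the `auth [null-digest]` versus `auth SHA1` disagreement can be alerted on directly: it means the two ends are not describing the same data-channel parameters, which an operator wants to know regardless of whether the tunnel still comes up.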

tomty89 commented 5 years ago

Btw, if AES-256-GCM is used via NCP, the problem does NOT occur.

tomty89 commented 5 years ago

Hmm, seems like it has already been addressed with 29e060f.

dsommers commented 5 years ago

Hmm, seems like it has already been addressed with 29e060f.

It would surprise me a lot if that commit changes this issue.

Can you please provide some logs where we can see where this issue does not appear? Also which version of the OpenVPN server are you running?

tomty89 commented 5 years ago

I already did? The first part of the logs shows that OpenVPN 2.x clients will not cause this. I can also provide logs without ncp-disable set on the server, in which OpenVPN 3.x will not cause this either even when AES-256-GCM is used.

I thought that commit would fix this as it seems to be relevant, haven't actually tested though. That's why I haven't closed this yet.

Server is 2.4.7.