On 2022-05-25 09:28, Bernhard Schmidt wrote:
Control: tags -1 moreinfo

Hi Wolfgang,

openvpn 2.5.6 with openssl 1.1 seems unable to establish a connection to a sid openvpn-server upgraded to 2.6.0~git20220518+dco-1.

I checked the configs. They work if both sides are 2.5.6 or both sides are 2.6 with openssl 3.

I also see the following warning message in this case:

"WARNING: tun-mtu is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'"

Also, in peer mode, 2.5.6 and 2.6 (both Debian sid) do not work together.

Maybe this very new patch fixes the issue:

https://github.com/OpenVPN/openvpn/commit/88342ed8277c579704c0e67feb4278aeaa544027

I have not tested this hypothesis yet, though.

No, this patch is about something else (a spurious warning seen in
#1011372 when both sides actually use the same algorithm, but call it
differently).

Yes, I now tested that.

Maybe it is because of that tun-mtu warning as opt-verify is set.


Could you please check the release notes at
https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst  for relevant
changes and post logs/redacted config to this bug?

I read them and I found nothing problematic. There is no problem with a 2.5.6 server and a 2.6 + openssl3 client, but a 2.5.6 client and a 2.6 + openssl3 server seem not to work together.

Here is the server config (redacted):
=========================================================================================
mode                    server
user                    openvpn
group                   openvpn
local                   X
lport                   Y
persist-local-ip
proto                   udp6
dev                     gu6
dev-type                tap
persist-tun
auth                    SHA256
cipher                  AES-256-GCM
data-ciphers            AES-256-GCM
tls-version-min         1.2
tls-cipher              TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-server
dh                      none
x509-username-field     OU
tls-verify "/etc/openvpn/my-verify-cn /etc/openvpn_allowed_clients"
tls-crypt-v2            /etc/openvpn/tls-key-server
ca                      /etc/openvpn/ca_cert.pem
cert                    /etc/openvpn/server_cert.pem
key                     /etc/openvpn/server_key.pem
persist-key
keepalive               10 60
mute                    2
ping-timer-rem
syslog
verb                    4
opt-verify
script-security         2
=========================================================================================

Here is the config on the client (redacted):
=========================================================================================
client
remote                  X
port                    Y
proto                   udp
dev-type                tap
dev                     gu6
auth                    SHA256
cipher                  AES-256-GCM
data-ciphers            AES-256-GCM
tls-version-min         1.2
tls-cipher              TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-client
verify-x509-name        "DC=de, DC=A, OU=GU6, CN=blabla" subject
tls-crypt-v2            my_tls-key-client
ca                      ca_cert.pem
cert                    my_cert.pem
key                     my_key.pem
keepalive               10 60
ping-timer-rem
pull
verb                    4
nobind
=========================================================================================


log (also redacted):
=========================================================================================
Mai 23 19:13:31 server gu6[8334]: 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 5 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 10 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_VER=2.5.6
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_PLAT=linux
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_PROTO=6
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_CIPHERS=AES-256-GCM
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZ4=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZ4v2=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZO=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_COMP_STUB=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_COMP_STUBv2=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_TCPNL=1
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 [r1h8PXRwkObqqyvcysUeFsK9bUMCpt7f] Peer Connection Initiated with [AF_INET6]2a01:a:b:c::1234:54365
=========================================================================================


another try:
=========================================================================================
Mai 23 19:13:36 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 5 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 2 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 10 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_VER=2.5.6
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_PLAT=linux
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_PROTO=6
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_CIPHERS=AES-256-GCM
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZ4=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZ4v2=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_LZO=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_COMP_STUB=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_COMP_STUBv2=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_TCPNL=1
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 1 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:37 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
=========================================================================================


Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
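
Added example, not part of the original message and not OpenVPN project code: a small triage script for server logs like the ones quoted above. It drops the `--mute` bookkeeping lines and collects each peer's `peer info` values and any "used inconsistently" option warnings. The sample log is constructed from lines in the message; the name `triage` and the layout of its result are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog lines quoted in the message.
SAMPLE_LOG = """\
Mai 23 19:13:31 server gu6[8334]: NOTE: --mute triggered...
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 10 variation(s) on previous 2 message(s) suppressed by --mute
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_VER=2.5.6
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 peer info: IV_CIPHERS=AES-256-GCM
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Mai 23 19:13:31 server gu6[8334]: 2a01:a:b:c::1234 NOTE: --mute triggered...
"""

# syslog prefix: "<month> <day> <time> <host> <ident>[<pid>]: <message>"
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+\S+\[\d+\]:\s+(?P<msg>.*)$")
# Bookkeeping lines emitted because the server config sets "mute 2".
MUTE = re.compile(r"(NOTE: --mute triggered\.\.\.|\d+ variation\(s\) on previous "
                  r"\d+ message\(s\) suppressed by --mute)$")
PEER_INFO = re.compile(r"^(?P<peer>\S+) peer info: (?P<key>IV_\w+)=(?P<val>.*)$")
MISMATCH = re.compile(r"^(?P<peer>\S+) WARNING: '(?P<opt>[^']+)' is used "
                      r"inconsistently, local='(?P<local>[^']*)', "
                      r"remote='(?P<remote>[^']*)'$")


def triage(log_text):
    """Hypothetical helper: summarise an OpenVPN server log excerpt."""
    peers, mismatches, muted = defaultdict(dict), [], 0
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a syslog-formatted entry
        msg = line.group("msg").strip()
        if MUTE.search(msg):
            muted += 1
        elif (m := PEER_INFO.match(msg)):
            peers[m["peer"]][m["key"]] = m["val"]
        elif (m := MISMATCH.match(msg)):
            mismatches.append((m["peer"], m["opt"], m["local"], m["remote"]))
    return {"peers": dict(peers), "mismatches": mismatches, "muted_lines": muted}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for peer, opt, local, remote in summary["mismatches"]:
        ver = summary["peers"].get(peer, {}).get("IV_VER", "unknown")
        print(f"{peer} (IV_VER={ver}): {opt} local={local!r} remote={remote!r}")
    print(f"{summary['muted_lines']} --mute bookkeeping lines dropped")
```
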
