[contribteam] [Bug 9925] missing parameter in openvpn.conf for win10 clients

[bugzilla-daemon]

https://bugs.contribs.org/show_bug.cgi?id=9925

            Bug ID: 9925
           Summary: missing parameter in openvpn.conf for win10 clients
    Classification: Contribs
           Product: SME Contribs
           Version: 9.1
          Hardware: ---
                OS: ---
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-openvpn-routed
          Assignee: dan...@firewall-services.com
          Reporter: mvo2...@gmx.com
        QA Contact: contribteam@lists.contribs.org
  Target Milestone: ---

Created attachment 5760
  --> https://bugs.contribs.org/attachment.cgi?id=5760&action=edit
windows 10 working client config

config: SME 9.1 up to date (2016-01-17)
openvpn.x86_64                      2.3.14-1.el6       @epel
smeserver-openvpn-routed.noarch     0.1.5-1.el6.fws    @fws

I had a running VPN client config on windows10 with openvpn client 2.3.12.0 and
a windows 10 machine with client version 2.4.0-I601 (latest version). Both
worked fine with the SME8 openvpn-routed contrib. 

I migrated to SME9 last weekend and I was unable to get the configuration
running. It failed with the following errors (/var/log/openvpn-routed/current) 

Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from [AF_INET]mylocalip:1194

To get it working correctly I had to add two configuration statements in
/etc/openvpn/routed/openvpn.conf server config: 

auth SHA256 (1)
cipher AES-256-CBC (2)

I added (1) a custom template
/etc/e-smith/templates/etc/openvpn/routed/openvpn.conf/30cert (added 'auth
SHA256\n' without quotes after the tls auth statement) 
I decided to use the database configuration parameter cipher for (2), which is
present in the templates, but not documented in the wiki.

The first time I tried this, I used the config statements from the wiki page of
openvpn-bridge contrib (don't type by habd if its not necessary). It did not
work as expected, got me confused. 

These are the config database entry's for the cipher statement in both contribs
with a working configuration:
openvpn-bridge=service
    cipher=AES-256-CBC
openvpn-routed=service
    Cipher=AES-256-CBC

I was fooled by the uppercase 'C'. It may be a good idea to change this in the
60options template in a future release. 

For reference I added my working windows10 client config 

regards, Marcel

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail contribteam-unsubscr...@lists.contribs.org
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/