On 29/06/17 08:55, Philipp Helo Rehs wrote:
> Hello, I am running Red Hat 7 and use openvpn 2.4.3 from EPEL, but I have got a big problem since the update from 2.3.x:
>
> Jun 28 18:32:38 vpn openvpn-zuvsupport[23218]: TCP connection established with [AF_INET]x.x.x.x:39682
> Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn/ccd/username:1: reset-routes (2.4.3)
In fact, invalid options in CCD can be safely ignored; they do not affect the client connection.
> Jun 28 18:32:39 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 MULTI_sva: pool returned IPv4=10.8.25.3, IPv6=(Not enabled)
> Jun 28 18:32:39 vpn openvpn[23218]: RTNETLINK answers: No such process
That is odd .. I don't know what causes that.
> Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Data Channel: using negotiated cipher 'AES-256-GCM'
> Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 OpenSSL: error:0607A082:digital envelope routines:EVP_CIPHER_CTX_set_key_length:invalid key length
> Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 EVP set key size
> Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Exiting due to fatal error
> Jun 28 18:32:40 vpn openvpn-zuvsupport[23218]: username/x.x.x.x:39682 Closing TUN/TAP interface
This is caused by --keysize 128 in your server config. AES-256-* cannot use --keysize 128 (or at all, because they are 256 only). --keysize is likely to be deprecated quite soon. See --show-ciphers for a list of ciphers that can/cannot use --keysize.
> The configuration looks like this:
>
> # Server Config
> local y.y.y.y
> port 1203
> proto tcp
> dev tun2570
> topology subnet
> server 10.8.25.0 255.255.255.0
> mode server
> tls-server
> persist-key
> persist-tun
> #client-to-client # Do we want this?
> keepalive 10 120
> management 127.0.0.1 5564
> #Security
> ca vpn_ca.crt
> cert vpn.crt
> key vpn.key
> keysize 128
*** ^ This one ..
> dh dh1024.pem
> auth SHA256
> cipher AES-128-CBC
> script-security 3 # Unfortunately required so that a custom verification script can be used
> #Performance (certainly still to be improved)
> #tun-mtu 1500
> #fragment 1415
> #mssfix 1410
> #Authentication
> auth-user-pass-verify /etc/openvpn/scripts/verify_user.py via-env
> username-as-common-name
> client-config-dir /etc/openvpn/ccd
> #duplicate-cn
> client-cert-not-required
> learn-address /etc/openvpn/scripts/ldapAuth.py
> ifconfig-pool-persist /etc/openvpn/ipp-zuvsupport.txt
> #Logging
> status /etc/openvpn/status/zuvsupport.log 10
> verb 2
> syslog openvpn-zuvsupport
> daemon
> mute-replay-warnings
>
> Do you have any idea how to fix this?
>
> Kind regards
> Philipp Rehs
> University Düsseldorf

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
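The failure the reply pins on `keysize 128` can be caught by linting the server config before the daemon is restarted. The Python script below is an added example written for this page; it is not code from the thread or from the OpenVPN project. It parses a server config, collects every cipher a 2.4 server could end up using on the data channel (the `cipher` line plus the negotiation list, which it assumes defaults to AES-256-GCM:AES-128-GCM when there is no `ncp-ciphers` line and `ncp-disable` is absent, matching the "negotiated cipher 'AES-256-GCM'" in the log), and reports any fixed-length AES cipher whose key size disagrees with `keysize`. The sample configs are constructed excerpts of the one posted above, one with `keysize 128` and one with the line removed.

```python
import re

# Constructed excerpt of the server config posted in the thread (not the
# full file): the data-channel-relevant lines plus the offending keysize.
BROKEN_SERVER_CONF = """\
port 1203
proto tcp
dev tun2570
topology subnet
server 10.8.25.0 255.255.255.0
tls-server
keysize 128
auth SHA256
cipher AES-128-CBC
"""

# The same excerpt with the fix the reply recommends: drop --keysize.
FIXED_SERVER_CONF = BROKEN_SERVER_CONF.replace("keysize 128\n", "")

# Assumption: OpenVPN 2.4's default negotiation (NCP) list when the server
# config has no --ncp-ciphers line and --ncp-disable is absent.
DEFAULT_NCP_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]


def parse_options(conf_text):
    """Map option name -> list of argument lists, one per occurrence.

    Comments start at '#' or ';' (also inline, as in the posted
    'script-security 3 # ...' line); blank lines are skipped.
    """
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def cipher_key_bits(cipher_name):
    """Key length implied by an AES cipher name ('AES-256-GCM' -> 256).

    Returns None for names this helper does not understand, so that
    unknown ciphers are skipped rather than misreported.
    """
    m = re.match(r"AES-(\d+)-", cipher_name.upper())
    return int(m.group(1)) if m else None


def data_channel_ciphers(opts):
    """Every cipher a 2.4 server could use on the data channel, in order.

    Starts with the --cipher value, then adds the NCP list unless
    negotiation is disabled; the negotiated cipher wins for 2.4 peers,
    which is why 'cipher AES-128-CBC' alone did not save the poster.
    """
    ciphers = [args[0] for args in opts.get("cipher", []) if args]
    if "ncp-disable" not in opts:
        ncp = opts.get("ncp-ciphers")
        if ncp and ncp[0]:
            ciphers += ncp[0][0].split(":")
        else:
            ciphers += DEFAULT_NCP_CIPHERS
    unique = []
    for c in ciphers:
        if c not in unique:
            unique.append(c)
    return unique


def lint_keysize(conf_text):
    """Return a list of findings about --keysize; an empty list means clean."""
    opts = parse_options(conf_text)
    findings = []
    if "keysize" not in opts:
        return findings
    keysize = int(opts["keysize"][0][0])
    findings.append("--keysize is set; remove it (OpenVPN is deprecating the option)")
    for cipher in data_channel_ciphers(opts):
        bits = cipher_key_bits(cipher)
        if bits is not None and bits != keysize:
            findings.append(
                f"keysize {keysize} conflicts with fixed-length cipher {cipher} "
                f"({bits}-bit key): OpenSSL rejects it with 'invalid key length'"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SERVER_CONF), ("fixed", FIXED_SERVER_CONF)):
        print(f"[{label}]")
        for finding in lint_keysize(conf) or ["no --keysize findings"]:
            print("  -", finding)
```

Run against the posted excerpt, the broken config yields two findings (the deprecated option itself, and the clash between `keysize 128` and the negotiated AES-256-GCM), while the same config with `ncp-disable` added or with `keysize` removed yields only the deprecation note or nothing, which mirrors why the 2.3 server worked and the 2.4 one aborts.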
