• Hello everyone,

    i have 3 pfsense boxes on hardware, all running version 2.4.5-p1. (latest)

    same Open VPN configuration on all. The client exports are different !!! actually 1-2 are working, 3 is not. All exports is with windows 10 latest export (2.5, not legacy)

    The difference is on Cipher lines. i don't know why. Anyone with experience with this ?
    Servers and settings and networks are ok , triple checked. If i manually edit the .ovpn pfsense 3 is working. I just want to know what's wrong. Thanks for any suggestions.

    pfsense1-pfSense-UDP4-1194-config.ovpn

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    data-ciphers AES-128-GCM
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 192.168.2.21 1194 udp4
    auth-user-pass
    ca makariou-pfSense-UDP4-1194-ca.crt
    tls-auth makariou-pfSense-UDP4-1194-tls.key 1
    remote-cert-tls server

    pfsense2-pfSense-UDP4-1194-config.ovpn

    dev tun
    persist-tun
    persist-key
    ncp-ciphers AES-128-GCM
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 192.168.2.22 1194 udp
    auth-user-pass
    ca pfSense-client-UDP4-1194-ca.crt
    tls-auth pfSense-client-UDP4-1194-tls.key 1
    remote-cert-tls server

    pfsense3-pfSense-UDP4-1194-config.ovpn

    dev tun
    persist-tun
    persist-key
    data-ciphers AES-128-GCM
    data-ciphers-fallback AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 192.168.2.23 1194 udp4
    auth-user-pass
    ca pfSense-client-UDP4-1194-ca.crt
    tls-auth pfSense-client-UDP4-1194-tls.key 1
    remote-cert-tls server

    Error from windows client:

    2020-12-30 21:48:12 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
    2020-12-30 21:48:12 Windows version 10.0 (Windows 10 or greater) 64bit
    2020-12-30 21:48:12 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
    Enter Management Password:
    2020-12-30 21:48:14 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.23:1194
    2020-12-30 21:48:14 UDPv4 link local (bound): [AF_INET][undef]:1194
    2020-12-30 21:48:14 UDPv4 link remote: [AF_INET]192.168.2.23:1194
    2020-12-30 21:48:14 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    2020-12-30 21:48:14 [VPN-certificate] Peer Connection Initiated with [AF_INET]192.168.2.23:1194
    2020-12-30 21:48:16 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
    2020-12-30 21:48:16 ERROR: Failed to apply push options
    2020-12-30 21:48:16 Failed to open tun/tap interface
    2020-12-30 21:48:16 SIGUSR1[soft,process-push-msg-failed] received, process restarting

    (and repeats...)


  • @bambos
    Look at your ciphers , in the server definitions

    They are not the same on all 3 instances.

    Maybe make 3 use the same ciphers as 1 or 2


  • Dear @bingo600 ,

    The ciphers are the same on all 3 setups. The issue is that one of them exporting on cipher line an added term of "fallback". This instance is not working, reporting the error on log i have posted before.


    data-ciphers AES-128-GCM
    data-ciphers-fallback AES-128-CBC

    If i edit manually the .ovpn file, is Working ! My question is: what caused this and if it is a bug of the export tool. In that case, how i can export manually ?


  • I have notice that the VPN client export package version was different !

    The latest one (1.5_4) adding this fallback AES line causing issues on Latest Windows 10 package. On legacy Windows package is ok !!!

    How we can transfer this bug to developers ?


  • @bambos :

    Or check the new

    f3a80a39-3d31-48da-a005-30cfb324fc61-image.png

    ?

  • Rebel Alliance Developer Netgate

    It's not a bug.

    Option 1: Update your clients to OpenVPN 2.5.x
    Option 2: Check the legacy box before exporting