Netgate Discussion Forum

    Some warnings on OpenVPN client connections

    • _neok_

      Hi all, I am using pfSense CE 2.6.0 in which I configured an OpenVPN server to which several clients connect using OpenVPN Connect V3 (Windows).
      The server works fine and the clients connect without problems with cipher AES-256-GCM. But there are some warnings in the OpenVPN server log, and I would like to know what they are due to.

      May 30 15:37:26	openvpn	24642	152.171.135.2:26292 WARNING: 'keysize' is used inconsistently, local='keysize 192', remote='keysize 128'
      May 30 15:37:26	openvpn	24642	152.171.135.2:26292 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
      May 30 15:37:26	openvpn	24642	152.171.135.2:26292 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1553'
      

      This is the server and client configuration I am using.

      server:

      <openvpn>
      <openvpn-server>
      <vpnid>1</vpnid>
      <mode>server_tls</mode>
      <protocol>UDP4</protocol>
      <dev_mode>tun</dev_mode>
      <interface>wan</interface>
      <ipaddr></ipaddr>
      <local_port>1194</local_port>
      <description><![CDATA[OpenVPN-TSA]]></description>
      <custom_options>reneg-sec 0
      push "dhcp-option ADAPTER_DOMAIN_SUFFIX domain.local"</custom_options>
      <tls>blablabla</tls>
      <tls_type>crypt</tls_type>
      <tlsauth_keydir>0</tlsauth_keydir>
      <caref>628bd437b8d94</caref>
      <crlref>628bd47295128</crlref>
      <ocspurl></ocspurl>
      <certref>628bef8b0b14e</certref>
      <dh_length>none</dh_length>
      <ecdh_curve>none</ecdh_curve>
      <cert_depth>1</cert_depth>
      <remote_cert_tls>yes</remote_cert_tls>
      <data_ciphers_fallback>AES-192-GCM</data_ciphers_fallback>
      <digest>SHA256</digest>
      <engine>rdrand</engine>
      <tunnel_network>192.168.21.0/24</tunnel_network>
      <tunnel_networkv6></tunnel_networkv6>
      <remote_network></remote_network>
      <remote_networkv6></remote_networkv6>
      <gwredir></gwredir>
      <gwredir6></gwredir6>
      <local_network>10.10.8.0/22,192.168.20.0/27,192.168.119.0/24</local_network>
      <local_networkv6></local_networkv6>
      <maxclients>50</maxclients>
      <allow_compression>no</allow_compression>
      <compression></compression>
      <compression_push></compression_push>
      <passtos></passtos>
      <client2client></client2client>
      <dynamic_ip>yes</dynamic_ip>
      <topology>subnet</topology>
      <serverbridge_dhcp></serverbridge_dhcp>
      <serverbridge_interface>none</serverbridge_interface>
      <serverbridge_routegateway></serverbridge_routegateway>
      <serverbridge_dhcp_start></serverbridge_dhcp_start>
      <serverbridge_dhcp_end></serverbridge_dhcp_end>
      <dns_domain>domain.local</dns_domain>
      <dns_server1>10.10.8.3</dns_server1>
      <dns_server2>10.10.8.2</dns_server2>
      <dns_server3></dns_server3>
      <dns_server4></dns_server4>
      <username_as_common_name><![CDATA[disabled]]></username_as_common_name>
      <exit_notify>1</exit_notify>
      <sndrcvbuf></sndrcvbuf>
      <push_register_dns>yes</push_register_dns>
      <netbios_enable></netbios_enable>
      <netbios_ntype>0</netbios_ntype>
      <netbios_scope></netbios_scope>
      <create_gw>v4only</create_gw>
      <verbosity_level>1</verbosity_level>
      <data_ciphers>AES-256-GCM</data_ciphers>
      <ncp_enable>enabled</ncp_enable>
      <ping_method>keepalive</ping_method>
      <keepalive_interval>10</keepalive_interval>
      <keepalive_timeout>60</keepalive_timeout>
      <ping_seconds>10</ping_seconds>
      <ping_push></ping_push>
      <ping_action>ping_restart</ping_action>
      <ping_action_seconds>60</ping_action_seconds>
      <ping_action_push></ping_action_push>
      <inactive_seconds>300</inactive_seconds>
      </openvpn-server>

      client:

      dev tun
      persist-tun
      persist-key
      data-ciphers AES-256-GCM:AES-192-GCM
      data-ciphers-fallback AES-192-GCM
      auth SHA256
      tls-client
      client
      resolv-retry infinite

      lport 0
      verify-x509-name "www.somedomain.com" name
      remote-cert-tls server
      explicit-exit-notify
      key-direction 1
      <connection>
      remote openvpn1.somedomain.com 1194 udp
      </connection>
      <connection>
      remote openvpn2.somedomain.com 1194 udp
      </connection>

      <ca>
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      </ca>
      <cert>
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      </cert>
      <key>
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
      </key>
      <tls-crypt>

      2048 bit OpenVPN static key

      -----BEGIN OpenVPN Static key V1-----
      -----END OpenVPN Static key V1-----
      </tls-crypt>

      Any hints as to what these warnings are due to would be more than appreciated.

      Thanks
      Gabriel
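
Added example (not part of the original post, and not pfSense or OpenVPN code): OpenVPN logs these warnings when the option string it computed locally differs from the one the peer sent. The Python below parses the three log lines from the post and looks up which directive in the posted server and client configs carries each reported value; the `SERVER` and `CLIENT` dictionaries are hand-copied from those configs, and the function names are made up for this example.

```python
import re

# The three warning lines from the post (pfSense log fields are tab-separated).
LOG = (
    "May 30 15:37:26\topenvpn\t24642\t152.171.135.2:26292 WARNING: 'keysize' is used "
    "inconsistently, local='keysize 192', remote='keysize 128'\n"
    "May 30 15:37:26\topenvpn\t24642\t152.171.135.2:26292 WARNING: 'auth' is used "
    "inconsistently, local='auth [null-digest]', remote='auth SHA256'\n"
    "May 30 15:37:26\topenvpn\t24642\t152.171.135.2:26292 WARNING: 'link-mtu' is used "
    "inconsistently, local='link-mtu 1549', remote='link-mtu 1553'\n"
)

# Cipher and digest settings hand-copied from the configs in the post.
SERVER = {"data_ciphers": "AES-256-GCM",
          "data_ciphers_fallback": "AES-192-GCM",
          "digest": "SHA256"}
CLIENT = {"data-ciphers": "AES-256-GCM:AES-192-GCM",
          "data-ciphers-fallback": "AES-192-GCM",
          "auth": "SHA256"}

WARN = re.compile(
    r"(?P<peer>\S+) WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")

def parse_warnings(text):
    """Return one dict per warning: peer, option, local value, remote value."""
    return [{"peer": m["peer"], "option": m["opt"],
             # Drop the repeated option name: 'keysize 192' -> '192'.
             "local": m["local"].partition(" ")[2],
             "remote": m["remote"].partition(" ")[2]}
            for m in WARN.finditer(text)]

def directives_with(value, option, config):
    """Names of the config directives that carry the reported value."""
    hits = []
    for name, setting in config.items():
        if option == "keysize":
            # Cipher names embed the key length, e.g. AES-192-GCM is 192 bits.
            pat = rf"[A-Z0-9]+-{re.escape(value)}-[A-Z0-9]+"
            found = any(re.fullmatch(pat, c) for c in setting.split(":"))
        else:
            found = setting == value
        if found:
            hits.append(name)
    return hits

def trace(text):
    """Map each warned option to the directives matching its local/remote value."""
    return {w["option"]: {"local": directives_with(w["local"], w["option"], SERVER),
                          "remote": directives_with(w["remote"], w["option"], CLIENT)}
            for w in parse_warnings(text)}
```

An empty list means the reported value appears in neither posted config, which is the case for the remote `keysize 128`, the local `[null-digest]` and both `link-mtu` values.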
