Netgate Discussion Forum
    getting rid of openvpn warnings

    OpenVPN
    2 Posts 1 Posters 1.8k Views
    sgw

      We run pfSense 22.05 with OpenVPN server 2.6.

      I configured an OpenVPN server instance, mostly following the docs.

      Here is an edited and anonymized config taken from the filesystem:

      dev ovpns2
      disable-dco
      verb 4
      dev-type tun
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp4
      auth SHA256
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      client-connect /usr/local/sbin/openvpn.attributes.sh
      client-disconnect /usr/local/sbin/openvpn.attributes.sh
      local 10.100.99.203
      engine rdrand
      tls-server
      server 172.x.y.0 255.255.255.0
      client-config-dir /var/etc/openvpn/server2/csc
      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user TERBUDEsTERBUDI= true server2 1194
      tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpntest.my.tld' 2"
      lport 1194
      management /var/etc/openvpn/server2/sock unix
      push "route 10.x.y.0 255.255.0.0"
      push "route 10.yy.z.0 255.255.255.0"
      push "dhcp-option DOMAIN some.tld"
      push "dhcp-option DNS 10.0.0.69"
      push "register-dns"
      duplicate-cn
      remote-cert-tls client
      capath /var/etc/openvpn/server2/ca
      cert /var/etc/openvpn/server2/cert 
      key /var/etc/openvpn/server2/key 
      dh /etc/dh-parameters.2048
      tls-auth /var/etc/openvpn/server2/tls-auth 0
      data-ciphers AES-256-CBC:AES-256-GCM
      data-ciphers-fallback AES-256-GCM
      allow-compression no
      persist-remote-ip
      float
      topology subnet
      push "dhcp-option DOMAIN another.tld"
      push "dhcp-option DOMAIN more.tld"
      push "dhcp-option DOMAIN some.tld"

      That server works OK. I use it from my Fedora 37 beta workstation with OpenVPN client 2.5.x, and we are also able to establish a tunnel with Tunnelblick on Apple hardware.

      But it isn't perfect; we see these warnings:

      WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
      WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
      WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1553'

      I fiddled with the exported config (produced by the pfSense package openvpn-client-export 1.6_8).

      I don't have "keysize" in my .ovpn, for example, so why does it complain? Is it because of different releases on client and server?

      Edited .ovpn:

      dev tun
      persist-tun
      persist-key
      data-ciphers AES-256-CBC:AES-256-GCM
      data-ciphers-fallback AES-256-GCM
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote vpntest.our.tld 1194 udp
      verify-x509-name "vpntest.our.tld" name
      
      remote-cert-tls server
      
      auth-user-pass
      auth-nocache
      
      explicit-exit-notify
      verb 4
      
      ca our_chain.pem
      key my_key.pem
      cert my_cert.pem
      
      tls-auth tls.key 1

      (I also wonder whether nmcli import changes or skips settings when I import the config into GNOME NetworkManager.)

      I understand that some of these warnings might be safely ignored, but my customer asks me to check whether we could fix them anyway.

      Hints welcome, thanks in advance.

      sgw @sgw
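Editor's note, as an added example that is not part of the post, of pfSense or of OpenVPN: the "is used inconsistently" lines compare the two peers' options-consistency (OCC) strings, which OpenVPN builds from the pre-negotiation data-channel settings (the legacy --cipher default on a 2.5 client, the --data-ciphers-fallback cipher on a 2.6 server), not from the cipher NCP actually settles on. An AEAD fallback such as AES-256-GCM therefore shows up as 'auth [null-digest]' and 'keysize 256' on the server side, and the four-byte link-mtu gap follows from the different cipher and HMAC overhead. The script below parses a server/client pair modelled on the configs posted above (addresses and hostnames are constructed placeholders), works out which cipher the server would pick under the manual's NCP rule (first entry of its own --data-ciphers that the client also offers), confirms that --auth and the --tls-auth key directions agree, and separates OCC warnings that NCP supersedes from ones worth chasing. The classification set is the editor's heuristic, not an OpenVPN API.

```python
"""Cross-check an OpenVPN server/client config pair and pull apart the
"'X' is used inconsistently" warnings logged at connect time.
Added example for the forum thread; not pfSense or OpenVPN code.
Configs and log lines are constructed from the posted text."""
import re
import shlex
from typing import Dict, List, Optional, Tuple

Options = Dict[str, List[List[str]]]  # option name -> every argument list seen

# Trimmed copy of the posted server config; network values are placeholders.
SERVER_CONF = """\
dev ovpns2
dev-type tun
proto udp4
auth SHA256
tls-server
server 172.16.1.0 255.255.255.0
push "dhcp-option DNS 10.0.0.69"
remote-cert-tls client
tls-auth /var/etc/openvpn/server2/tls-auth 0
data-ciphers AES-256-CBC:AES-256-GCM
data-ciphers-fallback AES-256-GCM
allow-compression no
"""

# Trimmed copy of the posted client .ovpn; hostname is a placeholder.
CLIENT_CONF = """\
dev tun
data-ciphers AES-256-CBC:AES-256-GCM
data-ciphers-fallback AES-256-GCM
auth SHA256
tls-client
client
remote vpntest.example.net 1194 udp
verify-x509-name "vpntest.example.net" name
remote-cert-tls server
tls-auth tls.key 1
"""

# The three warnings quoted in the post, used as constructed log input.
LOG_LINES = [
    "WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'",
    "WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'",
    "WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1553'",
]

WARNING_RE = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")

# Editor's heuristic: these OCC fields describe the data channel *before*
# negotiation, so once NCP picks a cipher a mismatch here is noise.
NCP_SUPERSEDED = {"cipher", "keysize", "auth", "link-mtu"}


def parse_conf(text: str) -> Options:
    """shlex handles quoted push arguments and drops '#' comments."""
    opts: Options = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def cipher_list(opts: Options) -> List[str]:
    return opts["data-ciphers"][0][0].split(":") if "data-ciphers" in opts else []


def negotiated_cipher(server: Options, client: Options) -> Optional[str]:
    """Manual's NCP rule: first server entry the client also offers."""
    offered = set(cipher_list(client))
    return next((c for c in cipher_list(server) if c in offered), None)


def is_aead(cipher: str) -> bool:
    """AEAD ciphers ignore --auth on the data channel (OCC: null-digest)."""
    return cipher.upper().endswith("-GCM") or cipher.upper() == "CHACHA20-POLY1305"


def key_direction(opts: Options) -> Optional[str]:
    """--key-direction, or the optional second argument of --tls-auth."""
    if "key-direction" in opts:
        return opts["key-direction"][0][0]
    args = opts.get("tls-auth", [[]])[0]
    return args[1] if len(args) > 1 else None


def tls_auth_complementary(server: Options, client: Options) -> bool:
    """Server 0 / client 1, or both omitted (bidirectional key), else the
    control-channel HMAC fails and no handshake completes."""
    dirs = {key_direction(server), key_direction(client)}
    return dirs == {"0", "1"} or dirs == {None}


def parse_warnings(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(option, local, remote) for every OCC mismatch warning."""
    return [(m["opt"], m["local"], m["remote"])
            for m in map(WARNING_RE.search, lines) if m]


def audit(server_text: str, client_text: str, log_lines: List[str]) -> dict:
    server, client = parse_conf(server_text), parse_conf(client_text)
    negotiated = negotiated_cipher(server, client)
    warnings = parse_warnings(log_lines)
    return {
        "negotiated_cipher": negotiated,
        "data_channel_aead": bool(negotiated) and is_aead(negotiated),
        "auth_matches": server.get("auth") == client.get("auth"),
        "tls_auth_ok": tls_auth_complementary(server, client),
        "warnings_to_investigate": [w for w in warnings if w[0] not in NCP_SUPERSEDED]
        if negotiated else warnings,
    }


if __name__ == "__main__":
    for key, value in audit(SERVER_CONF, CLIENT_CONF, LOG_LINES).items():
        print(f"{key}: {value}")
```

For the posted pair the script reports AES-256-CBC as the negotiated cipher (it heads the server list, so NCP lands on CBC even though the fallback is GCM), matching --auth, complementary tls-auth directions, and nothing left to investigate; swapping the order of --data-ciphers on the server, or omitting --data-ciphers on either side, changes that verdict and is the first thing to re-run it against.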

        I changed "data-ciphers" following this information: link

        Reasonable?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.