OpenVPN Connection Issues - Ciphers
Hi all!
Having some major issues trying to connect to my UDP-based tun OpenVPN Remote Access Server using both OpenVPN Connect (iOS) and Viscosity, with the former returning AUTH_FAILED and Viscosity rejecting the authentication. I have verified that the user/pass combination works using the Diagnostics tab. I’ve set up a CA, server and user certificates, making sure to set the user cert CN equal to the username to match “username-as-common-name”.
Here’s the server config file:
dev ovpns1
verb 6
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local XXX.XXX.XXX.XXX
tls-server
server 10.0.10.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' true server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'user' 1 "
lport 1194
management /var/etc/openvpn/server1.sock unix
max-clients 2
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
push "register-dns"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.4096
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
persist-remote-ip
float
tls-version-min 1.2
This is the client config:
persist-tun
persist-key
cipher AES-256-CBC
auth SHA256
tls-client
client
remote XXX.XXX.XXX.XXX 1194 udp
lport 0
verify-x509-name "user" name
auth-user-pass
ns-cert-type server
comp-lzo no
tls-version-min 1.2
<ca>-----BEGIN CERTIFICATE-----
[CERT HERE]
-----END CERTIFICATE-----</ca>
<cert>-----BEGIN CERTIFICATE-----
[CERT HERE]
-----END CERTIFICATE-----</cert>
<key>-----BEGIN PRIVATE KEY-----
[PRIVATE KEY HERE]
-----END PRIVATE KEY-----</key>
<tls-auth>#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[OPENVPN STATIC KEY HERE]
-----END OpenVPN Static key V1-----</tls-auth>
key-direction 1
Below are the server connection logs from pfSense syslog for when trying to connect with the iOS OpenVPN Connect app...
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Re-using SSL/TLS context
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 LZO compression initialized
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel MTU parms [ L:1570 D:178 EF:78 EB:0 ET:0 EL:3 ]
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Data Channel MTU parms [ L:1570 D:1450 EF:70 EB:143 ET:0 EL:3 AF:3/1 ]
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options hash (VER=V4): '8a3b3cca'
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Expected Remote Options hash (VER=V4): '73e43c96'
pid=0 DATA len=0
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:28762, sid=5303e20b 9a86cf51
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [66] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [66] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ 0 ] pid=1 DATA len=0
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
pid=2 DATA len=74
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [166] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #3 ] [ 2 ] pid=1 DATA len=100
pid=2 DATA len=100
pid=3 DATA len=100
pid=4 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #4 ] [ 1 ]
pid=5 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #5 ] [ 2 ]
pid=6 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #6 ] [ 3 ]
pid=7 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #7 ] [ 4 ]
pid=8 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #8 ] [ 5 ]
pid=9 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #9 ] [ 6 ]
pid=10 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #10 ] [ 7 ]
pid=11 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #11 ] [ 8 ]
pid=12 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #12 ] [ 9 ]
pid=13 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #13 ] [ 10 ]
pid=14 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #14 ] [ 11 ]
pid=15 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #15 ] [ 12 ]
pid=16 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #16 ] [ 13 ]
pid=17 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #17 ] [ 14 ]
pid=18 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #18 ] [ 15 ]
pid=19 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #19 ] [ 16 ]
pid=20 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #20 ] [ 17 ]
pid=21 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #21 ] [ 18 ]
pid=22 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #22 ] [ 19 ]
pid=23 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #23 ] [ 20 ]
pid=24 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #24 ] [ 21 ]
pid=25 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #25 ] [ 22 ]
pid=26 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #26 ] [ 23 ]
pid=27 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #27 ] [ 24 ]
pid=28 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #28 ] [ 25 ]
pid=29 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #29 ] [ 26 ]
pid=30 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #30 ] [ 27 ]
pid=31 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #31 ] [ 28 ]
pid=32 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #32 ] [ 29 ]
pid=33 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #33 ] [ 30 ]
pid=34 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #34 ] [ 31 ]
pid=35 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #35 ] [ 32 ]
pid=36 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #36 ] [ 33 ]
pid=37 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #37 ] [ 34 ]
pid=38 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #38 ] [ 35 ]
pid=39 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #39 ] [ 36 ]
pid=40 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #40 ] [ 37 ]
pid=41 DATA len=100
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #41 ] [ 38 ]
pid=42 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #42 ] [ 39 ]
pid=43 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #43 ] [ 40 ]
pid=44 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #44 ] [ 41 ]
pid=45 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #45 ] [ 42 ]
pid=46 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #46 ] [ 43 ]
pid=47 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #47 ] [ 44 ]
pid=48 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #48 ] [ 45 ]
pid=49 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #49 ] [ 46 ]
pid=50 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #50 ] [ 47 ]
pid=51 DATA len=100
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #51 ] [ 48 ]
pid=52 DATA len=70
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #52 ] [ 49 ]
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #53 ] [ 50 ]
05:20:38 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #54 ] [ 51 ]
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [1416] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #55 ] [ 52 ] pid=3 DATA len=1350
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #55 ] [ 3 ]
pid=4 DATA len=1350
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY SCRIPT OK: depth=1, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 CRL CHECK OK: C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=1, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY SCRIPT OK: depth=0, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 CRL CHECK OK: C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=0, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #56 ] [ 4 ]
pid=5 DATA len=117
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [141] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #57 ] [ 5 ] pid=53 DATA len=75
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [551] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #58 ] [ 53 ] pid=6 DATA len=485
05:20:39 openvpn: user 'user' could not authenticate.
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1 #<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 TLS Auth Error: Auth Username/Password verification failed for peer
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [166] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_CONTROL_V1 kid=0 pid=[ #58 ] [ 6 ] pid=54 DATA len=100
pid=55 DATA len=100
pid=56 DATA len=77
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #59 ] [ 54 ]
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #60 ] [ 55 ]
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 READ [62] from [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #61 ] [ 56 ]
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 [user] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:28762
pid=7 DATA len=69
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 PUSH: Received control message: 'PUSH_REQUEST'
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Delayed exit in 5 seconds
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 UDPv4 WRITE [62] to [AF_INET]XXX.XXX.XXX.XXX:28762: P_ACK_V1 kid=0 pid=[ #61 ] [ 7 ]
pid=57 DATA len=69
pid=57 DATA len=69
05:20:42 openvpn[97951]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
05:20:42 openvpn[97951]: MANAGEMENT: CMD 'status 2'
05:20:42 openvpn[97951]: MANAGEMENT: CMD 'quit'
05:20:42 openvpn[97951]: MANAGEMENT: Client disconnected
05:20:44 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SIGTERM[soft,delayed-exit] received, client-instance exiting
The cipher choice (esp. the SHA digest!) in this line rather surprises me as well, given the settings I set in the client and server configs… perhaps to do with OpenVPN Connect (iOS) settings (force AES-CBC ciphers was disabled; with it enabled, however, the SHA digest was still being used):
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Hopefully I’ve given enough detail to help! I really hope I can get this to work, but security is something I do not wish to compromise on… tried with the SHA384 and SHA512 digest algorithms as well, but both (unsurprisingly) failed... (mind you, SHA384 is officially supported according to the OpenVPN supported ciphers list in the pfSense shell)...
Thanks!
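A triage script for the handshake log above, added here as an editor's example; it is not part of the original post, nor pfSense or OpenVPN code. It reads the server-side lines that decide the outcome (the local options string, VERIFY OK per certificate depth, option-inconsistency warnings, the --auth-user-pass-verify exit status, the negotiated control-channel suite, AUTH_FAILED) and reports which stage rejected the client. The sample lines are excerpted from the log in the post (addresses masked as in the post); the "is used inconsistently" and "cannot locate HMAC in incoming packet" patterns are real OpenVPN messages that do not occur in this log and are included so the same script also covers a cipher/auth mismatch between peers or a tls-auth key/direction mismatch. Note that the `Control Channel:` line reports the TLS cipher suite negotiated for the control channel, which the `tls-cipher` directive restricts, while `auth SHA256` governs the data-channel HMAC and shows up in the options string; the script reports the two separately.

```python
"""Triage an OpenVPN server log (verb 4 or higher) to find where a client handshake failed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Lines excerpted from the server log in the post above, abridged to the ones triage needs.
SAMPLE_LOG = """\
05:20:37 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Local Options String: 'V4,dev-type tun,link-mtu 1570,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=1, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=internal-ca
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 VERIFY OK: depth=0, C=US, ST=internal, L=Int, O=IntPF, emailAddress=pfsenselocal@localpfsense, CN=user
05:20:39 openvpn: user 'user' could not authenticate.
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 TLS Auth Error: Auth Username/Password verification failed for peer
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
05:20:39 openvpn[97951]: XXX.XXX.XXX.XXX:28762 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
"""

RE_LOCAL_OPTS = re.compile(r"Local Options String: '([^']*)'")
RE_VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+)")
# Logged when the peer's advertised options differ from ours (cipher, auth, comp-lzo, link-mtu, ...).
RE_INCONSISTENT = re.compile(r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
RE_SCRIPT_FAIL = re.compile(r"auth-user-pass-verify\): external program exited with error status: (\d+)")
# Control-channel TLS suite, e.g. "cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA," (selected via --tls-cipher).
RE_CONTROL = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+),")
# Logged when the tls-auth static key or key-direction does not match the peer's.
RE_NO_HMAC = re.compile(r"TLS Error: cannot locate HMAC in incoming packet")
RE_AUTH_FAILED = re.compile(r"SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED'")


@dataclass
class Triage:
    data_cipher: Optional[str] = None      # --cipher from the options string (data channel)
    data_auth: Optional[str] = None        # --auth HMAC digest from the options string (data channel)
    tls_version: Optional[str] = None      # negotiated TLS version of the control channel
    control_suite: Optional[str] = None    # negotiated TLS cipher suite of the control channel
    verify_ok_depths: set = field(default_factory=set)   # certificate depths that passed VERIFY OK
    inconsistent: dict = field(default_factory=dict)     # option -> (local, remote) for mismatches
    hmac_missing: bool = False
    script_exit_status: Optional[int] = None
    auth_failed: bool = False
    verdict: str = ""


def _option_value(opts: str, key: str) -> Optional[str]:
    """Return the value of `key` in a comma-separated OpenVPN options string."""
    for token in opts.split(","):
        k, _, v = token.strip().partition(" ")
        if k == key:
            return v
    return None


def _verdict(t: Triage) -> str:
    if t.inconsistent:
        return "option mismatch between peers (%s): align client and server configs" % ", ".join(sorted(t.inconsistent))
    if t.hmac_missing:
        return "tls-auth HMAC not found: static key or key-direction mismatch"
    if 0 in t.verify_ok_depths and t.script_exit_status not in (None, 0):
        return ("certificate chain verified, but --auth-user-pass-verify exited %d: the username/password "
                "backend rejected the login; TLS, certificates and cipher/auth settings are not the cause"
                % t.script_exit_status)
    if 0 in t.verify_ok_depths and t.auth_failed:
        return "AUTH_FAILED sent after certificate verification with no script error logged"
    if 0 not in t.verify_ok_depths:
        return "client certificate was never verified: handshake did not reach authentication"
    return "no authentication failure found in this log"


def triage(log_text: str) -> Triage:
    """Scan one client session's server log lines and classify the failure."""
    t = Triage()
    for line in log_text.splitlines():
        if m := RE_LOCAL_OPTS.search(line):
            t.data_cipher = _option_value(m.group(1), "cipher")
            t.data_auth = _option_value(m.group(1), "auth")
        elif m := RE_VERIFY_OK.search(line):
            t.verify_ok_depths.add(int(m.group(1)))
        elif m := RE_INCONSISTENT.search(line):
            t.inconsistent[m.group(1)] = (m.group(2), m.group(3))
        elif m := RE_SCRIPT_FAIL.search(line):
            t.script_exit_status = int(m.group(1))
        elif m := RE_CONTROL.search(line):
            t.tls_version, t.control_suite = m.group(1), m.group(2)
        elif RE_NO_HMAC.search(line):
            t.hmac_missing = True
        elif RE_AUTH_FAILED.search(line):
            t.auth_failed = True
    t.verdict = _verdict(t)
    return t


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("data channel : cipher=%s auth=%s" % (r.data_cipher, r.data_auth))
    print("control chan : %s %s" % (r.tls_version, r.control_suite))
    print("verdict      : %s" % r.verdict)
```

Run it against a single session's lines (filter syslog on the client's `ip:port` prefix first when several clients are connecting); for the log in the post it reports that both certificate depths verified and that the auth script, not TLS, returned the failure.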