link-mtu and auth are incorrect when server has ncp-disable and cipher AES-256-GCM

Open tomty89 opened this issue 4 years ago • 4 comments

Both ics-openvpn with openvpn3 and OpenVPN Connect on Android show the problem:

Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_VER=2.5_master
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_PLAT=android
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_PROTO=2
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_NCP=2
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZ4=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZ4v2=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_LZO=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_COMP_STUB=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_COMP_STUBv2=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_TCPNL=1
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:43902
Nov 03 13:50:31 archlinux openvpn[18325]: f5122/192.168.1.131:43902 MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_VER=3.2__qa:d87f5bbc04)
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_PLAT=android
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_NCP=2
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_TCPNL=1
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_PROTO=2
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 peer info: IV_AUTO_SESS=1
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Nov 03 13:50:45 archlinux openvpn[18325]: 192.168.1.131:52861 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:52861
Nov 03 13:50:45 archlinux openvpn[18325]: MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_GUI_VER=OC30Android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_VER=3.git::728733ae:Release
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_PLAT=android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_NCP=2
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_TCPNL=1
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_PROTO=2
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_AUTO_SESS=1
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:54952
Nov 03 13:51:25 archlinux openvpn[18325]: f5122/192.168.1.131:54952 MULTI_sva: pool returned IPv4=192.168.145.3, IPv6=(Not enabled)

As you can see, openvpn 2.5 (in ics-openvpn) doesn't have the same issue.

tomty89 Nov 03 '19 06:11
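
An added example, not part of the original thread or of the OpenVPN project's code: a small Python parser that groups the server log lines above by client ip:port and reports which client `IV_VER` values triggered "used inconsistently" warnings. The function names and the IPv4-only line pattern are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the server log quoted in the issue above.
SAMPLE_LOG = """\
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_VER=2.5_master
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Nov 03 13:50:31 archlinux openvpn[18325]: 192.168.1.131:43902 [f5122] Peer Connection Initiated with [AF_INET]192.168.1.131:43902
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_GUI_VER=OC30Android
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 peer info: IV_VER=3.git::728733ae:Release
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1521'
Nov 03 13:51:25 archlinux openvpn[18325]: 192.168.1.131:54952 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
"""

# "<syslog prefix> openvpn[pid]: [cn/]ip:port message"; IPv4 peers only (assumption).
LINE = re.compile(r"openvpn\[\d+\]: (?:\S+/)?(\d+\.\d+\.\d+\.\d+:\d+) (.*)$")
PEER_INFO = re.compile(r"peer info: (IV_\w+)=(.*)$")
MISMATCH = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")


def summarize(log_text):
    """Group IV_* peer info and option-mismatch warnings by client ip:port."""
    sessions = defaultdict(lambda: {"info": {}, "mismatches": {}})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an OpenVPN per-peer line
        peer, msg = m.groups()
        if pi := PEER_INFO.match(msg):
            sessions[peer]["info"][pi.group(1)] = pi.group(2)
        elif mm := MISMATCH.match(msg):
            # option name -> (server-side value, client-side value)
            sessions[peer]["mismatches"][mm.group(1)] = (mm.group(2), mm.group(3))
    return dict(sessions)


def affected_versions(sessions):
    """Map each client IV_VER to the sorted options it mismatched on."""
    out = defaultdict(set)
    for s in sessions.values():
        if s["mismatches"]:
            out[s["info"].get("IV_VER", "unknown")].update(s["mismatches"])
    return {ver: sorted(opts) for ver, opts in out.items()}


if __name__ == "__main__":
    for ver, opts in affected_versions(summarize(SAMPLE_LOG)).items():
        print(f"IV_VER={ver}: inconsistent {', '.join(opts)}")
```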

Btw, if AES-256-GCM is used via NCP, the problem does NOT occur.

tomty89 Nov 03 '19 06:11

Hmm, seems like it has already been addressed with 29e060f.

tomty89 Nov 06 '19 04:11

> Hmm, seems like it has already been addressed with 29e060f.

It would surprise me a lot if that commit changes this issue.

Can you please provide some logs where we can see where this issue does not appear? Also which version of the OpenVPN server are you running?

dsommers Nov 06 '19 09:11

I already did? The first part of the logs shows that OpenVPN 2.x clients will not cause this. I can also provide logs without ncp-disable set on the server, in which OpenVPN 3.x will not cause this either, even when AES-256-GCM is used.

I thought that commit would fix this as it seems to be relevant, haven't actually tested though. That's why I haven't closed this yet.

Server is 2.4.7.

tomty89 Nov 06 '19 10:11