Upgrading to openvpn 2.6 breaks communication in a tunnel I'm using. Downgrading back to openvpn 2.5 fixes the problem.

Openvpn brings up the tunnel interface but cannot receive data. Syslog reports auth algo inconsistency when initializing and auth errors when receiving traffic. I do not host the openvpn server so no logs from the server side.

Looks like a problem with the authentication algorithm. The auth parameter in my client config is set to "SHA256" yet the syslog reports it as "SHA2-256".

Syslog when starting openvpn:

May 21 10:44:07 hanuri ovpn-tunnel[40673]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
May 21 10:44:07 hanuri ovpn-tunnel[40673]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
May 21 10:44:07 hanuri ovpn-tunnel[40673]: OpenVPN 2.6_git x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on May 20 2022
May 21 10:44:07 hanuri ovpn-tunnel[40673]: library versions: OpenSSL 3.0.3 3 May 2022, LZO 2.10
May 21 10:44:07 hanuri ovpn-tunnel[40674]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 21 10:44:07 hanuri ovpn-tunnel[40674]: TUN/TAP device tun0 opened
May 21 10:44:07 hanuri ovpn-tunnel[40674]: /opt/script/tunnel_postconfig.sh tun0 1500 0 init
May 21 10:44:07 hanuri ovpn-tunnel[40674]: TCP/UDP: Preserving recently used remote address: [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:07 hanuri ovpn-tunnel[40674]: Note: enable extended error passing on TCP/UDP socket failed (IPV6_RECVERR): Protocol not available (errno=92)
May 21 10:44:07 hanuri ovpn-tunnel[40674]: UDPv4 link local: (not bound)
May 21 10:44:07 hanuri ovpn-tunnel[40674]: UDPv4 link remote: [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:07 hanuri ovpn-tunnel[40674]: WARNING: 'auth' is used inconsistently, local='auth SHA2-256', remote='auth SHA256'
May 21 10:44:07 hanuri ovpn-tunnel[40674]: [openvpn] Peer Connection Initiated with [AF_INET]nn.nn.nn.nn:1194
May 21 10:44:08 hanuri ovpn-tunnel[40674]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 21 10:44:08 hanuri ovpn-tunnel[40674]: Initialization Sequence Completed
May 21 10:44:27 hanuri ovpn-tunnel[40674]: Authenticate/Decrypt packet error: packet HMAC authentication failed
May 21 10:44:33 hanuri last message repeated 5 times

tunnel.conf:

-8<-
tls-client
dev tun
proto udp4
remote nn.nn.nn.nn 1194
cipher AES-256-CBC
auth SHA256
resolv-retry 60
nobind
persist-key
persist-tun
ca keys/tunnel-ca.crt
cert keys/tunnel.crt
key keys/tunnel.key
remote-cert-tls server
tls-auth keys/tunnel-ta.key 1
comp-lzo
verb 1
route-nopull
tun-ipv6
script-security 2
up /opt/script/tunnel_postconfig.sh
-8<-
Hi Antti,

> Upgrading to openvpn 2.6 breaks communication in a tunnel I'm using.
> Downgrading back to openvpn 2.5 fixes the problem.
>
> Openvpn brings up the tunnel interface but cannot receive data. Syslog
> reports auth algo inconsistency when initializing and auth errors when
> receiving traffic.

could you please check the changelog at

https://github.com/OpenVPN/openvpn/blob/dco/Changes.rst

whether some of the options described there make any sense to you? I'm especially thinking of

Compatibility mode (--compat-mode)
    The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0 with older peers. The options --compat-mode allows UIs to provide users with an easy way to still connect to older servers.

Could you set

verb 2

I'm hoping to find some clue in the data pushed by the remote side.

Best Regards,
Bernhard
Hi Bernhard,

"--cipher argument is no longer appended to --data-ciphers"

Adding "data-ciphers AES-256-CBC" to my client config makes it work on openvpn 2.6.

Thank you for your help! Turns out it was a user error after all. :(
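The mismatch resolved above can be caught before an upgrade by checking whether a config's `cipher` is covered by its effective `data-ciphers`. This is an added example, not part of the original thread or of OpenVPN; the function names are hypothetical, and the default list used when `data-ciphers` is absent is an assumption to verify against your build's man page.

```python
import shlex

# Assumption of this example: the list OpenVPN 2.6 offers when data-ciphers
# is absent. Check `man openvpn` for the build you run.
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"


def parse_options(text):
    """Map each directive to its argument list (last occurrence wins)."""
    opts = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):          # ';' comment line
            continue
        words = shlex.split(raw, comments=True)   # also drops '#' comments
        if words:
            opts[words[0].lstrip("-")] = words[1:]
    return opts


def check_cipher_negotiation(text):
    """Report whether `cipher` is covered by the effective `data-ciphers`."""
    opts = parse_options(text)
    cipher = (opts.get("cipher") or [None])[0]
    spec = (opts.get("data-ciphers") or [DEFAULT_DATA_CIPHERS])[0]
    # A leading '?' marks an optional entry in the list.
    offered = [c.lstrip("?").upper() for c in spec.split(":") if c]
    return {
        "cipher": cipher,
        "offered": offered,
        "mismatch": cipher is not None and cipher.upper() not in offered,
        # Options that change the outcome and need a manual look.
        "review": sorted(o for o in ("compat-mode", "data-ciphers-fallback")
                         if o in opts),
    }


# Relevant lines of tunnel.conf from the report, then with the fix applied.
REPORTED = """\
tls-client
dev tun
proto udp4
cipher AES-256-CBC
auth SHA256
comp-lzo
"""
FIXED = REPORTED + "data-ciphers AES-256-CBC\n"

if __name__ == "__main__":
    for name, conf in (("reported", REPORTED), ("fixed", FIXED)):
        r = check_cipher_negotiation(conf)
        state = "NOT offered" if r["mismatch"] else "offered"
        print(f"{name}: cipher {r['cipher']} {state} in {':'.join(r['offered'])}")
```
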
We believe that the bug you reported is fixed in the latest version of openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1011372@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 30 May 2022 15:44:41 +0200
Source: openvpn
Architecture: source
Version: 2.6.0~git20220518+dco-2
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <berni@debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Closes: 1011372
Changes:
 openvpn (2.6.0~git20220518+dco-2) unstable; urgency=medium
 .
   * Add d/NEWS entry about the release notes and DCO (Closes: #1011372)