OpenVPN troubleshooting: Client wont connect to server
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi,
I have configured the openVPN server on my Archer AX50 router before and I was able to connect with OpenVPN client without problems.
At one point the connection couldnt be established anymore. I generated new certificate and downloaded new openVPN config file but it doesn't work. Here are my settings:
-Enable VPN server: checked
-Service type: UDP
-Service port: 1194
-VPN subnet: 10.8.0.0 (255.255.255.0)
-Internet and Home Network.
My ISP modem is in bridge mode and I am using DDNS. I change the public IP address in .opvn config file to DDNS address.
I tried changing many things including the subnet mask and service type to UDP but the connection wont go through. I am trying connect to server with client command line interface on my linux (Ubuntu) machine with: openvpn3 session-start --config OpenVPN-Config.ovpn.
If I print the log when connecting (openvpn3 log --log-level 6 --config OpenVPN-Config.ovpn) I get the error: Client DEBUG: Client exception in transport_recv: crypto_alg: AES-128-CBC: bad cipher for data channel use.
Does anyone know where is the problem?
Thanks for help
Sure, no problem, it's everyone's freedom.
Today I had some spare time to dig into this.
I installed the OpenVPN 3 Client for Linux on my Linux Mint. There is also an older openvpn 2.5.9 installed.
Well, openvpn 2.5.9 connects just fine to my Archer AX50, but openvpn3 v3.8.2 throws the same error that you reported and no working connection is established.
Then I also found this https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
If you scroll down to the section "OpenVPN 3 clients" it says right there that the old CBC ciphers (which are used by the OpenVPN server of the AX50) have been disabled in newer versions of the OpenVPN 3.x library.
Now you might ask why the Windows Connect client v3.x works. Well, I don't know. Explanations I can think of are that the developers of the Windows client either use an older OpenVPN 3.x library that still had the CBC ciphers enabled or that they re-enabled the old ciphers in the newer source code. After all, OpenVPN Inc., the company who makes the OpenVPN Connect client for Windows, is a commercial entity, so they will want their stuff to work conveniently for as many users as possible, and not cause lots of support requests.
