openvpn / openvpn

OpenVPN is an open source VPN daemon

Home Page: http://openvpn.net

License: Other


openvpn's Introduction

OpenVPN -- A Secure tunneling daemon

Copyright (C) 2002-2022 OpenVPN Inc. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.

*************************************************************************

To get the latest release of OpenVPN, go to:

	https://openvpn.net/community-downloads/

To Build and Install,

	tar -zxf openvpn-<version>.tar.gz
	cd openvpn-<version>
	./configure
	make
	make install

or see the file INSTALL for more info.

For information on how to build OpenVPN on/for Windows with MinGW
or MSVC see README.cmake.md.

*************************************************************************

For detailed information on OpenVPN, including examples, see the man page
  http://openvpn.net/man.html

For a sample VPN configuration, see
  http://openvpn.net/howto.html

To report an issue, see
  https://github.com/OpenVPN/openvpn/issues/new
  (Note: We recently switched to GitHub for reporting new issues,
   old issues can be found at:
   https://community.openvpn.net/openvpn/report)

For a description of OpenVPN's underlying protocol,
  see the file ssl.h included in the source distribution.

*************************************************************************

Other Files & Directories:

* configure.ac -- script to rebuild our configure
  script and makefile.

* sample/sample-scripts/verify-cn

  A sample perl script which can be used with OpenVPN's
  --tls-verify option to provide a customized authentication
  test on embedded X509 certificate fields.

* sample/sample-keys/

  Sample RSA keys and certificates.  DON'T USE THESE FILES
  FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE.

* sample/sample-config-files/

  A collection of OpenVPN config files and scripts from
  the HOWTO at http://openvpn.net/howto.html
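
A customized --tls-verify check of the kind the verify-cn sample performs, written here in Python as an added example (it is not the project's own verify-cn script); the allowlist file path is an assumption, not an OpenVPN default:

```python
#!/usr/bin/env python3
"""--tls-verify hook that allowlists client certificate CNs (added example).

OpenVPN runs the --tls-verify command once per certificate in the peer's
chain with two arguments: the depth (0 = the peer certificate itself) and
the X.509 subject string. Exit status 0 accepts, anything else rejects.
"""
import sys

ALLOWLIST_PATH = "/etc/openvpn/allowed-cns.txt"   # assumed location for this example


def parse_subject(subject: str) -> dict:
    """Split an OpenVPN subject string into a {field: value} dict.

    Current releases format the subject as "C=CA, ST=ON, O=Foo, CN=alice";
    the legacy --compat-names format is "/C=CA/ST=ON/O=Foo/CN=alice".
    Split each RDN on the first '=' only, since values may contain '='.
    (A value that itself contains ", " would be split; such subjects are rare.)
    """
    if subject.startswith("/"):
        parts = subject[1:].split("/")
    else:
        parts = subject.split(", ")
    fields = {}
    for rdn in parts:
        key, sep, value = rdn.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def should_accept(depth: int, subject: str, allowed_cns) -> bool:
    """Gate only the peer certificate (depth 0) on its CN.

    Issuer certificates (depth > 0) are passed through: OpenVPN has already
    validated the chain against --ca before --tls-verify is called.
    """
    if depth != 0:
        return True
    cn = parse_subject(subject).get("CN")
    return cn is not None and cn in set(allowed_cns)


def load_allowlist(path: str) -> list:
    """One CN per line; blank lines and '#' comments are ignored."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def main(argv) -> int:
    if len(argv) != 3:
        print("usage: verify-cn.py <depth> <x509-subject>", file=sys.stderr)
        return 2
    try:
        depth = int(argv[1])
        allowed = load_allowlist(ALLOWLIST_PATH)
    except (ValueError, OSError) as exc:
        # Fail closed: an unreadable allowlist must not let anyone in.
        print(f"verify-cn: {exc}", file=sys.stderr)
        return 1
    return 0 if should_accept(depth, argv[2], allowed) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it with `tls-verify /path/to/verify-cn.py` (plus `script-security 2`) on the server; the peer's handshake is aborted whenever the script exits non-zero.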

*************************************************************************

Note that easy-rsa and tap-windows are now maintained in their own subprojects.
Their source code is available here:

  https://github.com/OpenVPN/easy-rsa
  https://github.com/OpenVPN/tap-windows6

Community-provided Windows installers (MSI) and Debian packages are built from

  https://github.com/OpenVPN/openvpn-build

See the INSTALL file for usage information.


openvpn's Issues

Windows: SIGHUP restart fails when using wintun driver

Describe the bug
After a successful connection using OpenVPN-GUI, reconnecting fails with "All wintun adapters on this system are currently in use or disabled." The actual error appears to be with registering ring buffers (see logs below).

To Reproduce
Start a connection on Windows with --windows-driver wintun using OpenVPN-GUI. Once connected, press reconnect which sends SIGHUP. After receiving PUSH_REPLY, the connection will fail with the above error. Tested only using OpenVPN-GUI as wintun needs SYSTEM privileges, but the error doesn't appear to be related to the GUI.

Expected behavior
SIGHUP restart should work

Version information (please complete the following information):

  • OS: Windows 10
  • OpenVPN version: 2.6_rc1

Additional context
Logs after first successful connection (excuse the hacked-up highlighting of errors)

2022-12-28 08:39:23 us=46000 Initialization Sequence Completed
2022-12-28 08:39:23 us=46000 MANAGEMENT: >STATE:1672245563,CONNECTED,SUCCESS,10.9.0.10,x.y.z.136,1194,,,2600:x:y:z::1008
2022-12-28 08:39:27 us=578000 MANAGEMENT: CMD 'signal SIGHUP'
2022-12-28 08:39:27 us=578000 TCP/UDP: Closing socket
2022-12-28 08:39:27 us=578000 Closing TUN/TAP interface
2022-12-28 08:39:27 us=578000 delete_route_ipv6(2600:x:y:z::/64)
2022-12-28 08:39:27 us=578000 IPv6 route deletion via service succeeded
2022-12-28 08:39:27 us=578000 INET6 address service: remove 2600:x:y:z::1008/128
2022-12-28 08:39:27 us=578000 Deleting IPv4 dns servers on 'OpenVPN Wintun' (if_index = 9) using service
2022-12-28 08:39:27 us=656000 IPv4 dns servers deleted using service
2022-12-28 08:39:27 us=656000 INET address service: remove 10.9.0.10/24
2022-12-28 08:39:27 us=671000 SIGHUP[hard,] received, process restarting
2022-12-28 08:39:27 us=671000 MANAGEMENT: >STATE:1672245567,RECONNECTING,SIGHUP,,,,,
2022-12-28 08:39:27 us=671000 --windows-driver is set to 'wintun'. Disabling Data Channel Offload
...
...
2022-12-28 08:39:27 us=687000 Restart pause, 1 second(s)
2022-12-28 08:39:28 us=703000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-28 08:39:28 us=703000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-28 08:39:28 us=703000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-12-28 08:39:28 us=703000 MANAGEMENT: >STATE:1672245568,RESOLVE,,,,,,
2022-12-28 08:39:28 us=703000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-12-28 08:39:28 us=703000 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
2022-12-28 08:39:28 us=703000 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
2022-12-28 08:39:28 us=703000 TCP/UDP: Preserving recently used remote address: [AF_INET]x.y.z.136:1194
2022-12-28 08:39:28 us=703000 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-12-28 08:39:28 us=703000 UDPv4 link local: (not bound)
2022-12-28 08:39:28 us=703000 UDPv4 link remote: [AF_INET]x.y.z.136:1194
2022-12-28 08:39:28 us=703000 MANAGEMENT: >STATE:1672245568,WAIT,,,,,,
2022-12-28 08:39:28 us=734000 MANAGEMENT: >STATE:1672245568,AUTH,,,,,,
2022-12-28 08:39:28 us=734000 TLS: Initial packet from [AF_INET]x.y.z.136:1194, sid=38e44662 ec6699b3
2022-12-28 08:39:28 us=781000 VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Foo, OU=IT, CN=Foo CA, [email protected]
2022-12-28 08:39:28 us=781000 VERIFY KU OK
2022-12-28 08:39:28 us=781000 Validating certificate extended key usage
2022-12-28 08:39:28 us=781000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-12-28 08:39:28 us=781000 VERIFY EKU OK
2022-12-28 08:39:28 us=781000 VERIFY OK: depth=0, C=CA, ST=ON, L=Toronto, O=Foo, OU=IT, CN=ec-384r1, name=server, [email protected]
2022-12-28 08:39:28 us=828000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: RSA-SHA256
2022-12-28 08:39:28 us=828000 [ec-384r1] Peer Connection Initiated with [AF_INET]x.y.z.136:1194
2022-12-28 08:39:28 us=828000 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2022-12-28 08:39:28 us=828000 TLS: tls_multi_process: initial untrusted session promoted to trusted
2022-12-28 08:39:28 us=859000 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,explicit-exit-notify 1,tun-ipv6,tun-ipv6,route-gateway 10.9.0.1,topology subnet,ping 30,ping-restart 60,ifconfig-ipv6 2600:x:y:z::1008/64 2600:x:y:z::1,ifconfig 10.9.0.10 255.255.255.0,peer-id 2,auth-tokenSESS_ID,cipher AES-256-GCM,key-derivation tls-ekm'
2022-12-28 08:39:28 us=859000 Pushed option removed by filter: 'route 192.168.0.0 255.255.255.0'
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: timers and/or timeouts modified
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: explicit notify parm(s) modified
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: --ifconfig/up options modified
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: route-related options modified
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: peer-id set
2022-12-28 08:39:28 us=859000 OPTIONS IMPORT: data channel crypto options modified
2022-12-28 08:39:28 us=859000 interactive service msg_channel=680
2022-12-28 08:39:28 us=859000 open_tun
! 2022-12-28 08:39:28 us=875000 Register ring buffers failed using service: An attempt was made to perform an initialization operation when initialization has already been completed.   [status=0x4df]
! 2022-12-28 08:39:28 us=875000 Failed to register {B34A7ADA-8A81-44F0-9C23-AF21CA64895D} adapter ring buffers
2022-12-28 08:39:28 us=875000 MANAGEMENT: Client disconnected
! 2022-12-28 08:39:28 us=875000 All wintun adapters on this system are currently in use or disabled.
2022-12-28 08:39:28 us=875000 Exiting due to fatal error

OpenVPN GUI scans config-auto

Describe the bug
OpenVPN GUI scans config-auto.

To Reproduce

  1. Copy ovpn config file to C:\Program Files\OpenVPN\config-auto\ folder;
  2. Open OpenVPN GUI context menu in notification area and see that the ovpn config from config-auto is displayed.

Expected behavior
Ovpn configs from the config-auto folder should not be displayed as described in config-auto\README.txt

Version information (please complete the following information):

  • OS: Windows 11 Pro 22H2 22621.900 and Windows 10 Pro 22H2 19045.2311
  • OpenVPN version: 2.5.8. In versions 2.5.7 and below the bug is not reproduced.

OpenVPN

Are 'user nobody' and 'group nogroup' deprecated on Windows as of 2.6?

Describe the bug
I notice these two lines when connecting with OpenVPN-2.6.0-I003-amd64:

Tue Jan 31 21:34:19 2023 NOTE: --user option is not implemented on Windows
Tue Jan 31 21:34:19 2023 NOTE: --group option is not implemented on Windows

To Reproduce

  1. In your normal ovpn, also have these two lines if you don't already:
    user nobody
    group nogroup
  2. Connect
  3. View log

Expected behavior
I expected to connect, and do, and still do without the above lines, but I'm just wondering if it's correct that these are no longer in the Windows client, and if so, what that means. Maybe it's unimportant, but I thought it was for a security reason.

Version information (please complete the following information):

  • OS: Windows 11
  • OpenVPN version: 2.6.0

Additional context
All but sure this is new as of 2.6.0, but even if it's not, the question stands.

2.6_beta1 + p2p --secret + DCO does not work

Describe the bug
2.6_beta1 enables DCO mode for p2p --secret setups, and later crashes because all the TLS bits are not initialized

To Reproduce
Run 2.6_beta1 on a DCO-enabled linux system, with a p2p --secret config

Expected behavior
message in the log file "disabling data channel offload", and running without DCO

Version information (please complete the following information):

  • OS: Ubuntu 20.04
  • OpenVPN version: 2.6_beta1

Authentication plugins coexistence

Scenario:

A server with two authentication plugins is started; one of them checks against a file and the other against a database.

The former can fulfill synchronously, the latter deferred. Assume they are loaded in order based on their position within the configuration file.

The plugin_call_ssl function's main loop calls the first plugin, which returns OPENVPN_PLUGIN_FUNC_ERROR because the given user/pass is not listed in the file. Then it calls the second, which returns OPENVPN_PLUGIN_FUNC_DEFERRED to do an async check on the database.

Because error was set to true, the authentication always fails, no matter whether the user is valid in the database.

Also, if the user/pass exists in the file of the first plugin, the function will return OPENVPN_PLUGIN_FUNC_DEFERRED because deferred_auth_done was set to true in the loop.

Probably, in order to fix this, compatibility with previous versions must be broken.

Kind regards,
Mauro.
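
A model of the verdict combination this report describes, added here as an illustration; it is a toy re-implementation, not OpenVPN's own plugin_call_ssl() code, and the file/database plugins and the alternative first-accept combiner are constructed for the example:

```python
"""Model of how a chain of authentication plugins' verdicts is combined.

Added illustration for the scenario in the report above. This is a toy
re-implementation, not OpenVPN's plugin_call_ssl(); the file and database
plugins are constructed for the example.
"""
from enum import Enum


class Verdict(Enum):
    SUCCESS = "OPENVPN_PLUGIN_FUNC_SUCCESS"
    ERROR = "OPENVPN_PLUGIN_FUNC_ERROR"
    DEFERRED = "OPENVPN_PLUGIN_FUNC_DEFERRED"


def combine_all_must_pass(verdicts):
    """The combination rule the report describes: every plugin must accept.

    An ERROR from any plugin is sticky and wins; otherwise a DEFERRED from
    any plugin makes the whole chain DEFERRED; otherwise SUCCESS.
    """
    error = False
    deferred_auth_done = False
    for v in verdicts:
        if v is Verdict.ERROR:
            error = True
        elif v is Verdict.DEFERRED:
            deferred_auth_done = True
    if error:
        return Verdict.ERROR
    if deferred_auth_done:
        return Verdict.DEFERRED
    return Verdict.SUCCESS


def combine_first_accept(verdicts):
    """Hypothetical alternative rule: any plugin may accept.

    Stops at the first SUCCESS, so later plugins are never called; a
    DEFERRED verdict keeps the decision open for the asynchronous plugin;
    ERROR only when every plugin rejected. This is not OpenVPN behaviour:
    it turns the AND semantics of the chain into OR, which is the
    compatibility break the report anticipates.
    """
    saw_deferred = False
    for v in verdicts:
        if v is Verdict.SUCCESS:
            return Verdict.SUCCESS
        if v is Verdict.DEFERRED:
            saw_deferred = True
    return Verdict.DEFERRED if saw_deferred else Verdict.ERROR


# Constructed plugins. The file plugin answers synchronously; the database
# plugin always defers and would complete its check asynchronously.
USERS_FILE = {"alice": "file-password"}


def file_plugin(user, password):
    return Verdict.SUCCESS if USERS_FILE.get(user) == password else Verdict.ERROR


def db_plugin(user, password):
    return Verdict.DEFERRED


def run_chain(plugins, user, password, combiner):
    """Call plugins in configuration order, feeding verdicts lazily to the combiner."""
    verdicts = (plugin(user, password) for plugin in plugins)
    return combiner(verdicts)


CHAIN = [file_plugin, db_plugin]

if __name__ == "__main__":
    for user, pw in (("alice", "file-password"), ("bob", "db-only-password")):
        print(user,
              "all-must-pass:", run_chain(CHAIN, user, pw, combine_all_must_pass).name,
              "first-accept:", run_chain(CHAIN, user, pw, combine_first_accept).name)
```

With the all-must-pass rule a user known only to the database is rejected before the deferred check can answer, and a user known to the file still ends up DEFERRED, which are the two observations in the report.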

[Mac] OpenVPN Connect 3.3.5 - no internet after disconnect

Tested on Mac OS 12.6.1 and Mac OS 13.1
OpenVPN Connect 3.3.5

Internet does not work after VPN Disconnect.
Workaround - disconnect and connect to Wi-Fi

ping after VPN disconnect

alex@MacBook-Air ~ % ping 8.8.4.4

PING 8.8.4.4 (8.8.4.4): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4

Broken L2TP/IPSec after OpenVPN installed on Windows 11

To Reproduce
Install Windows 11 22H2 (on VirtualBox in my case).
Configure L2TP/IPSec VPN connection with pre-shared key in built-in Windows VPN client. All needed settings can be done via GUI.
Add Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule = 2
Reboot system.
Check that L2TP\IPSec connection can be established.
Install OpenVPN client community edition with default settings.
Check that L2TP\IPSec connection can not be established with error: "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
Uninstall OpenVPN client.
Check that L2TP\IPSec connection still can not be established with same error.

Expected behavior
L2TP/IPSec connection should work.

Version information (please complete the following information):

  • OS: Windows 11 22H2 (VirtualBox, official image)
  • OpenVPN version: 2.5.8

Change IPv4 routing setup on Windows to use CreateIpForwardEntry2()

As discussed in the context of commit 9c6d72c (https://www.mail-archive.com/[email protected]/msg25926.html) the current "install routes on Windows, with metric" is quite ugly, with the Vista+ workaround of using increasing metric values in a loop until things succeed.

The correct fix is to move this all to CreateIpForwardEntry2() and stop using the pre-Vista APIs.

This is something to tackle after 2.6 release, in the "early 2.7 cleanup / restructure" phase.

No IPv4 Address

Describe the bug
When using OpenVPN 2.6.0, our Windows clients can't assign the IPv4 address given by the server, which results in a later failure when the client tries to set routes dependent on that IPv4 address. The issue does not appear when using the old tap-windows6 driver by setting disable-dco in the client config.

Redacted Log (I hope it is still readable enough):

2023-01-27 13:56:46 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-01-27 13:56:46 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
2023-01-27 13:56:46 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-01-27 13:56:46 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2023-01-27 13:56:46 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2023-01-27 13:56:46 Need hold release from management interface, waiting...
2023-01-27 13:56:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:62515
2023-01-27 13:56:47 MANAGEMENT: CMD 'state on'
2023-01-27 13:56:47 MANAGEMENT: CMD 'log on all'
2023-01-27 13:56:47 MANAGEMENT: CMD 'echo on all'
2023-01-27 13:56:47 MANAGEMENT: CMD 'bytecount 5'
2023-01-27 13:56:47 MANAGEMENT: CMD 'state'
2023-01-27 13:56:47 MANAGEMENT: CMD 'hold off'
2023-01-27 13:56:47 MANAGEMENT: CMD 'hold release'
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,RESOLVE,,,,,,
2023-01-27 13:56:47 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_IP:1194
2023-01-27 13:56:47 ovpn-dco device [OpenVPN Data Channel Offload] opened
2023-01-27 13:56:47 UDP link local: (not bound)
2023-01-27 13:56:47 UDP link remote: [AF_INET]REMOTE_IP:1194
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,WAIT,,,,,,
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,AUTH,,,,,,
2023-01-27 13:56:47 TLS: Initial packet from [AF_INET]REMOTE_IP:1194, sid=xxxxxxxx xxxxxxxx
2023-01-27 13:56:47 VERIFY OK: depth=3, REDACTED
2023-01-27 13:56:47 VERIFY OK: depth=2, REDACTED
2023-01-27 13:56:47 VERIFY OK: depth=1, REDACTED
2023-01-27 13:56:47 VERIFY KU OK
2023-01-27 13:56:47 Validating certificate extended key usage
2023-01-27 13:56:47 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-01-27 13:56:47 VERIFY EKU OK
2023-01-27 13:56:47 VERIFY X509NAME OK: REDACTED
2023-01-27 13:56:47 VERIFY OK: depth=0, REDACTED
2023-01-27 13:56:47 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2023-01-27 13:56:47 [REMOTE_DOMAIN] Peer Connection Initiated with [AF_INET]REMOTE_IP:1194
2023-01-27 13:56:47 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-01-27 13:56:47 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-01-27 13:56:47 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS DNS_v4_IP,dhcp-option DNS6 DNS_v6_IP,dhcp-option NTP NTP_v4_IP_1,dhcp-option NTP NTP_v4_IP_2,dhcp-option DOMAIN COMPANY_DOMAIN,ip-win32 dynamic 0 86400,route COMPANY_IP_NET 255.255.0.0,route-ipv6 COMPANY_IP_NET_v6/48,route remote_host 255.255.255.255 net_gateway,tun-ipv6,route-gateway VPN_CLIENT_IPv4_GATEWAY,topology subnet,ping 15,ping-restart 120,ifconfig-ipv6 VPN_CLIENT_IPv6/64 VPN_CLIENT_IPv6_GATEWAY,ifconfig VPN_CLIENT_IPv4 255.255.255.0,peer-id 3,cipher AES-256-GCM'
2023-01-27 13:56:47 OPTIONS IMPORT: timers and/or timeouts modified
2023-01-27 13:56:47 OPTIONS IMPORT: --ifconfig/up options modified
2023-01-27 13:56:47 OPTIONS IMPORT: route options modified
2023-01-27 13:56:47 OPTIONS IMPORT: route-related options modified
2023-01-27 13:56:47 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-01-27 13:56:47 OPTIONS IMPORT: peer-id set
2023-01-27 13:56:47 OPTIONS IMPORT: data channel crypto options modified
2023-01-27 13:56:47 interactive service msg_channel=572
2023-01-27 13:56:47 GDG6: remote_host_ipv6=n/a
2023-01-27 13:56:47 NOTE: GetBestInterfaceEx returned error: Element nicht gefunden.   (code=1168)
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,ASSIGN_IP,,VPN_CLIENT_IPv4,,,,,VPN_CLIENT_IPv6
2023-01-27 13:56:47 IPv4 MTU set to 1300 on interface 9 using service
2023-01-27 13:56:47 INET6 address service: add VPN_CLIENT_IPv6/128
2023-01-27 13:56:47 add_route_ipv6(VPN_CLIENT_IPv6_NETWORK/64 -> VPN_CLIENT_IPv6 metric 0) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 IPv6 dns servers set using service
2023-01-27 13:56:47 IPv6 MTU set to 1300 on interface 9 using service
2023-01-27 13:56:47 C:\WINDOWS\system32\route.exe ADD REMOTE_IP MASK 255.255.255.255 DEFAULT_IPv4_GATEWAY
2023-01-27 13:56:47 Route addition via service succeeded
2023-01-27 13:56:47 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 VPN_CLIENT_IPv4_GATEWAY
2023-01-27 13:56:47 Warning: route gateway is not reachable on any active network adapters: VPN_CLIENT_IPv4_GATEWAY
2023-01-27 13:56:47 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 VPN_CLIENT_IPv4_GATEWAY
2023-01-27 13:56:47 Warning: route gateway is not reachable on any active network adapters: VPN_CLIENT_IPv4_GATEWAY
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,ADD_ROUTES,,,,,,
2023-01-27 13:56:47 C:\WINDOWS\system32\route.exe ADD COMPANY_IP_NET MASK 255.255.0.0 VPN_CLIENT_IPv4_GATEWAY METRIC 200
2023-01-27 13:56:47 Warning: route gateway is not reachable on any active network adapters: VPN_CLIENT_IPv4_GATEWAY
2023-01-27 13:56:47 C:\WINDOWS\system32\route.exe ADD REMOTE_IP MASK 255.255.255.255 DEFAULT_IPv4_GATEWAY METRIC 200
2023-01-27 13:56:47 Route addition via service failed because route exists
2023-01-27 13:56:47 add_route_ipv6(COMPANY_IP_NET_v6/48 -> VPN_CLIENT_IPv6_GATEWAY metric 200) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 add_route_ipv6(::/3 -> VPN_CLIENT_IPv6_GATEWAY metric 200) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 add_route_ipv6(2000::/4 -> VPN_CLIENT_IPv6_GATEWAY metric 200) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 add_route_ipv6(3000::/4 -> VPN_CLIENT_IPv6_GATEWAY metric 200) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 add_route_ipv6(fc00::/7 -> VPN_CLIENT_IPv6_GATEWAY metric 200) IF 9
2023-01-27 13:56:47 IPv6 route addition via service succeeded
2023-01-27 13:56:47 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-01-27 13:56:47 Initialization Sequence Completed
2023-01-27 13:56:47 MANAGEMENT: >STATE:1674824207,CONNECTED,ROUTE_ERROR,VPN_CLIENT_IPv4,REMOTE_IP,1194,,,VPN_CLIENT_IPv6

Tested on Windows 10 2004, which should correspond to 20H1. I have also tested the same config on 21H2 with the same results.

Is this an issue in our config or a problem in the new dco driver?

Expected behavior
A working IPv4 address and correctly configured routes

Version information (please complete the following information):

  • OS: Windows 10
  • OpenVPN version: 2.6.0

ccd files are no longer read (permission denied) after upgrade to 2.6.0 (openvpn-server)

Describe the bug
Without changing any config file, neither on client nor server side, the server complains that ccd files are no longer readable.

Could not access file 'fmly/ccd/name': Permission denied (errno=13)

To Reproduce
It always reproduces.

Expected behavior
Behave like 2.5.8 in that regard.

Version information (please complete the following information):

  • OS: Arch Linux
  • OpenVPN version: 2.6.0
  • Kernel: 5.15.0-1-lts

Additional context
Of course that ccd folder is in the server.conf:
client-config-dir fmly/ccd

The ccd file itself and all its subfolders have ownership openvpn:network and are readable and executable, respectively.

Downgrading to 2.5.8 immediately fixes the issue.

I'm happy to give as much more information as you need!

Not ratelimited "read TCPv6_SERVER []: Bad file descriptor (fd=-1,code=9)"

Describe the bug
We run a big eduVPN installation for the Munich universities. Out of curiosity we added an additional node running OpenVPN 2.6_beta1 and DCO. We have come across a few issues that I cannot easily reproduce, but am reporting them nevertheless as discussed with Gert.

We have enabled logging (verb 3) and the logging immediately pegged the CPU at 100% (rsyslogd and systemd-journal). Within five minutes 29 million lines

12:26:54 eduvpn-n09 openvpn[147602]: d400821cdfd1c0294d1ec1b8bd15b768/2001:9e8:xxxx read TCPv6_SERVER []: Bad file descriptor (fd=-1,code=9)

have been generated (same pid, same peer IP)

To Reproduce
Unsure

Expected behavior
Connection is terminated and/or the logging is ratelimited to a sane amount

Version information (please complete the following information):

  • OS: Debian Bullseye
  • OpenVPN version: 2.6_beta1

Traffic blocks using a combination of a deferred and a not deferred plugin

Not a bug only uncertainty about the internal workings.
We are using an AUTH_USER_PASS_VERIFY and a TLS_VERIFY plugin. The first one is deferred and is used for authentication with ldap. The second one is used only for logging the certificate expiry time. We are running a cluster of 3 instances with about 900 concurrent users.

It is very difficult to find out what really was happening, but it seems that if the performance of the ldap requests is deteriorating at a certain moment, the vpn traffic gets blocked completely. If we disable the TLS_VERIFY plugin this never happens.

Is the plugin verification process waiting somehow on the deferred verification?

To Reproduce
Reproduction is very difficult.

Expected behavior
I expected, but this is maybe not true, that the 2 plugins are completely independent.

Version information (please complete the following information):

  • OS: Debian 10
  • OpenVPN version: 2.4.7

Additional context
The source code of the TLS_VERIFY plugin can be found here https://github.com/gerardborst/log-cert-expire-times/tree/1.0.5.
I also have a newer version which doesn't write to its own file but to the plugin log.
I also tried to use x509-track but discovered that the "Not After" time doesn't have an asn1 id so it isn't possible to refer to that.

Problem with OpenVPN from reconnections. More yellow icons and a complete rejection of work.

  • OS: [Windows Server 22 and Windows 10/11]
  • OpenVPN version: [2.5.5 - 2.6_rc18]

There's a problem that I've been seeing for over a year now, and I'm not the only one. I have a program to work with that uses .ovpn configs to change my IP. Every 10 minutes it automatically disconnects from the previous config and connects to a new random one, which are found in the path C:\Program Files\OpenVPN\config. After approximately ~150 such reconnections OpenVPN stops working. A lot of yellow icons appear in the tray and if you swipe the mouse pointer over them, they will simply disappear. If you restart the OpenVPN GUI it will appear in the tray with the usual white icon, but if you try to connect to the config, the icon immediately disappears and the connection does not occur. Only rebooting the PC/Server helps, after which everything works without problems.

2.6_rc18: [screenshot]

2.5.5: Accompanied by such a notification when the OpenVPN GUI was restarted - "OpenVPNServiceInteractive" is not started. Wintun driver will not work.
[screenshot]

Also, around the same time, the clipboard stops working, and strange artifacts appear in the "Windows Explorer path."
P.S. But this is a "Windows" problem (with an RDP connection), it periodically occurs without OpenVPN installed. Maybe these problems are interrelated?!
[screenshot]

please help solve this problem!

Tunnel fails shortly after being created

Describe the bug
I am setting up vpn tunnels between multiple RockPi's (clients) on my home network and a cloud VM (server). After connecting a client to the server a timeout consistently occurs, after which the client attempts to reinitialize a new tunnel resulting in a tun0 and tun1. This seems to cause a conflict such that I can no longer access the RockPi via the VPN tunnel created initially. I have generated the server.conf and client.conf files via PiVPN.

To Reproduce

  1. Set up server and client with the following configuration
    Server:
    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee.crt
    key /etc/openvpn/easy-rsa/pki/private/vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee.key
    dh none
    ecdh-curve prime256v1
    topology subnet
    server 10.8.0.0 255.255.255.0
    # Set your primary domain name server address for clients
    push "dhcp-option DOMAIN searchdomain.example.com"
    push "dhcp-option DNS 9.9.9.9"
    push "dhcp-option DNS 149.112.112.112"
    # Prevent DNS leaks on Windows
    push "block-outside-dns"
    # Override the Client default gateway by using 0.0.0.0/1 and
    # 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
    # overriding but not wiping out the original default gateway.
    push "redirect-gateway def1"
    client-to-client
    client-config-dir /etc/openvpn/ccd
    keepalive 15 120
    remote-cert-tls client
    tls-version-min 1.2
    tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
    #cipher AES-256-CBC
    auth SHA256
    user openvpn
    group openvpn
    persist-key
    persist-tun
    crl-verify /etc/openvpn/crl.pem
    status /var/log/openvpn-status.log 20
    status-version 3
    syslog
    verb 4
    #DuplicateCNs allow access control on a less-granular, per user basis.
    #Remove # if you will manage access by user instead of device.
    #duplicate-cn
    # Generated for use by PiVPN.io
    Client:
    client
    dev tun
    proto udp
    remote 160.119.253.173 1194
    resolv-retry infinite
    nobind
    remote-cert-tls server
    tls-version-min 1.2
    verify-x509-name vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee name
    #cipher AES-256-CBC
    auth SHA256
    auth-nocache
    verb 3
    persist-tun
    log-append /var/log/openvpn/the.log
  2. Set up tunnel by running client.conf as daemon on RockPi and wait a few minutes for timeout

Expected behavior
Upon creating tunnel, tun0 will be set up. After timeout occurs on client side, tun1 will be initialized alongside existing tun0 (client side). Pi will then no longer be accessible from VM through vpn tunnel.

Version information (please complete the following information):

  • OS (VM): Ubuntu 18.04.6
  • OpenVPN version: OpenVPN 2.4.4
  • OS (RockPi): Ubuntu 20.04
  • OpenVPN version: OpenVPN 2.4.7

Additional context

example logs

From client side (/var/log/openvpn/the.log)
Fri Feb 3 06:58:53 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
Fri Feb 3 06:58:53 2023 SIGUSR1[soft,ping-restart] received, process restarting
Fri Feb 3 06:58:53 2023 Restart pause, 5 second(s)
Fri Feb 3 06:58:58 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 3 06:58:58 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 3 06:58:58 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Feb 3 06:58:58 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Feb 3 06:58:58 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]160.119.253.173:1194
Fri Feb 3 06:58:58 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Fri Feb 3 06:58:58 2023 UDP link local: (not bound)
Fri Feb 3 06:58:58 2023 UDP link remote: [AF_INET]160.119.253.173:1194
Fri Feb 3 06:58:58 2023 TLS: Initial packet from [AF_INET]160.119.253.173:1194, sid=4a610490 41177b45
Fri Feb 3 06:58:59 2023 VERIFY OK: depth=1, CN=ChangeMe
Fri Feb 3 06:58:59 2023 VERIFY KU OK
Fri Feb 3 06:58:59 2023 Validating certificate extended key usage
Fri Feb 3 06:58:59 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Feb 3 06:58:59 2023 VERIFY EKU OK
Fri Feb 3 06:58:59 2023 VERIFY X509NAME OK: CN=vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee
Fri Feb 3 06:58:59 2023 VERIFY OK: depth=0, CN=vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee
Fri Feb 3 06:58:59 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Fri Feb 3 06:58:59 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Peer Connection Initiated with [AF_INET]160.119.253.173:1194
Fri Feb 3 06:59:00 2023 SENT CONTROL [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee]: 'PUSH_REQUEST' (status=1)
Fri Feb 3 06:59:00 2023 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN searchdomain.example.com,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.12 255.255.255.0,peer-id 4,cipher AES-256-GCM'
Fri Feb 3 06:59:00 2023 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: route options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: route-related options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: peer-id set
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Feb 3 06:59:00 2023 OPTIONS IMPORT: data channel crypto options modified
Fri Feb 3 06:59:00 2023 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Feb 3 06:59:00 2023 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 3 06:59:00 2023 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Feb 3 06:59:00 2023 Preserving previous TUN/TAP instance: tun1
Fri Feb 3 06:59:00 2023 Initialization Sequence Completed
Fri Feb 3 07:02:43 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting

From server side (/var/log/openvpn.log)
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: MULTI: multi_create_instance called
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Re-using SSL/TLS context
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-server'
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1553,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA256,keysize 128,key-method 2,tls-client'
Feb 3 06:58:58 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 TLS: Initial packet from [AF_INET]41.216.204.204:23760, sid=868dca55 28b05f9d
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY OK: depth=1, CN=ChangeMe
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY KU OK
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Validating certificate extended key usage
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY EKU OK
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 VERIFY OK: depth=0, CN=agent-2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_VER=2.4.7
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_PLAT=linux
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_PROTO=2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_NCP=2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZ4=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZ4v2=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_LZO=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_COMP_STUB=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_COMP_STUBv2=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 peer info: IV_TCPNL=1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: 41.216.204.204:23760 [agent-2] Peer Connection Initiated with [AF_INET]41.216.204.204:23760
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: new connection by client 'agent-2' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/agent-2
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: Learn: 10.8.0.12 -> agent-2/41.216.204.204:23760
Feb 3 06:58:59 vm594xjpu ovpn-server[10622]: MULTI: primary virtual IP for agent-2/41.216.204.204:23760: 10.8.0.12
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 PUSH: Received control message: 'PUSH_REQUEST'
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 SENT CONTROL [agent-2]: 'PUSH_REPLY,dhcp-option DOMAIN searchdomain.example.com,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,ifconfig 10.8.0.12 255.255.255.0,peer-id 4,cipher AES-256-GCM' (status=1)
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Data Channel: using negotiated cipher 'AES-256-GCM'
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 ]
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 3 06:59:00 vm594xjpu ovpn-server[10622]: agent-2/41.216.204.204:23760 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

ifconfig from client side
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.12 netmask 255.255.255.0 destination 10.8.0.12
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.12 netmask 255.255.255.0 destination 10.8.0.12
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 3783 bytes 269287 (269.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6989 bytes 5973610 (5.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
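
A small log analyzer for the failure pattern in this report, added here as an example (not code from the report or from the OpenVPN project). It walks a client log and flags two things the report's logs show: the tun device name drifting across --ping-restart cycles even though --persist-tun is set, and pushed options the client refused (block-outside-dns is a Windows-only option that a 2.4.7 Linux client does not recognise). The first five sample lines are constructed to represent the earlier restart cycle the report does not show; the remaining lines are copied from the client log above.

```python
import re

# Sample client log for the analyzer below. The first five lines are constructed for this
# example (an earlier restart cycle that the report does not show); the rest are copied
# from the client log in the report.
SAMPLE_CLIENT_LOG = """\
Fri Feb 3 06:50:10 2023 TUN/TAP device tun0 opened
Fri Feb 3 06:50:11 2023 Initialization Sequence Completed
Fri Feb 3 06:54:40 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
Fri Feb 3 06:54:46 2023 TUN/TAP device tun1 opened
Fri Feb 3 06:54:46 2023 Initialization Sequence Completed
Fri Feb 3 06:58:53 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
Fri Feb 3 06:58:53 2023 SIGUSR1[soft,ping-restart] received, process restarting
Fri Feb 3 06:59:00 2023 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.4.7)
Fri Feb 3 06:59:00 2023 Preserving previous TUN/TAP instance: tun1
Fri Feb 3 06:59:00 2023 Initialization Sequence Completed
Fri Feb 3 07:02:43 2023 [vm594xjpu_ead5609c-735f-481b-97c1-4338332607ee] Inactivity timeout (--ping-restart), restarting
"""

RESTART_RE = re.compile(r"Inactivity timeout \(--ping-restart\), restarting")
OPENED_RE = re.compile(r"TUN/TAP device (\S+) opened")
PRESERVED_RE = re.compile(r"Preserving previous TUN/TAP instance: (\S+)")
REJECTED_RE = re.compile(r"Options error: .*\[PUSH-OPTIONS\]:\d+: (\S+)")
COMPLETED_RE = re.compile(r"Initialization Sequence Completed")


def analyze(log_text):
    """Walk an OpenVPN client log and summarise restart cycles, the tun device each
    cycle ended up on, and pushed options the client refused."""
    restarts = 0
    completed = 0
    devices = []           # device name in the order each cycle reported it
    rejected = []          # pushed options the client did not understand
    for line in log_text.splitlines():
        if RESTART_RE.search(line):
            restarts += 1
        elif COMPLETED_RE.search(line):
            completed += 1
        elif (m := OPENED_RE.search(line)) or (m := PRESERVED_RE.search(line)):
            devices.append(m.group(1))
        elif m := REJECTED_RE.search(line):
            rejected.append(m.group(1))

    findings = []
    if len(set(devices)) > 1:
        findings.append(
            "tun device name changed across restarts (%s): with --persist-tun the same "
            "device should be kept, so an earlier interface was probably left behind"
            % ", ".join(sorted(set(devices))))
    if restarts >= 2 and completed >= 2:
        findings.append("repeated --ping-restart cycles: the data channel keeps going "
                        "silent after a successful handshake")
    if rejected:
        findings.append("server pushed options this client rejected: %s"
                        % ", ".join(rejected))
    return {"restarts": restarts, "completed": completed, "devices": devices,
            "rejected_pushed_options": rejected, "findings": findings}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CLIENT_LOG).items():
        print(f"{key}: {value}")
```

Run it against /var/log/openvpn/the.log from the report: a device list that contains more than one name is the orphaned-interface symptom the ifconfig output shows (tun0 with zero packets next to the live tun1), and the rejected-option finding explains the "Options error" line without it being related to the restart loop.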

I get two errors with any server configuration: "Linux ip addr del failed: external program exited with error status: 2" and "RTNETLINK answers: Operation not permitted"

Hi! When installing any version of the OpenVPN server, I get the following errors in the log files:

«Linux ip addr del failed: external program exited with error status: 2»
«RTNETLINK answers: Operation not permitted»

What does it mean? How do I fix it?

To Reproduce
Install a VPN on the server.
Run it.
View the logs.

OS: ubuntu 20.04 LTS
OpenVPN version: any

I am grateful for any help

OpenVPN 2.6.0 --inactive does not work with ovpn-dco-win

Installer:OpenVPN-2.6.0-I003-amd64.msi
OS: Windows 10 22H2 [10.0.19045.2546]

According to the reference manual:
--inactive args Causes OpenVPN to exit after n seconds of inactivity on the TUN/TAP device.
Valid syntaxes:
inactive n
inactive n bytes

The server push configuration is as follows: inactive 600 10000

The client will automatically disconnect when the time comes, no matter how much data is transferred.
The 2.4.x/2.5.x version is able to handle it correctly.

Key Log Information:

2023-01-29 20:57:38 OpenVPN 2.6.0 [git:v2.6.0/b999466418dddb89] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jan 25 2023
2023-01-29 20:57:38 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-01-29 20:57:38 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2023-01-29 20:57:41 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,inactive 600 10000,redirect-private def1,...
2023-01-29 20:57:46 Initialization Sequence Completed
2023-01-29 20:57:46 MANAGEMENT: >STATE:1674997066,CONNECTED,SUCCESS
2023-01-29 21:07:41 Inactivity timeout (--inactive), exiting
2023-01-29 21:07:41 SIGTERM received, sending exit notification to peer

Bytes in: 326926 (319.3 KiB) out: 160551 (156.8 KiB) OpenVPN GUI 11.37.0.0/2.6.0
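
To make the expected semantics concrete, here is a model of the --inactive n [bytes] check as the manual describes it (the timer re-arms whenever at least `bytes` have crossed the tun device since the last re-arm, and the client exits when it expires). This is an added example written for this page, not OpenVPN's code. The simulation's second scenario assumes the byte accounting never sees the traffic; that the kernel data path of ovpn-dco-win might leave the userspace counter at zero is this example's hypothesis about the report, not a confirmed root cause.

```python
class InactiveTimer:
    """Model of --inactive n [bytes] as the man page describes it: the timer is armed for
    n seconds and re-armed whenever at least `min_bytes` bytes have been seen on the tun
    device since the last re-arm; if it expires, OpenVPN exits. With the plain form
    (`inactive n`) min_bytes is 0, so any packet re-arms it."""

    def __init__(self, seconds, min_bytes=0, now=0):
        self.seconds = seconds
        self.min_bytes = min_bytes
        self.window_bytes = 0
        self.deadline = now + seconds

    def account(self, nbytes, now):
        """Credit tun traffic seen by the userspace process at time `now`."""
        self.window_bytes += nbytes
        if self.window_bytes >= self.min_bytes:
            self.window_bytes = 0
            self.deadline = now + self.seconds

    def expired(self, now):
        return now >= self.deadline


def simulate(seconds, min_bytes, traffic, bytes_visible, horizon):
    """Return the second at which the client would exit, or None if it survives to
    `horizon`. `traffic` is a list of (second, bytes); `bytes_visible` says whether the
    process doing the accounting actually sees those bytes (assumed False when the data
    path bypasses it, which is this example's hypothesis about the DCO case)."""
    timer = InactiveTimer(seconds, min_bytes)
    by_second = {}
    for t, n in traffic:
        by_second[t] = by_second.get(t, 0) + n
    for t in range(horizon + 1):
        if bytes_visible and t in by_second:
            timer.account(by_second[t], t)
        if timer.expired(t):
            return t
    return None


# Constructed traffic pattern: 1000 bytes every 30 s, i.e. 20000 bytes per 600 s window,
# comfortably above the pushed threshold of "inactive 600 10000".
STEADY_TRAFFIC = [(t, 1000) for t in range(30, 1201, 30)]

if __name__ == "__main__":
    print("bytes counted   :", simulate(600, 10000, STEADY_TRAFFIC, True, 1200))
    print("bytes not seen  :", simulate(600, 10000, STEADY_TRAFFIC, False, 1200))
```

With the bytes visible the client survives the whole run; with the same traffic invisible to the accounting it exits at exactly 600 s, which is the behaviour the report describes (disconnect "no matter how much data is transferred", 326926 bytes in over the ten minutes).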

Notify users about available updates for their client?

Just wondering the above. GitHub's Watch Releases feature doesn't work because the project has no releases in the GitHub sense. The official OpenVPN download pages RSS feed links to comments only and not the actual releases. This renders staying fully patched extremely difficult. Any ideas?

dhcp-option DNS in client config is broken for dco-win

Since both wintun and dco-win set ip_win32_type to IPW32_SET_NETSH, having dhcp-option DNS 8.8.8.8 in config breaks it because of this code:


    if (options->tuntap_options.dhcp_options
        && options->windows_driver != WINDOWS_DRIVER_WINTUN
        && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
        && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
    {
        msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
    }
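
The quoted condition transcribed into a small decision table, with one possible correction beside it. This is an added example, not OpenVPN's code: the enum members are stand-ins for the ones in tun.h/options.h, and the "proposed" variant is this example's suggestion (exempting dco-win the same way wintun is exempted, on the report's observation that both use IPW32_SET_NETSH), not the project's actual fix.

```python
from enum import Enum, auto


# Stand-ins for the enums in OpenVPN's tun.h/options.h. The member names follow the code
# quoted above; modelling them as Python enums is this example's simplification.
class WindowsDriver(Enum):
    TAP_WINDOWS6 = auto()
    WINTUN = auto()
    DCO = auto()


class IpWin32Type(Enum):
    MANUAL = auto()
    NETSH = auto()
    IPAPI = auto()
    DHCP_MASQ = auto()
    ADAPTIVE = auto()


def rejects_dhcp_option_as_quoted(has_dhcp_options, driver, ip_win32_type):
    """Transcription of the quoted condition: True means options.c aborts with
    '--dhcp-option requires --ip-win32 dynamic or adaptive'."""
    return (has_dhcp_options
            and driver is not WindowsDriver.WINTUN
            and ip_win32_type is not IpWin32Type.DHCP_MASQ
            and ip_win32_type is not IpWin32Type.ADAPTIVE)


def rejects_dhcp_option_proposed(has_dhcp_options, driver, ip_win32_type):
    """One possible correction (this example's suggestion, not the project's actual fix):
    exempt dco-win exactly as wintun is exempted, since the report notes both drivers use
    IPW32_SET_NETSH and therefore apply DNS settings the same way."""
    return (has_dhcp_options
            and driver not in (WindowsDriver.WINTUN, WindowsDriver.DCO)
            and ip_win32_type not in (IpWin32Type.DHCP_MASQ, IpWin32Type.ADAPTIVE))


def compare(has_dhcp_options, driver, ip_win32_type):
    """Return (quoted_rejects, proposed_rejects) for one configuration."""
    return (rejects_dhcp_option_as_quoted(has_dhcp_options, driver, ip_win32_type),
            rejects_dhcp_option_proposed(has_dhcp_options, driver, ip_win32_type))


if __name__ == "__main__":
    # The report's case: dco-win, netsh address mode, "dhcp-option DNS 8.8.8.8" in the config.
    print("dco-win + netsh + dhcp-option ->", compare(True, WindowsDriver.DCO, IpWin32Type.NETSH))
```

The first tuple element reproduces the report: with dco-win the quoted check fires and the client refuses to start, while the identical wintun configuration passes.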

Windows client outputs "git:none"

Describe the bug
OpenVPN outputs the git commit id and branch name. When built from a tag, it outputs none.

To Reproduce

PS C:\Program Files\OpenVPN beta\bin> .\openvpn.exe --version
OpenVPN 2.6_beta2 [git:none/566c0791caddc52e] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Dec 15 2022
library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Windows version 10.0 (Windows 10 or greater), amd64 executable

Expected behavior
I expect it to print v2.6_beta2.

Windows: --persist-tun on client does not work when auth-token is in use

(Edited: on further look, this is not specific to DCO)
Describe the bug
Client on Windows using dco-win and persist-tun fails to restart on SIGUSR1 at the first attempt when auth-token is in use, and goes through a second round which succeeds. But it causes existing TCP connections through the tunnel to close, as if persist-tun is not in use. If auth-token is not in use, it works as expected.
Edit: even without DCO, tun gets re-opened, killing existing connections through the tunnel, though it doesn't go through an extra cycle of SIGUSR1. So the real issue is not specific to DCO.

To Reproduce
Run windows client with --persist-tun and without --windows-driver foo option so that dco-win will get used. Connect to a server that will push an auth-token. Send SIGUSR1 to the client to restart.

Expected behaviour
--persist-tun should work even when auth-token is in use.

Version information (please complete the following information):

  • Client OS: Windows 10
  • Client OpenVPN version: 2.6_beta2

Additional Comments
This may not be specific to Windows and appears to be related to tun re-opening when pulled options change -- in this case auth-token changes. A known issue, possibly?
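
An illustration of the distinction the last comment points at: which pulled options actually warrant re-opening the tun device. The code below is an added example, not OpenVPN's logic; the PUSH_REPLY parser follows the comma-separated format visible in the logs earlier on this page, the auth-token values are made up, and the set of "tun-shaping" options is this example's assumption about what changes the device itself.

```python
# Illustrative model of "re-open the tun device only when a pulled option that shapes the
# device changed". The option set below is this example's assumption about what affects
# the tun interface; OpenVPN's own criteria are not on this page.
TUN_SHAPING_OPTIONS = {"dev", "dev-type", "ifconfig", "ifconfig-ipv6", "topology", "tun-mtu"}


def parse_push_reply(reply):
    """Parse a PUSH_REPLY control message into {option: [arg list, ...]}; repeated
    options such as dhcp-option or route keep every occurrence in order."""
    if not reply.startswith("PUSH_REPLY"):
        raise ValueError("not a PUSH_REPLY message")
    opts = {}
    for item in reply.split(",")[1:]:
        words = item.split()
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def changed_options(old_reply, new_reply):
    """Names of options whose pulled value differs between the two replies."""
    old, new = parse_push_reply(old_reply), parse_push_reply(new_reply)
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


def reopen_tun_naive(old_reply, new_reply):
    """Any difference at all between the two pulled option sets triggers a re-open."""
    return bool(changed_options(old_reply, new_reply))


def reopen_tun_filtered(old_reply, new_reply):
    """Only differences in options that shape the tun device trigger a re-open."""
    return any(k in TUN_SHAPING_OPTIONS for k in changed_options(old_reply, new_reply))


# PUSH_REPLY copied from the client log earlier on this page, with a constructed
# auth-token appended (the token values are made up for this example).
BASE = ("PUSH_REPLY,dhcp-option DOMAIN searchdomain.example.com,dhcp-option DNS 9.9.9.9,"
        "dhcp-option DNS 149.112.112.112,block-outside-dns,redirect-gateway def1,"
        "route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 120,"
        "ifconfig 10.8.0.12 255.255.255.0,peer-id 4,cipher AES-256-GCM")
FIRST_REPLY = BASE + ",auth-token SESS_ID_AAAA"
TOKEN_ROTATED = BASE + ",auth-token SESS_ID_BBBB"
ADDRESS_CHANGED = (BASE.replace("ifconfig 10.8.0.12", "ifconfig 10.8.0.20")
                   + ",auth-token SESS_ID_BBBB")

if __name__ == "__main__":
    print("token rotated  :", changed_options(FIRST_REPLY, TOKEN_ROTATED),
          "naive:", reopen_tun_naive(FIRST_REPLY, TOKEN_ROTATED),
          "filtered:", reopen_tun_filtered(FIRST_REPLY, TOKEN_ROTATED))
    print("address changed:", changed_options(FIRST_REPLY, ADDRESS_CHANGED),
          "filtered:", reopen_tun_filtered(FIRST_REPLY, ADDRESS_CHANGED))
```

A rotated auth-token changes the pulled option set but nothing about the interface, so the filtered rule keeps the device (and the TCP connections through it); a changed ifconfig address does require a re-open under both rules.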

`print_windows_driver()` should be moved out of tun.h

tun.h has a static-but-not-inline function

static const char *
print_windows_driver(enum windows_driver_type windows_driver)
{
    switch (windows_driver)
    {
        case WINDOWS_DRIVER_TAP_WINDOWS6:
            return "tap-windows6";

which produces a warning on Windows (MinGW at least) for every module that pulls in tun.h one way or the other:

... -c -o xkey_helper.o xkey_helper.c
In file included from socket.h:37,
                 from manage.h:31,
                 from xkey_helper.c:35:
tun.h:665:1: warning: ‘print_windows_driver’ defined but not used [-Wunused-function]
  665 | print_windows_driver(enum windows_driver_type windows_driver)
      | ^~~~~~~~~~~~~~~~~~~~

and it really shouldn't be there in the first place - non-inline functions should not be in header files, ever. So I think this should either go to win32.c or tun.c, and tun.h should only have a prototype for it (it's called mostly from tun.c but also from dco.c).

centos 7 openssl-1.1.1k openvpn-2.5.4 build fail

crypto_openssl.o: In function ui_reader': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1068: undefined reference to SSL_CTX_get_default_passwd_cb'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1069: undefined reference to SSL_CTX_get_default_passwd_cb_userdata' crypto_openssl.o: In function cipher_ctx_init':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:772: undefined reference to EVP_CIPHER_CTX_reset' crypto_openssl.o: In function md_ctx_new':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:942: undefined reference to EVP_MD_CTX_new' crypto_openssl.o: In function md_ctx_init':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:958: undefined reference to EVP_MD_CTX_reset' crypto_openssl.o: In function hmac_ctx_new':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:998: undefined reference to HMAC_CTX_new' crypto_openssl.o: In function hmac_ctx_init':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1015: undefined reference to HMAC_CTX_reset' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1019: undefined reference to HMAC_size'
crypto_openssl.o: In function hmac_ctx_size': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1031: undefined reference to HMAC_size'
crypto_openssl.o: In function crypto_init_lib': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:155: undefined reference to OPENSSL_init_crypto'
crypto_openssl.o: In function md_ctx_free': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:950: undefined reference to EVP_MD_CTX_free'
crypto_openssl.o: In function md_ctx_cleanup': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:965: undefined reference to EVP_MD_CTX_reset'
crypto_openssl.o: In function hmac_ctx_free': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1006: undefined reference to HMAC_CTX_free'
crypto_openssl.o: In function hmac_ctx_cleanup': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1025: undefined reference to HMAC_CTX_reset'
ssl_openssl.o: In function openvpn_extkey_rsa_finish': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1194: undefined reference to RSA_meth_free'
ssl_openssl.o: In function openvpn_extkey_ec_finish': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1352: undefined reference to EC_KEY_get_method'
ssl_openssl.o: In function tls_ctx_server_new': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:112: undefined reference to TLS_server_method'
ssl_openssl.o: In function tls_ctx_client_new': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:130: undefined reference to TLS_client_method'
ssl_openssl.o: In function tls_ctx_set_options': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:345: undefined reference to SSL_CTX_set_options'
ssl_openssl.o: In function tls_ctx_restrict_ciphers_tls13': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:530: undefined reference to SSL_CTX_set_ciphersuites'
ssl_openssl.o: In function tls_ctx_set_cert_profile': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:556: undefined reference to SSL_CTX_set_security_level'
ssl_openssl.o: In function tls_ctx_check_cert_time': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:638: undefined reference to X509_get0_notBefore'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:648: undefined reference to X509_get0_notAfter' ssl_openssl.o: In function tls_ctx_load_ecdh_params':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:713: undefined reference to SSL_CTX_set_options' ssl_openssl.o: In function sk_X509_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_num' ssl_openssl.o: In function sk_X509_value':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_value' /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_value'
ssl_openssl.o: In function sk_X509_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_num'
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_num' ssl_openssl.o: In function sk_X509_value':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_value' ssl_openssl.o: In function sk_X509_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_num' ssl_openssl.o: In function tls_ctx_load_cert_file':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:967: undefined reference to SSL_CTX_get_default_passwd_cb_userdata' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:967: undefined reference to SSL_CTX_get_default_passwd_cb'
ssl_openssl.o: In function tls_ctx_load_priv_file': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1036: undefined reference to SSL_CTX_get_default_passwd_cb_userdata'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1036: undefined reference to SSL_CTX_get_default_passwd_cb' ssl_openssl.o: In function backend_tls_ctx_reload_crl':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1091: undefined reference to X509_STORE_get0_objects' ssl_openssl.o: In function sk_X509_OBJECT_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509_vfy.h:58: undefined reference to OPENSSL_sk_num' ssl_openssl.o: In function sk_X509_OBJECT_value':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509_vfy.h:58: undefined reference to OPENSSL_sk_value' ssl_openssl.o: In function backend_tls_ctx_reload_crl':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1096: undefined reference to X509_OBJECT_get_type' ssl_openssl.o: In function sk_X509_OBJECT_delete':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509_vfy.h:58: undefined reference to OPENSSL_sk_delete' ssl_openssl.o: In function backend_tls_ctx_reload_crl':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1099: undefined reference to X509_OBJECT_free' ssl_openssl.o: In function tls_ctx_use_management_external_key':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1486: undefined reference to X509_get0_pubkey' ssl_openssl.o: In function tls_ctx_use_external_ec_key':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1421: undefined reference to EC_KEY_OpenSSL' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1421: undefined reference to EC_KEY_METHOD_new'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1428: undefined reference to EC_KEY_METHOD_set_init' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1429: undefined reference to EC_KEY_METHOD_set_sign'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1431: undefined reference to EVP_PKEY_get0_EC_KEY' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1437: undefined reference to EC_KEY_set_method'
ssl_openssl.o: In function tls_ctx_use_external_rsa_key': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1283: undefined reference to EVP_PKEY_get0_RSA'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1287: undefined reference to RSA_meth_new' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1290: undefined reference to RSA_meth_set_pub_enc'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1291: undefined reference to RSA_meth_set_pub_dec' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1292: undefined reference to RSA_meth_set_priv_enc'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1293: undefined reference to RSA_meth_set_priv_dec' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1294: undefined reference to RSA_meth_set_init'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1295: undefined reference to RSA_meth_set_finish' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1296: undefined reference to RSA_meth_set0_app_data'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1309: undefined reference to RSA_get0_key' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1310: undefined reference to RSA_set0_key'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1311: undefined reference to RSA_set_flags' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1314: undefined reference to RSA_meth_free'
ssl_openssl.o: In function tls_ctx_use_external_ec_key': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1439: undefined reference to EC_KEY_METHOD_free'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1434: undefined reference to EC_KEY_METHOD_free' ssl_openssl.o: In function tls_ctx_use_external_rsa_key':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1337: undefined reference to RSA_meth_free' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1290: undefined reference to RSA_meth_set_pub_enc'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1291: undefined reference to RSA_meth_set_pub_dec' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1292: undefined reference to RSA_meth_set_priv_enc'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1293: undefined reference to RSA_meth_set_priv_dec' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1294: undefined reference to RSA_meth_set_init'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1295: undefined reference to RSA_meth_set_finish' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1296: undefined reference to RSA_meth_set0_app_data'
ssl_openssl.o: In function sk_X509_INFO_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:254: undefined reference to OPENSSL_sk_num'
ssl_openssl.o: In function sk_X509_INFO_value': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:254: undefined reference to OPENSSL_sk_value'
ssl_openssl.o: In function sk_X509_NAME_find': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:77: undefined reference to OPENSSL_sk_find'
ssl_openssl.o: In function sk_X509_NAME_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:77: undefined reference to OPENSSL_sk_num'
ssl_openssl.o: In function sk_X509_INFO_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:254: undefined reference to OPENSSL_sk_num'
ssl_openssl.o: In function sk_X509_INFO_pop_free': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:254: undefined reference to OPENSSL_sk_pop_free'
ssl_openssl.o: In function sk_X509_NAME_new': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:77: undefined reference to OPENSSL_sk_new'
ssl_openssl.o: In function sk_X509_NAME_push': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:77: undefined reference to OPENSSL_sk_push'
ssl_openssl.o: In function sk_X509_NAME_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:77: undefined reference to OPENSSL_sk_num'
ssl_openssl.o: In function print_cert_details': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2071: undefined reference to EVP_PKEY_get0_EC_KEY'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2073: undefined reference to EVP_PKEY_get0_EC_KEY' ssl_openssl.o: In function show_available_tls_ciphers_list':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2161: undefined reference to TLS_method' /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2193: undefined reference to SSL_get1_supported_ciphers'
ssl_openssl.o: In function sk_SSL_CIPHER_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/ssl.h:958: undefined reference to OPENSSL_sk_num'
ssl_openssl.o: In function sk_SSL_CIPHER_value': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/ssl.h:958: undefined reference to OPENSSL_sk_value'
ssl_openssl.o: In function sk_SSL_CIPHER_free': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/ssl.h:958: undefined reference to OPENSSL_sk_free'
ssl_openssl.o: In function get_highest_preference_tls_cipher': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2275: undefined reference to TLS_method'
ssl_openssl.o: In function openvpn_extkey_ec_finish': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:1353: undefined reference to EC_KEY_METHOD_free'
ssl_openssl.o: In function tls_ctx_set_cert_profile': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:548: undefined reference to SSL_CTX_set_security_level'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:552: undefined reference to SSL_CTX_set_security_level' ssl_openssl.o: In function get_ssl_library_version':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:2296: undefined reference to OpenSSL_version' ssl_verify_openssl.o: In function sk_ASN1_OBJECT_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/asn1.h:536: undefined reference to OPENSSL_sk_num' ssl_verify_openssl.o: In function sk_ASN1_OBJECT_value':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/asn1.h:536: undefined reference to OPENSSL_sk_value' ssl_verify_openssl.o: In function sk_ASN1_OBJECT_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/asn1.h:536: undefined reference to OPENSSL_sk_num' ssl_verify_openssl.o: In function sk_ASN1_OBJECT_pop_free':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/asn1.h:536: undefined reference to OPENSSL_sk_pop_free' ssl_verify_openssl.o: In function tls_verify_crl_missing':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_verify_openssl.c:781: undefined reference to X509_STORE_get0_objects' ssl_verify_openssl.o: In function sk_X509_OBJECT_value':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509_vfy.h:58: undefined reference to OPENSSL_sk_value' ssl_verify_openssl.o: In function tls_verify_crl_missing':
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_verify_openssl.c:786: undefined reference to X509_OBJECT_get_type' ssl_verify_openssl.o: In function sk_X509_OBJECT_num':
/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509_vfy.h:58: undefined reference to `OPENSSL_sk_num'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:638:openvpn] Error 1
make[3]: Leaving directory '/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn'
make[2]: *** [Makefile:432:all-recursive] Error 1
make[2]: Leaving directory '/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src'
make[1]: *** [Makefile:613:all-recursive] Error 1
make[1]: Leaving directory '/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4'
make: *** [Makefile:501:all] Error 2

./configure OPENSSL_LIBS="-L/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k -lssl -lcrypto" OPENSSL_CFLAGS="-I/home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/"

make -j 4
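
A triage helper for link failures like the one above, added as an example (not part of the report or of OpenVPN). It pulls every undefined symbol out of the ld output and checks it against a list of functions that only exist from OpenSSL 1.1.0 on (the list is compiled for this example and is not exhaustive). When every missing symbol is 1.1-era API, the linker almost certainly resolved -lssl/-lcrypto to an older library (CentOS 7 ships OpenSSL 1.0.2 system-wide) rather than the 1.1.1k tree named in OPENSSL_LIBS. The sample lines are copied from the report; the scrape dropped the opening backtick ld prints before each symbol, so the pattern makes it optional.

```python
import re
from collections import Counter

# Linker messages copied from the report above (a subset). The opening backtick before each
# symbol name is missing in the scraped text, so the regex treats it as optional.
SAMPLE_LD_OUTPUT = """\
crypto_openssl.o: In function ui_reader': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:1068: undefined reference to SSL_CTX_get_default_passwd_cb'
/home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:942: undefined reference to EVP_MD_CTX_new' crypto_openssl.o: In function md_ctx_init':
crypto_openssl.o: In function crypto_init_lib': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/crypto_openssl.c:155: undefined reference to OPENSSL_init_crypto'
ssl_openssl.o: In function tls_ctx_server_new': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:112: undefined reference to TLS_server_method'
ssl_openssl.o: In function tls_ctx_restrict_ciphers_tls13': /home/jin/openvpn-build/generic/tmp/openvpn-2.5.4/src/openvpn/ssl_openssl.c:530: undefined reference to SSL_CTX_set_ciphersuites'
ssl_openssl.o: In function sk_X509_num': /home/jin/openvpn-build/generic/tmp/openssl-1.1.1k/include/openssl/x509.h:99: undefined reference to OPENSSL_sk_num'
collect2: error: ld returned 1 exit status
"""

UNDEF_RE = re.compile(r"undefined reference to `?([A-Za-z0-9_]+)'")

# Functions that first appeared in OpenSSL 1.1.0 (SSL_CTX_set_ciphersuites in 1.1.1).
# Compiled for this example from the OpenSSL 1.1 API changes; not exhaustive.
OPENSSL_11_API = {
    "EVP_MD_CTX_new", "EVP_MD_CTX_free", "EVP_MD_CTX_reset", "EVP_CIPHER_CTX_reset",
    "HMAC_CTX_new", "HMAC_CTX_free", "HMAC_CTX_reset", "OPENSSL_init_crypto",
    "OPENSSL_sk_num", "OPENSSL_sk_value", "OPENSSL_sk_new", "OPENSSL_sk_push",
    "OPENSSL_sk_free", "OPENSSL_sk_pop_free", "OPENSSL_sk_find", "OPENSSL_sk_delete",
    "TLS_method", "TLS_server_method", "TLS_client_method", "SSL_CTX_set_options",
    "SSL_CTX_set_security_level", "SSL_CTX_set_ciphersuites", "SSL_get1_supported_ciphers",
    "SSL_CTX_get_default_passwd_cb", "SSL_CTX_get_default_passwd_cb_userdata",
    "X509_get0_notBefore", "X509_get0_notAfter", "X509_get0_pubkey",
    "X509_STORE_get0_objects", "X509_OBJECT_get_type", "X509_OBJECT_free",
    "RSA_meth_new", "RSA_meth_free", "RSA_get0_key", "RSA_set0_key", "RSA_set_flags",
    "EC_KEY_METHOD_new", "EC_KEY_METHOD_free", "EC_KEY_get_method", "EVP_PKEY_get0_EC_KEY",
    "OpenSSL_version",
}


def undefined_symbols(ld_output):
    """Count each undefined symbol named anywhere in the linker output."""
    return Counter(UNDEF_RE.findall(ld_output))


def triage(ld_output):
    """Classify the missing symbols and state the most likely cause."""
    syms = undefined_symbols(ld_output)
    new_api = sorted(s for s in syms if s in OPENSSL_11_API)
    other = sorted(s for s in syms if s not in OPENSSL_11_API)
    if syms and not other:
        verdict = ("every missing symbol is OpenSSL >= 1.1.0 API: ld resolved -lssl/-lcrypto "
                   "to an older libcrypto/libssl (CentOS 7 ships 1.0.2), not the 1.1.1k build")
    elif new_api:
        verdict = "missing symbols include OpenSSL >= 1.1.0 API: probable version mismatch at link time"
    else:
        verdict = "no OpenSSL 1.1 API among the missing symbols; look elsewhere"
    return {"undefined": syms, "openssl_11_api": new_api, "other": other, "verdict": verdict}


if __name__ == "__main__":
    # Follow-up checks once the verdict points at the library: confirm the directory in
    # OPENSSL_LIBS really holds libcrypto/libssl built from 1.1.1k (an "nm -D libcrypto.so |
    # grep EVP_MD_CTX_new" that finds nothing means it is the wrong library), and make sure
    # that -L path is searched before /usr/lib64 and is baked in with -Wl,-rpath.
    result = triage(SAMPLE_LD_OUTPUT)
    print(result["verdict"])
    print("1.1-only API:", ", ".join(result["openssl_11_api"]))
```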

No data flow after random time frame

With OpenVPN 2.6.0 while connecting to a up-to-date Synology NAS, the connection is established and after a while the data flow stops working. Connection appears to be still up, but I am unable to ping or access any of the remote location's devices.

I am using the following ovpn config file


dev tun
tls-client
remote 1194
pull
proto udp
script-security 2
reneg-sec 0
cipher AES-256-CBC
data-ciphers 'AES-256-CBC'
auth SHA512
auth-user-pass

-----BEGIN CERTIFICATE-----
cert data
-----END CERTIFICATE-----


On a fully patched Windows 10 22H2 x64 system.
With OpenVPN version: 2.6.0

OpenVPN 2.5.8 works with the same config file just fine, no issues there.

sudo in learn-address-script fails to run commands with 2.6-rc

Describe the bug

As we install user-specific nft firewall rules when the user logs into our OpenVPN service, we need to run nftables commands via sudo in our learn-address scripts. When we tried to run 2.6-rc1/rc2 on Ubuntu 22.10, the scripts we used before throw the error "sudo: unable to change to root gid: Operation not permitted" when calling the nft binary via sudo.

This mechanism has been running on our production OpenVPN servers (currently with 2.5.8 on Ubuntu 20.04 LTS) for years without any problem. The configuration snippet:

learn-address /path/to/scripts/openVPN-learnAddress
script-security 3

While testing OpenVPN 2.6-rc1/rc2, when the failing-sudo behaviour occurred on our test system (Ubuntu 22.10, OpenVPN 2.6-rc2), Linux capabilities came to our attention. So I logged which capabilities the script runs with (using /sbin/capsh --print):

Logsnippet 2.6

Logsnippet OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]

Jan 14 12:18:50 localhost openvpn[432999]: Current: =
Jan 14 12:18:50 localhost openvpn[432999]: Bounding set =
Jan 14 12:18:50 localhost openvpn[432999]: Ambient set =
Jan 14 12:18:50 localhost openvpn[432999]: Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setgid,!cap_setuid,!cap_setpcap,!cap_linux_immutable,!cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,!cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_write,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 14 12:18:50 localhost openvpn[432999]: Securebits: 00/0x0/1'b0
Jan 14 12:18:50 localhost openvpn[432999]:  secure-noroot: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-no-suid-fixup: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-keep-caps: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]:  secure-no-ambient-raise: no (unlocked)
Jan 14 12:18:50 localhost openvpn[432999]: uid=996(openvpn) euid=996(openvpn)
Jan 14 12:18:50 localhost openvpn[432999]: gid=996(openvpn)
Jan 14 12:18:50 localhost openvpn[432999]: groups=
Jan 14 12:18:50 localhost openvpn[432999]: Guessed mode: UNCERTAIN (0)

The same system with the same settings, downgraded to OpenVPN 2.5, works:

Logsnippet 2.5

Version: OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]

Jan 14 13:39:50 localhost openvpn[435304]: Current: =
Jan 14 13:39:50 localhost openvpn[435304]: Bounding set =cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write
Jan 14 13:39:50 localhost openvpn[435304]: Ambient set =
Jan 14 13:39:50 localhost openvpn[435304]: Current IAB: !cap_chown,!cap_dac_read_search,!cap_fowner,!cap_fsetid,!cap_kill,!cap_setpcap,!cap_linux_immutable,!cap_net_broadcast,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,!cap_audit_control,!cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Jan 14 13:39:50 localhost openvpn[435304]: Securebits: 00/0x0/1'b0
Jan 14 13:39:50 localhost openvpn[435304]:  secure-noroot: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-no-suid-fixup: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-keep-caps: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]:  secure-no-ambient-raise: no (unlocked)
Jan 14 13:39:50 localhost openvpn[435304]: uid=996(openvpn) euid=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: gid=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: groups=996(openvpn)
Jan 14 13:39:50 localhost openvpn[435304]: Guessed mode: UNCERTAIN (0)

So the difference between these two is the "Bounding set", where setuid/setgid was allowed in 2.5.

Maybe OpenVPN is dropping too many privileges/capabilities in 2.6? Or is this wanted behaviour, as this sudo solution could potentially lead to security issues? (In the latter case, we would have to rewrite our firewall setup phase.)

To Reproduce
Run any command via sudo (for becoming another user) in a learn-address-script.

Expected behavior
Run the sudo-commands as called in the learn-address-script.

Version information (please complete the following information):

  • OS: Ubuntu 22.10 (kinetic)
  • OpenVPN version: OpenVPN 2.6_rc2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
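The two capsh snippets above differ only in the bounding set, and that is exactly what decides whether sudo can work from inside a script: sudo is a setuid-root binary, and on exec the kernel ANDs the capabilities a setuid-root program would otherwise receive with the caller's bounding set, so with an empty set sudo ends up as euid 0 without CAP_SETGID/CAP_SETUID and fails with the "unable to change to root gid" error seen here. The following is an added example, not code from the OpenVPN project or from the issue reporter: a POSIX shell check a learn-address script can run to read its own bounding set from /proc and tell, before calling sudo, whether the two capabilities are still there. The two masks it is tested against are constructed from the log snippets above (the empty 2.6-rc2 set and the nine capabilities listed for 2.5.8), not captured from a system.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN project or from the issue reporter.
# Answers the question the two capsh log snippets raise: are CAP_SETUID and
# CAP_SETGID still in the bounding set of the process running this script?
# sudo is setuid-root; on exec the kernel ANDs the capabilities it would get
# with the caller's bounding set, so with an empty set sudo runs as euid 0 but
# setgid()/setuid() fail with EPERM ("unable to change to root gid").

# Bit numbers from <linux/capability.h>
CAP_DAC_OVERRIDE=1
CAP_SETGID=6
CAP_SETUID=7

# cap_in_mask HEXMASK BIT: succeeds when bit BIT is set in the 64-bit hex mask
# (the format of the CapBnd: line in /proc/PID/status).
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_set_of PID: prints the CapBnd mask of that process ("self" works too).
bounding_set_of() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# sudo_possible_from HEXMASK: "yes" if both capabilities sudo needs in order to
# switch to root survive in the bounding set, otherwise "no".
sudo_possible_from() {
    if cap_in_mask "$1" "$CAP_SETUID" && cap_in_mask "$1" "$CAP_SETGID"; then
        echo yes
    else
        echo no
    fi
}

# Masks constructed from the two log snippets (not captured from a system):
# 2.6-rc2: "Bounding set =" (empty).
# 2.5.8:   cap_dac_override, cap_setgid, cap_setuid, cap_net_bind_service,
#          cap_net_admin, cap_net_raw, cap_ipc_lock, cap_sys_chroot,
#          cap_audit_write, i.e. bits 1,6,7,10,12,13,14,18,29.
MASK_26=0000000000000000
MASK_25=00000000200474c2

# Report on the current process when /proc is available (Linux only).
if [ -r /proc/self/status ]; then
    mask=$(bounding_set_of self)
    echo "CapBnd=$mask sudo_possible=$(sudo_possible_from "$mask")"
fi
```

Run as the first thing in the learn-address script and log the result; a "no" means the nft commands have to be handed to a process outside the daemon's capability set (for example a privileged helper that the script signals) rather than escalated from inside it.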

Link IPv4 and IPv6 into a single instance on the server (connection server <-> client)

Doing some research I noticed that the documentation says that IPv4 and IPv6 are supported simultaneously, but it doesn't make it clear where. According to the manual and some tests, I noted that regardless of the proto used in the tunnel it is possible to carry IPv4 and IPv6 normally; what changes is the connection protocol (transport) between server and client: udp/udp4/udp6.

My intention is to allow clients to connect (transport) over both IPv4 and IPv6 using a single server instance. So far it seems to me that IPv4 and IPv6 connection/transport is not possible with a single instance; one instance is needed for IPv4 and another for IPv6.

If anyone knows, thanks.
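As an added example that is not part of the question above or of OpenVPN's own sample configurations: one way to serve both transport families from a single instance, assuming a Linux server running OpenVPN 2.4 or newer with the kernel default net.ipv6.bindv6only=0. With proto udp6 the server opens an AF_INET6 socket that, unless "bind ipv6only" is set, also accepts IPv4 clients (they arrive as IPv4-mapped addresses); with a bare proto udp and no --local address the server has to guess a family, which is the "Could not determine IPv4/IPv6 protocol. Using AF_INET" line visible in the 2.5.8 server log further down this page. Hostnames and addresses below are placeholders.

```conf
# Added example, not from the question above or from OpenVPN's sample configs.
# Hostnames and addresses are placeholders.

# --- server.conf: one instance, reachable over IPv4 and IPv6 ---
proto udp6                     # AF_INET6 socket; also accepts IPv4 clients (mapped addresses)
port 1194                      # do not add "bind ipv6only", that would make it IPv6-only
multihome                      # reply from the address the client actually used
dev tun
topology subnet
server 10.8.0.0 255.255.255.0  # IPv4 inside the tunnel
server-ipv6 fd00:8:1::/64      # IPv6 inside the tunnel (independent of the transport)

# --- client.ovpn: try IPv6 and IPv4 transport, whichever works first ---
# plain "proto udp" resolves both AAAA and A records; a per-remote udp4/udp6 pins the family
proto udp
remote vpn.example.com 1194
remote 203.0.113.10 1194 udp4
remote 2001:db8::10 1194 udp6
```

To confirm the socket is dual-stack, look for a startup line of the form "UDPv6 link local (bound): [AF_INET6][undef]:1194" in the server log instead of the UDPv4/AF_INET variant, and then connect one client from an IPv4-only and one from an IPv6-only network.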

auth-token verification logs erroneous password verification

A server using --auth-gen-token outputs an erroneous log message stating password verification, when ONLY an auth-token has been verified -- at renegotiation time --reneg-sec.

  • OS: Linux
  • OpenVPN version: master

https://community.openvpn.net/openvpn/ticket/840#comment:6

Log example:

CLIENT-01/10.1.101.21:64070 TLS: Username/auth-token authentication succeeded for username 'dan10'
CLIENT-01/10.1.101.21:64070 TLS: Username/Password authentication succeeded for username 'dan10' 
CLIENT-01/10.1.101.21:64070 SENT CONTROL [CLIENT-01]: 'PUSH_REPLY, auth-tokenSESS_ID' (status=1)

The password cannot be verified because it was not sent; the client uses --auth-nocache.

Unexpected way to run DCO with topology NET30 (windows/client)

It is possible to use DCO with --topology net30 on a Windows client.

Steps to reproduce:
Linux server.
Windows client with DCO support.
(Configs attached below)

Expected behavior
That DCO should not support --topology net30

Version information:

  • Server: Ubuntu 22.04 / OpenVPN 2.5.8
  • Client: Win10 / OpenVPN version: 2.6_beta1

For the duration of the client connection, I was using VNC to connect to the server desktop.

My logs:

SERVER:

root@home openvpn # openvpn tuns_23456u.conf 
2022-12-12 19:10:01 Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
2022-12-12 19:10:01 us=578018 WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
2022-12-12 19:10:01 us=578042 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-12-12 19:10:01 us=578190 Current Parameter Settings:
2022-12-12 19:10:01 us=578203   config = 'tuns_23456u.conf'
2022-12-12 19:10:01 us=578217   mode = 1
2022-12-12 19:10:01 us=578229   persist_config = DISABLED
2022-12-12 19:10:01 us=578240   persist_mode = 1
2022-12-12 19:10:01 us=578252   show_ciphers = DISABLED
2022-12-12 19:10:01 us=578263   show_digests = DISABLED
2022-12-12 19:10:01 us=578273   show_engines = DISABLED
2022-12-12 19:10:01 us=578284   genkey = DISABLED
2022-12-12 19:10:01 us=578294   genkey_filename = '[UNDEF]'
2022-12-12 19:10:01 us=578305   key_pass_file = '[UNDEF]'
2022-12-12 19:10:01 us=578315   show_tls_ciphers = DISABLED
2022-12-12 19:10:01 us=578326   connect_retry_max = 0
2022-12-12 19:10:01 us=578336 Connection profiles [0]:
2022-12-12 19:10:01 us=578350   proto = udp
2022-12-12 19:10:01 us=578360   local = '[UNDEF]'
2022-12-12 19:10:01 us=578370   local_port = '23456'
2022-12-12 19:10:01 us=578381   remote = '[UNDEF]'
2022-12-12 19:10:01 us=578391   remote_port = '23456'
2022-12-12 19:10:01 us=578402   remote_float = DISABLED
2022-12-12 19:10:01 us=578412   bind_defined = DISABLED
2022-12-12 19:10:01 us=578422   bind_local = ENABLED
2022-12-12 19:10:01 us=578432   bind_ipv6_only = DISABLED
2022-12-12 19:10:01 us=578442   connect_retry_seconds = 5
2022-12-12 19:10:01 us=578453   connect_timeout = 120
2022-12-12 19:10:01 us=578463   socks_proxy_server = '[UNDEF]'
2022-12-12 19:10:01 us=578474   socks_proxy_port = '[UNDEF]'
2022-12-12 19:10:01 us=578485   tun_mtu = 1500
2022-12-12 19:10:01 us=578496   tun_mtu_defined = ENABLED
2022-12-12 19:10:01 us=578506   link_mtu = 1500
2022-12-12 19:10:01 us=578517   link_mtu_defined = DISABLED
2022-12-12 19:10:01 us=578528   tun_mtu_extra = 0
2022-12-12 19:10:01 us=578538   tun_mtu_extra_defined = DISABLED
2022-12-12 19:10:01 us=578550   mtu_discover_type = -1
2022-12-12 19:10:01 us=578562   fragment = 0
2022-12-12 19:10:01 us=578571   mssfix = 1450
2022-12-12 19:10:01 us=578582   explicit_exit_notification = 0
2022-12-12 19:10:01 us=578593   tls_auth_file = '[INLINE]'
2022-12-12 19:10:01 us=578603   key_direction = not set
2022-12-12 19:10:01 us=578613   tls_crypt_file = '[UNDEF]'
2022-12-12 19:10:01 us=578623   tls_crypt_v2_file = '[UNDEF]'
2022-12-12 19:10:01 us=578635 Connection profiles END
2022-12-12 19:10:01 us=578646   remote_random = DISABLED
2022-12-12 19:10:01 us=578656   ipchange = '[UNDEF]'
2022-12-12 19:10:01 us=578667   dev = 'tun'
2022-12-12 19:10:01 us=578677   dev_type = '[UNDEF]'
2022-12-12 19:10:01 us=578687   dev_node = '[UNDEF]'
2022-12-12 19:10:01 us=578698   lladdr = '[UNDEF]'
2022-12-12 19:10:01 us=578708   topology = 1
2022-12-12 19:10:01 us=578719   ifconfig_local = '10.23.45.1'
2022-12-12 19:10:01 us=578729   ifconfig_remote_netmask = '10.23.45.2'
2022-12-12 19:10:01 us=578740   ifconfig_noexec = DISABLED
2022-12-12 19:10:01 us=578750   ifconfig_nowarn = DISABLED
2022-12-12 19:10:01 us=578760   ifconfig_ipv6_local = '[UNDEF]'
2022-12-12 19:10:01 us=578771   ifconfig_ipv6_netbits = 0
2022-12-12 19:10:01 us=578781   ifconfig_ipv6_remote = '[UNDEF]'
2022-12-12 19:10:01 us=578791   shaper = 0
2022-12-12 19:10:01 us=578802   mtu_test = 0
2022-12-12 19:10:01 us=578811   mlock = DISABLED
2022-12-12 19:10:01 us=578823   keepalive_ping = 10
2022-12-12 19:10:01 us=578832   keepalive_timeout = 30
2022-12-12 19:10:01 us=578844   inactivity_timeout = 0
2022-12-12 19:10:01 us=578854   inactivity_minimum_bytes = 0
2022-12-12 19:10:01 us=578863   ping_send_timeout = 10
2022-12-12 19:10:01 us=578874   ping_rec_timeout = 60
2022-12-12 19:10:01 us=578886   ping_rec_timeout_action = 2
2022-12-12 19:10:01 us=578897   ping_timer_remote = DISABLED
2022-12-12 19:10:01 us=578908   remap_sigusr1 = 0
2022-12-12 19:10:01 us=578918   persist_tun = DISABLED
2022-12-12 19:10:01 us=578927   persist_local_ip = DISABLED
2022-12-12 19:10:01 us=578937   persist_remote_ip = DISABLED
2022-12-12 19:10:01 us=578947   persist_key = DISABLED
2022-12-12 19:10:01 us=578956   passtos = DISABLED
2022-12-12 19:10:01 us=578966   resolve_retry_seconds = 1000000000
2022-12-12 19:10:01 us=578976   resolve_in_advance = DISABLED
2022-12-12 19:10:01 us=578986   username = '[UNDEF]'
2022-12-12 19:10:01 us=578996   groupname = '[UNDEF]'
2022-12-12 19:10:01 us=579005   chroot_dir = '[UNDEF]'
2022-12-12 19:10:01 us=579015   cd_dir = '/etc/openvpn'
2022-12-12 19:10:01 us=579025   writepid = '[UNDEF]'
2022-12-12 19:10:01 us=579035   up_script = '[UNDEF]'
2022-12-12 19:10:01 us=579045   down_script = '[UNDEF]'
2022-12-12 19:10:01 us=579055   down_pre = DISABLED
2022-12-12 19:10:01 us=579065   up_restart = DISABLED
2022-12-12 19:10:01 us=579075   up_delay = DISABLED
2022-12-12 19:10:01 us=579084   daemon = DISABLED
2022-12-12 19:10:01 us=579094   inetd = 0
2022-12-12 19:10:01 us=579104   log = DISABLED
2022-12-12 19:10:01 us=579113   suppress_timestamps = DISABLED
2022-12-12 19:10:01 us=579123   machine_readable_output = DISABLED
2022-12-12 19:10:01 us=579133   nice = 0
2022-12-12 19:10:01 us=579143   verbosity = 4
2022-12-12 19:10:01 us=579152   mute = 0
2022-12-12 19:10:01 us=579162   gremlin = 0
2022-12-12 19:10:01 us=579172   status_file = '[UNDEF]'
2022-12-12 19:10:01 us=579183   status_file_version = 1
2022-12-12 19:10:01 us=579193   status_file_update_freq = 60
2022-12-12 19:10:01 us=579203   occ = ENABLED
2022-12-12 19:10:01 us=579213   rcvbuf = 0
2022-12-12 19:10:01 us=579223   sndbuf = 0
2022-12-12 19:10:01 us=579233   mark = 0
2022-12-12 19:10:01 us=579242   sockflags = 0
2022-12-12 19:10:01 us=579252   fast_io = DISABLED
2022-12-12 19:10:01 us=579262   comp.alg = 0
2022-12-12 19:10:01 us=579272   comp.flags = 0
2022-12-12 19:10:01 us=579282   route_script = '[UNDEF]'
2022-12-12 19:10:01 us=579292   route_default_gateway = '[UNDEF]'
2022-12-12 19:10:01 us=579302   route_default_metric = 0
2022-12-12 19:10:01 us=579312   route_noexec = DISABLED
2022-12-12 19:10:01 us=579322   route_delay = 0
2022-12-12 19:10:01 us=579332   route_delay_window = 30
2022-12-12 19:10:01 us=579342   route_delay_defined = DISABLED
2022-12-12 19:10:01 us=579352   route_nopull = DISABLED
2022-12-12 19:10:01 us=579361   route_gateway_via_dhcp = DISABLED
2022-12-12 19:10:01 us=579371   allow_pull_fqdn = DISABLED
2022-12-12 19:10:01 us=579382   route 10.23.45.0/255.255.255.0/default (not set)/default (not set)
2022-12-12 19:10:01 us=579392   management_addr = '[UNDEF]'
2022-12-12 19:10:01 us=579402   management_port = '[UNDEF]'
2022-12-12 19:10:01 us=579413   management_user_pass = '[UNDEF]'
2022-12-12 19:10:01 us=579423   management_log_history_cache = 250
2022-12-12 19:10:01 us=579433   management_echo_buffer_size = 100
2022-12-12 19:10:01 us=579442   management_write_peer_info_file = '[UNDEF]'
2022-12-12 19:10:01 us=579453   management_client_user = '[UNDEF]'
2022-12-12 19:10:01 us=579463   management_client_group = '[UNDEF]'
2022-12-12 19:10:01 us=579473   management_flags = 0
2022-12-12 19:10:01 us=579483   shared_secret_file = '[UNDEF]'
2022-12-12 19:10:01 us=579494   key_direction = not set
2022-12-12 19:10:01 us=579504   ciphername = 'BF-CBC'
2022-12-12 19:10:01 us=579513   ncp_enabled = ENABLED
2022-12-12 19:10:01 us=579524   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2022-12-12 19:10:01 us=579534   authname = 'SHA1'
2022-12-12 19:10:01 us=579544   prng_hash = 'SHA1'
2022-12-12 19:10:01 us=579554   prng_nonce_secret_len = 16
2022-12-12 19:10:01 us=579564   keysize = 0
2022-12-12 19:10:01 us=579574   engine = DISABLED
2022-12-12 19:10:01 us=579584   replay = ENABLED
2022-12-12 19:10:01 us=579594   mute_replay_warnings = DISABLED
2022-12-12 19:10:01 us=579604   replay_window = 64
2022-12-12 19:10:01 us=579614   replay_time = 15
2022-12-12 19:10:01 us=579624   packet_id_file = '[UNDEF]'
2022-12-12 19:10:01 us=579634   test_crypto = DISABLED
2022-12-12 19:10:01 us=579644   tls_server = ENABLED
2022-12-12 19:10:01 us=579654   tls_client = DISABLED
2022-12-12 19:10:01 us=579664   ca_file = '[INLINE]'
2022-12-12 19:10:01 us=579674   ca_path = '[UNDEF]'
2022-12-12 19:10:01 us=579684   dh_file = '[UNDEF]'
2022-12-12 19:10:01 us=579694   cert_file = '[INLINE]'
2022-12-12 19:10:01 us=579704   extra_certs_file = '[UNDEF]'
2022-12-12 19:10:01 us=579714   priv_key_file = '[INLINE]'
2022-12-12 19:10:01 us=579724   pkcs12_file = '[UNDEF]'
2022-12-12 19:10:01 us=579734   cipher_list = '[UNDEF]'
2022-12-12 19:10:01 us=579744   cipher_list_tls13 = '[UNDEF]'
2022-12-12 19:10:01 us=579754   tls_cert_profile = '[UNDEF]'
2022-12-12 19:10:01 us=579764   tls_verify = '[UNDEF]'
2022-12-12 19:10:01 us=579774   tls_export_cert = '[UNDEF]'
2022-12-12 19:10:01 us=579784   verify_x509_type = 0
2022-12-12 19:10:01 us=579794   verify_x509_name = '[UNDEF]'
2022-12-12 19:10:01 us=579804   crl_file = '[UNDEF]'
2022-12-12 19:10:01 us=579814   ns_cert_type = 0
2022-12-12 19:10:01 us=579824   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579834   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579844   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579854   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579864   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579874   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579884   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579894   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579904   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579914   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579924   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579934   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579944   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579954   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579964   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579974   remote_cert_ku[i] = 0
2022-12-12 19:10:01 us=579985   remote_cert_eku = '[UNDEF]'
2022-12-12 19:10:01 us=579998   ssl_flags = 0
2022-12-12 19:10:01 us=580008   tls_timeout = 2
2022-12-12 19:10:01 us=580018   renegotiate_bytes = -1
2022-12-12 19:10:01 us=580028   renegotiate_packets = 0
2022-12-12 19:10:01 us=580038   renegotiate_seconds = 3600
2022-12-12 19:10:01 us=580048   handshake_window = 60
2022-12-12 19:10:01 us=580058   transition_window = 3600
2022-12-12 19:10:01 us=580068   single_session = DISABLED
2022-12-12 19:10:01 us=580078   push_peer_info = DISABLED
2022-12-12 19:10:01 us=580088   tls_exit = DISABLED
2022-12-12 19:10:01 us=580098   tls_crypt_v2_metadata = '[UNDEF]'
2022-12-12 19:10:01 us=580108   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580118   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580128   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580138   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580148   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580158   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580168   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580176   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580186   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580199   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580208   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580218   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580229   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580239   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580249   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580259   pkcs11_protected_authentication = DISABLED
2022-12-12 19:10:01 us=580269   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580279   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580289   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580299   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580310   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580319   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580329   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580339   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580349   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580359   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580369   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580379   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580389   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580399   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580409   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580420   pkcs11_private_mode = 00000000
2022-12-12 19:10:01 us=580430   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580440   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580450   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580460   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580469   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580479   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580489   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580499   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580509   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580519   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580529   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580539   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580549   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580559   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580569   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580579   pkcs11_cert_private = DISABLED
2022-12-12 19:10:01 us=580589   pkcs11_pin_cache_period = -1
2022-12-12 19:10:01 us=580599   pkcs11_id = '[UNDEF]'
2022-12-12 19:10:01 us=580609   pkcs11_id_management = DISABLED
2022-12-12 19:10:01 us=580621   server_network = 10.23.45.0
2022-12-12 19:10:01 us=580631   server_netmask = 255.255.255.0
2022-12-12 19:10:01 us=580642   server_network_ipv6 = ::
2022-12-12 19:10:01 us=580651   server_netbits_ipv6 = 0
2022-12-12 19:10:01 us=580662   server_bridge_ip = 0.0.0.0
2022-12-12 19:10:01 us=580673   server_bridge_netmask = 0.0.0.0
2022-12-12 19:10:01 us=580693   server_bridge_pool_start = 0.0.0.0
2022-12-12 19:10:01 us=580704   server_bridge_pool_end = 0.0.0.0
2022-12-12 19:10:01 us=580714   push_entry = 'route 10.23.45.1'
2022-12-12 19:10:01 us=580724   push_entry = 'topology net30'
2022-12-12 19:10:01 us=580734   push_entry = 'ping 10'
2022-12-12 19:10:01 us=580744   push_entry = 'ping-restart 30'
2022-12-12 19:10:01 us=580755   ifconfig_pool_defined = ENABLED
2022-12-12 19:10:01 us=580766   ifconfig_pool_start = 10.23.45.4
2022-12-12 19:10:01 us=580777   ifconfig_pool_end = 10.23.45.251
2022-12-12 19:10:01 us=580788   ifconfig_pool_netmask = 0.0.0.0
2022-12-12 19:10:01 us=580797   ifconfig_pool_persist_filename = '[UNDEF]'
2022-12-12 19:10:01 us=580808   ifconfig_pool_persist_refresh_freq = 600
2022-12-12 19:10:01 us=580818   ifconfig_ipv6_pool_defined = DISABLED
2022-12-12 19:10:01 us=580829   ifconfig_ipv6_pool_base = ::
2022-12-12 19:10:01 us=580839   ifconfig_ipv6_pool_netbits = 0
2022-12-12 19:10:01 us=580849   n_bcast_buf = 256
2022-12-12 19:10:01 us=580859   tcp_queue_limit = 64
2022-12-12 19:10:01 us=580869   real_hash_size = 256
2022-12-12 19:10:01 us=580879   virtual_hash_size = 256
2022-12-12 19:10:01 us=580889   client_connect_script = '[UNDEF]'
2022-12-12 19:10:01 us=580898   learn_address_script = '[UNDEF]'
2022-12-12 19:10:01 us=580908   client_disconnect_script = '[UNDEF]'
2022-12-12 19:10:01 us=580919   client_config_dir = '[UNDEF]'
2022-12-12 19:10:01 us=580929   ccd_exclusive = DISABLED
2022-12-12 19:10:01 us=580939   tmp_dir = '/tmp'
2022-12-12 19:10:01 us=580949   push_ifconfig_defined = DISABLED
2022-12-12 19:10:01 us=580960   push_ifconfig_local = 0.0.0.0
2022-12-12 19:10:01 us=580970   push_ifconfig_remote_netmask = 0.0.0.0
2022-12-12 19:10:01 us=580982   push_ifconfig_ipv6_defined = DISABLED
2022-12-12 19:10:01 us=580992   push_ifconfig_ipv6_local = ::/0
2022-12-12 19:10:01 us=581002   push_ifconfig_ipv6_remote = ::
2022-12-12 19:10:01 us=581010   enable_c2c = DISABLED
2022-12-12 19:10:01 us=581022   duplicate_cn = DISABLED
2022-12-12 19:10:01 us=581032   cf_max = 0
2022-12-12 19:10:01 us=581042   cf_per = 0
2022-12-12 19:10:01 us=581053   max_clients = 1024
2022-12-12 19:10:01 us=581064   max_routes_per_client = 256
2022-12-12 19:10:01 us=581076   auth_user_pass_verify_script = '[UNDEF]'
2022-12-12 19:10:01 us=581089   auth_user_pass_verify_script_via_file = DISABLED
2022-12-12 19:10:01 us=581101   auth_token_generate = DISABLED
2022-12-12 19:10:01 us=581112   auth_token_lifetime = 0
2022-12-12 19:10:01 us=581122   auth_token_secret_file = '[UNDEF]'
2022-12-12 19:10:01 us=581133   port_share_host = '[UNDEF]'
2022-12-12 19:10:01 us=581145   port_share_port = '[UNDEF]'
2022-12-12 19:10:01 us=581156   vlan_tagging = DISABLED
2022-12-12 19:10:01 us=581169   vlan_accept = all
2022-12-12 19:10:01 us=581181   vlan_pvid = 1
2022-12-12 19:10:01 us=581193   client = DISABLED
2022-12-12 19:10:01 us=581204   pull = DISABLED
2022-12-12 19:10:01 us=581214   auth_user_pass_file = '[UNDEF]'
2022-12-12 19:10:01 us=581227 OpenVPN 2.5.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 28 2022
2022-12-12 19:10:01 us=581252 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
2022-12-12 19:10:01 us=582745 ECDH curve secp384r1 added
2022-12-12 19:10:01 us=582847 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:01 us=582864 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:01 us=582883 TLS-Auth MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-12-12 19:10:01 us=583179 ROUTE_GATEWAY 10.1.101.1/255.255.255.0 IFACE=enp5s0 HWADDR=24:b6:fd:31:bc:ca
2022-12-12 19:10:01 us=583699 TUN/TAP device tun0 opened
2022-12-12 19:10:01 us=583750 do_ifconfig, ipv4=1, ipv6=0
2022-12-12 19:10:01 us=583770 /sbin/ip link set dev tun0 up mtu 1500
2022-12-12 19:10:01 us=592480 /sbin/ip link set dev tun0 up
2022-12-12 19:10:01 us=594143 /sbin/ip addr add dev tun0 local 10.23.45.1 peer 10.23.45.2
2022-12-12 19:10:01 us=597821 /sbin/ip route add 10.23.45.0/24 via 10.23.45.2
2022-12-12 19:10:01 us=600051 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2022-12-12 19:10:01 us=600096 Could not determine IPv4/IPv6 protocol. Using AF_INET
2022-12-12 19:10:01 us=600132 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-12-12 19:10:01 us=600160 UDPv4 link local (bound): [AF_INET][undef]:23456
2022-12-12 19:10:01 us=600175 UDPv4 link remote: [AF_UNSPEC]
2022-12-12 19:10:01 us=600196 MULTI: multi_init called, r=256 v=256
2022-12-12 19:10:01 us=600232 IFCONFIG POOL IPv4: base=10.23.45.4 size=62
2022-12-12 19:10:01 us=600272 Initialization Sequence Completed
2022-12-12 19:10:08 us=929289 MULTI: multi_create_instance called
2022-12-12 19:10:08 us=929507 10.1.101.21:52401 Re-using SSL/TLS context
2022-12-12 19:10:08 us=929829 10.1.101.21:52401 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:08 us=929934 10.1.101.21:52401 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:08 us=930316 10.1.101.21:52401 Control Channel MTU parms [ L:1621 D:1184 EF:66 EB:0 ET:0 EL:3 ]
2022-12-12 19:10:08 us=930387 10.1.101.21:52401 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2022-12-12 19:10:08 us=930541 10.1.101.21:52401 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2022-12-12 19:10:08 us=930600 10.1.101.21:52401 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2022-12-12 19:10:08 us=930711 10.1.101.21:52401 TLS: Initial packet from [AF_INET]10.1.101.21:52401, sid=51e82df0 9e5495bd
2022-12-12 19:10:08 us=971826 10.1.101.21:52401 VERIFY OK: depth=1, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=Easy-RSA CA, [email protected], serialNumber=.
2022-12-12 19:10:08 us=972867 10.1.101.21:52401 VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=CLIENT-01, [email protected], serialNumber=.
2022-12-12 19:10:08 us=973969 10.1.101.21:52401 peer info: IV_VER=2.6_beta1
2022-12-12 19:10:08 us=973997 10.1.101.21:52401 peer info: IV_PLAT=win
2022-12-12 19:10:08 us=974012 10.1.101.21:52401 peer info: IV_TCPNL=1
2022-12-12 19:10:08 us=974023 10.1.101.21:52401 peer info: IV_MTU=1600
2022-12-12 19:10:08 us=974035 10.1.101.21:52401 peer info: IV_NCP=2
2022-12-12 19:10:08 us=974046 10.1.101.21:52401 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2022-12-12 19:10:08 us=974057 10.1.101.21:52401 peer info: IV_PROTO=478
2022-12-12 19:10:08 us=974069 10.1.101.21:52401 peer info: IV_LZO_STUB=1
2022-12-12 19:10:08 us=974079 10.1.101.21:52401 peer info: IV_COMP_STUB=1
2022-12-12 19:10:08 us=974090 10.1.101.21:52401 peer info: IV_COMP_STUBv2=1
2022-12-12 19:10:08 us=974100 10.1.101.21:52401 peer info: IV_GUI_VER=OpenVPN_GUI_11
2022-12-12 19:10:08 us=974110 10.1.101.21:52401 peer info: IV_SSO=openurl,crtext
2022-12-12 19:10:08 us=974135 10.1.101.21:52401 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1544'
2022-12-12 19:10:08 us=976361 10.1.101.21:52401 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 456 bit ED448, signature: ED448
2022-12-12 19:10:08 us=976404 10.1.101.21:52401 [CLIENT-01] Peer Connection Initiated with [AF_INET]10.1.101.21:52401
2022-12-12 19:10:08 us=976432 CLIENT-01/10.1.101.21:52401 MULTI_sva: pool returned IPv4=10.23.45.6, IPv6=(Not enabled)
2022-12-12 19:10:08 us=976469 CLIENT-01/10.1.101.21:52401 MULTI: Learn: 10.23.45.6 -> CLIENT-01/10.1.101.21:52401
2022-12-12 19:10:08 us=976481 CLIENT-01/10.1.101.21:52401 MULTI: primary virtual IP for CLIENT-01/10.1.101.21:52401: 10.23.45.6
2022-12-12 19:10:08 us=976499 CLIENT-01/10.1.101.21:52401 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-12-12 19:10:08 us=976521 CLIENT-01/10.1.101.21:52401 Data Channel MTU parms [ L:1549 D:1450 EF:49 EB:406 ET:0 EL:3 AF:14/121 ]
2022-12-12 19:10:08 us=976595 CLIENT-01/10.1.101.21:52401 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-12-12 19:10:08 us=976610 CLIENT-01/10.1.101.21:52401 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-12-12 19:10:08 us=976644 CLIENT-01/10.1.101.21:52401 SENT CONTROL [CLIENT-01]: 'PUSH_REPLY,route 10.23.45.1,topology net30,ping 10,ping-restart 30,ifconfig 10.23.45.6 10.23.45.5,peer-id 0,cipher AES-256-GCM' (status=1)
2022-12-12 19:10:09 us=229059 CLIENT-01/10.1.101.21:52401 MULTI: bad source address from client [::], packet dropped

CLIENT:

2022-12-12 18:42:00 us=953000 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-12-12 18:42:00 us=953000 Current Parameter Settings:
2022-12-12 18:42:00 us=953000   config = 'testc_23456u.ovpn'
2022-12-12 18:42:00 us=953000   mode = 0
2022-12-12 18:42:00 us=953000   show_ciphers = DISABLED
2022-12-12 18:42:00 us=953000   show_digests = DISABLED
2022-12-12 18:42:00 us=953000   show_engines = DISABLED
2022-12-12 18:42:00 us=953000   genkey = DISABLED
2022-12-12 18:42:00 us=953000   genkey_filename = '[UNDEF]'
2022-12-12 18:42:00 us=953000   key_pass_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   show_tls_ciphers = DISABLED
2022-12-12 18:42:00 us=953000   connect_retry_max = 0
2022-12-12 18:42:00 us=953000 Connection profiles [0]:
2022-12-12 18:42:00 us=953000   proto = udp
2022-12-12 18:42:00 us=953000   local = '[UNDEF]'
2022-12-12 18:42:00 us=953000   local_port = '[UNDEF]'
2022-12-12 18:42:00 us=953000   remote = '10.1.101.101'
2022-12-12 18:42:00 us=953000   remote_port = '23456'
2022-12-12 18:42:00 us=953000   remote_float = DISABLED
2022-12-12 18:42:00 us=953000   bind_defined = DISABLED
2022-12-12 18:42:00 us=953000   bind_local = DISABLED
2022-12-12 18:42:00 us=953000   bind_ipv6_only = DISABLED
2022-12-12 18:42:00 us=953000   connect_retry_seconds = 5
2022-12-12 18:42:00 us=953000   connect_timeout = 120
2022-12-12 18:42:00 us=953000   socks_proxy_server = '[UNDEF]'
2022-12-12 18:42:00 us=953000   socks_proxy_port = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tun_mtu = 1500
2022-12-12 18:42:00 us=953000   tun_mtu_defined = ENABLED
2022-12-12 18:42:00 us=953000   link_mtu = 1500
2022-12-12 18:42:00 us=953000   link_mtu_defined = DISABLED
2022-12-12 18:42:00 us=953000   tun_mtu_extra = 0
2022-12-12 18:42:00 us=953000   tun_mtu_extra_defined = DISABLED
2022-12-12 18:42:00 us=953000   tls_mtu = 1250
2022-12-12 18:42:00 us=953000   mtu_discover_type = -1
2022-12-12 18:42:00 us=953000   fragment = 0
2022-12-12 18:42:00 us=953000   mssfix = 1492
2022-12-12 18:42:00 us=953000   mssfix_encap = ENABLED
2022-12-12 18:42:00 us=953000   mssfix_fixed = DISABLED
2022-12-12 18:42:00 us=953000   explicit_exit_notification = 0
2022-12-12 18:42:00 us=953000   tls_auth_file = '[INLINE]'
2022-12-12 18:42:00 us=953000   key_direction = not set
2022-12-12 18:42:00 us=953000   tls_crypt_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tls_crypt_v2_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000 Connection profiles END
2022-12-12 18:42:00 us=953000   remote_random = DISABLED
2022-12-12 18:42:00 us=953000   ipchange = '[UNDEF]'
2022-12-12 18:42:00 us=953000   dev = 'tun'
2022-12-12 18:42:00 us=953000   dev_type = '[UNDEF]'
2022-12-12 18:42:00 us=953000   dev_node = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tuntap_options.disable_dco = DISABLED
2022-12-12 18:42:00 us=953000   lladdr = '[UNDEF]'
2022-12-12 18:42:00 us=953000   topology = 1
2022-12-12 18:42:00 us=953000   ifconfig_local = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ifconfig_remote_netmask = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ifconfig_noexec = DISABLED
2022-12-12 18:42:00 us=953000   ifconfig_nowarn = DISABLED
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_local = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_netbits = 0
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_remote = '[UNDEF]'
2022-12-12 18:42:00 us=953000   shaper = 0
2022-12-12 18:42:00 us=953000   mtu_test = 0
2022-12-12 18:42:00 us=953000   mlock = DISABLED
2022-12-12 18:42:00 us=953000   keepalive_ping = 0
2022-12-12 18:42:00 us=953000   keepalive_timeout = 0
2022-12-12 18:42:00 us=953000   inactivity_timeout = 0
2022-12-12 18:42:00 us=953000   session_timeout = 0
2022-12-12 18:42:00 us=953000   inactivity_minimum_bytes = 0
2022-12-12 18:42:00 us=953000   ping_send_timeout = 0
2022-12-12 18:42:00 us=953000   ping_rec_timeout = 0
2022-12-12 18:42:00 us=953000   ping_rec_timeout_action = 0
2022-12-12 18:42:00 us=953000   ping_timer_remote = DISABLED
2022-12-12 18:42:00 us=953000   remap_sigusr1 = 0
2022-12-12 18:42:00 us=953000   persist_tun = DISABLED
2022-12-12 18:42:00 us=953000   persist_local_ip = DISABLED
2022-12-12 18:42:00 us=953000   persist_remote_ip = DISABLED
2022-12-12 18:42:00 us=953000   persist_key = DISABLED
2022-12-12 18:42:00 us=953000   passtos = DISABLED
2022-12-12 18:42:00 us=953000   resolve_retry_seconds = 1000000000
2022-12-12 18:42:00 us=953000   resolve_in_advance = DISABLED
2022-12-12 18:42:00 us=953000   username = '[UNDEF]'
2022-12-12 18:42:00 us=953000   groupname = '[UNDEF]'
2022-12-12 18:42:00 us=953000   chroot_dir = '[UNDEF]'
2022-12-12 18:42:00 us=953000   cd_dir = '[UNDEF]'
2022-12-12 18:42:00 us=953000   writepid = '[UNDEF]'
2022-12-12 18:42:00 us=953000   up_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   down_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   down_pre = DISABLED
2022-12-12 18:42:00 us=953000   up_restart = DISABLED
2022-12-12 18:42:00 us=953000   up_delay = DISABLED
2022-12-12 18:42:00 us=953000   daemon = DISABLED
2022-12-12 18:42:00 us=953000   log = ENABLED
2022-12-12 18:42:00 us=953000   suppress_timestamps = DISABLED
2022-12-12 18:42:00 us=953000   machine_readable_output = DISABLED
2022-12-12 18:42:00 us=953000   nice = 0
2022-12-12 18:42:00 us=953000   verbosity = 4
2022-12-12 18:42:00 us=953000   mute = 0
2022-12-12 18:42:00 us=953000   status_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   status_file_version = 1
2022-12-12 18:42:00 us=953000   status_file_update_freq = 60
2022-12-12 18:42:00 us=953000   occ = ENABLED
2022-12-12 18:42:00 us=953000   rcvbuf = 0
2022-12-12 18:42:00 us=953000   sndbuf = 0
2022-12-12 18:42:00 us=953000   sockflags = 0
2022-12-12 18:42:00 us=953000   fast_io = DISABLED
2022-12-12 18:42:00 us=953000   comp.alg = 0
2022-12-12 18:42:00 us=953000   comp.flags = 24
2022-12-12 18:42:00 us=953000   route_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   route_default_gateway = '[UNDEF]'
2022-12-12 18:42:00 us=953000   route_default_metric = 0
2022-12-12 18:42:00 us=953000   route_noexec = DISABLED
2022-12-12 18:42:00 us=953000   route_delay = 0
2022-12-12 18:42:00 us=953000   route_delay_window = 30
2022-12-12 18:42:00 us=953000   route_delay_defined = DISABLED
2022-12-12 18:42:00 us=953000   route_nopull = DISABLED
2022-12-12 18:42:00 us=953000   route_gateway_via_dhcp = DISABLED
2022-12-12 18:42:00 us=953000   allow_pull_fqdn = DISABLED
2022-12-12 18:42:00 us=953000   Pull filters:
2022-12-12 18:42:00 us=953000     ignore "route-method"
2022-12-12 18:42:00 us=953000   management_addr = '127.0.0.1'
2022-12-12 18:42:00 us=953000   management_port = '25342'
2022-12-12 18:42:00 us=953000   management_user_pass = 'stdin'
2022-12-12 18:42:00 us=953000   management_log_history_cache = 250
2022-12-12 18:42:00 us=953000   management_echo_buffer_size = 100
2022-12-12 18:42:00 us=953000   management_client_user = '[UNDEF]'
2022-12-12 18:42:00 us=953000   management_client_group = '[UNDEF]'
2022-12-12 18:42:00 us=953000   management_flags = 6
2022-12-12 18:42:00 us=953000   shared_secret_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   key_direction = not set
2022-12-12 18:42:00 us=953000   ciphername = 'BF-CBC'
2022-12-12 18:42:00 us=953000   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2022-12-12 18:42:00 us=953000   authname = 'SHA1'
2022-12-12 18:42:00 us=953000   engine = DISABLED
2022-12-12 18:42:00 us=953000   replay = ENABLED
2022-12-12 18:42:00 us=953000   mute_replay_warnings = DISABLED
2022-12-12 18:42:00 us=953000   replay_window = 64
2022-12-12 18:42:00 us=953000   replay_time = 15
2022-12-12 18:42:00 us=953000   packet_id_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   test_crypto = DISABLED
2022-12-12 18:42:00 us=953000   tls_server = DISABLED
2022-12-12 18:42:00 us=953000   tls_client = ENABLED
2022-12-12 18:42:00 us=953000   ca_file = '[INLINE]'
2022-12-12 18:42:00 us=953000   ca_path = '[UNDEF]'
2022-12-12 18:42:00 us=953000   dh_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   cert_file = '[INLINE]'
2022-12-12 18:42:00 us=953000   extra_certs_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   priv_key_file = '[INLINE]'
2022-12-12 18:42:00 us=953000   pkcs12_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   cryptoapi_cert = '[UNDEF]'
2022-12-12 18:42:00 us=953000   cipher_list = '[UNDEF]'
2022-12-12 18:42:00 us=953000   cipher_list_tls13 = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tls_cert_profile = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tls_verify = '[UNDEF]'
2022-12-12 18:42:00 us=953000   tls_export_cert = '[UNDEF]'
2022-12-12 18:42:00 us=953000   verify_x509_type = 0
2022-12-12 18:42:00 us=953000   verify_x509_name = '[UNDEF]'
2022-12-12 18:42:00 us=953000   crl_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ns_cert_type = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_ku[i] = 0
2022-12-12 18:42:00 us=953000   remote_cert_eku = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ssl_flags = 192
2022-12-12 18:42:00 us=953000   tls_timeout = 2
2022-12-12 18:42:00 us=953000   renegotiate_bytes = -1
2022-12-12 18:42:00 us=953000   renegotiate_packets = 0
2022-12-12 18:42:00 us=953000   renegotiate_seconds = 3600
2022-12-12 18:42:00 us=953000   handshake_window = 60
2022-12-12 18:42:00 us=953000   transition_window = 3600
2022-12-12 18:42:00 us=953000   single_session = DISABLED
2022-12-12 18:42:00 us=953000   push_peer_info = DISABLED
2022-12-12 18:42:00 us=953000   tls_exit = DISABLED
2022-12-12 18:42:00 us=953000   tls_crypt_v2_metadata = '[UNDEF]'
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_protected_authentication = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_private_mode = 00000000
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_cert_private = DISABLED
2022-12-12 18:42:00 us=953000   pkcs11_pin_cache_period = -1
2022-12-12 18:42:00 us=953000   pkcs11_id = '[UNDEF]'
2022-12-12 18:42:00 us=953000   pkcs11_id_management = DISABLED
2022-12-12 18:42:00 us=953000   server_network = 0.0.0.0
2022-12-12 18:42:00 us=953000   server_netmask = 0.0.0.0
2022-12-12 18:42:00 us=953000   server_network_ipv6 = ::
2022-12-12 18:42:00 us=953000   server_netbits_ipv6 = 0
2022-12-12 18:42:00 us=953000   server_bridge_ip = 0.0.0.0
2022-12-12 18:42:00 us=953000   server_bridge_netmask = 0.0.0.0
2022-12-12 18:42:00 us=953000   server_bridge_pool_start = 0.0.0.0
2022-12-12 18:42:00 us=953000   server_bridge_pool_end = 0.0.0.0
2022-12-12 18:42:00 us=953000   ifconfig_pool_defined = DISABLED
2022-12-12 18:42:00 us=953000   ifconfig_pool_start = 0.0.0.0
2022-12-12 18:42:00 us=953000   ifconfig_pool_end = 0.0.0.0
2022-12-12 18:42:00 us=953000   ifconfig_pool_netmask = 0.0.0.0
2022-12-12 18:42:00 us=953000   ifconfig_pool_persist_filename = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ifconfig_pool_persist_refresh_freq = 600
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_pool_defined = DISABLED
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_pool_base = ::
2022-12-12 18:42:00 us=953000   ifconfig_ipv6_pool_netbits = 0
2022-12-12 18:42:00 us=953000   n_bcast_buf = 256
2022-12-12 18:42:00 us=953000   tcp_queue_limit = 64
2022-12-12 18:42:00 us=953000   real_hash_size = 256
2022-12-12 18:42:00 us=953000   virtual_hash_size = 256
2022-12-12 18:42:00 us=953000   client_connect_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   learn_address_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   client_disconnect_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   client_crresponse_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   client_config_dir = '[UNDEF]'
2022-12-12 18:42:00 us=953000   ccd_exclusive = DISABLED
2022-12-12 18:42:00 us=953000   tmp_dir = 'C:\Users\den\AppData\Local\Temp\'
2022-12-12 18:42:00 us=953000   push_ifconfig_defined = DISABLED
2022-12-12 18:42:00 us=953000   push_ifconfig_local = 0.0.0.0
2022-12-12 18:42:00 us=953000   push_ifconfig_remote_netmask = 0.0.0.0
2022-12-12 18:42:00 us=953000   push_ifconfig_ipv6_defined = DISABLED
2022-12-12 18:42:00 us=953000   push_ifconfig_ipv6_local = ::/0
2022-12-12 18:42:00 us=953000   push_ifconfig_ipv6_remote = ::
2022-12-12 18:42:00 us=953000   enable_c2c = DISABLED
2022-12-12 18:42:00 us=953000   duplicate_cn = DISABLED
2022-12-12 18:42:00 us=953000   cf_max = 0
2022-12-12 18:42:00 us=953000   cf_per = 0
2022-12-12 18:42:00 us=953000   max_clients = 1024
2022-12-12 18:42:00 us=953000   max_routes_per_client = 256
2022-12-12 18:42:00 us=953000   auth_user_pass_verify_script = '[UNDEF]'
2022-12-12 18:42:00 us=953000   auth_user_pass_verify_script_via_file = DISABLED
2022-12-12 18:42:00 us=953000   auth_token_generate = DISABLED
2022-12-12 18:42:00 us=953000   auth_token_lifetime = 0
2022-12-12 18:42:00 us=953000   auth_token_secret_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   vlan_tagging = DISABLED
2022-12-12 18:42:00 us=953000   vlan_accept = all
2022-12-12 18:42:00 us=953000   vlan_pvid = 1
2022-12-12 18:42:00 us=953000   client = ENABLED
2022-12-12 18:42:00 us=953000   pull = ENABLED
2022-12-12 18:42:00 us=953000   auth_user_pass_file = '[UNDEF]'
2022-12-12 18:42:00 us=953000   show_net_up = DISABLED
2022-12-12 18:42:00 us=953000   route_method = 3
2022-12-12 18:42:00 us=953000   block_outside_dns = DISABLED
2022-12-12 18:42:00 us=953000   ip_win32_defined = DISABLED
2022-12-12 18:42:00 us=953000   ip_win32_type = 1
2022-12-12 18:42:00 us=953000   dhcp_masq_offset = 0
2022-12-12 18:42:00 us=953000   dhcp_lease_time = 31536000
2022-12-12 18:42:00 us=953000   tap_sleep = 0
2022-12-12 18:42:00 us=953000   dhcp_options = DISABLED
2022-12-12 18:42:00 us=953000   dhcp_renew = DISABLED
2022-12-12 18:42:00 us=953000   dhcp_pre_release = DISABLED
2022-12-12 18:42:00 us=953000   domain = '[UNDEF]'
2022-12-12 18:42:00 us=953000   netbios_scope = '[UNDEF]'
2022-12-12 18:42:00 us=953000   netbios_node_type = 0
2022-12-12 18:42:00 us=953000   disable_nbt = DISABLED
2022-12-12 18:42:00 us=953000 OpenVPN 2.6_beta1 [git:release/2.6/e778a6fd26d849dc] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Dec  2 2022
2022-12-12 18:42:00 us=968000 Windows version 10.0 (Windows 10 or greater), amd64 executable
2022-12-12 18:42:00 us=968000 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2022-12-12 18:42:00 us=968000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
2022-12-12 18:42:00 us=968000 Need hold release from management interface, waiting...
2022-12-12 18:42:01 us=265000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:63964
2022-12-12 18:42:01 us=375000 MANAGEMENT: CMD 'state on'
2022-12-12 18:42:01 us=375000 MANAGEMENT: CMD 'log on all'
2022-12-12 18:42:01 us=859000 MANAGEMENT: CMD 'echo on all'
2022-12-12 18:42:01 us=859000 MANAGEMENT: CMD 'bytecount 5'
2022-12-12 18:42:01 us=875000 MANAGEMENT: CMD 'state'
2022-12-12 18:42:01 us=875000 MANAGEMENT: CMD 'hold off'
2022-12-12 18:42:01 us=875000 MANAGEMENT: CMD 'hold release'
2022-12-12 18:42:01 us=875000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-12-12 18:42:01 us=890000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 18:42:01 us=890000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 18:42:01 us=890000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-12-12 18:42:01 us=890000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-12-12 18:42:01 us=890000 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2022-12-12 18:42:01 us=890000 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2022-12-12 18:42:01 us=890000 TCP/UDP: Preserving recently used remote address: [AF_INET]10.1.101.101:23456
2022-12-12 18:42:01 us=906000 ovpn-dco device [OpenVPN Data Channel Offload] opened
2022-12-12 18:42:01 us=906000 UDP link local: (not bound)
2022-12-12 18:42:01 us=906000 UDP link remote: [AF_INET]10.1.101.101:23456
2022-12-12 18:42:01 us=906000 MANAGEMENT: >STATE:1670870521,WAIT,,,,,,
2022-12-12 18:42:01 us=906000 MANAGEMENT: >STATE:1670870521,AUTH,,,,,,
2022-12-12 18:42:01 us=906000 TLS: Initial packet from [AF_INET]10.1.101.101:23456, sid=414480a0 7653e0ef
2022-12-12 18:42:01 us=937000 VERIFY OK: depth=1, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=Easy-RSA CA, [email protected], serialNumber=.
2022-12-12 18:42:01 us=953000 VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=SERVER-01, [email protected], serialNumber=.
2022-12-12 18:42:01 us=968000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 456 bit ED448, signature: ED448
2022-12-12 18:42:01 us=968000 [SERVER-01] Peer Connection Initiated with [AF_INET]10.1.101.101:23456
2022-12-12 18:42:01 us=968000 PUSH: Received control message: 'PUSH_REPLY,route 10.23.45.1,topology net30,ifconfig 10.23.45.6 10.23.45.5,peer-id 0,cipher AES-256-GCM'
2022-12-12 18:42:01 us=968000 OPTIONS IMPORT: --ifconfig/up options modified
2022-12-12 18:42:01 us=968000 OPTIONS IMPORT: route options modified
2022-12-12 18:42:01 us=968000 OPTIONS IMPORT: peer-id set
2022-12-12 18:42:01 us=968000 OPTIONS IMPORT: data channel crypto options modified
2022-12-12 18:42:01 us=968000 interactive service msg_channel=752
2022-12-12 18:42:02 do_ifconfig, ipv4=1, ipv6=0
2022-12-12 18:42:02 MANAGEMENT: >STATE:1670870522,ASSIGN_IP,,10.23.45.6,,,,
2022-12-12 18:42:02 INET address service: add 10.23.45.6/30
2022-12-12 18:42:02 IPv4 MTU set to 1500 on interface 13 using service
2022-12-12 18:42:02 MANAGEMENT: >STATE:1670870522,ADD_ROUTES,,,,,,
2022-12-12 18:42:02 C:\WINDOWS\system32\route.exe ADD 10.23.45.1 MASK 255.255.255.255 10.23.45.5 METRIC 200
2022-12-12 18:42:02 us=15000 Route addition via service succeeded
2022-12-12 18:42:02 us=15000 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-12-12 18:42:02 us=15000 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-12-12 18:42:02 us=15000 Initialization Sequence Completed
2022-12-12 18:42:02 us=15000 MANAGEMENT: >STATE:1670870522,CONNECTED,SUCCESS,10.23.45.6,10.1.101.101,23456,,
2022-12-12 19:10:04 us=390000 read UDP: The specified network name is no longer available.   (fd=420,code=64)
2022-12-12 19:10:04 us=390000 [SERVER-01] Inactivity timeout (--ping-restart), restarting
2022-12-12 19:10:04 us=390000 C:\WINDOWS\system32\route.exe DELETE 10.23.45.1 MASK 255.255.255.255 10.23.45.5
2022-12-12 19:10:04 us=421000 Route deletion via service succeeded
2022-12-12 19:10:04 us=421000 Closing DCO interface
2022-12-12 19:10:04 us=421000 Deleting IPv4 dns servers on 'OpenVPN Data Channel Offload' (if_index = 13) using service
2022-12-12 19:10:04 us=640000 IPv4 dns servers deleted using service
2022-12-12 19:10:04 us=640000 INET address service: remove 10.23.45.6/30
2022-12-12 19:10:04 us=640000 SIGUSR1[soft,ping-restart] received, process restarting
2022-12-12 19:10:04 us=640000 MANAGEMENT: >STATE:1670872204,RECONNECTING,ping-restart,,,,,
2022-12-12 19:10:04 us=640000 Restart pause, 5 second(s)
2022-12-12 19:10:09 us=703000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-12-12 19:10:09 us=703000 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:09 us=703000 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-12-12 19:10:09 us=703000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2022-12-12 19:10:09 us=703000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-12-12 19:10:09 us=703000 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2022-12-12 19:10:09 us=703000 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2022-12-12 19:10:09 us=703000 TCP/UDP: Preserving recently used remote address: [AF_INET]10.1.101.101:23456
2022-12-12 19:10:09 us=718000 ovpn-dco device [OpenVPN Data Channel Offload] opened
2022-12-12 19:10:09 us=718000 UDP link local: (not bound)
2022-12-12 19:10:09 us=718000 UDP link remote: [AF_INET]10.1.101.101:23456
2022-12-12 19:10:09 us=718000 MANAGEMENT: >STATE:1670872209,WAIT,,,,,,
2022-12-12 19:10:09 us=718000 MANAGEMENT: >STATE:1670872209,AUTH,,,,,,
2022-12-12 19:10:09 us=718000 TLS: Initial packet from [AF_INET]10.1.101.101:23456, sid=b78f9a26 e6114e61
2022-12-12 19:10:09 us=750000 VERIFY OK: depth=1, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=Easy-RSA CA, [email protected], serialNumber=.
2022-12-12 19:10:09 us=750000 VERIFY OK: depth=0, C=00, ST=home, L=wiscii glaß, O=tct, OU=tct @ $&$, CN=SERVER-01, [email protected], serialNumber=.
2022-12-12 19:10:09 us=765000 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1544', remote='link-mtu 1541'
2022-12-12 19:10:09 us=765000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 456 bit ED448, signature: ED448
2022-12-12 19:10:09 us=765000 [SERVER-01] Peer Connection Initiated with [AF_INET]10.1.101.101:23456
2022-12-12 19:10:09 us=765000 PUSH: Received control message: 'PUSH_REPLY,route 10.23.45.1,topology net30,ping 10,ping-restart 30,ifconfig 10.23.45.6 10.23.45.5,peer-id 0,cipher AES-256-GCM'
2022-12-12 19:10:09 us=765000 OPTIONS IMPORT: timers and/or timeouts modified
2022-12-12 19:10:09 us=765000 OPTIONS IMPORT: --ifconfig/up options modified
2022-12-12 19:10:09 us=765000 OPTIONS IMPORT: route options modified
2022-12-12 19:10:09 us=765000 OPTIONS IMPORT: peer-id set
2022-12-12 19:10:09 us=765000 OPTIONS IMPORT: data channel crypto options modified
2022-12-12 19:10:09 us=765000 interactive service msg_channel=752
2022-12-12 19:10:09 us=796000 do_ifconfig, ipv4=1, ipv6=0
2022-12-12 19:10:09 us=796000 MANAGEMENT: >STATE:1670872209,ASSIGN_IP,,10.23.45.6,,,,
2022-12-12 19:10:09 us=796000 INET address service: add 10.23.45.6/30
2022-12-12 19:10:09 us=796000 IPv4 MTU set to 1500 on interface 13 using service
2022-12-12 19:10:09 us=796000 MANAGEMENT: >STATE:1670872209,ADD_ROUTES,,,,,,
2022-12-12 19:10:09 us=796000 C:\WINDOWS\system32\route.exe ADD 10.23.45.1 MASK 255.255.255.255 10.23.45.5 METRIC 200
2022-12-12 19:10:09 us=812000 Route addition via service succeeded
2022-12-12 19:10:09 us=812000 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-12-12 19:10:09 us=812000 Data Channel MTU parms [ mss_fix:1400 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2022-12-12 19:10:09 us=812000 Initialization Sequence Completed
2022-12-12 19:10:09 us=812000 MANAGEMENT: >STATE:1670872209,CONNECTED,SUCCESS,10.23.45.6,10.1.101.101,23456,,
2022-12-12 19:54:09 us=140000 C:\WINDOWS\system32\route.exe DELETE 10.23.45.1 MASK 255.255.255.255 10.23.45.5
2022-12-12 19:54:09 us=140000 Route deletion via service succeeded
2022-12-12 19:54:09 us=140000 Closing DCO interface
2022-12-12 19:54:09 us=140000 Deleting IPv4 dns servers on 'OpenVPN Data Channel Offload' (if_index = 13) using service
2022-12-12 19:54:09 us=390000 IPv4 dns servers deleted using service
2022-12-12 19:54:09 us=390000 INET address service: remove 10.23.45.6/30
2022-12-12 19:54:09 us=390000 SIGTERM[hard,] received, process exiting
2022-12-12 19:54:09 us=390000 MANAGEMENT: >STATE:1670874849,EXITING,SIGTERM,,,,,

Full server and client configs, with working inline certs/keys.

SERVER:

port 23456
proto udp
dev tun

verb 4
cd /etc/openvpn

server 10.23.45.0 255.255.255.0

dh none
ecdh-curve secp384r1

keepalive 10 30


<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b1e1cd5f4bb00992d5d375f3a8f7ee33
d543871c6263112a1ed5773c688f1d7a
09b77b76802fc32fa7c82353321034b8
766ba77eac2d44adf6e74f2d85a924c6
f83faeea44dcdfbe23066196bbf0bbaa
141a0f506c109afcdf026dc6351e0db7
b34bc2405b510044873027c2351b7900
3eec8b145e9076a526ff2cf8eacf1de3
040493bd1ae27b510a483640ae318e34
7103dda7c53e2ecd8190fe9211af4414
816c3d32a6a8c200e8a0355f446b920c
4899a0a2f9d47b6fe77d6e20ef1a5086
d23a87d99da660d2d1bf57e364cb92c5
f044496f1d814be11c73e87933df403d
7773092676c138c34b464670162122e7
89eaa0f326689128850400aec6fd915d
-----END OpenVPN Static key V1-----
</tls-auth>
;key-direction 1

########################

# server: SERVER-01

<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:20:df:30:8a:93:8e:a9:39:96:45:dc:34:9c:78:cc
        Signature Algorithm: ED448
        Issuer: C=00, ST=home, L=wiscii gla\xC3\x9F, O=tct, OU=tct @ $&$, CN=Easy-RSA CA/[email protected]/serialNumber=.
        Validity
            Not Before: Dec 12 17:49:20 2022 GMT
            Not After : Mar 16 17:49:20 2025 GMT
        Subject: C=00, ST=home, L=wiscii gla\xC3\x9F, O=tct, OU=tct @ $&$, CN=SERVER-01/[email protected]/serialNumber=.
        Subject Public Key Info:
            Public Key Algorithm: ED448
                ED448 Public-Key:
                pub:
                    48:31:d8:03:71:e4:7e:d3:a9:9a:3d:35:0c:3a:81:
                    50:a2:7f:3c:11:e6:fd:d9:77:e6:1d:4e:05:d1:99:
                    25:f7:11:1b:35:e4:6f:5f:84:82:b0:f9:e1:e9:81:
                    b0:70:0d:75:6a:d6:98:c9:42:c7:67:00
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                75:36:AB:4D:41:82:B1:A3:94:9D:DA:7A:AD:33:EF:46:C2:9A:B4:B7
            X509v3 Authority Key Identifier: 
                keyid:1F:F3:A4:59:A7:E9:4D:D2:49:63:4B:12:DC:B0:A2:9D:8E:2B:EB:96
                DirName:/C=00/ST=home/L=wiscii gla\xC3\x9F/O=tct/OU=tct @ $&$/CN=Easy-RSA CA/[email protected]/serialNumber=.
                serial:5D:1F:A3:2A:0E:39:B7:8A:F9:91:42:36:AE:0C:7C:44:53:8F:CB:95

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:SERVER-01
    Signature Algorithm: ED448
         f7:39:33:f2:26:7c:1f:01:c9:96:8e:36:44:8e:be:15:d3:f8:
         4f:06:91:a2:a1:29:45:15:63:72:f7:09:72:f2:77:5a:f2:a1:
         72:94:c1:8a:af:32:5c:49:63:d6:58:e4:7d:71:58:fa:1c:f7:
         0a:a0:80:c5:7e:87:3f:4b:bb:55:de:6b:26:6b:21:92:56:9f:
         7d:a8:e4:50:a2:18:af:19:d7:f7:d3:56:19:06:97:98:1b:a9:
         cc:d1:2c:97:20:d7:c5:7f:08:a7:38:bf:96:56:5a:0a:ec:75:
         48:d9:9a:83:37:00
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOda/biZ/2BY6EAjq+wa5w1higx3SpsAFjo+Mz84jqiCM
47MsM5fDlrLqaVgvWyqxGishnRK+oB3K4A==
-----END PRIVATE KEY-----
</key>

CLIENT:

dev tun
;windows-driver wintun


remote 10.1.101.101 23456 udp

client

verb 4

# client: CLIENT-01

<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
b1e1cd5f4bb00992d5d375f3a8f7ee33
d543871c6263112a1ed5773c688f1d7a
09b77b76802fc32fa7c82353321034b8
766ba77eac2d44adf6e74f2d85a924c6
f83faeea44dcdfbe23066196bbf0bbaa
141a0f506c109afcdf026dc6351e0db7
b34bc2405b510044873027c2351b7900
3eec8b145e9076a526ff2cf8eacf1de3
040493bd1ae27b510a483640ae318e34
7103dda7c53e2ecd8190fe9211af4414
816c3d32a6a8c200e8a0355f446b920c
4899a0a2f9d47b6fe77d6e20ef1a5086
d23a87d99da660d2d1bf57e364cb92c5
f044496f1d814be11c73e87933df403d
7773092676c138c34b464670162122e7
89eaa0f326689128850400aec6fd915d
-----END OpenVPN Static key V1-----
</tls-auth>

<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a7:93:94:fe:87:14:99:6c:eb:8f:c9:f8:8e:76:79:18
        Signature Algorithm: ED448
        Issuer: C=00, ST=home, L=wiscii gla\xC3\x9F, O=tct, OU=tct @ $&$, CN=Easy-RSA CA/[email protected]/serialNumber=.
        Validity
            Not Before: Dec 12 17:49:34 2022 GMT
            Not After : Mar 16 17:49:34 2025 GMT
        Subject: C=00, ST=home, L=wiscii gla\xC3\x9F, O=tct, OU=tct @ $&$, CN=CLIENT-01/[email protected]/serialNumber=.
        Subject Public Key Info:
            Public Key Algorithm: ED448
                ED448 Public-Key:
                pub:
                    25:61:fc:35:f9:7e:e8:f0:72:07:30:ad:e3:72:c3:
                    ea:1d:20:0e:bd:29:33:e5:77:c3:c2:f9:b2:6d:26:
                    90:81:4f:15:93:58:8d:32:5c:f1:95:96:a9:32:d9:
                    4c:47:0c:04:6e:aa:5e:95:40:6f:92:80
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                86:91:7A:30:E7:44:13:A5:FC:B5:9D:2E:EE:BB:C1:38:38:35:39:8A
            X509v3 Authority Key Identifier: 
                keyid:1F:F3:A4:59:A7:E9:4D:D2:49:63:4B:12:DC:B0:A2:9D:8E:2B:EB:96
                DirName:/C=00/ST=home/L=wiscii gla\xC3\x9F/O=tct/OU=tct @ $&$/CN=Easy-RSA CA/[email protected]/serialNumber=.
                serial:5D:1F:A3:2A:0E:39:B7:8A:F9:91:42:36:AE:0C:7C:44:53:8F:CB:95

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: ED448
         26:35:6f:90:7b:9d:d6:58:78:84:1e:05:80:68:8c:82:e3:c0:
         dd:8e:09:c4:b7:91:3c:39:0f:d4:b1:0d:55:da:42:46:36:fc:
         44:bb:ac:77:e1:39:f5:46:d4:66:64:b5:c3:8c:7b:d7:3f:86:
         9e:f9:00:de:a4:e4:0b:3a:be:ef:84:3b:e9:3d:b0:87:c8:33:
         89:74:35:40:05:6b:9a:36:4f:9d:0f:86:fa:e5:2b:16:ce:ce:
         ed:a3:2e:71:dd:08:27:77:a5:de:d0:27:d8:35:45:d5:f4:24:
         ac:db:b1:fd:10:00
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOZd4zLg8dAfe0aXdtmVOzXdnjngsTD+fV0CobBlarN6Q
/8XLGGEedtRdIoimdo2MWmdvfm9ufBcrtg==
-----END PRIVATE KEY-----
</key>
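The client configuration posted above sets neither `remote-cert-tls server` nor `verify-x509-name`, which is why the log shows `WARNING: No server certificate verification method has been enabled` on every connect: the client only checks that the server's certificate chains to the CA, so any certificate issued by that CA would be accepted, which is the MITM scenario the linked howto page describes. As an added example (not part of the report, and not OpenVPN's own code), the following Python lint parses an `.ovpn` file, inline `<tag>` blocks included, and flags that gap. The embedded configs are constructed copies of the posted client config with the key material left out; the list of options treated as "server verification" is this example's own assumption about what silences the warning.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Client-side options that let OpenVPN check *which* server it is talking to,
# not merely that the CA signed something. Assumption of this example: a TLS
# client config with none of them is what triggers the log's
# "No server certificate verification method has been enabled" warning.
SERVER_VERIFY_OPTIONS = {
    "remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
    "verify-x509-name", "tls-verify", "peer-fingerprint",
}
# Options that add an HMAC/encryption layer on the TLS control channel.
CONTROL_CHANNEL_OPTIONS = {"tls-auth", "tls-crypt", "tls-crypt-v2"}


@dataclass
class OvpnConfig:
    # option name -> argument list of every occurrence (options may repeat)
    options: Dict[str, List[List[str]]] = field(default_factory=dict)
    # inline <tag> ... </tag> blocks: tag -> body text
    inline: Dict[str, str] = field(default_factory=dict)

    def has(self, name: str) -> bool:
        return name in self.options or name in self.inline


def parse_ovpn(text: str) -> OvpnConfig:
    """Parse OpenVPN's line-oriented config format, including inline blocks."""
    cfg = OvpnConfig()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":        # '#' and ';' both start comments
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            tag = line[1:-1]
            body: List[str] = []
            while i < len(lines) and lines[i].strip() != f"</{tag}>":
                body.append(lines[i])           # block bodies are kept verbatim
                i += 1
            if i >= len(lines):
                raise ValueError(f"unterminated inline block <{tag}>")
            i += 1                              # consume the closing tag
            cfg.inline[tag] = "\n".join(body)
            continue
        parts = shlex.split(line)               # respects quoted arguments
        cfg.options.setdefault(parts[0], []).append(parts[1:])
    return cfg


def lint_client(cfg: OvpnConfig) -> List[str]:
    """Return findings for a client config; an empty list means no gap found."""
    findings: List[str] = []
    if not (cfg.has("client") or cfg.has("tls-client")):
        return ["not a TLS client config"]
    if not any(cfg.has(o) for o in SERVER_VERIFY_OPTIONS):
        findings.append("no server certificate verification method: "
                        "add 'remote-cert-tls server' (and ideally verify-x509-name)")
    for args in cfg.options.get("remote-cert-tls", []):
        if args != ["server"]:
            findings.append(f"remote-cert-tls on a client must be 'server', got {args}")
    if not any(cfg.has(o) for o in CONTROL_CHANNEL_OPTIONS):
        findings.append("control channel has no tls-auth/tls-crypt protection")
    return findings


# Constructed sample: the posted client config with secret material left out.
CLIENT_AS_POSTED = """\
dev tun
;windows-driver wintun
remote 10.1.101.101 23456 udp
client
verb 4
<tls-auth>
# (static key body omitted in this sample)
</tls-auth>
<ca>
# (CA certificate omitted in this sample)
</ca>
"""

# Same config plus the two options that pin the server identity; the expected
# name comes from the server certificate shown in the report (CN=SERVER-01).
CLIENT_HARDENED = CLIENT_AS_POSTED + "remote-cert-tls server\nverify-x509-name SERVER-01 name\n"


if __name__ == "__main__":
    for label, text in (("as posted", CLIENT_AS_POSTED), ("hardened", CLIENT_HARDENED)):
        print(f"{label}: {lint_client(parse_ovpn(text)) or ['ok']}")
```

Run it against the file you actually deploy rather than the sample: the lint reads the same `<tls-auth>` and `<ca>` inline blocks the report uses, so a real `.ovpn` needs no preprocessing. Note that `remote-cert-tls server` checks the EKU the server certificate above carries ("TLS Web Server Authentication"), while `verify-x509-name` additionally ties the connection to that one certificate name.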

[2.6 beta1 w/ dco] server side explicit-exit-notify not working


Server and client are both 2.6 beta1 w/ dco.
server config:

daemon
port 1080
proto udp
float
explicit-exit-notify 1
tun-mtu 1428
dev tun21
txqueuelen 1000
client-config-dir /etc/openvpn/ccd1
persist-tun
persist-key
data-ciphers AES-128-GCM
auth SHA512
auth-nocache
allow-compression no
tls-crypt tlscrypt.key
ca ca.crt
cert server.crt
key server.key
dh dh.pem
remote-cert-eku "TLS Web Client Authentication"
reneg-sec 0
hand-window 5
tran-window 86000
server 10.0.0.0 255.255.255.0
block-ipv6
topology subnet
client-to-client
replay-window 5000 3
connect-retry 3 15
ping 0
ping-restart 3600
sndbuf 11796480
rcvbuf 11796480
mlock
push "sndbuf 11796480"
push "rcvbuf 11796480"

client config:

daemon
dev tun11
persist-tun
proto udp
tun-mtu 1428
remote 127.0.0.1 1080
nobind
explicit-exit-notify 2
connect-retry 1 3
client
allow-compression no
data-ciphers AES-128-GCM
auth SHA512
auth-nocache
script-security 2
remote-cert-tls server
tls-crypt tlscrypt.key
ca ca.crt
cert main1.crt
key main1.key
reneg-sec 0
hand-window 5
tran-window 86000
persist-key
ping 0
ping-restart 3600
replay-window 5000 3
mute 20
mlock

Describe the bug/To Reproduce
Establish a TLS config connection first
then send server a SIGUSR1/SIGHUP/SIGTERM
server will log (this one is SIGTERM):

2022-12-07 11:26:09 event_wait : Interrupted system call (fd=-1,code=4)
2022-12-07 11:26:09 SENT CONTROL [Client]: 'RESTART' (status=1)
2022-12-07 11:26:11 Closing DCO interface

but the client receives nothing/logs nothing; a manual SIGUSR1 on the client is needed to reestablish the connection.

Expected behavior
Client receives RESTART, then generates an internal SIGUSR1. This makes the client reconnect after a server reboot.

Version information (please complete the following information):

  • Server OS: Ubuntu 20/22 5.15.0-1026-aws/5.4.0-135-generic/5.15.0-56-generic
  • Client OS: Ubuntu 22 5.15.0-56-generic
  • OpenVPN version: 2.6 beta1 w/ dco

OpenVPN: allow storing authentication user name in configuration

Describe the bug
It would be nice if it were possible to require certificate authentication and use a static challenge without username and password, to make it possible to implement e.g. TOTP with an auth-user-pass-verify script. Static challenges are only activated if auth-user-pass is configured as well, which strictly requires a username and a password. We can configure static credentials with e.g. "auth-user-pass credentials.txt" and just add some static values in two lines in that file, but it is not possible to store them inside the ovpn file as an inline configuration parameter. This was actually promised for openvpn 2.4.x in the old bug ticket https://community.openvpn.net/openvpn/ticket/628 but unfortunately never implemented.

To Reproduce
add the following to your configuration:

<auth-user-pass>
username
password
</auth-user-pass>

Expected behavior
(1) I was hoping that OpenVPN would take over the string username for the username field and the string password for the password; however it only returns an error saying that this is not an inline parameter. It would also be absolutely fine if the contents of the inline parameter had to be base64 encoded.

(2) Additionally it would be great, if static-challenge would use an empty username and an empty password if auth-user-pass is not configured while static-challenge is.

Version information (please complete the following information):

  • OS: Linux
  • OpenVPN version: 2.5.6 (community edition)
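What a static-challenge setup looks like on the server side today, as an added example (not OpenVPN project code and not the reporter's): an auth-user-pass-verify script in via-file mode that checks a static password plus a TOTP code delivered through the client's static-challenge prompt. It assumes the server has `script-security 2` and `auth-user-pass-verify /etc/openvpn/totp-verify.py via-file`, and the client has `auth-user-pass` and `static-challenge "Enter TOTP code" 1`; with static-challenge active the client sends the password field as `SCRV1:<base64(password)>:<base64(response)>`. The user table is constructed for the demo and its TOTP secret is the RFC 6238 reference key, not a real credential.

```python
"""auth-user-pass-verify (via-file) script: static password + TOTP via --static-challenge.

Added example, not OpenVPN project code. Assumed deployment:
  server: script-security 2
          auth-user-pass-verify /etc/openvpn/totp-verify.py via-file
  client: auth-user-pass
          static-challenge "Enter TOTP code" 1
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

# Constructed demo table: username -> (static password, raw TOTP secret).
# The secret is the RFC 4226/6238 reference key, not a real credential.
USERS = {
    "alice": ("hunter2", b"12345678901234567890"),
}
TOTP_STEP = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def encode_scrv1(password: str, response: str) -> str:
    """What the client puts in the password field when --static-challenge is active."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return "SCRV1:%s:%s" % (b64(password), b64(response))


def parse_scrv1(field: str):
    """Return (password, response) from an SCRV1 field, or None if it is not one."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return tuple(base64.b64decode(p, validate=True).decode() for p in parts[1:])
    except (ValueError, UnicodeDecodeError):
        return None


def verify(username: str, field: str, now=None, window: int = 1) -> bool:
    """Accept only if the static password matches and the response is the TOTP code
    for the current step or one step either side (clock skew)."""
    now = time.time() if now is None else now
    parsed = parse_scrv1(field)
    record = USERS.get(username)
    if parsed is None or record is None:
        return False
    password, response = parsed
    expected_password, secret = record
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    counter = int(now) // TOTP_STEP
    code_ok = False
    for delta in range(-window, window + 1):
        # No early exit: every candidate is compared, so timing does not reveal which step matched.
        code_ok |= hmac.compare_digest(response.encode(), hotp(secret, counter + delta).encode())
    return password_ok and code_ok


def main(argv) -> int:
    # via-file: OpenVPN passes a temp file with the username on line 1 and the
    # password field on line 2; exit 0 accepts the client, anything else rejects it.
    with open(argv[1]) as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        return 1
    return 0 if verify(lines[0], lines[1]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The password half of the SCRV1 field is exactly the "dummy" static credential the post complains about: it still has to exist on the client so that static-challenge is activated, and the script simply treats it as a second factor alongside the TOTP code. The comparison loop deliberately checks every step in the window rather than stopping at the first match.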

[2.6 beta1] TLS client dco module crash(?) after 14-15 TLS renegotiations

Describe the bug

2022-12-08 02:38:25 us=845277 VERIFY EKU OK
2022-12-08 02:38:25 us=845295 VERIFY OK: depth=0, CN=server
2022-12-08 02:38:25 us=921607 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2022-12-08 02:38:40 us=998290 TLS: soft reset sec=15/15 bytes=0/-1 pkts=0/0
2022-12-08 02:38:40 us=998991 Assertion failed at dco.c:175 (primary->dco_status != DCO_NOT_INSTALLED)

To Reproduce
A normal TLS setup was established, then after around 15+ successful "TLS: soft reset" events this happens.

Config same as #192 (comment) except server dco disabled because TLS reneg doesn't work with it on

Expected behavior
Nothing happens

Version information (please complete the following information):

  • OS: Ubuntu 22.04
  • OpenVPN version: 2.6 beta1

DCO servers do not handle full --ifconfig-pool gracefully

Describe the bug
TCP servers do not properly expire clients, so the pool fills, and when the pool is full, clients can no longer connect and the syslog is full of "DCO errors"

To Reproduce
run a TCP server, connect a few ten thousand clients with different usernames (= new IP address assignment per client), disconnect right away

Expected behavior
dco-linux needs to inform userland about closed TCP sessions, but until this can be done, userland should log this in a more useful way (see below)

Version information (please complete the following information):

  • OS: Ubuntu 20.04
  • OpenVPN version: master + bandaid patch, as of Dec 22, 2022

Additional context

Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: 2001:608:0:814::f000:21 [gremlin46393] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:21:24792
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 MULTI: no free --ifconfig-pool addresses are available
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 MULTI: no dynamic or static remote--ifconfig address is available for gremlin46393/2001:608:0:814::f000:21
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: peer-id 0, fd 9, remote addr: [undefined]
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: netlink reports error (-7): Invalid input data or parameter: No such file or directory (errno=2)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 dco_new_peer: failed to send netlink message: Invalid argument (-22)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 Cannot add peer to DCO for gremlin46393/2001:608:0:814::f000:21: Invalid argument (-22)
Dec 22 12:01:36 ubuntu2004 tun-tcp-p2mp-username-cn[1659541]: gremlin46393/2001:608:0:814::f000:21 Delayed exit in 5 seconds

client-connect script blocks openvpn server

I had an issue with client-connect script execution. We do some operations in the client-connect script which take 20-30 seconds. During the execution of this script all traffic on the openvpn server is blocked, or not processed.
If I telnet into the management port and run the status command there, the output of that command is returned only after the client-connect script is done processing. During execution of this script, no other user is able to connect to the openvpn server.

To Reproduce

  • Create client-connect script (php) and put sleep(30); in it.
  • connect one user.
  • within 30 seconds (during execution of the client-connect script), try to connect another user; that connection will not be processed until the client-connect script for the previous user is done processing.

Expected behavior
I should be able to connect other users while the client-connect script for the previous user is executing.

Version information (please complete the following information):

  • OS: Debian 9
  • OpenVPN version: 2.5.8-stretch0 (also tested with 2.5.0-stretch0, 2.5.7-stretch0, 2.4.7-stretch0 same behavior)

Additional context
As per this: https://community.openvpn.net/openvpn/ticket/1244
the same issue was fixed, but I am unable to get it working as expected.

Thanks,
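The deferred client-connect mechanism is what stops a slow script from stalling the server; here is an added example of using it (not OpenVPN project code and not the reporter's script). It follows the protocol described in the 2.5 --client-connect documentation: exiting with status 2 means "deferred", and the verdict is written later (1 = accept, 0 = reject) to the file named by the environment variable client_connect_deferred_file, while the script's first argument is the per-client config file the script may write directives into. slow_work() is a stand-in for the reporter's 20-30 second job; run_demo() exercises the flow in a scratch directory.

```python
"""Deferred --client-connect handler: hand the slow part to a child process and return
exit status 2 immediately so the OpenVPN event loop is not blocked.

Added example, not OpenVPN project code. Protocol (per the 2.5 --client-connect docs):
exit 2 = deferred; later write "1" (accept) or "0" (reject) into the file named by
$client_connect_deferred_file; argv[1] is the per-client config file.
"""
import os
import sys
import tempfile
import time


def slow_work() -> bool:
    """Stand-in for the 20-30 second job from the report; returns accept/reject."""
    time.sleep(0.2)
    return True


def deferred_client_connect(deferred_file: str, config_file: str, work=slow_work):
    """Fork; the child runs `work` and writes the verdict, the parent returns 2 at once.
    Returns (exit status for the parent, child pid)."""
    pid = os.fork()
    if pid != 0:
        return 2, pid
    # Child: nothing from here on holds up the server.
    verdict = "0"
    try:
        if work():
            with open(config_file, "a") as cfg:
                cfg.write("# directives produced by the deferred client-connect job go here\n")
            verdict = "1"
    finally:
        # Any exception in work() still ends here and rejects the client.
        with open(deferred_file, "w") as df:
            df.write(verdict)
        os._exit(0)


def run_demo(work=slow_work) -> str:
    """Exercise the flow in a scratch directory and return the verdict the child wrote."""
    with tempfile.TemporaryDirectory() as scratch:
        deferred_file = os.path.join(scratch, "deferred")
        config_file = os.path.join(scratch, "client.conf")
        open(config_file, "w").close()
        status, pid = deferred_client_connect(deferred_file, config_file, work)
        if status != 2:
            return "unexpected"
        os.waitpid(pid, 0)  # OpenVPN polls the file instead; the demo just waits for the child.
        with open(deferred_file) as df:
            return df.read()


if __name__ == "__main__":
    if "client_connect_deferred_file" in os.environ and len(sys.argv) > 1:
        # Invoked by OpenVPN.
        status, _ = deferred_client_connect(os.environ["client_connect_deferred_file"], sys.argv[1])
        sys.exit(status)
    print("demo verdict:", run_demo())
```

Because the parent exits as soon as the fork has happened, the server's event loop and the management interface keep responding while the child is still working, which is the behaviour the report expects. A script that does its work before exiting, even with the deferred file present, still blocks the server for the duration.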

[2.6 beta1 w/ dco] SIGUSR1 causing crash. persist-remote-ip but with static remote ip specified(?)

Describe the bug
with persist-tun:

2022-12-07 16:13:31 UDPv4 link local: (not bound)
2022-12-07 16:13:31 UDPv4 link remote: [AF_INET]127.0.0.1:12345
2022-12-07 16:13:31 dco_do_write: netlink reports error (-1): Unspecific failure
2022-12-07 16:13:31 dco_do_write: failed to send netlink message: No route to host (-113)
2022-12-07 16:13:31 write UDPv4 []: Success (fd=4,code=0)
2022-12-07 16:13:33 dco_do_write: netlink reports error (-1): Unspecific failure
2022-12-07 16:13:33 dco_do_write: failed to send netlink message: No route to host (-113)
2022-12-07 16:13:33 write UDPv4 []: Success (fd=4,code=0)

then it is stuck, not crashing; a SIGHUP can "fix" it

without persist-tun:

2022-12-07 16:13:31 UDPv4 link local: (not bound)
2022-12-07 16:13:31 UDPv4 link remote: [AF_INET]127.0.0.1:12345

crashed

To Reproduce
Ubuntu 22. dco on.

client config:

remote 127.0.0.1:12345
persist-local-ip
persist-remote-ip
persist-tun
persist-key

Expected behavior
2.5.8 is good. Removing persist-remote-ip makes it as good as 2.5.8.

Version information (please complete the following information):

  • OS: Ubuntu 22.04
  • OpenVPN version: 2.6 beta1
  • Repeat for peer if relevant

FreeBSD: OpenVPN PID logged in syslog is off-by-one from actual OpenVPN PID

Describe the bug
Running OpenVPN on FreeBSD with --daemon (which implies --syslog) shows off-by-one PID in syslog

To Reproduce
Run OpenVPN on FreeBSD with --daemon, compare PID in syslog and ps

Dec 14 11:58:20 fbsd14 tun-udp-p2p-tls-sha256[46924]: dco_update_keys: peer_id=-1

# ps axwwwwwu |grep tls-sha256
root    46925   0.0  0.2 18208  8148  -  Ss   11:39       0:00.26 ./bin/openvpn --daemon tun-udp-p2p-tls-sha256 --cd tun-udp-p2p-tls-sha256 --config server.conf --writepid ../openvpn-tun-udp-p2p-tls-sha256.pid

Expected behavior
actual process PID visible in syslog

Version information (please complete the following information):

  • OS: FreeBSD 14
  • OpenVPN version: 2.6_beta1

Additional context
I assume this is caused by doing openlog() before daemon() or something like that... does not happen on Linux.

OpenSSL legacy provider not shipped in 2.6beta1 MSI

Currently we lack support for the legacy provider of OpenSSL:

 .\openvpn --providers default legacy --show-ciphers
2022-12-05 13:30:49 OpenSSL: error:12800067:DSO support routines::could not load the shared library
2022-12-05 13:30:49 OpenSSL: error:12800067:DSO support routines::could not load the shared library
2022-12-05 13:30:49 OpenSSL: error:07880025:common libcrypto routines::reason(524325)
2022-12-05 13:30:49 failed to load provider 'legacy'
2022-12-05 13:30:49 Exiting due to fatal error

After manually copying legacy.dll, running openssl.exe still does not work since it has the wrong search path by default:

.\openssl.exe ciphers -provider legacy
ciphers: unable to load provider legacy
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
586D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\buildbot\windows-server-2019-static-msbuild\vcpkg\packages\openssl_x64-windows-ovpn\bin\legacy.dll)
586D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:152:
586D0000:error:07880025:common libcrypto routines:provider_init:reason(524325):crypto\provider_core.c:912:name=legacy

Manually adding the search path works:

.\openssl.exe ciphers  -provider-path .  -provider legacy -provider default

PS C:\Program Files\OpenVPN\bin> .\openssl.exe ciphers  -provider-path .  -provider legacy -provider default
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA

We could build OpenSSL with no-modules to enable legacy provider as internal module but that probably also blocks/disables other features (it will internally enable the STATIC_LEGACY define).

To enable it in OpenVPN, we need to define the environment variable as well:


PS C:\Program Files\OpenVPN\bin> $env:OPENSSL_MODULES='C:\Program Files\OpenVPN\bin'
PS C:\Program Files\OpenVPN\bin> .\openvpn --providers default legacy --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN.  Each cipher shown below may be used as a
parameter to the --data-ciphers (or --cipher) option. In static
key mode only CBC mode is allowed.
See also openssl list -cipher-algorithms

AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
[...]

BF-CBC  (128 bit key, 64 bit block)
[...]

[2.6 beta1 w/ dco] Remove link-mtu warning.

Identical --cipher/--data-ciphers AES-128-GCM, --auth SHA256, --data-ciphers-fallback and "compression no" settings on server and clients, no link-mtu config.

Client still logs:
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1516', remote='link-mtu 1513'

Lack of documentation on how it's computed, and no real effect, DEPRECATED anyway, just remove it.

How to specify the logging level?

How to set the logging level for vpn server launched via systemd?
Verb directive from server config is not applied.
The unit file is not at all clear about what it launches: ExecStart=/bin/true

Uninterruptible loops and lost signals

Based on Trac issues 311 and 639, recreated here for better visibility and ease of follow-up.

Describe the bug
SIGTERM/SIGINT are lost in some cases leading to non-interruptible (or hard to interrupt) loops

To Reproduce
On Windows and Linux: use a bogus DNS server and run the client, preferably with an unresolvable remote like
openvpn --client --remote foo.bar <other options>
When the process stalls in getaddrinfo() press ctrl-C. Instead of exiting, the connection will repeatedly restart after a couple of rounds of timeout in getaddrinfo(). In this case ctrl-C pressed during address resolution is lost on Linux.

Pressing ctrl-C when the process is in sleep() (restart delay) does terminate the process on Linux. But, on Windows ctrl-C is always lost unless --management option is also used.

Windows only: Just use an unresolvable remote with working dns server (but no --management option) and the process goes into a SIGUSR1 restart loop that is not interruptible even during the restart delay.

Expected behaviour

On pressing ctrl-C or sending SIGTERM or SIGINT, the process should terminate once address resolution times out. Although getaddrinfo() is not interruptible, the signal does get delivered during it and it should not be lost. On Windows, restart loops must be interruptible even if the --management option is not used.

Version information (please complete the following information):

  • OpenVPN version: 2.6_beta2

Additional context
As discussed under https://community.openvpn.net/openvpn/ticket/639, this appears to be caused by lower priority signals (SIGUSR1, for example) overwriting pending SIGTERM before it gets processed.

Propose to fix by

(i) set all signals through functions (no direct re-write of volatile variables)
(ii) prioritize signals in order of importance
(iii) On windows, signal is not picked up in openvpn_sleep() unless management is active. Fix this
(iv) use sigaction instead of old signal API

https://github.com/selvanair/openvpn/tree/signals

(iv) may be too intrusive for 2.6 at this stage, but (i) to (iii) are simple and will fix the above buggy behaviour in practice, even if not fool-proof.
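A small model of proposals (i) and (ii), added here as an example (not OpenVPN code and not the proposer's branch): every signal goes through one throw() function, and a pending signal is only ever replaced by one of higher priority. LastWriterWins reproduces the reported loss, where a later SIGUSR1 restart overwrites a pending SIGTERM; Prioritized is the proposed behaviour. The numeric priorities are an assumption for the model; the post only says SIGUSR1 ranks below SIGTERM.

```python
"""Model of prioritised signal delivery (proposal (i)+(ii) above).

Added example, not OpenVPN code. PRIORITY values are assumed for the model.
"""
import signal

PRIORITY = {  # assumed ordering, highest first
    signal.SIGTERM: 4,
    signal.SIGINT: 4,
    signal.SIGHUP: 3,
    signal.SIGUSR1: 2,
    signal.SIGUSR2: 1,
}


class LastWriterWins:
    """The reported pattern: handlers write the shared variable directly, so a later,
    lower-priority SIGUSR1 (restart) replaces a pending SIGTERM (exit)."""

    def __init__(self):
        self.pending = None

    def throw(self, signum):
        self.pending = signum
        return True

    def take(self):
        """What the main loop reads when it next checks for signals."""
        signum, self.pending = self.pending, None
        return signum


class Prioritized(LastWriterWins):
    """Proposal (i)+(ii): one entry point that only upgrades the pending signal."""

    def throw(self, signum):
        if self.pending is None or PRIORITY.get(signum, 0) > PRIORITY.get(self.pending, 0):
            self.pending = signum
            return True
        return False  # dropped: something at least as urgent is already pending


def install(slot):
    """Wire the real handlers so they do nothing but call slot.throw()."""
    for signum in PRIORITY:
        signal.signal(signum, lambda s, _frame: slot.throw(s))
    return slot


def deliver(slot, names):
    """Feed a sequence of signal names, then report which one the main loop would see."""
    for name in names:
        slot.throw(signal.Signals[name])
    taken = slot.take()
    return None if taken is None else signal.Signals(taken).name


if __name__ == "__main__":
    for cls in (LastWriterWins, Prioritized):
        print(cls.__name__, "->", deliver(cls(), ["SIGTERM", "SIGUSR1"]))
```

With the prioritised slot, a SIGTERM that arrives while the process sits in getaddrinfo() survives the SIGUSR1 that the restart logic raises afterwards, which is the case the report describes as lost on Linux.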

Error in server mode

When enabled on the server, it stops working with this error:

2022-09-19 17:26:15 Bruno-Casa/2804:14d:5ca0::XXX SIGTERM[soft,ovpn-dco: ping expired] received, client-instance exiting

Linux SRV01 5.19.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.6-1 (2022-09-01) x86_64 GNU/Linux
openvpn 2.6.0~git20220818-1

ovpn-dco/0.0+git20220816, 5.19.0-1-amd64, x86_64:

2.6 for arm64 problem in apply push option

I successfully installed the new 2.6 release version today without any error.
Any config I connect with shows me an error in the connection process and loops retrying the connection.
Please resolve this problem.

Access violation in interactive service

When iservice is unable to apply "block-outside-dns", an access violation happens during the undo phase.


Steps to reproduce:

There is a compatibility issue between the dco driver and the Sonicwall driver, but the interactive service should not crash regardless of it. The access violation seems to happen inside WFP, but that does not excuse us :)

Configuration .ovpn ExpressVPN does not work OpenVPN 2.6_rc18

  • OS: [Windows Server22]
  • OpenVPN version: [2.6_rc18]

Configuration .ovpn ExpressVPN does not work

dev tun
fast-io
persist-key
persist-tun
nobind
remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

<cert>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqzmLfyjotrjAxnr96V4PI9UjuCf+BFVgxe7yXCq9o62Zag/8
7gBcdltWFr8Lpjzujyh+D1PettWjXYrpmlJL/0aZQn85558aqG4SbkxNqAPq0tWz
qvvToR8BfY4DVzVZPl1+HdLaEk+bhhOmdznZjwbq/KOQJQn+/Dw0gMKRTsOR64C6
jhFOIU8Hgtf3M19lbL7B79th0SOiTGYD/IBkIov6fYrpKn2ibxnT3Ii+adUEQVEC
IvD/KTbxKdaVSKcWI+/yzlKm9g8Rb4Jqdr9SENGLvPElrBZPOPsQGB835C8kt9Uq
o+bi0QZyasd3yJTooUOdBiO9n8DzMKPjoqab1QIDAQABAoIBAHgsekC0SKi+AOcN
OZqJ3pxqophE0V7fQX2KWGXhxZnUZMFxGTc936deMYzjZ1y0lUa6x8cgOUcfqHol
3hDmw9oWBckLHGv5Wi9umdb6DOLoZO62+FQATSdfaJ9jheq2Ub2YxsRN0apaXzB6
KDKz0oM0+sZ4Udn9Kw6DfuIELRIWwEx4w0v3gKW7YLC4Jkc4AwLkPK03xEA/qImf
kCmaMPLhrgVQt+IFfP8bXzL7CCC04rNU/IS8pyjex+iUolnQZlbXntF7Bm4V2mz0
827ZVqrgAb/hEQRlsTW3rRkVh+rrdoUE7BCZRTFmRCbLoShjN6XuSf4sAus8ch4U
EN12gN0CgYEA4o/tSvij1iPaXLmt4KOEuxqmSGB8MLKhFde8lBbNdrDgxiIH9bH7
khKx15XRTX0qLDbs8b2/UJygZG0Aa1kIBqZTXTgeMAuxPRTesALJPdqQ/ROnbJcd
FkI7gllrAG8VB0fH4wTRsRd0vWEB6YlCdE107u6LEsLAHxOj9Q5819cCgYEAwXjx
9RkQ2qITBx5Ewib8YsltA0n3cmRomPicLlsnKV5DfvyCLpFIsZ1h3f9dUpfxRLwz
p8wcoLiq9cCoOGdu1udw/yBTqmhaXWhUK/g77f9Ze2ZB1OEhuyKLYJ1vW/h/Z/a1
aPCMxZqsDTPCePsuO8Cez5gqs8LjM3W7EyzRxDMCgYEAvhHrDFt975fSiLoJgo0M
PIAGAnBXn+8sLwv3m/FpW+rWF8LTFK/Fku12H5wDpNOdvswxijkauIE+GiJMGMLv
dcyx4WHECaC1h73reJRNykOEIZ0Md5BrCZJ1JEzp9Mo8RQhWTEFtvfkkqgApP4g0
pSeaMx0StaGG1kt+4IbP+68CgYBrZdQKlquAck/Vt7u7eyDHRcE5/ilaWtqlb/xi
zz7h++3D5C/v4b5UumTFcyg+3RGVclPKZcfOgDSGzzeSd/hTW46iUTOgeOUQzQVM
kzPRXdoyYgVRQtgSpY5xR3O1vjAbahwx8LZ0SvQPMBhYSDbV/Isr+fBacWjl/Aip
EEwxeQKBgQDdrAEnVlOFoCLw4sUjsPoxkLjhTAgI7CYk5NNxX67Rnj0tp+Y49+sG
Uhl5sCGfMKkLShiON5P2oxZa+B0aPtQjsdnsFPa1uaZkK4c++SS6AetzYRpVDLmL
p7/1CulE0z3O0sBekpwiuaqLJ9ZccC81g4+2j8j6c50rIAct3hxIxw==
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
48d9999bd71095b10649c7cb471c1051
b1afdece597cea06909b99303a18c674
01597b12c04a787e98cdb619ee960d90
a0165529dc650f3a5c6fbe77c91c137d
cf55d863fcbe314df5f0b45dbe974d9b
de33ef5b4803c3985531c6c23ca6906d
6cd028efc8585d1b9e71003566bd7891
b9cc9212bcba510109922eed87f5c8e6
6d8e59cbd82575261f02777372b2cd4c
a5214c4a6513ff26dd568f574fd40d6c
d450fc788160ff68434ce2bf6afb00e7
10a3198538f14c4d45d84ab42637872e
778a6b35a124e700920879f1d003ba93
dccdb953cdf32bea03f365760b0ed800
2098d4ce20d045b45a83a8432cc73767
7aed27125592a7148d25c87fdbe0a3f6
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIF+DCCA+CgAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBhDELMAkGA1UEBhMCVkcx
DDAKBgNVBAgMA0JWSTETMBEGA1UECgwKRXhwcmVzc1ZQTjETMBEGA1UECwwKRXhw
cmVzc1ZQTjEWMBQGA1UEAwwNRXhwcmVzc1ZQTiBDQTElMCMGCSqGSIb3DQEJARYW
c3VwcG9ydEBleHByZXNzdnBuLmNvbTAeFw0xNTEwMjEwMDAwMDBaFw0yNjA0MDEy
MTEyMDBaMIGEMQswCQYDVQQGEwJWRzEMMAoGA1UECAwDQlZJMRMwEQYDVQQKDApF
eHByZXNzVlBOMRMwEQYDVQQLDApFeHByZXNzVlBOMRYwFAYDVQQDDA1FeHByZXNz
VlBOIENBMSUwIwYJKoZIhvcNAQkBFhZzdXBwb3J0QGV4cHJlc3N2cG4uY29tMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxzXvHZ25OsESKRMQFINHJNqE
9kVRLWJS50oVB2jxobudPhCsWvJSApvar8CB2RrqkVMhXu2HT3FBtDL91INg070q
AyjjRpzEbDPWqQ1+G0tk0sjiJt2mXPJK2IlNFnhe6rTs09Pkpcp8qRhfZay/dIlm
agohQAr4JvYL1Ajg9A3sLb8JkY03H6GhOF8EKYTqhrEppCcg4sQKQhNSytRoQAm8
Ta+tnTYIedwWpqjUXP9YXFOvljPaixfYug24eAkpTjeuWTcELSyfnuiBeK+z9+5O
YunhqFt2QZMq33kLFZGMN2gHRCzngxxphurypsPRo7jiFgQI1yLt8uZsEZ+otGEK
91jjKfOC+g9TBy2RUtxk1neWcQ6syXDuc3rBNrGA8iM0ZoEqQ1BC8xWr3NYlSjqN
+1mgpTAX3/Dxze4GzHd7AmYaYJV8xnKBVNphlMlg1giCAu5QXjMxPbfCgZiEFq/u
q0SOKQJeT3AI/uVPSvwCMWByjyMbDpKKAK8Hy3UT5m4bCNu8J7bxj+vdnq0A2HPw
tF0FwBl/TIM3zNsyFrZZ0j6jLRT50mFsgDBKcD4L/J5rjdCsKPu5rodhxe38rCx2
GknP1Zkov4yoVCcR48+CQwg3oBkq0/EflvWUvcYApzs9SomUM/g+8Q/V0WOfJmFW
uxN9YntZlnzHRSRjrvMCAwEAAaNzMHEwHQYDVR0OBBYEFIzmQGj8xS+0LLklwqHD
45VVOZRJMB8GA1UdIwQYMBaAFIzmQGj8xS+0LLklwqHD45VVOZRJMA8GA1UdEwEB
/wQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBFjANBgkqhkiG
9w0BAQ0FAAOCAgEAbHfuMKtojm1NgX7qSU2Rm2B5L8G0FuFP0L40dj8O5WHt45j2
z8coMK90vrUnQEZNQmRzot7v3XjVzVlxBWYSsCEApTsSDNi/4BNFP8H/BUUtJuy2
GFTO4wDVJnqNkZOHBmyVD75s1Y+W8a+zB4jkMeDEhOHZdwQ0l1fJDDgXal5f1UT5
F5WH6/RwHmWTwX4GxuCiIVtx70CjkXqhM8yZtTp1UtHLRNYcNSIes0vrAPHPgoA5
z9B8UvsOjuP+mfcjzi0LGGrY+2pJu0BKO2dRnarIZZABETIisI3FokoTszx5jpRP
yxyUTuRDKWHrvi0PPtOmC8nFahfugWFUi6uBsqCaSeuex+ahnTPCq0b1l0Ozpg0Y
eE8CW1TL9Y92b01up2c+PP6wZOIm3JyTH+L5smDFbh80V42dKyGNdPXMg5IcJhj3
YfAy4k8h/qbWY57KFcIzKx40bFsoI7PeydbGtT/dIoFLSZRLW5bleXNgG9mXZp27
0UeEC6CpATCS6uVl8LVT1I02uulHUpFaRmTEOrmMxsXGt6UAwYTY55K/B8uuID34
1xKbeC0kzhuN2gsL5UJaocBHyWK/AqwbeBttdhOCLwoaj7+nSViPxICObKrg3qav
GNCvtwy/fEegK9X/wlp2e2CFlIhFbadeXOBr9Fn8ypYPP17mTqe98OJYM04=
-----END CERTIFICATE-----
</ca>


What needs to be fixed in the config?
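Two lines in the posted profile, `ns-cert-type server` and `keysize 256`, are options that were deprecated in 2.4 and removed in 2.6, so a 2.6 client will not accept the profile as is; `ns-cert-type` is superseded by `remote-cert-tls` with the same argument. The following added example (not OpenVPN code and not the poster's) lints a profile for the removals the author is certain of (`ns-cert-type`, `keysize`, `prng`, `no-replay`) and emits a corrected copy, copying inline `<cert>`/`<key>`/`<ca>`/`<tls-auth>` blocks through untouched so that a PEM line is never mistaken for an option. SAMPLE_PROFILE is a constructed excerpt of the posted one with the key material omitted.

```python
"""Lint an .ovpn profile for options OpenVPN 2.6 no longer accepts and emit a fixed copy.

Added example, not OpenVPN code. Only removals the author is certain of are listed.
"""
import re

# option name -> function(args) returning the replacement line, or None to drop it
REMOVED_IN_2_6 = {
    "ns-cert-type": lambda args: "remote-cert-tls %s" % " ".join(args),  # same server/client argument
    "keysize": lambda args: None,  # key length now follows from the cipher itself
    "prng": lambda args: None,
    "no-replay": lambda args: None,
}

INLINE_OPEN = re.compile(r"^\s*<([a-z-]+)>\s*$")


def lint_profile(text: str):
    """Return (fixed_text, findings); each finding is (line_no, original, replacement)."""
    out, findings = [], []
    inline_tag = None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if inline_tag:
            # Inside <tag>...</tag>: PEM or key data, never an option.
            out.append(line)
            if stripped == "</%s>" % inline_tag:
                inline_tag = None
            continue
        m = INLINE_OPEN.match(line)
        if m:
            inline_tag = m.group(1)
            out.append(line)
            continue
        if not stripped or stripped[0] in "#;":
            out.append(line)
            continue
        name, *args = stripped.split()
        if name in REMOVED_IN_2_6:
            replacement = REMOVED_IN_2_6[name](args)
            findings.append((no, stripped, replacement))
            if replacement is not None:
                out.append(replacement)
            continue
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed excerpt of the posted profile; inline key material omitted.
SAMPLE_PROFILE = """\
dev tun
persist-key
persist-tun
nobind
remote germany-frankfurt-1-ca-version-2.expressnetw.com 1195
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
cipher AES-256-CBC
keysize 256
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
keysize 256 -- inside an inline block, must be left alone
-----END CERTIFICATE-----
</ca>
"""


if __name__ == "__main__":
    fixed, findings = lint_profile(SAMPLE_PROFILE)
    for no, original, replacement in findings:
        print("line %d: %r -> %s" % (no, original, replacement or "(removed)"))
    print(fixed)
```

Run against a real profile, the findings list is the answer to "what needs to be fixed": each removed option with the line it sits on and what, if anything, replaces it.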

[2.6 beta1 w/ dco] server side explicit-exit-notify not working

Describe the bug
server client both 2.6 beta1 w/ dco
server:
udp
explicit-exit-notify 1
client:
udp
explicit-exit-notify 2

To Reproduce
Establish a TLS config connection first
then send server a SIGUSR1/SIGHUP/SIGTERM
server will log (this one is SIGTERM):

2022-12-07 11:26:09 event_wait : Interrupted system call (fd=-1,code=4)
2022-12-07 11:26:09 SENT CONTROL [Client]: 'RESTART' (status=1)
2022-12-07 11:26:11 Closing DCO interface

but the client receives nothing/logs nothing; a manual SIGUSR1 on the client is needed to reestablish the connection.

Expected behavior
Client receives RESTART, then generates an internal SIGUSR1. This makes the client reconnect after a server reboot.

Version information (please complete the following information):

  • OS: Ubuntu 22.04
  • OpenVPN version: 2.6 beta1 w/ dco
  • Repeat for peer if relevant

Client is not properly notified with AUTH_FAILED when using auth-gen-token and reneg-sec

Describe the bug
AUTH_FAILED message not sent from server to client after token expiration when using auth-gen-token and reneg-sec settings on the server. Instead it is sent after auth-gen-token + (reneg-sec * 2) which leads to a stalled client until AUTH_FAILED is received.

To Reproduce
use both auth-gen-token and reneg-sec

Expected behavior
The AUTH_FAILED message should be sent to the client as soon as the token is expired, or ideally the client would be asked to re-authenticate before the old token expires and a new token is pushed to the client (as the man page alludes to).

Version information (please complete the following information):

  • OS: Debian 11 server, MacOS 13.0.1 and Windows 10 22H2 clients
  • OpenVPN version: 2.5.1-3 server, 2.5.7 (Viscosity) clients

Additional context
The 2.5 openvpn man page states for auth-gen-token:
"The token will expire either after the configured lifetime of the token is reached or after not being renewed for more than 2 * reneg-sec seconds."

The token still expires after the specified auth-gen-token lifetime so reneg-sec should not be factored into the AUTH_FAILED control message unless there's a way to prompt for re-authentication before expiration. Perhaps these two options should be completely independent.
