Zonkd
Very Senior Member
In 384.14 can anyone reproduce these syslog errors with their OpenVPN server? I saw them in 384.12 too.
The tls-crypt warning is of main concern. Here is what I do:
1. Change HMAC Authentication from Default to SHA256.
2. Change TLS control channel security from Disabled to Encrypted.
The 2 syslog warnings indicate my router either hasn't written those changes to its server config, or hasn't read the changes. Why?
For my troubleshooting I have properly factory reset and tested with M&M config. I used default server settings. I've tried multiple clients with multiple OpenVPN client software. When I first enabled the OpenVPN server I gave it plenty of time to automatically generate its certs/keys. When I enabled TLS Encrypted the router did create its own Static Key successfully. I exported the client config directly from the router. Clients do always connect successfully at least. Note that link-mtu and tun-mtu inconsistency warnings also appear in syslogs because the router doesn't put the options in exported client config files automatically. This is more of an annoyance than a problem. Old post here.
Edit: I'm still seeing the tls-crypt problem but the auth issue is gone now.
Edit: still unsolved and need help troubleshooting.
Code:
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
WARNING: 'tls-crypt' is present in remote config but missing in local config, remote='tls-crypt'
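Added example, not part of the original post: a small parser for the two OpenVPN option-consistency warning shapes quoted above, which pulls out the option name and the local and remote values (local being the side that wrote the log line) and lists the `auth` and `tls-crypt` mismatches ahead of the MTU ones. The syslog prefix, the MTU values and the `REVIEW_FIRST` set are assumptions made for the illustration.

```python
import re

# Constructed sample: the 'auth' and 'tls-crypt' warnings are the two quoted in the
# post; the syslog prefix and the MTU values are made up for illustration.
SAMPLE_LOG = """\
Jan  1 00:00:01 ovpn-server1[1234]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1550'
Jan  1 00:00:01 ovpn-server1[1234]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
Jan  1 00:00:01 ovpn-server1[1234]: WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
Jan  1 00:00:01 ovpn-server1[1234]: WARNING: 'tls-crypt' is present in remote config but missing in local config, remote='tls-crypt'
Jan  1 00:00:02 ovpn-server1[1234]: Peer Connection Initiated
"""

# Assumption: options to look at first, taken from what the post calls its main concern.
REVIEW_FIRST = {"auth", "tls-crypt"}

INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING = re.compile(
    r"WARNING: '(?P<opt>[^']+)' is present in (?P<side>local|remote) config "
    r"but missing in (?:local|remote) config, (?:local|remote)='(?P<val>[^']*)'")

def parse_warnings(log_text):
    """Return one dict per option-consistency warning; None marks the side lacking the option."""
    findings = []
    for line in log_text.splitlines():
        m = INCONSISTENT.search(line)
        if m:
            local, remote = m["local"], m["remote"]
        else:
            m = MISSING.search(line)
            if not m:
                continue  # not an option-consistency warning
            local, remote = (m["val"], None) if m["side"] == "local" else (None, m["val"])
        findings.append({"option": m["opt"], "local": local, "remote": remote,
                         "review_first": m["opt"] in REVIEW_FIRST})
    return findings

def report(findings):
    """Format findings with the review-first options at the top."""
    ordered = sorted(findings, key=lambda f: not f["review_first"])  # stable sort
    return [f"{'CHECK' if f['review_first'] else 'note '} {f['option']}: "
            f"local={f['local']!r} remote={f['remote']!r}" for f in ordered]

if __name__ == "__main__":
    print("\n".join(report(parse_warnings(SAMPLE_LOG))))
```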