meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:openvpn:issues [2023/01/30 10:15] niziaklinux:openvpn:issues [2025/08/12 09:43] (current) niziak
Line 1: Line 1:
 ====== Issues ====== ====== Issues ======
 +
 +====== IP packet with unknown IP version=15 seen ======
 +
 +  It's a common error happening when there's a difference in compression configuration between the server and the client.
 +
 +''comp-lzo'' disabled on server but enabled on client side.
 +
 +====== dco_parse_peer_multi: cannot store DCO stats for peer 4 ======
 +
 +
 +====== Note: NOT using '--topology subnet' disables data channel offload ======
 +
 +After server add topology:
 +
 +<file conf conf>
 +server 10.1.2.0 255.255.255.0
 +topology subnet
 +</file>
 +
 +====== OpenSSL hardware crypto engine functionality is not available ======
 +
 +OpenVPN server running in Proxmox KVM VM. 
 +
 +  If you want to use KVM, you need to set your CPU type to at least to Intel Westmere or to host.
 +  
 +Westmere formerly Nehalem-C (Core i 1 gen)
 +
 +"x86-64-v2-AES": 
 + 
 +  * i5-3470S = IvyBridge (3rd gen)
 +  * i7-3770K = IvyBridge (3rd gen)
 +  * E5-2650 v2 = Ivy Bridge EP (3rd gen)
 +
 +====== ca md too weak ======
 +
 +In OpenVPN server logs:
 +
 +<code>error:0A00018E:SSL routines::ca md too weak</code>
 +
 +workaround:
 +<file conf .conf>
 +tls-cert-profile legacy
 +tls-cipher "DEFAULT:@SECLEVEL=0"
 +</file>
 +
 +===== digest algorithm too weak =====
 +
 +<code>error=CA signature digest algorithm too weak:</code>
 +
 +Solution: upgrade server CA to use at least SHA256
 +
 +Workaround: 
 +
 +<file conf client.conf>
 +# to work around the cert too weak issue 
 +tls-cipher "DEFAULT:@SECLEVEL=0"
 +</file>
 +
 +And from [[https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html|man 3 SSL_CTX_set_security_level]]:
 +
 +<code>
 +Level 0
 +
 +    Everything is permitted. This retains compatibility with previous versions of OpenSSL.
 +
 +Level 1
 +
 +    The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.
 +</code>
 +
  
 ===== /sbin/resolvconf: 31: kill: Operation not permitted ===== ===== /sbin/resolvconf: 31: kill: Operation not permitted =====
Line 6: Line 76:
 /sbin/resolvconf: 31: kill: Operation not permitted /sbin/resolvconf: 31: kill: Operation not permitted
 </code> </code>
 +
 +Reason:
 +[[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998388|openresolv: resolvconf fails if called from openvpn during system start with "kill: Operation not permitted"]]
 +
 +Problematic script: ''/lib/resolvconf/libc.d/avahi-daemon''
 +
 +
  
 ===== IP packet with unknown IP version=15 seen ===== ===== IP packet with unknown IP version=15 seen =====
Line 13: Line 90:
 Solution: Solution:
  
- explicitly disable ''comp-lzo no'' on client or allow compression on server.+ explicitly disable ''comp-lzo no'' on server.