Differences

This shows you the differences between two versions of the page.

linux:openvpn:issues [2023/07/20 10:42] niziak
linux:openvpn:issues [2025/08/12 09:43] (current) niziak
Line 1: Line 1:
 ====== Issues ====== ====== Issues ======
 +
 +====== IP packet with unknown IP version=15 seen ======
 +
 +  It's a common error happening when there's a difference in compression configuration between the server and the client.
 +
 +''comp-lzo'' disabled on server but enabled on client side.
 +
 +====== dco_parse_peer_multi: cannot store DCO stats for peer 4 ======
 +
 +
 +====== Note: NOT using '--topology subnet' disables data channel offload ======
 +
 +After server add topology:
 +
 +<file conf conf>
 +server 10.1.2.0 255.255.255.0
 +topology subnet
 +</file>
 +
 +====== OpenSSL hardware crypto engine functionality is not available ======
 +
 +OpenVPN server running in Proxmox KVM VM. 
 +
 +  If you want to use KVM, you need to set your CPU type to at least to Intel Westmere or to host.
 +  
 +Westmere formerly Nehalem-C (Core i 1 gen)
 +
 +"x86-64-v2-AES": 
 + 
 +  * i5-3470S = IvyBridge (3rd gen)
 +  * i7-3770K = IvyBridge (3rd gen)
 +  * E5-2650 v2 = Ivy Bridge EP (3rd gen)
 +
 +====== ca md too weak ======
 +
 +In OpenVPN server logs:
 +
 +<code>error:0A00018E:SSL routines::ca md too weak</code>
 +
 +workaround:
 +<file conf .conf>
 +tls-cert-profile legacy
 +tls-cipher "DEFAULT:@SECLEVEL=0"
 +</file>
  
 ===== digest algorithm too weak ===== ===== digest algorithm too weak =====
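Review bot: The workaround added under "ca md too weak" sets `tls-cipher "DEFAULT:@SECLEVEL=0"`, which switches off OpenSSL's strength checks for the whole TLS control channel rather than only accepting the weak CA digest, and the text does not say that it is a stopgap. Suggest stating that the lasting fix is to reissue the CA and certificates with a stronger digest such as SHA-256, and that these two lines should be removed afterwards. Also in this hunk, the "dco_parse_peer_multi: cannot store DCO stats for peer 4" heading has no body, and "After server add topology:" would be clearer if it said where the `topology subnet` line goes relative to `server`.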
Line 11: Line 55:
 <file conf client.conf> <file conf client.conf>
 # to work around the cert too weak issue  # to work around the cert too weak issue 
-tls-cipher "DEFAULT:@SECLEVEL=1"+tls-cipher "DEFAULT:@SECLEVEL=0"
 </file> </file>
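Review bot: The change from `@SECLEVEL=1` to `@SECLEVEL=0` in client.conf leaves the comment "to work around the cert too weak issue" unchanged, so nothing records why level 1 stopped being enough. Suggest noting the error message or OpenSSL version that made level 0 necessary, and that the setting should be reverted once the certificates are reissued.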