openvpn connect

背景：算是划水一篇，过程不复杂，某云上的vpn的ovpn文件配置，在mac下登陆正常，在windows下首先报了一个错Options error: Unrecognized option or missing or extra parameter(s) in client_config.ovpn:10: data-ciphers (2.4.5) Use --help for more information. 同一个云上，另一个ovpn配置mac和win都能正常登陆。

排错过程：

报错没仔细看，只看到了中间部分 missing or extra parameter，直接放弃，后来想想不应该，搜了下，提示很清楚，是第10行 data-ciphers 参数错了，于是注释掉看看，注释后，报了类似一大堆错

Tue Nov 19 20:56:40 2024 Connection reset, restarting [0]
Tue Nov 19 20:56:40 2024 SIGUSR1[soft,connection-reset] received, process restarting
Tue Nov 19 20:56:40 2024 MANAGEMENT: >STATE:1732021000,RECONNECTING,connection-reset,,,,,
Tue Nov 19 20:56:40 2024 Restart pause, 5 second(s)
Tue Nov 19 20:56:45 2024 TCP/UDP: Preserving recently used remote address:

Tue Nov 19 20:56:40 2024 Connection reset, restarting [0]

Tue Nov 19 20:56:40 2024 SIGUSR1[soft,connection-reset] received, process restarting

Tue Nov 19 20:56:40 2024 MANAGEMENT: >STATE:1732021000,RECONNECTING,connection-reset,,,,,

Tue Nov 19 20:56:40 2024 Restart pause, 5 second(s)

Tue Nov 19 20:56:45 2024 TCP/UDP: Preserving recently used remote address:

没招了，由于同一个云上，有另一个windows也可以登陆的ovpn，没想那么多，认为是哪里配置问题，放弃。

后来想了一下，升级了最新版 OpenVPN Connect (3.5.1-3946版），同样配置，能连上了，尴尬。

再回头对比2个配置，差别就是，有问题的部分

data-ciphers AES-128-GCM

cipher AES-128-GCM

另一个正常的是 cipher AES-128-CBC

软件上，一个是 OpenVPN GUI 11.10.0 （2016年的）内核是 OpenVPN 2.4.5 x86_64-w64-mingw32 ，一个是 OpenVPN Connect 内核是 3.10.1.

然后想起了前几年刷路由器时，AES-128-GCM 这个是近几年才支持的，以前都是 AES-128-cbs

翻了一下openvpn.net 官网，确实有这段介绍

https://openvpn.net/as-docs/tutorials/tutorial--change-encryption-cipher.html#step-1--determine-what-ciphers-to-allow

Access Server 2.13 and newer by default automatically use AES-256-GCM, AES-128-GCM, and CHACHA20-POLY1305 (if the server supports it). Older clients (OpenVPN 2.3 and older) are not supported anymore by default, but this support can be reenabled by defining your own data cipher string and adding a cipher such as AES-256-CBC at the end. AES-256-CBC and AES-256-GCM are equivalent in encryption strength, but GCM is faster and therefore preferred.

还有这段

https://openvpn.net/as-docs/data-channel-encryption-cipher.html#verify-what-data-channel-cipher-is-actually-used-in-the-log-file

BF-CBC default for old Access Server versions

If you use a version of Access Server before 2.5, the cipher is BF-CBC by default. And if you don't upgrade your Access Server, it will continue to use BF-CBC only. This is considered insecure today.

If you upgrade such an old installation of Access Server to version 2.5 or newer, AES-256-GCM will be preferred for newer OpenVPN clients (2.4 and above) while older clients use BF-CBC to retain backward compatibility. In this situation you should verify if you still have older VPN clients that use BF-CBC, and if so, look at our BF-CBC cipher deprecation recommendations.

小结： OpenVPN 软件版本太老，只支持 cipher AES-128-CBC，不支持 AES-128-GCM，因此升级可以解决