OpenVPN Config Questions

Preskitt.man

Regular Contributor
I have a couple of questions of the generated openvpn config file from Merlin (386.3-2). I get mixed results in using this config. On Android phone, using OpenVPN Connect, all seems to work, but get some funky messages and warnings (like the ones below). Using OpenVPN for Android, I can't even connect. On my Mac using TunnelBlick, once again, it works, but with the funky messages.

This is the seemingly relevant part of my OpenVPN config file


resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
# compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server

This is an excerpt from the TunnelBlick log.

2021-12-29 17:12:11.478535 *Tunnelblick: openvpnstart starting OpenVPN
2021-12-29 17:12:11.840568 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2021-12-29 17:12:11.840890 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2021-12-29 17:12:11.841206 OpenVPN 2.5.4 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 29 2021
2021-12-29 17:12:11.841231 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10

Issue 1: Told that ncp-ciphers was deprecated, though reverted to data-ciphers.
Issue 2: Still tells me that cipher is not set
Issue 3: Had to comment out "compress lz4" as compression was also deprecated
Issue 4: This from OpenVPN for Android: SSL 1.1.1 has been deprecated.

Any thoughts?

 
One thing about OpenVPN, it tends to be very "talky", and will warn you of things that are NOT necessarily problems. I suppose it's better than the old PPTP VPN where it basically said nothing at all (what little information it provided was only available on the server side). That sometimes ends up creating undue concern by end-users. The router's client config file has to be compatible across a wide variety of possible clients, which may be supporting various OpenVPN versions, so that's why you see some of these messages. And yes, every once in a while it may be outright incompatible, requiring modification. There just isn't a perfect solution.
 
I kept some older keywords (like ncp-ciphers) in the exported config for backward compatibility, as otherwise it wouldn't work at all with 2.4.x clients - still a lot of these out there.
 
OpenVPN for Android (Schwab's version) can give you extensive log messages to help you figure out where the issue is.
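
An added example, not part of any post in this thread and not code from the firmware or OpenVPN: a short Python audit that reads the posted config excerpt the way the 2.5 log lines above describe, separating informational notes from directives that need a change. The server cipher list passed to `negotiate` is a constructed assumption, and the server-preference rule follows the OpenVPN 2.5 manual's description of `--data-ciphers`.

```python
# Added example (not from the thread): read a client config as OpenVPN 2.5 does.
SAMPLE = """\
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
# compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server
"""  # the excerpt posted in the thread

def parse(text):
    """Map each active directive to its arguments; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name.lstrip("-")] = args
    return opts

def audit(text):
    """Return (effective data-ciphers list, findings) for a 2.5 client."""
    opts, findings = parse(text), []
    if "ncp-ciphers" in opts:  # 2.5 accepts the old name as an alias
        opts.setdefault("data-ciphers", opts["ncp-ciphers"])
        findings.append("info: ncp-ciphers read as data-ciphers (keep for 2.4.x clients)")
    ciphers = [c for c in (opts.get("data-ciphers") or [""])[0].split(":") if c]
    if "cipher" not in opts and "data-ciphers-fallback" not in opts:
        findings.append("info: no fallback cipher; only matters if negotiation fails")
    if "compress" in opts or "comp-lzo" in opts:
        findings.append("warn: compression directive active; reported as deprecated in the thread")
    return ciphers, findings

def negotiate(server_ciphers, client_ciphers):
    """Server picks the first cipher in its own list that the client also offers."""
    return next((c for c in server_ciphers if c in client_ciphers), None)

if __name__ == "__main__":
    ciphers, findings = audit(SAMPLE)
    print("\n".join(findings))
    # Assumed server list, constructed for illustration.
    print("negotiated:", negotiate(["AES-128-GCM", "AES-256-GCM"], ciphers))
```

As long as `negotiate` returns a cipher, the missing-fallback note from Issue 2 never comes into play; it only matters when the two lists share nothing.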