OpenVPN Windows Client Export Issue

Hello everyone,

I have 3 pfSense boxes on hardware, all running version 2.4.5-p1 (latest), following this video of Mr. Tom:

Same OpenVPN configuration on all. The client exports are different! Actually 1-2 are working, 3 is not. All exports are with the Windows 10 latest export (2.5, not legacy).

The difference is in the cipher lines. I don't know why. Anyone with experience with this?
Servers, settings and networks are OK, triple checked. If I manually edit the .ovpn, pfsense 3 is working. I just want to know what's wrong. Thanks for any suggestions.

pfsense1-pfSense-UDP4-1194-config.ovpn

dev tun
persist-tun
persist-key
cipher AES-128-CBC
data-ciphers AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote 192.168.2.21 1194 udp4
auth-user-pass
ca makariou-pfSense-UDP4-1194-ca.crt
tls-auth makariou-pfSense-UDP4-1194-tls.key 1
remote-cert-tls server

pfsense2-pfSense-UDP4-1194-config.ovpn

dev tun
persist-tun
persist-key
ncp-ciphers AES-128-GCM
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 192.168.2.22 1194 udp
auth-user-pass
ca pfSense-client-UDP4-1194-ca.crt
tls-auth pfSense-client-UDP4-1194-tls.key 1
remote-cert-tls server

pfsense3-pfSense-UDP4-1194-config.ovpn

dev tun
persist-tun
persist-key
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 192.168.2.23 1194 udp4
auth-user-pass
ca pfSense-client-UDP4-1194-ca.crt
tls-auth pfSense-client-UDP4-1194-tls.key 1
remote-cert-tls server

Error from windows client:

2020-12-30 21:48:12 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2020-12-30 21:48:12 Windows version 10.0 (Windows 10 or greater) 64bit
2020-12-30 21:48:12 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Enter Management Password:
2020-12-30 21:48:14 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.2.23:1194
2020-12-30 21:48:14 UDPv4 link local (bound): [AF_INET][undef]:1194
2020-12-30 21:48:14 UDPv4 link remote: [AF_INET]192.168.2.23:1194
2020-12-30 21:48:14 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2020-12-30 21:48:14 [VPN-certificate] Peer Connection Initiated with [AF_INET]192.168.2.23:1194
2020-12-30 21:48:16 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
2020-12-30 21:48:16 ERROR: Failed to apply push options
2020-12-30 21:48:16 Failed to open tun/tap interface
2020-12-30 21:48:16 SIGUSR1[soft,process-push-msg-failed] received, process restarting

(and repeats…)

If the export is showing a different cipher, it's because you have a different cipher. I am really not clear what the goal is here for this.

Dear Mr. Tom,

The ciphers I used are all the same.
The export is exporting a different line for ciphers, including "fallback". This is my question. The specific export is reporting the error in the log I posted before.


data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-CBC
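
The cipher lines of the three exports above, checked against the server cipher named in the log, as an added example that is not part of the original posts. It is a simplified model of documented OpenVPN 2.5 client behaviour: a `cipher` value is appended to the `data-ciphers` list for compatibility, while `data-ciphers-fallback` is only used when the peer's cipher cannot be determined. Function names are illustrative, and it assumes the server announces AES-128-CBC without pushing a cipher, as the error message implies.

```python
# Added example: simplified model of OpenVPN 2.5 client data-cipher selection.
# Cipher lines are copied from the three exports quoted in the thread.
EXPORTS = {
    "pfsense1": "cipher AES-128-CBC\ndata-ciphers AES-128-GCM\n",
    "pfsense2": "ncp-ciphers AES-128-GCM\ncipher AES-128-CBC\n",
    "pfsense3": "data-ciphers AES-128-GCM\ndata-ciphers-fallback AES-128-CBC\n",
}
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # 2.5 default list


def parse(text):
    """Return (data_ciphers, cipher) from .ovpn text.

    data-ciphers-fallback is deliberately ignored: it is not consulted
    when the server's cipher is known, which is the case in the log.
    """
    data, cipher = None, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0][0] in "#;":  # blank, bare flag, comment
            continue
        key, value = parts[0].lstrip("-").lower(), parts[1]
        if key in ("data-ciphers", "ncp-ciphers"):  # ncp-ciphers: older name
            data = [c.upper() for c in value.split(":") if c]
        elif key == "cipher":
            cipher = value.upper()
    return data, cipher


def effective_ciphers(text):
    """Ciphers the 2.5 client will accept for the data channel."""
    data, cipher = parse(text)
    allowed = list(data) if data else list(DEFAULT_DATA_CIPHERS)
    if cipher and cipher not in allowed:  # 2.5 compatibility rule
        allowed.append(cipher)
    return allowed


def negotiate(text, server_cipher):
    """Return the agreed cipher, or None for 'failed to negotiate cipher'."""
    wanted = server_cipher.upper()
    return wanted if wanted in effective_ciphers(text) else None


if __name__ == "__main__":
    for name, text in EXPORTS.items():
        result = negotiate(text, "AES-128-CBC") or "FAILED to negotiate"
        print(name, effective_ciphers(text), "->", result)
```

Exports 1 and 2 end up accepting AES-128-CBC through the `cipher` line, while export 3 only accepts AES-128-GCM, which matches the error in the log.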