Have done many OPENVPN setups on IPFIRE. Most times things go smoothly, but sometimes when generate a setup, all get is this when I try to connect:

2023-08-25 16:29:37 OpenVPN 2.5.7 [git:release/2.5/3d792ae9557b959e] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2022
2023-08-25 16:29:37 Windows version 10.0 (Windows 10 or greater) 64bit
2023-08-25 16:29:37 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
2023-08-25 16:29:37 MANAGEMENT: TCP Socket listening on [AF_INET]
2023-08-25 16:29:37 Need hold release from management interface, waiting…
2023-08-25 16:29:37 MANAGEMENT: Client connected from [AF_INET]
2023-08-25 16:29:37 MANAGEMENT: CMD ‘state on’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘log on all’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘echo on all’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘bytecount 5’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘state’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘hold off’
2023-08-25 16:29:37 MANAGEMENT: CMD ‘hold release’
2023-08-25 16:29:37 TCP/UDP: Preserving recently used remote address: [AF_INET]
2023-08-25 16:29:37 Socket Buffers: R=[65536->65536] S=[65536->65536]
2023-08-25 16:29:37 UDP link local: (not bound)
2023-08-25 16:29:37 UDP link remote: [AF_INET]
2023-08-25 16:29:37 MANAGEMENT: >STATE:1692998977,WAIT,

Usually when I go back and regenerate everything from scratch on the server, then re-download the client package, it starts working (Maybe). Found the server side log file that pertains to the TLS handshake for OpenVPN but so far it is not helping me, and going back to the server and re-generating everything from the top seems like a waste and is just shooting darts in the dark.

FWIW, client of OpenVPN for Windows is rather “old”.
2.5.7 is dated may 2022, now there’s 2.6.6

Also, AFAIK LZO is considered not that efficient anymore. LZO is reported into library version, however IDK if it’s used or not.

I would also note that the openssl version in your windows system is also very old. It is version 1.1.1o from May 2022 and the current version in the 1.1.1 branch is 1.1.1v
Between 1.1.1o and 1.1.1v there have been 13 CVE’s announced so I would definitely suggest updating your windows client to the latest versions.

The openssl-1.1.1 series will stop being supported on 11th September 2023. Windows has the openssl-3.x series available now.

The version differences of opnvpn and openssl may or may not be related to the problems you are experiencing but if those differences are removed then we can see if the issue is still there and your client will be much more secure.

It is also considered insecure. That is why by default it is turned off in IPFire OpenVPN and there is a warning about potential exposure to the Voracle vulnerability in the WUI page.
If LZO is off on the server then that overrules what the client requests.
It is still in the WUI page because of backward compatibility requirements for those people who already had their systems set up with it. I will raise the LZO question in the next Developers conf call to see if this should now be removed as an option from the WUI.


I don’t know why they provide two different clients but there is OpenVPN GUI which is part of the server package:

And then there is the more modern standalone OpenVPN Connect:

The first one is probably the old-school client for advanced users and the latter one is for end users.

Another difference is that OpenVPN GUI is open source and OpenVPN Connect seems to contain proprietary code according to this thread:

The library that OpenVPN Connect is using is actually open source:

You don’t know what the rest of the code is doing.

But in the end they’re both just GUIs for console commands.

1 Like

Updated all. Still have same problem with two client sites out of 17. Will go back those sites and re-gen from scratch. Something I am putting into the various fields it just doesn’t like (ie x509 name doesn’t match ipfire “name” or something, etc, ???) Generally put the IP address rather than the name into Global Settings section. Don’t usually modify the hostname field when generating the x509 certificates, but over time it might no longer match the System.Home.Hostname field (ie first tab in the GUI) could have changed I suppose. I configure these exactly the same across the board so I am stumped.

A little confused with your comments. Is the default Win10Pro behind on openssl implementation? I don’t remember ever “installing” openssl on my Win10 Pro system, so it should be whatever is the Windows default. Why would it now be so out of date??

Your client log has these lines and the second one says you have openssl 1.1.1o from May 2022

I did a bit of searching online and found that Windows 10 did not come with its own version of openssl. That only started with later versions of windows.

Therefore your version of openssl must have come with the openvpn client that you installed.

This line says that your openvpn client version is 2.5.7 from Oct 2022.

You need to download and install a newer version of the openvpn client software that you used.

I don’t use windows on any of my systems so can’t help with any details of the right version to get from the OpenVPN site that will work with the OpenVPN Community Server that is on IPFire.

However @cfusco has given advice on this in other threads on this forum. Maybe he can help with what to download from the OpenVPN site.

Did as you instructed. Now reads:
2023-09-04 20:04:53 OpenVPN 2.6.6 [git:v2.6.6/c9540130121bfc21] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Aug 15 2023
2023-09-04 20:04:53 Windows version 10.0 (Windows 10 or greater), amd64 executable
2023-09-04 20:04:53 library versions: OpenSSL 3.1.2 1 Aug 2023, LZO 2.10 :slight_smile

That looks very good now. :smiley:

Currently IPFire has version 3.1.1 but that will be upgraded to 3.1.2 in Core Update 179 which is currently in Testing phase.

:crossed_fingers: for how your connections now work with the updated client.