Error from openvpn option

ionmich · April 27, 2019, 4:59pm

Invoking

/usr/sbin/openvpn --help

indicates an option

--cipher alg    : Encrypt packets with cipher algorithm alg
                  (default=BF-CBC).
                  Set alg=none to disable encryption.

and

openvpn --show-ciphers

tells me

AES-256-CBC  (256 bit key, 128 bit block)

is one of the algorithms. But when I invoke

/usr/sbin/openvpn --cipher AES-256-CBC Ireland.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: cipher (2.4.3)
Use --help for more information.

or

/usr/sbin/openvpn --cipher=AES-256-CBC Ireland.ovpnOptions error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: cipher=AES-256-CBC (2.4.3)
Use --help for more information.

…it errors out. What am I doing wrong? Thanks in advance.

nrickert · April 27, 2019, 9:17pm

Well, I don’t know. And I don’t use openvpn.

When I look at the man page, it tells me to use:

openvpn  options ... ]

On your command line, the “Ireland.ovpn” part does not look like an option.

Is that the name of a config file? If so, then shouldn’t it be “–config Ireland.opvn”?

ionmich · April 27, 2019, 10:13pm

nrickert:

Well, I don’t know. And I don’t use openvpn.

When I look at the man page, it tells me to use:
openvpn  options ... ]
On your command line, the “Ireland.ovpn” part does not look like an option.

Is that the name of a config file? If so, then shouldn’t it be “–config Ireland.opvn”?

Ireland.opvn is a config file but as the following shows it works without --config. But I will test using your suggestion.

linux-i1f2:/etc/openvpn # /usr/sbin/openvpn Ireland.ovpn
Sat Apr 27 21:58:18 2019 WARNING: file 'pass.txt' is group or others accessible
Sat Apr 27 21:58:18 2019 OpenVPN 2.4.3 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 20 2017
Sat Apr 27 21:58:18 2019 library versions: OpenSSL 1.1.0i-fips  14 Aug 2018, LZO 2.10
Sat Apr 27 21:58:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]23.92.127.2:1194
Sat Apr 27 21:58:18 2019 UDP link local: (not bound)
Sat Apr 27 21:58:18 2019 UDP link remote: [AF_INET]23.92.127.2:1194
Sat Apr 27 21:58:18 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Apr 27 21:58:19 2019 [180cbd4dde946350e690d0f40070d450] Peer Connection Initiated with [AF_INET]23.92.127.2:1194
Sat Apr 27 21:58:25 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Apr 27 21:58:25 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Apr 27 21:58:25 2019 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sat Apr 27 21:58:25 2019 TUN/TAP device tun0 opened
Sat Apr 27 21:58:25 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Apr 27 21:58:25 2019 /bin/ip link set dev tun0 up mtu 1500
Sat Apr 27 21:58:25 2019 /bin/ip addr add dev tun0 local 10.16.10.10 peer 10.16.10.9
Sat Apr 27 21:58:25 2019 Initialization Sequence Completed

ionmich · April 27, 2019, 10:23pm

You are correct. Even though

/usr/sbin/openvpn Ireland.ovpn

works. When another option is used it does not work. So the correct syntax is

/usr/sbin/openvpn --cipher AES-256-CBC --config Ireland.ovpn

Many thanks for pointing that out.