Hi!
I want to connect two sites via OpenVPN site-to-site. The exact same configuration worked on two Ubiquiti EdgeRouter (based on vyatta). Now at siteA remains the EdgeRouter and on siteB there is my VyOS router. I copied the OVPN configuration from the former siteB router where it worked.
But now I get a strange error message.
Shortened config:
interfaces {
ethernet eth0 {
address 172.16.200.10/27
description WAN
duplex auto
speed auto
}
openvpn vtun0 {
local-address 10.255.13.2 {
}
local-host 172.16.200.10
local-port 1197
mode site-to-site
remote-address 10.255.13.1
remote-host 123.123.123.123
remote-port 1197
shared-secret-key-file /config/auth/secret-lowl146
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 172.16.200.1 {
}
}
}
}
Messages from "/var/log/messages
systemd[1]: Starting OpenVPN connection to vtun0…
openvpn-vtun0[2106]: DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.
openvpn-vtun0[2106]: disabling NCP mode (–ncp-disable) because not in P2MP client or server mode
openvpn-vtun0[2106]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
openvpn-vtun0[2106]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
systemd[1]: Started OpenVPN connection to vtun0.
openvpn-vtun0[2106]: WARNING: you are using user/group/chroot/setcon without persist-tun – this may cause restarts to fail
openvpn-vtun0[2106]: Outgoing Static Key Encryption: Cipher ‘BF-CBC’ initialized with 128 bit key
openvpn-vtun0[2106]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
openvpn-vtun0[2106]: Outgoing Static Key Encryption: Using 160 bit message hash ‘SHA1’ for HMAC authentication
openvpn-vtun0[2106]: Incoming Static Key Encryption: Cipher ‘BF-CBC’ initialized with 128 bit key
openvpn-vtun0[2106]: WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
openvpn-vtun0[2106]: Incoming Static Key Encryption: Using 160 bit message hash ‘SHA1’ for HMAC authentication
openvpn-vtun0[2106]: RESOLVE: Cannot resolve host address: 172.16.200.10:1197 (Address family for hostname not supported)
openvpn-vtun0[2106]: Exiting due to fatal error
systemd[1]: openvpn@vtun0.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: openvpn@vtun0.service: Failed with result ‘exit-code’.
That RESOLVE: Cannot resolve host address: 172.16.200.10:1197 (Address family for hostname not supported) message must be a bug. Because that definitely is the local address and correct port. I tried searching for that message, but all I found is IPv6 things. My whole network does not use IPv6.