Need OpenVPN update help

I recently updated my OpenVPN Connect client-side software to v.3.4.0. I imported existing settings and I cannot connect. I get the following error:

"unsupported options present in configuration"

My most recent log is:

[Jul 22, 2023, 09:50:45] OpenVPN core 3.8connect1 win x86_64 64-bit OVPN-DCO built on Jun 26 2023 16:08:41
[Jul 22, 2023, 09:50:45] Frame=512/2112/512 mssfix-ctrl=1250
[Jul 22, 2023, 09:50:45] NOTE: This configuration contains options that were not used:
[Jul 22, 2023, 09:50:45] UNKNOWN/UNSUPPORTED OPTIONS
[Jul 22, 2023, 09:50:45] 4 [pull]

Anyone have any idea what's going on?

TIA, CheapDad
 
Yes.
Go into your .ovpn file, and you'll probably see a line that says "pull" (without the quotation marks).
You can either delete that line, or put a hashtag (#) in front of the word "pull".
As well, some of the ciphers and authentication protocols that OpenVPN used to allow are no longer allowed, as they've been deemed insecure.

So you may need to update your cipher to, for example, AES-256-GCM and your auth to, for example, SHA224.
You would do this both in your .ovpn file and in the VPN server app on the Synology.

Once you've edited the .ovpn file, you'll need to re-import it into the OpenVPN client app.
 
@Rusty, here is a thread that describes my setup process:


@akahan, is there a recommended cipher that we all should be using?

TIA, cheapdad
 
That "pull" in my case is not commented out and it works fine. You might also look into extra ovpn parameters in the file (just above the certificate block).

Like the:

script-security 2
comp-lzo
cipher #########
auth SHA512
.
.
.

Some clients might have an issue with those. Have you maybe tried to use this VPN setup from another device and a different OpenVPN client?

Viscosity comes to mind just to test it out.
 
@Rusty - taking "pull" out of my configuration solved the problem, and I was given the same error message as the OP, namely:
[Jul 22, 2023, 09:50:45] UNKNOWN/UNSUPPORTED OPTIONS
[Jul 22, 2023, 09:50:45] 4 [pull]

So it may be you're using a slightly different client than he and I are? Hard to say.
 
While I was using OpenVPN I used Viscosity on Mac and default OpenVPN on iOS. No issues.
 
Apologies for the late reply. A lot of life going on.

I put "#" in front of pull and got the following error: "Peer certificate verification error."

Here's what my ovpn file looks like:

dev tun
tls-client

remote SERVER IP ADDRESS 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

#dhcp-option DNS DNS_IP_ADDRESS

#pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
CERTIFICATE STUFF
-----END CERTIFICATE-----

</ca>
 
I would suggest having your VPN server on Synology generate a new profile, and then adjust that profile (by putting in the DNS server, IP address of the Synology, etc.) and import that into the client. The certificate on the Synology may have changed since you last generated a profile.
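
An added example, not part of the thread and not Synology's or OpenVPN's code: a small Python check that parses an .ovpn profile, lists the directives this thread calls out, and fingerprints the certificate in the `<ca>` block so an old profile can be compared with a freshly exported one. The function names, the `FLAGGED` table and the sample profiles are constructed for illustration.

```python
import base64
import hashlib
import re

# Directives called out in this thread, with the reason given there.
FLAGGED = {
    "pull": "listed under UNKNOWN/UNSUPPORTED OPTIONS in the posted log",
    "script-security": "named in the thread as a possible client issue",
    "comp-lzo": "named in the thread as a possible client issue",
}

def parse_ovpn(text):
    """Return ([(line_no, directive, args)], {inline_tag: body})."""
    directives, blocks, tag, body = [], {}, None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if tag and line != f"</{tag}>":
            body.append(line)                      # inside <ca>...</ca> etc.
        elif tag:
            blocks[tag], tag = "\n".join(body), None
        elif not line or line[0] in "#;":
            continue                               # blank line or comment
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            tag, body = m.group(1), []
        else:
            name, *args = line.split()
            directives.append((no, name, args))
    return directives, blocks

def lint(text):
    """Return (line_no, directive, reason) for each flagged directive."""
    findings = []
    for no, name, args in parse_ovpn(text)[0]:
        if name in FLAGGED:
            findings.append((no, name, FLAGGED[name]))
        elif name == "cipher" and args and args[0].upper().endswith("-CBC"):
            findings.append((no, name, "CBC cipher; thread suggests e.g. AES-256-GCM"))
    return findings

def ca_fingerprint(text):
    """SHA-256 over the DER bytes of the first certificate in <ca>, or None."""
    pem = parse_ovpn(text)[1].get("ca", "")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S)
    return hashlib.sha256(base64.b64decode("".join(m[1].split()))).hexdigest() if m else None

# Constructed profiles; the <ca> bodies are placeholder bytes, not real certificates.
OLD = ("dev tun\n#pull\npull\ncomp-lzo\ncipher AES-256-CBC\n<ca>\n"
       "-----BEGIN CERTIFICATE-----\nb2xkLWNh\n-----END CERTIFICATE-----\n</ca>\n")
NEW = OLD.replace("b2xkLWNh", "bmV3LWNh")   # stands in for a re-exported profile
```

If `ca_fingerprint` differs between the profile already on the client and one newly exported from the VPN server, the embedded certificate has changed and the old profile needs replacing.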
 
