Openvpn app update has broken previously working profiles again

[rockyd]

I am using an older version of Gargoyle

1.15.X (Built 20250330-2253 git@ca9ca6a5)

Openvpn app on phone is version 3.7.1

I don't use openvpn everyday, but it seems everytime i want use it, it no longer works.

Is anyone able to still use openvpn to connect to the openvpn server in Gargoyle?

I had issues in the past with it, which I was able to solve with some edits to the profile generated by Gargoyle. None of them seem to work now.

[rockyd]

Sorry posting about it seems to help me solve it. Even if no one responds.

For my future reference and anyone else that may need it.

I had to delete my existing client credentials in Gargoyle, and generate a new one. with the addition of the AES-256-GCM cypher.

Download the profile it generates, and edit it to leave only the following lines

client
remote xxx.xxx.xxx.xxx 1194
dev tun
proto udp
remote-cert-tls server
verb 3

data-ciphers AES-256-GCM:AES-256-CBC

nobind

and all the stuff below, obvious to me, but maybe not to some one else that may need use this solution.


and now it works again, till some app update breaks it again.

[Lantis]

One potential item that may have happened (which is now impossible to verify unless you saved logs at the time?) is the CRL expiring.
By regenerating the credentials you also refreshed this. You can do it another way (no GUI option) viewtopic.php?p=67116#p67116

In the latest Gargoyle and iOS app I’m not doing any changes to the generated config and it all works ok. Is there something different with your setup that needs special config?
OpenVPN configs and allowed config items change quite a bit between versions (surprisingly so). It might just be an older server vs client compatibility thing.

[rockyd]

One potential item that may have happened (which is now impossible to verify unless you saved logs at the time?) is the CRL expiring.
By regenerating the credentials you also refreshed this. You can do it another way (no GUI option)

I read something about something expiring, probably the CRL you speak of, which is what made me try regenerating the credentials. Thanks for the info on regenerating the CRL, though I will still need to download and install the new credential file anyway, will I not?

OpenVPN configs and allowed config items change quite a bit between versions (surprisingly so). It might just be an older server vs client compatibility thing.

Yes it is a older version of Gargoyle as I mentioned at the start of the post.

The credential file from my version normally come with a bunch of options at the top, a lot of which are no longer required.
This is what it generates

client
remote xxx.xxx.xxx.xxx 1194
dev tun
proto udp
resolv-retry infinite
remote-cert-tls server
verb 3

data-ciphers AES-256-GCM:AES-256-CBC


nobind
persist-key
persist-tun

push-peer-info

The bold line are all that left after the edit.

I also tried a Windows 7 Openvpn client in a VM, and that required the cipher line to also be deleted.

[Lantis]

No need to regenerate the credentials for a CRL update, that's completely server side.

I'll check in on these extra options and whether any need pruning, thanks for listing them!

[rockyd]

No need to regenerate the credentials for a CRL update, that's completely server side.

So no need to download and install credential files after the update?

How often does CRL need to be updated?

[Lantis]

Correct.
180 days I think by default.
It can be extended. The certificates are all set to be several years.