OpenVPN 2.6.0 can't connect to Azure VPN Gateway (but 2.5.8 can)

What is it that OpenVPN 2.6.0 has changed that prevents it from being able to connect to an OpenVPN-enabled Azure VPN gateway? Only 2.5.8 can connect.

I’ve read the changelogs and tried many, many client-side settings changes to try and get back to a mode that Azure allows, but nothing I’ve tried allows 2.6.0 to connect.

Before I list all the settings changes that I tried, does anyone already know what the problem could be?

I’m assuming Azure’s VPN gateway is either running an ancient version of OpenVPN server, or is otherwise using now-deprecated settings, and I’m sure Microsoft isn’t going to bother looking into whatever breaking change has occurred in 2.6.0 since they actually want us to use their Microsoft Store VPN client.

Edit:

Here’s a ‘verb 5’ log of 2.6.0 connecting and failing: https://pastebin.com/FQVjGfad

Client config file which works in 2.5.8 but not 2.6.0: https://pastebin.com/gD2Hq9gw

Can't really say much about Azure but I do have an OpenVPN server running in AWS on 2.6.0 and have no issues…

What do your client logs say?

Try if compat-mode 2.4.0 helps, and if it does, try to narrow it down by using the individual knobs that this option sets.

According to the Azure P2S VPN documentation, the 2.6 client on both Windows and macOS is not yet compatible.

Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website. Version 2.6 is not yet supported.

Yeah, that’s what I’m going to build at Azure if I can’t figure out a client-side fix. Problem is I’ll also have to flesh out a Strongswan implementation with two S2S’s in it to be able to “replace” my current Azure VPN gateway, and I’ve set up neither Strongswan nor OpenVPN server before. I definitely can get it done, but it’ll cost my company more hours of my time for me to embark on that, than if I got the client fixed.

Oof, I shoulda posted that, sorry.

https://pastebin.com/FQVjGfad

And here’s the client config file:

https://pastebin.com/gD2Hq9gw

I removed all the hostnames/ips/customer data from both, but that config works great in 2.5.8.

That was the second thing I tried (2.5.8, then 2.4.0, then 2.3.0, then fuggit, tried 2.0.0), after disabling DCO (which is probably not the problem) and something about OCC.

I also tried stuff like:

allow-compression yes/no

comp-lzo yes/no

key-direction 0/1 (it should be 1 in this case though)

Below are some Azure links that MIGHT help: But I don’t know how to interpret things when it gets to all the ciphers and algorithm names; I’m not great at cryptography. I had first assumed 2.6.0 deprecated some old stuff that Azure was stupidly using, but when I got to these pages, it seems like Azure is supporting modern stuff just fine, stuff that wouldn’t have gotten deprecated.

https://learn.microsoft.com/en-us/azure/vpn-gateway/ikev2-openvpn-from-sstp

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto

7 months later and MS still don’t support 2.6… Sigh…

Is there really any particular reason why you need to upgrade your OpenVPN clients to v2.6.0 so soon? I was testing out the OpenVPN 2.6.0 beta clients on Windows, but ran into the same issues that you are seeing with those as well.

Good luck, and do whatever you choose, but FWIW, the native Azure VPN Gateway has been incredibly stable for my org over the past 2+ years… Way better than when we were hosting an OpenVPN server via a VM in Azure. We’re going to hold off for now and wait for Azure to update the VPN Gateway to support 2.6.0 clients.

5 more months later and still no support…

A perfectly cromulent question.

Our OpenVPN clients got auto-updated by a patch management tool (which has been upgrading it for 5 years running without an incident). Suddenly, 2.6.0 has breaking changes which I wasn’t expecting. Had to uninstall it on all endpoints and roll back to 2.5.8.

At first, I thought I could just figure out the breaking change and get 2.6.0 to work, but fundamentally, I can’t even tell what the breaking change is. So we’re at 2.5.8 but I thought I’d post this thread since others will eventually wonder what the big deal is, too. And all new Azure VPN deployments will be really confusing for folks until Microsoft updates their dozen random documents about Azure VPN to include a blurb about 2.6.0 not being supported.

Another 8 months have passed.

Azure VPN documentation already has a note about 2.6.0 not yet being compatible.

And still not yet supported.