pfSense bugtracker (https://redmine.pfsense.org/, updated 2020-09-21T09:20:27Z)
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=47882 2020-09-21T09:20:27Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>pfsense's handling of OpenVPN ncp options is problematic</i> to <i>Improve handling of OpenVPN ncp options</i></li><li><strong>Category</strong> set to <i>OpenVPN</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=48203 2020-09-30T09:20:06Z Anonymous
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49257 2020-11-06T10:11:50Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>Just a note to myself before I start on this:</p>
<p>The OpenVPN 2.5.0 changes doc and some info on the links above do state that the value of --cipher is added to both --data-ciphers and --data-ciphers-fallback but the man page also mentions that --cipher is deprecated. So despite the temptation of relying on --cipher to handle part of this, we should do the right thing and set data-ciphers and data-ciphers-fallback appropriately.</p>
<p>This is the plan (so far, may change):</p>
<ul>
<li>Rename "NCP Algorithms" to "Data Encryption Algorithms" to reflect the change in OpenVPN (frontend and backend, e.g. "ncp-ciphers" changes to "data_ciphers")</li>
<li>Change "Encryption Algorithm" to "Fallback Data Encryption Algorithm" and move it below "Data Encryption Algorithms" </li>
<li>On upgrade, take the old value of 'crypto' (FKA "Encryption Algorithm") and append it to the cipher list, then rename to 'data_ciphers_fallback' and change backend code to match.</li>
<li>Mark "Enable NCP" as deprecated and default it to enabled (+ change on upgrade to default enabled)</li>
<li>Change "Data Encryption Algorithms" default list to AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305</li>
<li>Add warning if the "Data Encryption Algorithms" does not include one of the above ciphers, but maybe not make it a fatal error.</li>
</ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49265 2020-11-06T11:56:04Z Arne Schwabe
<ul></ul><p>Sounds like a good plan!</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49270 2020-11-06T14:58:00Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>Improve handling of OpenVPN ncp options</i> to <i>Improve handling of OpenVPN data cipher negotiation options</i></li><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>70</i></li></ul><p>I pushed a commit which implements everything above except for the warning message. It'll be set to feedback by the commit but that's OK since it will be good to test the parts that were pushed in the meantime.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49271 2020-11-06T15:05:07Z Jim Pingle
<ul><li><strong>% Done</strong> changed from <i>70</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="OpenVPN data cipher negotiation updates. Fixes #10919 * Rename "NCP Algorithms" to "Data Encrypt..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/189edaf33bb2b21761d9ace0b3fd0119955f8726">189edaf33bb2b21761d9ace0b3fd0119955f8726</a>.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49299 2020-11-07T19:31:51Z S Premeau
<ul></ul><p>This change set does not appear to be writing cipher or data-ciphers to the openvpn configuration file.</p>
<p>Here's my (redacted) openvpn-client configuration block:</p>
<pre><code class="xml syntaxhl"><openvpn-client>
	<auth_user></auth_user>
	<auth_pass></auth_pass>
	<proxy_user></proxy_user>
	<proxy_passwd></proxy_passwd>
	<vpnid>1</vpnid>
	<protocol>UDP4</protocol>
	<dev_mode>tun</dev_mode>
	<interface>wan</interface>
	<ipaddr></ipaddr>
	<local_port></local_port>
	<server_addr>REDACTED</server_addr>
	<server_port>1194</server_port>
	<proxy_addr></proxy_addr>
	<proxy_port></proxy_port>
	<proxy_authtype>none</proxy_authtype>
	<description></description>
	<mode>p2p_shared_key</mode>
	<topology>subnet</topology>
	<custom_options></custom_options>
	<shared_key>REDACTED</shared_key>
	<data_ciphers_fallback>AES-256-CBC</data_ciphers_fallback>
	<digest>SHA256</digest>
	<engine>none</engine>
	<tunnel_network>172.30.100.100/30</tunnel_network>
	<tunnel_networkv6></tunnel_networkv6>
	<remote_network></remote_network>
	<remote_networkv6></remote_networkv6>
	<use_shaper></use_shaper>
	<allow_compression>no</allow_compression>
	<compression>none</compression>
	<auth-retry-none></auth-retry-none>
	<passtos>yes</passtos>
	<udp_fast_io></udp_fast_io>
	<exit_notify>none</exit_notify>
	<sndrcvbuf></sndrcvbuf>
	<route_no_pull></route_no_pull>
	<route_no_exec></route_no_exec>
	<verbosity_level>1</verbosity_level>
	<create_gw>v4only</create_gw>
	<ncp_enable>disabled</ncp_enable>
	<ping_method>keepalive</ping_method>
	<keepalive_interval>10</keepalive_interval>
	<keepalive_timeout>60</keepalive_timeout>
	<ping_seconds>10</ping_seconds>
	<ping_action>ping_restart</ping_action>
	<ping_action_seconds>60</ping_action_seconds>
	<inactive_seconds>0</inactive_seconds>
</openvpn-client>
</code></pre>
<p>/var/etc/openvpn/client1/openvpn.conf contains the following:</p>
<pre><code class="text syntaxhl">dev ovpnc1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local REDACTED
lport 0
management /var/etc/openvpn/client1/sock unix
remote REDACTED 1194 udp4
ifconfig 172.30.100.102 172.30.100.101
secret /var/etc/openvpn/client1/secret
allow-compression no
compress
passtos
resolv-retry infinite
</code></pre>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49300 2020-11-07T19:39:01Z S Premeau
<ul></ul><p>The issue does also occur if NCP negotiation is enabled. I could not get any ciphers into the openvpn config file with any cipher config.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49315 2020-11-09T07:33:09Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49330 2020-11-09T09:50:07Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li></ul><p>Applied in changeset <a class="changeset" title="OpenVPN Data Cipher changes. Fixes #10919 * Change handling of data ciphers so they work properl..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/924eeefb45222ee5bbf813b8d3d0b3ab704fcede">924eeefb45222ee5bbf813b8d3d0b3ab704fcede</a>.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49386 2020-11-11T12:05:32Z Anonymous
<ul></ul><p>OpenVPN client edit is not saving / loading the Fallback cipher setting.</p>
<p>Looking through /usr/local/www/vpn_openvpn_client.php the section for the fallback setting is still indexed with the old 'crypto' array index and not the new 'data_ciphers_fallback' index, as updated in revision 189edaf3.</p>
<pre><code class="php syntaxhl">$section->addInput(new Form_Select(
	'data_ciphers_fallback',
	'Fallback Data Encryption Algorithm',
	$pconfig['crypto'],	// still reads the old 'crypto' index, not 'data_ciphers_fallback'
	openvpn_get_cipherlist()
));
</code></pre>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49387 2020-11-11T12:07:59Z Jim Pingle
<ul></ul><p>Nice catch, I've pushed a fix. Thanks!</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=49416 2020-11-12T07:59:59Z S Premeau
<ul></ul><p>The changes through comment 12 appear to fix my issue.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=50370 2021-01-17T15:46:54Z Max Leighton
<ul></ul><p>The OpenVPN Server Wizard doesn't seem to be updated to reflect these changes. When running through the Wizard the first time, you have the option to set an Encryption Algorithm, but not the Fallback Encryption Algorithm or Data Encryption Algorithms.</p>
<p>As a result, if you create a new server using the Wizard and then export a client config, it will have no value set for data-ciphers-fallback and no data ciphers:</p>
<pre><code class="text syntaxhl">dev tun
persist-tun
persist-key
data-ciphers-fallback 
auth SHA256
tls-client
client
resolv-retry infinite
remote 100.64.0.6 1194 udp4
verify-x509-name "OpenVPNCert" name
auth-user-pass
remote-cert-tls server
</code></pre>
<p>This gives the error:</p>
<blockquote>
<p>Options error: Unrecognized option or missing or extra parameter(s) in TESTpfSense01-UDP4-1194-test2-config.ovpn:4: data-ciphers-fallback (2.5.0)</p>
</blockquote>
<p>I can go back into the newly created server and resave it without making any other changes, and then export the config again. It will then have the correct values:</p>
<pre><code class="text syntaxhl">dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 100.64.0.6 1194 udp4
verify-x509-name "OpenVPNCert" name
auth-user-pass
remote-cert-tls server
</code></pre>
<p>From there I can connect without issue.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=50464 2021-01-22T13:02:29Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li></ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=50465 2021-01-22T13:02:36Z Jim Pingle
<ul><li><strong>% Done</strong> changed from <i>100</i> to <i>80</i></li></ul>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=50556 2021-01-26T15:05:06Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>80</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Update OpenVPN Wizard to match current server options. Fixes #10919" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/002a038f4e9d4ce4cb4f8e5dec5036eb822017a6">002a038f4e9d4ce4cb4f8e5dec5036eb822017a6</a>.</p>
pfSense - Bug #10919: Improve handling of OpenVPN data cipher negotiation options https://redmine.pfsense.org/issues/10919?journal_id=50615 2021-01-28T13:10:39Z Max Leighton
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Tested again on today's snapshot, and all works as expected now. I'll set the ticket to resolved.</p>
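<p>As an added worked example (editor's illustration, not pfSense code and not written by any participant in this ticket), the Python below models the two mechanisms the thread discusses: the config upgrade in Jim Pingle's plan (old <code>crypto</code> / <code>ncp-ciphers</code> / <code>ncp_enable</code> values carried into <code>data_ciphers</code> and <code>data_ciphers_fallback</code>, NCP defaulted on, and the non-fatal warning when the list offers none of the default AEAD ciphers), and the malformed wizard export Max Leighton reported (an option name written with an empty parameter, which OpenVPN 2.5 rejects as a missing parameter). The dict key names, the helper names, the rule that an empty old list takes the new default list, and both sample inputs are assumptions of this example, constructed to match the values quoted above.</p>

```python
"""Model of the OpenVPN 2.5 data-cipher handling discussed in pfSense #10919.

Added example, not pfSense code. The key names ('crypto', 'ncp-ciphers',
'ncp_enable', 'data_ciphers', 'data_ciphers_fallback'), the helper names and
the sample inputs below are this example's own assumptions.
"""

# Default list proposed in the ticket for "Data Encryption Algorithms".
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# OpenVPN options used here that take exactly one parameter.
ONE_ARG_OPTIONS = {"cipher", "data-ciphers", "data-ciphers-fallback",
                   "auth", "dev", "proto"}


def migrate(old):
    """Upgrade one pre-2.5.0 instance config (a dict) to the new key names.

    - old 'ncp-ciphers' becomes 'data_ciphers'; an empty list takes the new
      default list (assumption of this example);
    - the old 'crypto' value is appended to that list and becomes
      'data_ciphers_fallback', so peers that only speak it still connect;
    - 'ncp_enable' is deprecated and forced to enabled.
    Returns (new_config, warnings).
    """
    drop = ("crypto", "ncp-ciphers", "ncp_enable")
    new = {k: v for k, v in old.items() if k not in drop}
    warnings = []

    ciphers = [c for c in old.get("ncp-ciphers", "").split(":") if c]
    if not ciphers:
        ciphers = list(DEFAULT_DATA_CIPHERS)

    fallback = old.get("crypto", "")
    if fallback and fallback not in ciphers:
        ciphers.append(fallback)

    new["data_ciphers"] = ":".join(ciphers)
    new["data_ciphers_fallback"] = fallback
    new["ncp_enable"] = "enabled"

    # Warn (do not fail) when none of the recommended AEAD ciphers is offered.
    if not any(c in DEFAULT_DATA_CIPHERS for c in ciphers):
        warnings.append("data_ciphers offers none of "
                        + ":".join(DEFAULT_DATA_CIPHERS))
    return new, warnings


def render_cipher_lines(cfg):
    """openvpn.conf lines for the cipher settings. An option is written only
    when it has a value: emitting the bare option name with an empty
    parameter is the wizard bug reported in this ticket."""
    lines = []
    if cfg.get("data_ciphers"):
        lines.append("data-ciphers " + cfg["data_ciphers"])
    if cfg.get("data_ciphers_fallback"):
        lines.append("data-ciphers-fallback " + cfg["data_ciphers_fallback"])
    return lines


def lint_ovpn(text):
    """Check an exported .ovpn / openvpn.conf for the failure modes seen here.

    Returns [(lineno, message)]; lineno 0 marks a file-level finding.
    - an option from ONE_ARG_OPTIONS with no (or too many) parameters, which
      OpenVPN 2.5 refuses with 'missing or extra parameter(s)';
    - a TLS-mode config with no data-ciphers line, so the configured list
      never reaches this peer and OpenVPN's built-in default applies instead.
    """
    findings = []
    seen = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        seen.setdefault(name, args)
        if name in ONE_ARG_OPTIONS and len(args) != 1:
            findings.append((n, "%s: expected 1 parameter, got %d"
                             % (name, len(args))))
    if ("tls-client" in seen or "tls-server" in seen) and "data-ciphers" not in seen:
        findings.append((0, "no data-ciphers line: OpenVPN's built-in default list applies"))
    return findings


# Constructed sample: a server instance saved by a pre-2.5.0 pfSense, NCP off.
OLD_INSTANCE = {
    "mode": "server_tls",
    "crypto": "AES-128-CBC",
    "ncp-ciphers": "",
    "ncp_enable": "disabled",
    "digest": "SHA256",
}

# Constructed sample mirroring the wizard export quoted in the ticket:
# the fallback option is present on line 4 but carries no value.
WIZARD_EXPORT = """dev tun
persist-tun
persist-key
data-ciphers-fallback
auth SHA256
tls-client
client
remote 100.64.0.6 1194 udp4
"""

if __name__ == "__main__":
    new_cfg, warns = migrate(OLD_INSTANCE)
    print("\n".join(render_cipher_lines(new_cfg)), warns)
    for lineno, msg in lint_ovpn(WIZARD_EXPORT):
        print("line %d: %s" % (lineno, msg))
```

<p>Running the block prints the two lines the resaved server exports above (<code>data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC</code> and <code>data-ciphers-fallback AES-128-CBC</code>) and flags line 4 of the wizard-style export, the same line number OpenVPN named in the error quoted above; <code>render_cipher_lines</code> avoids the bug by never writing an option whose value is empty.</p>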