Project

General

Profile

Actions

Bug #11328

closed

OpenVPN Ciphers will not stick in 2.5

Added by John Griffin almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Very High
Assignee:
-
Category:
OpenVPN
Target version:
Start date:
01/28/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.x
Affected Architecture:

Description

So I upgraded my production home firwewall to 2.5 dev yesterday. None of the OpenVPN clients work after the upgrade despite connecting (i'll log a separate bug for that if I can work it out) but i'm attempting to create a new client to see whether that works.

I select the desired ciphers in the "Allowed Data Encryption Algorithms" (AES-256-GCM and AES-256-CBC). Hit save. Go back into the OpenVPN client config, and the ciphers have changed. It seems to like AES-256-GCM, AES-128-GCM and CHACHA20-POLY1305.

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category changed from VPN (Multiple Types) to OpenVPN
  • Status changed from New to Rejected

I can't reproduce this as stated. I was able to edit an existing client as well as create a new client, both times it respected the exact list I chose. I repeated the test with server entries and it worked as well.

Actions #2

Updated by John Griffin almost 4 years ago

Here is video of it occurring. It seems a bit random, sometimes it works, sometimes you end up with a completely different set of ciphers.

https://youtu.be/eZtZxirQAFM
https://youtu.be/kUBZy0wKulU

Not sure of the protocol around here, as it's already been rejected should i submit another one? Will anyone ever read this :-)

Actions #3

Updated by Jim Pingle almost 4 years ago

Those videos are private and cannot be viewed.

I tried again and can't replicate the problem here. Maybe write out a more complete procedure for replicating the problem, starting with a new/fresh tunnel. Also try different browsers, and make sure any script/ad blocking is disabled for the firewall URL.

Actions #4

Updated by John Griffin almost 4 years ago

Sorry about the video's, they should be viewable now.

You are correct, I cannot replicate the issue in Firefox. I disabled every extension in chrome, then:

On a new blank clean build 2.5 instance I
a) created new CA
b) navigate to OpenVPN - Clients
c) Add
d) Fill in minimal information (remote server, username, password)
e) deselect AEs-128-GCM and CHACHA
f) added AES-256-CBC
g) hit save
go back in and the values will have changed

In the following video you can see that 2 out of 3 times the values were different when I went back in after saving

https://youtu.be/VMX661lJbcA

Actions #5

Updated by Jim Pingle almost 4 years ago

  • Status changed from Rejected to New
  • Assignee set to Anonymous
  • Priority changed from Normal to Very High
  • Target version set to 2.5.0

OK, I can reproduce it that way, but only in Chrome. Watching the network panel as it makes the POST, for whatever reason Chrome is not sending the data_ciphers list in the POST. It happens to both clients and servers.

Actions #6

Updated by Anonymous almost 4 years ago

  • Status changed from New to In Progress
Actions #7

Updated by Anonymous almost 4 years ago

  • Status changed from In Progress to Feedback
  • Assignee changed from Anonymous to John Griffin
Actions #8

Updated by Anonymous almost 4 years ago

  • % Done changed from 0 to 100
Actions #9

Updated by Jim Pingle almost 4 years ago

  • Assignee changed from John Griffin to Jim Pingle
Actions #10

Updated by Jim Pingle almost 4 years ago

  • Status changed from Feedback to Resolved

Works OK now in Chrome and FireFox. No JS errors on the list page or edit page.

Actions #11

Updated by Jim Pingle almost 4 years ago

  • Assignee changed from Jim Pingle to Anonymous
Actions

Also available in: Atom PDF