vpn_openvpn_server.php / vpn_openvpn_client.php : Add controls to OpenVPN for Negotiable Crypto Parameters
OpenVPN 2.4 automatically attempts to negotiate the data-channel cipher between client and server (Negotiable Crypto Parameters, NCP). Because of this, the tunnel can end up using an algorithm other than the one configured. For example, if both sides are set to AES-256-CBC but both client and server support AES-256-GCM, they will use AES-256-GCM instead of what was chosen. For older clients, the server will accept any cipher that matches the chosen cipher or is in the list of negotiable ciphers.
- Need to add a multi-select box (reorderable?) of ciphers for --ncp-ciphers
- Possible choices are the same as the 'crypto' GUI option; the list is provided by openvpn_get_cipherlist()
- Order of the list is important, as it determines the preference for what the server/client will try
- In the config, this ends up as a colon-separated string
- Need to add a checkbox for --ncp-disable to disable NCP
Info from the man page:
For servers, the first cipher from cipher_list will be pushed to clients that support cipher negotiation. Cipher negotiation is enabled in client-server mode only. I.e. if --mode is set to 'server' (server-side, implied by setting --server ), or if --pull is specified (client-side, implied by setting --client). If both peers support and do not disable NCP, the negotiated cipher will override the cipher specified by --cipher. Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local --cipher setting, but the peer cipher is one of the ciphers specified in --ncp-ciphers. E.g. a non-NCP client (<=2.3, or with --ncp-disabled set) connecting to a NCP server (2.4+) with "--cipher BF-CBC" and "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can either specify "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.
If the multi-select part is not feasible, we at least need the checkbox to allow users to avoid unexpected surprises. The ncp-ciphers list could be handled via advanced options.
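As an added illustration (not pfSense code), the following PHP sketches the two pieces the ticket asks for: turning the proposed ordered multi-select plus --ncp-disable checkbox into config directives, and predicting which cipher a session will end up with under the man-page rules quoted above. The $allowed_ciphers array is a constructed stand-in for whatever openvpn_get_cipherlist() returns (its real return format is not assumed here), and both function names are hypothetical.

```php
<?php
// Added example, not pfSense code. Constructed allowed-cipher list standing in
// for openvpn_get_cipherlist(); the real function's format is not assumed.
$allowed_ciphers = ['AES-256-GCM', 'AES-128-GCM', 'AES-256-CBC', 'AES-128-CBC', 'BF-CBC'];

/**
 * Build the OpenVPN config lines from the proposed GUI state (hypothetical helper).
 * $selected is the multi-select in GUI order; that order becomes the preference
 * order in the colon-separated --ncp-ciphers value.
 */
function openvpn_ncp_config_lines(array $selected, bool $ncp_disable, array $allowed): array {
    if ($ncp_disable) {
        // NCP off: only --cipher applies, so no ncp-ciphers line is emitted.
        return ['ncp-disable'];
    }
    $clean = [];
    foreach ($selected as $c) {
        $c = trim($c);
        if (!in_array($c, $allowed, true)) {
            // Reject anything outside the GUI's own list before it reaches the config.
            throw new InvalidArgumentException("Unsupported cipher in ncp-ciphers: {$c}");
        }
        if (!in_array($c, $clean, true)) {
            $clean[] = $c;   // drop duplicates but keep the first position
        }
    }
    if (empty($clean)) {
        return [];           // nothing selected: OpenVPN's built-in default list applies
    }
    return ['ncp-ciphers ' . implode(':', $clean)];
}

/**
 * Predict the data-channel cipher for one client/server pair, server side,
 * following only the man-page rules quoted in the ticket (hypothetical helper).
 * Returns null when those rules do not yield a usable cipher (mismatch).
 */
function openvpn_effective_cipher(
    string $server_cipher, array $server_ncp, bool $server_ncp_disabled,
    string $client_cipher, bool $client_ncp_capable
): ?string {
    if ($server_ncp_disabled || empty($server_ncp)) {
        // NCP off on the server: plain --cipher comparison, no inheritance.
        return $client_cipher === $server_cipher ? $server_cipher : null;
    }
    if ($client_ncp_capable) {
        // Both peers support NCP: the first entry of the server list is pushed
        // and overrides --cipher on both sides, even if both chose the same cipher.
        return $server_ncp[0];
    }
    // Non-NCP client (<=2.3 or --ncp-disable): keep --cipher if it matches...
    if ($client_cipher === $server_cipher) {
        return $server_cipher;
    }
    // ...otherwise inherit the peer's cipher if it is in the server's ncp-ciphers.
    if (in_array($client_cipher, $server_ncp, true)) {
        return $client_cipher;
    }
    return null;
}

// Demo of the surprise described in the ticket: both sides chose AES-256-CBC,
// NCP is on, and the server's first negotiable cipher is AES-256-GCM.
print_r(openvpn_ncp_config_lines(['AES-256-GCM', 'AES-256-CBC'], false, $allowed_ciphers));
var_dump(openvpn_effective_cipher('AES-256-CBC', ['AES-256-GCM', 'AES-128-GCM'], false, 'AES-256-CBC', true));
// Same pair with the --ncp-disable checkbox set on the server.
var_dump(openvpn_effective_cipher('AES-256-CBC', ['AES-256-GCM', 'AES-128-GCM'], true, 'AES-256-CBC', true));
// The man-page case: non-NCP client with --cipher AES-256-CBC against a
// BF-CBC server whose ncp-ciphers list contains AES-256-CBC.
var_dump(openvpn_effective_cipher('BF-CBC', ['AES-256-GCM', 'AES-256-CBC'], false, 'AES-256-CBC', false));
```

The first var_dump shows why the checkbox alone already closes the gap the ticket describes: with NCP on, the pushed first entry of the server list wins over --cipher on both sides, while the second call (server --ncp-disable) keeps the configured cipher. The third call walks through the man-page example, where the non-NCP client's cipher is inherited because it appears in the server's list. The ordering argument for the multi-select is visible in the config-line helper: whatever sits first in $selected is what NCP-capable clients will be pushed.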
Talked to sbeaver; we don't yet have a control that would handle the ordered multi-select, but there are several potential areas where it could be used (auth server selection on OpenVPN could use it, too, and if we add a --tls-ciphers control)