Feature #7072

closed

vpn_openvpn_server.php / vpn_openvpn_client.php : Add controls to OpenVPN for Negotiable Crypto Parameters

Added by Jim Pingle about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date: 01/03/2017
Due date:
% Done: 90%
Estimated time:
Plus Target Version:
Release Notes:

Description

OpenVPN 2.4 automatically attempts to negotiate crypto between the client and server; because of this, the tunnel can end up using an unexpected algorithm. For example, if both sides are set to AES-256-CBC but both client and server support AES-256-GCM, they will use AES-256-GCM instead of what was chosen. In cases for older clients, it will accept any that match the chosen cipher or from the list of negotiable ciphers.

  • Need to add a multi-select box (reorderable?) of ciphers for --ncp-ciphers
    • Possible choices are the same as the 'crypto' gui option, the list is provided by openvpn_get_cipherlist()
    • Order of the list is important, as it determines the preference for what the server/client will try
    • In the config, this ends up a colon-separated string
  • Need to add a checkbox for --ncp-disable to disable NCP

Info from the man page:

              For servers, the first cipher from cipher_list will be pushed to
              clients that support cipher negotiation.

              Cipher negotiation is enabled in client-server mode only.  I.e.
              if --mode is set to 'server' (server-side, implied by setting
              --server ), or if --pull is specified (client-side, implied by
              setting --client).

              If both peers support and do not disable NCP, the negotiated
              cipher will override the cipher specified by --cipher.

              Additionally, to allow for more smooth transition, if NCP is
              enabled, OpenVPN will inherit the cipher of the peer if that
              cipher is different from the local --cipher setting, but the
              peer cipher is one of the ciphers specified in --ncp-ciphers.
              E.g. a non-NCP client (<=2.3, or with --ncp-disabled set)
              connecting to a NCP server (2.4+) with "--cipher BF-CBC" and
              "--ncp-ciphers AES-256-GCM:AES-256-CBC" set can either specify
              "--cipher BF-CBC" or "--cipher AES-256-CBC" and both will work.

If the multi-select part is not feasible, we at least need the checkbox to allow users to avoid unexpected surprises. The ncp-ciphers list could be handled via advanced options.

Talked to sbeaver, we don't yet have a control that would handle the ordered multi-select, but there are several potential areas where it could be used (auth server selection on OpenVPN could use it, too, and if we add a --tls-ciphers control).
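The following is an added example, not pfSense or OpenVPN code: it models the NCP rules quoted from the man page above and builds the two config directives the feature proposes (the colon-separated --ncp-ciphers string and --ncp-disable). CIPHER_LIST is a constructed stand-in for openvpn_get_cipherlist(), and the rule that a client rejects a pushed cipher absent from its own ncp-ciphers list is an assumption, not something the man page excerpt states.

```python
# Added example (not pfSense or OpenVPN code): models the NCP rules quoted from
# the OpenVPN 2.4 man page and builds the two config directives the feature
# adds (ncp-ciphers / ncp-disable). CIPHER_LIST is a constructed stand-in for
# pfSense's openvpn_get_cipherlist().

# Constructed subset of the ciphers the GUI 'crypto' option offers.
CIPHER_LIST = ["AES-256-GCM", "AES-128-GCM", "AES-256-CBC", "AES-128-CBC", "BF-CBC"]


def ncp_directives(cipher, selected, ncp_disable=False):
    """Return the OpenVPN config lines for the GUI choices.

    cipher:      the existing --cipher selection
    selected:    ordered list of ciphers for --ncp-ciphers; the order is the
                 preference order, and the config form is colon-separated
    ncp_disable: the proposed checkbox for --ncp-disable
    """
    lines = ["cipher " + cipher]
    if ncp_disable:
        # With NCP disabled the cipher list is irrelevant, so it is not emitted.
        lines.append("ncp-disable")
        return lines
    unknown = [c for c in selected if c not in CIPHER_LIST]
    if unknown:
        raise ValueError("not in cipher list: " + ", ".join(unknown))
    if selected:
        lines.append("ncp-ciphers " + ":".join(selected))
    return lines


def negotiated_cipher(server, client):
    """Predict the data-channel cipher a server/client pair ends up with.

    Each side is a dict: 'cipher' (its --cipher), 'ncp_ciphers' (ordered
    list, non-empty whenever 'ncp' is True) and 'ncp' (True when it supports
    NCP and has not disabled it). Returns the cipher name, or None when the
    two sides cannot agree.
    """
    if server["ncp"] and client["ncp"]:
        # Both negotiate: the server pushes the first entry of its list and
        # that overrides --cipher on both sides. Assumption: a pushed cipher
        # missing from the client's own list is rejected.
        pushed = server["ncp_ciphers"][0]
        return pushed if pushed in client["ncp_ciphers"] else None
    # At most one side negotiates, so the --cipher values must match...
    if server["cipher"] == client["cipher"]:
        return server["cipher"]
    # ...unless the NCP-enabled side inherits the peer's --cipher because it
    # appears in that side's ncp-ciphers (the man page's BF-CBC example).
    for ncp_side, peer in ((server, client), (client, server)):
        if ncp_side["ncp"] and peer["cipher"] in ncp_side["ncp_ciphers"]:
            return peer["cipher"]
    return None


if __name__ == "__main__":
    # The surprise from the description: both sides chose AES-256-CBC, both
    # carry OpenVPN 2.4's default list (AES-256-GCM:AES-128-GCM), and the
    # tunnel comes up with AES-256-GCM.
    srv = {"cipher": "AES-256-CBC", "ncp_ciphers": ["AES-256-GCM", "AES-128-GCM"], "ncp": True}
    cli = {"cipher": "AES-256-CBC", "ncp_ciphers": ["AES-256-GCM", "AES-128-GCM"], "ncp": True}
    print(negotiated_cipher(srv, cli))
    # What the proposed checkbox writes, restoring the chosen cipher.
    print(ncp_directives("AES-256-CBC", [], ncp_disable=True))
```

The order of the list passed to ncp_directives is what decides the pushed cipher in negotiated_cipher, which is why the ticket asks for a reorderable control rather than a plain multi-select.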
