Feature #7077

Display negotiated cipher for NCP OpenVPN connections in Status->OpenVPN

Added by Jeff Wischkaemper 4 months ago. Updated 4 months ago.

Status: Needs Patch
Priority: Normal
Assignee: -
Category: OpenVPN
Target version:
Start date: 01/04/2017
Due date:
% Done: 0%

Description

NCP is great. Not knowing what cipher NCP negotiated is less great.

It would be excellent to add something on the OpenVPN status page that showed what cipher was negotiated, similar to what is displayed on the IPSec status page.

History

#1 Updated by Jim Pingle 4 months ago

  • Status changed from New to Needs Patch
  • Assignee deleted (Jim Pingle)
  • Target version changed from 2.4.0 to Future

We have no way to detect that currently. OpenVPN does not report that in any of their status output. Open a feature request with OpenVPN and if they add it in, we'll display it.

#2 Updated by Jeff Wischkaemper 4 months ago

Will do. Is there something specific I can ask for over there that would make it easier for you?

#3 Updated by Jim Pingle 4 months ago

Nothing in particular comes to mind, it would be nice to see all of the known parameters for connecting clients/servers (selected NCP cipher, compression settings, ECDH curve, etc.).

#4 Updated by Jeff Wischkaemper 4 months ago

I'll see what I can do and report back.

#5 Updated by Jeff Wischkaemper 4 months ago

Their initial reply is that it's available if you use verbosity 4... which is correct, but not entirely useful. I'm asking if a couple of specific messages can be moved to 2/3.

#6 Updated by Jim Pingle 4 months ago

"verbosity 4"? As in the system logs? Sure, it's in the logs, sure, but scraping logs isn't proper status output. It should show up in the management status output. For example you connect to the management socket/port and ask for data, like "status 2" and it should output the info there.

That's where the rest of the status output is gleaned from:

: nc -U server2.sock
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan  5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,clara.dw.example.com,198.51.100.6:42289,10.163.202.2,2001:470:c614:202::1000,82837,79207,Thu Jan  5 08:50:19 2017,1483624219,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,2001:470:c614:202::1000,clara.dw.example.com,198.51.100.6:42289,Thu Jan  5 08:59:22 2017,1483624762
ROUTING_TABLE,10.163.202.2,clara.dw.example.com,198.51.100.6:42289,Thu Jan  5 08:50:19 2017,1483624219
GLOBAL_STATS,Max bcast/mcast queue length,0
END

If they would add a couple more columns to that for the cipher/compression/etc that would be ideal.
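
The header-driven parsing that comment #6 points at, as an added example that is not part of the original thread and is not pfSense or OpenVPN code: rows are keyed by the HEADER names rather than by position, so an appended column appears without parser changes. The `Data Channel Cipher` column name and its value are assumptions made for the illustration.

```python
# Constructed sample: a trimmed copy of the 2.4.0 "status 2" output quoted in the thread.
STATUS_240 = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan  5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,clara.dw.example.com,198.51.100.6:42289,10.163.202.2,2001:470:c614:202::1000,82837,79207,Thu Jan  5 08:50:19 2017,1483624219,UNDEF,1,1
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""
# Assumption: a later build appends a cipher column; name and value are made up here.
STATUS_WITH_CIPHER = (STATUS_240
    .replace("Peer ID\n", "Peer ID,Data Channel Cipher\n")
    .replace(",UNDEF,1,1\n", ",UNDEF,1,1,AES-256-GCM\n"))


def parse_status2(text):
    """Return {table_name: [row_dict, ...]} for every table announced by a HEADER line."""
    headers, tables = {}, {}
    for line in text.splitlines():
        if not line or line.startswith(">"):
            continue  # blank lines and real-time notifications such as >INFO
        fields = line.split(",")
        tag = fields[0]
        if tag == "END":
            break
        if tag == "HEADER" and len(fields) > 1:
            headers[fields[1]] = fields[2:]
            tables.setdefault(fields[1], [])
        elif tag in headers:
            cols, vals = headers[tag], fields[1:]
            vals += [""] * (len(cols) - len(vals))  # pad rows shorter than the header
            tables[tag].append(dict(zip(cols, vals)))
    return tables


def client_ciphers(text, column="Data Channel Cipher"):
    """Map each client's Common Name to the cipher column, or 'unknown' if absent."""
    clients = parse_status2(text).get("CLIENT_LIST", [])
    return {c["Common Name"]: c.get(column) or "unknown" for c in clients}


if __name__ == "__main__":
    print(client_ciphers(STATUS_240))          # no cipher column in 2.4.0 output
    print(client_ciphers(STATUS_WITH_CIPHER))  # column picked up from the header
```
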

#7 Updated by Jeff Wischkaemper 4 months ago

The proposal to add the info to status 2 / 3 has been accepted, and may make it into OVPN 2.4.1. I'll update this when the commit happens.

Thanks

https://community.openvpn.net/openvpn/ticket/814#comment:3

#8 Updated by Jim Pingle 4 months ago

Great news!

We'll keep an eye out for it.