Feature #7077
Display negotiated data encryption algorithm in OpenVPN connection status
Status: Closed
Added by Jeff Wischkaemper almost 8 years ago. Updated over 3 years ago.
% Done: 100%
Description
NCP is great. Not knowing what cipher NCP negotiated is less great.
It would be excellent to add something on the OpenVPN status page that showed what cipher was negotiated, similar to what is displayed on the IPSec status page.
Updated by Jim Pingle almost 8 years ago
- Status changed from New to Needs Patch
- Assignee deleted (Jim Pingle)
- Target version changed from 2.4.0 to Future
We have no way to detect that currently. OpenVPN does not report that in any of their status output. Open a feature request with OpenVPN and if they add it in, we'll display it.
Updated by Jeff Wischkaemper almost 8 years ago
Will do. Is there something specific I can ask for over there that would make it easier for you?
Updated by Jim Pingle almost 8 years ago
Nothing in particular comes to mind; it would be nice to see all of the known parameters for connecting clients/servers (selected NCP cipher, compression settings, ECDH curve, etc.).
Updated by Jeff Wischkaemper almost 8 years ago
I'll see what I can do and report back.
Updated by Jeff Wischkaemper almost 8 years ago
Their initial reply is that it's available if you use verbosity 4... which is correct, but not entirely useful. I'm asking if a couple of specific messages can be moved to 2/3.
Updated by Jim Pingle almost 8 years ago
"verbosity 4"? As in the system logs? Sure, it's in the logs, but scraping logs isn't proper status output. It should show up in the management status output. For example, you connect to the management socket/port and ask for data, like "status 2", and it should output the info there.
That's where the rest of the status output is gleaned from:
: nc -U server2.sock
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan 5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,clara.dw.example.com,198.51.100.6:42289,10.163.202.2,2001:470:c614:202::1000,82837,79207,Thu Jan 5 08:50:19 2017,1483624219,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,2001:470:c614:202::1000,clara.dw.example.com,198.51.100.6:42289,Thu Jan 5 08:59:22 2017,1483624762
ROUTING_TABLE,10.163.202.2,clara.dw.example.com,198.51.100.6:42289,Thu Jan 5 08:50:19 2017,1483624219
GLOBAL_STATS,Max bcast/mcast queue length,0
END
If they would add a couple more columns to that for the cipher/compression/etc that would be ideal.
Updated by Jeff Wischkaemper almost 8 years ago
The proposal to add the info to status 2 / 3 has been accepted, and may make it into OVPN 2.4.1. I'll update this when the commit happens.
Thanks
Updated by Jim Pingle almost 8 years ago
Great news!
We'll keep an eye out for it
Updated by Jim Pingle over 5 years ago
Looks like this was finally merged in but it's not slated to be in an OpenVPN release until they put out 2.5.
Updated by Matthew Ray almost 4 years ago
Now that OpenVPN 2.5.0 is released and will be included in pfSense 2.5.0, can this feature request be reopened?
Updated by Viktor Gurov almost 4 years ago
- Status changed from Needs Patch to New
sample output:
# nc -U ../server1/sock
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 2 2020
TIME,2021-02-08 13:48:00,1612781280
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,cert42client,192.168.88.42:3613,10.54.54.2,,12489,11920,2021-02-08 13:12:10,1612779130,UNDEF,0,0,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.54.54.2,cert42client,192.168.88.42:3613,2021-02-08 13:12:10,1612779130
GLOBAL_STATS,Max bcast/mcast queue length,0
END
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/127
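The two `status 2` transcripts in this thread (OpenVPN 2.4.0 above, where CLIENT_LIST has no cipher column, and OpenVPN 2.5.0 here, where "Data Channel Cipher" is the last column) are enough to write a parser that reads the negotiated cipher per client the way the status page now does. The following is an added example and is not pfSense or OpenVPN code: it resolves columns from the HEADER line rather than by position, so it tolerates both layouts, reports None where the server does not expose the cipher, and flags clients whose negotiated cipher falls outside an allowed AEAD set. The `legacy-client` record in the 2.5 sample, the allowed-cipher set and the `query_status` socket helper (which assumes a management socket with no password) are constructions for this example.

```python
import socket

# Sample `status 2` output. Both transcripts are the ones quoted in this
# thread (OpenVPN 2.4.0 and 2.5.0); the "legacy-client" CLIENT_LIST line in
# the 2.5 sample is constructed here to show a peer that negotiated a
# non-AEAD cipher.
STATUS2_OPENVPN_24 = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan 5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,clara.dw.example.com,198.51.100.6:42289,10.163.202.2,2001:470:c614:202::1000,82837,79207,Thu Jan 5 08:50:19 2017,1483624219,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,2001:470:c614:202::1000,clara.dw.example.com,198.51.100.6:42289,Thu Jan 5 08:59:22 2017,1483624762
ROUTING_TABLE,10.163.202.2,clara.dw.example.com,198.51.100.6:42289,Thu Jan 5 08:50:19 2017,1483624219
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

STATUS2_OPENVPN_25 = """\
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
TITLE,OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 2 2020
TIME,2021-02-08 13:48:00,1612781280
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,cert42client,192.168.88.42:3613,10.54.54.2,,12489,11920,2021-02-08 13:12:10,1612779130,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,legacy-client,192.168.88.77:51002,10.54.54.3,,4096,3200,2021-02-08 13:30:00,1612780200,UNDEF,1,1,AES-256-CBC
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.54.54.2,cert42client,192.168.88.42:3613,2021-02-08 13:12:10,1612779130
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

# Data-channel ciphers this example accepts (the AEAD modes). This is a
# policy choice made for the example, not a pfSense or OpenVPN setting.
ALLOWED_DATA_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}


def parse_status(text, sep=","):
    """Return one dict per CLIENT_LIST record, keyed by the HEADER column names.

    `status 2` is comma-separated; `status 3` has the same layout with tabs
    (pass sep="\\t"), which is safer if a Common Name might contain a comma.
    Columns come from the preceding HEADER line, so the parser works whether
    or not the "Data Channel Cipher" column is present.
    """
    headers = {}
    clients = []
    for line in text.splitlines():
        fields = line.split(sep)
        tag = fields[0]
        if tag == "HEADER":
            headers[fields[1]] = fields[2:]
        elif tag == "CLIENT_LIST":
            cols = headers.get("CLIENT_LIST")
            if cols is None:
                raise ValueError("CLIENT_LIST record before its HEADER line")
            values = fields[1:]
            if len(values) != len(cols):
                raise ValueError(f"expected {len(cols)} fields, got {len(values)}: {line!r}")
            clients.append(dict(zip(cols, values)))
        elif tag == "END":
            break
    return clients


def client_ciphers(text, sep=","):
    """List of (Common Name, cipher); cipher is None when the server does not
    report it (OpenVPN before 2.5). A list keeps duplicate-CN clients visible."""
    return [(c["Common Name"], c.get("Data Channel Cipher")) for c in parse_status(text, sep)]


def flag_weak_clients(text, allowed=ALLOWED_DATA_CIPHERS, sep=","):
    """Common Names whose cipher is unreported or outside the allowed set.
    An unreported cipher is flagged too: if the server cannot say what was
    negotiated, the tunnel cannot be claimed to meet policy."""
    return sorted(cn for cn, cipher in client_ciphers(text, sep)
                  if cipher is None or cipher.upper() not in allowed)


def query_status(sock_path, command="status 2"):
    """Fetch live status from an OpenVPN management unix socket (the one
    `nc -U` was pointed at above). Assumes no management password is set.
    Reads until the terminating END line, then quits cleanly."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        buf = b""
        while not buf.endswith((b"\nEND\r\n", b"\nEND\n")):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"quit\n")
    return buf.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    # Usage: python3 ovpn_cipher_status.py /path/to/server1/sock
    text = query_status(sys.argv[1]) if len(sys.argv) > 1 else STATUS2_OPENVPN_25
    for cn, cipher in client_ciphers(text):
        print(f"{cn}: {cipher or 'not reported'}")
    print("flagged:", flag_weak_clients(text))
```

Run against the 2.5 sample it reports `cert42client: AES-256-GCM` and flags only `legacy-client`; against the 2.4 sample every client is flagged, because the cipher column does not exist and the script refuses to guess.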
Updated by Renato Botelho almost 4 years ago
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
- Target version changed from Future to CE-Next
Updated by Renato Botelho almost 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov almost 4 years ago
- % Done changed from 0 to 100
Applied in changeset f5736d9827cf1997b648481c50993d69e3caedff.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Waiting on Merge
- Target version changed from CE-Next to 2.5.1
Updated by Renato Botelho over 3 years ago
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
Updated by Jim Pingle over 3 years ago
- Subject changed from Display negotiated cipher for NCP OpenVPN connections in Status->OpenVPN to Display negotiated data encryption algorithm in OpenVPN connection status
Updating subject for release notes.
Updated by Nick Goehring over 3 years ago
- File encryptionCipher.JPG added
Can confirm this is working for me on a SG-5100 running 21.02.2 RC. When connected with my android device, I navigate to Status -> OpenVPN where it shows my device as being connected with AES-128-GCM. Nice feature.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Resolved