Feature #7077

closed

Display negotiated data encryption algorithm in OpenVPN connection status

Added by Jeff Wischkaemper about 7 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: OpenVPN
Target version:
Start date: 01/04/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

NCP is great. Not knowing what cipher NCP negotiated is less great.

It would be excellent to add something on the OpenVPN status page that showed what cipher was negotiated, similar to what is displayed on the IPSec status page.


Files

encryptionCipher.JPG (32.9 KB) - Nick Goehring, 03/16/2021 04:59 PM

Actions #1

Updated by Jim Pingle about 7 years ago

  • Status changed from New to Needs Patch
  • Assignee deleted (Jim Pingle)
  • Target version changed from 2.4.0 to Future

We have no way to detect that currently. OpenVPN does not report that in any of their status output. Open a feature request with OpenVPN and if they add it in, we'll display it.

Actions #2

Updated by Jeff Wischkaemper about 7 years ago

Will do. Is there something specific I can ask for over there that would make it easier for you?

Actions #3

Updated by Jim Pingle about 7 years ago

Nothing in particular comes to mind; it would be nice to see all of the known parameters for connecting clients/servers (selected NCP cipher, compression settings, ECDH curve, etc.).

Actions #4

Updated by Jeff Wischkaemper about 7 years ago

I'll see what I can do and report back.

Actions #5

Updated by Jeff Wischkaemper about 7 years ago

Their initial reply is that it's available if you use verbosity 4... which is correct, but not entirely useful. I'm asking if a couple of specific messages can be moved to 2/3.

Actions #6

Updated by Jim Pingle about 7 years ago

"verbosity 4"? As in the system logs? Sure, it's in the logs, sure, but scraping logs isn't proper status output. It should show up in the management status output. For example you connect to the management socket/port and ask for data, like "status 2" and it should output the info there.

That's where the rest of the status output is gleaned from:

: nc -U server2.sock
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 30 2016
TIME,Thu Jan  5 08:59:22 2017,1483624762
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,clara.dw.example.com,198.51.100.6:42289,10.163.202.2,2001:470:c614:202::1000,82837,79207,Thu Jan  5 08:50:19 2017,1483624219,UNDEF,1,1
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,2001:470:c614:202::1000,clara.dw.example.com,198.51.100.6:42289,Thu Jan  5 08:59:22 2017,1483624762
ROUTING_TABLE,10.163.202.2,clara.dw.example.com,198.51.100.6:42289,Thu Jan  5 08:50:19 2017,1483624219
GLOBAL_STATS,Max bcast/mcast queue length,0
END

If they would add a couple more columns to that for the cipher/compression/etc that would be ideal.

Actions #7

Updated by Jeff Wischkaemper about 7 years ago

The proposal to add the info to status 2 / 3 has been accepted, and may make it into OVPN 2.4.1. I'll update this when the commit happens.

Thanks

https://community.openvpn.net/openvpn/ticket/814#comment:3

Actions #8

Updated by Jim Pingle about 7 years ago

Great news!

We'll keep an eye out for it

Actions #9

Updated by Jim Pingle over 4 years ago

Looks like this was finally merged in but it's not slated to be in an OpenVPN release until they put out 2.5.

Actions #10

Updated by Matthew Ray about 3 years ago

Now that OpenVPN 2.5.0 is released and will be included in pfSense 2.5.0, can this feature request be reopened?

Actions #11

Updated by Viktor Gurov about 3 years ago

  • Status changed from Needs Patch to New

sample output:

# nc -U ../server1/sock 
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
status 2
TITLE,OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov  2 2020
TIME,2021-02-08 13:48:00,1612781280
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,cert42client,192.168.88.42:3613,10.54.54.2,,12489,11920,2021-02-08 13:12:10,1612779130,UNDEF,0,0,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.54.54.2,cert42client,192.168.88.42:3613,2021-02-08 13:12:10,1612779130
GLOBAL_STATS,Max bcast/mcast queue length,0
END

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/127
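The "status 2" output above is plain CSV with a HEADER line that names the columns, and OpenVPN 2.5 simply appends a "Data Channel Cipher" column. The following parser, added here as an illustration and not code from pfSense or OpenVPN, reads the client list by header name so it works on both the 2.4 and 2.5 layouts, and flags whether each client's negotiated cipher is an AEAD mode; the sample text is constructed from the output quoted in this ticket, with a second (hypothetical) client added to show a non-AEAD result.

```python
import csv
from io import StringIO

# Constructed sample modelled on the OpenVPN 2.5.0 "status 2" output quoted
# in this ticket; "legacyclient" is an added hypothetical row.
STATUS_2_SAMPLE = """\
TITLE,OpenVPN 2.5.0 amd64-portbld-freebsd12.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov  2 2020
TIME,2021-02-08 13:48:00,1612781280
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,cert42client,192.168.88.42:3613,10.54.54.2,,12489,11920,2021-02-08 13:12:10,1612779130,UNDEF,0,0,AES-256-GCM
CLIENT_LIST,legacyclient,192.168.88.43:4410,10.54.54.3,,100,100,2021-02-08 13:20:00,1612779600,UNDEF,1,1,AES-256-CBC
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.54.54.2,cert42client,192.168.88.42:3613,2021-02-08 13:12:10,1612779130
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

# Data channel ciphers OpenVPN 2.5 treats as AEAD (authenticated encryption).
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_client_list(status_text):
    """Return one dict per CLIENT_LIST row, keyed by the column names from the
    preceding HEADER,CLIENT_LIST line. On a 2.4 server the cipher column is
    simply absent, so callers must not assume the key exists."""
    headers = None
    clients = []
    for row in csv.reader(StringIO(status_text)):
        if not row:
            continue
        if row[0] == "HEADER" and len(row) > 1 and row[1] == "CLIENT_LIST":
            headers = row[2:]          # column names follow "HEADER,CLIENT_LIST"
        elif row[0] == "CLIENT_LIST" and headers is not None:
            clients.append(dict(zip(headers, row[1:])))
    return clients


def client_cipher_report(status_text):
    """Map common name -> (cipher or None, is_aead). A cipher of None means the
    server's status format predates the Data Channel Cipher column."""
    report = {}
    for client in parse_client_list(status_text):
        cipher = client.get("Data Channel Cipher") or None
        report[client["Common Name"]] = (cipher, bool(cipher) and cipher in AEAD_CIPHERS)
    return report
```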

Actions #12

Updated by Renato Botelho about 3 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version changed from Future to CE-Next

Actions #13

Updated by Renato Botelho about 3 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #14

Updated by Viktor Gurov about 3 years ago

  • % Done changed from 0 to 100

Actions #15

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1

Actions #16

Updated by Renato Botelho about 3 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #17

Updated by Jim Pingle about 3 years ago

  • Subject changed from Display negotiated cipher for NCP OpenVPN connections in Status->OpenVPN to Display negotiated data encryption algorithm in OpenVPN connection status

Updating subject for release notes.

Actions #18

Updated by Nick Goehring about 3 years ago

Can confirm this is working for me on a SG-5100 running 21.02.2 RC. When connected with my android device, I navigate to Status -> OpenVPN where it shows my device as being connected with AES-128-GCM. Nice feature.

Actions #19

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved