OpenVPN client export utility - Exporting Android inline configuration can include incorrect client auth method in .ovpn file
Hello, this is my first bug entry. I hope I have done a good job reporting the specifics of what I believe to be a bug with the OpenVPN client export package. It's possible this could be a core OpenVPN issue; I am not certain. If I missed some information or if there is more info I may provide, please let me know.
If you set up OpenVPN with a more secure auth method, such as RSA-SHA256, and then use the OpenVPN client export utility to export an inline configuration (.ovpn config file) for Android, then the config file will include the following line (without double quotes): "auth RSA-SHA256"
Note, however, that this is incorrect, as the Android client must use "auth SHA256" (or any client, I believe).
This is evidenced by this post on the OpenVPN forums: https://forums.openvpn.net/viewtopic.php?f=4&t=23241 and also by my fix, which followed the instructions there to manually change this line to "auth SHA256" (without double quotes). The "auth RSA-SHA256" method is only for the server config, not the client config, or at least that is what the forum post says.
Steps to reproduce:
- Set up OpenVPN with defaults, except choose the RSA-SHA256 auth crypto option. Ensure you have set up certs for your user(s) as well. (If my config info is needed, please notify me and I will obfuscate it accordingly and send it your way, or send redacted screenshots.)
- Using the client export utility (/vpn_openvpn_export.php), attempt to export an inline configuration for Android by clicking the "Android" button.
- Inspect the contents of the .ovpn file in a text editor. Notice that the "auth RSA-SHA256" line is incorrect; it should be "auth SHA256".
- Note: if you export to the current Windows installer, this works correctly on a Windows client.
- Note: if you simply export "Config Only" under "Standard Configuration", this .ovpn file is also incorrect, as it states "auth RSA-SHA256".
- Manually change the auth method to SHA256 instead of RSA-SHA256 and attempt to load the configuration on an Android device, such as with the official OpenVPN Connect app.
- Note: only after manually changing the auth method to SHA256 in the .ovpn file will you be able to connect to the VPN. Otherwise the OpenVPN Connect app reports the following error:
"crypto_alg: RSA-SHA256: not found"
pfSense 2.3.4-RELEASE, built on Wed May 03 15:13:29 CDT 2017
OpenVPN (latest as of 7/8/17)
If RSA-SHA256 is indeed a correct option for most clients, it may not be for Android devices. My Android device would not work with the "auth RSA-SHA256" method until I changed it to "auth SHA256".
My Android device is a Samsung Galaxy S8+.
If more information is needed please let me know.
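The manual edit described in the steps above (rewrite "auth RSA-SHA256" to "auth SHA256" in the exported .ovpn) is easy to get wrong by hand, especially in an inline config where the certificate and key bodies sit between <ca>, <cert>, <key> and <tls-auth> tags. The script below is an added example, not part of this report or of the pfSense client export package: it strips a signature-algorithm prefix (RSA-, DSA-, ECDSA-; the prefix list is an assumption based on the digest names discussed here) from any `auth` directive that appears outside an inline block, and leaves everything else, including `auth-user-pass` and `auth none`, untouched. The sample config embedded in it is constructed for the example and contains a placeholder, not a real certificate.

```python
import re
from typing import List, Tuple

# Constructed sample of the kind of inline (.ovpn) export the report describes.
# This is not the reporter's real config; the certificate body is a placeholder.
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth RSA-SHA256
tls-client
client
resolv-retry infinite
remote vpn.example.com 1194 udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Signature-algorithm prefixes that some OpenSSL builds accept as aliases for the
# bare digest name and that mobile clients reject. Assumed list; extend as needed.
PREFIXES = ("RSA-", "DSA-", "ECDSA-")

# Matches an inline block delimiter such as <ca> or </tls-auth>.
INLINE_TAG = re.compile(r"<(/?)([a-z-]+)>")


def normalize_auth_digest(name: str) -> str:
    """Return the bare digest name for an `auth` argument, e.g. RSA-SHA256 -> SHA256.

    Names without a known prefix (SHA256, none, ...) are returned unchanged.
    """
    upper = name.upper()
    for prefix in PREFIXES:
        if upper.startswith(prefix):
            return upper[len(prefix):]
    return name


def fix_auth_lines(config_text: str) -> Tuple[str, List[str]]:
    """Rewrite `auth <digest>` directives found outside inline <tag> blocks.

    Returns the rewritten config and a list of "old -> new" change records so a
    practitioner can review exactly what was touched before importing the file.
    """
    out: List[str] = []
    changes: List[str] = []
    in_inline = False

    for line in config_text.splitlines():
        stripped = line.strip()

        # Track <ca> ... </ca> style blocks so PEM bodies are never rewritten.
        tag = INLINE_TAG.fullmatch(stripped)
        if tag:
            in_inline = tag.group(1) == ""   # opening tag enters, closing tag leaves
            out.append(line)
            continue

        parts = stripped.split()
        # Only the exact `auth <digest>` directive qualifies; `auth-user-pass`,
        # `auth-nocache` and friends have a different first token.
        if not in_inline and len(parts) == 2 and parts[0].lower() == "auth":
            new_digest = normalize_auth_digest(parts[1])
            if new_digest != parts[1]:
                changes.append(f"{stripped} -> auth {new_digest}")
                line = f"auth {new_digest}"
        out.append(line)

    trailing = "\n" if config_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


if __name__ == "__main__":
    fixed, changed = fix_auth_lines(SAMPLE_OVPN)
    for record in changed:
        print("rewrote:", record)
    print(fixed)
```

Before relying on the rewrite, confirm that the digest name you settle on is known to the OpenVPN build on each side: `openvpn --show-digests` lists the names the local OpenSSL (or other crypto library) recognises, and that list is exactly where the RSA-SHA256 vs SHA256 difference between builds shows up.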
#1 Updated by Jim Pingle over 2 years ago
- Status changed from New to Not a Bug
- Assignee set to Jim Pingle
It does appear that they are the same, but different versions of OpenSSL, or different OpenSSL-like libraries, may produce different results. At least that is what a few references I found say, including: https://security.stackexchange.com/questions/91908/using-rsa-sha-as-instead-hmac-in-openvpn
The OpenVPN client and server GUI pages probably should only allow selecting the ones that don't have RSA- or DSA- prefixes, since they are equivalent. The export package is doing the correct thing here, making sure you are using the exact matching digest. Trying to "fix" it there would be wrong.
In the meantime, you can select SHA256 on the server side, and then you will not have any problems exporting.