
Bug #7681

OpenVPN client export utility - Exporting Android inline configuration can include incorrect client auth method in .ovpn file

Added by David Nuzik over 2 years ago. Updated over 2 years ago.

Status: Not a Bug
Priority: Normal
Assignee:
Category: OpenVPN Client Export
Target version: -
Start date: 07/08/2017
Due date:
% Done: 0%
Estimated time:
Affected Version:
Affected Architecture:

Description

Intro:
Hello, this is my first bug entry. I hope I have done a good job reporting the specifics of what I believe to be a bug with the ovpn client export package. It's possible this could be a core OpenVPN issue -- I am not certain. If I missed some information or if there is more info I may provide, please let me know.

Summary:
If you set up OpenVPN with a more secure auth method, such as RSA-SHA256, and then use the ovpn client export utility to export an inline configuration (ovpn config file) for Android, then the config file will include the following line (without double quotes):
"auth RSA-SHA256"

Note, however, this is incorrect as the Android client must use auth SHA256 (or any client, I believe).
This is evidenced by this forum post on openvpn forums: https://forums.openvpn.net/viewtopic.php?f=4&t=23241 and also by my fix by following the instructions to manually change this line to "auth SHA256" without double quotes. The "auth RSA-SHA256" method is only for server config, not client config -- or at least according to the forum post.

Steps to reproduce:
- Set up OpenVPN with defaults except choose the RSA-SHA256 auth crypto option. Ensure you have set up certs for your user(s) as well. (if my config info is needed please notify me and I will obfuscate it accordingly and send it your way; or send redacted screenshots)
- Using the client export utility (/vpn_openvpn_export.php), attempt to export an inline configuration for Android by clicking the "Android" button.
- Inspect the contents of the .ovpn file in a text editor. Notice the "auth RSA-SHA256" line is incorrect; it should be "auth SHA256".
- Note, if you export to the current Windows installer this will work correctly on a Windows client.
- Note, if you simply export the "Config Only" under "Standard Configuration" this ovpn file is also incorrect as it states "auth RSA-SHA256".
- Manually change the auth method to SHA256 instead of RSA-SHA256 and attempt to load the configuration on an Android device such as with the official OpenVPN Connect app.
- Note, only after manually changing the auth method to SHA256 in the .ovpn file will you then be able to connect to the vpn. Otherwise OpenVPN Connect app will report the following error:
"crypto_alg: RSA-SHA256: not found"

Version info:
pfSense 2.3.4-RELEASE built on Wed May 03 15:13:29 CDT 2017
FreeBSD 10.3-RELEASE-p17
openvpn-client-export 1.4.12
openvpn (latest as of 7/8/17)

Additional:
If RSA-SHA256 is indeed a correct option for most clients, it may not be for android devices. My Android device would not work with "auth RSA-SHA256" method until I changed it to "auth SHA256"
My Android device is a Samsung Galaxy S8+
If more information is needed please let me know.

History

#1 Updated by Jim Pingle over 2 years ago

  • Status changed from New to Not a Bug
  • Assignee set to Jim Pingle

It does appear that they are the same, but different versions of OpenSSL or different libraries that are OpenSSL-like may produce different results. At least according to a few references I found, including: https://security.stackexchange.com/questions/91908/using-rsa-sha-as-instead-hmac-in-openvpn

The OpenVPN client and server GUI pages probably should only allow selecting the ones that don't have RSA- or DSA- prefixes since they are equivalent. The export package is doing the correct thing here, making sure you are using the exact matching digest. Trying to "fix" it here would be wrong.

In the meantime, you can select SHA256 on the server side and then you will not have any problems exporting.
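
The report above shows an exported profile carrying `auth RSA-SHA256`, and the comment above explains that OpenSSL treats the `RSA-`/`DSA-` prefixed names as aliases of the plain digest while a client's crypto library may not. The following script is an added example for this page, not code from pfSense or the openvpn-client-export package: it scans an exported `.ovpn` profile for `auth` directives whose digest carries one of those alias prefixes, reports them, and can produce a copy of the profile with the plain name, so an administrator can verify an export before handing it to a client. The prefix list is taken from the comment above (`RSA-`, `DSA-`); the sample profile is constructed for the example and the placeholder `<ca>` block is not a real certificate.

```python
"""Check the `auth` digest in an exported OpenVPN client profile (.ovpn).

Added example for this bug report; not part of pfSense or the
openvpn-client-export package. SAMPLE_PROFILE is constructed, not an
export from a real system.
"""
import re

# Prefixes that OpenSSL accepts as aliases of the plain digest name
# (the ones named in the discussion above). A client built against a
# different crypto library may reject the prefixed form.
_ALIAS_PREFIXES = ("RSA-", "DSA-")

# The `auth` directive takes one argument. Requiring whitespace after
# "auth" keeps `auth-user-pass` and `auth-nocache` from matching.
_AUTH_RE = re.compile(r"^\s*auth\s+(\S+)", re.IGNORECASE)

# Constructed sample profile in the shape of an inline export.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194 udp
cipher AES-256-CBC
auth RSA-SHA256
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""


def normalize_auth_digest(name: str) -> str:
    """Return the plain digest name: 'RSA-SHA256' -> 'SHA256', 'SHA256' unchanged."""
    upper = name.upper()
    for prefix in _ALIAS_PREFIXES:
        if upper.startswith(prefix):
            return upper[len(prefix):]
    return upper


def find_auth_lines(profile: str) -> list:
    """Return (line_number, digest) for every `auth` directive in the profile."""
    found = []
    for lineno, line in enumerate(profile.splitlines(), start=1):
        m = _AUTH_RE.match(line)
        if m:
            found.append((lineno, m.group(1)))
    return found


def check_profile(profile: str) -> list:
    """Report `auth` digests whose name carries an alias prefix."""
    findings = []
    for lineno, digest in find_auth_lines(profile):
        plain = normalize_auth_digest(digest)
        if plain != digest.upper():
            findings.append(
                f"line {lineno}: 'auth {digest}' uses an OpenSSL alias; "
                f"clients expect 'auth {plain}'"
            )
    return findings


def rewrite_profile(profile: str) -> str:
    """Return a copy of the profile with each aliased `auth` digest replaced
    by its plain name; all other lines are left untouched."""
    out = []
    for line in profile.splitlines(keepends=True):
        m = _AUTH_RE.match(line)
        if m:
            plain = normalize_auth_digest(m.group(1))
            if plain != m.group(1).upper():
                line = line[:m.start(1)] + plain + line[m.end(1):]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print(finding)
    print(rewrite_profile(SAMPLE_PROFILE))
```

Running the script against a real export is a matter of reading the file into `check_profile`; a clean result means no prefixed alias is present, which is the state the comment above recommends reaching by selecting SHA256 on the server side rather than by editing the export.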

#2 Updated by Jim Pingle over 2 years ago

I made a different issue entry for the actual underlying problem here: https://redmine.pfsense.org/issues/7685

#3 Updated by David Nuzik over 2 years ago

Thank you Jim! Makes sense.
