On 18/07/17 17:50, Farkas Levente wrote:
> On 07/18/2017 03:55 PM, Jaroslav Reznik wrote:
> > This will result in the following:
> > * OpenVPN 2.4 based clients will automatically upgrade to AES-256-GCM,
> > regardless if they have --cipher in their configuration file or not.
> > For OpenVPN v2.4 configurations not wanting this cipher upgrade, the
> > client configuration needs to deploy --ncp-disable.
> > * OpenVPN 2.3 based clients and older (and v2.4 clients using
> > --ncp-disable in the client configuration) can connect to the server
> > using any of the --ncp-ciphers list; this is what is called "poor
> > man's cipher negotiation" by the upstream OpenVPN developers.
> > * Any client not providing --cipher defaults to BF-CBC. These clients
> > should still be able to connect to the server as the server allows
> > BF-CBC through --ncp-ciphers.
> Unfortunately it's not working :-(
> It took me a long time to debug it on my own server, and there was a long
> discussion in this ticket:
> https://community.openvpn.net/openvpn/ticket/886
> It's not possible to set
> cipher AES-256-GCM
> since in this case old clients, e.g. the Android client which has not been
> updated to 2.4.x, are not able to connect.
The issue I believe you refer to ("unreliable NCP") should be fixed in
OpenVPN v2.4.3.
<https://community.openvpn.net/openvpn/ticket/887#comment:13>
I just ran a few tests manually now.
---- server.conf --------------
dev tun
persist-tun
server 10.35.8.32 255.255.255.224
topology subnet
user openvpn
group openvpn
chroot /var/lib/openvpn
client-config-dir clients
proto udp
port 1194
verb 4
keepalive 20 45
persist-key
remote-cert-tls client
dh dh2048.pem
pkcs12 server-ec.p12
ecdh-curve secp521r1
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
key-direction 1
tls-auth vpn.ta
--------------------------------
---- client.conf ---------------
dev tun
pkcs12 client-ec.p12
remote testserver.example.com 65441 udp
tls-auth vpn.ta
key-direction 0
verb 4
client
auth SHA256
explicit-exit-notify 2
--------------------------------
I tested this client config on both OpenVPN v2.3.12 and v2.4.3. All
connect with BF-CBC, AES-256-CBC, AES-128-CBC, and for v2.4.3 I also
tested AES-256-GCM (I didn't test AES-128-GCM).
So I would recommend re-testing your own setup with the latest v2.4.3 on
the server side, which is what we ship in F25 and newer.
--
kind regards,
David Sommerseth
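To make the negotiation rules quoted at the top of this thread concrete against the server.conf David posted, here is an added example (not code from the OpenVPN project or from anyone in the thread). It parses the `cipher` and `ncp-ciphers` lines out of the config and then applies the three rules as stated: NCP-capable v2.4 clients take the first cipher in the server's list that they also offer (assumed here to be AES-256-GCM and AES-128-GCM, the v2.4 defaults), non-NCP clients may use any cipher in the server's `ncp-ciphers` list, and a client without `--cipher` defaults to BF-CBC. The client profiles are constructed; the `audit` report lets an operator see which clients would land on BF-CBC or fail to connect before changing the server list.

```python
"""Model of the OpenVPN 2.4 cipher-negotiation (NCP) rules described in the
thread, applied to the posted server.conf.  Added example, not OpenVPN code;
client profiles and the fallback-on-no-common-cipher behaviour are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# The server.conf from the thread, embedded as a constructed string.  Only the
# cipher-related directives affect the negotiation modelled below.
SERVER_CONF = """\
dev tun
server 10.35.8.32 255.255.255.224
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC
"""

OPENVPN_DEFAULT_CIPHER = "BF-CBC"  # what a config without --cipher uses (per the thread)


def parse_cipher_options(conf: str) -> tuple[str, list[str]]:
    """Return (cipher, ncp_ciphers) from an OpenVPN config text.

    Comments ('#') and blank lines are skipped; a missing --cipher means the
    BF-CBC default, a missing --ncp-ciphers means an empty list."""
    cipher = OPENVPN_DEFAULT_CIPHER
    ncp: list[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "cipher":
            cipher = value.strip()
        elif key == "ncp-ciphers":
            ncp = [c for c in value.strip().split(":") if c]
    return cipher, ncp


@dataclass
class Client:
    """Constructed client profile: version, static --cipher, NCP settings."""
    name: str
    version: tuple[int, int]                 # e.g. (2, 3) or (2, 4)
    cipher: Optional[str] = None             # value of --cipher, None if absent
    ncp_disable: bool = False                # --ncp-disable present?
    # Ciphers a v2.4 client offers via NCP by default (assumption from 2.4 docs).
    ncp_ciphers: tuple[str, ...] = ("AES-256-GCM", "AES-128-GCM")


def negotiate(client: Client, server_cipher: str, server_ncp: list[str]) -> Optional[str]:
    """Return the data-channel cipher the session would use, or None if the
    client cannot connect, following the rules quoted in the thread."""
    if client.version >= (2, 4) and not client.ncp_disable:
        # Rule 1: NCP.  Server picks the first entry of its own list that the
        # client also offers; with the posted config that is AES-256-GCM.
        for c in server_ncp:
            if c in client.ncp_ciphers:
                return c
        # No common NCP cipher: assume fallback to the static --cipher path.
    # Rules 2 and 3: "poor man's negotiation".  The client's static cipher
    # (BF-CBC if --cipher is absent) works if the server's --cipher matches or
    # the cipher appears anywhere in the server's --ncp-ciphers list.
    static = client.cipher or OPENVPN_DEFAULT_CIPHER
    if static == server_cipher or static in server_ncp:
        return static
    return None


def audit(clients: list[Client], conf: str) -> dict[str, Optional[str]]:
    """Map each client name to its negotiated cipher (None = cannot connect)."""
    server_cipher, server_ncp = parse_cipher_options(conf)
    return {c.name: negotiate(c, server_cipher, server_ncp) for c in clients}


def weak_or_failing(report: dict[str, Optional[str]]) -> list[str]:
    """Names of clients that would end up on BF-CBC or fail to connect."""
    return sorted(n for n, c in report.items() if c is None or c == "BF-CBC")


if __name__ == "__main__":
    sample = [
        Client("laptop-2.4", (2, 4)),
        Client("router-2.3-aes", (2, 3), cipher="AES-256-CBC"),
        Client("android-old-nocipher", (2, 3)),
        Client("desktop-2.4-ncp-disable", (2, 4), cipher="AES-128-CBC", ncp_disable=True),
        Client("legacy-aes192", (2, 3), cipher="AES-192-CBC"),
    ]
    for name, cipher in audit(sample, SERVER_CONF).items():
        print(f"{name:28s} -> {cipher}")
    print("review:", weak_or_failing(audit(sample, SERVER_CONF)))
```

Removing `BF-CBC` from the server's `ncp-ciphers` list (or passing a list without it to `negotiate`) shows the situation Farkas describes: any pre-2.4 client that never set `--cipher` drops to `None`, so the audit is worth running before tightening the list.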