OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: Reuti on August 09, 2023, 02:45:22 PM

Title: [SOLVED] OpenVPN instance defaults to SHA1 / enforce group not working
Post by: Reuti on August 09, 2023, 02:45:22 PM
After converting my OpenVPN setting to the new instance based setup, two questions remain:

a) The new default for authentication seems to be SHA1; when I would like to go to my former setting, SHA-512, I have to enable "advanced mode" – is this intended?

b) When "Enforce local group" is left at "none", it works fine. If I select a defined group "remote" for the remote users, the log file states "OpenVPN '2' requires the local group 2001. Denying authentication for user X", despite the fact that user X is a member of group "remote".

-- Reuti
Title: Re: OpenVPN instance defaults to SHA1 / enforce group not working
Post by: allan on August 09, 2023, 05:22:14 PM
Hash collisions are not as important with HMAC for large (>=128 bits) authentication tags. HMAC-SHA1 at 160 bits is still considered secure (https://security.stackexchange.com/questions/187866/why-aren-t-collisions-important-with-hmac). HMAC-SHA-512 would waste CPU resources since HMAC runs the hash function twice per message, and OpenVPN would do it for every sent and received packet. Calculating SHA-512 might also have a significant performance impact (CPU and throughput) on the client side.
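As an added illustration of the point above about HMAC invoking the hash twice per message (this is example code added to the thread, not from the poster or from OPNsense/OpenVPN), the block below builds HMAC by hand per RFC 2104 and checks it against Python's standard library. The key and message are constructed sample values; the tag sizes it reports are the 160 bits of HMAC-SHA1 and the 512 bits of HMAC-SHA-512 that the discussion compares.

```python
import hashlib
import hmac

# Constructed sample inputs (not real OpenVPN traffic or keys).
DEMO_KEY = b"constructed-demo-key-for-illustration"
DEMO_MSG = b"constructed packet payload: data channel frame"


def hmac_manual(key: bytes, message: bytes, hash_name: str) -> bytes:
    """RFC 2104 HMAC built by hand: H((K ^ opad) || H((K ^ ipad) || m)).

    Two hash invocations over message-sized data are needed per tag, which
    is why the cost scales with the hash function chosen (SHA-1 vs SHA-512).
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-1, 128 for SHA-512
    if len(key) > block_size:
        # Long keys are hashed down first (a third, key-only hash pass).
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # zero-pad the key to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()  # first pass
    return hashlib.new(hash_name, opad + inner).digest()     # second pass


def tag_bits(hash_name: str) -> int:
    """Length of the authentication tag HMAC produces with this hash."""
    return hashlib.new(hash_name).digest_size * 8


def matches_stdlib(hash_name: str) -> bool:
    """Cross-check the hand-built HMAC against hmac.new for the demo inputs."""
    expected = hmac.new(DEMO_KEY, DEMO_MSG, hash_name).digest()
    return hmac.compare_digest(hmac_manual(DEMO_KEY, DEMO_MSG, hash_name), expected)


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str) -> bool:
    """Constant-time tag check, as a receiver would do on every packet."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


def tamper_detected(hash_name: str) -> bool:
    """A single flipped byte in the message must fail verification."""
    tag = hmac_manual(DEMO_KEY, DEMO_MSG, hash_name)
    tampered = bytearray(DEMO_MSG)
    tampered[0] ^= 0x01
    return not verify_tag(DEMO_KEY, bytes(tampered), tag, hash_name)


if __name__ == "__main__":
    for name in ("sha1", "sha512"):
        print(f"HMAC-{name.upper()}: {tag_bits(name)}-bit tag, "
              f"stdlib match={matches_stdlib(name)}, "
              f"tamper detected={tamper_detected(name)}")
```

Running it shows both constructions agree with the standard library and that either tag size rejects a one-byte modification; the difference between them is the per-packet hashing cost, not whether tampering is caught.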
Title: Re: OpenVPN instance defaults to SHA1 / enforce group not working
Post by: andrewx1 on August 09, 2023, 10:55:42 PM
I have the same problem with "Enforce local group" not working.
Title: Re: OpenVPN instance defaults to SHA1 / enforce group not working
Post by: Reuti on August 10, 2023, 10:31:28 AM
Quote from: allan on August 09, 2023, 05:22:14 PM
Hash collisions are not as important with HMAC for large (>=128 bits) authentication tags. HMAC-SHA1 at 160 bits is still considered secure (https://security.stackexchange.com/questions/187866/why-aren-t-collisions-important-with-hmac). HMAC-SHA-512 would waste CPU resources since HMAC runs the hash function twice per message, and OpenVPN would do it for every sent and received packet. Calculating SHA-512 might also have a significant performance impact (CPU and throughput) on the client side.

Thx for the pointer. I used a former guide to set up OpenVPN which (like several others) was suggesting to use SHA-512, which is obviously superfluous for this use case.

-- Reuti
Title: Re: OpenVPN instance defaults to SHA1 / enforce group not working
Post by: andrewx1 on August 10, 2023, 08:20:06 PM
Commit 8f51311 fixes the Enforce local group issue.

https://github.com/opnsense/core/commit/8f51311423e2f5a3991eb1c3394391b03dfd8f50