Hello,
We are using the latest version of OPNsense. I have set up an OpenVPN instance. I export the config, but Data Ciphers are not added to the configuration. Could you please let me know if it is a bug, or if I am doing something wrong?
The config of the VPN file:
dev tun
persist-tun
persist-key
proto tcp-client
auth SHA256
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1149 tcp
lport 0
verify-x509-name "C=DE, ST=HESSEN, L=xxx, O=xxx, emailAddress=xxx, CN=WS-OPENVPN-CERTIFICATE" subject
remote-cert-tls server
Nobody has this problem?
Is it a bug, or am I doing something wrong?
To be honest I'm not sure, but we're also traveling at the moment, so it's hard to find time to check. I'll forward this but don't expect a technical reply before tomorrow.
Cheers,
Franco
Just briefly... which client version are you trying to set up? The "Data Ciphers" are likely not exported because OpenVPN deprecated them a while back. If you think this is causing an operational issue a GitHub ticket would be better, but if you just wonder about why it's not there while it's working fine we shall better leave it as is.
Cheers,
Franco
Thank you for your replies. I am using OpenVPN client v2.6.12. But it can't connect and complains that data ciphers are missing. If I add the data ciphers "cipher AES-256-GCM" manually in the config file, then it connects.
If "Data Ciphers" are deprecated and do not need to be exported, why could I set them up in the OpenVPN instance server then? There are "Data Ciphers" and "Data Ciphers Fallback" in the menu.
Ok just open a ticket on GitHub linking this forum post and we will fix it.
https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=bug_report.md&title=
Thanks,
Franco
Hello,
It started to connect without "Data Ciphers", however I haven't changed anything.
If I use Openvpn Connect, I see that it uses AES256-GCM. No errors.
But if I use OpenVPN client v2.6.12 (Community edition), it gives the following error, but it connects successfully.
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
We are using Openvpn client (Community edition), because it has a Windows service that can start automatically on Windows start.
I would like to make sure whether it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?
Could you please answer my last question?
Quote from: elvinmammadov on September 23, 2024, 01:53:04 PM
I would like to make sure whether it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?
Did you view the client side connection log?
Recent versions of OpenVPN support cipher negotiation between server and client - so, even if you have, for example, AES-128-CBC set in the config, you'll likely see a 'PUSH' line ...
PUSH: Received control message: 'PUSH_REPLY, ................... cipher AES-256-GCM'
...with AES-256-GCM and then....
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
N.B. data-ciphers-fallback is a server-side option to support older clients, where 'data-ciphers' is not supported:
https://community.openvpn.net/openvpn/wiki/CipherNegotiation
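As an added example (not code from the thread, from OPNsense or from the OpenVPN project), the following Python script automates the two checks discussed above: it parses an exported .ovpn file for cipher-related directives (data-ciphers, data-ciphers-fallback, cipher, ncp-ciphers) and it reads a client log to extract the cipher pushed in PUSH_REPLY and the cipher the Data Channel actually initialized, flagging a legacy fallback such as BF-CBC. The sample config and log lines are constructed to resemble the ones quoted in the thread (the IP 192.0.2.10 and the timestamps are placeholders), and the helper that appends a data-ciphers line is one way to make the negotiated cipher set explicit, which is an assumption about what a practitioner would want rather than anything the patch does.

```python
import re

# Constructed sample: an exported client config like the one in the thread,
# with no data-ciphers / cipher directive at all.
SAMPLE_CONFIG = """\
dev tun
persist-tun
persist-key
proto tcp-client
auth SHA256
client
resolv-retry infinite
remote 192.0.2.10 1149 tcp
lport 0
remote-cert-tls server
"""

# Constructed sample client log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2024-09-23 13:53:04 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-09-23 13:53:05 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,ping 10,cipher AES-256-GCM'
2024-09-23 13:53:05 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2024-09-23 13:53:05 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

CIPHER_DIRECTIVES = ("data-ciphers", "data-ciphers-fallback", "cipher", "ncp-ciphers")
# Legacy / non-AEAD ciphers a defender would not want negotiated in 2024.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def config_cipher_directives(config_text):
    """Return {directive: value} for the cipher-related directives in an .ovpn file."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split(None, 1)
        key = parts[0].lstrip("-")  # accept both 'cipher' and '--cipher' spellings
        if key in CIPHER_DIRECTIVES:
            found[key] = parts[1].strip() if len(parts) > 1 else ""
    return found


def with_data_ciphers(config_text, ciphers=("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")):
    """Return the config with an explicit AEAD data-ciphers line appended if none exists."""
    if "data-ciphers" in config_cipher_directives(config_text):
        return config_text
    if not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + "data-ciphers " + ":".join(ciphers) + "\n"


def negotiated_cipher(log_text):
    """Extract what the client log says about the data-channel cipher.

    'pushed' is the cipher in PUSH_REPLY, 'outgoing'/'incoming' are the ciphers
    the Data Channel initialized, 'fallback_note' is the '--cipher is not set' note.
    """
    result = {"pushed": None, "outgoing": None, "incoming": None, "fallback_note": False}
    for line in log_text.splitlines():
        if "--cipher is not set" in line:
            result["fallback_note"] = True
        m = re.search(r"PUSH_REPLY.*?\bcipher ([A-Za-z0-9-]+)", line)
        if m:
            result["pushed"] = m.group(1)
        m = re.search(r"(Outgoing|Incoming) Data Channel: Cipher '([^']+)'", line)
        if m:
            result[m.group(1).lower()] = m.group(2)
    return result


def assess(config_text, log_text):
    """Combine both checks into a list of (level, message) findings."""
    findings = []
    directives = config_cipher_directives(config_text)
    neg = negotiated_cipher(log_text)
    if "data-ciphers" not in directives and "cipher" not in directives:
        findings.append(("info", "no data-ciphers/cipher directive: relying entirely on negotiation"))
    fallback = directives.get("data-ciphers-fallback")
    if fallback and fallback.upper() in WEAK_CIPHERS:
        findings.append(("warn", f"weak fallback cipher configured: {fallback}"))
    cipher = neg["outgoing"]
    if cipher is None or cipher != neg["incoming"]:
        findings.append(("warn", "could not confirm a single negotiated Data Channel cipher from the log"))
    elif cipher.upper() in WEAK_CIPHERS:
        findings.append(("warn", f"negotiated weak cipher {cipher}"))
    else:
        pushed = " (pushed by server)" if neg["pushed"] == cipher else ""
        findings.append(("ok", f"data channel uses {cipher}{pushed}"))
    if neg["fallback_note"]:
        findings.append(("info", "client printed the '--cipher is not set' note; harmless when an AEAD cipher was negotiated"))
    return findings


if __name__ == "__main__":
    for level, message in assess(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"[{level}] {message}")
```

Run it against a real exported .ovpn and a client log (read both files into the two text arguments of assess) to get the same verdict the thread reaches by eye: the "--cipher is not set" note is informational as long as the Data Channel lines show an AEAD cipher such as AES-256-GCM, and only a weak fallback or a missing Data Channel line is worth a warning.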
I want to reiterate that opening a ticket is probably the best way to go forward.
Cheers,
Franco
Thank you for your replies.
In the client logs, I couldn't see the "PUSH" line.
In the server logs, when the client is connected, it shows that the client uses AES-256-GCM.
openvpn_server1 xxx.xxx.xxx.xxx:55396 Data Channel: cipher 'AES-256-GCM', peer-id: 0
However, in the Client logs, it complains that the Data Ciphers are missing. I will create a ticket.
Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case.
If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Ticket ref is https://github.com/opnsense/core/issues/7893
Hello Franco,
I've read that the latest OpenVPN server no longer needs to export Data Ciphers, as OpenVPN now supports cipher negotiation between the server and client. That's great news.
I also checked the OpenVPN server logs and confirmed that it uses AES-256-GCM when a client is connected, which is fine.
When I use OpenVPN Connect, there are no errors. However, when I use the OpenVPN client, it complains about missing Data Ciphers, even though the OPNsense OpenVPN log shows that AES-256-GCM is being used.
It would be much better if the issue causing the OpenVPN client to generate this message could be resolved.
That's why I said please open a ticket and cleaned it up so my colleague could understand what the problem was.
The patch is: https://github.com/opnsense/core/commit/a3fd07bd4e
# opnsense-patch a3fd07bd4e
Export and try with the client again. I'm not 100% sure it's the right thing since the cipher, data-cipher and data-cipher-fallback things are a bit weird.
Cheers,
Franco
I'm not sure this patch fixes the problem - I added an update to the github issue.
Although it is not really a 'problem' - it's not really an error, just a 'note'.
Thanks for chiming in. :)
Cheers,
Franco