Hi there,
I'm working on
OPNsense 26.1.9-amd64, FreeBSD 14.3-RELEASE-p14, OpenSSL 3.0.20
I've been working on the OpenVPN Roadwarrior solution update, as part of the switch from Legacy to Instances. I've been using various sources for best practices based on the work environment it is being used in. One of the suggestions was to set the Data Ciphers to this order:
1st: AES-256-GCM
2nd: AES-128-GCM
3rd: CHACHA20-POLY1305
So I went to do that. It's a dropdown field with checkmarks for multiple options, but when you are done selecting the options, it puts them in alphabetical order. So then it looks like:
AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305
I thought "Surely, OPNsense will configure OpenVPN to use the strongest possible encryption first, then work its way down to the least possible encryption." And yet, in the OpenVPN logs, I can see where I'm connecting to the site repeatedly on AES-128-GCM. So I went digging.
In /var/etc/openvpn/instance-[ID].conf:
- data-ciphers AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
- data-ciphers-fallback AES-128-CBC
Nope. We really are telling it to prioritize the encryption in alphabetical order.
Then I tried forcing it in my OpenVPN config export, in the custom fields area:
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
Disconnect, reconnect and... AES-128-GCM again. So what's on the daemon on the firewall is what is preferred above what the client asks for.
I could edit the file, change the priority, and restart the daemon, but the first time I go into the GUI and make a minor edit, it will revert. So that's not a wise choice.
My suggestion: Shift this field to something like the local and remote network fields are in the Routing section. Let me choose from a list, but then let me click on the Text option and rearrange them.
Thanks!
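A small model of the behaviour described in this post, added here as an example (not code from the post or from OPNsense): it parses the two config lines quoted above out of a constructed snippet and applies OpenVPN's negotiation rule that the server's data-ciphers order decides, which is why the client-side override had no effect. The fallback handling is a simplified assumption, not a reproduction of OpenVPN's full logic.

```python
"""Simplified model of OpenVPN data-channel cipher negotiation (NCP)."""
from typing import Optional

# Constructed excerpt modelled on the two lines quoted in the post;
# not a file taken from a running system.
SERVER_CONF = """\
dev tun
data-ciphers AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-128-CBC
"""


def parse_cipher_config(conf_text: str) -> tuple[list[str], Optional[str]]:
    """Return (data-ciphers in server preference order, fallback cipher)."""
    ciphers: list[str] = []
    fallback: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("data-ciphers-fallback "):
            fallback = line.split(None, 1)[1].strip()
        elif line.startswith("data-ciphers "):
            ciphers = [c.upper() for c in line.split(None, 1)[1].split(":") if c]
    return ciphers, fallback


def negotiate(server_ciphers, fallback, client_ciphers):
    """First entry of the *server's* list that the client also offers wins;
    the client's own ordering is ignored. Assumption (simplified model): a
    client that offers no list gets the fallback cipher, and no common
    cipher means the negotiation fails (None)."""
    if not client_ciphers:
        return fallback
    offered = {c.upper() for c in client_ciphers}
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None


def negotiated_with(conf_text, client_ciphers):
    server_ciphers, fallback = parse_cipher_config(conf_text)
    return negotiate(server_ciphers, fallback, client_ciphers)


if __name__ == "__main__":
    client = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]  # the post's client override
    print(negotiated_with(SERVER_CONF, client))  # server order wins: AES-128-GCM
    reordered = SERVER_CONF.replace("AES-128-GCM:AES-256-GCM", "AES-256-GCM:AES-128-GCM")
    print(negotiated_with(reordered, client))  # AES-256-GCM
```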