errors in generated config (v6 only server, tls-auth ...)

Started by JeGr, July 28, 2021, 03:23:15 PM

Hi,

I checked with 21.1 as well as 21.7 but a v6 only RAS server (tunnel v6, LAN v6, bound to WAN interface with v6) seems to generate an invalid configuration. I tested that in relation to a bug report from this topic

https://forum.opnsense.org/index.php?topic=24094.msg115153#new

and found it reporting:

2021-07-28T15:01:07 openvpn[98366] Use --help for more information.
2021-07-28T15:01:07 openvpn[98366] Options error: --client-disconnect requires --mode server
2021-07-28T15:01:07 openvpn[98366] Cipher negotiation is disabled since neither P2MP client nor server mode is enabled


up until I configured an additional dummy ipv4 tunnel network. Then the server could be configured and came up.

Also the generation routine in use for creating shared keys throws a warning and (incorrectly) writes that to the TLS auth field before the # comments of the static key.

2021-07-28 15:10:54 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...


That also happened in 21.1-latest and 21.7.

Last thing I'm perhaps missing: as we now have access to OVPN 2.5 and cipher negotiation should be default (as far as OVPN is concerned) I can't seem to find support for more than one data-cipher on the UI or am I mistaken? As there now is chacha20 support especially for mobile devices without AES-NI support, it would be nice to configure it to use GCM/Chacha20 and let the client select one.

Cheers
"It doesn't work!" is no valid error description! - Don't forget to [applaud] those offering time & brainpower to help you!
Better have some *sense as no(n)sense! ;)

If you're interested in german-speaking business support, feel free to reach out via PM.

Hi
did you try https://github.com/opnsense/core/commit/4738eb409edd1c6774815a7b76dbda8d3896c684
for "--genkey --secret" warning fix? (thnx to @AdSchellevis)

on other issues: it looks like the openvpn package is not yet fully adapted to the changes in 2.5
(pure IPv6 tunnel, ChaCha20-Poly1305 etc.). need some time imho  ;)

> on other issues: it looks like the openvpn package is not yet fully adapted to the changes in 2.5
> (pure IPv6 tunnel, ChaCha20-Poly1305 etc.). need some time imho  ;)

That's not a problem. I'm not ranting ;) Just pointing out some things/errors I stumble across while testing setups for customers or other forum users when they report it. I was just curious if there's some sense to OVPN Server not starting with v6 only. As there were quite a few changes in 2.5 - and some a bit unlucky by deprecating options the hard way - I'm just wondering if those v6 only things are either by the config not being written correctly by OPNsense's UI or by OpenVPN not being ready with version 2.5 :)

But yes, we should see that we can get things like cipher-lists (was ncp-ciphers in 2.4) included, too :)

Cheers

> I'm just wondering if those v6 only things are either by the config not being written correctly by OPNsense' UI or by OpenVPN not being ready with version 2.5
yes, for now OPN allows to use ipv6 tunnels optionally (ipv4 tunnel must be present), as openvpn < 2.5 did.


@franco great! thanks!

@JeGr
> things like cipher-lists (was ncp-ciphers in 2.4) included, too
for clarity and future PR's, i think ncp-ciphers renamed to data-ciphers  ;)
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

Yeah, Franco fixed the IPv6 only part like a charm - that's already working and tested :)

@Fright
> for clarity and future PR's, i think ncp-ciphers renamed to data-ciphers  ;)

You're right, I just wanted to point out that listing multiple ciphers did exist before. Not used that much, but now with GCM & Chacha20 available, it should be, as with such a setup you can better cater to various devices'/CPUs' needs than before. x64 with AES-NI runs AES-GCM, mobile ARM can deal with CHACHA20 way faster - so would help both worlds.

But that would also require a bit of UI (re)work to make ciphers selectable for data-ciphers and to select one for fallback.
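The three problems discussed in this thread (a v6-only instance that lacks a server-mode directive and so trips "--client-disconnect requires --mode server", a tls-auth key file polluted by the --genkey deprecation warning, and the 2.4-era ncp-ciphers name versus a data-ciphers list that includes CHACHA20-POLY1305) can all be caught by a small config linter before OpenVPN is restarted. The following is an added example and not OPNsense or OpenVPN project code: the directive names are real OpenVPN 2.5 options, but the sample configs, the addresses, the script path and the key material are constructed for the demonstration, and the assumption that `server-ipv6` on its own implies server mode in 2.5 is the poster's, not something this script verifies against the binary.

```python
"""Lint an OpenVPN 2.5 server config and a tls-auth static key for the three
problems in this thread. Added example (not OPNsense or OpenVPN project code).
Directive names are real OpenVPN 2.5 options; all sample configs, addresses
and key material below are constructed for the demonstration."""
import re

AEAD = re.compile(r"^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$", re.IGNORECASE)
# Options that OpenVPN's option checker rejects unless the instance is in
# server mode (the thread's "--client-disconnect requires --mode server").
NEEDS_SERVER_MODE = {"client-connect", "client-disconnect", "client-config-dir",
                     "ccd-exclusive", "push", "max-clients"}
KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def parse_config(text):
    """Map each directive to the list of argument lists it appears with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_config(text):
    """Return a list of findings (an empty list means the config passed)."""
    d = parse_config(text)
    findings = []
    # 'server' / 'server-ipv6' are helper directives that imply 'mode server';
    # an IPv6-only instance therefore still needs 'server-ipv6' or 'mode server'
    # (assumption for 2.5, see lead-in).
    in_server_mode = ("server" in d or "server-ipv6" in d
                      or ["server"] in d.get("mode", []))
    if not in_server_mode:
        for name in sorted(NEEDS_SERVER_MODE & d.keys()):
            findings.append(f"--{name} requires --mode server: add 'server', "
                            "'server-ipv6' or 'mode server'")
    if "ncp-ciphers" in d:
        findings.append("ncp-ciphers is the 2.4 name; rename to data-ciphers")
    ciphers = [c for args in d.get("data-ciphers", []) + d.get("ncp-ciphers", [])
               for c in (args[0].split(":") if args else [])]
    if not ciphers:
        findings.append("no data-ciphers set: 2.5 defaults to AES-256-GCM:AES-128-GCM; "
                        "add CHACHA20-POLY1305 for clients without AES-NI")
    else:
        weak = [c for c in ciphers if not AEAD.match(c)]
        if weak:
            findings.append("non-AEAD entries in data-ciphers: " + ", ".join(weak))
        if not any(c.upper() == "CHACHA20-POLY1305" for c in ciphers):
            findings.append("CHACHA20-POLY1305 missing from data-ciphers")
    return findings


def clean_static_key(text):
    """Drop anything written before the key's first '#' comment or BEGIN marker
    (for example the --genkey deprecation WARNING that ended up in the file).
    Returns (cleaned_key, dropped_lines); raises if no key is present."""
    lines = [l.strip() for l in text.splitlines()]
    start = next((i for i, l in enumerate(lines)
                  if l.startswith("#") or l == KEY_BEGIN), None)
    if start is None or KEY_END not in lines:
        raise ValueError("no OpenVPN static key found")
    dropped = [l for l in lines[:start] if l]
    return "\n".join(lines[start:]) + "\n", dropped


# Constructed: a v6-only instance without a server helper line and with the
# old cipher option name, followed by the corrected version.
BROKEN_V6_ONLY = """
dev tun
proto udp6
local 2001:db8::1
port 1194
ifconfig-ipv6 2001:db8:1::1 2001:db8:1::2
client-disconnect /usr/local/etc/openvpn/ovpn-disconnect.sh
ncp-ciphers AES-256-GCM:AES-256-CBC
"""

FIXED_V6_ONLY = """
dev tun
proto udp6
local 2001:db8::1
port 1194
server-ipv6 2001:db8:1::/64
client-disconnect /usr/local/etc/openvpn/ovpn-disconnect.sh
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-GCM
"""

# Constructed key file reproducing the thread's symptom (hex body is dummy data).
POLLUTED_KEY = """2021-07-28 15:10:54 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_V6_ONLY), ("fixed", FIXED_V6_ONLY)):
        print(label, lint_config(cfg) or "OK")
    key, dropped = clean_static_key(POLLUTED_KEY)
    print("dropped from key file:", dropped)
```

Run as-is it reports four findings for the broken config and "OK" for the fixed one, and shows the single WARNING line it strips from the key file; pointing `lint_config` at the file OPNsense writes under /var/etc/openvpn is the obvious next step, but the parser here is deliberately naive (no inline comments, no `--` prefixes) and only meant to make the checks legible.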