errors in generated config (v6 only server, tls-auth ...)

[JeGr]

Hi,

I checked with 21.1 as well as 21.7 but a v6 only RAS server (tunnel v6, LAN v6, bound to WAN interface with v6) seems to generate an invalid configuration. I tested that in relation to a bug report from this topic

https://forum.opnsense.org/index.php?topic=24094.msg115153#new

and fould it reporting:

Code: [Select]

2021-07-28T15:01:07 openvpn[98366] Use --help for more information.
2021-07-28T15:01:07 openvpn[98366] Options error: --client-disconnect requires --mode server
2021-07-28T15:01:07 openvpn[98366] Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
up until I configured an additional dummy ipv4 tunnel network. Then the server could be configured and came up.

Also the generation routine in use for creating shared keys throws a warning and (incorrectly) writes that to the TLS auth field before the # comments of the static key.

Code: [Select]

2021-07-28 15:10:54 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...

That also happened in 21.1-latest and 21.7.

Last thing I'm perhaps missing: as we now have access to OVPN 2.5 and cipher negotiation should be default (as far as OVPN is concerned) I can't seem to find support for more then one data-cipher on the UI or am I mistaken? As there now is chacha20 support especially for mobile devices without AES-NI support, it would be nice to configure it to use GCM/Chacha20 and let the client select one.

Cheers

[Fright]

Hi
did you try https://github.com/opnsense/core/commit/4738eb409edd1c6774815a7b76dbda8d3896c684
for "--genkey --secret" warning fix? (thnx to @AdSchellevis)

on other issues: it looks like the openvpn package is not yet fully adapted to the changes in 2.5
(pure IPv6 tunnel, ChaCha20-Poly1305 etc.). need some time imho 

[JeGr]

> on other issues: it looks like the openvpn package is not yet fully adapted to the changes in 2.5
(pure IPv6 tunnel, ChaCha20-Poly1305 etc.). need some time imho 

That's not a problem. I'm not ranting Just pointing out some things/errors I stumble across while testing setups for customers or other forum users when they report it. I was jsut curious if there's some sense to OVPN Server not starting with v6 only. As there were quite a few changes in 2.5 - and some a bit unlucky by deprecating options the hard way - I'm just wondering if those v6 only things are either by the config not being written correctly by OPNsense' UI or by OpenVPN not being ready with version 2.5

But yes, we should see that we can get things like cipher-lists (was ncp-ciphers in 2.4) included, too

Cheers

[Fright]

I'm just wondering if those v6 only things are either by the config not being written correctly by OPNsense' UI or by OpenVPN not being ready with version 2.5
yes, for now OPN allows to use ipv6 tunnels optionally (ipv4 tunnel must be present), as openvpn < 2.5 did.

[franco]

@Fright: the second problem should be addressed via https://github.com/opnsense/core/commit/c5c622fd


Cheers,
Franco

[Fright]

@franco great! thanks!

@JeGr
things like cipher-lists (was ncp-ciphers in 2.4) included, too
for clarity and future PR's, i think ncp-ciphers renamed to data-ciphers 
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

[JeGr]

Yeah, Franco fixed the IPv6 only part like a charm - that's already working and tested

@Fright
> for clarity and future PR's, i think ncp-ciphers renamed to data-ciphers 

You're right, I just wanted to point out, that listing multiple ciphers did exist before. Not used that much, but now with GCM & Chacha20 available, it should be, as with such a setup you can better cater to various devices/CPUs needs then before. x64 with AES-NI runs AES-GCM, mobile ARM can deal with CHACHA20 way faster - so would help both worlds.

But that would also require a bit of UI (re)work to make ciphers selectable for data-ciphers and to select one for fallback.

[Fright]

AFAICS there is already a fr for this
https://github.com/opnsense/core/issues/4871