[SOLVED] OpenVPN instance defaults to SHA1 / enforce group not working

[Reuti]

After converting my OpenVPN setting to the new instance based setup, two questions remain:

a) The new default for authentication seems to be SHA1, when I would like to go to my former setting SHA-512 I have to enable “advanced mode” – is this intended?

b) When “Enforce local group” is left to “none” it’s working fine. If I select a defined group “remote” for the remote users it states in the log file “OpenVPN '2' requires the local group 2001. Denying authentication for user X”, despite the fact that user X is a member of group “remote”.

-- Reuti

[allan]

Hash collisions are not as important with HMAC for large (>=128 bits) authentication tags. HMAC-SHA1 at 160 bits is still considered secure. HMAC-SHA-512 would waste CPU resources since HMAC runs the hash function twice per message, and OpenVPN would do it for every sent and received packet. Calculating SHA-512 might also have a significant performance impact (CPU and throughput) on the client side.

[andrewx1]

I have the same problem with “Enforce local group” not working.

[Reuti]

Hash collisions are not as important with HMAC for large (>=128 bits) authentication tags. HMAC-SHA1 at 160 bits is still considered secure. HMAC-SHA-512 would waste CPU resources since HMAC runs the hash function twice per message, and OpenVPN would do it for every sent and received packet. Calculating SHA-512 might also have a significant performance impact (CPU and throughput) on the client side.

Thx for the pointer. I used a former guide to set up OpenVPN which (like several others) was suggesting to use SHA-512, which is obviously for this use case superfluous.

-- Reuti

[andrewx1]

Commit 8f51311 fixes the Enforce local group issue

https://github.com/opnsense/core/commit/8f51311423e2f5a3991eb1c3394391b03dfd8f50