Data Ciphers are missing in OpenVPN export configuration. Is it a bug?

[elvinmammadov]

Hello,
We are using the latest version of OPNsense. I have setup OpenVPN instance. I export the config, but Data Ciphers are not added into the configuration. Could you please let me know, if it is a bug, or I am doing something wrong?

The config of the VPN file:
dev tun
persist-tun
persist-key
proto tcp-client
auth SHA256
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1149 tcp
lport 0
verify-x509-name "C=DE, ST=HESSEN, L=xxx, O=xxx, emailAddress=xxx, CN=WS-OPENVPN-CERTIFICATE" subject
remote-cert-tls server

[elvinmammadov]

Nobody has this problem?

[elvinmammadov]

Is it a bug or I am doing something wrong?

[franco]

To be honest I'm not sure, but we're also traveling at the moment it's hard to find time to check. I'll forward this but don't expect a technical reply before tomorrow.


Cheers,
Franco

[franco]

Just briefly... which client version are you trying to set up? The "Data Ciphers" are likely not exported because OpenVPN deprecated them a while back. If you think this is causing an operational issue a GitHub ticket would be better, but if you just wonder about why it's not there while it's working fine we shall better leave it as is.


Cheers,
Franco

[elvinmammadov]

Thank you for your replies. I am using OpenVPN client v2.6.12. But it can't connect and complains that data ciphers are missing. If I add the data ciphers "cipher AES-256-GCM" manually in the config file, then it connects.
If "Data Ciphers" are deprecated and they are not needed to be exported, why I could setup it in Openvpn Instance server then? There is "Data Ciphers" and "Data Ciphers Fallback" in the menu.

[franco]

Ok just open a ticket on GitHub linking this forum post and we will fix it.

https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=bug_report.md&title=


Thanks,
Franco

[elvinmammadov]

Hello,

It started to connect without "Data Ciphers", however I haven't changed anything.

If I use Openvpn Connect, I see that it uses AES256-GCM. No errors.

But if use OpenVPN client v2.6.12 (Community edition), it gives the following error, but it connects successfully.

Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

We are using Openvpn client (Community edition), because it has a Windows service that can start automatically on Windows start.

I would like to make sure if it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?

[elvinmammadov]

Could you please answer my last question?

[iMx]

I would like to make sure if it really uses "Data Ciphers AES256-GCM" with OpenVPN client (Community edition)?

Did you view the client side connection log?

Recent versions of OpenVPN support cipher negotiation between server and client - so, even if you have, for example, AES-128-CBC set in the config, you'll likely see a 'PUSH' line ...

Code: [Select]

PUSH: Received control message: 'PUSH_REPLY, ................... cipher AES-256-GCM'

...with AES-256-GCM and then....

Code: [Select]

Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
N.B. data-ciphers-fallback is a server-side option to support older clients, where 'data-ciphers' is not supported:

https://community.openvpn.net/openvpn/wiki/CipherNegotiation

[franco]

I want to reiterate that opening a ticket is probably the best way to go forward.


Cheers,
Franco

[elvinmammadov]

Thank you for your replies.

In the client logs, I couldn't see "PUSH' line ...".

In the server logs, when the client is connected, it shows that the client uses AES-256-GCM.

Code: [Select]

openvpn_server1 xxx.xxx.xxx.xxx:55396 Data Channel: cipher 'AES-256-GCM', peer-id: 0
However, in the Client logs, it complains that the Data Ciphers are missing. I will create a ticket.

Code: [Select]

Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case.
If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

[franco]

Ticket ref is https://github.com/opnsense/core/issues/7893

[elvinmammadov]

Hello Franco,

I've read that the latest OpenVPN server no longer needs to export Data Ciphers, as OpenVPN now supports cipher negotiation between the server and client. That's great news.

I also checked the OpenVPN server logs and confirmed that it uses AES-256-GCM when a client is connected, which is fine.

When I use OpenVPN Connect, there are no errors. However, when I use the OpenVPN client, it complains about missing Data Ciphers, even though the OPNsense OpenVPN log shows that AES-256-GCM is being used.

It would be much better if the issue causing the OpenVPN client to generate this message could be resolved.

[franco]

That's why I said please open a ticket and cleaned it up so my colleague could understand what the problem was.

The patch is: https://github.com/opnsense/core/commit/a3fd07bd4e

# opnsense-patch a3fd07bd4e

Export and try with the client again. I'm not 100% sure it's the right thing since the cipher, data-cipher and data-cipher-fallback things are a bit weird.


Cheers,
Franco