Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 12962 bytes --]

Hi,

> On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael Tremer:
>> Hi,
>> 
>>> On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org> wrote:
>>> 
>>> Hi Michael,
>>> thanks for looking into this.
>>> 
>>> Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael Tremer:
>>>> Hello Erik,
>>>> 
>>>> Yes, I am very much interested in this.
>>>> 
>>>> And I have spent pretty much an hour to make sense out of all of
>>>> this, and unfortunately have to report that I failed.
>>> that´s not good to hear. OK, let me explain... I tried to come up
>>> with
>>> a solution where we already have spoken more times about in the
>>> past, i
>>> tried to follow up your suggestions, the latest about that topic
>>> was
>>> here -->
>>> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
>>> in Oktober to bring up "a select box where multiple algorithms can
>>> be
>>> chosen (like in IPsec)". Since --cipher is deprectaed and will be
>>> replaced by --data-ciphers which is a >=2.5.0 option we need
>>> another
>>> selection field for the --data-ciphers-fallback which is a
>>> replacement
>>> for --cipher and the server uses this directive to talk also to
>>> client
>>> which are <2.5.0 .
>> 
>> Yes, the ciphers. But as far as I understand this, you are offering
>> to select the whole cipher suite. That is something different.
>> 
>> And you are offering different options for TLSv1.3 and lower, which
>> we do not do in IPsec either. You have one selection for both IKEv1
>> and IKEv2.
> Yes, i thougt it might be an idea for the advanced section be it is not
> really needed since OpenVPN uses his own choice for the control-chanel
> if nothing has been configured.

That probably isn’t good then. The UI should at least show the user what is being used.

If we want OpenVPN to chose what is best, there should be some option that says “automatic” at least.

>>> OpenVPN presses to use cipher negotiation which we have avoid since
>>> the
>>> release of 2.4 with --ncp-disable, this option is no also
>>> deprecated so
>>> we need to take action on this.
>> 
>> I will skip my moan about introducing something and then deprecating
>> it shortly after…
> It was good that we did not act at that time.

In hindsight yes. But we didn’t know back then that things would change again, and we do not know now if things will change another time in the near future.

So, we have to do “best-effort” here.

>> 
>> I agree that we need to act.
>> 
>>> We need to have then two new options, two seletion boxes which are
>>> odd
>>> to see in the global section. I tried it in the advanced server
>>> section
>>> too and it looks even more confusing with all the other already
>>> existing options, nothing i wanted to do. So i thought your above
>>> linked suggestions are pretty straight forward and the best
>>> solution to
>>> build an own crypto section which do have already defaults, nobody
>>> needs to do there anyting, the global section has been cleaned up
>>> and
>>> it should be even easier for everone to overview.
>> 
>> We have touched this topic multiple times. And I remember the last
>> conclusion as follows:
>> 
>> The average user does not have to touch the advanced options. They
>> have to put in their subnet, select a port and protocol maybe and
>> that is about it. They do not need to think about what cipher to use,
>> because we would have selected a reasonable default. If they want to
>> change something (because of hardware requirements, etc.) they can do
>> that on the advanced page.
> This is exactly what i did.

Okay. So why is there an extra page then, and not a section on the advanced page?

I like the now cleaner look of the main page which only has the bare necessities.

>> 
>> I agree that this is all not idea, but adding a third page to this
>> all makes it rather more confusing than less.
> Not sure if i understand you here right. You mentioned above the
> advanced page but i understand you here that you do not want a third
> one ?

There is the main page, where things can be configured (subnet, port, protocol, …), then advanced options, and now the cryptography options. 

They are all the same - in that they directly change the OpenVPN configuration - and we only wanted to split them by two things:

a) Is it likely that the user will change them?

b) Or is this an option that the average user should not touch.

The advanced settings page can be as long as we like. It does not have to be pretty.

>>> It made for me no sense to leave parts of the crypto (TLS-auth and
>>> HMACs) in the global section, especially because there are also
>>> even
>>> more algorithms, but also new options for the TLS authentication
>>> which
>>> i have all integrated so i moved them also into that place (patch
>>> 6/7
>>> and 7/7).
>> 
>> I remember that we have agreed to move the existing crypto options to
>> the advanced page.
> Yes, me too and i thought you meant an dedicated crypto page like it is
> for IPSec but you meant the advanced server section ? If yes we would
> mix then routing logging, DNS/WINS options with MTU related configure
> options. Also, the crypto section can have also some additionals like
> key lieftime, tls-version (if someone wants only TLSv1.3) and may some
> other upcoming stuff.

That can all go to the advanced page in my opinion.

>> 
>>> The control-channel cipher selection (patch 5/7) is new and should
>>> be
>>> really a part for the advanced ones, therefor no defaults has been
>>> set,
>>> it simply won´t appear if nothing has been configured.
>> 
>> What is the benefit of choosing a different cipher for the control
>> channel?
> This one is not really needed, as mentioned above OpenVPN makes then
> this desicion by it´s own.

Okay, but why do we have it then? :)

>> 
>>> I have the problem that I cannot get on top of these things. You
>>> are
>>> submitting *massive* patchsets, in this case I even believe that
>>> the
>>> whole things has been submitted a second time, although I do not
>>> know
>>> if there are any changes.
>>> Yes there are. Old and deprecated ciphers will now be detected and
>>> a
>>> warning comes up in the global section to change them as soon as
>>> possible (patch 3/7), also all languages has been translated and
>>> has
>>> been included.
>>> Also i wanted to split it in more specific topics for better
>>> overview
>>> but it seems that i have been failed.
>> 
>> I do not think that you have failed. I just think that it is not
>> clear what the patch intended to do. So I cannot really look at it
>> and verify if the code actually does what you want it to do.
>> 
>> Could it have been split into even smaller changes? Yes, would that
>> have helped? Maybe. But I do not think that we should waste too much
>> time to reformat the patches. I want the changes to be ready to be
>> merged as soon as possible.
> OK. Let´s go through this then. I have attached also screenshots for
> all changes for a better first impression.

That was very helpful to me.

>> 
>>> I could not even find out *what* you are actually trying to do.
>>> There
>>> are more and more buttons being added and I have not the slightest
>>> idea
>>> what I am supposed to do with them. I have given my thoughts about
>>> the
>>> cipher selection and I felt that I have not been heard.
>>> One intention was that you do not need anything to do except you
>>> want
>>> to do some advanced crypto stuff. The rest should have already been
>>> made...
>>> 
>>> 
>>> I fear that this is all way too complicated. I cannot review what I
>>> do
>>> not even understand what the desired outcome is. And failing to
>>> understand that either means that it is either way too complicated
>>> or I
>>> have not read enough anywhere about all of this.
>>> Please check out the above linked topic where you have wrote
>>> suggestions that i simply tried to achieve but again, it seems that
>>> i
>>> was not successfull with this...
>> 
>> So, maybe help me to understand why the user would want to use
>> different ciphers for the control channel and for TLSv1.3/2.
> This is not needed  and i can easily let it out but mentioned beneath
> OpenVPN decided to give TLSv1.2 another directive then TLSv1.3 therefor
> the two boxes.

Yes, I think choosing this once is enough.

>> I consider my ciphers as follows:
>> 
>> * Which algorithms do I trust? If I do not trust AES for example, I
>> would unselect it for everything, regardless if that is the control
>> or data channel).
>> 
>> * What does my hardware support? I would want to choose AES if my
>> hardware has acceleration for it.
>> 
>> * Then I would sort them by most secure first (e.g. AES-256, then
>> AES-192 and so on…)
>> 
>> I can replicate that with only one multiple-select box that simply
>> lists:
>> 
>> * AES-256-GCM
>> * AES-256-CBC
>> * AES-128-GCM
>> * AES-128-CBC
>> * ChaCha20-Poly1305
>> * Blowfish
>> * ...
> 
> This is a problen there is exactly the same, this are two directives. -
> -data-cipher does NCP whereby --data-ciphers-fallback substitutes --
> cipher. If we leave --data-ciphers-fallback out and work only with --
> data-ciphers' clients which do not have this directive can not connect.

No no, we want to be compatible with older clients and there should be a dropdown that works just like the old cipher selection.

It should be possible to turn it off though by adding a “disabled” option.

> Also, client which are <=2.5.0 do not understands both directives and
> simply do not starts. To find a way out in this foggy world i delivered
> a checkbox while client creation so the user have the possiblity to
> bring the new directive into client.ovpn but also old clients can be
> changed/updated via the edit menu.

The clients should not have any cipher configuration now since they should automatically negotiate it - which is enabled by default.

>> 
>> And a second one that has
>> 
>> * SHA512
>> * SHA384
>> * SHA256
>> * …
> 
> The HMACs can not be used for negotiation, this is only a single
> selection.

Well, that is bad. That means we still do not have full negotiation?

>> The code will then have to convert this into the fancy names for the
>> OpenVPN configuration file. But I suppose that should be easy to do.
>> 
>> That way, the user can be certain that they have chosen the right
>> thing for everything in one go.
>> 
>>> So, could you please summarise for me what you want to achieve
>>> here?
>>> Hope i have it done above.
>> 
>> Thank you for that.
>> 
>> I really appreciate all this time that you have invested in this, and
>> the code looks clean. I just think we have been on different pages
>> about what we want it to look and feel like for the user.
> Thank you too. This one really needs a lot of time and testing around
> and also with help from Adolf it comes to this where it currently is.

Great teamwork!

> 
>> 
>>> Is this supposed to make OpenVPN more compatible, secure, or
>>> anything
>>> else?
>>> Yes both but also easier since the user do not need to do anything
>>> but
>>> he should become more security under the hood, the backward and the
>>> forward compatibility should be in a better standing than before
>>> and if
>>> someone wants to go into the depth, this is even also possible.
>> 
>> I think that you have implemented the “pro” version here. It has all
>> the buttons you need and uses all features of OpenVPN. But it is
>> complicated. So maybe lets hide it from the user that there is a
>> control and data channel. Does the user need to know about this? I do
>> not think so. It will work either way.
> 
> No there is no must for the control-channel cipher selection... If one
> is in, it is sometimes nice to walk through all that ;-).
> 
>> 
>>> Why do we not talk about this before things are being implemented,
>>> or
>>> did I just miss the discussion?
>>> Yes i think you missed some of that, hopefully i could remind you
>>> on
>>> some points.
>> 
>> This is good progress :)
> 
> Happy to here this.

Okay, so what are the next steps now?

-Michael

> 
> 
> Best,
> 
> Erik
> 
>> 
>> -Michael
>> 
>>> 
>>> -Michael
>>> 
>>> Best,
>>> 
>>> Erik
>>> 
>>> 
>>>> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>> 
>>>> Hi all,
>>>> just wanted to ask if there is still interest in this patch
>>>> series ?
>>>> 
>>>> Best,
>>>> 
>>>> Erik
>>>> 
>>> 
>>> 
>>> 
>> 
> <advanced_encryption_with_defaults.png><client_version.png><global_settings.png><deprectaed_ciphers_warning.png>

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 15358 bytes --]

Hi Michael,
there is currently a lot of other real world stuff around me and my
time is really less since things out there do not get easier these
days, at least for me.

If more time and motivation (which is most important) comes up i will
may go for another try to accomplish this topic with your suggestions.
I would also finish this conversation here since it is hardly
comprehensible and a possible v3 would differs a lot.

If someone else wanted to jump in this topic with solutions i am more
then happy with this.

All the best,

Erik


Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
> Hi,
> 
> > On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > 
> > Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael Tremer:
> > > Hi,
> > > 
> > > > On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi Michael,
> > > > thanks for looking into this.
> > > > 
> > > > Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael
> > > > Tremer:
> > > > > Hello Erik,
> > > > > 
> > > > > Yes, I am very much interested in this.
> > > > > 
> > > > > And I have spent pretty much an hour to make sense out of all
> > > > > of
> > > > > this, and unfortunately have to report that I failed.
> > > > that´s not good to hear. OK, let me explain... I tried to come
> > > > up
> > > > with
> > > > a solution where we already have spoken more times about in the
> > > > past, i
> > > > tried to follow up your suggestions, the latest about that
> > > > topic
> > > > was
> > > > here -->
> > > > https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> > > > in Oktober to bring up "a select box where multiple algorithms
> > > > can
> > > > be
> > > > chosen (like in IPsec)". Since --cipher is deprectaed and will
> > > > be
> > > > replaced by --data-ciphers which is a >=2.5.0 option we need
> > > > another
> > > > selection field for the --data-ciphers-fallback which is a
> > > > replacement
> > > > for --cipher and the server uses this directive to talk also to
> > > > client
> > > > which are <2.5.0 .
> > > 
> > > Yes, the ciphers. But as far as I understand this, you are
> > > offering
> > > to select the whole cipher suite. That is something different.
> > > 
> > > And you are offering different options for TLSv1.3 and lower,
> > > which
> > > we do not do in IPsec either. You have one selection for both
> > > IKEv1
> > > and IKEv2.
> > Yes, i thougt it might be an idea for the advanced section be it is
> > not
> > really needed since OpenVPN uses his own choice for the control-
> > chanel
> > if nothing has been configured.
> 
> That probably isn’t good then. The UI should at least show the user
> what is being used.
> 
> If we want OpenVPN to chose what is best, there should be some option
> that says “automatic” at least.
> 
> > > > OpenVPN presses to use cipher negotiation which we have avoid
> > > > since
> > > > the
> > > > release of 2.4 with --ncp-disable, this option is no also
> > > > deprecated so
> > > > we need to take action on this.
> > > 
> > > I will skip my moan about introducing something and then
> > > deprecating
> > > it shortly after…
> > It was good that we did not act at that time.
> 
> In hindsight yes. But we didn’t know back then that things would
> change again, and we do not know now if things will change another
> time in the near future.
> 
> So, we have to do “best-effort” here.
> 
> > > 
> > > I agree that we need to act.
> > > 
> > > > We need to have then two new options, two seletion boxes which
> > > > are
> > > > odd
> > > > to see in the global section. I tried it in the advanced server
> > > > section
> > > > too and it looks even more confusing with all the other already
> > > > existing options, nothing i wanted to do. So i thought your
> > > > above
> > > > linked suggestions are pretty straight forward and the best
> > > > solution to
> > > > build an own crypto section which do have already defaults,
> > > > nobody
> > > > needs to do there anyting, the global section has been cleaned
> > > > up
> > > > and
> > > > it should be even easier for everone to overview.
> > > 
> > > We have touched this topic multiple times. And I remember the
> > > last
> > > conclusion as follows:
> > > 
> > > The average user does not have to touch the advanced options.
> > > They
> > > have to put in their subnet, select a port and protocol maybe and
> > > that is about it. They do not need to think about what cipher to
> > > use,
> > > because we would have selected a reasonable default. If they want
> > > to
> > > change something (because of hardware requirements, etc.) they
> > > can do
> > > that on the advanced page.
> > This is exactly what i did.
> 
> Okay. So why is there an extra page then, and not a section on the
> advanced page?
> 
> I like the now cleaner look of the main page which only has the bare
> necessities.
> 
> > > 
> > > I agree that this is all not idea, but adding a third page to
> > > this
> > > all makes it rather more confusing than less.
> > Not sure if i understand you here right. You mentioned above the
> > advanced page but i understand you here that you do not want a
> > third
> > one ?
> 
> There is the main page, where things can be configured (subnet, port,
> protocol, …), then advanced options, and now the cryptography
> options. 
> 
> They are all the same - in that they directly change the OpenVPN
> configuration - and we only wanted to split them by two things:
> 
> a) Is it likely that the user will change them?
> 
> b) Or is this an option that the average user should not touch.
> 
> The advanced settings page can be as long as we like. It does not
> have to be pretty.
> 
> > > > It made for me no sense to leave parts of the crypto (TLS-auth
> > > > and
> > > > HMACs) in the global section, especially because there are also
> > > > even
> > > > more algorithms, but also new options for the TLS
> > > > authentication
> > > > which
> > > > i have all integrated so i moved them also into that place
> > > > (patch
> > > > 6/7
> > > > and 7/7).
> > > 
> > > I remember that we have agreed to move the existing crypto
> > > options to
> > > the advanced page.
> > Yes, me too and i thought you meant an dedicated crypto page like
> > it is
> > for IPSec but you meant the advanced server section ? If yes we
> > would
> > mix then routing logging, DNS/WINS options with MTU related
> > configure
> > options. Also, the crypto section can have also some additionals
> > like
> > key lieftime, tls-version (if someone wants only TLSv1.3) and may
> > some
> > other upcoming stuff.
> 
> That can all go to the advanced page in my opinion.
> 
> > > 
> > > > The control-channel cipher selection (patch 5/7) is new and
> > > > should
> > > > be
> > > > really a part for the advanced ones, therefor no defaults has
> > > > been
> > > > set,
> > > > it simply won´t appear if nothing has been configured.
> > > 
> > > What is the benefit of choosing a different cipher for the
> > > control
> > > channel?
> > This one is not really needed, as mentioned above OpenVPN makes
> > then
> > this desicion by it´s own.
> 
> Okay, but why do we have it then? :)
> 
> > > 
> > > > I have the problem that I cannot get on top of these things.
> > > > You
> > > > are
> > > > submitting *massive* patchsets, in this case I even believe
> > > > that
> > > > the
> > > > whole things has been submitted a second time, although I do
> > > > not
> > > > know
> > > > if there are any changes.
> > > > Yes there are. Old and deprecated ciphers will now be detected
> > > > and
> > > > a
> > > > warning comes up in the global section to change them as soon
> > > > as
> > > > possible (patch 3/7), also all languages has been translated
> > > > and
> > > > has
> > > > been included.
> > > > Also i wanted to split it in more specific topics for better
> > > > overview
> > > > but it seems that i have been failed.
> > > 
> > > I do not think that you have failed. I just think that it is not
> > > clear what the patch intended to do. So I cannot really look at
> > > it
> > > and verify if the code actually does what you want it to do.
> > > 
> > > Could it have been split into even smaller changes? Yes, would
> > > that
> > > have helped? Maybe. But I do not think that we should waste too
> > > much
> > > time to reformat the patches. I want the changes to be ready to
> > > be
> > > merged as soon as possible.
> > OK. Let´s go through this then. I have attached also screenshots
> > for
> > all changes for a better first impression.
> 
> That was very helpful to me.
> 
> > > 
> > > > I could not even find out *what* you are actually trying to do.
> > > > There
> > > > are more and more buttons being added and I have not the
> > > > slightest
> > > > idea
> > > > what I am supposed to do with them. I have given my thoughts
> > > > about
> > > > the
> > > > cipher selection and I felt that I have not been heard.
> > > > One intention was that you do not need anything to do except
> > > > you
> > > > want
> > > > to do some advanced crypto stuff. The rest should have already
> > > > been
> > > > made...
> > > > 
> > > > 
> > > > I fear that this is all way too complicated. I cannot review
> > > > what I
> > > > do
> > > > not even understand what the desired outcome is. And failing to
> > > > understand that either means that it is either way too
> > > > complicated
> > > > or I
> > > > have not read enough anywhere about all of this.
> > > > Please check out the above linked topic where you have wrote
> > > > suggestions that i simply tried to achieve but again, it seems
> > > > that
> > > > i
> > > > was not successfull with this...
> > > 
> > > So, maybe help me to understand why the user would want to use
> > > different ciphers for the control channel and for TLSv1.3/2.
> > This is not needed  and i can easily let it out but mentioned
> > beneath
> > OpenVPN decided to give TLSv1.2 another directive then TLSv1.3
> > therefor
> > the two boxes.
> 
> Yes, I think choosing this once is enough.
> 
> > > I consider my ciphers as follows:
> > > 
> > > * Which algorithms do I trust? If I do not trust AES for example,
> > > I
> > > would unselect it for everything, regardless if that is the
> > > control
> > > or data channel).
> > > 
> > > * What does my hardware support? I would want to choose AES if my
> > > hardware has acceleration for it.
> > > 
> > > * Then I would sort them by most secure first (e.g. AES-256, then
> > > AES-192 and so on…)
> > > 
> > > I can replicate that with only one multiple-select box that
> > > simply
> > > lists:
> > > 
> > > * AES-256-GCM
> > > * AES-256-CBC
> > > * AES-128-GCM
> > > * AES-128-CBC
> > > * ChaCha20-Poly1305
> > > * Blowfish
> > > * ...
> > 
> > This is a problen there is exactly the same, this are two
> > directives. -
> > -data-cipher does NCP whereby --data-ciphers-fallback substitutes -
> > -
> > cipher. If we leave --data-ciphers-fallback out and work only with
> > --
> > data-ciphers' clients which do not have this directive can not
> > connect.
> 
> No no, we want to be compatible with older clients and there should
> be a dropdown that works just like the old cipher selection.
> 
> It should be possible to turn it off though by adding a “disabled”
> option.
> 
> > Also, client which are <=2.5.0 do not understands both directives
> > and
> > simply do not starts. To find a way out in this foggy world i
> > delivered
> > a checkbox while client creation so the user have the possiblity to
> > bring the new directive into client.ovpn but also old clients can
> > be
> > changed/updated via the edit menu.
> 
> The clients should not have any cipher configuration now since they
> should automatically negotiate it - which is enabled by default.
> 
> > > 
> > > And a second one that has
> > > 
> > > * SHA512
> > > * SHA384
> > > * SHA256
> > > * …
> > 
> > The HMACs can not be used for negotiation, this is only a single
> > selection.
> 
> Well, that is bad. That means we still do not have full negotiation?
> 
> > > The code will then have to convert this into the fancy names for
> > > the
> > > OpenVPN configuration file. But I suppose that should be easy to
> > > do.
> > > 
> > > That way, the user can be certain that they have chosen the right
> > > thing for everything in one go.
> > > 
> > > > So, could you please summarise for me what you want to achieve
> > > > here?
> > > > Hope i have it done above.
> > > 
> > > Thank you for that.
> > > 
> > > I really appreciate all this time that you have invested in this,
> > > and
> > > the code looks clean. I just think we have been on different
> > > pages
> > > about what we want it to look and feel like for the user.
> > Thank you too. This one really needs a lot of time and testing
> > around
> > and also with help from Adolf it comes to this where it currently
> > is.
> 
> Great teamwork!
> 
> > 
> > > 
> > > > Is this supposed to make OpenVPN more compatible, secure, or
> > > > anything
> > > > else?
> > > > Yes both but also easier since the user do not need to do
> > > > anything
> > > > but
> > > > he should become more security under the hood, the backward and
> > > > the
> > > > forward compatibility should be in a better standing than
> > > > before
> > > > and if
> > > > someone wants to go into the depth, this is even also possible.
> > > 
> > > I think that you have implemented the “pro” version here. It has
> > > all
> > > the buttons you need and uses all features of OpenVPN. But it is
> > > complicated. So maybe lets hide it from the user that there is a
> > > control and data channel. Does the user need to know about this?
> > > I do
> > > not think so. It will work either way.
> > 
> > No there is no must for the control-channel cipher selection... If
> > one
> > is in, it is sometimes nice to walk through all that ;-).
> > 
> > > 
> > > > Why do we not talk about this before things are being
> > > > implemented,
> > > > or
> > > > did I just miss the discussion?
> > > > Yes i think you missed some of that, hopefully i could remind
> > > > you
> > > > on
> > > > some points.
> > > 
> > > This is good progress :)
> > 
> > Happy to here this.
> 
> Okay, so what are the next steps now?
> 
> -Michael
> 
> > 
> > 
> > Best,
> > 
> > Erik
> > 
> > > 
> > > -Michael
> > > 
> > > > 
> > > > -Michael
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > > On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org>
> > > > > wrote:
> > > > > 
> > > > > Hi all,
> > > > > just wanted to ask if there is still interest in this patch
> > > > > series ?
> > > > > 
> > > > > Best,
> > > > > 
> > > > > Erik
> > > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > <advanced_encryption_with_defaults.png><client_version.png><global_
> > settings.png><deprectaed_ciphers_warning.png>
> 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 15357 bytes --]

Hi Erik,

I have been keeping an eye on this OpenVPN thread anyway so I am willing to pick this up and see if I can help.

As I am no where near as proficient in OpenVPN as you I may end up needing some guidance but am willing to give it a go and see how things go.

I have a couple of bugs with my name against them that I want to get moving first but then I will pick this topic up if you are okay with that.

Regards,

Adolf.

On 13/01/2021 10:18, ummeegge wrote:
> Hi Michael,
> there is currently a lot of other real world stuff around me and my
> time is really less since things out there do not get easier these
> days, at least for me.
> 
> If more time and motivation (which is most important) comes up i will
> may go for another try to accomplish this topic with your suggestions.
> I would also finish this conversation here since it is hardly
> comprehensible and a possible v3 would differs a lot.
> 
> If someone else wanted to jump in this topic with solutions i am more
> then happy with this.
> 
> All the best,
> 
> Erik
> 
> 
> Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
>> Hi,
>>
>>> On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>
>>> Hi Michael,
>>>
>>> Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael Tremer:
>>>> Hi,
>>>>
>>>>> On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>>
>>>>> Hi Michael,
>>>>> thanks for looking into this.
>>>>>
>>>>> Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael
>>>>> Tremer:
>>>>>> Hello Erik,
>>>>>>
>>>>>> Yes, I am very much interested in this.
>>>>>>
>>>>>> And I have spent pretty much an hour to make sense out of all
>>>>>> of
>>>>>> this, and unfortunately have to report that I failed.
>>>>> that´s not good to hear. OK, let me explain... I tried to come
>>>>> up
>>>>> with
>>>>> a solution where we already have spoken more times about in the
>>>>> past, i
>>>>> tried to follow up your suggestions, the latest about that
>>>>> topic
>>>>> was
>>>>> here -->
>>>>> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
>>>>> in Oktober to bring up "a select box where multiple algorithms
>>>>> can
>>>>> be
>>>>> chosen (like in IPsec)". Since --cipher is deprectaed and will
>>>>> be
>>>>> replaced by --data-ciphers which is a >=2.5.0 option we need
>>>>> another
>>>>> selection field for the --data-ciphers-fallback which is a
>>>>> replacement
>>>>> for --cipher and the server uses this directive to talk also to
>>>>> client
>>>>> which are <2.5.0 .
>>>>
>>>> Yes, the ciphers. But as far as I understand this, you are
>>>> offering
>>>> to select the whole cipher suite. That is something different.
>>>>
>>>> And you are offering different options for TLSv1.3 and lower,
>>>> which
>>>> we do not do in IPsec either. You have one selection for both
>>>> IKEv1
>>>> and IKEv2.
>>> Yes, i thougt it might be an idea for the advanced section be it is
>>> not
>>> really needed since OpenVPN uses his own choice for the control-
>>> chanel
>>> if nothing has been configured.
>>
>> That probably isn’t good then. The UI should at least show the user
>> what is being used.
>>
>> If we want OpenVPN to chose what is best, there should be some option
>> that says “automatic” at least.
>>
>>>>> OpenVPN presses to use cipher negotiation which we have avoid
>>>>> since
>>>>> the
>>>>> release of 2.4 with --ncp-disable, this option is no also
>>>>> deprecated so
>>>>> we need to take action on this.
>>>>
>>>> I will skip my moan about introducing something and then
>>>> deprecating
>>>> it shortly after…
>>> It was good that we did not act at that time.
>>
>> In hindsight yes. But we didn’t know back then that things would
>> change again, and we do not know now if things will change another
>> time in the near future.
>>
>> So, we have to do “best-effort” here.
>>
>>>>
>>>> I agree that we need to act.
>>>>
>>>>> We need to have then two new options, two seletion boxes which
>>>>> are
>>>>> odd
>>>>> to see in the global section. I tried it in the advanced server
>>>>> section
>>>>> too and it looks even more confusing with all the other already
>>>>> existing options, nothing i wanted to do. So i thought your
>>>>> above
>>>>> linked suggestions are pretty straight forward and the best
>>>>> solution to
>>>>> build an own crypto section which do have already defaults,
>>>>> nobody
>>>>> needs to do there anyting, the global section has been cleaned
>>>>> up
>>>>> and
>>>>> it should be even easier for everone to overview.
>>>>
>>>> We have touched this topic multiple times. And I remember the
>>>> last
>>>> conclusion as follows:
>>>>
>>>> The average user does not have to touch the advanced options.
>>>> They
>>>> have to put in their subnet, select a port and protocol maybe and
>>>> that is about it. They do not need to think about what cipher to
>>>> use,
>>>> because we would have selected a reasonable default. If they want
>>>> to
>>>> change something (because of hardware requirements, etc.) they
>>>> can do
>>>> that on the advanced page.
>>> This is exactly what i did.
>>
>> Okay. So why is there an extra page then, and not a section on the
>> advanced page?
>>
>> I like the now cleaner look of the main page which only has the bare
>> necessities.
>>
>>>>
>>>> I agree that this is all not idea, but adding a third page to
>>>> this
>>>> all makes it rather more confusing than less.
>>> Not sure if i understand you here right. You mentioned above the
>>> advanced page but i understand you here that you do not want a
>>> third
>>> one ?
>>
>> There is the main page, where things can be configured (subnet, port,
>> protocol, …), then advanced options, and now the cryptography
>> options.
>>
>> They are all the same - in that they directly change the OpenVPN
>> configuration - and we only wanted to split them by two things:
>>
>> a) Is it likely that the user will change them?
>>
>> b) Or is this an option that the average user should not touch.
>>
>> The advanced settings page can be as long as we like. It does not
>> have to be pretty.
>>
>>>>> It made for me no sense to leave parts of the crypto (TLS-auth
>>>>> and
>>>>> HMACs) in the global section, especially because there are also
>>>>> even
>>>>> more algorithms, but also new options for the TLS
>>>>> authentication
>>>>> which
>>>>> i have all integrated so i moved them also into that place
>>>>> (patch
>>>>> 6/7
>>>>> and 7/7).
>>>>
>>>> I remember that we have agreed to move the existing crypto
>>>> options to
>>>> the advanced page.
>>> Yes, me too and i thought you meant an dedicated crypto page like
>>> it is
>>> for IPSec but you meant the advanced server section ? If yes we
>>> would
>>> mix then routing logging, DNS/WINS options with MTU related
>>> configure
>>> options. Also, the crypto section can have also some additionals
>>> like
>>> key lieftime, tls-version (if someone wants only TLSv1.3) and may
>>> some
>>> other upcoming stuff.
>>
>> That can all go to the advanced page in my opinion.
>>
>>>>
>>>>> The control-channel cipher selection (patch 5/7) is new and
>>>>> should
>>>>> be
>>>>> really a part for the advanced ones, therefor no defaults has
>>>>> been
>>>>> set,
>>>>> it simply won´t appear if nothing has been configured.
>>>>
>>>> What is the benefit of choosing a different cipher for the
>>>> control
>>>> channel?
>>> This one is not really needed, as mentioned above OpenVPN makes
>>> then
>>> this desicion by it´s own.
>>
>> Okay, but why do we have it then? :)
>>
>>>>
>>>>> I have the problem that I cannot get on top of these things.
>>>>> You
>>>>> are
>>>>> submitting *massive* patchsets, in this case I even believe
>>>>> that
>>>>> the
>>>>> whole things has been submitted a second time, although I do
>>>>> not
>>>>> know
>>>>> if there are any changes.
>>>>> Yes there are. Old and deprecated ciphers will now be detected
>>>>> and
>>>>> a
>>>>> warning comes up in the global section to change them as soon
>>>>> as
>>>>> possible (patch 3/7), also all languages has been translated
>>>>> and
>>>>> has
>>>>> been included.
>>>>> Also i wanted to split it in more specific topics for better
>>>>> overview
>>>>> but it seems that i have been failed.
>>>>
>>>> I do not think that you have failed. I just think that it is not
>>>> clear what the patch intended to do. So I cannot really look at
>>>> it
>>>> and verify if the code actually does what you want it to do.
>>>>
>>>> Could it have been split into even smaller changes? Yes, would
>>>> that
>>>> have helped? Maybe. But I do not think that we should waste too
>>>> much
>>>> time to reformat the patches. I want the changes to be ready to
>>>> be
>>>> merged as soon as possible.
>>> OK. Let´s go through this then. I have attached also screenshots
>>> for
>>> all changes for a better first impression.
>>
>> That was very helpful to me.
>>
>>>>
>>>>> I could not even find out *what* you are actually trying to do.
>>>>> There
>>>>> are more and more buttons being added and I have not the
>>>>> slightest
>>>>> idea
>>>>> what I am supposed to do with them. I have given my thoughts
>>>>> about
>>>>> the
>>>>> cipher selection and I felt that I have not been heard.
>>>>> One intention was that you do not need anything to do except
>>>>> you
>>>>> want
>>>>> to do some advanced crypto stuff. The rest should have already
>>>>> been
>>>>> made...
>>>>>
>>>>>
>>>>> I fear that this is all way too complicated. I cannot review
>>>>> what I
>>>>> do
>>>>> not even understand what the desired outcome is. And failing to
>>>>> understand that either means that it is either way too
>>>>> complicated
>>>>> or I
>>>>> have not read enough anywhere about all of this.
>>>>> Please check out the above linked topic where you have wrote
>>>>> suggestions that i simply tried to achieve but again, it seems
>>>>> that
>>>>> i
>>>>> was not successfull with this...
>>>>
>>>> So, maybe help me to understand why the user would want to use
>>>> different ciphers for the control channel and for TLSv1.3/2.
>>> This is not needed  and i can easily let it out but mentioned
>>> beneath
>>> OpenVPN decided to give TLSv1.2 another directive then TLSv1.3
>>> therefor
>>> the two boxes.
>>
>> Yes, I think choosing this once is enough.
>>
>>>> I consider my ciphers as follows:
>>>>
>>>> * Which algorithms do I trust? If I do not trust AES for example,
>>>> I
>>>> would unselect it for everything, regardless if that is the
>>>> control
>>>> or data channel).
>>>>
>>>> * What does my hardware support? I would want to choose AES if my
>>>> hardware has acceleration for it.
>>>>
>>>> * Then I would sort them by most secure first (e.g. AES-256, then
>>>> AES-192 and so on…)
>>>>
>>>> I can replicate that with only one multiple-select box that
>>>> simply
>>>> lists:
>>>>
>>>> * AES-256-GCM
>>>> * AES-256-CBC
>>>> * AES-128-GCM
>>>> * AES-128-CBC
>>>> * ChaCha20-Poly1305
>>>> * Blowfish
>>>> * ...
>>>
>>> This is a problen there is exactly the same, this are two
>>> directives. -
>>> -data-cipher does NCP whereby --data-ciphers-fallback substitutes -
>>> -
>>> cipher. If we leave --data-ciphers-fallback out and work only with
>>> --
>>> data-ciphers' clients which do not have this directive can not
>>> connect.
>>
>> No no, we want to be compatible with older clients and there should
>> be a dropdown that works just like the old cipher selection.
>>
>> It should be possible to turn it off though by adding a “disabled”
>> option.
>>
>>> Also, client which are <=2.5.0 do not understands both directives
>>> and
>>> simply do not starts. To find a way out in this foggy world i
>>> delivered
>>> a checkbox while client creation so the user have the possiblity to
>>> bring the new directive into client.ovpn but also old clients can
>>> be
>>> changed/updated via the edit menu.
>>
>> The clients should not have any cipher configuration now since they
>> should automatically negotiate it - which is enabled by default.
>>
>>>>
>>>> And a second one that has
>>>>
>>>> * SHA512
>>>> * SHA384
>>>> * SHA256
>>>> * …
>>>
>>> The HMACs can not be used for negotiation, this is only a single
>>> selection.
>>
>> Well, that is bad. That means we still do not have full negotiation?
>>
>>>> The code will then have to convert this into the fancy names for
>>>> the
>>>> OpenVPN configuration file. But I suppose that should be easy to
>>>> do.
>>>>
>>>> That way, the user can be certain that they have chosen the right
>>>> thing for everything in one go.
>>>>
>>>>> So, could you please summarise for me what you want to achieve
>>>>> here?
>>>>> Hope i have it done above.
>>>>
>>>> Thank you for that.
>>>>
>>>> I really appreciate all this time that you have invested in this,
>>>> and
>>>> the code looks clean. I just think we have been on different
>>>> pages
>>>> about what we want it to look and feel like for the user.
>>> Thank you too. This one really needs a lot of time and testing
>>> around
>>> and also with help from Adolf it comes to this where it currently
>>> is.
>>
>> Great teamwork!
>>
>>>
>>>>
>>>>> Is this supposed to make OpenVPN more compatible, secure, or
>>>>> anything
>>>>> else?
>>>>> Yes both but also easier since the user do not need to do
>>>>> anything
>>>>> but
>>>>> he should become more security under the hood, the backward and
>>>>> the
>>>>> forward compatibility should be in a better standing than
>>>>> before
>>>>> and if
>>>>> someone wants to go into the depth, this is even also possible.
>>>>
>>>> I think that you have implemented the “pro” version here. It has
>>>> all
>>>> the buttons you need and uses all features of OpenVPN. But it is
>>>> complicated. So maybe lets hide it from the user that there is a
>>>> control and data channel. Does the user need to know about this?
>>>> I do
>>>> not think so. It will work either way.
>>>
>>> No there is no must for the control-channel cipher selection... If
>>> one
>>> is in, it is sometimes nice to walk through all that ;-).
>>>
>>>>
>>>>> Why do we not talk about this before things are being
>>>>> implemented,
>>>>> or
>>>>> did I just miss the discussion?
>>>>> Yes i think you missed some of that, hopefully i could remind
>>>>> you
>>>>> on
>>>>> some points.
>>>>
>>>> This is good progress :)
>>>
>>> Happy to here this.
>>
>> Okay, so what are the next steps now?
>>
>> -Michael
>>
>>>
>>>
>>> Best,
>>>
>>> Erik
>>>
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> -Michael
>>>>>
>>>>> Best,
>>>>>
>>>>> Erik
>>>>>
>>>>>
>>>>>> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org>
>>>>>> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>> just wanted to ask if there is still interest in this patch
>>>>>> series ?
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Erik
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>> <advanced_encryption_with_defaults.png><client_version.png><global_
>>> settings.png><deprectaed_ciphers_warning.png>
>>
> 
> 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 18951 bytes --]

Good morning Adolf,

Am Donnerstag, dem 14.01.2021 um 19:50 +0100 schrieb Adolf Belka:
> Hi Erik,
> 
> I have been keeping an eye on this OpenVPN thread anyway so I am
> willing to pick this up and see if I can help.
> 
> As I am no where near as proficient in OpenVPN as you I may end up
> needing some guidance but am willing to give it a go and see how
> things go.
Will try to help you out if i can.

> 
> I have a couple of bugs with my name against them that I want to get
> moving first but then I will pick this topic up if you are okay with
> that.
As mentioned before, i am more then happy with this.

> 
> Regards,
> 
> Adolf.

Best,

Erik

> 
> On 13/01/2021 10:18, ummeegge wrote:
> > Hi Michael,
> > there is currently a lot of other real world stuff around me and my
> > time is really less since things out there do not get easier these
> > days, at least for me.
> > 
> > If more time and motivation (which is most important) comes up i
> > will
> > may go for another try to accomplish this topic with your
> > suggestions.
> > I would also finish this conversation here since it is hardly
> > comprehensible and a possible v3 would differs a lot.
> > 
> > If someone else wanted to jump in this topic with solutions i am
> > more
> > then happy with this.
> > 
> > All the best,
> > 
> > Erik
> > 
> > 
> > Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
> > > Hi,
> > > 
> > > > On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi Michael,
> > > > 
> > > > Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael
> > > > Tremer:
> > > > > Hi,
> > > > > 
> > > > > > On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org>
> > > > > > wrote:
> > > > > > 
> > > > > > Hi Michael,
> > > > > > thanks for looking into this.
> > > > > > 
> > > > > > Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael
> > > > > > Tremer:
> > > > > > > Hello Erik,
> > > > > > > 
> > > > > > > Yes, I am very much interested in this.
> > > > > > > 
> > > > > > > And I have spent pretty much an hour to make sense out of
> > > > > > > all
> > > > > > > of
> > > > > > > this, and unfortunately have to report that I failed.
> > > > > > that´s not good to hear. OK, let me explain... I tried to
> > > > > > come
> > > > > > up
> > > > > > with
> > > > > > a solution where we already have spoken more times about in
> > > > > > the
> > > > > > past, i
> > > > > > tried to follow up your suggestions, the latest about that
> > > > > > topic
> > > > > > was
> > > > > > here -->
> > > > > >   
> > > > > > https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> > > > > > in Oktober to bring up "a select box where multiple
> > > > > > algorithms
> > > > > > can
> > > > > > be
> > > > > > chosen (like in IPsec)". Since --cipher is deprectaed and
> > > > > > will
> > > > > > be
> > > > > > replaced by --data-ciphers which is a >=2.5.0 option we
> > > > > > need
> > > > > > another
> > > > > > selection field for the --data-ciphers-fallback which is a
> > > > > > replacement
> > > > > > for --cipher and the server uses this directive to talk
> > > > > > also to
> > > > > > client
> > > > > > which are <2.5.0 .
> > > > > 
> > > > > Yes, the ciphers. But as far as I understand this, you are
> > > > > offering
> > > > > to select the whole cipher suite. That is something
> > > > > different.
> > > > > 
> > > > > And you are offering different options for TLSv1.3 and lower,
> > > > > which
> > > > > we do not do in IPsec either. You have one selection for both
> > > > > IKEv1
> > > > > and IKEv2.
> > > > Yes, i thougt it might be an idea for the advanced section be
> > > > it is
> > > > not
> > > > really needed since OpenVPN uses his own choice for the
> > > > control-
> > > > chanel
> > > > if nothing has been configured.
> > > 
> > > That probably isn’t good then. The UI should at least show the
> > > user
> > > what is being used.
> > > 
> > > If we want OpenVPN to chose what is best, there should be some
> > > option
> > > that says “automatic” at least.
> > > 
> > > > > > OpenVPN presses to use cipher negotiation which we have
> > > > > > avoid
> > > > > > since
> > > > > > the
> > > > > > release of 2.4 with --ncp-disable, this option is no also
> > > > > > deprecated so
> > > > > > we need to take action on this.
> > > > > 
> > > > > I will skip my moan about introducing something and then
> > > > > deprecating
> > > > > it shortly after…
> > > > It was good that we did not act at that time.
> > > 
> > > In hindsight yes. But we didn’t know back then that things would
> > > change again, and we do not know now if things will change
> > > another
> > > time in the near future.
> > > 
> > > So, we have to do “best-effort” here.
> > > 
> > > > > 
> > > > > I agree that we need to act.
> > > > > 
> > > > > > We need to have then two new options, two seletion boxes
> > > > > > which
> > > > > > are
> > > > > > odd
> > > > > > to see in the global section. I tried it in the advanced
> > > > > > server
> > > > > > section
> > > > > > too and it looks even more confusing with all the other
> > > > > > already
> > > > > > existing options, nothing i wanted to do. So i thought your
> > > > > > above
> > > > > > linked suggestions are pretty straight forward and the best
> > > > > > solution to
> > > > > > build an own crypto section which do have already defaults,
> > > > > > nobody
> > > > > > needs to do there anyting, the global section has been
> > > > > > cleaned
> > > > > > up
> > > > > > and
> > > > > > it should be even easier for everone to overview.
> > > > > 
> > > > > We have touched this topic multiple times. And I remember the
> > > > > last
> > > > > conclusion as follows:
> > > > > 
> > > > > The average user does not have to touch the advanced options.
> > > > > They
> > > > > have to put in their subnet, select a port and protocol maybe
> > > > > and
> > > > > that is about it. They do not need to think about what cipher
> > > > > to
> > > > > use,
> > > > > because we would have selected a reasonable default. If they
> > > > > want
> > > > > to
> > > > > change something (because of hardware requirements, etc.)
> > > > > they
> > > > > can do
> > > > > that on the advanced page.
> > > > This is exactly what i did.
> > > 
> > > Okay. So why is there an extra page then, and not a section on
> > > the
> > > advanced page?
> > > 
> > > I like the now cleaner look of the main page which only has the
> > > bare
> > > necessities.
> > > 
> > > > > 
> > > > > I agree that this is all not idea, but adding a third page to
> > > > > this
> > > > > all makes it rather more confusing than less.
> > > > Not sure if i understand you here right. You mentioned above
> > > > the
> > > > advanced page but i understand you here that you do not want a
> > > > third
> > > > one ?
> > > 
> > > There is the main page, where things can be configured (subnet,
> > > port,
> > > protocol, …), then advanced options, and now the cryptography
> > > options.
> > > 
> > > They are all the same - in that they directly change the OpenVPN
> > > configuration - and we only wanted to split them by two things:
> > > 
> > > a) Is it likely that the user will change them?
> > > 
> > > b) Or is this an option that the average user should not touch.
> > > 
> > > The advanced settings page can be as long as we like. It does not
> > > have to be pretty.
> > > 
> > > > > > It made for me no sense to leave parts of the crypto (TLS-
> > > > > > auth
> > > > > > and
> > > > > > HMACs) in the global section, especially because there are
> > > > > > also
> > > > > > even
> > > > > > more algorithms, but also new options for the TLS
> > > > > > authentication
> > > > > > which
> > > > > > i have all integrated so i moved them also into that place
> > > > > > (patch
> > > > > > 6/7
> > > > > > and 7/7).
> > > > > 
> > > > > I remember that we have agreed to move the existing crypto
> > > > > options to
> > > > > the advanced page.
> > > > Yes, me too and i thought you meant an dedicated crypto page
> > > > like
> > > > it is
> > > > for IPSec but you meant the advanced server section ? If yes we
> > > > would
> > > > mix then routing logging, DNS/WINS options with MTU related
> > > > configure
> > > > options. Also, the crypto section can have also some
> > > > additionals
> > > > like
> > > > key lieftime, tls-version (if someone wants only TLSv1.3) and
> > > > may
> > > > some
> > > > other upcoming stuff.
> > > 
> > > That can all go to the advanced page in my opinion.
> > > 
> > > > > 
> > > > > > The control-channel cipher selection (patch 5/7) is new and
> > > > > > should
> > > > > > be
> > > > > > really a part for the advanced ones, therefor no defaults
> > > > > > has
> > > > > > been
> > > > > > set,
> > > > > > it simply won´t appear if nothing has been configured.
> > > > > 
> > > > > What is the benefit of choosing a different cipher for the
> > > > > control
> > > > > channel?
> > > > This one is not really needed, as mentioned above OpenVPN makes
> > > > then
> > > > this desicion by it´s own.
> > > 
> > > Okay, but why do we have it then? :)
> > > 
> > > > > 
> > > > > > I have the problem that I cannot get on top of these
> > > > > > things.
> > > > > > You
> > > > > > are
> > > > > > submitting *massive* patchsets, in this case I even believe
> > > > > > that
> > > > > > the
> > > > > > whole things has been submitted a second time, although I
> > > > > > do
> > > > > > not
> > > > > > know
> > > > > > if there are any changes.
> > > > > > Yes there are. Old and deprecated ciphers will now be
> > > > > > detected
> > > > > > and
> > > > > > a
> > > > > > warning comes up in the global section to change them as
> > > > > > soon
> > > > > > as
> > > > > > possible (patch 3/7), also all languages has been
> > > > > > translated
> > > > > > and
> > > > > > has
> > > > > > been included.
> > > > > > Also i wanted to split it in more specific topics for
> > > > > > better
> > > > > > overview
> > > > > > but it seems that i have been failed.
> > > > > 
> > > > > I do not think that you have failed. I just think that it is
> > > > > not
> > > > > clear what the patch intended to do. So I cannot really look
> > > > > at
> > > > > it
> > > > > and verify if the code actually does what you want it to do.
> > > > > 
> > > > > Could it have been split into even smaller changes? Yes,
> > > > > would
> > > > > that
> > > > > have helped? Maybe. But I do not think that we should waste
> > > > > too
> > > > > much
> > > > > time to reformat the patches. I want the changes to be ready
> > > > > to
> > > > > be
> > > > > merged as soon as possible.
> > > > OK. Let´s go through this then. I have attached also
> > > > screenshots
> > > > for
> > > > all changes for a better first impression.
> > > 
> > > That was very helpful to me.
> > > 
> > > > > 
> > > > > > I could not even find out *what* you are actually trying to
> > > > > > do.
> > > > > > There
> > > > > > are more and more buttons being added and I have not the
> > > > > > slightest
> > > > > > idea
> > > > > > what I am supposed to do with them. I have given my
> > > > > > thoughts
> > > > > > about
> > > > > > the
> > > > > > cipher selection and I felt that I have not been heard.
> > > > > > One intention was that you do not need anything to do
> > > > > > except
> > > > > > you
> > > > > > want
> > > > > > to do some advanced crypto stuff. The rest should have
> > > > > > already
> > > > > > been
> > > > > > made...
> > > > > > 
> > > > > > 
> > > > > > I fear that this is all way too complicated. I cannot
> > > > > > review
> > > > > > what I
> > > > > > do
> > > > > > not even understand what the desired outcome is. And
> > > > > > failing to
> > > > > > understand that either means that it is either way too
> > > > > > complicated
> > > > > > or I
> > > > > > have not read enough anywhere about all of this.
> > > > > > Please check out the above linked topic where you have
> > > > > > wrote
> > > > > > suggestions that i simply tried to achieve but again, it
> > > > > > seems
> > > > > > that
> > > > > > i
> > > > > > was not successfull with this...
> > > > > 
> > > > > So, maybe help me to understand why the user would want to
> > > > > use
> > > > > different ciphers for the control channel and for TLSv1.3/2.
> > > > This is not needed  and i can easily let it out but mentioned
> > > > beneath
> > > > OpenVPN decided to give TLSv1.2 another directive then TLSv1.3
> > > > therefor
> > > > the two boxes.
> > > 
> > > Yes, I think choosing this once is enough.
> > > 
> > > > > I consider my ciphers as follows:
> > > > > 
> > > > > * Which algorithms do I trust? If I do not trust AES for
> > > > > example,
> > > > > I
> > > > > would unselect it for everything, regardless if that is the
> > > > > control
> > > > > or data channel).
> > > > > 
> > > > > * What does my hardware support? I would want to choose AES
> > > > > if my
> > > > > hardware has acceleration for it.
> > > > > 
> > > > > * Then I would sort them by most secure first (e.g. AES-256,
> > > > > then
> > > > > AES-192 and so on…)
> > > > > 
> > > > > I can replicate that with only one multiple-select box that
> > > > > simply
> > > > > lists:
> > > > > 
> > > > > * AES-256-GCM
> > > > > * AES-256-CBC
> > > > > * AES-128-GCM
> > > > > * AES-128-CBC
> > > > > * ChaCha20-Poly1305
> > > > > * Blowfish
> > > > > * ...
> > > > 
> > > > This is a problen there is exactly the same, this are two
> > > > directives. -
> > > > -data-cipher does NCP whereby --data-ciphers-fallback
> > > > substitutes -
> > > > -
> > > > cipher. If we leave --data-ciphers-fallback out and work only
> > > > with
> > > > --
> > > > data-ciphers' clients which do not have this directive can not
> > > > connect.
> > > 
> > > No no, we want to be compatible with older clients and there
> > > should
> > > be a dropdown that works just like the old cipher selection.
> > > 
> > > It should be possible to turn it off though by adding a
> > > “disabled”
> > > option.
> > > 
> > > > Also, client which are <=2.5.0 do not understands both
> > > > directives
> > > > and
> > > > simply do not starts. To find a way out in this foggy world i
> > > > delivered
> > > > a checkbox while client creation so the user have the
> > > > possiblity to
> > > > bring the new directive into client.ovpn but also old clients
> > > > can
> > > > be
> > > > changed/updated via the edit menu.
> > > 
> > > The clients should not have any cipher configuration now since
> > > they
> > > should automatically negotiate it - which is enabled by default.
> > > 
> > > > > 
> > > > > And a second one that has
> > > > > 
> > > > > * SHA512
> > > > > * SHA384
> > > > > * SHA256
> > > > > * …
> > > > 
> > > > The HMACs can not be used for negotiation, this is only a
> > > > single
> > > > selection.
> > > 
> > > Well, that is bad. That means we still do not have full
> > > negotiation?
> > > 
> > > > > The code will then have to convert this into the fancy names
> > > > > for
> > > > > the
> > > > > OpenVPN configuration file. But I suppose that should be easy
> > > > > to
> > > > > do.
> > > > > 
> > > > > That way, the user can be certain that they have chosen the
> > > > > right
> > > > > thing for everything in one go.
> > > > > 
> > > > > > So, could you please summarise for me what you want to
> > > > > > achieve
> > > > > > here?
> > > > > > Hope i have it done above.
> > > > > 
> > > > > Thank you for that.
> > > > > 
> > > > > I really appreciate all this time that you have invested in
> > > > > this,
> > > > > and
> > > > > the code looks clean. I just think we have been on different
> > > > > pages
> > > > > about what we want it to look and feel like for the user.
> > > > Thank you too. This one really needs a lot of time and testing
> > > > around
> > > > and also with help from Adolf it comes to this where it
> > > > currently
> > > > is.
> > > 
> > > Great teamwork!
> > > 
> > > > 
> > > > > 
> > > > > > Is this supposed to make OpenVPN more compatible, secure,
> > > > > > or
> > > > > > anything
> > > > > > else?
> > > > > > Yes both but also easier since the user do not need to do
> > > > > > anything
> > > > > > but
> > > > > > he should become more security under the hood, the backward
> > > > > > and
> > > > > > the
> > > > > > forward compatibility should be in a better standing than
> > > > > > before
> > > > > > and if
> > > > > > someone wants to go into the depth, this is even also
> > > > > > possible.
> > > > > 
> > > > > I think that you have implemented the “pro” version here. It
> > > > > has
> > > > > all
> > > > > the buttons you need and uses all features of OpenVPN. But it
> > > > > is
> > > > > complicated. So maybe lets hide it from the user that there
> > > > > is a
> > > > > control and data channel. Does the user need to know about
> > > > > this?
> > > > > I do
> > > > > not think so. It will work either way.
> > > > 
> > > > No there is no must for the control-channel cipher selection...
> > > > If
> > > > one
> > > > is in, it is sometimes nice to walk through all that ;-).
> > > > 
> > > > > 
> > > > > > Why do we not talk about this before things are being
> > > > > > implemented,
> > > > > > or
> > > > > > did I just miss the discussion?
> > > > > > Yes i think you missed some of that, hopefully i could
> > > > > > remind
> > > > > > you
> > > > > > on
> > > > > > some points.
> > > > > 
> > > > > This is good progress :)
> > > > 
> > > > Happy to here this.
> > > 
> > > Okay, so what are the next steps now?
> > > 
> > > -Michael
> > > 
> > > > 
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > > 
> > > > > -Michael
> > > > > 
> > > > > > 
> > > > > > -Michael
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > 
> > > > > > > On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > Hi all,
> > > > > > > just wanted to ask if there is still interest in this
> > > > > > > patch
> > > > > > > series ?
> > > > > > > 
> > > > > > > Best,
> > > > > > > 
> > > > > > > Erik
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > <advanced_encryption_with_defaults.png><client_version.png><glo
> > > > bal_
> > > > settings.png><deprectaed_ciphers_warning.png>
> > > 
> > 
> > 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 17096 bytes --]

Hi Erik,

Where can I get hold of your latest version of ovpnmain.cgi

Regards,

Adolf.

On 15/01/2021 05:56, ummeegge wrote:
> Good morning Adolf,
>
> Am Donnerstag, dem 14.01.2021 um 19:50 +0100 schrieb Adolf Belka:
>> Hi Erik,
>>
>> I have been keeping an eye on this OpenVPN thread anyway so I am
>> willing to pick this up and see if I can help.
>>
>> As I am no where near as proficient in OpenVPN as you I may end up
>> needing some guidance but am willing to give it a go and see how
>> things go.
> Will try to help you out if i can.
>
>> I have a couple of bugs with my name against them that I want to get
>> moving first but then I will pick this topic up if you are okay with
>> that.
> As mentioned before, i am more then happy with this.
>
>> Regards,
>>
>> Adolf.
> Best,
>
> Erik
>
>> On 13/01/2021 10:18, ummeegge wrote:
>>> Hi Michael,
>>> there is currently a lot of other real world stuff around me and my
>>> time is really less since things out there do not get easier these
>>> days, at least for me.
>>>
>>> If more time and motivation (which is most important) comes up i
>>> will
>>> may go for another try to accomplish this topic with your
>>> suggestions.
>>> I would also finish this conversation here since it is hardly
>>> comprehensible and a possible v3 would differs a lot.
>>>
>>> If someone else wanted to jump in this topic with solutions i am
>>> more
>>> then happy with this.
>>>
>>> All the best,
>>>
>>> Erik
>>>
>>>
>>> Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
>>>> Hi,
>>>>
>>>>> On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael
>>>>> Tremer:
>>>>>> Hi,
>>>>>>
>>>>>>> On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Michael,
>>>>>>> thanks for looking into this.
>>>>>>>
>>>>>>> Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael
>>>>>>> Tremer:
>>>>>>>> Hello Erik,
>>>>>>>>
>>>>>>>> Yes, I am very much interested in this.
>>>>>>>>
>>>>>>>> And I have spent pretty much an hour to make sense out of
>>>>>>>> all
>>>>>>>> of
>>>>>>>> this, and unfortunately have to report that I failed.
>>>>>>> that´s not good to hear. OK, let me explain... I tried to
>>>>>>> come
>>>>>>> up
>>>>>>> with
>>>>>>> a solution where we already have spoken more times about in
>>>>>>> the
>>>>>>> past, i
>>>>>>> tried to follow up your suggestions, the latest about that
>>>>>>> topic
>>>>>>> was
>>>>>>> here -->
>>>>>>>    
>>>>>>> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
>>>>>>> in Oktober to bring up "a select box where multiple
>>>>>>> algorithms
>>>>>>> can
>>>>>>> be
>>>>>>> chosen (like in IPsec)". Since --cipher is deprectaed and
>>>>>>> will
>>>>>>> be
>>>>>>> replaced by --data-ciphers which is a >=2.5.0 option we
>>>>>>> need
>>>>>>> another
>>>>>>> selection field for the --data-ciphers-fallback which is a
>>>>>>> replacement
>>>>>>> for --cipher and the server uses this directive to talk
>>>>>>> also to
>>>>>>> client
>>>>>>> which are <2.5.0 .
>>>>>> Yes, the ciphers. But as far as I understand this, you are
>>>>>> offering
>>>>>> to select the whole cipher suite. That is something
>>>>>> different.
>>>>>>
>>>>>> And you are offering different options for TLSv1.3 and lower,
>>>>>> which
>>>>>> we do not do in IPsec either. You have one selection for both
>>>>>> IKEv1
>>>>>> and IKEv2.
>>>>> Yes, i thougt it might be an idea for the advanced section be
>>>>> it is
>>>>> not
>>>>> really needed since OpenVPN uses his own choice for the
>>>>> control-
>>>>> chanel
>>>>> if nothing has been configured.
>>>> That probably isn’t good then. The UI should at least show the
>>>> user
>>>> what is being used.
>>>>
>>>> If we want OpenVPN to chose what is best, there should be some
>>>> option
>>>> that says “automatic” at least.
>>>>
>>>>>>> OpenVPN presses to use cipher negotiation which we have
>>>>>>> avoid
>>>>>>> since
>>>>>>> the
>>>>>>> release of 2.4 with --ncp-disable, this option is no also
>>>>>>> deprecated so
>>>>>>> we need to take action on this.
>>>>>> I will skip my moan about introducing something and then
>>>>>> deprecating
>>>>>> it shortly after…
>>>>> It was good that we did not act at that time.
>>>> In hindsight yes. But we didn’t know back then that things would
>>>> change again, and we do not know now if things will change
>>>> another
>>>> time in the near future.
>>>>
>>>> So, we have to do “best-effort” here.
>>>>
>>>>>> I agree that we need to act.
>>>>>>
>>>>>>> We need to have then two new options, two seletion boxes
>>>>>>> which
>>>>>>> are
>>>>>>> odd
>>>>>>> to see in the global section. I tried it in the advanced
>>>>>>> server
>>>>>>> section
>>>>>>> too and it looks even more confusing with all the other
>>>>>>> already
>>>>>>> existing options, nothing i wanted to do. So i thought your
>>>>>>> above
>>>>>>> linked suggestions are pretty straight forward and the best
>>>>>>> solution to
>>>>>>> build an own crypto section which do have already defaults,
>>>>>>> nobody
>>>>>>> needs to do there anyting, the global section has been
>>>>>>> cleaned
>>>>>>> up
>>>>>>> and
>>>>>>> it should be even easier for everone to overview.
>>>>>> We have touched this topic multiple times. And I remember the
>>>>>> last
>>>>>> conclusion as follows:
>>>>>>
>>>>>> The average user does not have to touch the advanced options.
>>>>>> They
>>>>>> have to put in their subnet, select a port and protocol maybe
>>>>>> and
>>>>>> that is about it. They do not need to think about what cipher
>>>>>> to
>>>>>> use,
>>>>>> because we would have selected a reasonable default. If they
>>>>>> want
>>>>>> to
>>>>>> change something (because of hardware requirements, etc.)
>>>>>> they
>>>>>> can do
>>>>>> that on the advanced page.
>>>>> This is exactly what i did.
>>>> Okay. So why is there an extra page then, and not a section on
>>>> the
>>>> advanced page?
>>>>
>>>> I like the now cleaner look of the main page which only has the
>>>> bare
>>>> necessities.
>>>>
>>>>>> I agree that this is all not idea, but adding a third page to
>>>>>> this
>>>>>> all makes it rather more confusing than less.
>>>>> Not sure if i understand you here right. You mentioned above
>>>>> the
>>>>> advanced page but i understand you here that you do not want a
>>>>> third
>>>>> one ?
>>>> There is the main page, where things can be configured (subnet,
>>>> port,
>>>> protocol, …), then advanced options, and now the cryptography
>>>> options.
>>>>
>>>> They are all the same - in that they directly change the OpenVPN
>>>> configuration - and we only wanted to split them by two things:
>>>>
>>>> a) Is it likely that the user will change them?
>>>>
>>>> b) Or is this an option that the average user should not touch.
>>>>
>>>> The advanced settings page can be as long as we like. It does not
>>>> have to be pretty.
>>>>
>>>>>>> It made for me no sense to leave parts of the crypto (TLS-
>>>>>>> auth
>>>>>>> and
>>>>>>> HMACs) in the global section, especially because there are
>>>>>>> also
>>>>>>> even
>>>>>>> more algorithms, but also new options for the TLS
>>>>>>> authentication
>>>>>>> which
>>>>>>> i have all integrated so i moved them also into that place
>>>>>>> (patch
>>>>>>> 6/7
>>>>>>> and 7/7).
>>>>>> I remember that we have agreed to move the existing crypto
>>>>>> options to
>>>>>> the advanced page.
>>>>> Yes, me too and i thought you meant an dedicated crypto page
>>>>> like
>>>>> it is
>>>>> for IPSec but you meant the advanced server section ? If yes we
>>>>> would
>>>>> mix then routing logging, DNS/WINS options with MTU related
>>>>> configure
>>>>> options. Also, the crypto section can have also some
>>>>> additionals
>>>>> like
>>>>> key lieftime, tls-version (if someone wants only TLSv1.3) and
>>>>> may
>>>>> some
>>>>> other upcoming stuff.
>>>> That can all go to the advanced page in my opinion.
>>>>
>>>>>>> The control-channel cipher selection (patch 5/7) is new and
>>>>>>> should
>>>>>>> be
>>>>>>> really a part for the advanced ones, therefor no defaults
>>>>>>> has
>>>>>>> been
>>>>>>> set,
>>>>>>> it simply won´t appear if nothing has been configured.
>>>>>> What is the benefit of choosing a different cipher for the
>>>>>> control
>>>>>> channel?
>>>>> This one is not really needed, as mentioned above OpenVPN makes
>>>>> then
>>>>> this desicion by it´s own.
>>>> Okay, but why do we have it then? :)
>>>>
>>>>>>> I have the problem that I cannot get on top of these
>>>>>>> things.
>>>>>>> You
>>>>>>> are
>>>>>>> submitting *massive* patchsets, in this case I even believe
>>>>>>> that
>>>>>>> the
>>>>>>> whole things has been submitted a second time, although I
>>>>>>> do
>>>>>>> not
>>>>>>> know
>>>>>>> if there are any changes.
>>>>>>> Yes there are. Old and deprecated ciphers will now be
>>>>>>> detected
>>>>>>> and
>>>>>>> a
>>>>>>> warning comes up in the global section to change them as
>>>>>>> soon
>>>>>>> as
>>>>>>> possible (patch 3/7), also all languages has been
>>>>>>> translated
>>>>>>> and
>>>>>>> has
>>>>>>> been included.
>>>>>>> Also i wanted to split it in more specific topics for
>>>>>>> better
>>>>>>> overview
>>>>>>> but it seems that i have been failed.
>>>>>> I do not think that you have failed. I just think that it is
>>>>>> not
>>>>>> clear what the patch intended to do. So I cannot really look
>>>>>> at
>>>>>> it
>>>>>> and verify if the code actually does what you want it to do.
>>>>>>
>>>>>> Could it have been split into even smaller changes? Yes,
>>>>>> would
>>>>>> that
>>>>>> have helped? Maybe. But I do not think that we should waste
>>>>>> too
>>>>>> much
>>>>>> time to reformat the patches. I want the changes to be ready
>>>>>> to
>>>>>> be
>>>>>> merged as soon as possible.
>>>>> OK. Let´s go through this then. I have attached also
>>>>> screenshots
>>>>> for
>>>>> all changes for a better first impression.
>>>> That was very helpful to me.
>>>>
>>>>>>> I could not even find out *what* you are actually trying to
>>>>>>> do.
>>>>>>> There
>>>>>>> are more and more buttons being added and I have not the
>>>>>>> slightest
>>>>>>> idea
>>>>>>> what I am supposed to do with them. I have given my
>>>>>>> thoughts
>>>>>>> about
>>>>>>> the
>>>>>>> cipher selection and I felt that I have not been heard.
>>>>>>> One intention was that you do not need anything to do
>>>>>>> except
>>>>>>> you
>>>>>>> want
>>>>>>> to do some advanced crypto stuff. The rest should have
>>>>>>> already
>>>>>>> been
>>>>>>> made...
>>>>>>>
>>>>>>>
>>>>>>> I fear that this is all way too complicated. I cannot
>>>>>>> review
>>>>>>> what I
>>>>>>> do
>>>>>>> not even understand what the desired outcome is. And
>>>>>>> failing to
>>>>>>> understand that either means that it is either way too
>>>>>>> complicated
>>>>>>> or I
>>>>>>> have not read enough anywhere about all of this.
>>>>>>> Please check out the above linked topic where you have
>>>>>>> wrote
>>>>>>> suggestions that i simply tried to achieve but again, it
>>>>>>> seems
>>>>>>> that
>>>>>>> i
>>>>>>> was not successfull with this...
>>>>>> So, maybe help me to understand why the user would want to
>>>>>> use
>>>>>> different ciphers for the control channel and for TLSv1.3/2.
>>>>> This is not needed  and i can easily let it out but mentioned
>>>>> beneath
>>>>> OpenVPN decided to give TLSv1.2 another directive then TLSv1.3
>>>>> therefor
>>>>> the two boxes.
>>>> Yes, I think choosing this once is enough.
>>>>
>>>>>> I consider my ciphers as follows:
>>>>>>
>>>>>> * Which algorithms do I trust? If I do not trust AES for
>>>>>> example,
>>>>>> I
>>>>>> would unselect it for everything, regardless if that is the
>>>>>> control
>>>>>> or data channel).
>>>>>>
>>>>>> * What does my hardware support? I would want to choose AES
>>>>>> if my
>>>>>> hardware has acceleration for it.
>>>>>>
>>>>>> * Then I would sort them by most secure first (e.g. AES-256,
>>>>>> then
>>>>>> AES-192 and so on…)
>>>>>>
>>>>>> I can replicate that with only one multiple-select box that
>>>>>> simply
>>>>>> lists:
>>>>>>
>>>>>> * AES-256-GCM
>>>>>> * AES-256-CBC
>>>>>> * AES-128-GCM
>>>>>> * AES-128-CBC
>>>>>> * ChaCha20-Poly1305
>>>>>> * Blowfish
>>>>>> * ...
>>>>> This is a problen there is exactly the same, this are two
>>>>> directives. -
>>>>> -data-cipher does NCP whereby --data-ciphers-fallback
>>>>> substitutes -
>>>>> -
>>>>> cipher. If we leave --data-ciphers-fallback out and work only
>>>>> with
>>>>> --
>>>>> data-ciphers' clients which do not have this directive can not
>>>>> connect.
>>>> No no, we want to be compatible with older clients and there
>>>> should
>>>> be a dropdown that works just like the old cipher selection.
>>>>
>>>> It should be possible to turn it off though by adding a
>>>> “disabled”
>>>> option.
>>>>
>>>>> Also, client which are <=2.5.0 do not understands both
>>>>> directives
>>>>> and
>>>>> simply do not starts. To find a way out in this foggy world i
>>>>> delivered
>>>>> a checkbox while client creation so the user have the
>>>>> possiblity to
>>>>> bring the new directive into client.ovpn but also old clients
>>>>> can
>>>>> be
>>>>> changed/updated via the edit menu.
>>>> The clients should not have any cipher configuration now since
>>>> they
>>>> should automatically negotiate it - which is enabled by default.
>>>>
>>>>>> And a second one that has
>>>>>>
>>>>>> * SHA512
>>>>>> * SHA384
>>>>>> * SHA256
>>>>>> * …
>>>>> The HMACs can not be used for negotiation, this is only a
>>>>> single
>>>>> selection.
>>>> Well, that is bad. That means we still do not have full
>>>> negotiation?
>>>>
>>>>>> The code will then have to convert this into the fancy names
>>>>>> for
>>>>>> the
>>>>>> OpenVPN configuration file. But I suppose that should be easy
>>>>>> to
>>>>>> do.
>>>>>>
>>>>>> That way, the user can be certain that they have chosen the
>>>>>> right
>>>>>> thing for everything in one go.
>>>>>>
>>>>>>> So, could you please summarise for me what you want to
>>>>>>> achieve
>>>>>>> here?
>>>>>>> Hope i have it done above.
>>>>>> Thank you for that.
>>>>>>
>>>>>> I really appreciate all this time that you have invested in
>>>>>> this,
>>>>>> and
>>>>>> the code looks clean. I just think we have been on different
>>>>>> pages
>>>>>> about what we want it to look and feel like for the user.
>>>>> Thank you too. This one really needs a lot of time and testing
>>>>> around
>>>>> and also with help from Adolf it comes to this where it
>>>>> currently
>>>>> is.
>>>> Great teamwork!
>>>>
>>>>>>> Is this supposed to make OpenVPN more compatible, secure,
>>>>>>> or
>>>>>>> anything
>>>>>>> else?
>>>>>>> Yes both but also easier since the user do not need to do
>>>>>>> anything
>>>>>>> but
>>>>>>> he should become more security under the hood, the backward
>>>>>>> and
>>>>>>> the
>>>>>>> forward compatibility should be in a better standing than
>>>>>>> before
>>>>>>> and if
>>>>>>> someone wants to go into the depth, this is even also
>>>>>>> possible.
>>>>>> I think that you have implemented the “pro” version here. It
>>>>>> has
>>>>>> all
>>>>>> the buttons you need and uses all features of OpenVPN. But it
>>>>>> is
>>>>>> complicated. So maybe lets hide it from the user that there
>>>>>> is a
>>>>>> control and data channel. Does the user need to know about
>>>>>> this?
>>>>>> I do
>>>>>> not think so. It will work either way.
>>>>> No there is no must for the control-channel cipher selection...
>>>>> If
>>>>> one
>>>>> is in, it is sometimes nice to walk through all that ;-).
>>>>>
>>>>>>> Why do we not talk about this before things are being
>>>>>>> implemented,
>>>>>>> or
>>>>>>> did I just miss the discussion?
>>>>>>> Yes i think you missed some of that, hopefully i could
>>>>>>> remind
>>>>>>> you
>>>>>>> on
>>>>>>> some points.
>>>>>> This is good progress :)
>>>>> Happy to here this.
>>>> Okay, so what are the next steps now?
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> Best,
>>>>>
>>>>> Erik
>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Erik
>>>>>>>
>>>>>>>
>>>>>>>> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> just wanted to ask if there is still interest in this
>>>>>>>> patch
>>>>>>>> series ?
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Erik
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>> <advanced_encryption_with_defaults.png><client_version.png><glo
>>>>> bal_
>>>>> settings.png><deprectaed_ciphers_warning.png>
>>>
>

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 22546 bytes --]

Hi Adolf,
you can find it with better overview on Patchwork -->
https://patchwork.ipfire.org/patch/3712/
you can get there the specific diffs (button right side) and a list of
the series by clicking on "Related --> Show"

Best,

Erik

Am Freitag, dem 22.01.2021 um 23:08 +0100 schrieb Adolf Belka:
> Hi Erik,
> 
> Where can I get hold of your latest version of ovpnmain.cgi
> 
> Regards,
> 
> Adolf.
> 
> On 15/01/2021 05:56, ummeegge wrote:
> > Good morning Adolf,
> > 
> > Am Donnerstag, dem 14.01.2021 um 19:50 +0100 schrieb Adolf Belka:
> > > Hi Erik,
> > > 
> > > I have been keeping an eye on this OpenVPN thread anyway so I am
> > > willing to pick this up and see if I can help.
> > > 
> > > As I am no where near as proficient in OpenVPN as you I may end
> > > up
> > > needing some guidance but am willing to give it a go and see how
> > > things go.
> > Will try to help you out if i can.
> > 
> > > I have a couple of bugs with my name against them that I want to
> > > get
> > > moving first but then I will pick this topic up if you are okay
> > > with
> > > that.
> > As mentioned before, i am more then happy with this.
> > 
> > > Regards,
> > > 
> > > Adolf.
> > Best,
> > 
> > Erik
> > 
> > > On 13/01/2021 10:18, ummeegge wrote:
> > > > Hi Michael,
> > > > there is currently a lot of other real world stuff around me
> > > > and my
> > > > time is really less since things out there do not get easier
> > > > these
> > > > days, at least for me.
> > > > 
> > > > If more time and motivation (which is most important) comes up
> > > > i
> > > > will
> > > > may go for another try to accomplish this topic with your
> > > > suggestions.
> > > > I would also finish this conversation here since it is hardly
> > > > comprehensible and a possible v3 would differs a lot.
> > > > 
> > > > If someone else wanted to jump in this topic with solutions i
> > > > am
> > > > more
> > > > then happy with this.
> > > > 
> > > > All the best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael
> > > > Tremer:
> > > > > Hi,
> > > > > 
> > > > > > On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org>
> > > > > > wrote:
> > > > > > 
> > > > > > Hi Michael,
> > > > > > 
> > > > > > Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael
> > > > > > Tremer:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > > On 14 Dec 2020, at 16:12, ummeegge
> > > > > > > > <ummeegge(a)ipfire.org>
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > Hi Michael,
> > > > > > > > thanks for looking into this.
> > > > > > > > 
> > > > > > > > Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb
> > > > > > > > Michael
> > > > > > > > Tremer:
> > > > > > > > > Hello Erik,
> > > > > > > > > 
> > > > > > > > > Yes, I am very much interested in this.
> > > > > > > > > 
> > > > > > > > > And I have spent pretty much an hour to make sense
> > > > > > > > > out of
> > > > > > > > > all
> > > > > > > > > of
> > > > > > > > > this, and unfortunately have to report that I failed.
> > > > > > > > that´s not good to hear. OK, let me explain... I tried
> > > > > > > > to
> > > > > > > > come
> > > > > > > > up
> > > > > > > > with
> > > > > > > > a solution where we already have spoken more times
> > > > > > > > about in
> > > > > > > > the
> > > > > > > > past, i
> > > > > > > > tried to follow up your suggestions, the latest about
> > > > > > > > that
> > > > > > > > topic
> > > > > > > > was
> > > > > > > > here -->
> > > > > > > >    
> > > > > > > > https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> > > > > > > > in Oktober to bring up "a select box where multiple
> > > > > > > > algorithms
> > > > > > > > can
> > > > > > > > be
> > > > > > > > chosen (like in IPsec)". Since --cipher is deprectaed
> > > > > > > > and
> > > > > > > > will
> > > > > > > > be
> > > > > > > > replaced by --data-ciphers which is a >=2.5.0 option we
> > > > > > > > need
> > > > > > > > another
> > > > > > > > selection field for the --data-ciphers-fallback which
> > > > > > > > is a
> > > > > > > > replacement
> > > > > > > > for --cipher and the server uses this directive to talk
> > > > > > > > also to
> > > > > > > > client
> > > > > > > > which are <2.5.0 .
> > > > > > > Yes, the ciphers. But as far as I understand this, you
> > > > > > > are
> > > > > > > offering
> > > > > > > to select the whole cipher suite. That is something
> > > > > > > different.
> > > > > > > 
> > > > > > > And you are offering different options for TLSv1.3 and
> > > > > > > lower,
> > > > > > > which
> > > > > > > we do not do in IPsec either. You have one selection for
> > > > > > > both
> > > > > > > IKEv1
> > > > > > > and IKEv2.
> > > > > > Yes, i thougt it might be an idea for the advanced section
> > > > > > be
> > > > > > it is
> > > > > > not
> > > > > > really needed since OpenVPN uses his own choice for the
> > > > > > control-
> > > > > > chanel
> > > > > > if nothing has been configured.
> > > > > That probably isn’t good then. The UI should at least show
> > > > > the
> > > > > user
> > > > > what is being used.
> > > > > 
> > > > > If we want OpenVPN to chose what is best, there should be
> > > > > some
> > > > > option
> > > > > that says “automatic” at least.
> > > > > 
> > > > > > > > OpenVPN presses to use cipher negotiation which we have
> > > > > > > > avoid
> > > > > > > > since
> > > > > > > > the
> > > > > > > > release of 2.4 with --ncp-disable, this option is no
> > > > > > > > also
> > > > > > > > deprecated so
> > > > > > > > we need to take action on this.
> > > > > > > I will skip my moan about introducing something and then
> > > > > > > deprecating
> > > > > > > it shortly after…
> > > > > > It was good that we did not act at that time.
> > > > > In hindsight yes. But we didn’t know back then that things
> > > > > would
> > > > > change again, and we do not know now if things will change
> > > > > another
> > > > > time in the near future.
> > > > > 
> > > > > So, we have to do “best-effort” here.
> > > > > 
> > > > > > > I agree that we need to act.
> > > > > > > 
> > > > > > > > We need to have then two new options, two seletion
> > > > > > > > boxes
> > > > > > > > which
> > > > > > > > are
> > > > > > > > odd
> > > > > > > > to see in the global section. I tried it in the
> > > > > > > > advanced
> > > > > > > > server
> > > > > > > > section
> > > > > > > > too and it looks even more confusing with all the other
> > > > > > > > already
> > > > > > > > existing options, nothing i wanted to do. So i thought
> > > > > > > > your
> > > > > > > > above
> > > > > > > > linked suggestions are pretty straight forward and the
> > > > > > > > best
> > > > > > > > solution to
> > > > > > > > build an own crypto section which do have already
> > > > > > > > defaults,
> > > > > > > > nobody
> > > > > > > > needs to do there anyting, the global section has been
> > > > > > > > cleaned
> > > > > > > > up
> > > > > > > > and
> > > > > > > > it should be even easier for everone to overview.
> > > > > > > We have touched this topic multiple times. And I remember
> > > > > > > the
> > > > > > > last
> > > > > > > conclusion as follows:
> > > > > > > 
> > > > > > > The average user does not have to touch the advanced
> > > > > > > options.
> > > > > > > They
> > > > > > > have to put in their subnet, select a port and protocol
> > > > > > > maybe
> > > > > > > and
> > > > > > > that is about it. They do not need to think about what
> > > > > > > cipher
> > > > > > > to
> > > > > > > use,
> > > > > > > because we would have selected a reasonable default. If
> > > > > > > they
> > > > > > > want
> > > > > > > to
> > > > > > > change something (because of hardware requirements, etc.)
> > > > > > > they
> > > > > > > can do
> > > > > > > that on the advanced page.
> > > > > > This is exactly what i did.
> > > > > Okay. So why is there an extra page then, and not a section
> > > > > on
> > > > > the
> > > > > advanced page?
> > > > > 
> > > > > I like the now cleaner look of the main page which only has
> > > > > the
> > > > > bare
> > > > > necessities.
> > > > > 
> > > > > > > I agree that this is all not idea, but adding a third
> > > > > > > page to
> > > > > > > this
> > > > > > > all makes it rather more confusing than less.
> > > > > > Not sure if i understand you here right. You mentioned
> > > > > > above
> > > > > > the
> > > > > > advanced page but i understand you here that you do not
> > > > > > want a
> > > > > > third
> > > > > > one ?
> > > > > There is the main page, where things can be configured
> > > > > (subnet,
> > > > > port,
> > > > > protocol, …), then advanced options, and now the cryptography
> > > > > options.
> > > > > 
> > > > > They are all the same - in that they directly change the
> > > > > OpenVPN
> > > > > configuration - and we only wanted to split them by two
> > > > > things:
> > > > > 
> > > > > a) Is it likely that the user will change them?
> > > > > 
> > > > > b) Or is this an option that the average user should not
> > > > > touch.
> > > > > 
> > > > > The advanced settings page can be as long as we like. It does
> > > > > not
> > > > > have to be pretty.
> > > > > 
> > > > > > > > It made for me no sense to leave parts of the crypto
> > > > > > > > (TLS-
> > > > > > > > auth
> > > > > > > > and
> > > > > > > > HMACs) in the global section, especially because there
> > > > > > > > are
> > > > > > > > also
> > > > > > > > even
> > > > > > > > more algorithms, but also new options for the TLS
> > > > > > > > authentication
> > > > > > > > which
> > > > > > > > i have all integrated so i moved them also into that
> > > > > > > > place
> > > > > > > > (patch
> > > > > > > > 6/7
> > > > > > > > and 7/7).
> > > > > > > I remember that we have agreed to move the existing
> > > > > > > crypto
> > > > > > > options to
> > > > > > > the advanced page.
> > > > > > Yes, me too and i thought you meant an dedicated crypto
> > > > > > page
> > > > > > like
> > > > > > it is
> > > > > > for IPSec but you meant the advanced server section ? If
> > > > > > yes we
> > > > > > would
> > > > > > mix then routing logging, DNS/WINS options with MTU related
> > > > > > configure
> > > > > > options. Also, the crypto section can have also some
> > > > > > additionals
> > > > > > like
> > > > > > key lieftime, tls-version (if someone wants only TLSv1.3)
> > > > > > and
> > > > > > may
> > > > > > some
> > > > > > other upcoming stuff.
> > > > > That can all go to the advanced page in my opinion.
> > > > > 
> > > > > > > > The control-channel cipher selection (patch 5/7) is new
> > > > > > > > and
> > > > > > > > should
> > > > > > > > be
> > > > > > > > really a part for the advanced ones, therefor no
> > > > > > > > defaults
> > > > > > > > has
> > > > > > > > been
> > > > > > > > set,
> > > > > > > > it simply won´t appear if nothing has been configured.
> > > > > > > What is the benefit of choosing a different cipher for
> > > > > > > the
> > > > > > > control
> > > > > > > channel?
> > > > > > This one is not really needed, as mentioned above OpenVPN
> > > > > > makes
> > > > > > then
> > > > > > this desicion by it´s own.
> > > > > Okay, but why do we have it then? :)
> > > > > 
> > > > > > > > I have the problem that I cannot get on top of these
> > > > > > > > things.
> > > > > > > > You
> > > > > > > > are
> > > > > > > > submitting *massive* patchsets, in this case I even
> > > > > > > > believe
> > > > > > > > that
> > > > > > > > the
> > > > > > > > whole things has been submitted a second time, although
> > > > > > > > I
> > > > > > > > do
> > > > > > > > not
> > > > > > > > know
> > > > > > > > if there are any changes.
> > > > > > > > Yes there are. Old and deprecated ciphers will now be
> > > > > > > > detected
> > > > > > > > and
> > > > > > > > a
> > > > > > > > warning comes up in the global section to change them
> > > > > > > > as
> > > > > > > > soon
> > > > > > > > as
> > > > > > > > possible (patch 3/7), also all languages has been
> > > > > > > > translated
> > > > > > > > and
> > > > > > > > has
> > > > > > > > been included.
> > > > > > > > Also i wanted to split it in more specific topics for
> > > > > > > > better
> > > > > > > > overview
> > > > > > > > but it seems that i have been failed.
> > > > > > > I do not think that you have failed. I just think that it
> > > > > > > is
> > > > > > > not
> > > > > > > clear what the patch intended to do. So I cannot really
> > > > > > > look
> > > > > > > at
> > > > > > > it
> > > > > > > and verify if the code actually does what you want it to
> > > > > > > do.
> > > > > > > 
> > > > > > > Could it have been split into even smaller changes? Yes,
> > > > > > > would
> > > > > > > that
> > > > > > > have helped? Maybe. But I do not think that we should
> > > > > > > waste
> > > > > > > too
> > > > > > > much
> > > > > > > time to reformat the patches. I want the changes to be
> > > > > > > ready
> > > > > > > to
> > > > > > > be
> > > > > > > merged as soon as possible.
> > > > > > OK. Let´s go through this then. I have attached also
> > > > > > screenshots
> > > > > > for
> > > > > > all changes for a better first impression.
> > > > > That was very helpful to me.
> > > > > 
> > > > > > > > I could not even find out *what* you are actually
> > > > > > > > trying to
> > > > > > > > do.
> > > > > > > > There
> > > > > > > > are more and more buttons being added and I have not
> > > > > > > > the
> > > > > > > > slightest
> > > > > > > > idea
> > > > > > > > what I am supposed to do with them. I have given my
> > > > > > > > thoughts
> > > > > > > > about
> > > > > > > > the
> > > > > > > > cipher selection and I felt that I have not been heard.
> > > > > > > > One intention was that you do not need anything to do
> > > > > > > > except
> > > > > > > > you
> > > > > > > > want
> > > > > > > > to do some advanced crypto stuff. The rest should have
> > > > > > > > already
> > > > > > > > been
> > > > > > > > made...
> > > > > > > > 
> > > > > > > > 
> > > > > > > > I fear that this is all way too complicated. I cannot
> > > > > > > > review
> > > > > > > > what I
> > > > > > > > do
> > > > > > > > not even understand what the desired outcome is. And
> > > > > > > > failing to
> > > > > > > > understand that either means that it is either way too
> > > > > > > > complicated
> > > > > > > > or I
> > > > > > > > have not read enough anywhere about all of this.
> > > > > > > > Please check out the above linked topic where you have
> > > > > > > > wrote
> > > > > > > > suggestions that i simply tried to achieve but again,
> > > > > > > > it
> > > > > > > > seems
> > > > > > > > that
> > > > > > > > i
> > > > > > > > was not successfull with this...
> > > > > > > So, maybe help me to understand why the user would want
> > > > > > > to
> > > > > > > use
> > > > > > > different ciphers for the control channel and for
> > > > > > > TLSv1.3/2.
> > > > > > This is not needed  and i can easily let it out but
> > > > > > mentioned
> > > > > > beneath
> > > > > > OpenVPN decided to give TLSv1.2 another directive then
> > > > > > TLSv1.3
> > > > > > therefor
> > > > > > the two boxes.
> > > > > Yes, I think choosing this once is enough.
> > > > > 
> > > > > > > I consider my ciphers as follows:
> > > > > > > 
> > > > > > > * Which algorithms do I trust? If I do not trust AES for
> > > > > > > example,
> > > > > > > I
> > > > > > > would unselect it for everything, regardless if that is
> > > > > > > the
> > > > > > > control
> > > > > > > or data channel).
> > > > > > > 
> > > > > > > * What does my hardware support? I would want to choose
> > > > > > > AES
> > > > > > > if my
> > > > > > > hardware has acceleration for it.
> > > > > > > 
> > > > > > > * Then I would sort them by most secure first (e.g. AES-
> > > > > > > 256,
> > > > > > > then
> > > > > > > AES-192 and so on…)
> > > > > > > 
> > > > > > > I can replicate that with only one multiple-select box
> > > > > > > that
> > > > > > > simply
> > > > > > > lists:
> > > > > > > 
> > > > > > > * AES-256-GCM
> > > > > > > * AES-256-CBC
> > > > > > > * AES-128-GCM
> > > > > > > * AES-128-CBC
> > > > > > > * ChaCha20-Poly1305
> > > > > > > * Blowfish
> > > > > > > * ...
> > > > > > This is a problen there is exactly the same, this are two
> > > > > > directives. -
> > > > > > -data-cipher does NCP whereby --data-ciphers-fallback
> > > > > > substitutes -
> > > > > > -
> > > > > > cipher. If we leave --data-ciphers-fallback out and work
> > > > > > only
> > > > > > with
> > > > > > --
> > > > > > data-ciphers' clients which do not have this directive can
> > > > > > not
> > > > > > connect.
> > > > > No no, we want to be compatible with older clients and there
> > > > > should
> > > > > be a dropdown that works just like the old cipher selection.
> > > > > 
> > > > > It should be possible to turn it off though by adding a
> > > > > “disabled”
> > > > > option.
> > > > > 
> > > > > > Also, client which are <=2.5.0 do not understands both
> > > > > > directives
> > > > > > and
> > > > > > simply do not starts. To find a way out in this foggy world
> > > > > > i
> > > > > > delivered
> > > > > > a checkbox while client creation so the user have the
> > > > > > possiblity to
> > > > > > bring the new directive into client.ovpn but also old
> > > > > > clients
> > > > > > can
> > > > > > be
> > > > > > changed/updated via the edit menu.
> > > > > The clients should not have any cipher configuration now
> > > > > since
> > > > > they
> > > > > should automatically negotiate it - which is enabled by
> > > > > default.
> > > > > 
> > > > > > > And a second one that has
> > > > > > > 
> > > > > > > * SHA512
> > > > > > > * SHA384
> > > > > > > * SHA256
> > > > > > > * …
> > > > > > The HMACs can not be used for negotiation, this is only a
> > > > > > single
> > > > > > selection.
> > > > > Well, that is bad. That means we still do not have full
> > > > > negotiation?
> > > > > 
> > > > > > > The code will then have to convert this into the fancy
> > > > > > > names
> > > > > > > for
> > > > > > > the
> > > > > > > OpenVPN configuration file. But I suppose that should be
> > > > > > > easy
> > > > > > > to
> > > > > > > do.
> > > > > > > 
> > > > > > > That way, the user can be certain that they have chosen
> > > > > > > the
> > > > > > > right
> > > > > > > thing for everything in one go.
> > > > > > > 
> > > > > > > > So, could you please summarise for me what you want to
> > > > > > > > achieve
> > > > > > > > here?
> > > > > > > > Hope i have it done above.
> > > > > > > Thank you for that.
> > > > > > > 
> > > > > > > I really appreciate all this time that you have invested
> > > > > > > in
> > > > > > > this,
> > > > > > > and
> > > > > > > the code looks clean. I just think we have been on
> > > > > > > different
> > > > > > > pages
> > > > > > > about what we want it to look and feel like for the user.
> > > > > > Thank you too. This one really needs a lot of time and
> > > > > > testing
> > > > > > around
> > > > > > and also with help from Adolf it comes to this where it
> > > > > > currently
> > > > > > is.
> > > > > Great teamwork!
> > > > > 
> > > > > > > > Is this supposed to make OpenVPN more compatible,
> > > > > > > > secure,
> > > > > > > > or
> > > > > > > > anything
> > > > > > > > else?
> > > > > > > > Yes both but also easier since the user do not need to
> > > > > > > > do
> > > > > > > > anything
> > > > > > > > but
> > > > > > > > he should become more security under the hood, the
> > > > > > > > backward
> > > > > > > > and
> > > > > > > > the
> > > > > > > > forward compatibility should be in a better standing
> > > > > > > > than
> > > > > > > > before
> > > > > > > > and if
> > > > > > > > someone wants to go into the depth, this is even also
> > > > > > > > possible.
> > > > > > > I think that you have implemented the “pro” version here.
> > > > > > > It
> > > > > > > has
> > > > > > > all
> > > > > > > the buttons you need and uses all features of OpenVPN.
> > > > > > > But it
> > > > > > > is
> > > > > > > complicated. So maybe lets hide it from the user that
> > > > > > > there
> > > > > > > is a
> > > > > > > control and data channel. Does the user need to know
> > > > > > > about
> > > > > > > this?
> > > > > > > I do
> > > > > > > not think so. It will work either way.
> > > > > > No there is no must for the control-channel cipher
> > > > > > selection...
> > > > > > If
> > > > > > one
> > > > > > is in, it is sometimes nice to walk through all that ;-).
> > > > > > 
> > > > > > > > Why do we not talk about this before things are being
> > > > > > > > implemented,
> > > > > > > > or
> > > > > > > > did I just miss the discussion?
> > > > > > > > Yes i think you missed some of that, hopefully i could
> > > > > > > > remind
> > > > > > > > you
> > > > > > > > on
> > > > > > > > some points.
> > > > > > > This is good progress :)
> > > > > > Happy to here this.
> > > > > Okay, so what are the next steps now?
> > > > > 
> > > > > -Michael
> > > > > 
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > > -Michael
> > > > > > > 
> > > > > > > > -Michael
> > > > > > > > 
> > > > > > > > Best,
> > > > > > > > 
> > > > > > > > Erik
> > > > > > > > 
> > > > > > > > 
> > > > > > > > > On 14 Dec 2020, at 14:03, ummeegge
> > > > > > > > > <ummeegge(a)ipfire.org>
> > > > > > > > > wrote:
> > > > > > > > > 
> > > > > > > > > Hi all,
> > > > > > > > > just wanted to ask if there is still interest in this
> > > > > > > > > patch
> > > > > > > > > series ?
> > > > > > > > > 
> > > > > > > > > Best,
> > > > > > > > > 
> > > > > > > > > Erik
> > > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > <advanced_encryption_with_defaults.png><client_version.png>
> > > > > > <glo
> > > > > > bal_
> > > > > > settings.png><deprectaed_ciphers_warning.png>
> > > > 
> > 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Adolf Belka (ipfire)]

[-- Attachment #1: Type: text/plain, Size: 18120 bytes --]

Hi All,


After some deliberation, I have to say that I will not be able to pick up this OpenVPN topic for the new encryption section coming with OpenVPN 2.5.0

The basis for this decision is that as I have been reviewing ovpnmain.cgi and the changes proposed by Erik, I have come to realise that my capabilities to understand what is going on in the code are just too limited. I have not been able to understand the structure of the existing code well enough to even start to think about proposing changes to the code that would do what is needed but also not have knock on effects.

I am very sorry to be communicating this and I have thought hard about it for some time but even leaving some gaps and then going back to the code after a while has resulted in me continuing to find new code that I didn't understand what it was doing rather than things becoming clearer and eventually I came to this conclusion.

I will still continue to help with testing and to provide update patches for addons and core programs and also work on the simpler bugs where my knowledge is sufficient.


Regards,

Adolf.

On 15/01/2021 05:56, ummeegge wrote:
> Good morning Adolf,
>
> Am Donnerstag, dem 14.01.2021 um 19:50 +0100 schrieb Adolf Belka:
>> Hi Erik,
>>
>> I have been keeping an eye on this OpenVPN thread anyway so I am
>> willing to pick this up and see if I can help.
>>
>> As I am no where near as proficient in OpenVPN as you I may end up
>> needing some guidance but am willing to give it a go and see how
>> things go.
> Will try to help you out if i can.
>
>> I have a couple of bugs with my name against them that I want to get
>> moving first but then I will pick this topic up if you are okay with
>> that.
> As mentioned before, i am more then happy with this.
>
>> Regards,
>>
>> Adolf.
> Best,
>
> Erik
>
>> On 13/01/2021 10:18, ummeegge wrote:
>>> Hi Michael,
>>> there is currently a lot of other real world stuff around me and my
>>> time is really less since things out there do not get easier these
>>> days, at least for me.
>>>
>>> If more time and motivation (which is most important) comes up i
>>> will
>>> may go for another try to accomplish this topic with your
>>> suggestions.
>>> I would also finish this conversation here since it is hardly
>>> comprehensible and a possible v3 would differs a lot.
>>>
>>> If someone else wanted to jump in this topic with solutions i am
>>> more
>>> then happy with this.
>>>
>>> All the best,
>>>
>>> Erik
>>>
>>>
>>> Am Dienstag, dem 29.12.2020 um 11:44 +0100 schrieb Michael Tremer:
>>>> Hi,
>>>>
>>>>> On 16 Dec 2020, at 17:30, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>>
>>>>> Hi Michael,
>>>>>
>>>>> Am Dienstag, dem 15.12.2020 um 12:58 +0100 schrieb Michael
>>>>> Tremer:
>>>>>> Hi,
>>>>>>
>>>>>>> On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi Michael,
>>>>>>> thanks for looking into this.
>>>>>>>
>>>>>>> Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael
>>>>>>> Tremer:
>>>>>>>> Hello Erik,
>>>>>>>>
>>>>>>>> Yes, I am very much interested in this.
>>>>>>>>
>>>>>>>> And I have spent pretty much an hour to make sense out of
>>>>>>>> all
>>>>>>>> of
>>>>>>>> this, and unfortunately have to report that I failed.
>>>>>>> that´s not good to hear. OK, let me explain... I tried to
>>>>>>> come
>>>>>>> up
>>>>>>> with
>>>>>>> a solution where we already have spoken more times about in
>>>>>>> the
>>>>>>> past, i
>>>>>>> tried to follow up your suggestions, the latest about that
>>>>>>> topic
>>>>>>> was
>>>>>>> here -->
>>>>>>>    
>>>>>>> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
>>>>>>> in Oktober to bring up "a select box where multiple
>>>>>>> algorithms
>>>>>>> can
>>>>>>> be
>>>>>>> chosen (like in IPsec)". Since --cipher is deprectaed and
>>>>>>> will
>>>>>>> be
>>>>>>> replaced by --data-ciphers which is a >=2.5.0 option we
>>>>>>> need
>>>>>>> another
>>>>>>> selection field for the --data-ciphers-fallback which is a
>>>>>>> replacement
>>>>>>> for --cipher and the server uses this directive to talk
>>>>>>> also to
>>>>>>> client
>>>>>>> which are <2.5.0 .
>>>>>> Yes, the ciphers. But as far as I understand this, you are
>>>>>> offering
>>>>>> to select the whole cipher suite. That is something
>>>>>> different.
>>>>>>
>>>>>> And you are offering different options for TLSv1.3 and lower,
>>>>>> which
>>>>>> we do not do in IPsec either. You have one selection for both
>>>>>> IKEv1
>>>>>> and IKEv2.
>>>>> Yes, i thougt it might be an idea for the advanced section be
>>>>> it is
>>>>> not
>>>>> really needed since OpenVPN uses his own choice for the
>>>>> control-
>>>>> chanel
>>>>> if nothing has been configured.
>>>> That probably isn’t good then. The UI should at least show the
>>>> user
>>>> what is being used.
>>>>
>>>> If we want OpenVPN to chose what is best, there should be some
>>>> option
>>>> that says “automatic” at least.
>>>>
>>>>>>> OpenVPN presses to use cipher negotiation which we have
>>>>>>> avoid
>>>>>>> since
>>>>>>> the
>>>>>>> release of 2.4 with --ncp-disable, this option is no also
>>>>>>> deprecated so
>>>>>>> we need to take action on this.
>>>>>> I will skip my moan about introducing something and then
>>>>>> deprecating
>>>>>> it shortly after…
>>>>> It was good that we did not act at that time.
>>>> In hindsight yes. But we didn’t know back then that things would
>>>> change again, and we do not know now if things will change
>>>> another
>>>> time in the near future.
>>>>
>>>> So, we have to do “best-effort” here.
>>>>
>>>>>> I agree that we need to act.
>>>>>>
>>>>>>> We need to have then two new options, two seletion boxes
>>>>>>> which
>>>>>>> are
>>>>>>> odd
>>>>>>> to see in the global section. I tried it in the advanced
>>>>>>> server
>>>>>>> section
>>>>>>> too and it looks even more confusing with all the other
>>>>>>> already
>>>>>>> existing options, nothing i wanted to do. So i thought your
>>>>>>> above
>>>>>>> linked suggestions are pretty straight forward and the best
>>>>>>> solution to
>>>>>>> build an own crypto section which do have already defaults,
>>>>>>> nobody
>>>>>>> needs to do there anyting, the global section has been
>>>>>>> cleaned
>>>>>>> up
>>>>>>> and
>>>>>>> it should be even easier for everone to overview.
>>>>>> We have touched this topic multiple times. And I remember the
>>>>>> last
>>>>>> conclusion as follows:
>>>>>>
>>>>>> The average user does not have to touch the advanced options.
>>>>>> They
>>>>>> have to put in their subnet, select a port and protocol maybe
>>>>>> and
>>>>>> that is about it. They do not need to think about what cipher
>>>>>> to
>>>>>> use,
>>>>>> because we would have selected a reasonable default. If they
>>>>>> want
>>>>>> to
>>>>>> change something (because of hardware requirements, etc.)
>>>>>> they
>>>>>> can do
>>>>>> that on the advanced page.
>>>>> This is exactly what i did.
>>>> Okay. So why is there an extra page then, and not a section on
>>>> the
>>>> advanced page?
>>>>
>>>> I like the now cleaner look of the main page which only has the
>>>> bare
>>>> necessities.
>>>>
>>>>>> I agree that this is all not idea, but adding a third page to
>>>>>> this
>>>>>> all makes it rather more confusing than less.
>>>>> Not sure if i understand you here right. You mentioned above
>>>>> the
>>>>> advanced page but i understand you here that you do not want a
>>>>> third
>>>>> one ?
>>>> There is the main page, where things can be configured (subnet,
>>>> port,
>>>> protocol, …), then advanced options, and now the cryptography
>>>> options.
>>>>
>>>> They are all the same - in that they directly change the OpenVPN
>>>> configuration - and we only wanted to split them by two things:
>>>>
>>>> a) Is it likely that the user will change them?
>>>>
>>>> b) Or is this an option that the average user should not touch.
>>>>
>>>> The advanced settings page can be as long as we like. It does not
>>>> have to be pretty.
>>>>
>>>>>>> It made for me no sense to leave parts of the crypto (TLS-
>>>>>>> auth
>>>>>>> and
>>>>>>> HMACs) in the global section, especially because there are
>>>>>>> also
>>>>>>> even
>>>>>>> more algorithms, but also new options for the TLS
>>>>>>> authentication
>>>>>>> which
>>>>>>> i have all integrated so i moved them also into that place
>>>>>>> (patch
>>>>>>> 6/7
>>>>>>> and 7/7).
>>>>>> I remember that we have agreed to move the existing crypto
>>>>>> options to
>>>>>> the advanced page.
>>>>> Yes, me too and i thought you meant an dedicated crypto page
>>>>> like
>>>>> it is
>>>>> for IPSec but you meant the advanced server section ? If yes we
>>>>> would
>>>>> mix then routing logging, DNS/WINS options with MTU related
>>>>> configure
>>>>> options. Also, the crypto section can have also some
>>>>> additionals
>>>>> like
>>>>> key lieftime, tls-version (if someone wants only TLSv1.3) and
>>>>> may
>>>>> some
>>>>> other upcoming stuff.
>>>> That can all go to the advanced page in my opinion.
>>>>
>>>>>>> The control-channel cipher selection (patch 5/7) is new and
>>>>>>> should
>>>>>>> be
>>>>>>> really a part for the advanced ones, therefor no defaults
>>>>>>> has
>>>>>>> been
>>>>>>> set,
>>>>>>> it simply won´t appear if nothing has been configured.
>>>>>> What is the benefit of choosing a different cipher for the
>>>>>> control
>>>>>> channel?
>>>>> This one is not really needed, as mentioned above OpenVPN makes
>>>>> then
>>>>> this desicion by it´s own.
>>>> Okay, but why do we have it then? :)
>>>>
>>>>>>> I have the problem that I cannot get on top of these
>>>>>>> things.
>>>>>>> You
>>>>>>> are
>>>>>>> submitting *massive* patchsets, in this case I even believe
>>>>>>> that
>>>>>>> the
>>>>>>> whole things has been submitted a second time, although I
>>>>>>> do
>>>>>>> not
>>>>>>> know
>>>>>>> if there are any changes.
>>>>>>> Yes there are. Old and deprecated ciphers will now be
>>>>>>> detected
>>>>>>> and
>>>>>>> a
>>>>>>> warning comes up in the global section to change them as
>>>>>>> soon
>>>>>>> as
>>>>>>> possible (patch 3/7), also all languages has been
>>>>>>> translated
>>>>>>> and
>>>>>>> has
>>>>>>> been included.
>>>>>>> Also i wanted to split it in more specific topics for
>>>>>>> better
>>>>>>> overview
>>>>>>> but it seems that i have been failed.
>>>>>> I do not think that you have failed. I just think that it is
>>>>>> not
>>>>>> clear what the patch intended to do. So I cannot really look
>>>>>> at
>>>>>> it
>>>>>> and verify if the code actually does what you want it to do.
>>>>>>
>>>>>> Could it have been split into even smaller changes? Yes,
>>>>>> would
>>>>>> that
>>>>>> have helped? Maybe. But I do not think that we should waste
>>>>>> too
>>>>>> much
>>>>>> time to reformat the patches. I want the changes to be ready
>>>>>> to
>>>>>> be
>>>>>> merged as soon as possible.
>>>>> OK. Let´s go through this then. I have attached also
>>>>> screenshots
>>>>> for
>>>>> all changes for a better first impression.
>>>> That was very helpful to me.
>>>>
>>>>>>> I could not even find out *what* you are actually trying to
>>>>>>> do.
>>>>>>> There
>>>>>>> are more and more buttons being added and I have not the
>>>>>>> slightest
>>>>>>> idea
>>>>>>> what I am supposed to do with them. I have given my
>>>>>>> thoughts
>>>>>>> about
>>>>>>> the
>>>>>>> cipher selection and I felt that I have not been heard.
>>>>>>> One intention was that you do not need anything to do
>>>>>>> except
>>>>>>> you
>>>>>>> want
>>>>>>> to do some advanced crypto stuff. The rest should have
>>>>>>> already
>>>>>>> been
>>>>>>> made...
>>>>>>>
>>>>>>>
>>>>>>> I fear that this is all way too complicated. I cannot
>>>>>>> review
>>>>>>> what I
>>>>>>> do
>>>>>>> not even understand what the desired outcome is. And
>>>>>>> failing to
>>>>>>> understand that either means that it is either way too
>>>>>>> complicated
>>>>>>> or I
>>>>>>> have not read enough anywhere about all of this.
>>>>>>> Please check out the above linked topic where you have
>>>>>>> wrote
>>>>>>> suggestions that i simply tried to achieve but again, it
>>>>>>> seems
>>>>>>> that
>>>>>>> i
>>>>>>> was not successfull with this...
>>>>>> So, maybe help me to understand why the user would want to
>>>>>> use
>>>>>> different ciphers for the control channel and for TLSv1.3/2.
>>>>> This is not needed  and i can easily let it out but mentioned
>>>>> beneath
>>>>> OpenVPN decided to give TLSv1.2 another directive then TLSv1.3
>>>>> therefor
>>>>> the two boxes.
>>>> Yes, I think choosing this once is enough.
>>>>
>>>>>> I consider my ciphers as follows:
>>>>>>
>>>>>> * Which algorithms do I trust? If I do not trust AES for
>>>>>> example,
>>>>>> I
>>>>>> would unselect it for everything, regardless if that is the
>>>>>> control
>>>>>> or data channel).
>>>>>>
>>>>>> * What does my hardware support? I would want to choose AES
>>>>>> if my
>>>>>> hardware has acceleration for it.
>>>>>>
>>>>>> * Then I would sort them by most secure first (e.g. AES-256,
>>>>>> then
>>>>>> AES-192 and so on…)
>>>>>>
>>>>>> I can replicate that with only one multiple-select box that
>>>>>> simply
>>>>>> lists:
>>>>>>
>>>>>> * AES-256-GCM
>>>>>> * AES-256-CBC
>>>>>> * AES-128-GCM
>>>>>> * AES-128-CBC
>>>>>> * ChaCha20-Poly1305
>>>>>> * Blowfish
>>>>>> * ...
>>>>> This is a problen there is exactly the same, this are two
>>>>> directives. -
>>>>> -data-cipher does NCP whereby --data-ciphers-fallback
>>>>> substitutes -
>>>>> -
>>>>> cipher. If we leave --data-ciphers-fallback out and work only
>>>>> with
>>>>> --
>>>>> data-ciphers' clients which do not have this directive can not
>>>>> connect.
>>>> No no, we want to be compatible with older clients and there
>>>> should
>>>> be a dropdown that works just like the old cipher selection.
>>>>
>>>> It should be possible to turn it off though by adding a
>>>> “disabled”
>>>> option.
>>>>
>>>>> Also, client which are <=2.5.0 do not understands both
>>>>> directives
>>>>> and
>>>>> simply do not starts. To find a way out in this foggy world i
>>>>> delivered
>>>>> a checkbox while client creation so the user have the
>>>>> possiblity to
>>>>> bring the new directive into client.ovpn but also old clients
>>>>> can
>>>>> be
>>>>> changed/updated via the edit menu.
>>>> The clients should not have any cipher configuration now since
>>>> they
>>>> should automatically negotiate it - which is enabled by default.
>>>>
>>>>>> And a second one that has
>>>>>>
>>>>>> * SHA512
>>>>>> * SHA384
>>>>>> * SHA256
>>>>>> * …
>>>>> The HMACs can not be used for negotiation, this is only a
>>>>> single
>>>>> selection.
>>>> Well, that is bad. That means we still do not have full
>>>> negotiation?
>>>>
>>>>>> The code will then have to convert this into the fancy names
>>>>>> for
>>>>>> the
>>>>>> OpenVPN configuration file. But I suppose that should be easy
>>>>>> to
>>>>>> do.
>>>>>>
>>>>>> That way, the user can be certain that they have chosen the
>>>>>> right
>>>>>> thing for everything in one go.
>>>>>>
>>>>>>> So, could you please summarise for me what you want to
>>>>>>> achieve
>>>>>>> here?
>>>>>>> Hope i have it done above.
>>>>>> Thank you for that.
>>>>>>
>>>>>> I really appreciate all this time that you have invested in
>>>>>> this,
>>>>>> and
>>>>>> the code looks clean. I just think we have been on different
>>>>>> pages
>>>>>> about what we want it to look and feel like for the user.
>>>>> Thank you too. This one really needs a lot of time and testing
>>>>> around
>>>>> and also with help from Adolf it comes to this where it
>>>>> currently
>>>>> is.
>>>> Great teamwork!
>>>>
>>>>>>> Is this supposed to make OpenVPN more compatible, secure,
>>>>>>> or
>>>>>>> anything
>>>>>>> else?
>>>>>>> Yes both but also easier since the user do not need to do
>>>>>>> anything
>>>>>>> but
>>>>>>> he should become more security under the hood, the backward
>>>>>>> and
>>>>>>> the
>>>>>>> forward compatibility should be in a better standing than
>>>>>>> before
>>>>>>> and if
>>>>>>> someone wants to go into the depth, this is even also
>>>>>>> possible.
>>>>>> I think that you have implemented the “pro” version here. It
>>>>>> has
>>>>>> all
>>>>>> the buttons you need and uses all features of OpenVPN. But it
>>>>>> is
>>>>>> complicated. So maybe lets hide it from the user that there
>>>>>> is a
>>>>>> control and data channel. Does the user need to know about
>>>>>> this?
>>>>>> I do
>>>>>> not think so. It will work either way.
>>>>> No there is no must for the control-channel cipher selection...
>>>>> If
>>>>> one
>>>>> is in, it is sometimes nice to walk through all that ;-).
>>>>>
>>>>>>> Why do we not talk about this before things are being
>>>>>>> implemented,
>>>>>>> or
>>>>>>> did I just miss the discussion?
>>>>>>> Yes i think you missed some of that, hopefully i could
>>>>>>> remind
>>>>>>> you
>>>>>>> on
>>>>>>> some points.
>>>>>> This is good progress :)
>>>>> Happy to here this.
>>>> Okay, so what are the next steps now?
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> Best,
>>>>>
>>>>> Erik
>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Erik
>>>>>>>
>>>>>>>
>>>>>>>> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> just wanted to ask if there is still interest in this
>>>>>>>> patch
>>>>>>>> series ?
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Erik
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>> <advanced_encryption_with_defaults.png><client_version.png><glo
>>>>> bal_
>>>>> settings.png><deprectaed_ciphers_warning.png>
>>>
>

[PATCH v2 1/7] OpenVPN: Introduce advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 30401 bytes --]

- The whole crypto section will be sorted out from the global section to
an extra page while this patchset and a set of defaults should handle
the encryption also for not experienced users. The WUI style has been
adopted from the IPSec WUI.

- The new directive '--data-ciphers algs' has been introduced for RWs with
OpenVPN version 2.5.0. This directive negotiates with the clients the
best but also available cipher. The selection for '--data-ciphers algs' is
between the GCM family and the new CHACHA20-POLY1305. All ciphers
can be combined with another.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor
'--ncp-disable' has been removed which fixes the deprecation warning in
the new OpenVPN-2.5.0 server instance.
- While client generation the client version can be set via a checkbox
which enables, if client is >=2.5.0 a full cipher negotiation by printing
also the '--data-cipher algs' directive into the client.ovpn, if the client
version <=2.5.0 (checkbox off), the old deprecated '--cipher alg' will be written.
Existing clients can also subsequently be enhanced via editing the
connection.

Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 192 +++++++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl    |   7 ++
 langs/en/cgi-bin/en.pl    |   7 ++
 langs/es/cgi-bin/es.pl    |   7 ++
 langs/fr/cgi-bin/fr.pl    |   7 ++
 langs/it/cgi-bin/it.pl    |   7 ++
 langs/nl/cgi-bin/nl.pl    |   7 ++
 langs/pl/cgi-bin/pl.pl    |   7 ++
 langs/ru/cgi-bin/ru.pl    |   7 ++
 langs/tr/cgi-bin/tr.pl    |   7 ++
 10 files changed, 251 insertions(+), 4 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 68a70d147..40ae58673 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -98,6 +99,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -325,8 +327,16 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
+
+	# Data channel encryption
+	# Set seperator for data ciphers
+	@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+	# Add also algorithm from --cipher directive
+	if ($sovpnsettings{'DATACIPHERS'} ne '') {
+		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -911,6 +921,27 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     &writeserverconf();#hier ok
 }
 
+###
+### Save Advanced encryption
+###
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+
+	# --data-ciphers needs at least one cipher
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+		goto ADV_ENC_ERROR;
+	}
+
+	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
+	&writeserverconf();
+}
+
+### End Save advanced encryption
+
 ###
 # m.a.d net2net
 ###
@@ -2344,7 +2375,16 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 in client.ovpn
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set seperator for --data-ciphers algorithms
+		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+	} else {
+		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2859,7 +2899,132 @@ END
     &Header::closebigbox();
     &Header::closepage();
     exit(0);
-	
+
+###
+### Advanced encryption settings
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) {
+	%cgiparams = ();
+	%confighash = ();
+	my @temp=();
+	my $disabled;
+	&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
+
+	my $key = $cgiparams{'KEY'};
+	if (! $key) {
+		$key = &General::findhasharraykey (\%confighash);
+		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+	}
+	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+	# Set default data channel ciphers
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+	}
+	$checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+	$checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+	@temp = split('\|', $cgiparams{'DATACIPHERS'});
+	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+	# Save settings and display default if not configured
+	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+	} else {
+		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+	}
+
+ADV_ENC_ERROR:
+
+	&Header::showhttpheaders();
+	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+	&Header::openbigbox('100%', 'left', '', $errormessage);
+	if ($errormessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+		print "<class name='base'>$errormessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+		print "<class name='base'>$warnmessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+	&Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:");
+	print<<END
+
+	<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+	<table width='100%'>
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn data channel'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+				<td class='boldbase'>
+					<select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+						<option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<hr>
+END
+;
+
+	if ( -e "/var/run/openvpn.pid") {
+		print"  <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>";
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	} else {
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	}
+
+	&Header::closebox();
+	&Header::closebigbox();
+	&Header::closepage();
+	exit(0);
+
+### END advanced encryption
 
 # A.Marx CCD   Add,delete or edit CCD net
 
@@ -3595,6 +3760,8 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
 		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
 		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
+		# Index from [39] to [44] has been reserved by advanced encryption
+		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 	
@@ -4338,6 +4505,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
 		$confighash{$key}[41] = "no-pass";
 	}
+	# Index from [39] to [44] has been reserved by advanced encryption
+	$confighash{$key}[45]         = $cgiparams{'CLIENTVERSION'};
 
 	&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 	
@@ -4749,6 +4918,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	    print"</td></tr></table><br><br>";
 		my $name=$cgiparams{'CHECK1'};
 		$checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
+		$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
 		
 	if (! -z "${General::swroot}/ovpn/ccd.conf"){	
 		print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
@@ -4884,7 +5054,12 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	
 	print <<END;
 	<table border='0' width='100%'>
-	<tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+		<tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+		<tr>
+			<td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td>
+			<td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} />
+			<font color='red'>&nbsp;$Lang::tr{'ovpn client version 25 warning'}</font></td>
+		</tr>
 	<tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
 	<tr><td colspan='4'>&nbsp</td></tr>
 	<tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5138,6 +5313,13 @@ END
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
 
+	if ($cgiparams{'CLIENTVERSION'} = '' ) {
+		$cgiparams{'CLIENTVERSION'} = 'off';
+	}
+	$checked{'CLIENTVERSION'}{'off'} = '';
+	$checked{'CLIENTVERSION'}{'on'} = '';
+	$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
+
 # m.a.d
     $checked{'MSSFIX'}{'off'} = '';
     $checked{'MSSFIX'}{'on'} = '';
@@ -5281,11 +5463,13 @@ END
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";	
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
     } else{
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
 	     -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
 	     -e "${General::swroot}/ovpn/certs/servercert.pem" &&
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2fb46e741..0d0705845 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1901,10 +1901,15 @@
 'override mtu' => 'Überschreibe Standard-MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung',
+'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln',
+'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel' => 'Daten-Kanal',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
@@ -1913,6 +1918,7 @@
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2163,6 +2169,7 @@
 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
 'save settings' => 'Einstellungen speichern',
 'save-adv-options' => 'Erweiterte Optionen speichern',
+'save-enc-options' => 'Kryptografie Optionen speichern',
 'script name' => 'Skriptname:',
 'search' => 'Suchen',
 'secondary dns' => 'Sekundärer DNS-Server:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b5284effa..affa43cd3 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1933,10 +1933,15 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel' => 'Data-Channel',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1945,6 +1950,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2196,6 +2202,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Save encryption options',
 'script name' => 'Script name:',
 'search' => 'Search',
 'secondary dns' => 'Secondary DNS:',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 93a15bba0..3d6efc21a 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -36,6 +36,9 @@
 'Number of IPs for the pie chart' => 'Número de IPS para la gráfica circular',
 'Number of Ports for the pie chart' => 'Número de puerto para la gráfica circular',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Configuración avanzada de encriptación',
+'ovpn client version 25 cipher negotiation' => 'Negociar encriptación',
+'ovpn client version 25 warning' => 'Disponible con la versión de Cliente 2.5.0 y superior',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Páginas',
 'Ping' => 'Ping:',
@@ -1328,7 +1331,10 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Estadisticas de conexión OpenVPN',
 'ovpn config' => 'Configruación de OVPN',
+'ovpn data encryption' => 'Encriptación Data-Channel',
+'ovpn data channel' => 'Canal-Datos',
 'ovpn device' => 'Dispositivo OpenVPN',
+'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado',
 'ovpn dl' => 'Configuración de descargas OVPN',
 'ovpn log' => 'Registro de log de OVPN',
 'ovpn on blue' => 'OpenVPN en BLUE',
@@ -1531,6 +1537,7 @@
 'save error' => 'Imposible grabar archivo de configuración',
 'save settings' => 'Guardar configuraciones',
 'save-adv-options' => 'Guardar configuraciones avanzadas',
+'save-enc-options' => 'Guardar opciones de encriptado',
 'script name' => 'Nombre de Script:',
 'secondary dns' => 'DNS Secundario:',
 'secondary ntp server' => 'Servidor NTP Secundario',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index a2d27939c..df19ef316 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1934,10 +1934,15 @@
 'override mtu' => 'Remplacer le MTU par défaut',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Configuration additionnelle',
+'ovpn advanced encryption' => 'Paramètres de cryptage avancés',
+'ovpn client version 25 cipher negotiation' => 'Négocier le cryptage',
+'ovpn client version 25 warning' => 'Disponible avec le client version 2.5.0 et supérieur',
 'ovpn con stat' => 'Statistiques de connexions OpenVPN',
 'ovpn config' => 'Config OVPN',
 'ovpn connection name' => 'Nom de la connexion ',
 'ovpn crypt options' => 'Options cryptographiques',
+'ovpn data encryption' => 'Chiffrage du canal de données',
+'ovpn data channel' => 'Canal de données',
 'ovpn device' => 'Périphérique OpenVPN :',
 'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ',
 'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ',
@@ -1946,6 +1951,7 @@
 'ovpn dl' => 'Télécharger Config OVPN',
 'ovpn engines' => 'Moteur Crypto',
 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée',
+'ovpn errmsg invalid data cipher input' => 'Le chiffrage de données nécessite au moins un cryptogramme',
 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide',
 'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>',
 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n\'est plus acceptée. <br>Veuillez mettre à jour la dernière version d\'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>',
@@ -2200,6 +2206,7 @@
 'save error' => 'Impossible de sauvegarder le fichier archive de configuration',
 'save settings' => 'Sauvegarder les paramètres',
 'save-adv-options' => 'Sauvegarder les options avancées',
+'save-enc-options' => 'Enregistrer les options de chiffrage',
 'script name' => 'Nom du script :',
 'search' => 'Recherche',
 'secondary dns' => 'DNS secondaire :',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 14436de4b..1c190eff2 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -43,6 +43,11 @@
 'Number of IPs for the pie chart' => 'Numero di IP per il grafico a torta',
 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta',
 'OVPN' => 'OpenVPN',
+'ovpn data encryption' => 'Crittografia del canale dati',
+'ovpn data channel' => 'Canale-Dati',
+'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia',
+'ovpn client version 25 cipher negotiation' => 'Negozazione cirttografia',
+'ovpn client version 25 warning' => 'Disponibile con client 2.5.0 o più recente',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Pagine',
 'Ping' => 'Ping :',
@@ -1701,6 +1706,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for Verde network is always set',
+'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
 'ovpn ha' => 'Hash algorithm',
@@ -1928,6 +1934,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Salva impostazioni di crittografia',
 'script name' => 'Script name:',
 'secondary dns' => 'DNS Secondario:',
 'secondary ntp server' => 'NTP server secondario',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 53341a6f8..8207399e2 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -43,6 +43,9 @@
 'Number of IPs for the pie chart' => 'Aantal IPs voor de taartdiagram',
 'Number of Ports for the pie chart' => 'Aantal poorten voor de taartdiagram',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Geavanceerde versleuteling instellingen',
+'ovpn client version 25 cipher negotiation' => 'Onderhandel over versleuteling',
+'ovpn client version 25 warning' => 'Beschikbaar met clientversie 2.5.0 en hoger',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Pagina\'s',
 'Ping' => 'Ping :',
@@ -1655,9 +1658,12 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'OpenVPN connectiestatistieken',
 'ovpn config' => 'OVPN-Configuratie',
+'ovpn data encryption' => 'Datakanaalversleuteling',
+'ovpn data channel' => 'Data-kanaal',
 'ovpn device' => 'OpenVPN apparaat:',
 'ovpn dl' => 'OVPN-Configuratie download',
 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet',
+'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig',
 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.',
@@ -1881,6 +1887,7 @@
 'save error' => 'Kan configuratie-archief niet opslaan',
 'save settings' => 'Opslaan instellingen',
 'save-adv-options' => 'Opslaan geavanceerde opties',
+'save-enc-options' => 'Bewaar encryptie opties',
 'script name' => 'Scriptnaam:',
 'secondary dns' => 'Secondaire DNS:',
 'secondary ntp server' => 'Secondaire NTP server',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 63c8a1793..f9fbe57df 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -37,6 +37,9 @@
 'Number of IPs for the pie chart' => 'Liczba numerów IP na wykresie kołowym',
 'Number of Ports for the pie chart' => 'Liczba portów na wykresie kołowym',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania',
+'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania',
+'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Stron',
 'Ping' => 'Ping :',
@@ -1340,8 +1343,11 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Statystyki połączeń OpenVPN',
 'ovpn config' => 'OVPN-Konfig',
+'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
+'ovpn data channel' => 'Kanał-Danych',
 'ovpn device' => 'Urządzenie OpenVPN:',
 'ovpn dl' => 'Pobierz konfig OVPN',
+'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru',
 'ovpn log' => 'Log OVPN',
 'ovpn on blue' => 'OpenVPN na int. BLUE',
 'ovpn on orange' => 'OpenVPN na int. ORANGE',
@@ -1543,6 +1549,7 @@
 'save error' => 'Nie można zapisać konfiguracji do pliku archiwum',
 'save settings' => 'Zapisz ustawienia',
 'save-adv-options' => 'Zapisz zaawansowane ustawienia',
+'save-enc-options' => 'Zapisywanie opcji szyfrowania',
 'script name' => 'Nazwa skryptu:',
 'secondary dns' => 'Zapasowy DNS:',
 'secondary ntp server' => 'Zapasowy serwer NTP',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 4f69dc47a..700a8d838 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -35,6 +35,9 @@
 'Number of IPs for the pie chart' => 'Число IP для круглых графиков',
 'Number of Ports for the pie chart' => 'Число портов для круглых графиков',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Расширенные настройки шифрования',
+'ovpn client version 25 cipher negotiation' => 'Обсудить шифрование',
+'ovpn client version 25 warning' => 'Доступно с клиентской версией 2.5.0 и выше',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Страницы',
 'Ping' => 'Пинг :',
@@ -1331,9 +1334,12 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Статистика подключений OpenVPN',
 'ovpn config' => 'Настройки OVPN',
+'ovpn data encryption' => 'шифрование-каналов данных',
+'ovpn data channel' => 'Информационный-канал',
 'ovpn device' => 'Устройство OpenVPN:',
 'ovpn dl' => 'Загрузка настроек OVPN',
 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён',
+'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр',
 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти',
 'ovpn log' => 'Журнал OVPN',
 'ovpn on blue' => 'OpenVPN на BLUE',
@@ -1538,6 +1544,7 @@
 'save error' => 'Не получилось сохранить архив настроек',
 'save settings' => 'Сохранить настройки',
 'save-adv-options' => 'Сохранить дополнительные настройки',
+'save-enc-options' => 'Сохранить параметры шифрования',
 'script name' => 'Имя скрипта:',
 'secondary dns' => 'Второй DNS:',
 'secondary ntp server' => 'Второй NTP сервер',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 34e8bdcf7..0c64063c7 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1835,9 +1835,14 @@
 'override mtu' => 'Varsayılan MTU seçeneğini geçersiz kıl',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Ek yapılandırma',
+'ovpn advanced encryption' => 'Gelişmiş şifreleme ayarları',
+'ovpn client version 25 cipher negotiation' => 'Şifrelemeyi görüşün',
+'ovpn client version 25 warning' => 'İstemci sürümü 2.5.0 ve üstü ile mevcuttur',
 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği',
 'ovpn config' => 'OVPN-Yapılandırması',
 'ovpn crypt options' => 'Şifreleme seçenekleri',
+'ovpn data channel' => 'Veri-Kanalı',
+'ovpn data encryption' => 'Veri-Kanalı şifreleme',
 'ovpn device' => 'OpenVPN aygıtı:',
 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
@@ -1846,6 +1851,7 @@
 'ovpn dl' => 'OVPN-Yapılandırması İndir',
 'ovpn engines' => 'Şifreleme motoru',
 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla',
+'ovpn errmsg invalid data cipher input' => 'Veri şifresinin en az bir şifreye ihtiyacı var',
 'ovpn errmsg invalid ip or mask' => 'Geçersiz ağ adresi veya alt ağ maskesi',
 'ovpn generating the root and host certificates' => 'Root ve ana bilgisayar sertifika üretimi uzun zaman alabilir.',
 'ovpn ha' => 'Hash algorithması',
@@ -2080,6 +2086,7 @@
 'save error' => 'Yapılandırma arşiv dosyası kaydedilemiyor.',
 'save settings' => 'Ayarları kaydet',
 'save-adv-options' => 'Gelişmiş Seçenekleri Kaydet',
+'save-enc-options' => 'Şifreleme Seçeneklerini Kaydedin',
 'script name' => 'Komut adı:',
 'search' => 'Ara',
 'secondary dns' => 'İkincil DNS:',
-- 
2.20.1

[PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 42121 bytes --]

- The TLS authentication has been enhanced with --tls-crypt and with
OpenVPN version 2.5.0 new introduced --tls-crypt-v2 .
- New keys will be shown and can partly be downloaded over the
"Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up from encryption
settings which follows the IPSec WUI style.

Signed-off-by: ummeegge <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 304 +++++++++++++++++++++++++++++++-------
 langs/de/cgi-bin/de.pl    |  10 +-
 langs/en/cgi-bin/en.pl    |  12 +-
 langs/es/cgi-bin/es.pl    |  10 ++
 langs/fr/cgi-bin/fr.pl    |  12 +-
 langs/it/cgi-bin/it.pl    |   7 +-
 langs/nl/cgi-bin/nl.pl    |  13 +-
 langs/pl/cgi-bin/pl.pl    |  10 ++
 langs/ru/cgi-bin/ru.pl    |  11 ++
 langs/tr/cgi-bin/tr.pl    |   9 ++
 10 files changed, 334 insertions(+), 64 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index a80befdb6..23085e763 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -371,9 +371,19 @@ sub writeserverconf {
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
 
-    if ($sovpnsettings{'TLSAUTH'} eq 'on') {
-	print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
-    }
+	# TLS control channel authentication
+	if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+		if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+			print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+		}
+		if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+			print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+		}
+		if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+			print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n";
+		}
+	}
+
     if ($sovpnsettings{DCOMPLZO} eq 'on') {
         print CONF "comp-lzo\n";
     }
@@ -959,6 +969,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 
 	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
+	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 
@@ -982,6 +993,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
 	}
 
+	# Create ta.key for tls-auth if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'on') {
+		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+			system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	# Create tc.key for tls-crypt if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+		if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+			system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	# Create tc-v2-server.key for tls-crypt-v2 server if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') {
+		if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+			system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
 	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 	&writeserverconf();
 }
@@ -1272,17 +1316,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	goto SETTINGS_ERROR;
     }
 
-	# Create ta.key for tls-auth if not presant
-	if ($cgiparams{'TLSAUTH'} eq 'on') {
-		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
-			system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
-			if ($?) {
-				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-				goto SETTINGS_ERROR;
-			}
-		}
-	}
-
     $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
     $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
     $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
@@ -1293,7 +1326,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
 
   if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
@@ -1723,12 +1755,34 @@ END
 ### Download tls-auth key
 ###
 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
-    if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
-	print "Content-Type: application/octet-stream\r\n";
-	print "Content-Disposition: filename=ta.key\r\n\r\n";
-	print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
-	exit(0);
-    }
+	if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=ta.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+		exit(0);
+	}
+
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+	if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=tc.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		exit(0);
+	}
+
+###
+### Download tls-crypt-v2 key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) {
+	if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		exit(0);
+	}
 
 ###
 ### Form for generating a root certificate
@@ -2451,13 +2505,37 @@ else
 
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
-    if ($vpnsettings{'TLSAUTH'} eq 'on') {
-	if ($cgiparams{'MODE'} eq 'insecure') {
-		print CLIENTCONF ";";
-	}
-	print CLIENTCONF "tls-auth ta.key\r\n";
-	$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
+	# Comment TLS-Auth directive if 'insecure' mode has been choosen
+	if ($vpnsettings{'TLSAUTH'} eq 'on') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-auth ta.key\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
+
+	# Comment TLS-Crypt directive if 'insecure' mode has been choosen
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-crypt tc.key\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key")  or die "Can't add file tc.key\n";
+	}
+
+	# Comment TLS-Crypt-v2 directive if 'insecure' mode has been choosen and generate individual key
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n";
+		# Generate individual tls-crypt-v2 client key
+		my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+		system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+		# Add individual tls-crypt-v2 client key to client package
+		$zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key")  or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n";
+	}
+
     if ($vpnsettings{DCOMPLZO} eq 'on') {
         print CLIENTCONF "comp-lzo\r\n";
     }
@@ -2514,7 +2592,33 @@ else
 	print CLIENTCONF "</key>\r\n\r\n";
 	close(FILE);
 
-	# TLS auth
+	# Create individual tls-crypt-v2 client key and print it to client.conf if 'insecure' has been selected
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+		my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+		system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+		open(FILE, "<$cryptfile");
+		print CLIENTCONF "<tls-crypt-v2>\r\n";
+		while (<FILE>) {
+			chomp($_);
+			print CLIENTCONF "$_\r\n";
+		}
+		print CLIENTCONF "</tls-crypt-v2>\r\n\r\n";
+		close(FILE);
+	}
+
+	# Print TLS-Crypt key to client.ovpn if 'insecure' has been selected
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+		open(FILE, "<${General::swroot}/ovpn/certs/tc.key");
+		print CLIENTCONF "<tls-crypt>\r\n";
+		while (<FILE>) {
+			chomp($_);
+			print CLIENTCONF "$_\r\n";
+		}
+		print CLIENTCONF "</tls-crypt>\r\n\r\n";
+		close(FILE);
+	}
+
+	# Print TLS-Auth key to client.ovpn if 'insecure' has been selected
 	if ($vpnsettings{'TLSAUTH'} eq 'on') {
 		open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
 		print CLIENTCONF "<tls-auth>\r\n";
@@ -2706,6 +2810,50 @@ else
 		exit(0);
     }
 
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+	if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+		$errormessage = $Lang::tr{'not present'};
+	} else {
+		&Header::showhttpheaders();
+		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+		&Header::openbigbox('100%', 'LEFT', '', '');
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+		my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$output = &Header::cleanhtml($output,"y");
+		print "<pre>$output</pre>\n";
+		&Header::closebox();
+		print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+		&Header::closebigbox();
+		&Header::closepage();
+		exit(0);
+	}
+
+###
+### Display tls-crypt-v2 server key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) {
+
+	if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+		$errormessage = $Lang::tr{'not present'};
+	} else {
+		&Header::showhttpheaders();
+		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+		&Header::openbigbox('100%', 'LEFT', '', '');
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}");
+		my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		$output = &Header::cleanhtml($output,"y");
+		print "<pre>$output</pre>\n";
+		&Header::closebox();
+		print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+		&Header::closebigbox();
+		&Header::closepage();
+		exit(0);
+	}
+
 ###
 ### Display Certificate Revoke List
 ###
@@ -2758,9 +2906,6 @@ ADV_ERROR:
     if ($cgiparams{'LOG_VERB'} eq '') {
 		$cgiparams{'LOG_VERB'} =  '3';
     }
-    if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-    }
     $checked{'CLIENT2CLIENT'}{'off'} = '';
     $checked{'CLIENT2CLIENT'}{'on'} = '';
     $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
@@ -2981,6 +3126,7 @@ END
 	}
 	$confighash{$key}[39] = $cgiparams{'DAUTH'};
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+	$confighash{$key}[41] = $cgiparams{'TLSAUTH'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
 	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
 	$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
@@ -3004,6 +3150,17 @@ ADV_ENC_ERROR:
 	@temp = split('\|', $cgiparams{'DAUTH'});
 	foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
 
+	# Set default for TLS control authentication
+	if ($cgiparams{'TLSAUTH'} eq '') {
+		$cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41]
+	}
+	$checked{'TLSAUTH'}{'on'} = '';
+	$checked{'TLSAUTH'}{'off'} = '';
+	$checked{'TLSAUTH'}{'tls-crypt'} = '';
+	$checked{'TLSAUTH'}{'tls-crypt-v2'} = '';
+	@temp = split('\|', $cgiparams{'TLSAUTH'});
+	foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; }
+
 	# Set default for data-cipher-fallback (the old --cipher directive)
 	if ($cgiparams{'DCIPHER'} eq '') {
 		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
@@ -3058,12 +3215,14 @@ ADV_ENC_ERROR:
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+		$confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
 		$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+		$cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
 		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
 		$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
@@ -3175,6 +3334,7 @@ ADV_ENC_ERROR:
 			<tr>
 				<th width="15%"></th>
 				<th>$Lang::tr{'ovpn ha'}</th>
+				<th>$Lang::tr{'ovpn tls auth'}</th>
 			</tr>
 		</thead>
 		<tbody>
@@ -3193,6 +3353,14 @@ ADV_ENC_ERROR:
 						<option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
 						<option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
 					</select>
+
+				<td class='boldbase'>
+					<select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option>
+						<option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option>
+						<option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option>
+						<option value='off' $checked{'TLSAUTH'}{'off'}>Off</option>
+					</select>
 				</td>
 			</tr>
 		</tbody>
@@ -3972,7 +4140,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		$cgiparams{'CCD_WINS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
 		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
-		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
 		# Index from [39] to [44] has been reserved by advanced encryption
 		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
@@ -4890,10 +5057,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     if (1) {
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
@@ -5439,9 +5602,6 @@ END
     if ($cgiparams{'MSSFIX'} eq '') {
 		$cgiparams{'MSSFIX'} = 'off';
     }
-	if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-	}
     if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 		$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
     }
@@ -5459,10 +5619,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     $checked{'DCOMPLZO'}{'off'} = '';
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
@@ -5565,17 +5721,6 @@ END
         <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
     </tr>
 
-	<tr><td colspan='4'><br></td></tr>
-	<tr>
-		<td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
-	</tr>
-	<tr><td colspan='1'><br></td></tr>
-
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
-		<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
-	</tr>
-
     <tr><td colspan='4'><br><br></td></tr>
 END
 ;				   
@@ -5874,6 +6019,10 @@ END
     my $col3="bgcolor='$color{'color22'}'";
     # ta.key line
     my $col4="bgcolor='$color{'color20'}'";
+	# tc-v2.key line
+	my $col5="bgcolor='$color{'color22'}'";
+	# tc.key
+	my $col6="bgcolor='$color{'color20'}'";
 
     if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
 		my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
@@ -6003,7 +6152,7 @@ END
 		# Nothing
 		print <<END;
 		<tr>
-			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td>
 			<td class='base' $col4>$Lang::tr{'not present'}</td>
 			<td colspan='3' $col4>&nbsp;</td>
 		</tr>
@@ -6011,6 +6160,51 @@ END
 		;
     }
 
+	# Adding tc-v2.key to chart
+	if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+		my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		$tcvsubject    =~ /-----BEGIN (.*)-----[\n]/;
+		$tcvsubject    = $1;
+		print <<END;
+
+		<tr>
+			<td class='base' $col5>$Lang::tr{'tc v2 key'}</td>
+			<td class='base' $col5>$tcvsubject</td>
+				<form method='post' name='frmtcv2key'><td width='3%' align='center' $col5>
+					<input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' />
+					<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' />
+				</form>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col5>
+			<td width='4%' $col5>&nbsp;</td>
+		</tr>
+END
+;
+	}
+
+	# Adding tc.key to chart
+	if (-f "${General::swroot}/ovpn/certs/tc.key") {
+		my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$tcsubject    =~ /# (.*)[\n]/;
+		$tcsubject    = $1;
+		print <<END;
+
+		<tr>
+			<td class='base' $col6>$Lang::tr{'tc key'}</td>
+			<td class='base' $col6>$tcsubject</td>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' />
+					<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' />
+				</form>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' />
+					<input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' />
+				</form>
+			<td width='4%' $col6>&nbsp;</td>
+		</tr>
+END
+;
+	}
+
     if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
         print "<tr><td colspan='5' align='center'><form method='post'>";
 		print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index a4c166bfe..b6093be3e 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -894,6 +894,9 @@
 'download new ruleset' => 'Neuen Regelsatz herunterladen',
 'download pkcs12 file' => 'PKCS12-Datei herunterladen',
 'download root certificate' => 'Root-Zertifikat herunterladen',
+'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen',
+'download tls-crypt key' => 'TLS-Crypt Schlüssel herunterladen',
+'download tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel herunterladen',
 'download tls-auth key' => 'tls-auth Key herunterladen',
 'dpd action' => 'Aktion für Erkennung toter Gegenstellen (Dead Peer Detection)',
 'dpd delay' => 'Verzögerung',
@@ -1951,7 +1954,7 @@
 'ovpn subnet' => 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
-'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn tls auth' => 'TLS-Kanalabsicherung',
 'ovpn warning 64 bit block cipher' => 'Diser Algorithmus ist unsicher und wird bald entfernt. <br>Bitte ändern Sie dies so schnell wie möglich!</br>',
 'ovpn warning algorithm' => 'Folgender Algorithmus wurde konfiguriert',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2226,6 +2229,9 @@
 'show last x lines' => 'die letzten x Zeilen anzeigen',
 'show root certificate' => 'Root-Zertifikat anzeigen',
 'show share options' => 'Anzeige der Freigabeeinstellungen',
+'show tls-auth key' => 'TLS-Auth Schlüssel anzeigen',
+'show tls-crypt key' => 'TLS-Crypt Schlüssel anzeigen',
+'show tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel anzeigen',
 'shuffle' => 'Zufall',
 'shutdown' => 'Herunterfahren',
 'shutdown ask' => 'Herunterfahren?',
@@ -2352,6 +2358,8 @@
 'system logs' => 'Systemprotokolldateien',
 'system status information' => 'System-Statusinformationen',
 'ta key' => 'TLS-Authentifizierungsschlüssel',
+'tc key' => 'TLS-Kryptografie-Schlüssel',
+'tc v2 key' => 'TLS-Kryptografie-Schlüssel-Version2',
 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (zuverlässiger)',
 'telephone not set' => 'Telefonnummer nicht angegeben.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index dc324676a..fe2a9d65d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -918,7 +918,9 @@
 'download new ruleset' => 'Download new ruleset',
 'download pkcs12 file' => 'Download PKCS12 file',
 'download root certificate' => 'Download root certificate',
-'download tls-auth key' => 'Download tls-auth key',
+'download tls-auth key' => 'Download TLS-Auth key',
+'download tls-crypt key' => 'Download TLS-Crypt key',
+'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key',
 'dpd action' => 'Action',
 'dpd delay' => 'Delay',
 'dpd timeout' => 'Timeout',
@@ -1983,7 +1985,7 @@
 'ovpn subnet' => 'OpenVPN subnet:',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
-'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn tls auth' => 'TLS Channel Protection',
 'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will soon be removed. <br>Please change this as soon as possible!</br>',
 'ovpn warning algorithm' => 'You configured the algorithm',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2262,7 +2264,9 @@
 'show lines' => 'Show lines',
 'show root certificate' => 'Show root certificate',
 'show share options' => 'Show shares options',
-'show tls-auth key' => 'Show tls-auth key',
+'show tls-auth key' => 'Show TLS-Auth key',
+'show tls-crypt key' => 'Show TLS-Crypt key',
+'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key',
 'shuffle' => 'Shuffle',
 'shutdown' => 'Shutdown',
 'shutdown ask' => 'Shutdown?',
@@ -2390,6 +2394,8 @@
 'system logs' => 'System Logs',
 'system status information' => 'System Status Information',
 'ta key' => 'TLS-Authentification-Key',
+'tc key' => 'TLS-Cryptografic-Key',
+'tc v2 key' => 'TLS-Cryptografic-Key-version2',
 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (more reliable)',
 'telephone not set' => 'Telephone not set.',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 1a0272b8a..99aa73482 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -717,6 +717,9 @@
 'download new ruleset' => 'Descargar nuevo grupo de reglas',
 'download pkcs12 file' => 'Descargar archivo PKCS12',
 'download root certificate' => 'Descargar certificado root',
+'download tls-auth key' => 'Descargar llave TLS-Auth',
+'download tls-crypt key' => 'Descargar llave TLS-Crypt',
+'download tls-crypt-v2 key' => 'Descargar llave servidor TLS-Crypt-v2',
 'dpd action' => 'Acción al detectar Dead Peer',
 'driver' => 'Driver',
 'drop input' => 'Registrar paquetes descartados',
@@ -1352,6 +1355,7 @@
 'ovpn subnet' => 'Subred de OpenVPN (ej. 10.0.10.0/255.255.255.0',
 'ovpn subnet is invalid' => 'Subred de OpenVPN no es válida.',
 'ovpn subnet overlap' => 'La subred de OpenVPN se traslapa con:',
+'ovpn tls auth' => 'Protección Canal TLS',
 'ovpn warning 64 bit block cipher' => 'Este algoritmo de cifrado del  está roto y pronto se eliminará. <br>¡Por favor, cambie esto lo antes posible!</br>',
 'ovpn warning algorithm' => 'Se configuró el siguiente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
@@ -1596,6 +1600,9 @@
 'show lines' => 'Mostrar líneas',
 'show root certificate' => 'Mostrar certificado root',
 'show share options' => 'Mostrar opciones de recursos compartidos',
+'show tls-auth key' => 'Mostrar llave TLS-Auth',
+'show tls-crypt key' => 'Mostrar llave TLS-Crypt',
+'show tls-crypt-v2 key' => 'Mostrar llave TLS-Crypt-v2',
 'shuffle' => 'Al azar',
 'shutdown' => 'Apagar',
 'shutdown ask' => '¿Apagar?',
@@ -1698,6 +1705,9 @@
 'system log viewer' => 'Visor de registros (logs) del sistema',
 'system logs' => 'Registros del sistema',
 'system status information' => 'Información de status del sistema',
+'ta key' => 'Clave de Autentificación-TLS',
+'tc key' => 'Clave Criptográfica-TLS',
+'tc v2 key' => 'Clave Criptográfica-TLS versión 2',
 'telephone not set' => 'Teléfono no establecido.',
 'template' => 'Preestablecido',
 'template warning' => 'Tiene dos opciones para establecer QoS. La primera, presionar el botón Guardar y generar clases y reglas por ud. mismo. La segunda, presione el botón preestablecidos y las clases y reglas se generarán a partir de una plantilla',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index d5deea1c0..349ebb83d 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -921,7 +921,9 @@
 'download new ruleset' => 'Télécharger de nouvelles règles',
 'download pkcs12 file' => 'Télécharger le fichier PKCS12',
 'download root certificate' => 'Télécharger le certificat Root',
-'download tls-auth key' => 'Télécharger la clé tls-auth',
+'download tls-auth key' => 'Télécharger la clé TLS-Auth',
+'download tls-crypt key' => 'Télécharger la clef TLS-Crypt',
+'download tls-crypt-v2 key' => 'Télécharger la clef server TLS-Crypt-v2',
 'dpd action' => 'Détection du pair mort',
 'dpd delay' => 'Retard',
 'dpd timeout' => 'Délai dépassé',
@@ -1984,7 +1986,7 @@
 'ovpn subnet' => 'Sous-réseau OpenVPN',
 'ovpn subnet is invalid' => 'Sous-réseau OpenVPN non valide.',
 'ovpn subnet overlap' => 'Le sous-réseau OpenVPN se chevauche avec : ',
-'ovpn tls auth' => 'Protection du canal TLS :',
+'ovpn tls auth' => 'Protection du canal TLS',
 'ovpn warning 64 bit block cipher' => 'Ce L\'algorithme de chiffage du n\'est plus sûr et sera bientôt supprimé. <br>Veuillez changer cela dès que possible!</br>',
 'ovpn warning algorithm' => 'L\'algorithme suivant a été configuré',
 'ovpn warning rfc3280' => 'Votre certificat d\'hôte n\'est pas conforme avec la RFC3280.<br>Veuillez mettre à jour la dernière version d\'IPFire et générer dès que possible un nouveau certificat racine et hôte.</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés !</br>',
@@ -2266,7 +2268,9 @@
 'show lines' => 'Montrer les lignes',
 'show root certificate' => 'Afficher le certificat root',
 'show share options' => 'Montrer les options partagées',
-'show tls-auth key' => 'Afficher clef tls-auth',
+'show tls-auth key' => 'Afficher clef TLS-Auth',
+'show tls-crypt key' => 'Montrer la clef TLS-Crypt',
+'show tls-crypt-v2 key' => 'Montrer la clef TLS-Crypt-v2',
 'shuffle' => 'Mélanger',
 'shutdown' => 'Arrêter',
 'shutdown ask' => 'Arrêter ?',
@@ -2394,6 +2398,8 @@
 'system logs' => 'Rapports système',
 'system status information' => 'Informations sur le statut du système',
 'ta key' => 'Clé d\'authentification TLS',
+'tc key' => 'Clef de chiffrage TLS',
+'tc v2 key' => 'Clef de chiffrage TLS version2',
 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (plus fiable)',
 'telephone not set' => 'Numéro de téléphone non défini.',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index ad16de583..cbbb3bb80 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -1739,6 +1739,7 @@
 'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
+'ovpn tls auth' => 'Protezione del canale TLS',
 'ovpn warning 64 bit block cipher' => 'L\'algoritmo di crittografia è insicuro e verrà presto disinstallato.<br>Si prega di cambiare il più presto possibile!</br>',
 'ovpn warning algorithm' => 'È stato configurato il seguente algoritmo',
 'ovpn_fastio' => 'Fast-IO',
@@ -1994,7 +1995,9 @@
 'show lines' => 'Show lines',
 'show root certificate' => 'Show root certificate',
 'show share options' => 'Show shares options',
-'show tls-auth key' => 'Show tls-auth key',
+'show tls-auth key' => 'Mostra la chiave TLS-Auth',
+'show tls-crypt key' => 'Mostra la chiave TLS-Crypt',
+'show tls-crypt-v2 key' => 'Mostra la chiave TLS-Crypt v2',
 'shuffle' => 'Shuffle',
 'shutdown' => 'Spegni',
 'shutdown ask' => 'Spegni?',
@@ -2107,6 +2110,8 @@
 'system logs' => 'Log di Sistema',
 'system status information' => 'Informazioni e stato del sistema',
 'ta key' => 'TLS-Authentification-Key',
+'tc key' => 'Chiave-Crittografica-TLS',
+'tc v2 key' => 'Chiave-Crittografica-TLS-v2',
 'telephone not set' => 'Telephone not set.',
 'template' => 'Preset',
 'template warning' => 'Ci sono due opzioni per impostare il Qos. La prima: si preme il pulsante Salva e poi si generano le classi e le regole da soli. La seconda: si preme il tasto di preset e le classi e le regole saranno automaticamente generate da un modello.',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index b0f037e0c..23ccaedf9 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -794,6 +794,9 @@
 'download new ruleset' => 'Download nieuwe regelset',
 'download pkcs12 file' => 'Download PKCS12 bestand',
 'download root certificate' => 'Download root certificaat',
+'download tls-auth key' => 'Download TLS-Auth sleutel',
+'download tls-crypt key' => 'Download TLS-Crypt sleutel',
+'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server sleutel',
 'dpd action' => 'Dead peer-detectie actie',
 'dpd delay' => 'Vertraging',
 'dpd timeout' => 'Timeout',
@@ -1660,12 +1663,13 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'OpenVPN connectiestatistieken',
 'ovpn config' => 'OVPN-Configuratie',
+'ovpn crypt options' => 'Cryptografische opties',
 'ovpn channel encryption' => 'Control-kanaal versleuteling',
 'ovpn control channel v2' => 'Controle-Kanaal TLSv2',
 'ovpn control channel v3' => 'Controle-Kanaal TLSv3',
 'ovpn data encryption' => 'Datakanaalversleuteling',
 'ovpn data channel authentication' => 'Gegevens en kanaal verificatie',
-'ovpn data channel' => 'Data-kanaal',
+'ovpn data channel' => 'Data-Kanaal',
 'ovpn data channel fallback' => 'Data-Kanaal terugval',
 'ovpn device' => 'OpenVPN apparaat:',
 'ovpn dl' => 'OVPN-Configuratie download',
@@ -1693,6 +1697,7 @@
 'ovpn subnet' => 'OpenVPN subnet (bijv. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'OpenVPN subnet is ongeldig.',
 'ovpn subnet overlap' => 'OpenVPN subnet overlapt met : ',
+'ovpn tls auth' => 'TLS Kanaal bescherming',
 'ovpn warning 64 bit block cipher' => 'Dit encryptie algoritme is verbroken en zal binnenkort worden verwijderd. <br>Verander dit zo snel mogelijk!</br>',
 'ovpn warning algorithm' => 'U hebt het algoritme geconfigureerd',
 'ovpn warning rfc3280' => 'Uw gastheercertificaat is niet RFC3280-conform. <br>Please-update naar de nieuwste IPFire-versie en genereer zo snel mogelijk een nieuw root- en host-certificaat.</br><br>Alle OpenVPN-clients moeten dan vernieuwd worden!</br>',
@@ -1948,6 +1953,9 @@
 'show lines' => 'Toon regels',
 'show root certificate' => 'Toon root certificaat',
 'show share options' => 'Toon shares opties',
+'show tls-auth key' => 'Toon TLS-Auth sleutel',
+'show tls-crypt key' => 'Toon TLS-Crypt sleutel',
+'show tls-crypt-v2 key' => 'Toon TLS-Crypt-v2 sleutel',
 'shuffle' => 'Willekeurige volgorde',
 'shutdown' => 'Afsluiten',
 'shutdown ask' => 'Afsluiten?',
@@ -2057,6 +2065,9 @@
 'system log viewer' => 'Systeem Log Viewer',
 'system logs' => 'Systeem logs',
 'system status information' => 'Systeem Status Informatie',
+'ta key' => 'TLS-Authentificatie-sleutel',
+'tc key' => 'TLS-Cryptografische-sleutel',
+'tc v2 key' => 'TLS-Cryptografische sleutel-versie2',
 'telephone not set' => 'Telefoon niet ingesteld.',
 'template' => 'Vooringesteld',
 'template warning' => 'U heeft twee opties voor QoS. Bij de eerste klikt u op de knop opslaan en genereert u zelf de klassen en regels. Voor de tweede klikt u op de "vooringesteld" knop en worden de regels middels een sjabloon voor u ingesteld.',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 5e8ec0864..fb7c12e85 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -719,6 +719,9 @@
 'download new ruleset' => 'Pobierz nowy zestaw reguł',
 'download pkcs12 file' => 'Pobierz plik PKCS12',
 'download root certificate' => 'Pobierz certyfikat root',
+'download tls-auth key' => 'Pobierz klucz TLS-Auth',
+'download tls-crypt key' => 'Pobierz klucz TLS-Crypt',
+'download tls-crypt-v2 key' => 'Pobierz klucz serwera TLS-Crypt-v2',
 'dpd action' => 'Dead Peer Detection action',
 'driver' => 'Sterownik',
 'drop input' => 'Loguj odrzucone pakiety wejściowe (input packets)',
@@ -1365,6 +1368,7 @@
 'ovpn subnet' => 'Podsieć OpenVPN (np. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Podsieć OpenVPN jest niepoprawna.',
 'ovpn subnet overlap' => 'Podsieć OpenVPN zachodzi na : ',
+'ovpn tls auth' => 'Ochrona Kanału-TLS',
 'ovpn warning 64 bit block cipher' => 'Szyfr danych wymaga co najmniej jednego szyfru. <br>Proszę to zmienić jak najszybciej!</br>',
 'ovpn warning algorithm' => 'Skonfigurowałeś algorytm',
 'ovpn_fastio' => 'Fast-IO',
@@ -1609,6 +1613,9 @@
 'show lines' => 'Pokaż linie',
 'show root certificate' => 'Pokaż certyfikat root',
 'show share options' => 'Pokaż opcje zasobu',
+'show tls-auth key' => 'Pokaż klucz TLS-Auth',
+'show tls-crypt key' => 'Pokaż klucz TLS-Crypt',
+'show tls-crypt-v2 key' => 'Pokaż klucz TLS-Crypt-v2',
 'shuffle' => 'Losowo',
 'shutdown' => 'Wyłącz',
 'shutdown ask' => 'Wyłączyć?',
@@ -1712,6 +1719,9 @@
 'system log viewer' => 'Przegląd logów systemu',
 'system logs' => 'Logi systemu',
 'system status information' => 'Informacje o stanie systemu',
+'ta key' => 'TLS-Klucz-Uwierzytelniający',
+'tc key' => 'TLS-Klucz-Kryptograficzny',
+'tc v2 key' => 'TLS-Klucz-Kryptograficzny-wersja2',
 'telephone not set' => 'Telephone not set.',
 'template' => 'Schemat',
 'template warning' => 'Masz 2 możliwości skonfigurowania QoS. Pierwsza to naciśnięcie przycisku zapisz i skonfigurowanie klas i reguł samodzielnie. Druga to wciśnięcie przycisku schemat aby utworzyć klasy i reguły ze schematu.',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 6e3af2d7e..c4520ae2c 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -714,6 +714,9 @@
 'download new ruleset' => 'Загрузить новые правила',
 'download pkcs12 file' => 'Загрузить PKCS12 файл',
 'download root certificate' => 'Загрузить root сертификат',
+'download tls-auth key' => 'Скачать TLS-Auth ключ',
+'download tls-crypt key' => 'Скачать TLS-Crypt ключ',
+'download tls-crypt-v2 key' => 'Скачать серверный ключ TLS-Crypt-v2',
 'dpd action' => 'Действие при обнаружении Dead Peer',
 'driver' => 'Драйвер',
 'drop input' => 'Записывать сброшенные входящие пакеты',
@@ -1339,6 +1342,7 @@
 'ovpn channel encryption' => 'Шифрование каналов управления',
 'ovpn control channel v2' => 'Канал-управления TLSv2',
 'ovpn control channel v3' => 'Канал-управления TLSv3',
+'ovpn crypt options' => 'Криптографические опции',
 'ovpn data encryption' => 'шифрование-каналов данных',
 'ovpn data channel authentication' => 'Аутентификация данных и каналов',
 'ovpn data channel' => 'Информационный-канал',
@@ -1359,6 +1363,7 @@
 'ovpn subnet' => 'Подсеть OpenVPN (e.g. 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Подсеть OpenVPN задана неверно.',
 'ovpn subnet overlap' => 'Подсеть OpenVPN пересекается с: ',
+'ovpn tls auth' => 'Защита канала TLS',
 'ovpn warning 64 bit block cipher' => 'Этот алгоритм шифрования сломан и вскоре будет удален. <br>Пожалуйста, измените это как можно скорее!</br>',
 'ovpn warning algorithm' => 'Вы настроили алгоритм',
 'ovpn_fastio' => 'Fast-IO',
@@ -1603,6 +1608,9 @@
 'show lines' => 'Показать строки',
 'show root certificate' => 'Показать root сертификат',
 'show share options' => 'Показать настройки общих ресурсов',
+'show tls-auth key' => 'Показать ключ TLS-Auth',
+'show tls-crypt key' => 'Показать ключ TLS-Crypt',
+'show tls-crypt-v2 key' => 'Показать ключ TLS-Crypt-клавиша-v2',
 'shuffle' => 'Перемешать',
 'shutdown' => 'Выключить',
 'shutdown ask' => 'Выключить?',
@@ -1706,6 +1714,9 @@
 'system log viewer' => 'System Log Viewer',
 'system logs' => 'Системные журналы',
 'system status information' => 'System Status Information',
+'ta key' => 'TLS-Аутентификация-Кей',
+'tc key' => 'TLS-криптографический-ключ',
+'tc v2 key' => 'TLS-криптографическая-версия2',
 'telephone not set' => 'Telephone not set.',
 'template' => 'Задать',
 'template warning' => 'У Вас есть две опции для установки Qos. Первая - нажать кнопку сохранения и сгенерировать классы и правила самостоятельно. Вторая - задать правила по шаблону.',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index e55a73aa3..1cde33dc7 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -879,6 +879,9 @@
 'download new ruleset' => 'Yeni Kural Kümesi İndir',
 'download pkcs12 file' => 'PKCS12 dosyasını indir',
 'download root certificate' => 'Root sertifikasını indir',
+'download tls-auth key' => 'TLS-Auth anahtarını indirin',
+'download tls-crypt key' => 'TLS-Crypt anahtarını indirin',
+'download tls-crypt-v2 key' => 'TLS-Crypt-v2 sunucu anahtarını indirin',
 'download tls-auth key' => 'Tls kimlik doğrulama anahtarını indir',
 'dpd action' => 'Hareketsiz eş algılama eylemi',
 'dpd delay' => 'Gecikme',
@@ -1884,6 +1887,7 @@
 'ovpn subnet' => 'OpenVPN alt ağı (örneğin 10.0.10.0/255.255.255.0)',
 'ovpn subnet is invalid' => 'Geçersiz OpenVPN alt ağı.',
 'ovpn subnet overlap' => 'OpenVPN alt ağı ile örtüşenler: ',
+'ovpn tls auth' => 'TLS Kanal Koruması',
 'ovpn warning 64 bit block cipher' => 'Bu şifreleme algoritması bozuldu ve yakında kaldırılacak. <br> Lütfen bunu mümkün olan en kısa sürede değiştirin!</br>',
 'ovpn warning algorithm' => 'Algoritmayı sen yapılandırdın',
 'ovpn_fastio' => 'Hızlı-IO',
@@ -2148,6 +2152,9 @@
 'show root certificate' => 'Root sertifikasını göster',
 'show share options' => 'Paylaşım seçeneklerini göster',
 'show tls-auth key' => 'Tls kimlik doğrulama anahtarını göster',
+'show tls-auth key' => 'TLS-Auth anahtarını göster',
+'show tls-crypt key' => 'TLS-Crypt anahtarını göster',
+'show tls-crypt-v2 key' => 'TLS-Crypt-v2 anahtarını göster',
 'shuffle' => 'Karma',
 'shutdown' => 'Kapat',
 'shutdown ask' => 'Kapat?',
@@ -2260,6 +2267,8 @@
 'system logs' => 'Sistem Günlükleri',
 'system status information' => 'Sistem Durum Bilgisi',
 'ta key' => 'TLS Kimlik Doğrulama Anahtarı',
+'tc key' => 'TLS-Şifreleme-Anahtarı',
+'tc v2 key' => 'TLS-Şifreleme-Anahtarı-versiyon 2',
 'tcp more reliable' => 'TCP (daha güvenli)',
 'telephone not set' => 'Telefon ayarlanmamış.',
 'template' => 'Ön Ayar',
-- 
2.20.1

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 91 bytes --]

Hi all,
just wanted to ask if there is still interest in this patch series ?

Best,

Erik

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1403 bytes --]

Hello Erik,

Yes, I am very much interested in this.

And I have spent pretty much an hour to make sense out of all of this, and unfortunately have to report that I failed.

I have the problem that I cannot get on top of these things. You are submitting *massive* patchsets, in this case I even believe that the whole things has been submitted a second time, although I do not know if there are any changes.

I could not even find out *what* you are actually trying to do. There are more and more buttons being added and I have not the slightest idea what I am supposed to do with them. I have given my thoughts about the cipher selection and I felt that I have not been heard.

I fear that this is all way too complicated. I cannot review what I do not even understand what the desired outcome is. And failing to understand that either means that it is either way too complicated or I have not read enough anywhere about all of this.

So, could you please summarise for me what you want to achieve here?

Is this supposed to make OpenVPN more compatible, secure, or anything else?

Why do we not talk about this before things are being implemented, or did I just miss the discussion?

-Michael

> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> just wanted to ask if there is still interest in this patch series ?
> 
> Best,
> 
> Erik
> 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 4392 bytes --]

Hi Michael,
thanks for looking into this.

Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael Tremer:
> Hello Erik,
> 
> Yes, I am very much interested in this.
> 
> And I have spent pretty much an hour to make sense out of all of
> this, and unfortunately have to report that I failed.
that´s not good to hear. OK, let me explain... I tried to come up with
a solution where we already have spoken more times about in the past, i
tried to follow up your suggestions, the latest about that topic was
here -->
https://lists.ipfire.org/pipermail/development/2020-October/008441.html
in Oktober to bring up "a select box where multiple algorithms can be
chosen (like in IPsec)". Since --cipher is deprectaed and will be
replaced by --data-ciphers which is a >=2.5.0 option we need another
selection field for the --data-ciphers-fallback which is a replacement
for --cipher and the server uses this directive to talk also to client
which are <2.5.0 .
OpenVPN presses to use cipher negotiation which we have avoid since the
release of 2.4 with --ncp-disable, this option is no also deprecated so
we need to take action on this.

We need to have then two new options, two seletion boxes which are odd
to see in the global section. I tried it in the advanced server section
too and it looks even more confusing with all the other already
existing options, nothing i wanted to do. So i thought your above
linked suggestions are pretty straight forward and the best solution to
build an own crypto section which do have already defaults, nobody
needs to do there anyting, the global section has been cleaned up and
it should be even easier for everone to overview.

It made for me no sense to leave parts of the crypto (TLS-auth and
HMACs) in the global section, especially because there are also even
more algorithms, but also new options for the TLS authentication which
i have all integrated so i moved them also into that place (patch 6/7
and 7/7).

The control-channel cipher selection (patch 5/7) is new and should be
really a part for the advanced ones, therefor no defaults has been set,
it simply won´t appear if nothing has been configured.


I have the problem that I cannot get on top of these things. You are
submitting *massive* patchsets, in this case I even believe that the
whole things has been submitted a second time, although I do not know
if there are any changes.
Yes there are. Old and deprecated ciphers will now be detected and a
warning comes up in the global section to change them as soon as
possible (patch 3/7), also all languages has been translated and has
been included.
Also i wanted to split it in more specific topics for better overview
but it seems that i have been failed.


I could not even find out *what* you are actually trying to do. There
are more and more buttons being added and I have not the slightest idea
what I am supposed to do with them. I have given my thoughts about the
cipher selection and I felt that I have not been heard.
One intention was that you do not need anything to do except you want
to do some advanced crypto stuff. The rest should have already been
made...


I fear that this is all way too complicated. I cannot review what I do
not even understand what the desired outcome is. And failing to
understand that either means that it is either way too complicated or I
have not read enough anywhere about all of this.
Please check out the above linked topic where you have wrote
suggestions that i simply tried to achieve but again, it seems that i
was not successfull with this...


So, could you please summarise for me what you want to achieve here?
Hope i have it done above.


Is this supposed to make OpenVPN more compatible, secure, or anything
else?
Yes both but also easier since the user do not need to do anything but
he should become more security under the hood, the backward and the
forward compatibility should be in a better standing than before and if
someone wants to go into the depth, this is even also possible.


Why do we not talk about this before things are being implemented, or
did I just miss the discussion?
Yes i think you missed some of that, hopefully i could remind you on
some points.


-Michael

Best,

Erik


> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> just wanted to ask if there is still interest in this patch series ?
> 
> Best,
> 
> Erik
> 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 7930 bytes --]

Hi,

> On 14 Dec 2020, at 16:12, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Michael,
> thanks for looking into this.
> 
> Am Montag, dem 14.12.2020 um 14:43 +0100 schrieb Michael Tremer:
>> Hello Erik,
>> 
>> Yes, I am very much interested in this.
>> 
>> And I have spent pretty much an hour to make sense out of all of
>> this, and unfortunately have to report that I failed.
> that´s not good to hear. OK, let me explain... I tried to come up with
> a solution where we already have spoken more times about in the past, i
> tried to follow up your suggestions, the latest about that topic was
> here -->
> https://lists.ipfire.org/pipermail/development/2020-October/008441.html
> in Oktober to bring up "a select box where multiple algorithms can be
> chosen (like in IPsec)". Since --cipher is deprectaed and will be
> replaced by --data-ciphers which is a >=2.5.0 option we need another
> selection field for the --data-ciphers-fallback which is a replacement
> for --cipher and the server uses this directive to talk also to client
> which are <2.5.0 .

Yes, the ciphers. But as far as I understand this, you are offering to select the whole cipher suite. That is something different.

And you are offering different options for TLSv1.3 and lower, which we do not do in IPsec either. You have one selection for both IKEv1 and IKEv2.

> OpenVPN presses to use cipher negotiation which we have avoid since the
> release of 2.4 with --ncp-disable, this option is no also deprecated so
> we need to take action on this.

I will skip my moan about introducing something and then deprecating it shortly after…

I agree that we need to act.

> We need to have then two new options, two seletion boxes which are odd
> to see in the global section. I tried it in the advanced server section
> too and it looks even more confusing with all the other already
> existing options, nothing i wanted to do. So i thought your above
> linked suggestions are pretty straight forward and the best solution to
> build an own crypto section which do have already defaults, nobody
> needs to do there anyting, the global section has been cleaned up and
> it should be even easier for everone to overview.

We have touched this topic multiple times. And I remember the last conclusion as follows:

The average user does not have to touch the advanced options. They have to put in their subnet, select a port and protocol maybe and that is about it. They do not need to think about what cipher to use, because we would have selected a reasonable default. If they want to change something (because of hardware requirements, etc.) they can do that on the advanced page.

I agree that this is all not idea, but adding a third page to this all makes it rather more confusing than less.

> It made for me no sense to leave parts of the crypto (TLS-auth and
> HMACs) in the global section, especially because there are also even
> more algorithms, but also new options for the TLS authentication which
> i have all integrated so i moved them also into that place (patch 6/7
> and 7/7).

I remember that we have agreed to move the existing crypto options to the advanced page.

> The control-channel cipher selection (patch 5/7) is new and should be
> really a part for the advanced ones, therefor no defaults has been set,
> it simply won´t appear if nothing has been configured.

What is the benefit of choosing a different cipher for the control channel?

> I have the problem that I cannot get on top of these things. You are
> submitting *massive* patchsets, in this case I even believe that the
> whole things has been submitted a second time, although I do not know
> if there are any changes.
> Yes there are. Old and deprecated ciphers will now be detected and a
> warning comes up in the global section to change them as soon as
> possible (patch 3/7), also all languages has been translated and has
> been included.
> Also i wanted to split it in more specific topics for better overview
> but it seems that i have been failed.

I do not think that you have failed. I just think that it is not clear what the patch intended to do. So I cannot really look at it and verify if the code actually does what you want it to do.

Could it have been split into even smaller changes? Yes, would that have helped? Maybe. But I do not think that we should waste too much time to reformat the patches. I want the changes to be ready to be merged as soon as possible.

> I could not even find out *what* you are actually trying to do. There
> are more and more buttons being added and I have not the slightest idea
> what I am supposed to do with them. I have given my thoughts about the
> cipher selection and I felt that I have not been heard.
> One intention was that you do not need anything to do except you want
> to do some advanced crypto stuff. The rest should have already been
> made...
> 
> 
> I fear that this is all way too complicated. I cannot review what I do
> not even understand what the desired outcome is. And failing to
> understand that either means that it is either way too complicated or I
> have not read enough anywhere about all of this.
> Please check out the above linked topic where you have wrote
> suggestions that i simply tried to achieve but again, it seems that i
> was not successfull with this...

So, maybe help me to understand why the user would want to use different ciphers for the control channel and for TLSv1.3/2.

I consider my ciphers as follows:

* Which algorithms do I trust? If I do not trust AES for example, I would unselect it for everything, regardless if that is the control or data channel).

* What does my hardware support? I would want to choose AES if my hardware has acceleration for it.

* Then I would sort them by most secure first (e.g. AES-256, then AES-192 and so on…)

I can replicate that with only one multiple-select box that simply lists:

* AES-256-GCM
* AES-256-CBC
* AES-128-GCM
* AES-128-CBC
* ChaCha20-Poly1305
* Blowfish
* ...

And a second one that has

* SHA512
* SHA384
* SHA256
* …

The code will then have to convert this into the fancy names for the OpenVPN configuration file. But I suppose that should be easy to do.

That way, the user can be certain that they have chosen the right thing for everything in one go.

> So, could you please summarise for me what you want to achieve here?
> Hope i have it done above.

Thank you for that.

I really appreciate all this time that you have invested in this, and the code looks clean. I just think we have been on different pages about what we want it to look and feel like for the user.

> Is this supposed to make OpenVPN more compatible, secure, or anything
> else?
> Yes both but also easier since the user do not need to do anything but
> he should become more security under the hood, the backward and the
> forward compatibility should be in a better standing than before and if
> someone wants to go into the depth, this is even also possible.

I think that you have implemented the “pro” version here. It has all the buttons you need and uses all features of OpenVPN. But it is complicated. So maybe lets hide it from the user that there is a control and data channel. Does the user need to know about this? I do not think so. It will work either way.

> Why do we not talk about this before things are being implemented, or
> did I just miss the discussion?
> Yes i think you missed some of that, hopefully i could remind you on
> some points.

This is good progress :)

-Michael

> 
> -Michael
> 
> Best,
> 
> Erik
> 
> 
>> On 14 Dec 2020, at 14:03, ummeegge <ummeegge(a)ipfire.org> wrote:
>> 
>> Hi all,
>> just wanted to ask if there is still interest in this patch series ?
>> 
>> Best,
>> 
>> Erik
>> 
> 
> 
> 

Re: [PATCH v2 7/7] OpenVPN: Moved TLS auth to advanced encryption section

[Paul Simmons]

[-- Attachment #1: Type: text/plain, Size: 276 bytes --]

On 12/14/20 7:03 AM, ummeegge wrote:
> Hi all,
> just wanted to ask if there is still interest in this patch series ?
>
> Best,
>
> Erik
>
Hey there, @list.  I'm patiently awaiting this series.

Thanks!

-- 
Pity for the guilty is treason to the innocent — Terry Goodkind