From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN patchset from Erik's input
Date: Wed, 22 Feb 2023 11:21:20 +0000
Message-ID: <32A1D261-0170-4991-9AA3-C8AB59027111@ipfire.org>
In-Reply-To: <8b85da02-2f40-6a08-2186-db818c614242@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4751029546527480537=="
List-Id: <development.lists.ipfire.org>

--===============4751029546527480537==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Adolf,

> On 17 Feb 2023, at 11:46, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>=20
> Hi All,
>=20
>=20
> I got Erik's OpenVPN patchset from some time ago and have created an update=
d patchset based on the current state of IPFire.

Okay. So I suppose it all applied well or you were able to fix any merge conf=
licts.

> I applied those changes to ovpnmain.cgi and en.pl and installed them into a=
 vm clone on my testbed.
>=20
> Here are some images of the changes. Basically the ciphers are moved from t=
he main page to an additional ciphers page.

Yes, this is something the user ideally does not need to change. I would actu=
ally not hesitate too much to just hardcode something as 99% of people will b=
e on the same settings.

However, I do not understand why there are different options for the control =
and data channel. I do not see any reason why I would want different settings=
 because I either support a certain cipher or I don=E2=80=99t. If I consider =
my data channel =E2=80=9Cless important=E2=80=9D or need more throughput and =
use AES-128 instead of AES-256, then what is the benefit of keeping the contr=
ol channel on AES-256?

Then there is labelling which isn=E2=80=99t clear to me. I suppose it works a=
s follows:

Data Channel is the new setting. It should in theory be possible to select mu=
ltiple options.

Data Channel fallback seems to be what used to be on the front page before an=
d it should only allow to pick one option. If that is the case, then I believ=
e that the UI suggests otherwise. This setting will then also go away with Op=
enVPN 2.6.0. Is that correct?

On the control channel the options are mislabeled. I suppose TLSv3 should be =
TLSv1.3 and TLSv2 should be TLSv1.2 and possible less?!

I don=E2=80=99t really like it that there are two boxes, but since TLSv1.3 do=
es not support many of the cipher suites that TLSv1.2 supports, there might b=
e no easy way around it. TLSv1.2 is on its way out, so we won=E2=80=99t need =
to support this for forever hopefully.

Authentication: If there is only one option, the <select> tag should not look=
 like it does currently where it suggests that multiple options can be select=
ed at the same time.

What does 64-bit/8-32bit optimised mean for Blake2?

Why is there an extra button for the encryption settings? Why is this not par=
t of the advanced options?

> 1st image is current status of the main page, 2nd image is the modified mai=
n page and the 3rd is the Advanced Encryption settings page.
>=20
> I will also upload the updated patches to my ipfire git repo
>=20
> https://git.ipfire.org/?p=3Dpeople/bonnietwin/ipfire-2.x.git;a=3Dsummary

So this is a good start, but the UI is not making this process easy.

I had a brief look at the code and it looks okay. Our CGIs are quite messy an=
yways, so I do not think it is worth adding the most polished code here :) Th=
is should not mean that we can just do whatever because we are just making fu=
ture changes even more difficult for ourselves.

I didn=E2=80=99t apply this to my system and test. Did you do this? Does it w=
ork with various client version of OpenVPN?

-Michael

>=20
>=20
> Regards,
>=20
> Adolf.
>=20
> <Screenshot - main page.png><Screenshot - modified main page.png><Screensho=
t - advanced encryptions settings page.png>


--===============4751029546527480537==--