From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Date: Mon, 23 Nov 2020 17:58:57 +0000
Message-ID: <3574F9FB-7407-4268-9A5D-5BF1BFD1761D@ipfire.org>
In-Reply-To: <9727cf30a318c21bef541b1441ad02164d6f6e98.camel@ipfire.org>

Hello everyone,

Good to see that we are moving forward on making OpenVPN on IPFire better.

To avoid that the conversation is getting stuck again, can we split the problems into many smaller ones instead of having one massive thread again? I think I suggested that some time before and it would really help us to stay on track with things and ideally merge everything that is done already so that we do not end up with one massive patchset that is getting really difficult to work with later on.

> On 22 Nov 2020, at 16:30, ummeegge wrote:
>
> Hi all,
> I am currently in the update process of the already released OpenVPN-
> 2.5.0 --> https://openvpn.net/community-downloads-2/ . The update has
> been tested and worked so far also with the old default client
> configuration (tested with 2.4.9 client). There are two warnings -->

Which clients do we want to support? Is it possible and do we want to support OpenVPN 2.3, too? Depending on when the last release has been, it might not be worth it.

> 1) DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation
> is a deprecated debug feature that will be removed in OpenVPN 2.6

I think we have a good way to migrate cryptography.

> 2) WARNING: --topology net30 support for server configs with IPv4 pools
> will be removed in a future release. Please migrate to --topology
> subnet as soon as possible.

This seems to be much trickier.

> in the server log but it nevertheless works flawlessly.
>
> Am working currently on an "Advanced Encryption Settings" page which
> includes currently four new directives --data-ciphers (data channel
> encryption), --data-ciphers-fallback (data-channel encryption for
> clients <= OpenVPN-2.3.9), --tls-ciphers (control channel TLSv2 only)
> and --tls-ciphersuites (control channel >= TLSv3). All options are
> explained in here -->
> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> , which works here currently and looks like this:
>
> Button to belong to this page:
> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_encryption_button.png
>
> And the page itself:
> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_encryption.png

In order to keep things like this archived for later, you can simply attach them to the email that you send to the list :)

Then I have some questions:

1) Does this need to be an extra page? Why didn't you put this on the advanced server options page?

2) What is the use-case for choosing different things for the data/control channel?

I am asking this because I find this really confusing. Why does OpenVPN need different things selected for TLSv1.3 and <=TLSv1.2? Should we not hide this from the user, because otherwise editing the configuration file is easier?

I assume that clients <= version 2.3 cannot use cipher negotiation? How is it possible to select multiple options here and this still works?

> You can see also the default settings, where I need also your ideas and
> comments for maybe better defaults.

I am sure we have talked about this somewhere and we even came up with a decision... It must be here on the list somewhere...

> On the page itself is also more planned but to not overload this here
> now, I wanted to go now a two-step procedure with this update.
>
> 1) Push OpenVPN-2.5.0 update with the new ciphers and HMACs for regular
> global settings for RW and N2N. An overview of the new crypto can be
> found in here -->
> https://community.ipfire.org/t/openvpn-2-5-development-version/2173 .
> 2) I would push the "Advanced Encryption settings" development as seen
> above then as one patch <-- this would also eliminate the first warning
> causing --ncp-disable since we can delete this option then.

I do not understand how we can split this into two steps because I thought OpenVPN 2.5 won't work with the current settings?!

-Michael

> Everything else would come detached from this.
>
> Some feedback might be nice.
>
> Best,
>
> Erik
>
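The thread above turns on two server-log warnings (the deprecated ncp-disable and the net30 topology) and on the four 2.5 directives Erik's page would write (data-ciphers, data-ciphers-fallback, tls-cipher for TLS 1.2 and below, tls-ciphersuites for TLS 1.3; OpenSSL keeps the two cipher lists separate, which is why OpenVPN exposes two directives). The following is an added example, not code from the thread, IPFire or the OpenVPN project: a small Python audit that parses an OpenVPN server config and reports which of those findings apply, run over two constructed sample configs (a 2.4-era one and its migrated form; all addresses, ports and cipher choices are illustrative placeholders). It shows what a migration step has to remove and add before the warnings go away.

```python
"""Audit an OpenVPN server config for the 2.5 deprecations discussed in the
thread (ncp-disable, topology net30) and for the cipher-negotiation
directives that replace them.  Added example; not IPFire or OpenVPN code."""
import re

# Constructed sample: a 2.4-era server config (placeholder values).
LEGACY_CONF = """\
# server config before the 2.5 update (constructed sample)
server 10.93.84.0 255.255.255.0
dev tun
proto udp
port 1194
cipher AES-256-CBC
auth SHA512
ncp-disable
# no topology line: OpenVPN defaults to net30 on tun
"""

# Constructed sample: the same config after migration to 2.5 directives.
MIGRATED_CONF = """\
server 10.93.84.0 255.255.255.0
topology subnet
dev tun
proto udp
port 1194
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
auth SHA512
"""


def parse_conf(text):
    """Return {directive: [args, ...]}; comments are skipped and the body of
    inline <ca>...</ca>-style blocks is ignored.  Last occurrence wins."""
    opts = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                       # inside <tag> ... </tag>
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:                              # opening tag of an inline block
            in_block = m.group(1)
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit(text):
    """Return the findings a 2.5 migration has to resolve for this config.
    The first two paraphrase the log warnings quoted in the thread."""
    opts = parse_conf(text)
    findings = []
    if "ncp-disable" in opts:
        findings.append("ncp-disable: deprecated, removed in OpenVPN 2.6; "
                        "drop it and list ciphers in data-ciphers instead")
    topology = (opts.get("topology") or ["net30"])[0]   # net30 is the default
    if "server" in opts and opts.get("dev", [""])[0].startswith("tun") \
            and topology == "net30":
        findings.append("topology net30: deprecated for server configs with "
                        "IPv4 pools; set 'topology subnet'")
    if "data-ciphers" not in opts:
        findings.append("data-ciphers missing: negotiated data-channel cipher "
                        "list is not pinned by the config")
    if "cipher" in opts and "data-ciphers-fallback" not in opts:
        findings.append("cipher: for clients without cipher negotiation, "
                        "2.5 expects data-ciphers-fallback")
    return findings


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("migrated", MIGRATED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

Running it prints four findings for the legacy config and none for the migrated one, which is the practical reading of Erik's two-step plan: step 1 can ship the new cipher and HMAC defaults, but the ncp-disable warning only disappears once data-ciphers is written and ncp-disable removed, and the net30 warning only once every server config carries an explicit topology subnet.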