From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN patchset from Erik's input
Date: Wed, 22 Feb 2023 13:54:29 +0100
Message-ID: <3e45d933-4ae0-4d82-9154-6eadbe6c342b@ipfire.org>
In-Reply-To: <32A1D261-0170-4991-9AA3-C8AB59027111@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2978880173482857878=="
List-Id: <development.lists.ipfire.org>

--===============2978880173482857878==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,

On 22/02/2023 12:21, Michael Tremer wrote:
> Hello Adolf,
>=20
>> On 17 Feb 2023, at 11:46, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Hi All,
>>
>>
>> I got Erik's OpenVPN patchset from some time ago and have created an updat=
ed patchset based on the current state of IPFire.
>=20
> Okay. So I suppose it all applied well or you were able to fix any merge co=
nflicts.
I had to end up applying all the patches manually. There were enough=20
changes with the OTP stuff plus the change to the system commands that=20
many Hunks failed to apply plus I found one hunk that applied in the=20
wrong place.

So manual application just seemed the most secure if a bit long winded=20
approach. That was why I created the new patch set because that is now=20
based on next so any changes can be done relative to that patch set.
>=20
>> I applied those changes to ovpnmain.cgi and en.pl and installed them into =
a vm clone on my testbed.
>>
>> Here are some images of the changes. Basically the ciphers are moved from =
the main page to an additional ciphers page.
>=20
> Yes, this is something the user ideally does not need to change. I would ac=
tually not hesitate too much to just hardcode something as 99% of people will=
 be on the same settings.
>=20
> However, I do not understand why there are different options for the contro=
l and data channel. I do not see any reason why I would want different settin=
gs because I either support a certain cipher or I don=E2=80=99t. If I conside=
r my data channel =E2=80=9Cless important=E2=80=9D or need more throughput an=
d use AES-128 instead of AES-256, then what is the benefit of keeping the con=
trol channel on AES-256?
>=20
> Then there is labelling which isn=E2=80=99t clear to me. I suppose it works=
 as follows:
>=20
> Data Channel is the new setting. It should in theory be possible to select =
multiple options.
>=20
> Data Channel fallback seems to be what used to be on the front page before =
and it should only allow to pick one option. If that is the case, then I beli=
eve that the UI suggests otherwise. This setting will then also go away with =
OpenVPN 2.6.0. Is that correct?
That is what I would read it as. I will check if more than one option=20
can be selected in the fallback set.
>=20
> On the control channel the options are mislabeled. I suppose TLSv3 should b=
e TLSv1.3 and TLSv2 should be TLSv1.2 and possible less?!
That sounds like what is intended.
>=20
> I don=E2=80=99t really like it that there are two boxes, but since TLSv1.3 =
does not support many of the cipher suites that TLSv1.2 supports, there might=
 be no easy way around it. TLSv1.2 is on its way out, so we won=E2=80=99t nee=
d to support this for forever hopefully.
>=20
> Authentication: If there is only one option, the <select> tag should not lo=
ok like it does currently where it suggests that multiple options can be sele=
cted at the same time.
I am also not sure if all are needed. I will need to check if TLS-Auth=20
no longer works with the TLSv1.3. TLS-Auth is what is currently working=20
and I haven't seen anything suggesting it is deprecated. SHA2 512 bit=20
seems strong enough for the moment and is not at risk from being broken=20
as far as I am aware. I would just remove the SHA1 has as that is=20
definitely not recommended any more.
It would be simpler and easier if that stayed just with TLS-Auth if that=20
works with TLSv1.3. I will check into that.
>=20
> What does 64-bit/8-32bit optimised mean for Blake2?
I have no idea.
>=20
> Why is there an extra button for the encryption settings? Why is this not p=
art of the advanced options?
I don't know but putting it all on the advanced options page wouldn't be=20
too difficult ( says he keeping he fingers well crossed).
>=20
>> 1st image is current status of the main page, 2nd image is the modified ma=
in page and the 3rd is the Advanced Encryption settings page.
>>
>> I will also upload the updated patches to my ipfire git repo
>>
>> https://git.ipfire.org/?p=3Dpeople/bonnietwin/ipfire-2.x.git;a=3Dsummary
>=20
> So this is a good start, but the UI is not making this process easy.
>=20
> I had a brief look at the code and it looks okay. Our CGIs are quite messy =
anyways, so I do not think it is worth adding the most polished code here :) =
This should not mean that we can just do whatever because we are just making =
future changes even more difficult for ourselves.
>=20
> I didn=E2=80=99t apply this to my system and test. Did you do this? Does it=
 work with various client version of OpenVPN?
I put it onto a vm clone on my system to get the screenshots. I haven't=20
tested various options yet as I have been a bit busy with clearing out=20
some bugs but I will do that and report back on it.
My only problem with that is that all my clients are up to date so I=20
don't have any that would only work with older ciphers but at least I=20
can check that everything works with my Android phone and my Linux=20
laptop with various ciphers etc selected.

Regards,
Adolf
>=20
> -Michael
>=20
>>
>>
>> Regards,
>>
>> Adolf.
>>
>> <Screenshot - main page.png><Screenshot - modified main page.png><Screensh=
ot - advanced encryptions settings page.png>
>=20

--=20
Sent from my laptop

--===============2978880173482857878==--