Re: [PATCH] OpenVPN: Introduce Negotiable Crypto Parameters for roadwarriors

[ummeegge <ummeegge@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3423 bytes --]

Hi,
it is also a question if the life is not more worst to use broken stuff
which is in the case of MD5 not only a problem of OpenVPN. The
backwards compatibility stands sometimes diametral to security so using
 the good old way includes regular not much work (for administration
but also for implementation) but leads especially for VPNs to an
apparent security.
Beneath the 64bit block cipher desaster where more than 50% of the
ciphers on IPFires OpenVPN are affected will surely comes in a closer
future a question if 2048 bit key lenghts (which we have in the host
certificates) are long enough, where again all needs to be setup again
if this should be changed. ECC crypto, also a nice one, new, fast,
secure, but again all needs to be setup again if it should be used
(there is more..).
>From my point of view i wanted to bring new stuff as early as possible
into the forum to inform but also to test it as good as possible and
tried to find ways to make the life of the users easy but sometimes it
is simply not possible to go new ways without work/user_interaction. If
i also try to consider every use case (backwards compatibility,
configuration, setup) i can leave my feed on the ground and don´t need
to make steps forward cause with 100% someone needs to fix something on
it´s setup.

OpenVPN makes currently a lot new which makes it really tough for me to
implement all that without breaking something for someone since the
manpage do not delivers all the truth i need also to make tests whereby
the whole 2.4 update of OpenVPN and implementation into IPFire goes
into weeks of work to be a little safer of what works and what not.

So in summary, if IPFire will drop OpenVPN with 3.x and the life of the
admins are as worst as described in here it is a possiblity to change
the VPNs now to IPSec, i can spare my time with implementing all that
unfunny changes and the current state (which is OK in my opinion) can
be left as it is, i know developing such things for free is a kind of
thankless cause mostly only the bugs a reported back but am currently a
little motivless to make more in here with this background knowledge.

Best,

Erik


Am Donnerstag, den 30.08.2018, 08:35 +0100 schrieb Michael Tremer:
> Hi,
> 
> this is indeed on the lower side of some bigger users.
> 
> It is quite common to have hundreds of RW connections. >= 200 is not
> very rare.
> 
> Replacing them because of the MD5 change was troubling for them and
> that is why
> I am stressing backwards-compatibility so much with the latest
> changes. It makes
> the difference between OpenVPN being usable or making life a lot
> worse for the
> admins.
> 
> Best,
> -Michael
> 
> On Wed, 2018-08-29 at 23:49 +0200, ummeegge wrote:
> > Hi Michael and Alex,
> > 
> > Am Mittwoch, den 29.08.2018, 11:33 +0100 schrieb Michael Tremer:
> > > > 
> > > > Yes, needed also some braingoo for all that and it seems that
> > > > it is
> > > > not
> > > > finished at all...
> > > 
> > > Just because this is quite topical today: Alex just told me how
> > > long
> > > it took him
> > > to replace 20 N2N connections and 80 RW connections. Poor him.
> > > 
> > > There is a very good reason why we don't have OpenVPN in IPFire
> > > 3.
> > 
> > 100 connections are a lot. Can we use this knowlegdge for
> > bugreports on
> > OpenPVN or is this topic (OpenVPN) just obsolet ? 
> > 
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > 
> > > 
> 
>