From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: OpenVPN-2.5.0 update procedure and idea collector
Date: Mon, 23 Nov 2020 12:41:34 +0100
In-Reply-To: <9727cf30a318c21bef541b1441ad02164d6f6e98.camel@ipfire.org>

Hi Erik,

Thanks for all your work on OpenVPN. Much appreciated, especially in these challenging times of many changes.

Am I correct in my presumption that in the advanced encryption settings GUI we will be able to select multiple entries, which will then be made into a list in the order that the entries are in the tables?

From the advanced encryption settings page I see that you have removed the old insecure options, which is good.

For the Data-Channel fallback, do you have to have a default or can you unselect everything? There could be people who only want to connect to systems that have the strongest ciphers and just refuse to connect with weaker ones.

For the Control-Channel sections I would suggest swapping the order of TLSv2 and TLSv3 on the screen. The Data-Channel goes from most secure to least secure from left to right. I think that the Control-Channel should do the same.

I don't have any comments about the defaults. They seem reasonable to me.

Excellent work, it's looking very nice.

Regards,
Adolf.

On 22/11/2020 17:30, ummeegge wrote:
> Hi all,
> I am currently in the update process of the already released OpenVPN-
> 2.5.0 --> https://openvpn.net/community-downloads-2/ . The update has
> been tested and worked so far also with the old default client
> configuration (tested with 2.4.9 client). There are two warnings -->
>
> 1) DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation
> is a deprecated debug feature that will be removed in OpenVPN 2.6
>
> 2) WARNING: --topology net30 support for server configs with IPv4 pools
> will be removed in a future release. Please migrate to --topology
> subnet as soon as possible.
>
> in the server log, but it nevertheless works flawlessly.
>
> I am currently working on an "Advanced Encryption Settings" page which
> currently includes four new directives: --data-ciphers (data channel
> encryption), --data-ciphers-fallback (data-channel encryption for
> clients <= OpenVPN-2.3.9), --tls-ciphers (control channel TLSv2 only)
> and --tls-ciphersuites (control channel >= TLSv3). All options are
> explained in here -->
> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> , which works here currently and looks like this:
>
> Button to belong to this page:
> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_encryption_button.png
>
> And the page itself:
> https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_encryption.png
>
>
> You can see also the default settings, where I also need your ideas and
> comments for maybe better defaults.
> More is also planned on the page itself, but to not overload this here
> now, I wanted to go with a two-step procedure for this update.
>
> 1) Push the OpenVPN-2.5.0 update with the new ciphers and HMACs for regular
> global settings for RW and N2N. An overview of the new crypto can be
> found in here -->
> https://community.ipfire.org/t/openvpn-2-5-development-version/2173 .
> 2) I would push the "Advanced Encryption settings" development as seen
> above then as one patch <-- this would also eliminate the first warning,
> caused by --ncp-disable, since we can delete this option then.
>
> Everything else would come detached from this.
>
> Some feedback might be nice.
>
> Best,
>
> Erik
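The migration the two messages describe (drop --ncp-disable, replace the single --cipher with --data-ciphers plus --data-ciphers-fallback for pre-NCP clients, add the TLS 1.2 list via --tls-cipher, singular as in the OpenVPN manual, and --tls-ciphersuites for TLS 1.3, and move --topology net30 to subnet), as an added example that is not IPFire or OpenVPN project code. Assumptions: the cipher lists below are my own strongest-first choices for illustration, not the defaults on Erik's page; the sample server config is constructed; and the `keep_legacy` switch is my way of modelling Adolf's question about refusing older clients instead of offering them a fallback.

```python
"""Rewrite an OpenVPN 2.4-style server config for the 2.5 cipher directives.

Added example for the IPFire thread above, not IPFire or OpenVPN code.
The cipher lists are assumed defaults chosen for illustration.
"""

# Directives OpenVPN 2.5 warns about: ncp-disable goes away in 2.6, and
# ncp-ciphers is the pre-2.5 name of data-ciphers.
DEPRECATED = {"ncp-disable", "ncp-ciphers"}

# Strongest first, matching the left-to-right order Adolf asks for (assumed lists).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
DEFAULT_TLS_CIPHER = [            # TLS 1.2 and below, OpenVPN's dashed naming
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
]
DEFAULT_TLS_CIPHERSUITES = [      # TLS 1.3, IANA naming
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]


def parse(text):
    """Return [(directive, [args])] in file order; lines starting '#' or ';' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives


def render(directives):
    return "\n".join(" ".join([name, *args]) for name, args in directives) + "\n"


def find_deprecated(text):
    """Names of the directives in `text` that 2.5 logs a deprecation warning for."""
    found = []
    for name, args in parse(text):
        if name in DEPRECATED:
            found.append(name)
        elif name == "topology" and args == ["net30"]:
            found.append("topology net30")
    return found


def migrate(text, keep_legacy=True, data_ciphers=DEFAULT_DATA_CIPHERS,
            tls_cipher=DEFAULT_TLS_CIPHER, tls_ciphersuites=DEFAULT_TLS_CIPHERSUITES):
    """Return (new_config_text, notes). With keep_legacy=False no fallback cipher is
    emitted, so clients that cannot negotiate (pre-2.4) are refused outright."""
    kept, notes = [], []
    old_cipher = None
    for name, args in parse(text):
        if name == "ncp-disable":
            notes.append("dropped ncp-disable (deprecated in 2.5, removed in 2.6)")
        elif name in ("ncp-ciphers", "data-ciphers", "data-ciphers-fallback",
                      "tls-cipher", "tls-ciphersuites"):
            notes.append(f"replaced {name} with the new cipher settings")
        elif name == "cipher":
            old_cipher = args[0]          # becomes the fallback for pre-NCP clients
        elif name == "topology" and args == ["net30"]:
            kept.append(("topology", ["subnet"]))
            notes.append("topology net30 -> subnet: each client gets one address "
                         "in the shared subnet instead of a /30 pair")
        else:
            kept.append((name, args))

    kept.append(("data-ciphers", [":".join(data_ciphers)]))
    # A client without cipher negotiation only ever gets the fallback cipher,
    # so the old single `cipher` value is what keeps such clients connecting.
    if keep_legacy and old_cipher and old_cipher not in data_ciphers:
        kept.append(("data-ciphers-fallback", [old_cipher]))
        notes.append(f"kept {old_cipher} as data-ciphers-fallback for pre-NCP clients")
    kept.append(("tls-cipher", [":".join(tls_cipher)]))
    kept.append(("tls-ciphersuites", [":".join(tls_ciphersuites)]))
    return render(kept), notes


# Constructed 2.4-era server config for the demonstration (not an IPFire file).
SAMPLE_24_CONFIG = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
topology net30
cipher AES-256-CBC
auth SHA512
ncp-disable
"""

if __name__ == "__main__":
    new_text, migration_notes = migrate(SAMPLE_24_CONFIG)
    print(new_text)
    for note in migration_notes:
        print("#", note)
```

Running it on a real server.conf, then comparing `find_deprecated()` before and after, is the quick check that the first of Erik's two warnings really goes away once --ncp-disable is deleted; the second warning needs the topology change, which also changes the addresses clients receive and is therefore worth a note in the release.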